


----- Original Message ----- 
From: "Nathan M. Andelin" <nandelin@xxxxxxxxxxxxxxxxxxx>
To: <midrange-l@xxxxxxxxxxxx>
Sent: Wednesday, August 06, 2003 2:49 PM
Subject: Re: iSeries vs. Unix vs. SQL Server vs. Oracle &Security/Dataseparation???


> I'm talking about company controlled LAN segments separating an iSeries
> server from the Internet.  Access to LAN segments is controlled through
> firewalls.  I'm talking about connecting the iSeries to a LAN segment as
> opposed to connecting it directly to the Internet.

We are just missing on terminology here.  A public Internet line connected
to a firewall that relays connections to a webserver behind it I am calling
"connected to the Internet", as opposed to a computer that does not receive
connections from a public source.

> The main purpose of the firewall is to filter traffic.  I brought it up
> because Chris Bipes described a home-grown Windows based service essentially
> filtering traffic to the AS/400.  In general, would one rather have
> firewalls filtering traffic to the AS/400, or home-grown Windows
> applications?

You are missing what we are saying.  The Windows box is NOT filtering.  You
have a Windows/Linux/AIX/Macintosh/iSeries box sitting behind a firewall.
It runs your web based component.  There is another firewall behind it
separating the DMZ (where the webserver is) from the internal network.  In
the internal network you have your application layer and data layer running
on iSeries/Windows/Linux/AIX/etc.  The firewall allows only those two IP
addresses and only the ports necessary to function to pass through it.

So you have a webserver component that handles requests and answers with the
user and performs data validation, like any client piece in a good
multi-tier application.  The difference between a web application and an
internal n-tier app is that you KNOW you have malicious users interfacing
with the web application.  So, in the web based application, for security,
you physically segment the interface from the data layer.

Now, the webserver on one box talking to an application server on another
box is not "filtering" traffic.  It is separating the interface from the
business logic.  Standard n-tier programming principles.  The nice thing
about an iSeries is that it can handle all the tiers on one system.  The
thing is, for security reasons, you still want to segment the interface on a
separate physical unit.

> Firewalls are used to define network zones.  Several people have commented
> about the value of a DMZ, for example.
>
> The purpose and scope of firewalls may be an overly broad topic.  But one
> firewall may filter DOS attacks, while another filters NETBIOS traffic,
> while another filters ports, depending on the purpose of the firewall and
> the scope of each LAN segment controlled by the firewall.

Umm, no.  You would have your firewall handle all those functions.

> Not to be pedantic, but a firewall may pass a "message" not a "person".  I'm
> suggesting that an HTTP Server under OS/400 is generally more secure than an
> HTTP server under Windows, Linux, and Unix.

I'm not arguing that.  I am merely arguing for having the webserver on a
separate piece of equipment from your application/data component.  I could
give two flips if the webserver is iSeries or not.  That isn't the point.

> I'm also suggesting that
> simpler single platform application interfaces are less vulnerable than
> complex multi platform ones.

Yes, fine.  One platform, but two separate boxes.

> I hear of many shops opening an HTTP port to a Windows server, then opening
> the ODBC data ports from the Windows server to the iSeries.  In contrast,
> opening just an iSeries HTTP services for selected applications is easier to
> secure than locking down ODBC services.

And that is bad practice on those shops too.  They should not have their
webserver directly connecting to the data source.  It should be interfacing
with an application layer that talks to the data source.

> For data access, the HTTP server passes a request to an application.
> Otherwise the HTTP server won't provide access to the database.  My
> suggestion is that application level security be handled by iSeries
> applications for performance, simpler and easier to administer interfaces,
> and because the base OS is more secure.
>
> I'm suggesting that dividing applications between two platforms is generally
> more vulnerable, more difficult to develop and administer, poorer
> performing, and unnecessary when the data resides on an iSeries.

You are completely caught up on using a different platform. All I, and
others, are saying is to have them on two separate boxes.
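The two-firewall layout the reply describes (Internet -> outer firewall -> DMZ webserver -> inner firewall -> application tier -> data tier, with the inner firewall passing only the webserver's address to the application server's address on the one port it needs) can be checked as a policy model. The following Python is an added example and is not code from the message or from anyone on the list. Every address, port and host role in it is a constructed assumption: 192.0.2.0/24 stands for the DMZ, 10.0.0.0/8 for the internal network, 8080 for the application-tier listener, and 8471 for the iSeries database host server port that ODBC clients use. The second inner ruleset reproduces the practice the reply criticises (webserver talking straight to the data source), so the model shows what a compromised DMZ webserver can reach under each design.

```python
# Added example (not from the original message): a model of the two-firewall
# DMZ layout discussed above. All addresses, ports and hosts are assumptions.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed network zones; anything outside them is treated as the Internet.
ZONES = {
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
    "internal": ipaddress.ip_network("10.0.0.0/8"),
}


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    src: str               # source CIDR
    dst: str               # destination CIDR
    dport: Optional[int]   # destination port, None means any port
    action: str            # "allow" or "deny"

    def matches(self, src_ip: str, dst_ip: str, dport: int) -> bool:
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == dport))


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, dport: int) -> str:
    """First matching rule wins; a flow no rule matches is denied."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, dport):
            return rule.action
    return "deny"


WEB_DMZ = "192.0.2.10"     # webserver in the DMZ (assumed)
APP_SERVER = "10.0.0.20"   # application tier on the internal network (assumed)
DB_SERVER = "10.0.0.30"    # data tier on the internal network (assumed)
APP_PORT = 8080            # assumed application-tier listener
DB_PORT = 8471             # iSeries database host server port used by ODBC

# Outer firewall: the Internet may reach only the DMZ webserver on 80/443.
OUTER_FIREWALL = [
    Rule("0.0.0.0/0", f"{WEB_DMZ}/32", 443, "allow"),
    Rule("0.0.0.0/0", f"{WEB_DMZ}/32", 80, "allow"),
]

# Inner firewall as the reply recommends: only the webserver address, only to
# the application server address, only on the application port.
INNER_FIREWALL_RECOMMENDED = [
    Rule(f"{WEB_DMZ}/32", f"{APP_SERVER}/32", APP_PORT, "allow"),
]

# Inner firewall as in the shops the reply criticises: the webserver is let
# straight through to the database host server.
INNER_FIREWALL_DIRECT_ODBC = [
    Rule(f"{WEB_DMZ}/32", f"{DB_SERVER}/32", DB_PORT, "allow"),
]


def firewalls_on_path(src_ip: str, dst_ip: str, inner: List[Rule]) -> List[List[Rule]]:
    """Which firewalls an inbound flow crosses, keyed by (source zone, destination zone)."""
    crossings = {
        ("internet", "dmz"): [OUTER_FIREWALL],
        ("dmz", "internal"): [inner],
        ("internet", "internal"): [OUTER_FIREWALL, inner],
    }
    return crossings.get((zone_of(src_ip), zone_of(dst_ip)), [])


def verdict(src_ip: str, dst_ip: str, dport: int,
            inner: List[Rule] = INNER_FIREWALL_RECOMMENDED) -> str:
    """Allow only if every firewall on the path allows the flow."""
    if zone_of(src_ip) == zone_of(dst_ip):
        return "allow"   # same segment, no firewall in between
    path = firewalls_on_path(src_ip, dst_ip, inner)
    if not path:
        return "deny"    # direction not modelled here (e.g. outbound traffic)
    return "allow" if all(evaluate(fw, src_ip, dst_ip, dport) == "allow"
                          for fw in path) else "deny"


def reachable_from_web_server(inner: List[Rule]) -> set:
    """Internal (host, port) pairs an attacker who owns the DMZ webserver can reach."""
    targets: Tuple[Tuple[str, int], ...] = (
        (APP_SERVER, APP_PORT), (DB_SERVER, DB_PORT), (DB_SERVER, 22), (APP_SERVER, 22))
    return {t for t in targets if verdict(WEB_DMZ, t[0], t[1], inner) == "allow"}


if __name__ == "__main__":
    for name, inner in (("recommended", INNER_FIREWALL_RECOMMENDED),
                        ("direct ODBC", INNER_FIREWALL_DIRECT_ODBC)):
        print(f"{name}: compromised webserver reaches {sorted(reachable_from_web_server(inner))}")
```

Under the recommended ruleset the only internal endpoint a compromised webserver can talk to is the application tier on its one port, so the data layer is reachable only through application logic that revalidates the request. Under the direct-ODBC ruleset the webserver already holds a path to the database host server, so whoever owns it owns that path too, which is the objection the reply makes.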



This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work.