-----Original Message-----
From: wdsci-l-bounces@xxxxxxxxxxxx
[mailto:wdsci-l-bounces@xxxxxxxxxxxx] On Behalf Of Joe Pluta
Sent: Tuesday, November 06, 2007 10:04 AM
To: 'Websphere Development Studio Client for iSeries'
Subject: Re: [WDSCI-L] Fooling around with VRPG
With WAS, you can run the web application server on a box
other than your System i (I often call this an "appliance" to
keep it short, although Aaron's use of the term is a little
more specific, referring to a box devoted entirely to
firewall and filtering). Anyway, the appliance is the only
thing open to the Internet. It in turn executes business
logic on the System i, but at no point can an external agent
access the System i.
With RPG-CGI, the System i is directly attached to the
Internet. Port 80 traffic is routed directly from external
sources to the System i. This is a potential hole, if for
nothing else than DoS attacks. There are ways to mitigate
the risk: a true web appliance of the type Aaron spoke of, or
even carving off a separate partition on your System i for
the web serving. But you can't take the simple move of
taking your web server and moving it into the DMZ and thus
isolating your production box.
Joe,
Seems to me you think having your production System i directly on the web is a bad thing. Since we
both know that the System i is the most easily securable box on the planet, I have to wonder why?
You mention DoS attacks. But a decent firewall should protect the box from that. Granted, your web
server wouldn't be accessible to the public but the box itself should still be able to run your
production applications, even the internal web based ones.
Ideally, I'd prefer to have a separate network card going to DMZ of the firewall. IMHO that's worth
the cost.
The issue I have with putting the web server on a separate Windows/Linux box is simply that you end up
with a back door into the production box; and since the back door is a Windows/Linux box, you could
easily have a much weaker lock on it.
Don't get me wrong, I'm not saying that having a separate Windows/Linux web server is wrong. I've set
some up that way, primarily because the web server was running ColdFusion. But when doing so, you
have the extra complexity of securing the System i (and maybe the rest of your network) from the web
server being compromised. I think that's usually more difficult than securing the System i with only
port 80 exposed.
Thoughts?
Charles