


From: Wilt, Charles

Seems to me you think having your production System i directly on the web
is a bad thing. Since we both know that the System i is the most easily
securable box on the planet, I have to wonder why?

Yeah, I know it comes out that way. Really, I'm not saying that: I'd much
rather have the System i run everything. Obviously you know that I believe
the System i to be the most secure platform.

But the reality is that, especially on older boxes, there simply isn't
enough horsepower to run the web application server. In that case,
offloading can actually improve their throughput. For example, I've found
that running my product to web enable their applications and then moving the
web serving off onto another machine actually reduces the overall load on
their primary production machine.


You mention DoS attacks. But a decent firewall should protect the box
from that. Granted, your web server wouldn't be accessible to the public
but the box itself should still be able to run your production
applications, even the internal web based ones.

Again, I agree, but what's a "decent firewall"? How many SMBs even know
what a decent firewall is? If your primary firewall is your router, it's a
lot harder to prevent DoS attacks. But realistically, a DoS attack is not a
statistically significant threat. It's just the concept.


Ideally, I'd prefer to have a separate network card going to the DMZ of the
firewall. IMHO that's worth the cost.

The issue I have with putting the web server on a separate Windows/Linux
box is simply that you end up with a back door into the production box;
and since the back door is a Windows/Linux box, you could easily have a
much weaker lock on it.

I understand the point. I'm not a big fan of Windows, as you know. But at
the same time, if you limit the Windows or *nix box to being purely a web
application server, it's possible to lock it down pretty hard. And even if
someone compromises the appliance, the chance of getting from there to the
server is pretty remote, at least if you're using a good client/server
architecture (as opposed to ODBC).


Don't get me wrong, I'm not saying that having a separate Windows/Linux web
server is wrong. I've set some up that way, primarily because the web
server was running ColdFusion. But when doing so, you have the extra
complexity of securing the System i (and maybe the rest of your network)
from the web server being compromised. I think that's usually more
difficult than securing the System i with only port 80 exposed.

I agree that from a pure security standpoint, I'd prefer the pure System i
approach. I also understand the realities of SMBs and that they may not be
able to afford the extra cycles on their production machine, making a $500
web appliance a reasonable option.

My real point is that J2EE provides you the flexibility to go with either
approach, or something in between, while RPG-CGI limits your options.

Joe



This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
