-----Original Message-----
From: wdsci-l-bounces@xxxxxxxxxxxx
[mailto:wdsci-l-bounces@xxxxxxxxxxxx] On Behalf Of
Heinz.Sporn@xxxxxxxxxxxxxxx
Sent: Wednesday, November 07, 2007 2:47 AM
To: wdsci-l@xxxxxxxxxxxx
Subject: Re: [WDSCI-L] System i on the web (was RE: Fooling
around with VRPG)
Hi there!
I have been following the interesting argument for quite some time
now and would like to share some thoughts. Two short statements in
your last post actually gave me a bad gut feeling:
- System i is the most easily securable box on the planet
- System i with only port 80 exposed
I am sorry but this is not a matter of philosophy anymore. If
you work in the security business the following concept is
beyond dispute best practice:
No mission critical system should have a direct link to the
outside world. Period.
And sorry again but potential extra complexity can't be a
valid argument for reducing security. I mean you used that
word yourself: "expose". Really - that's exactly what it is.
Exposing a system to potential danger. Willingly and unnecessarily.
*Only* port 80? I was literally gasping when I read that.
Quick calendar check - yes it is still 2007 and not say 1980 ...
The internet is bad, m'key? We're talking iSeries here so
money can't be that big a deal if we want to design a
multi-tier state of the art security infrastructure:
1. "Decent" firewall. Decent reads: does more than port
filtering. Intrusion detection and DoS protection for
example. Content filtering maybe.
2. DMZ. Just do it.
3. Proxy / reverse proxy. Less pain than it sounds. Will give
you additional control.
4. Your iSeries stays on your LAN.
I am calm now. ;-)
Kind regards
_________________________________
Heinz Sporn
TE - iSeries Systeme & Kommunikation
voestalpine Stahl Service Center GmbH
Industriezeile 28
4020 Linz, Austria
T. +43 / 50 304 / 19 - 466
M. +43 / 664 / 83 62 355
F. +43 / 50 304 / 597 - 466
mailto:heinz.sporn@xxxxxxxxxxxxxxx
http://www.voestalpine.com/stahlservicecenter
voestalpine - One step ahead.
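To make the third step of the list above concrete (a reverse proxy in the DMZ that is the only thing the Internet can reach, while the back-end stays on the LAN), here is an added example of a minimal filtering reverse proxy. It is not code from the thread or from any product mentioned in it. It assumes the proxy runs on a DMZ host listening on port 8080, that the internal back-end web server is reachable from that host at the constructed address 10.0.0.10:80, and that only paths under /app/ are meant to be published; the method allow-list, body-size cap and per-client rate limit are the kind of "more than port filtering" controls the post asks for, and all of these values are assumptions chosen for illustration.

```python
"""Filtering reverse proxy for a DMZ host (added example, not from the thread).

Assumptions: the proxy sits in the DMZ and is the only host the firewall
exposes; the back-end on the internal LAN is reachable only from this host
at BACKEND_HOST:BACKEND_PORT (constructed address); only /app/ is published.
"""
import http.client
import time
from collections import defaultdict, deque
from http.server import BaseHTTPRequestHandler, HTTPServer

BACKEND_HOST = "10.0.0.10"      # assumption: internal-LAN address of the back-end
BACKEND_PORT = 80
ALLOWED_PREFIXES = ("/app/",)   # assumption: everything else stays internal
ALLOWED_METHODS = {"GET", "POST"}
MAX_BODY = 64 * 1024            # reject oversized bodies before they reach the LAN
RATE_LIMIT = 30                 # requests per client per window
RATE_WINDOW = 10.0              # seconds
HOP_BY_HOP = {"connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
              "te", "trailers", "transfer-encoding", "upgrade"}


class RateLimiter:
    """Sliding-window counter per client; the clock is injectable for testing."""

    def __init__(self, limit, window, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self.hits = defaultdict(deque)

    def allow(self, client):
        now = self.clock()
        q = self.hits[client]
        while q and now - q[0] > self.window:   # forget hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def check_request(method, path, content_length, client, limiter):
    """Return (status, reason); status 0 means forward, otherwise the HTTP error to send."""
    if method not in ALLOWED_METHODS:
        return 405, "method not published"
    if ".." in path or not path.startswith(ALLOWED_PREFIXES):
        return 404, "path not published"       # unpublished paths look non-existent
    if content_length > MAX_BODY:
        return 413, "body too large"
    if not limiter.allow(client):
        return 429, "rate limit exceeded"
    return 0, "ok"


def forward_headers(headers, client_ip):
    """Strip hop-by-hop headers, rewrite Host, and record the original client."""
    out = {k: v for k, v in headers.items()
           if k.lower() not in HOP_BY_HOP and k.lower() != "host"}
    out["Host"] = BACKEND_HOST
    out["X-Forwarded-For"] = client_ip
    out["Connection"] = "close"
    return out


class ProxyHandler(BaseHTTPRequestHandler):
    limiter = RateLimiter(RATE_LIMIT, RATE_WINDOW)

    def _handle(self):
        length = int(self.headers.get("Content-Length") or 0)
        status, reason = check_request(self.command, self.path, length,
                                       self.client_address[0], self.limiter)
        if status:                                   # filtered: never touches the LAN
            self.send_error(status, reason)
            return
        body = self.rfile.read(length) if length else None
        conn = http.client.HTTPConnection(BACKEND_HOST, BACKEND_PORT, timeout=10)
        try:
            conn.request(self.command, self.path, body=body,
                         headers=forward_headers(self.headers, self.client_address[0]))
            resp = conn.getresponse()
            data = resp.read()
        except OSError:
            self.send_error(502, "back-end unavailable")
            return
        finally:
            conn.close()
        self.send_response(resp.status)
        for k, v in resp.getheaders():
            if k.lower() not in HOP_BY_HOP:
                self.send_header(k, v)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    do_GET = do_POST = do_PUT = do_DELETE = _handle   # non-published methods get 405


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 8080), ProxyHandler).serve_forever()
```

The design point is that every decision in `check_request` is taken on the DMZ host before a single byte is sent toward the internal network, so a request that is rejected here never reaches the back-end at all; the firewall between the DMZ and the LAN should in turn allow only this host to open connections to the back-end port.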
-----Original Message-----
From: wdsci-l-bounces@xxxxxxxxxxxx
[mailto:wdsci-l-bounces@xxxxxxxxxxxx] On Behalf Of Wilt, Charles
Sent: Tuesday, 06 November 2007 16:34
To: Websphere Development Studio Client for iSeries
Subject: [WDSCI-L] System i on the web (was RE: Fooling
around with VRPG)
-----Original Message-----
From: wdsci-l-bounces@xxxxxxxxxxxx
[mailto:wdsci-l-bounces@xxxxxxxxxxxx] On Behalf Of Joe Pluta
Sent: Tuesday, November 06, 2007 10:04 AM
To: 'Websphere Development Studio Client for iSeries'
Subject: Re: [WDSCI-L] Fooling around with VRPG
With WAS, you can run the web application server on a box
other than your System i (I often call this an "appliance" to
keep it short, although Aaron's use of the term is a little
more specific, referring to a box devoted entirely to firewall
and filtering). Anyway, the appliance is the only thing open
to the Internet. It in turn executes business logic on the
System i, but at no point can an external agent access the
System i.
With RPG-CGI, the System i is directly attached to the
Internet. Port 80 traffic is routed directly from external
sources to the System i. This is a potential hole, if for
nothing else than DoS attacks. There are ways to mitigate the
risk: a true web appliance of the type Aaron spoke of, or even
carving off a separate partition on your System i for the web
serving. But you can't take the simple move of taking your web
server and moving it into the DMZ and thus isolating your
production box.
Joe,
Seems to me you think having your production System i
directly on the web is a bad thing. Since we both know that
the System i is the most easily securable box on the planet,
I have to wonder why?
You mention DoS attacks. But a decent firewall should
protect the box from that. Granted, your web server wouldn't
be accessible to the public but the box itself should still
be able to run your production applications, even the
internal web based ones.
Ideally, I'd prefer to have a separate network card going to
the DMZ of the firewall. IMHO that's worth the cost.
The issue I have with putting the web server on a separate
Windows/Linux box is simply that you end up with a back door
into the production box; and since the back door is a
Windows/Linux box, you could easily have a much weaker lock on it.
Don't get me wrong, I'm not saying that having a separate
Windows/Linux web server is wrong. I've set some up that
way, primarily because the web server was running ColdFusion.
But when doing so, you have the extra complexity of securing
the System i (and maybe the rest of your network) from the
web server being compromised. I think that's usually more
difficult than securing the System i with only port 80 exposed.
Thoughts?
Charles
This e-mail transmission contains information that is
intended to be confidential and privileged. If you receive
this e-mail and you are not a named addressee you are hereby
notified that you are not authorized to read, print, retain,
copy or disseminate this communication without the consent of
the sender and that doing so is prohibited and may be
unlawful. Please reply to the message immediately by
informing the sender that the message was misdirected. After
replying, please delete and otherwise erase it and any
attachments from your computer system. Your assistance in
correcting this error is appreciated.
--
This is the Websphere Development Studio Client for iSeries
(WDSCI-L) mailing list To post a message email:
WDSCI-L@xxxxxxxxxxxx To subscribe, unsubscribe, or change
list options,
visit: http://lists.midrange.com/mailman/listinfo/wdsci-l
or email: WDSCI-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/wdsci-l.
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].