We have this set up:

Firewall === web iSeries === firewall === production iSeries

This was done because we didn't want our production box directly exposed
to the web. We thought about a Windows server in front of this but ODBC
wasn't fast enough at the time.

As far as breaches go, I know we have hired people to try and break into
this system a couple of times with no success on their part. We have
been running in this configuration since 1999 and the only time someone
got unauthorized access was on our test environment. They got in through
FTP and placed files in that user's home directory. That was due to
having an easily guessed user name and password for one of the user
profiles on that box. We have had a couple of user profiles disabled via
FTP attacks over the years and we have had to deal with DoS attacks but
nothing that did any damage to the box itself or any systems behind it.

One other thing that we did that helps with keeping this box hack-
resistant was to use validation lists instead of user profiles so that
you can't log in with user names and passwords for the web sites. You
can also write an exit program for FTP to do the same thing for it. LDAP
will offer the same protection vs. user profiles and had it been an
option at the time, we probably would have gone that route. We also have
permissions locked down on the web iSeries. It's locked down tight
enough where I know our ERP system wouldn't work properly on it and
probably a lot of the custom programming we've done over the years would
have issues as well (primarily due to being written for the same
environment our ERP software runs in).

The iSeries rocks as a web server. When we have done load tests in the
past, we've had to stop because it could handle more traffic than the
network. Windows is okay for a couple of sites but IIS doesn't do
anything beyond simple very well. If I was looking to avoid buying a
second iSeries, I think I'd stick a Linux box in the DMZ, run Apache on
it, and proxy the traffic to the main iSeries.
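
The DMZ reverse-proxy arrangement described in the reply above, as an added example that is not part of the original message: an Apache httpd configuration for a Linux box in the DMZ that forwards one application path to the HTTP server on the internal IBM i and serves nothing else. The hostname www.example.com, the internal address 10.0.1.20, the /webapp/ path and the log file names are assumptions for illustration.

```apacheconf
# Added example (not from the original message): Apache httpd on a Linux
# host in the DMZ, reverse-proxying a single path to an IBM i HTTP server
# on the internal network. Hostname, backend address and path are assumed.

LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

# Reverse proxy only. With ProxyRequests On this host would also answer
# arbitrary forward-proxy requests from the Internet.
ProxyRequests     Off
ProxyPreserveHost On
ProxyTimeout      30

<VirtualHost *:80>
    ServerName www.example.com

    # Serve nothing locally: an empty document root so that any request
    # not matched by a ProxyPass rule gets a 404 from this box.
    DocumentRoot "/var/www/empty"
    <Directory "/var/www/empty">
        Require all granted
        Options None
        AllowOverride None
    </Directory>

    # Forward only the application path. ProxyPass rules are matched in
    # order and the first match wins, so the specific prefix comes first.
    ProxyPass        "/webapp/" "http://10.0.1.20/webapp/" connectiontimeout=5 timeout=30
    ProxyPassReverse "/webapp/" "http://10.0.1.20/webapp/"

    # Everything else is explicitly excluded from proxying (this is the
    # default behaviour, stated here so the intent is visible in the file).
    ProxyPass "/" "!"

    ErrorLog  "logs/www-error.log"
    CustomLog "logs/www-access.log" combined
</VirtualHost>
```

Only the one URL prefix reaches the production box through this host; FTP, Telnet and any other HTTP instances on the internal system are not exposed by it, which is the same separation the two-firewall layout in the reply provides. Check the file with `httpd -t` (or `apachectl configtest`) before reloading.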


-----Original Message-----
From: web400-bounces@xxxxxxxxxxxx [mailto:web400-bounces@xxxxxxxxxxxx]
On Behalf Of Kevin Touchette
Sent: Monday, January 29, 2007 12:49 PM
To: web400@xxxxxxxxxxxx
Subject: [WEB400] System i web accessibility setup

  We are faced with putting our System i boxes on the web and I was
wondering how you all handle this?  Currently we have a system where
we've put two network cards in the system.  One is set up to allow only
port 80 traffic to it with routes set up appropriately assigned to an
external TCP/IP address.  It sets up a pseudo DMZ scenario.

  The question that I have is, 1) Do any of you have a set up similar to
this?  2) Is this scenario "secure enough"?  I know that it is not
necessarily the "recommended" approach but it gives flexibility in its
setup for taking down certain sites and not others etc.

  Another question is whether there is a web site or place where there are
reported System i web hacks or breaches through the web?  This has become
a large topic in our shop and something that looks like it could become a
holy war between System i and Microsoft servers.


  Feedback is appreciated.


Thank you,


Kevin R. Touchette