Kevin,

We have this set up:

Firewall === web iSeries === firewall === production iSeries

This was done because we didn't want our production box directly exposed to the web. We thought about a Windows server in front of this but ODBC wasn't fast enough at the time.

As far as breaches go, I know we have hired people to try and break into this system a couple of times with no success on their part. We have been running in this configuration since 1999 and the only time someone got unauthorized access was on our test environment. They got in through FTP and placed files in that user's home directory. That was due to having an easily guessed user name and password for one of the user profiles on that box. We have had a couple of user profiles disabled via FTP attacks over the years and we have had to deal with DoS attacks but nothing that did any damage to the box itself or any systems behind it.

One other thing that we did that helps with keeping this box hack resistant was to use validation lists instead of user profiles so that you can't log in with user names and passwords for the web sites. You can also write an exit program for FTP to do the same thing for it. LDAP will offer the same protection vs. user profiles and had it been an option at the time, we probably would have gone that route.

We also have permissions locked down on the web iSeries. It's locked down tight enough where I know our ERP system wouldn't work properly on it and probably a lot of the custom programming we've done over the years would have issues as well (primarily due to being written for the same environment our ERP software runs in).

The iSeries rocks as a web server. When we have done load tests in the past, we've had to stop because it could handle more traffic than the network. Windows is okay for a couple of sites but IIS doesn't do anything beyond simple very well.

If I was looking to avoid buying a second iSeries, I think I'd stick a Linux box in the DMZ, run Apache on it, and proxy the traffic to the main iSeries.

Matt

-----Original Message-----
From: web400-bounces@xxxxxxxxxxxx [mailto:web400-bounces@xxxxxxxxxxxx] On Behalf Of Kevin Touchette
Sent: Monday, January 29, 2007 12:49 PM
To: web400@xxxxxxxxxxxx
Subject: [WEB400] System i web accessibility setup

Hello,

We are faced with putting our System i boxes on the web and I was wondering how you all handle this? Currently we have a system where we've put two network cards in the system. One is set up to allow only port 80 traffic to it with routes set up appropriately assigned to an external TCP/IP address. It sets up a pseudo DMZ scenario.

The question that I have is,
1) Do any of you have a set up similar to this?
2) Is this scenario "secure enough"? I know that it is not necessarily the "recommended" approach but it gives flexibility in its setup for taking down certain sites and not others etc.

Another question is there a web site or place where there are reported System i web hacks or breaches through the web? This has become a large topic in our shop and something that looks like it could become a holy war between System i and Microsoft servers. Feedback is appreciated.

Thank you,
Kevin R. Touchette
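Matt's closing suggestion, a Linux box in the DMZ running Apache and proxying traffic to the main iSeries, written out as a configuration. This is an added illustration, not part of either message in the thread and not configuration from any product it names. It assumes Apache httpd 2.4 with mod_proxy and mod_proxy_http loaded; the public name www.example.com, the published path /app/ and the internal iSeries address 10.0.0.5 are placeholders.

```apache
# Added example, not from the thread: Apache httpd 2.4 on a DMZ Linux host
# acting as a reverse proxy in front of the production iSeries.
# Placeholders: www.example.com (public name), /app/ (published path),
# 10.0.0.5 (internal iSeries HTTP server). Module paths assume a
# RHEL-style layout; Debian-style installs enable these via a2enmod.
LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

# A reverse proxy only. "ProxyRequests Off" is the default, but it is
# stated here so the DMZ host can never be used as an open forward proxy
# to relay requests to arbitrary hosts, inside or outside the network.
ProxyRequests Off

<VirtualHost *:80>
    ServerName www.example.com

    # Keep the client's Host header so virtual hosts and absolute links
    # on the iSeries HTTP server resolve to the public name, not 10.0.0.5.
    ProxyPreserveHost On

    # Only the published application path is forwarded. Requests for any
    # other path are answered (or refused) by the DMZ host itself, so the
    # production box sees nothing that was not explicitly mapped here.
    ProxyPass        /app/ http://10.0.0.5/app/
    ProxyPassReverse /app/ http://10.0.0.5/app/

    # mod_proxy adds X-Forwarded-For, X-Forwarded-Host and
    # X-Forwarded-Server by default (ProxyAddHeaders On), so the iSeries
    # access logs can still record the real client address.
    ProxyAddHeaders On

    # Give up on an unreachable back end quickly instead of holding
    # worker processes open while a slow client or a dead link drags on.
    ProxyTimeout 30

    ErrorLog  logs/www.example.com-error.log
    CustomLog logs/www.example.com-access.log combined
</VirtualHost>
```

To match Matt's layout, the inner firewall should allow only the DMZ host to reach the iSeries HTTP port, so the production box accepts web traffic from the proxy alone and nothing on the Internet can address it directly.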
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page.