Internet<==>router<==>firewall 1<==>firewall 2<==>firewall 3<==>System i

That diagram probably is overboard, but it depicts a number of network devices 
that could separate a System i from the Internet, where each device could serve 
a different purpose, ranging from address translation, to packet filtering, to 
establishing a DMZ, to rebuffing denial of service attacks that could target 
the System i.

If you replace any one of those network devices with a server running a Windows 
HTTP service, and establishing an ODBC connection to the System i, the 
interface would be less secure than one that just routed valid HTTP traffic to 
/ from the System i HTTP server.


Nathan M. Andelin



----- Original Message ----
From: Kevin Touchette <KTouchette@xxxxxxxxxxxx>
To: Web Enabling the AS400 / iSeries <web400@xxxxxxxxxxxx>
Sent: Monday, January 29, 2007 12:20:47 PM
Subject: Re: [WEB400] System i web accessibiltiy setup

Ok, here is the rub with the Microsoft evangelists.  The system I in
question has company financial data and other things sitting on it.  We
want their web site and all of their web applications to run on the same
system. So we put another network card in their system and set up the
router to do NAT on the tcp/ip of that machine to an external number,
and only allow port 80 traffic through to that card on the box, then set
up the web server to respond to traffic from that IP address.  

  The Microsoft people are saying that it allows for possible hacks
through to our internal network by doing this that it's not standard
protocol for setting up a web server and that there should be a box
outside the firewall that doesn't touch anything inside our network,
then there is "no" chance for company data being compromised.  I.E. put
a windows box that does nothing but runs HTTP and FTP services outside
our firewall and talks to the system I machines through ODBC or JDBC or
something of that nature.

  What I'm trying to do is have some kind of security justification in
the system I setup, see how other people set up their servers and what
the security risks really are for this kind of set up.  I like this
system I setup because you can host each company's web site on their
system I and not bring down every company's site when you do maintenance
on their system as opposed to hosting all the sites on one Microsoft box
and dropping that box all the time.  I also like the fact that the
database is on the same system.

  I have to justify it because it's cheaper to set up the Microsoft
solution, it's hard to justify a system I that does nothing but serve
static web pages all day.  :)

Kevin Touchette







 
____________________________________________________________________________________
Now that's room service!  Choose from over 150,000 hotels
in 45,000 destinations on Yahoo! Travel to find your fit.
http://farechase.yahoo.com/promo-generic-14795097

This thread ...


Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2020 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].