Boss says -


  • #16
    Boss says -

    In the security sessions I attended at COMMON, the common thread (no pun intended) was to secure your production data from TCP/IP access. By making secure production data accessible through DDM to an AS/400 with TCP/IP access, you have in effect given TCP/IP access to the production data. The idea of having the web server AS/400 is to provide a demilitarized zone where no production data is accessible through regular file access, but instead only through controlled server programs not accessible through TCP/IP.

    FWIW The idea of locking TCP/IP access from host systems is where banks were 4 years ago. Since then the pervasiveness of IP based solutions means that IP has become enabled and the banks are no longer insisting on SNA gateways. So a web server or application server will sit in the demilitarised zone and access the Host through a firewall. The firewall is configured to allow specific IP ports from specific IP addresses. So I can't see why the same can't be applied to DDM, or configure the DDM session to be SNA.

    David



    • #17
      Boss says -

      Make it valuable to our numerous retail customers. Make them want to come to the site for useful information. Let them buy things. Let them change their addresses. Let's send E-mail newsletters to them, etc... Ideally, the store front should tie into our existing AS/400 database.

      IMO It really depends on what you're trying to achieve with the web site and your business and clients. I don't believe the real issue is the choice of technologies but the strategy and processes. Is the intent to provide an online store or to try and develop an online community? What advantages will the online store offer over the existing catalogue? e.g. Will the products be cheaper? How do you expect your online store to differ from your competition? Do you need to support both personal consumers and/or corporate consumers? Is the product such that inventory is not important when making the decision? (i.e. You can fulfill without knowing the inventory) Is the aim to make the store shop a personalised experience or just a generic online catalogue?

      While none of these are technical questions, they do relate to the amount of integration required. And the technical question is: if you need to tightly couple to your host application, can it support 24x7 trading?

      IMNSHO Opinion: if you're building an online catalogue I would outsource it. However, if you do plan on doing it in-house you can pick technologies; for instance Microsoft Site Server Commerce Edition (http://www.microsoft.com/siteserver/commerce/30/downloads/SSDataC.doc) can be a simple solution if you don't need to integrate lots to host systems. IBM WebSphere Commerce Studio also has an e-commerce/retailing solution that runs on lots of platforms, including AS/400. I would also recommend getting the assistance of a graphics designer; PC LAN and AS/400 guys really don't have qualifications to do HCI well.

      HTH David



      • #18
        Boss says -

        Frank Whittemore wrote: but we really need to be heading towards having a store front. We sell over 20,000 items!

        In a word Frank, "Websphere". I recently saw a demo where a store front was put into place in less than 90 minutes. Impressive, but you have to get your hands on an expert.

        Dave



        • #19
          Boss says -

          Frank Whittemore asked: If you could point me in the direction of a couple of good ones

          I'm sorry I don't know the URLs, but if you can get to the Aberdeen or Gartner Group web sites, that should provide a wealth of researched opinions on the subject.

          Dave



          • #20
            Boss says -

            FWIW The idea of locking TCP/IP access from host systems is where banks were 4 years ago. Since then the pervasiveness of IP based solutions means that IP has become enabled and the banks are no longer insisting on SNA gateways. So a web server or application server will sit in the demilitarised zone and access the Host through a firewall. The firewall is configured to allow specific IP ports from specific IP addresses. So I can't see why the same can't be applied to DDM, or configure the DDM session to be SNA.

            I guess it's simply a matter of how secure you'd like your production data. If your production data is on an AS/400 that can be accessed via TCP/IP, and your network also has a connection to the network, your data can theoretically be hacked via TCP/IP. If, on the other hand, your primary machine has no TCP/IP access, you can't access it. But that leads to a number of management difficulties, not the least of which is user access to your application programs (for example, if you have Client Access Express sessions, you are running TCP/IP). Obviously there is a tradeoff between security and access.

            At IBM Israel, no machine that has access to production data is allowed to have access to the Internet at the same time. There are two separate networks, and you must physically disconnect from one network and attach to another. This is the only truly secure solution. So, as in anything, you need to ask yourself how willing you are to be secure.

            An AS/400 as an intermediate web server is a pretty good solution, because it's relatively easy to shut down all but a specific port dedicated to HTML traffic. But remember that all your security is for naught if someone can hack into your internal network; getting behind a firewall is not impossible, and once you allow Internet access, you open yourself up to that possibility. If your production AS/400 is open to your internal network and someone gets on that network, they have full access to your AS/400.

            As I said, it's a tradeoff. But the danger should be recognized, not minimized with an "it can't happen here" or "nobody else does it" attitude. Microsoft just found out the hard way.

            Joe



            • #21
              Boss says -

              Ralph wrote: "Neither Websphere nor Strategi is open source, nor is IIS on NT. Apache is the main open source web server. I doubt seriously whether open source has any merit unless it exposes code that you wish to modify, for example the source code to ERPs. Strategi's solution includes source code to modify the web pages, the server programs, and to customize integration."

              and Susan responded: Ralph, I see the term "open source" thrown around a lot. What exactly is meant by open source? I thought I knew, but lately I have seen it used in ways which makes me think my definition is too basic. Could you please explain it in a bit more detail? And why should it be an important consideration to me when I put up my websites? (I hope that will be REAL soon!)

              Hi Susan, Open source had its roots in Unix. Nearly every Unix technology that I can think of except databases was developed and offered back to the Unix community which communicated primarily with university connections through the nascent Internet. Software was written purely for the pride of having your peers use it, and any enhancements to the source code were offered back to the general distribution. Although some don't like to use the word, open source is free in that it is freely available for download and must come with source code. You can make any changes you want for personal use but if you offer your changes to anybody else you must offer it to the Open Source community as well. Each package has names and addresses of those maintaining the software source to send the enhancements to.

              Since Java was developed by a Unix company, Sun, it was developed with the same philosophy. There is a very healthy Java Open Source community along with the very healthy Linux, BSD, Gnome, KDE, Apache, and Wine Unix Open Source communities. However, the creators of Java software still have dreams of getting wealthy off of the Java software. After all, IBM and Sun did pay programmers to write the software. So IBM and Sun often offer Java programs for free but without source code. This is not Open Source but just free software. This is often done to create a market or a de facto standard while not disclosing source code. This has nothing to do with Open Source, and free software without source code should not be confused with Open Source.

              Open Source code is a subset of source code. All software has source code, and business software has a culture of providing source code for an additional fee with the commercial package. That's one reason Windows has never been much of a business platform. There is one Windows technology that has a culture of including source code, and that's Delphi. It also has a fairly active Open Source community.

              As I said above, I find it questionable whether the Apache web server is better than Websphere, Strategi, Lansa, or IIS because it is Open Source. Who really wants to make a customization to their web server product? The same would go for DB2, Oracle, and SQL Server versus the leading Open Source databases, MySQL and Interbase. Yet Open Source advocates are somewhat zealous about this, to the degree that all software is supposed to be written on our own time for the sheer joy of it!

              On the other hand, it is critical that business software be provided with source code to customize around the way you want to do business. There is an anti-customization movement going on where it is alleged that vanilla implementations of software is the answer to all those massive ERP projects. And that inability of the wannabes to provide custom business solutions is why AS/400 software still runs.

              Ralph ralph@ee.net



              • #22
                Boss says -

                Here's a thought.... watch what your automated messages will generate... from IBM's site.... An error occurred: The database is currently undergoing maintenance, which started 9 hours 2 minutes 33 seconds ago. The maintenance is not expected to last longer than 10 minutes. Ralph



                • #23
                  Boss says -

                  On the other hand, it is critical that business software be provided with source code to customize around the way you want to do business. There is an anti-customization movement going on where it is alleged that vanilla implementations of software is the answer to all those massive ERP projects. And that inability of the wannabes to provide custom business solutions is why AS/400 software still runs.

                  Ralph makes an excellent point here, and he clearly delineates between the "Open Source" movement and the concept of customizable business software. There is an important distinction; your business software is probably not going to be "Open Source" in the sense that you download it for free from the Internet. But you absolutely must have the source code to whatever business software you purchase.

                  Again, I point to the word processor analogy. You may not like how a word processor's grammar checker works. At that point, you have two choices: live with it or turn it off. However, if your ERP package's pricing logic doesn't match your business practices, you can't very well just "turn it off". You need to customize it. People who have implemented SAP point to the lack of customization as a serious problem with the package; if your business practices match those of SAP's designers, the software works great, but if not, you're going to have some serious trouble.

                  In my original post, I used open-source in the sense of "non-proprietary", meaning customizable. I said: "And above all, stay away from proprietary solutions if at all possible. Anything you purchase should be as configurable and open-source as possible. Remember that web technology is changing more rapidly than any computer technology we've ever seen before - the leading edge today may be the doorstop of tomorrow (anybody remember applets?). If your direction begins to diverge from that of your original provider, you want to be able to take over the development yourself without being tied to any one company."

                  My point is that you need the source to the software your business runs on. Without it, you are at the mercy of developers who have no clue what your business requirements are.

                  Joe http://www.java400.net http://www.edeployment.com http://www.plutabrothers.com



                  • #24
                    Boss says -

                    Ralph Daugherty wrote: Open source had its roots in Unix

                    IMO, this is the main reason the UNIX kernel is such a mess. Contributors to the open source came from a variety of places over a long period of time. Consistency in how various commands work is nonexistent. e.g. Some command parameters are prefaced with a dash (-p), others with a slash (/p). Some commands actually accept either, but they mean different things. The parameters themselves are almost always limited to a single character, so that meaningful expressions are never the case. This is because the byword in UNIX development has always been brevity over everything. Many commands cannot tell the difference between an argument and a parameter. Differences in case make debugging a script a virtual nightmare. BUT, the "MAN" pages will always have "Buglists" spelled out.

                    Dave



                    • #25
                      Boss says -

                      Ralph Daugherty wrote: "Open source had its roots in Unix." and Dave Abramowitz responded: "IMO, this is the main reason the UNIX kernel is such a mess." The GNOME and KDE visual interfaces (app compatible with each other) will mask over the particulars of shell commands just as Windows has now hidden the DOS commands that came from the same roots. We have a very small window of time to get IBM to provide a coherent and consistent visual interface to our beloved OS/400, and instead they are screwing around with an incoherent web page strategy (both Websphere and Domino web servers, according to IBM) and the ultimate confused vision of adding Linux in a separate environment while bus integrating to an NT box. This is the ultimate design by committee which is doomed to failure. All from good people who brought us the AS/400 we know who have somehow become lost in a confused maze somewhere in Big Blue land, convinced that the browser is the visual interface of the future. They are wrong, and the AS/400 will be the sacrificial lamb to that vision. Ralph ralph@ee.net



                      • #26
                        Boss says -

                        Joe wrote: "...But you absolutely must have the source code to whatever business software you purchase. ..." How is this possible? We are using Domino for its basic document workflow capabilities. We are adding lots on top of that, up to and including a Netfinity Server. How can we get the source code for Domino?



                        • #27
                          Boss says -

                          "How is this possible? We are using Domino for its basic document workflow capabilities." Like I said, there are certain functions you can use without source, like word processing. I would put BASIC document workflow somewhere in the area of word processing functionality. If, on the other hand, your critical business processes begin to depend on the function (or lack of function) of Domino, what happens when Domino doesn't stack up? So, no, I'm not a big fan of building mission critical systems written in LotusScript. It's fast, it's easy, and it's proprietary. It's your decision. JOE'S OPINION: When programming is reduced to calling macros, it ain't programming anymore, it's simply configuration. And if what you have underneath doesn't do the job, then you can configure to your heart's content, but you can't make a silk purse out of a sow's ear - and you can't make an ERP package out of a spreadsheet, either. Joe



                          • #28
                            Boss says -

                            Also, I agree with those of you who say for reasons of security not to connect the Internet directly to the existing AS/400.

                            I think this attitude is often taken to an extreme. People will architect unnecessary layers of hardware and software between their AS/400 and their customers. The end result is often a bottleneck and a solution that costs a bundle and doesn't scale well. In most cases, a firewall is the only hardware/software separation you'll need. Denial of service attacks are stopped there. Connection attempts to unauthorized IP addresses and ports are stopped there. It prevents disclosure of any information about your local area network.

                            The IBM HTTP server is also very secure. Access to every AS/400 resource is denied by default. You must explicitly configure any exceptions to that rule. It's a great gateway to Websphere, Net.Data, and CGI applications. In most cases, it's overkill to have a policy that disallows the AS/400 HTTP server to handle requests that are passed from your firewall.



                            • #29
                              Boss says -

                              I think this attitude is often taken to an extreme. People will architect unnecessary layers of hardware and software between their AS/400 and their customers. The end result is often a bottleneck and a solution that costs a bundle and doesn't scale well. In most cases, a firewall is the only hardware/software separation you'll need. Denial of service attacks are stopped there. Connection attempts to unauthorized IP addresses and ports are stopped there. It prevents disclosure of any information about your local area network. The IBM HTTP server is also very secure. Access to every AS/400 resource is denied by default. You must explicitly configure any exceptions to that rule. It's a great gateway to Websphere, Net.Data, and CGI applications. In most cases, it's overkill to have a policy that disallows the AS/400 HTTP server to handle requests that are passed from your firewall.

                              Nathan, I don't disagree that you can take security to an extreme. As I said, IBM Israel has two separate networks, one for Internet and one for internal use. This was rather cumbersome, but is obviously very secure. On the other hand, you can certainly go with a simple firewall using a router. But a firewall may or may not be secure enough. Firewalls can be hacked. Are you allowing Telnet access to your router, or do you have a hardwired local console? Do most people even know if they have Telnet access to their router? It's important, because if you do it's pretty simple for someone to brute force hack into the router. And once that happens, if the router is your only security, your network is now completely compromised, because the hacker can reprogram the router any way they choose.

                              How much security do you need? It depends. But you should always consider the extremes, and go in with the idea that any computer attached to the Internet could be compromised. The chances are small, sure, but you must make an INFORMED decision - you must be willing to actively ignore the potential security risks, not minimize them with an "it can't happen here" attitude. "Good enough" is not necessarily good enough when it comes to security.

                              Joe
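
An added illustration, not part of any post in this thread: a Python model of the firewall policy the posts above describe ("specific IP ports from specific IP addresses", default deny) with an audit that flags rules broader than that and Telnet management open to any source. All addresses are constructed; the use of TCP port 446 (the IANA-registered DDM/DRDA port) for DDM is an assumption, as are the names `Rule`, `decide` and `audit`.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = "0.0.0.0/0"

@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # source network in CIDR form
    dst: str               # destination network in CIDR form
    port: Optional[int]    # destination TCP port, None = any port

def decide(rules, src, dst, port):
    """First matching rule wins; traffic matching no rule is denied."""
    for r in rules:
        if (ipaddress.ip_address(src) in ipaddress.ip_network(r.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(r.dst)
                and r.port in (None, port)):
            return r.action
    return "deny"

def audit(rules, protected, mgmt_ports=(23,)):
    """Static review of allow rules (rule order/shadowing is not considered).

    Flags rules toward a protected host that open every port or accept a
    whole source range, and management ports (Telnet) open to any source.
    """
    findings = []
    for i, r in enumerate(rules):
        if r.action != "allow":
            continue
        src_net = ipaddress.ip_network(r.src)
        dst_net = ipaddress.ip_network(r.dst)
        touches = any(ipaddress.ip_address(h) in dst_net for h in protected)
        if touches and r.port is None:
            findings.append((i, "all ports open to protected host"))
        if touches and src_net.num_addresses > 1:
            findings.append((i, "source is a range, not one named host"))
        if r.port in mgmt_ports and src_net.prefixlen == 0:
            findings.append((i, "management port reachable from any address"))
    return findings

# Constructed sample network: DMZ web server 192.0.2.10, router 192.0.2.1,
# production host 10.0.0.5, outside client 203.0.113.7.
PROTECTED = ["10.0.0.5"]

WEAK = [
    Rule("allow", ANY, "192.0.2.10/32", 80),            # public web traffic
    Rule("allow", "192.0.2.0/24", "10.0.0.5/32", None), # whole DMZ, every port
    Rule("allow", ANY, "192.0.2.1/32", 23),             # Telnet to the router
]

TIGHT = [
    Rule("allow", ANY, "192.0.2.10/32", 80),            # public web traffic
    Rule("allow", "192.0.2.10/32", "10.0.0.5/32", 446), # web server -> DDM only
]

if __name__ == "__main__":
    for name, rules in (("WEAK", WEAK), ("TIGHT", TIGHT)):
        print(name, audit(rules, PROTECTED))
    print(decide(TIGHT, "203.0.113.7", "10.0.0.5", 446))
```
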



                              • #30
                                Boss says -

                                But you should always consider the extremes, and go in with the idea that any computer attached to the Internet could be compromised. The chances are small, sure, but you must make an INFORMED decision...

                                An "informed" decision is all I'm asking. But, I think in the case of connecting an AS/400 to the web, many people are making decisions based mostly on fears that are amplified by the media. Decision makers often don't know much about TCP/IP and related protocols. But they do know that their AS/400 hosts a lot of valuable resources. So, they just decide to play it safe and adopt the blanket policy of hosting their web site on NT. Most networking professionals come from an NT and/or Unix background. They mistakenly assume the AS/400 might be vulnerable to the same types of hacks employed in the rest of the world. They don't give "informed" advice. I'm asking that credit be given where credit is due. That, you can host web applications on an AS/400 without undue fear.

                                You make a good point about routers/firewalls supporting Telnet. But often, remote configuration is turned off. If you decide to turn it on, you still protect it with a password. Point is, you can protect a firewall from being hacked. Then, after that, you still have AS/400 built-in security to protect your data and other resources.
