  • #31
    Boss says -

    Then, after that, you still have AS/400 built-in security to protect your data and other resources. How often do you use FTP to your AS/400? When you do, do you start the FTP server, use FTP, then end the FTP server? That's what you SHOULD do, but I'd venture a guess that the majority of people don't. Next, try Telnetting into your FTP port. You'll be amazed to find that not only is it available, but it's extremely helpful. I won't go into detail, but it's an extremely dangerous feature, and all but unknown to AS/400 programmers. However, it's STANDARD in the non-AS/400 world to do just that. Now all "they" need is a user ID and password; and guess what? They may be able to get that with a decent packet sniffer, once they're on your network. Of course, with the "sniff" and "son of sniff" programs, we all know that AS/400 passwords aren't as secure as we thought they were. Anyway, all I'm saying is that an AS/400 is not a "secure" web server. It's reasonably secure, but not anything close to completely secure. Nor is a simple firewall. Before you make a blanket statement that it's okay to use a production AS/400 as a web server, you may want to first understand what data is on that AS/400 and how sensitive it is. Joe http://www.java400.net http://www.edeployment.com http://www.plutabrothers.com



    • #32
      Boss says -

      Before you make a blanket statement that it's okay to use a production AS/400 as a web server, you may want to first understand what data is on that AS/400 and how sensitive it is. Good point. As I mentioned before, all I want is an informed decision. In fact, the value of this type of discussion lies in our exploration past blanket statements. For example, I have never tried to telnet into the ftp server. But, a couple years ago our ftp server (on the AS/400) quit working. Actually, it was still working, I just wasn't using the right userid/password. Without my knowing it, a colleague had inserted a simple exit program to exclude anonymous access - even within the LAN. Another simple exit program prevented all directory listings and file transfers - except within a specific directory. So, in addition to weighing the sensitivity of the data, we ought to also become aware of the available features that protect that data. Make an informed decision. I must concede that in some cases, a healthy paranoia is a good thing. No one knows all the resources available to a good hacker. You're right in considering the sensitivity of the data. But my overall premise is that you want to provide web access to your data, it's just a matter of how. I've suggested employing a good firewall and protection features available on the AS/400. What would you suggest as a general purpose solution?

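The two exit programs Nathan describes in #32 (no anonymous logon even from the LAN; listings and transfers confined to one directory) as an added example of the decision such an FTP server request exit program hands back. This is not the poster's exit program and not OS/400 code: it is a Python model of the policy, and the exchange directory, the user names, the operation names and the sample requests are all constructed here. The one point it adds to the post is path canonicalisation: a check that compares raw strings would accept "../" traversal out of the allowed directory, or a sibling directory whose name merely begins with the allowed prefix.

```python
"""Python model of the policy an FTP server request exit program enforces.
Added example for this thread, not the poster's exit program and not OS/400
code; the directory, user names, operation names and sample requests are
constructed here."""
import posixpath
from dataclasses import dataclass

# assumption: the single directory in which listings and transfers are allowed
EXCHANGE_DIR = "/home/ftp/exchange"
# assumption: logon names the server treats as anonymous
ANONYMOUS_USERS = {"anonymous", "ftp"}


@dataclass(frozen=True)
class FtpRequest:
    user: str
    operation: str       # LOGON, LIST, GET, PUT, DELETE, ...
    path: str = ""       # absolute, or relative to the current directory


def resolve(path, cwd=EXCHANGE_DIR):
    """Canonical absolute path: relative names are joined to cwd and '.'/'..'
    are collapsed, so the comparison below sees the directory really targeted."""
    return posixpath.normpath(posixpath.join(cwd, path))


def inside(path, root):
    """True only if the canonical path is root itself or lies below it; the '/'
    appended to root stops '/home/ftp/exchange2' passing as inside '/home/ftp/exchange'."""
    norm = resolve(path)
    return norm == root or norm.startswith(root + "/")


def check(req):
    """Return (allowed, reason) for one request: the verdict an exit program returns."""
    if req.user.lower() in ANONYMOUS_USERS:
        return False, "anonymous access is disabled, LAN included"
    if req.operation == "LOGON":
        return True, "named user may log on"
    if req.operation in ("LIST", "GET", "PUT"):
        if inside(req.path, EXCHANGE_DIR):
            return True, f"{req.operation} inside {EXCHANGE_DIR}"
        return False, f"{req.operation} outside {EXCHANGE_DIR} refused (resolves to {resolve(req.path)})"
    return False, f"operation {req.operation} is not permitted at all"


def audit(requests):
    """Apply the policy to a batch and return the refused requests with their reasons."""
    return [(r, reason) for r in requests for ok, reason in [check(r)] if not ok]


if __name__ == "__main__":
    sample = [  # constructed requests, including the traversal and prefix cases
        FtpRequest("anonymous", "LOGON"),
        FtpRequest("nathan", "LOGON"),
        FtpRequest("nathan", "GET", "orders.csv"),
        FtpRequest("nathan", "GET", "/home/ftp/exchange/../../../home/secret/payroll.dat"),
        FtpRequest("nathan", "LIST", "/home/ftp/exchange2"),
        FtpRequest("nathan", "DELETE", "/home/ftp/exchange/orders.csv"),
    ]
    for req, reason in audit(sample):
        print(f"DENY {req.user:9} {req.operation:6} {req.path!r}: {reason}")
```

The real exit point receives the request in a fixed parameter format rather than a dataclass, but the shape of the decision is the same: refuse by user class first, then by operation, then by canonical location, and default to refusal for anything not explicitly listed.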


      • #33
        Boss says -

        Joe, I too think organizations should carefully evaluate their security requirements when connecting their corporate network to the internet. I don't agree with those who think it is ok to let a mission-critical, production as/400 be visible to the internet. I realize I won't convince anyone who has strong opinions otherwise, especially in the limited space of a discussion forum. However, relying on the anonymity of the vast www to not draw the attention of a hacker to your system is probably the most dangerous advice I have seen posted in some time. Sure, putting a firewall in front of the as/400 is better than nothing, certainly. You can't treat a firewall as a magic bullet. As you start opening up ports and services to allow you the access you need, you take a brick out of that wall. Eventually you will make a mistake or just take out one too many bricks. The AS/400 in a twinax-only world is a very secure system - that is, it is fairly easy to manage the security and provide adequate protection. The AS/400 in a tcp/ip world has many more avenues of entry, and most as/400 shops I have seen are not trained to close the loopholes, much less manage the security on an ongoing basis. There are very few as/400s that I cannot enter given electronic access and a couple of hours, and I don't consider myself especially expert at that sort of thing. It is just that most companies put their IT effort into solving their business issues and very little into security. (A company comes to mind that let everyone sign on as QSECOFR because all that security stuff was a hassle - I kid you not.) We all have to strike a balance to find that acceptable level of risk. With the price of small as/400s dropping so low in recent months, I just don't see why any company wouldn't dedicate a whole box to web access. If your company can't afford even that modest investment, let someone else host your website. You will be happier in the long run, but, there again, you have to decide the level of acceptable risk. Alex Garrison



        • #34
          Boss says -

          Alex, Nice to have you drop back in. Your brick analogy was very good. One reason for my probing into this is because I plan on enabling web access to my AS/400 by the end of the year. Your suggestion of having an ISP host your site won't always work because the purpose of enabling a web connection is to provide outside access to production data. That's what e-business is all about. Enabling customers to check their orders, for example. If you buy a small AS/400 to host your web site, you still must connect that box to a box where the data resides. If the cost of a dedicated box is not a deterrent, then maybe performance, or the cost of an extra layer of software is. Can you elaborate on your idea? Also, if a hacker is successful in getting into your web server, what's to prevent him from going further? Nathan.



          • #35
            Boss says -

            O.K. - looks like I need a front end web server to minimize the security exposure for our existing production AS/400. From what I understand, there are two choices - a Microsoft Windows solution that could run on an IBM PC web server (Netfinity now x-series) or a small IBM AS/400 now i-series web server. What are the pros and cons of these choices? For starters, it has been said that the AS/400 solution would be more secure, but normally there are more software choices at lower prices in the Microsoft Windows arena. What else should we be thinking about?



            • #36
              Boss says -

              After my previous post, I visited my snail mail box and what should I find, but a folded postcard type advertisement from IBM Global Services. The second one of this type received from them in the last couple of weeks. ------------------------------------------------------ "IBM + Windows 2000 + Emerging Technologies = e-Power" "Don't Miss this Rare and Valuable Opportunity to Learn Advanced and Proven Windows 2000 Server Solutions that Can Transform Your Business!" "Migrating to Windows 2000 - An Enterprise Deployment Case Study" "Examine the very latest for Windows 2000 in emerging technologies, enhancements, and solutions that have everyone buzzing." ------------------------------------------------------ What is IBM trying to tell us? They know this is an AS/400 shop. We currently do not even have a Microsoft Server. We have Novell Netware for our Network Operating System! Is it any wonder that we are considering using a Windows NT or Windows 2000 web server? IBM is all but telling us to, and by the way, next year you will even be able to direct attach such a box to an AS/400! Why should I even consider getting a front end AS/400 web server?



              • #37
                Boss says -

                Nathan, I thought I'd respond here to your questions, since you've asked both Alex and me essentially the same question: "If you don't like the firewall approach, what's your answer?" Which is a valid question.

                "Your suggestion of having an ISP host your site won't always work because the purpose of enabling a web connection is to provide outside access to production data. That's what e-business is all about. Enabling customers to check their orders, for example."

                Agreed. There are three kinds of data requirements:

                1. Static, where someone manually updates the website as needed
                2. Staged, where production data is staged to a local box on a regular basis
                3. Demand, where production data needs to be accessed on demand

                For static and staged data, we can assume that the data on the local machine is unsecured, and so most of this discussion doesn't apply. Either one of these can be hosted on an ISP, and the rest of the discussion is moot. It's the on-demand requirements that really tax the security aspects. In this case, we need a way to provide data to an end user, while at the same time preventing access to other data. This is the issue.

                "If you buy a small AS/400 to host your web site, you still must connect that box to a box where the data resides. If the cost of a dedicated box is not a deterrent, then maybe performance, or the cost of an extra layer of software is. Can you elaborate on your idea?"

                This is the real issue. No matter what you choose as your web server, you'll still need to connect it to your production data machine. While I won't go into great detail, the best answer is to have a non-TCP/IP pipe between your machines. A very simple, fast client/server protocol can be designed that will allow access to any data you require, and can even support bidirectional processing if you need to enter transactions from the web. I've done this, and the results are impressive; I created a web-based file maintenance program that is actually faster than green screen. The added overhead of going through a proxy is minimized by the fact that you're usually talking about a very small amount of data per transaction, and the actual communication with the end user is pure HTML. For longer reports, by the way, the best idea is to run the report on the production machine, send it to the web server which then converts it to PDF format and makes it available to the end user. This avoids a host of bandwidth and security issues.

                "Also, if a hacker is successful in getting into your web server, what's to prevent him from going further?"

                While David Bye pointed out to me that there are indeed SNA hackers out there, they are a VERY small minority, and SNA hacking is much more difficult than TCP/IP. The usual pattern for a TCP/IP hacker is to hack into one machine, then do an IP address scan to see what other machines the hacked machine connects to. So if the web server is an isolated box with no connection to the primary network and has only a non-TCP/IP connection to your production machine, then what the hacker sees is essentially a "dead end". This is no fun and no challenge, and the hacker is likely to seek out a more interesting target - hopefully not on your network.

                The long and short of the situation is this: I think a firewall is a requirement for any network. I think no machines other than your firewall should have a real-world IP address. I think you should use address translation and port-level security for all your IP traffic. And I think your web server should be isolated from your primary network, and connected to your production machine through non-TCP/IP communications. With all these in place, you have a reasonably secure environment.

                Of course, as soon as you let your end users have simultaneous access to your production machine AND the Internet, you have just taken a very serious brick out of your security wall. But that's a different issue. Joe http://www.java400.net http://www.edeployment.com http://www.plutabrothers.com

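The "very simple, fast client/server protocol" Joe describes in #37 between an isolated web server and the production machine, as an added example that is not Joe's code and not from any product mentioned in the thread. The transport he used (non-TCP/IP) is not modelled; an in-process socket pair stands in for the pipe. What the example shows is the property that makes the web server a "dead end": the production side speaks a fixed vocabulary of operations with validated arguments and returns only the fields the web application is entitled to, so a compromised web server gains no general query capability. The operation names, the record layout, the sample orders and the length limit are constructed here.

```python
"""Narrow request/reply protocol between a web tier and a production data
machine. Added example for this thread, not the poster's code; operation
names, record layout, sample orders and limits are constructed here."""
import re
import socket

MAX_REQUEST = 64           # bytes; anything longer is refused unparsed (assumption)
FIELD_SEP = "\t"

# constructed production records: the full record holds fields the web tier must never see
ORDERS = {
    "10042": {"status": "SHIPPED", "ship_date": "2000-11-10", "customer": "C0007",
              "card_number": "4111111111111111", "margin_pct": "31.5"},
    "10043": {"status": "OPEN", "ship_date": "", "customer": "C0007",
              "card_number": "4111111111111111", "margin_pct": "28.0"},
}

ORDER_NO = re.compile(r"^[0-9]{5}$")    # argument grammar per operation, nothing else passes
CUST_NO = re.compile(r"^C[0-9]{4}$")


def op_order_status(order_no):
    """Customer-facing status lookup; only status and ship date leave the production side."""
    rec = ORDERS.get(order_no)
    if rec is None:
        return ["NOTFOUND"]
    return ["OK", rec["status"], rec["ship_date"]]


def op_open_orders(customer):
    """Open order numbers for one customer, count first."""
    hits = sorted(n for n, r in ORDERS.items()
                  if r["customer"] == customer and r["status"] == "OPEN")
    return ["OK", str(len(hits))] + hits


# the entire vocabulary the production side will answer: opcode -> (argument validator, handler)
OPERATIONS = {
    "ORDSTS": (ORDER_NO, op_order_status),
    "OPNORD": (CUST_NO, op_open_orders),
}


def encode_request(opcode, argument):
    """Web-server side: one request is one line, opcode TAB argument."""
    return f"{opcode}{FIELD_SEP}{argument}\n".encode("ascii")


def handle_request(raw):
    """Production side: parse, validate and dispatch one request; returns the reply bytes.
    Every failure path refuses before any handler runs."""
    if len(raw) > MAX_REQUEST:
        return b"ERR\toversize\n"
    try:
        line = raw.decode("ascii")
    except UnicodeDecodeError:
        return b"ERR\tencoding\n"
    if not line.endswith("\n") or "\n" in line[:-1]:
        return b"ERR\tframing\n"
    parts = line[:-1].split(FIELD_SEP)
    if len(parts) != 2:
        return b"ERR\tframing\n"
    opcode, argument = parts
    entry = OPERATIONS.get(opcode)
    if entry is None:
        return b"ERR\tunknown operation\n"
    validator, handler = entry
    if not validator.match(argument):
        return b"ERR\tbad argument\n"
    return (FIELD_SEP.join(handler(argument)) + "\n").encode("ascii")


def exchange(opcode, argument):
    """Push one request through a socket pair standing in for the pipe between the
    two machines; returns the reply split into fields."""
    web_side, prod_side = socket.socketpair()
    try:
        web_side.sendall(encode_request(opcode, argument))
        prod_side.sendall(handle_request(prod_side.recv(MAX_REQUEST + 1)))
        return web_side.recv(256).decode("ascii").rstrip("\n").split(FIELD_SEP)
    finally:
        web_side.close()
        prod_side.close()


if __name__ == "__main__":
    for op, arg in [("ORDSTS", "10042"), ("OPNORD", "C0007"),
                    ("ORDSTS", "10042 OR 1=1"), ("DUMPALL", "10042")]:
        print(op, arg, "->", exchange(op, arg))
```

The contrast with handing the web server a database connection is the point: with a general query path, "what's to prevent him from going further" is answered only by the credentials the web server holds, whereas here the production side cannot be asked for anything outside OPERATIONS no matter what the web tier sends.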


                • #38
                  Boss says -

                  "I too think organizations should carefully evaluate their security requirements when connecting their corporate network to the internet." At the risk of shamelessly plugging my company, that's why eDeployment decided from the beginning that we needed not only AS/400 expertise, but also TCP/IP and web presence expertise. Each of these areas has different, often conflicting, requirements, and you need to balance all of them together to find the right solution. For example, the tightest security might make an application unacceptably slow. Meanwhile, a quick-time-to-market web solution may not be scalable. And a fancy front end might make web access time too long. All of these factors and more need to be addressed when putting up an AS/400-powered web presence, and there's no one-size-fits-all solution. But then again, that's the true nature of the business software market: there's no such thing as a shrinkwrapped business solution. Joe http://www.edeployment.com



                  • #39
                    Boss says -

                    "What is IBM trying to tell us? They know this is an AS/400 shop. We currently do not even have a Microsoft Server. We have Novell Netware for our Network Operating System!"

                    Frank, for whatever reason, IBM marketing has no idea what the AS/400 market is. They never have, and I don't know if they ever will. At the same time, they're trying to make sure they don't "lose" any of the perceived market out there for server business, so they'll jump on the Microsoft bandwagon along with everyone else. I think this is an idiotic position, and so do most of us who really know the AS/400 and its strengths, but this message comes from Armonk, not Rochester, and there seems to be very little we can do about it. At COMMON I saw a great mini-movie about how the AS/400 just crushes UNIX when it comes to scalability, integration, cost-of-operation and reliability. And at the exact same event, I then saw a video with a guy skiing down a steep, virgin slope (I think this was another "extreme computing" gig). IBM is still unsure of how to promote the AS/400, so don't be worried by getting mail from a part of the company that, essentially, has no idea what an AS/400 is.

                    Now, as to your previous question of AS/400 vs. Windows for web serving. You can break the pros and cons down pretty quickly:

                    Windows PROS: A less expensive initial cost solution (although Windows 2000 server is by no means a cheap piece of software). More software choices, though the real issue, web serving, is pretty much limited to a choice between Microsoft IIS which is integrated into the operating system, and "other stuff" which may or may not work from release to release.

                    Windows CONS: You need a Microsoft technician, or at least someone who understands the various setup pieces. This person is required to know TCP/IP, security and configuration of Windows 2000. You need to put in place all the required backup and security procedures, none of which are like those of your AS/400. Fixes, patches and upgrades come very often, and on occasion break your machine entirely. Like any other Microsoft product, Windows 2000 goes belly up on occasion for no apparent reason. When it does, you need to reboot.

                    AS/400 PROS: You're used to the AS/400 environment. Regular backup and security are the same as for your production AS/400. Highly reliable: AS/400s don't go belly up. Highly scalable: if you need to ramp up for volume, you get a bigger box, plug it in, and it runs. Most importantly, it is very, very easy to set up a secure, non-TCP/IP connection between two AS/400s.

                    AS/400 CONS: You'll need to learn TCP/IP security for the AS/400. While this is the same as for the Windows solution, it's more foreign because it's an AS/400 and you'll be tempted to have an AS/400 person do it. If you do that, the AS/400 person has a pretty big learning curve, but it's not impossible. Just remember to allow for that. It's certainly less than the learning curve required to have an AS/400 programmer learn Windows 2000 Administration.

                    Summary: A Windows solution is generally cheaper going in and more expensive in the long run than an AS/400 solution. However, a Windows solution in a non-Windows shop is pretty expensive even going in, because you're going to have to train or hire Windows expertise, and that's no small feat. Hope this helps. Joe http://www.java400.net http://www.edeployment.com http://www.plutabrothers.com



                    • #40
                      Boss says -

                      Alex, Nathan, "Your suggestion of having an ISP host your site won't always work because the purpose of enabling a web connection is to provide outside access to production data. That's what e-business is all about. Enabling customers to check their orders, for example."

                      Certainly that can be a problem. I was thinking a company just getting into the web might have more modest goals - like just serving up static html. However, there are some companies out there now who will host your website and provide linkage into your legacy system. You can get services that run the gamut from bare essentials h/w up to full integration into your company. My current employer is in the process of deploying their web servers at a colocation facility run by Exodus in Austin, Texas. Exodus provides high-speed, redundant connections to the internet backbone. They also have all the UPS and generator power you could want with a nice, physically secure facility. We supply the computer hardware and of course the s/w applications. Our corporate network links into Exodus providing real-time access to any production data we desire. One of the big advantages here is that Exodus has a great team of security experts who really allow you to focus on solving your business problems (not that we blindly rely on their expertise). We have invested in multiple tiers of security that make it very hard to compromise. While not for everyone (some go to much more effort than we do), this is our acceptable level of risk. Another hosting option is a company like dotLogix. I start working for them in two weeks, so please treat this paragraph as a shameless plug. DotLogix is an ASP providing the hardware to run your web site and goes one step further to provide programmers who can link it all back into your legacy system, if desired. Neither of the above options is probably appropriate for a very small shop due to $$$, but the point is web hosting sites can do much more than just serve up static html these days.

                      "Also, if a hacker is successful in getting into your web server, what's to prevent him from going further?"

                      To me your question goes right to the heart of the debate. There is really nothing you can do to keep out someone who has infinite resources and time. So we are always talking about reaching some level of acceptable risk. I believe there are simple things you can do to reach a high level of protection, beyond which is a point of diminishing returns. What we do is throw up obstacles that hopefully will keep out all but the most determined attack. There are some things you can do to try to isolate your web server to keep someone from going further. Getting into my as/400 web server doesn't mean you can easily get into one of our production corporate as/400s. Even if you can figure out some way to passthru (or telnet or...), for example, you will face the security built in to the other as/400s. We put up one roadblock after another. Hopefully we will notice what is happening before all the layers are penetrated. Although it wouldn't be appropriate to go into all the details, the as/400 system exit points provide a great way to be proactive with security. You can even get some third party as/400 utilities to help in that regard.

                      "If you buy a small AS/400 to host your web site, you still must connect that box to a box where the data resides. If the cost of a dedicated box is not a deterrent, then maybe performance, or the cost of an extra layer of software is. Can you elaborate on your idea?"

                      Websphere and Java come "free" with os/400 (you don't need the enterprise version of websphere). I don't see where you have a $ for any extra layer of software - unless you are referring to the cost of os/400 for the dedicated box. Of the things you mentioned, I think performance is the hardest metric to really nail down. Scoping out the size of the dedicated box is one place where I would seek out some consultant support (I mean other than just your friendly IBM salesperson). If nothing else the exercise will help you establish your own expectations in some measurable way. Benchmarks like JBOB are fun to read about, but they haven't helped me really decide how big is big enough. I can give you some generalizations - just my opinions. Let's start with one of the things I learned: websphere and Java are cpu pigs. If you figure out how much cpu power you need to do some task in RPG, double it for Java/websphere (even worse if you are using jdbc instead of IBM toolbox record level access). Secondly, be realistic in predicting the web workload. Will you have 5-10 hits per day, per hour, per min, per second? A small as/400 capable of supporting a couple of simultaneous web sessions is just not that expensive. Thirdly, don't try to predict demand too far into the future. Websphere 3.5 on an os/400 v4r5 box (with its faster jvm) is probably 30-40% faster than websphere 1.1 on a v4r3 box (based on a combination of subjective experience and IBM marketing hype). IBM is getting faster all the time, so predicting far into the future using current performance will cause you to buy way more CPW than you really need. Lease a small as/400 that will be adequate for 12-18 months. You can cut your teeth on your first web deployment and develop your own feel for CPW needed in the next level up. Well this has rambled on way too long. Hope this helps some. Alex Garrison



                      • #41
                        Boss says -

                        Re: Pros and cons of Windows vs. AS/400 web serving (not to mention Unix) Frank, I agree with all that Joe said and have just a little to add, that being that anyone that thinks they can sell the AS/400 as the web server of choice to the client by dismissing Windows out of hand as insecure and unreliable isn't going to get anywhere. There are too many major sites running IIS and not enough major AS/400 web sites. It is actually we who have the burden of proof. We can chant reliability, scalability, and total cost of ownership until the cows come home, and it won't sell one person. Ever. As in never. As always, the AS/400 will sell to run unique software, and that is what justifies the AS/400 as web server of choice for your shop. The combination of running RPG server programs on an AS/400 web server accessing production AS/400 files via DDM over SNA is an unbeatable scenario of providing real time business logic in the most secure environment obtainable. There is not even a premium to pay for this scenario as the AS/400 Invader of a couple of years ago priced out less than an equivalently configured NT box. Remember that all Windows software for web site creation and administration is used the same whether AS/400 IFS or NT is the file repository. The backend is a choice between the industry standard Apache based Websphere versus the proprietary if not ubiquitous Microsoft IIS web server with its ASP technology (I saw the post where an equivalent to ASP has been implemented as a Java servlet). It's essentially the choice between Unix and NT that everyone must make. The AS/400 is the Unix fork but with RPG business logic and OS/400 as additional benefits. Hope that makes the AS/400 the compelling choice for you. If not, we can add more details about what it would take to implement what you want to do on NT or Unix. It's way more than IIS versus an AS/400 web server, it's the back end real time business logic and how you will implement that on a web server. Cheers, Ralph ralph@ee.net



                        • #42
                          Boss says -

                          Joe Pluta wrote: IBM marketing has no idea what the AS/400 market is. They never have I'll disagree with you here Joe. Once upon a time, IBM computers were broken up into two divisions: GSD and DSD. I forget which was which, but the division that handled Midrange Computers (The AS/400 was just a S/38 back then) actually knew what it was doing. During this time - Prior to 1987 - Shops actually got to meet with their salespeople. These people would visit the shop every so often. The CE and the SE were known on a first name basis. IBM reps would attend user meetings, and no one would ever get fired buying "blue". Then came progress :-( Dave



                          • #43
                            Boss says -

                            Here is an indication of how bad security is in the internet. I think when you're planning to implement you need to get people with the right skills. In my opinion the idea of learning as you go or winging it is not acceptable when it comes to security of your company's information. David

                            eSecurity breaches cause over US $15 billion damage worldwide annually
                            15 Nov 2000
                            London, November 15, 2000 - A whitepaper published today by Datamonitor reveals that despite numerous high profile attacks, companies are still not taking eSecurity seriously. According to the white paper 'eSecurity - removing the roadblock to eBusiness', over 50% of businesses worldwide spend just five per cent or less of their IT budget on securing their networks. The lack of eSecurity is a barrier to the effective growth of eCommerce. Datamonitor predicts that global business-to-business and business-to-consumer eCommerce revenues will reach US $5.9 trillion and US $663 billion by 2005 respectively. However, these forecasts will not be achieved without the security issue being resolved. "Many eBusinesses are still ignorant about the risk they are exposing themselves to. Despite the fact that a significant number of companies have already suffered problems with unauthorized access, over 30% have yet to implement adequate security", said Datamonitor eSecurity analyst, Ian Williams.



                            • #44
                              Boss says -

                              Oh yes, one other minor detail, we also have an AppleTalk Mac LAN here that must be taken into consideration. There is a Mac Server with 6 to 8 Macs on their own LAN. That is in addition to our AS/400 which is on our PC based LAN with its PC Server. Our publishing type creative folks use the Macs. They are the ones that store the thousands of images of our products with detailed product descriptions. Hmmm - how to take that into our Internet planning? Has anyone been there & done that? I'm close to clueless. Here's a real wild idea that has recently popped into my head. Should we be considering having our web site hosted on multiple servers? Should one of them be a Mac web server? Seems to me, under the click on a URL address Internet approach, there is no technical reason that a company's web site needs to be limited to just one web server. Is anyone hosting their web site on multiple web servers? What are a few key considerations in doing so? Or am I just getting a little crazy here? Maybe I've overdosed on caffeine. Help! Help! Help! I really could use whatever advice you may be capable of giving. Thanks.



                              • #45
                                Boss says -

                                I've never used or seen a Mac before so let me be the one to give you advice on this. ;o) It's a good idea to use multiple servers for load balancing and security. What I mean is setup a multi-tiered web application where the business data resides on the '400 and the web app is on one or more web servers with the business logic anywhere in-between. You can encapsulate business logic in Java beans which can be served from any web server. These beans can reside on the web server or the data server. The web server can be of any platform as this makes no difference to the application logic and data. There's definite research to be done here. I'll stop now and read the rest of this thread.
