Hal Merritt writes:
>That said, IMHO, the sacrificial server has some pros. It could be a
>useful shield in a password DoS attack. Its mission is to contain the
>damage by going out of service.
>It can also add value as an outer shield to a DDoS attack. The MF can
>handle the load much more so than the network infrastructure. Having an
>outer server fail would sacrifice that connectivity to protect the
>overall network. Seems reasonable.

Good points. That's what I had in mind with those "redirector" (or "IP reflector") comments. The good news is that, if that's a concern, you might already be protected just based on the existing network infrastructure. Either way, you don't need yet-another-set-of-servers to take care of this. Modern routers (e.g. Cisco equipment) can handle this stuff for you. And you've got multiple physical and logical isolation capabilities on the mainframe itself to deal with such circumstances in the extremely unlikely event they get past the physical network infrastructure.

I've heard the argument on occasion that putting the TN3270 gateway on an offboard server allows different groups of people to manage LU names in different ways. True, I suppose, but then I inquire about why there's a need to manage LU names at all. (Are pools appropriate?) I also wonder why there's an internal process or organizational dysfunction which encourages the more costly management of multiple servers, each with their own set of LU names, rather than the (much easier) management of a centralized set of names.

A lot of people think assigning specific LU names yields security benefits. I'd argue not, at least in the TN3270 world where hardwired physical terminals don't exist.

And of course all of this refers to 3270 access, a user interface which college kids find passé but which is still highly productive among highly trained call center operators and airline workers. That results in a question about whether an emulated 3270 terminal interface is appropriate for a particular group of users. Mainframes can handle HTTP(S), HTML, even AJAX just fine, and none of those acronyms have anything to do with TN3270.

- - - - -
Timothy Sipples
IBM Consulting Enterprise Software Architect
Specializing in Software Architectures Related to System z
Based in Tokyo, Serving IBM Japan and IBM Asia-Pacific
E-Mail: [EMAIL PROTECTED]

