[Info-vax] Using VMS for a web server

[David Froble]

Jan-Erik Soderholm wrote:
> David Froble skrev den 2015-06-08 19:21:
>> Bill Gunshannon wrote:
>>
>>> Exactly.  I would never run a webserver on a machine that was intended
>>> to do the data processing for the business.
>>
>> It would depend, but I'd usually agree with this.
> 
> David, how many web servers have *you* setup and managed?
> On VMS or on any platform?
> 
> There isn't anything magic with a web server, it is just
> another application out there. You can use it and you can
> missuse it as much as you like. Just as any application.
> 
> 

I don't have much experience with web servers.  Might remedy that in the 
future.  Might not.

If I have an application that does not need to have access to / from the 
internet, many issues no longer exist.

A web server, by definition, is open to access from the internet.  Well, 
usually.

What I do have experience with is services running on VMS that accept 
connections over the internet.  I'm in control of the design and 
communications in the services.  They do not use any known web server 
that hackers can be familiar with.  This means I can make them rather 
secure.  I control what happens with the incoming data.

Now, TCP/IP is in use, and if there is a vulnerability in TCP/IP, it's a 
bit beyond my control.  It then becomes a problem for the people 
providing the TCP/IP software.  So, there are multiple levels involved, 
some you can control, and some outside your control.  Like Steve asks, 
"are you fully up to date with patches?"

But as to the topic of separate systems.  If they are not the same, then 
even if a hacker gets into the system(s) running the web server(s), he's 
still not into your production system(s).  That can add an additional 
layer of security to your production system(s).  Any hacker would have 
to be able to get into the communications between systems, in order to 
affect your production system(s).

So yeah, it's something to consider.