ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzaj4_5.4.0.1/rzaj45zvsolutions.htm

135 lines
8.8 KiB
HTML
Raw Permalink Normal View History

2024-04-02 14:02:31 +00:00
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Choosing iSeries network security options" />
<meta name="abstract" content="Provides you with a concise discussion on which security options you should choose based on your Internet usage plans" />
<meta name="description" content="Provides you with a concise discussion on which security options you should choose based on your Internet usage plans" />
<meta name="DC.Relation" scheme="URI" content="rzaj45zgiptraffic.htm" />
<meta name="DC.Relation" scheme="URI" content="rzaj45zgiptraffic.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 1999, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 1999, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzaj45zvsolutions" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Choosing iSeries network
security options</title>
</head>
<body id="rzaj45zvsolutions"><a name="rzaj45zvsolutions"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Choosing iSeries network
security options</h1>
<div><p>Provides you with a concise discussion on which security options
you should choose based on your Internet usage plans</p>
<p>Network security solutions that guard against unauthorized access generally
rely on firewall technologies to provide the protection. To protect your iSeries™ system,
you can choose to use a full-capability firewall product or you can choose
to put into effect specific network security technologies as part of the i5/OS™ TCP/IP
implementation. This implementation consists of the Packet rules feature (which
includes IP filtering and NAT) and HTTP for iSeries proxy server feature.</p>
<p>Choosing to use either the Packet rules feature or a firewall depends on
your network environment, access requirements, and security needs. You should <strong>strongly</strong> consider
using a firewall product as your main line of defense whenever you connect
your iSeries server,
or your internal network, to the Internet or other untrusted network.</p>
<p>A firewall is preferable in this case because a firewall typically is a
dedicated hardware and software device with a limited number of interfaces
for external access. When you use the i5/OS TCP/IP technologies for Internet
access protection you are using a general purpose computing platform with
a myriad number of interfaces and applications open to external access.</p>
<p><img src="./delta.gif" alt="Start of change" />The difference is important for a number of reasons. For example,
a dedicated firewall product does not provide any other functions or applications
beyond those that comprise the firewall itself. Consequently, if an attacker
successfully circumvents the firewall and gains access to the it, the attacker
cannot do much. Whereas, if an attacker circumvents the TCP/IP security functions
on your iSeries,
the attacker potentially might have access to a variety of useful
applications, services, and data. The attacker can then use these to wreck
havoc on the system itself or to gain access to other systems in your internal
network.<img src="./deltaend.gif" alt="End of change" /></p>
<p>So, is it ever acceptable to use the iSeries TCP/IP security features? As
with all the security choices that you make, you must base your decision on
the cost versus benefit trade-offs that you are willing to make. You must
analyze your business goals and decide what risks you are willing to accept
versus the cost of how you provide security to minimize these risks. The following
table provides information about when it is appropriate to use TCP/IP security
features versus a fully functional firewall device. You can use this table
to determine whether you should use a firewall, TCP/IP security features,
or a combination of both to provide your network and system protection.</p>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="border" border="1" rules="all"><thead align="left"><tr><th align="left" valign="top" width="25%" id="d0e59">Security technology</th>
<th align="left" valign="top" width="38.657407407407405%" id="d0e61">Best use of i5/OS TCP/IP
technology</th>
<th align="left" valign="top" width="36.342592592592595%" id="d0e66">Best use of a fully functional firewall </th>
</tr>
</thead>
<tbody><tr><td align="left" valign="top" width="25%" headers="d0e59 ">IP packet filtering</td>
<td align="left" valign="top" width="38.657407407407405%" headers="d0e61 "> <ul><li>To provide <strong>additional</strong> protection for a single iSeries server,
such as an public web server or an intranet system with sensitive data.</li>
<li>To protect a subnetwork of a corporate <strong>intranet</strong> when the iSeries server
is acting as a gateway (casual router) to the rest of the network.</li>
<li>To control communication with a somewhat trusted partner over a <strong>private
network</strong> or extranet where the iSeries server is acting as a gateway.</li>
</ul>
</td>
<td align="left" valign="top" width="36.342592592592595%" headers="d0e66 "> <ul><li>To protect an entire corporate network from the <strong>Internet</strong> or other
untrusted network to which your network is connected.</li>
<li>To protect a large subnetwork with heavy traffic from the remainder of
a corporate network.</li>
</ul>
</td>
</tr>
<tr><td align="left" valign="top" width="25%" headers="d0e59 ">Network Address Translation (NAT)</td>
<td align="left" valign="top" width="38.657407407407405%" headers="d0e61 "> <ul><li>To enable the connection of two <strong>private networks</strong> with incompatible
addressing structures.</li>
<li>To hide addresses in a subnetwork from a less trusted network.</li>
</ul>
</td>
<td align="left" valign="top" width="36.342592592592595%" headers="d0e66 "> <ul><li>To hide addresses of clients accessing the <strong>Internet</strong> or other untrusted
network. To use as an alternative to Proxy and SOCKS servers.</li>
<li>To make services of a system in a private network available to clients
on the <strong>Internet</strong>.</li>
</ul>
</td>
</tr>
<tr><td align="left" valign="top" width="25%" headers="d0e59 ">Proxy server</td>
<td align="left" valign="top" width="38.657407407407405%" headers="d0e61 "> <ul><li>To proxy at <strong>remote locations</strong> in a corporate network when a central
firewall provides access to the Internet.</li>
</ul>
</td>
<td align="left" valign="top" width="36.342592592592595%" headers="d0e66 "> <ul><li>To proxy an entire corporate network when accessing the <strong>Internet</strong>.</li>
</ul>
</td>
</tr>
</tbody>
</table>
</div>
<div class="p">To learn more about how to use the i5/OS TCP/IP
security features, see these resources:<ul><li><img src="./delta.gif" alt="Start of change" /><a href="../rzajb/rzajbrzajb0ippacketsecuritysd.htm">Packet rules (filtering and NAT)</a>.<img src="./deltaend.gif" alt="End of change" /></li>
<li><a href="http://www.iseries.ibm.com/products/http/httpindex.htm" target="_blank">HTTP Server Documentation Center</a>.<img src="www.gif" alt="Link outside Information&#xA;Center" /></li>
<li><a href="http://www.redbooks.ibm.com/pubs/pdfs/redbooks/sg245954.pdf" target="_blank">AS/400<sup>®</sup> Internet Security Scenarios: A Practical Approach</a><img src="rbpdf.gif" alt="Link to&#xA;PDF" /> (SG24-5954).</li>
</ul>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzaj45zgiptraffic.htm" title="Use this information to learn about the network level security measures that you should consider using to protect your internal resources.">Network security options</a></div>
</div>
<div class="relconcepts"><strong>Related concepts</strong><br />
<div><a href="rzaj45zgiptraffic.htm" title="Use this information to learn about the network level security measures that you should consider using to protect your internal resources.">Network security options</a></div>
</div>
</div>
</body>
</html>