<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Choosing iSeries network security options" />
<meta name="abstract" content="Provides you with a concise discussion on which security options you should choose based on your Internet usage plans" />
<meta name="description" content="Provides you with a concise discussion on which security options you should choose based on your Internet usage plans" />
<meta name="DC.Relation" scheme="URI" content="rzaj45zgiptraffic.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 1999, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 1999, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzaj45zvsolutions" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Choosing iSeries network security options</title>
</head>
<body id="rzaj45zvsolutions"><a name="rzaj45zvsolutions"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Choosing iSeries network security options</h1>
<div><p>Provides you with a concise discussion on which security options you should choose based on your Internet usage plans.</p>
<p>Network security solutions that guard against unauthorized access generally rely on firewall technologies to provide the protection. To protect your iSeries™ system, you can choose to use a full-capability firewall product, or you can choose to put into effect specific network security technologies that are part of the i5/OS™ TCP/IP implementation. This implementation consists of the Packet rules feature (which includes IP filtering and NAT) and the HTTP for iSeries proxy server feature.</p>
<p>Choosing to use either the Packet rules feature or a firewall depends on your network environment, access requirements, and security needs. You should <strong>strongly</strong> consider using a firewall product as your main line of defense whenever you connect your iSeries server, or your internal network, to the Internet or another untrusted network.</p>
<p>A firewall is preferable in this case because a firewall typically is a dedicated hardware and software device with a limited number of interfaces for external access. When you use the i5/OS TCP/IP technologies for Internet access protection, you are using a general purpose computing platform with a myriad of interfaces and applications open to external access.</p>
<p><img src="./delta.gif" alt="Start of change" />The difference is important for a number of reasons. For example, a dedicated firewall product does not provide any other functions or applications beyond those that comprise the firewall itself. Consequently, if an attacker successfully circumvents the firewall and gains access to it, the attacker cannot do much. If, however, an attacker circumvents the TCP/IP security functions on your iSeries, the attacker potentially has access to a variety of useful applications, services, and data. The attacker can then use these to wreak havoc on the system itself or to gain access to other systems in your internal network.<img src="./deltaend.gif" alt="End of change" /></p>
<p>So, is it ever acceptable to use the iSeries TCP/IP security features? As with all the security choices that you make, you must base your decision on the cost versus benefit trade-offs that you are willing to make. You must analyze your business goals and decide what risks you are willing to accept versus the cost of how you provide security to minimize these risks. The following table provides information about when it is appropriate to use TCP/IP security features versus a fully functional firewall device. You can use this table to determine whether you should use a firewall, TCP/IP security features, or a combination of both to provide your network and system protection.</p>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="border" border="1" rules="all"><thead align="left"><tr><th align="left" valign="top" width="25%" id="d0e59">Security technology</th>
<th align="left" valign="top" width="38.657407407407405%" id="d0e61">Best use of i5/OS TCP/IP technology</th>
<th align="left" valign="top" width="36.342592592592595%" id="d0e66">Best use of a fully functional firewall</th>
</tr>
</thead>
<tbody><tr><td align="left" valign="top" width="25%" headers="d0e59 ">IP packet filtering</td>
<td align="left" valign="top" width="38.657407407407405%" headers="d0e61 "> <ul><li>To provide <strong>additional</strong> protection for a single iSeries server, such as a public web server or an intranet system with sensitive data.</li>
<li>To protect a subnetwork of a corporate <strong>intranet</strong> when the iSeries server is acting as a gateway (casual router) to the rest of the network.</li>
<li>To control communication with a somewhat trusted partner over a <strong>private network</strong> or extranet where the iSeries server is acting as a gateway.</li>
</ul>
</td>
<td align="left" valign="top" width="36.342592592592595%" headers="d0e66 "> <ul><li>To protect an entire corporate network from the <strong>Internet</strong> or other untrusted network to which your network is connected.</li>
<li>To protect a large subnetwork with heavy traffic from the remainder of a corporate network.</li>
</ul>
</td>
</tr>
<tr><td align="left" valign="top" width="25%" headers="d0e59 ">Network Address Translation (NAT)</td>
<td align="left" valign="top" width="38.657407407407405%" headers="d0e61 "> <ul><li>To enable the connection of two <strong>private networks</strong> with incompatible addressing structures.</li>
<li>To hide addresses in a subnetwork from a less trusted network.</li>
</ul>
</td>
<td align="left" valign="top" width="36.342592592592595%" headers="d0e66 "> <ul><li>To hide addresses of clients accessing the <strong>Internet</strong> or other untrusted network, as an alternative to Proxy and SOCKS servers.</li>
<li>To make services of a system in a private network available to clients on the <strong>Internet</strong>.</li>
</ul>
</td>
</tr>
<tr><td align="left" valign="top" width="25%" headers="d0e59 ">Proxy server</td>
<td align="left" valign="top" width="38.657407407407405%" headers="d0e61 "> <ul><li>To proxy at <strong>remote locations</strong> in a corporate network when a central firewall provides access to the Internet.</li>
</ul>
</td>
<td align="left" valign="top" width="36.342592592592595%" headers="d0e66 "> <ul><li>To proxy an entire corporate network when accessing the <strong>Internet</strong>.</li>
</ul>
</td>
</tr>
</tbody>
</table>
</div>
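<p>The first row of the table, IP packet filtering as <strong>additional</strong> protection for a single public web server, is illustrated here with a first-match filter evaluator run over constructed packets. This is an added example, not code or rule syntax from IBM or from the i5/OS Packet rules feature; the addresses, ports and rule set are assumptions chosen for the scenario.</p>

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    """A constructed packet header; only the fields the filter inspects."""
    src: str
    dst: str
    proto: str      # "tcp", "udp" or "icmp"
    dport: int      # destination port, 0 for protocols without ports
    inbound: bool   # True when arriving from the untrusted side


# Constructed rule set for the "public web server" scenario:
# (direction, protocol, destination network, destination port, action).
# Rules are evaluated in order and the first match wins. The final rule is
# an explicit deny-all, so anything not permitted above it is dropped.
WEB_SERVER_RULES = [
    ("in",  "tcp", "192.0.2.10/32", 80,   "permit"),
    ("in",  "tcp", "192.0.2.10/32", 443,  "permit"),
    ("out", "any", "0.0.0.0/0",     None, "permit"),
    ("in",  "any", "0.0.0.0/0",     None, "deny"),
]


def filter_packet(pkt: Packet, rules=WEB_SERVER_RULES) -> str:
    """Return 'permit' or 'deny' for pkt under a first-match rule set."""
    direction = "in" if pkt.inbound else "out"
    for rdir, rproto, rnet, rport, action in rules:
        if rdir != direction:
            continue
        if rproto != "any" and rproto != pkt.proto:
            continue
        if ip_address(pkt.dst) not in ip_network(rnet):
            continue
        if rport is not None and rport != pkt.dport:
            continue
        return action
    return "deny"   # nothing matched: default deny, never default permit


def exposed_services(rules=WEB_SERVER_RULES) -> set:
    """List the (protocol, port) pairs still reachable from the untrusted
    side. On a general purpose platform every other listener stays hidden
    only as long as this list stays short."""
    return {(p, port) for d, p, _, port, a in rules
            if d == "in" and a == "permit" and port is not None}
```

The `exposed_services` check makes the point of the paragraph above concrete: the filter only narrows what an attacker can reach, so every additional permit rule re-exposes one of the platform's many listeners.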
<div class="p">To learn more about how to use the i5/OS TCP/IP security features, see these resources:<ul><li><img src="./delta.gif" alt="Start of change" /><a href="../rzajb/rzajbrzajb0ippacketsecuritysd.htm">Packet rules (filtering and NAT)</a>.<img src="./deltaend.gif" alt="End of change" /></li>
<li><a href="http://www.iseries.ibm.com/products/http/httpindex.htm" target="_blank">HTTP Server Documentation Center</a>.<img src="www.gif" alt="Link outside Information Center" /></li>
<li><a href="http://www.redbooks.ibm.com/pubs/pdfs/redbooks/sg245954.pdf" target="_blank">AS/400<sup>®</sup> Internet Security Scenarios: A Practical Approach</a><img src="rbpdf.gif" alt="Link to PDF" /> (SG24-5954).</li>
</ul>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzaj45zgiptraffic.htm" title="Use this information to learn about the network level security measures that you should consider using to protect your internal resources.">Network security options</a></div>
</div>
<div class="relconcepts"><strong>Related concepts</strong><br />
<div><a href="rzaj45zgiptraffic.htm" title="Use this information to learn about the network level security measures that you should consider using to protect your internal resources.">Network security options</a></div>
</div>
</div>
</body>
</html>