ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzaj4_5.4.0.1/rzaj40a0internetsecurity.htm

164 lines
12 KiB
HTML
Raw Normal View History

2024-04-02 14:02:31 +00:00
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="The layered defense approach to security" />
<meta name="abstract" content="Your security policy defines what you want to protect and what you expect of your system users." />
<meta name="description" content="Your security policy defines what you want to protect and what you expect of your system users." />
<meta name="DC.Relation" scheme="URI" content="rzaj45zssecurityplanning.htm" />
<meta name="DC.Relation" scheme="URI" content="rzaj4securityreadiness.htm" />
<meta name="DC.Relation" scheme="URI" content="rzaj45zgiptraffic.htm" />
<meta name="DC.Relation" scheme="URI" content="rzaj45zrscenario1risks.htm" />
<meta name="DC.Relation" scheme="URI" content="rzaj45zhcryptointro.htm" />
<meta name="DC.Relation" scheme="URI" content="rzaj40j0securitypolco.htm" />
<meta name="DC.Relation" scheme="URI" content="rzaj45zgiptraffic.htm" />
<meta name="DC.Relation" scheme="URI" content="rzaj45zoemail.htm" />
<meta name="DC.Relation" scheme="URI" content="../rzalx/rzalxsecterms.htm" />
<meta name="DC.Relation" scheme="URI" content="../rzaja/rzajagetstart.htm" />
<meta name="DC.Relation" scheme="URI" content="rzaj45zpftpsolutions.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 1999, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 1999, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzaj40a0internetsecurity" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>The layered defense approach to security</title>
</head>
<body id="rzaj40a0internetsecurity"><a name="rzaj40a0internetsecurity"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">The layered defense approach to security</h1>
<div><p>Your <strong>security policy</strong> defines what you want to protect and
what you expect of your system users.</p>
<div class="p"> It provides a basis for security planning when you design new applications
or expand your current network. It describes user responsibilities, such
as protecting confidential information and creating nontrivial passwords.
<div class="note"><span class="notetitle">Note:</span> <img src="./delta.gif" alt="Start of change" />You need to create and enact a security policy for your
organization that minimizes the risks to your internal network. The inherent
security features of iSeries™, when properly configured, provide you with
the ability to minimize many risks. When you connect your iSeries system
to the Internet, however, you need to provide additional security measures
to ensure the safety of your internal network.<img src="./deltaend.gif" alt="End of change" /></div>
</div>
<p>Many risks are associated with using Internet access to conduct business
activities. Whenever you create a security policy, you must balance providing
services against controlling access to functions and data. With networking
computers, security is more difficult because the communication channel itself
is open to attack.</p>
<p>Some Internet services are more vulnerable to certain types of attacks than others. Therefore, it is critical that you understand
the risks that are imposed by each service you intend to use or provide. In
addition, understanding possible security risks helps you to determine a clear
set of security objectives.</p>
<p><img src="./delta.gif" alt="Start of change" />The Internet is home to a variety of individuals who pose
threat to the security of Internet communications. The following list describes
some of the typical security risks you may encounter:<img src="./deltaend.gif" alt="End of change" /></p>
<ul><li><strong><img src="./delta.gif" alt="Start of change" />Passive attacks<img src="./deltaend.gif" alt="End of change" /></strong>: In a passive attack, the perpetrator
monitors your network traffic to try to learn secrets. Such attacks can be
either network-based (tracing the communications link) or system-based (replacing
a system component with a Trojan horse program that captures data insidiously).
Passive attacks are the most difficult to detect. Therefore, you should assume
that someone is eavesdropping on everything you send across the Internet.</li>
<li><strong>Active
attacks:</strong> In an active attack, the perpetrator is trying to break through
your defenses and get into your network systems. There are several types of
active attacks: <ul><li>In <strong>system access attempts</strong>, the attacker attempts to exploit security
loopholes to gain access and control over a client or server system. </li>
<li>In <strong>spoofing</strong> attacks,
the attacker attempts to break through your defenses by masquerading as a
trusted system, or a user persuades you to send secret information to him.</li>
<li>In <strong>denial of service attacks</strong>, an attacker tries to interfere with or shut
down your operations by redirecting traffic or bombarding your system with
junk.</li>
<li>In <strong>cryptographic attacks</strong>, an attacker will attempt to guess, or
steal your passwords, or will use specialized tools to try to decrypt encrypted
data.</li>
</ul>
</li>
</ul>
<div class="section"><h4 class="sectiontitle">Multiple layers of defense</h4><p>Because potential Internet
security risks can occur at a variety of levels, you need to set up security
measures that provide multiple layers of defense against these risks. In general,
when you connect to the Internet, you should not wonder <strong>if</strong> you will
experience intrusion attempts or denial of service attacks. Instead, you should
assume that you <strong>will</strong> experience a security problem. Consequently, your
best defense is a thoughtful, proactive offense. Using a layered approach
when you plan your Internet security strategy ensures that an attacker who
penetrates one layer of defense will be stopped by a subsequent layer.</p>
<p><img src="./delta.gif" alt="Start of change" />Your security strategy should include measures that provide protection
across the following layers of the traditional network computing model. Generally,
you should plan your security from the most basic (system level security)
through the most complex (transaction level security).<img src="./deltaend.gif" alt="End of change" /></p>
<dl><dt class="dlterm">System level security</dt>
<dd>Your system security measures represent your last line of defense against
an Internet-based security problem. <span>Consequently,
your first step in a total Internet security strategy must be to properly
configure <a href="rzaj4securityreadiness.htm#rzaj4securityreadiness">iSeries basic
system security settings</a>.</span> </dd>
<dt class="dlterm">Network level security</dt>
<dd><a href="rzaj45zgiptraffic.htm#rzaj45zgiptraffic">Network security</a> measures
control access to your iSeries and other network systems. When you connect
your network to the Internet, you should ensure that you have adequate network
level security measures in place to protect your internal network resources
from unauthorized access and intrusion. A firewall is the most common means
for providing network security. Your Internet Service Provider (ISP) can and
should provide an important element in your network security plan. Your network
security scheme should outline what security measures your ISP will provide,
such as filtering rules for the ISP router connection and public Domain Name
Service (DNS) precautions. </dd>
<dt class="dlterm">Application level security</dt>
<dd><img src="./delta.gif" alt="Start of change" /><a href="rzaj45zrscenario1risks.htm#rzaj45zrscenario1risks">Application
level security</a> measures control how users can interact with specific
applications. In general, you should configure security settings for each
application that you use. However, you should take special care to set up
security for those applications and services that you will be using from or
providing to the Internet. These applications and services are vulnerable
to misuse by unauthorized users looking for a way to gain access to your network
systems. The security measures that you decide to use need to include both
server-side and client-side security exposures. <img src="./deltaend.gif" alt="End of change" /></dd>
<dt class="dlterm">Transmission level security</dt>
<dd><img src="./delta.gif" alt="Start of change" /><a href="rzaj45zhcryptointro.htm#rzaj45zhcryptointro">Transmission
level security</a> measures protect data communications within and across
networks. When you communicate across an untrusted network like the Internet,
you cannot control how your traffic flows from source to destination. Your
traffic and the data it carries flows through a number of different servers
that you cannot control. Unless you set up security measures, such as configuring
your applications to use the Secure Sockets Layer (SSL), your routed data
is available for anyone to view and use. Transmission level security measures
protect your data as it flows between the other security level boundaries. <img src="./deltaend.gif" alt="End of change" /></dd>
</dl>
<p>When developing your overall Internet security policy, you
should develop a security strategy for each layer individually. Additionally,
you should describe how each set of strategies will interact with the others
to provide a comprehensive security safety net for your business.</p>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzaj45zssecurityplanning.htm" title="Use this information to gain a general understanding of the strengths of iSeries security for e-business and the iSeries security offerings available to you.">Planning Internet security</a></div>
</div>
<div class="relconcepts"><strong>Related concepts</strong><br />
<div><a href="rzaj4securityreadiness.htm" title="Use this information to learn what system security you should have in place before you connect to the Internet.">Security levels for basic Internet readiness</a></div>
<div><a href="rzaj45zgiptraffic.htm" title="Use this information to learn about the network level security measures that you should consider using to protect your internal resources.">Network security options</a></div>
<div><a href="rzaj45zrscenario1risks.htm" title="Use this information to learn about common Internet security risks for a number of popular Internet applications and services and measures that you can take to manage these risks.">Application security options</a></div>
<div><a href="rzaj45zhcryptointro.htm" title="Use this information to learn about the security measures that you can use to protect your data as it flows across an untrusted network, such as the Internet. Learn more about security measures for using the Secure Sockets Layer (SSL), iSeries Access Express, and Virtual Private Network (VPN) connections.">Transmission security options</a></div>
<div><a href="rzaj40j0securitypolco.htm" title="Defining what to protect and what to expect of users.">Security policy and objectives</a></div>
<div><a href="rzaj45zoemail.htm" title="Using e-mail across the Internet or other untrusted network imposes security risks against which using a firewall may not protect.">E-mail security</a></div>
<div><a href="../rzaja/rzajagetstart.htm">Virtual private network (VPN)</a></div>
<div><a href="rzaj45zpftpsolutions.htm" title="FTP (File Transfer Protocol) provides the capability of transferring files between a client (a user on another system) and your server.">FTP security</a></div>
</div>
<div class="relref"><strong>Related reference</strong><br />
<div><a href="../rzalx/rzalxsecterms.htm">Security terminology</a></div>
</div>
</div>
</body>
</html>