Use this information to learn about the security measures that you can use to protect your data as it flows across an untrusted network, such as the Internet. Learn more about security measures for using the Secure Sockets Layer (SSL), iSeries™ Access Express, and Virtual Private Network (VPN) connections.
Remember that the JKL Toy company scenario has two primary iSeries systems. They use one for development and the other for production applications. Both of these systems handle mission-critical data and applications. Consequently, they chose to add a new iSeries system on a perimeter network to handle their intranet and Internet applications.
Establishing a perimeter network ensures that they have some physical separation between their internal network and the Internet. This separation decreases the Internet risks to which their internal systems are vulnerable. By designating the new iSeries server as an Internet server only, the company also decreases the complexity of managing their network security.
Because of the pervasive need for security in an Internet environment, IBM® is continually developing security offerings to ensure a secure networking environment for conducting e-business on the Internet. In an Internet environment you must ensure that you provide both system-specific and application-specific security. However, moving confidential information through a company intranet or across an Internet connection further increases the need for stronger security solutions. To combat these risks, you should put security measures into effect that protect the transmission of data while it travels over the Internet.
You can minimize the risks associated with moving information across untrusted systems with two specific transmission level security offerings for iSeries: Secure Sockets Layer (SSL) secure communications and Virtual Private Networking (VPN) connections.
Securing applications with SSL
The Secure Sockets Layer (SSL) protocol is a de facto industry standard for securing communication between clients and servers. SSL was originally developed for web browser applications, but an increasing number of other applications are now able to use SSL. For iSeries server, these include:
Several of these applications also support the use of digital certificates for client authentication. SSL relies on digital certificates to authenticate the communication parties and to create a secure connection.
iSeries Virtual Private Networking (VPN)
You can use your iSeries system VPN connections to establish a secure communications channel between two endpoints. Like an SSL connection, the data that travels between the endpoints can be encrypted, thereby providing both data confidentiality and data integrity. VPN connections, however, allow you to limit the traffic flow to the endpoints that you specify and to restrict the type of traffic that can use the connection. Therefore, VPN connections provide some network level security by helping you to protect your network resources from unauthorized access.
Which method should you use?
Both of these security methods address the need for secure authentication, data confidentiality, and data integrity. Which of these methods you should use depends on several factors: who you are communicating with, what applications you use to communicate with them, how secure you need the communication to be, and what trade-offs in cost and performance you are willing to make to secure this communication.
Also, if you want to use a specific application with SSL, that application must be set up to use SSL. Although many applications cannot take advantage of SSL yet, many others, like Telnet and iSeries Access Express, have added SSL capability. VPNs, however, allow you to protect all IP traffic that flows between specific connection endpoints.
For example, you may use HTTP over SSL currently to allow a business partner to communicate with a Web server on your internal network. If the Web server is the only secure application that you need between you and your business partner, then you may not want to switch to a VPN connection. However, if you want to expand your communications, you may want to use a VPN connection instead. Also, you may have a situation in which you need to protect traffic in a portion of your network, but you do not want to individually configure each client and server to use SSL. You might create a gateway-to-gateway VPN connection for that portion of the network. This would secure the traffic, but the connection is transparent to individual servers and clients on either side of the connection.
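The coverage difference described above, worked through as an added example that is not part of the original IBM documentation: SSL protects a flow only when that particular application has been set up for it, while a gateway-to-gateway VPN protects every flow between the two address ranges (optionally limited to certain protocols or ports) without any per-client or per-server setup. The `Flow` and `VpnPolicy` types, the addresses and the ports are constructed for illustration and are not from the page.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Flow:
    src: str        # source IP address
    dst: str        # destination IP address
    proto: str      # "tcp" or "udp"
    dport: int      # destination port
    app_ssl: bool   # True if the application on this flow was configured for SSL

@dataclass(frozen=True)
class VpnPolicy:
    """Hypothetical model of a gateway-to-gateway VPN: every flow between the two
    address ranges is protected, optionally restricted to given protocols/ports."""
    local_net: str
    remote_net: str
    protocols: frozenset = frozenset({"tcp", "udp"})
    ports: Optional[frozenset] = None   # None means any destination port

    def covers(self, flow: Flow) -> bool:
        local = ipaddress.ip_network(self.local_net)
        remote = ipaddress.ip_network(self.remote_net)
        src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
        between = (src in local and dst in remote) or (src in remote and dst in local)
        return (between and flow.proto in self.protocols
                and (self.ports is None or flow.dport in self.ports))

def protection(flow: Flow, vpns: List[VpnPolicy]) -> str:
    """Return how the flow's data is protected in transit: 'vpn', 'ssl' or 'none'."""
    if any(v.covers(flow) for v in vpns):
        return "vpn"   # protected transparently; client and server needed no SSL setup
    if flow.app_ssl:
        return "ssl"   # protected only because this one application was set up for SSL
    return "none"      # cleartext across the untrusted network

# Constructed sample data: a partner host (192.168.5.0/24) talking to the
# internal network (10.1.0.0/16). HTTPS is SSL-enabled; Telnet here is not.
PARTNER_HTTPS = Flow("192.168.5.10", "10.1.0.20", "tcp", 443, app_ssl=True)
PARTNER_TELNET = Flow("192.168.5.10", "10.1.0.30", "tcp", 23, app_ssl=False)
PARTNER_DNS = Flow("192.168.5.10", "10.1.0.30", "udp", 53, app_ssl=False)
SITE_VPN = VpnPolicy("10.1.0.0/16", "192.168.5.0/24", protocols=frozenset({"tcp"}))

if __name__ == "__main__":
    for name, flow in [("https", PARTNER_HTTPS), ("telnet", PARTNER_TELNET), ("dns", PARTNER_DNS)]:
        print(f"{name}: SSL-only={protection(flow, [])}, with VPN={protection(flow, [SITE_VPN])}")
```

Running it shows the Telnet flow moving from `none` to `vpn` once the gateway-to-gateway policy exists, while the UDP flow stays unprotected because the constructed policy restricts the tunnel to TCP.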