When connecting to an untrusted network, your security policy must describe a comprehensive security scheme, including the security measures that you will implement at the network level.
Installing a firewall is one of the best means of deploying a comprehensive set of network security measures. Your Internet Service Provider (ISP) can and should also provide an important element of your network security plan. Your network security scheme should state which measures the ISP will provide, such as filtering rules on the ISP router connection and precautions for the public Domain Name Service (DNS). Check with your ISP periodically to confirm that they are keeping their security measures current; doing so also helps you keep your own security plan current.
Although a firewall certainly represents one of your main lines of defense in your total security plan, it should not be your only line of defense. Because Internet security risks occur at a variety of levels, you need to set up security measures that provide multiple layers of defense against these risks.
While a firewall provides a great deal of protection against certain kinds of attack, it is only part of your total security solution. For instance, a firewall cannot protect data that you send over the Internet through applications such as SMTP mail, FTP, and Telnet. Unless you encrypt this data, anyone positioned on the path between you and its destination can read it as it travels.
Choosing network security options
Network security solutions that guard against unauthorized access generally rely on firewall technologies to provide the protection. To protect your system, you can use a full-capability firewall product, or you can enable specific network security technologies that are part of the i5/OS™ TCP/IP implementation. This implementation consists of the Packet rules feature, which includes IP filtering and NAT, and the HTTP for iSeries™ proxy server feature.
Choosing to use either the Packet rules feature or a firewall depends on your network environment, access requirements, and security needs. You should strongly consider using a firewall product as your main line of defense whenever you connect your system or your internal network to the Internet or other untrusted network.
A firewall is preferable in this case because a firewall is typically a dedicated hardware and software device with a limited number of interfaces exposed to external access. When you use the i5/OS TCP/IP technologies for Internet access protection, you are using a general-purpose computing platform with many interfaces and applications open to external access.
The difference is important for a number of reasons. For example, a dedicated firewall product provides no functions or applications beyond those that make up the firewall itself. Consequently, if an attacker circumvents the firewall and gains access to the device, there is little on it to abuse. If, however, an attacker circumvents the TCP/IP security functions on your system, the attacker potentially has access to a variety of useful applications, services, and data. The attacker can then use these to wreak havoc on the system itself or to gain access to other systems in your internal network.
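As an added illustration of the Packet rules feature (this fragment is not from the original page or from IBM's own documentation), the rule file below publishes one internal web server through static NAT and applies a default-deny filter set to the external interface, so the general-purpose host exposes only the one service the policy calls for. All rule names, addresses and the interface assignment are assumed; whether the filter rules on your release see the pre- or post-translation address should be confirmed in the product documentation before you rely on the DSTADDR values shown.

```text
# Added illustrative i5/OS packet rules; names and addresses are assumed.
# 192.0.2.10 = external interface of this system, facing the untrusted network
# 10.1.1.20  = internal web server, published as 192.0.2.20

# Address definitions referenced by the NAT statement
ADDRESS WEB_PRIVATE IP = 10.1.1.20 TYPE = TRUSTED
ADDRESS WEB_PUBLIC  IP = 192.0.2.20 TYPE = BORDER

# Static (one-to-one) NAT: the web server is reachable only via its public address
MAP WEB_PRIVATE TO WEB_PUBLIC

# Filter set for the external interface. Rules are evaluated in order;
# the final DENY makes the set default-deny and journals what it drops.
FILTER SET EXT_RULES ACTION = PERMIT DIRECTION = INBOUND  SRCADDR = * DSTADDR = 192.0.2.20 PROTOCOL = TCP DSTPORT = 80 SRCPORT = *  FRAGMENTS = NONE JRN = OFF
FILTER SET EXT_RULES ACTION = PERMIT DIRECTION = OUTBOUND SRCADDR = 192.0.2.20 DSTADDR = * PROTOCOL = TCP DSTPORT = *  SRCPORT = 80 FRAGMENTS = NONE JRN = OFF
# Telnet, FTP, SMTP and every other service on the host fall through to this rule
FILTER SET EXT_RULES ACTION = DENY   DIRECTION = *        SRCADDR = * DSTADDR = * PROTOCOL = * DSTPORT = * SRCPORT = * FRAGMENTS = * JRN = FULL

# Bind the set to the external interface only
FILTER_INTERFACE INTERFACE = 192.0.2.10 SET = EXT_RULES
```

The journaled final DENY is the detection hook: anything that reaches it is traffic the policy did not anticipate, and reviewing those journal entries is how you notice probes against the services the page warns are otherwise exposed on a general-purpose host. Verify and activate the rules from the Packet Rules editor rather than editing the file by hand on a production system, and test from the untrusted side that only TCP port 80 on 192.0.2.20 answers.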
Security technology | Best use of i5/OS TCP/IP technology | Best use of a fully functional firewall |
---|---|---|
IP packet filtering | | |
Network Address Translation (NAT) | | |
Proxy server | To proxy at remote locations in a corporate network when a central firewall provides access to the Internet. | To proxy an entire corporate network when accessing the Internet. |