The layered defense approach to security

Your security policy defines what you want to protect and what you expect of your system users.

It provides a basis for security planning when you design new applications or expand your current network. It describes user responsibilities, such as protecting confidential information and creating nontrivial passwords.
Note: You need to create and enact a security policy for your organization that minimizes the risks to your internal network. The inherent security features of iSeries™, when properly configured, provide you with the ability to minimize many risks. When you connect your iSeries system to the Internet, however, you need to provide additional security measures to ensure the safety of your internal network.

Many risks are associated with using Internet access to conduct business activities. Whenever you create a security policy, you must balance providing services against controlling access to functions and data. With networked computers, security is more difficult because the communication channel itself is open to attack.

Some Internet services are more vulnerable to certain types of attacks than others. Therefore, it is critical that you understand the risks that are imposed by each service you intend to use or provide. In addition, understanding possible security risks helps you to determine a clear set of security objectives.

The Internet is home to a variety of individuals who pose a threat to the security of Internet communications. The following list describes some of the typical security risks you may encounter:

Multiple layers of defense

Because potential Internet security risks can occur at a variety of levels, you need to set up security measures that provide multiple layers of defense against these risks. In general, when you connect to the Internet, you should not wonder if you will experience intrusion attempts or denial of service attacks. Instead, you should assume that you will experience a security problem. Consequently, your best defense is a thoughtful, proactive offense. Using a layered approach when you plan your Internet security strategy ensures that an attacker who penetrates one layer of defense will be stopped by a subsequent layer.

Your security strategy should include measures that provide protection across the following layers of the traditional network computing model. Generally, you should plan your security from the most basic (system level security) through the most complex (transaction level security).

System level security
Your system security measures represent your last line of defense against an Internet-based security problem. Consequently, your first step in a total Internet security strategy must be to properly configure iSeries basic system security settings.
Network level security
Network security measures control access to your iSeries and other network systems. When you connect your network to the Internet, you should ensure that you have adequate network level security measures in place to protect your internal network resources from unauthorized access and intrusion. A firewall is the most common means for providing network security. Your Internet Service Provider (ISP) can and should provide an important element in your network security plan. Your network security scheme should outline what security measures your ISP will provide, such as filtering rules for the ISP router connection and public Domain Name Service (DNS) precautions.
Application level security
Application level security measures control how users can interact with specific applications. In general, you should configure security settings for each application that you use. However, you should take special care to set up security for those applications and services that you will be using from or providing to the Internet. These applications and services are vulnerable to misuse by unauthorized users looking for a way to gain access to your network systems. The security measures that you decide to use need to address both server-side and client-side security exposures.
Transmission level security
Transmission level security measures protect data communications within and across networks. When you communicate across an untrusted network like the Internet, you cannot control how your traffic flows from source to destination. Your traffic and the data it carries flow through a number of different servers that you cannot control. Unless you set up security measures, such as configuring your applications to use the Secure Sockets Layer (SSL), your routed data is available for anyone to view and use. Transmission level security measures protect your data as it flows between the other security level boundaries.

When developing your overall Internet security policy, you should develop a security strategy for each layer individually. Additionally, you should describe how each set of strategies will interact with the others to provide a comprehensive security safety net for your business.
