Choosing iSeries network security options

Provides a concise discussion of which security options you should choose based on your Internet usage plans.

Network security solutions that guard against unauthorized access generally rely on firewall technologies to provide the protection. To protect your iSeries™ system, you can choose to use a full-capability firewall product or you can choose to put into effect specific network security technologies as part of the i5/OS™ TCP/IP implementation. This implementation consists of the Packet rules feature (which includes IP filtering and NAT) and HTTP for iSeries proxy server feature.

Whether to use the Packet rules feature or a firewall depends on your network environment, access requirements, and security needs. You should strongly consider using a firewall product as your main line of defense whenever you connect your iSeries server, or your internal network, to the Internet or another untrusted network.

A firewall is preferable in this case because a firewall is typically a dedicated hardware and software device with a limited number of interfaces open to external access. When you use the i5/OS TCP/IP technologies for Internet access protection, you are using a general-purpose computing platform with a myriad of interfaces and applications open to external access.

The difference is important for a number of reasons. For example, a dedicated firewall product does not provide any functions or applications beyond those that make up the firewall itself. Consequently, if an attacker circumvents the firewall and gains access to it, the attacker cannot do much. If an attacker circumvents the TCP/IP security functions on your iSeries, however, the attacker potentially has access to a variety of useful applications, services, and data, and can use these to wreak havoc on the system itself or to gain access to other systems in your internal network.

So, is it ever acceptable to use the iSeries TCP/IP security features? As with all the security choices that you make, you must base your decision on the cost versus benefit trade-offs that you are willing to make. You must analyze your business goals and decide what risks you are willing to accept versus the cost of how you provide security to minimize these risks. The following table provides information about when it is appropriate to use TCP/IP security features versus a fully functional firewall device. You can use this table to determine whether you should use a firewall, TCP/IP security features, or a combination of both to provide your network and system protection.

Security technology: IP packet filtering
  Best use of i5/OS TCP/IP technology:
  • To provide additional protection for a single iSeries server, such as a public web server or an intranet system with sensitive data.
  • To protect a subnetwork of a corporate intranet when the iSeries server is acting as a gateway (casual router) to the rest of the network.
  • To control communication with a somewhat trusted partner over a private network or extranet where the iSeries server is acting as a gateway.
  Best use of a fully functional firewall:
  • To protect an entire corporate network from the Internet or other untrusted network to which your network is connected.
  • To protect a large subnetwork with heavy traffic from the remainder of a corporate network.

Security technology: Network Address Translation (NAT)
  Best use of i5/OS TCP/IP technology:
  • To enable the connection of two private networks with incompatible addressing structures.
  • To hide addresses in a subnetwork from a less trusted network.
  Best use of a fully functional firewall:
  • To hide addresses of clients accessing the Internet or other untrusted network, as an alternative to Proxy and SOCKS servers.
  • To make services of a system in a private network available to clients on the Internet.

Security technology: Proxy server
  Best use of i5/OS TCP/IP technology:
  • To proxy at remote locations in a corporate network when a central firewall provides access to the Internet.
  Best use of a fully functional firewall:
  • To proxy an entire corporate network when accessing the Internet.
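As an added illustration of the two i5/OS cases in the table that the Packet rules feature handles well (IP filtering for a single public web server, and NAT that hides an internal subnetwork from a less trusted network), the following packet rules file is not part of this IBM topic. The keyword layout follows the i5/OS Packet rules language (FILTER, FILTER_INTERFACE, HIDE) and should be checked against the IP filtering and NAT topic before it is loaded; the addresses 192.0.2.10 and 10.1.1.0/24, the set name pubweb, and the line description name ETHLINE are constructed placeholders.

```text
# Added example, not from the IBM topic. Placeholders: 192.0.2.10 is the
# server's public interface, 10.1.1.0/24 is an internal subnetwork that the
# server routes for, ETHLINE is the external line description.

# --- Case 1: additional protection for a single public web server -------
# Only new TCP connections to port 80 may be opened from outside;
# TCP/STARTING matches connection-opening packets only.
FILTER SET pubweb ACTION = PERMIT DIRECTION = INBOUND SRCADDR = * DSTADDR = 192.0.2.10 PROTOCOL = TCP/STARTING DSTPORT = 80 SRCPORT = * FRAGMENTS = NONE JRN = OFF

# The remainder of each HTTP session, in both directions.
FILTER SET pubweb ACTION = PERMIT DIRECTION = INBOUND SRCADDR = * DSTADDR = 192.0.2.10 PROTOCOL = TCP DSTPORT = 80 SRCPORT = * FRAGMENTS = NONE JRN = OFF
FILTER SET pubweb ACTION = PERMIT DIRECTION = OUTBOUND SRCADDR = 192.0.2.10 DSTADDR = * PROTOCOL = TCP DSTPORT = * SRCPORT = 80 FRAGMENTS = NONE JRN = OFF

# Anything else reaching this interface is dropped and journaled. An active
# filter set already denies by default; this explicit rule exists so the
# rejected packets are recorded (JRN = FULL) and can be reviewed later.
FILTER SET pubweb ACTION = DENY DIRECTION = * SRCADDR = * DSTADDR = * PROTOCOL = * DSTPORT = * SRCPORT = * FRAGMENTS = NONE JRN = FULL

# --- Case 2: hide an internal subnetwork from a less trusted network ----
# Masquerade NAT: every host in 10.1.1.0/24 appears as 192.0.2.10 on the
# external side. No MAP statement exposes any 10.1.1.x host, so connections
# to those hosts cannot be opened from outside.
HIDE 10.1.1.0 MASK 255.255.255.0 BEHIND 192.0.2.10 TIMEOUT = 16 MAXCON = 128 JRN = OFF

# Bind the filter set to the external line description.
FILTER_INTERFACE LINE = ETHLINE SET = pubweb
```

After activating the file from the Packet rules editor, confirm from a host on the untrusted side that only port 80 on 192.0.2.10 answers, and that the journaled denies appear in the IP filter journal (QIPFILTER in QUSRSYS). Note that the rules protect only the interfaces they are bound to; the general-purpose services the text warns about remain reachable on any interface that has no filter set attached.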
To learn more about how to use the i5/OS TCP/IP security features, see these resources:
Related concepts
Network security options