Use this information to learn about the security measures that you can use to protect your data as it flows across an untrusted network, such as the Internet. Learn more about security measures for using the Secure Sockets Layer (SSL), iSeries™ Access Express, and Virtual Private Network (VPN) connections.
Remember that the JKL Toy company scenario has two primary iSeries systems. They use one for development and the other for production applications. Both of these systems handle mission-critical data and applications. Consequently, they chose to add a new iSeries system on a perimeter network to handle their intranet and Internet applications.
Establishing a perimeter network ensures that they have some physical separation between their internal network and the Internet. This separation decreases the Internet risks to which their internal systems are vulnerable. By designating the new iSeries server as an Internet server only, the company also decreases the complexity of managing their network security.
Because of the pervasive need for security in an Internet environment, IBM® is continually developing security offerings to ensure a secure networking environment for conducting e-business on the Internet. In an Internet environment you must ensure that you provide both system-specific and application-specific security. However, moving confidential information through a company intranet or across an Internet connection further increases the need to enact stronger security solutions. To combat these risks you should put security measures into effect that protect the transmission of data while it travels over the Internet.
You can minimize the risks associated with moving information across untrusted systems with two specific transmission level security offerings for iSeries: Secure Sockets Layer (SSL) secure communications and Virtual Private Networking (VPN) connections.
Securing applications with SSL
The Secure Sockets Layer (SSL) protocol is a de facto industry standard for securing communication between clients and servers. SSL was originally developed for Web browser applications, but an increasing number of other applications are now able to use SSL. For the iSeries server, these include:
Several of these applications also support the use of digital certificates for client authentication. SSL relies on digital certificates to authenticate the communication parties and to create a secure connection.
iSeries Virtual Private Networking (VPN)
You can use your iSeries system's VPN connections to establish a secure communications channel between two endpoints. As with an SSL connection, the data that travels between the endpoints can be encrypted, thereby providing both data confidentiality and data integrity. VPN connections, however, allow you to limit the traffic flow to the endpoints that you specify and to restrict the type of traffic that can use the connection. Therefore, VPN connections provide some network-level security by helping you to protect your network resources from unauthorized access.
Which method should you use?
Both of these security methods address the need for secure authentication, data confidentiality, and data integrity. Which of these methods you should use depends on several factors: who you are communicating with, what applications you use to communicate with them, how secure you need the communication to be, and what trade-offs in cost and performance you are willing to make to secure this communication.
Also, if you want to use a specific application with SSL, that application must be set up to use SSL. Although many applications cannot take advantage of SSL yet, many others, like Telnet and iSeries Access Express, have added SSL capability. VPNs, however, allow you to protect all IP traffic that flows between specific connection endpoints.
For example, you may use HTTP over SSL currently to allow a business partner to communicate with a Web server on your internal network. If the Web server is the only secure application that you need between you and your business partner, then you may not want to switch to a VPN connection. However, if you want to expand your communications, you may want to use a VPN connection instead. Also, you may have a situation in which you need to protect traffic in a portion of your network, but you do not want to individually configure each client and server to use SSL. You might create a gateway-to-gateway VPN connection for that portion of the network. This would secure the traffic, but the connection is transparent to individual servers and clients on either side of the connection.