Provides you with a concise discussion on which security options you should choose based on your Internet usage plans.
Network security solutions that guard against unauthorized access generally rely on firewall technologies to provide the protection. To protect your iSeries™ system, you can choose to use a full-capability firewall product or you can choose to put into effect specific network security technologies as part of the i5/OS™ TCP/IP implementation. This implementation consists of the Packet rules feature (which includes IP filtering and NAT) and the HTTP for iSeries proxy server feature.
Choosing to use either the Packet rules feature or a firewall depends on your network environment, access requirements, and security needs. You should strongly consider using a firewall product as your main line of defense whenever you connect your iSeries server, or your internal network, to the Internet or another untrusted network.
A firewall is preferable in this case because a firewall is typically a dedicated hardware and software device with a limited number of interfaces for external access. When you use the i5/OS TCP/IP technologies for Internet access protection, you are using a general-purpose computing platform with a myriad of interfaces and applications open to external access.
The difference is important for a number of reasons. For example, a dedicated firewall product does not provide any other functions or applications beyond those that comprise the firewall itself. Consequently, if an attacker successfully circumvents the firewall and gains access to it, the attacker cannot do much. In contrast, if an attacker circumvents the TCP/IP security functions on your iSeries, the attacker potentially might have access to a variety of useful applications, services, and data. The attacker can then use these to wreak havoc on the system itself or to gain access to other systems in your internal network.
So, is it ever acceptable to use the iSeries TCP/IP security features? As with all the security choices that you make, you must base your decision on the cost versus benefit trade-offs that you are willing to make. You must analyze your business goals and decide what risks you are willing to accept versus the cost of how you provide security to minimize these risks. The following table provides information about when it is appropriate to use TCP/IP security features versus a fully functional firewall device. You can use this table to determine whether you should use a firewall, TCP/IP security features, or a combination of both to provide your network and system protection.
Security technology | Best use of i5/OS TCP/IP technology | Best use of a fully functional firewall |
---|---|---|
IP packet filtering | | |
Network Address Translation (NAT) | | |
Proxy server | | |