<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Transmission security options" />
<meta name="abstract" content="Use this information to learn about the security measures that you can use to protect your data as it flows across an untrusted network, such as the Internet. Learn more about security measures for using the Secure Sockets Layer (SSL), iSeries Access Express, and Virtual Private Network (VPN) connections." />
<meta name="description" content="Use this information to learn about the security measures that you can use to protect your data as it flows across an untrusted network, such as the Internet. Learn more about security measures for using the Secure Sockets Layer (SSL), iSeries Access Express, and Virtual Private Network (VPN) connections." />
<meta name="DC.Relation" scheme="URI" content="rzaj4secoverview.htm" />
<meta name="DC.Relation" scheme="URI" content="rzaj45bydigitalcerts.htm" />
<meta name="DC.Relation" scheme="URI" content="rzaj45zxaddingvpn.htm" />
<meta name="DC.Relation" scheme="URI" content="rzaj40a0internetsecurity.htm" />
<meta name="DC.Relation" scheme="URI" content="rzaj45lbasiccorpusage.htm" />
<meta name="DC.Relation" scheme="URI" content="../apis/unix9.htm" />
<meta name="DC.Relation" scheme="URI" content="rzaj45bydigitalcerts.htm" />
<meta name="DC.Relation" scheme="URI" content="rzaj45zxaddingvpn.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 1999, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 1999, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzaj45zhcryptointro" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Transmission security options</title>
</head>
<body id="rzaj45zhcryptointro"><a name="rzaj45zhcryptointro"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Transmission security options</h1>
<div><p><span>Use this information to learn about
the security measures that you can use to protect your data as it flows across
an untrusted network, such as the Internet. Learn more about security measures
for using the Secure Sockets Layer (SSL), iSeries™ Access Express, and Virtual Private
Network (VPN) connections.</span></p>
<p>Remember that the JKL Toy company scenario has two primary iSeries systems.
They use one for development and the other for production applications. Both
of these systems handle mission-critical data and applications. Consequently,
they chose to add a new iSeries system on a perimeter network to handle their
intranet and Internet applications.</p>
<p>Establishing a perimeter network ensures that they have some physical separation
between their internal network and the Internet. This separation decreases
the Internet risks to which their internal systems are vulnerable. By designating
the new iSeries server
as an Internet server only, the company also decreases the complexity of managing
their network security.</p>
<p><img src="./delta.gif" alt="Start of change" />Because of the pervasive need for security in an Internet environment, IBM<sup>®</sup> is
continually developing security offerings to ensure a secure networking environment
for conducting e-business on the Internet. In an Internet environment you
must ensure that you provide both system-specific and application-specific
security. However, moving confidential information through a company intranet
or across an Internet connection further increases the need to enact stronger
security solutions. To combat these risks you should put security measures
into effect that protect the transmission of data while it travels over the
Internet.<img src="./deltaend.gif" alt="End of change" /></p>
<p>You can minimize the risks associated with moving information across untrusted
systems with two specific transmission-level security offerings for iSeries: Secure
Sockets Layer (SSL) secure communications and Virtual Private Networking (VPN)
connections.</p>
<p><strong><a href="../rzain/rzainoverview.htm">Securing applications with SSL</a></strong></p>
<p>The Secure Sockets Layer (SSL) protocol is a de facto industry standard
for securing communication between clients and servers. SSL was originally
developed for web browser applications, but an increasing number of other
applications are now able to use SSL. For iSeries server, these include:</p>
<ul><li>IBM HTTP
Server for iSeries (original
and powered by Apache)</li>
<li>FTP server</li>
<li>Telnet server</li>
<li>Distributed relational database architecture (DRDA<sup>®</sup>) and distributed data management
(DDM) server</li>
<li>Management Central in iSeries Navigator</li>
<li>Directory Services Server (LDAP)</li>
<li>iSeries Access
Express applications, including iSeries Navigator, and applications that
are written to the iSeries Access Express set of application programming
interfaces (APIs)</li>
<li>Programs developed with Developer Kit for Java™ and client applications that use IBM Toolkit
for Java</li>
<li>Programs developed with the Secure Sockets Layer (SSL) application programming
interfaces (APIs), which can be used to enable SSL on applications. See the
Secure Sockets Layer APIs for more information about how to write programs
that use SSL.</li>
</ul>
<p>Several of these applications also support the use of digital certificates
for client authentication. SSL relies on digital certificates to authenticate
the communication parties and to create a secure connection.</p>
<p><strong><a href="../rzaja/rzajagetstart.htm">iSeries Virtual
Private Networking (VPN)</a></strong></p>
<p>You can use your iSeries system VPN connections to establish a secure
communications channel between two endpoints. Like an SSL connection, the
data that travels between the endpoints can be encrypted, thereby providing
both data confidentiality and data integrity. VPN connections, however, allow
you to limit the traffic flow to the endpoints that you specify and to restrict
the type of traffic that can use the connection. Therefore, VPN connections
provide some network-level security by helping you to protect your network
resources from unauthorized access.</p>
<p><strong>Which method should you use?</strong></p>
<p><img src="./delta.gif" alt="Start of change" />Both of these security methods address the need for secure authentication,
data confidentiality and data integrity. Which of these methods you should
use depends on several factors. Factors to consider are who you are communicating
with, what applications you use to communicate with them, how secure you need
the communication to be, and what trade-offs in cost and performance you are
willing to make to secure this communication.<img src="./deltaend.gif" alt="End of change" /></p>
<p><img src="./delta.gif" alt="Start of change" />Also, if you want to use a specific application with SSL, that
application must be set up to use SSL. Although many applications cannot take
advantage of SSL yet, many others, like Telnet and iSeries Access Express, have added SSL
capability. VPNs, however, allow you to protect all IP traffic that flows
between specific connection endpoints.<img src="./deltaend.gif" alt="End of change" /></p>
<p><img src="./delta.gif" alt="Start of change" />For example, you may use HTTP over SSL currently
to allow a business partner to communicate with a Web server on your internal
network. If the Web server is the only secure application that you need between
you and your business partner, then you may not want to switch to a VPN connection.
However, if you want to expand your communications, you may want to use a
VPN connection instead. Also, you may have a situation in which you need to
protect traffic in a portion of your network, but you do not want to individually
configure each client and server to use SSL. You might create a gateway-to-gateway
VPN connection for that portion of the network. This would secure the traffic,
but the connection is transparent to individual servers and clients on either
side of the connection.<img src="./deltaend.gif" alt="End of change" /></p>
</div>
<div>
<ul class="ullinks">
<li class="ulchildlink"><strong><a href="rzaj45bydigitalcerts.htm">Using digital certificates for SSL</a></strong><br />
Digital certificates provide the foundation for using the Secure Sockets Layer (SSL) for secure communications and as a stronger means of authentication.</li>
<li class="ulchildlink"><strong><a href="rzaj45zxaddingvpn.htm">Virtual Private Networks (VPN) for secure private communications</a></strong><br />
You can use a Virtual Private Network (VPN) to communicate privately and securely within your organization.</li>
</ul>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzaj4secoverview.htm" title="Accessing the Internet from your LAN is a major step in the evolution of your network that will require you to reassess your security requirements.">iSeries and Internet security</a></div>
</div>
<div class="relconcepts"><strong>Related concepts</strong><br />
<div><a href="rzaj40a0internetsecurity.htm" title="Your security policy defines what you want to protect and what you expect of your system users.">The layered defense approach to security</a></div>
<div><a href="rzaj45lbasiccorpusage.htm" title="Describes a typical business, the JKL Toy Company which has decided to expand its business objectives by using the Internet. Although the company is fictitious, their plans for using the Internet for e-business and their resulting security needs are representative of many real world company situations.">Scenario: JKL Toy Company e-business plans</a></div>
<div><a href="rzaj45bydigitalcerts.htm" title="Digital certificates provide the foundation for using the Secure Sockets Layer (SSL) for secure communications and as a stronger means of authentication.">Using digital certificates for SSL</a></div>
<div><a href="rzaj45zxaddingvpn.htm" title="You can use a Virtual Private Network (VPN) to communicate privately and securely within your organization.">Virtual Private Networks (VPN) for secure private communications</a></div>
</div>
<div class="relref"><strong>Related reference</strong><br />
<div><a href="../apis/unix9.htm">Secure Sockets Layer APIs</a></div>
</div>
</div>
</body>
</html>