Planning network security


When connecting to an untrusted network, your security policy must describe a comprehensive security scheme, including the security measures that you will implement at the network level.

Installing a firewall is one of the best means of deploying a comprehensive set of network security measures. Your Internet Service Provider (ISP) can and should also provide an important element of your network security plan. Your network security scheme should outline which security measures your ISP will provide, such as filtering rules for the ISP router connection and public Domain Name Service (DNS) precautions. Check with your ISP periodically to ensure that they are continually upgrading their security measures; this also helps you keep your own security plans current.

Although a firewall certainly represents one of your main lines of defense in your total security plan, it should not be your only line of defense. Because Internet security risks occur at a variety of levels, you need to set up security measures that provide multiple layers of defense against these risks.

While a firewall provides a tremendous amount of protection from certain kinds of attack, a firewall is only part of your total security solution. For instance, a firewall cannot necessarily protect data that you send over the Internet through applications such as SMTP mail, FTP, and TELNET. Unless you choose to encrypt this data, anyone on the Internet can access it as it travels to its destination.

Choosing network security options

Network security solutions that guard against unauthorized access generally rely on firewall technologies to provide the protection. To protect your system, you can choose to use a full-capability firewall product or you can choose to put into effect specific network security technologies as part of the i5/OS® TCP/IP implementation. This implementation consists of the Packet rules feature, which includes IP filtering and NAT, and the HTTP for iSeries™ proxy server feature.

Choosing to use either the Packet rules feature or a firewall depends on your network environment, access requirements, and security needs. You should strongly consider using a firewall product as your main line of defense whenever you connect your system or your internal network to the Internet or other untrusted network.

A firewall is preferable in this case because a firewall is typically a dedicated hardware and software device with a limited number of interfaces exposed to external access. When you use the i5/OS TCP/IP technologies for Internet access protection, you are using a general-purpose computing platform with a myriad of interfaces and applications open to external access.

The difference is important for a number of reasons. For example, a dedicated firewall product does not provide any functions or applications beyond those that comprise the firewall itself. Consequently, if an attacker successfully circumvents the firewall and gains access to the device, the attacker cannot do much. If, on the other hand, an attacker circumvents the TCP/IP security functions on your system, the attacker could potentially gain access to a variety of useful applications, services, and data, and can then use these to wreak havoc on the system itself or to gain access to other systems in your internal network.

So, is it ever acceptable to use the TCP/IP security features? As with all the security choices that you make, base your decision on the cost versus benefit trade-offs that you are willing to make. You must analyze your business goals and decide what risks you are willing to accept versus the cost of the security measures that minimize those risks. The following table provides information about when it is appropriate to use TCP/IP security features versus a fully functional firewall device. You can use this table to determine whether you should use a firewall, TCP/IP security features, or a combination of both to provide your network and system protection.

Security technology: IP packet filtering

  Best use of i5/OS TCP/IP technology:

  • To provide additional protection for a single system, such as a public web server or an intranet system with sensitive data.

  • To protect a subnetwork of a corporate intranet when the system is acting as a gateway (casual router) to the rest of the network.

  • To control communication with a somewhat trusted partner over a private network or extranet where the system is acting as a gateway.

  Best use of a fully functional firewall:

  • To protect an entire corporate network from the Internet or other untrusted network to which your network is connected.

  • To protect a large subnetwork with heavy traffic from the remainder of a corporate network.

Security technology: Network Address Translation (NAT)

  Best use of i5/OS TCP/IP technology:

  • To enable the connection of two private networks with incompatible addressing structures.

  • To hide addresses in a subnetwork from a less trusted network.

  • To hide addresses of clients accessing the Internet or other untrusted network.

  • To use as an alternative to Proxy and SOCKS servers.

  Best use of a fully functional firewall:

  • To make services of a system in a private network available to clients on the Internet.

Security technology: Proxy server

  Best use of i5/OS TCP/IP technology:

  • To proxy at remote locations in a corporate network when a central firewall provides access to the Internet.

  Best use of a fully functional firewall:

  • To proxy an entire corporate network when accessing the Internet.
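The first row of the table, host-level IP packet filtering as additional protection for a single public web server, is illustrated below by a first-match filter model written for this page; it is an added example, not i5/OS Packet rules syntax or IBM code, and all addresses and rules are constructed. It also includes a check for rules that are shadowed by an earlier, broader rule, the ordering mistake that most often turns a default-deny policy into an accidental permit-all or denies the service the rule set was meant to expose.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    direction: str          # "inbound" or "outbound"
    proto: str              # "tcp", "udp", "icmp"
    src: str
    dst: str
    dport: int = 0
    new_conn: bool = False  # True for a TCP SYN opening a new connection

@dataclass(frozen=True)
class Rule:
    action: str             # "permit" or "deny"
    direction: str
    proto: str              # "*" matches any protocol
    dport: int              # 0 matches any destination port
    new_conn: Optional[bool] = None  # None = don't care

WEB_SERVER = "192.0.2.10"  # constructed address from the TEST-NET-1 range

# Constructed policy for a single public web server: expose only HTTP and
# HTTPS, allow the server to answer but not to open new outbound sessions
# (limits what a compromised host can reach), then deny everything else.
# The first matching rule wins, so order is significant.
RULES = [
    Rule("permit", "inbound", "tcp", 80),
    Rule("permit", "inbound", "tcp", 443),
    Rule("permit", "outbound", "tcp", 0, new_conn=False),
    Rule("deny", "inbound", "*", 0),
    Rule("deny", "outbound", "*", 0),
]

def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction
            and rule.proto in ("*", pkt.proto)
            and rule.dport in (0, pkt.dport)
            and (rule.new_conn is None or rule.new_conn == pkt.new_conn))

def filter_packet(pkt: Packet, rules: List[Rule] = RULES) -> Tuple[str, int]:
    """Return (verdict, index of deciding rule); -1 means the implicit default deny."""
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.action, i
    return "deny", -1

def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indices of rules that can never fire because an earlier rule covers them."""
    def covers(a: Rule, b: Rule) -> bool:
        return (a.direction == b.direction and a.proto in ("*", b.proto)
                and a.dport in (0, b.dport) and a.new_conn in (None, b.new_conn))
    return [j for j, b in enumerate(rules)
            if any(covers(a, b) for a in rules[:j])]
```

Running `shadowed_rules` on a policy before deploying it catches a deny-all placed above the permits, which would silently take the web server offline.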
