Transmission security options

In order to protect your data when it flows across an untrusted network, such as the Internet, you should put the appropriate security measures into effect. These measures include the Secure Sockets Layer (SSL), IBM® i Access for Windows, and virtual private network (VPN) connections.

Remember that the JKL Toy company scenario has two primary systems. They use one for development and the other for production applications. Both of these systems handle mission-critical data and applications. Consequently, they choose to add a new system on a perimeter network to handle their intranet and Internet applications.

Establishing a perimeter network ensures that they have some physical separation between their internal network and the Internet. This separation decreases the Internet risks to which their internal systems are vulnerable. By designating the new system as only an Internet server, the company also decreases the complexity of managing their network security.

Because of the pervasive need for security in an Internet environment, IBM is continually developing security offerings to ensure a secure networking environment for conducting e-business on the Internet. In an Internet environment you must ensure that you provide both system-specific and application-specific security. However, moving confidential information through a company intranet or across an Internet connection further increases the need to enact stronger security solutions. To combat these risks, you need to put security measures into effect that protect the transmission of data while it travels over the Internet.

You can minimize the risks associated with moving information across untrusted systems with two specific transmission level security offerings for the i5/OS operating system: SSL secure communications and VPN connections.

The SSL protocol is an industry standard for securing communication between clients and servers. SSL was originally developed for Web browser applications, but an increasing number of other applications are now able to use SSL. For the i5/OS operating system, these include:

  • IBM HTTP Server for i5/OS (original and powered by Apache)
  • FTP server
  • Telnet server
  • Distributed Relational Database Architecture (DRDA) and distributed data management (DDM) server
  • Management Central in System i® Navigator
  • Directory Services Server (LDAP)
  • IBM i Access for Windows applications, including System i Navigator, and applications that are written to the IBM i Access for Windows set of application programming interfaces (APIs)
  • Programs developed with Developer Kit for Java™ and client applications that use IBM Toolkit for Java
  • Programs developed with Secure Sockets Layer (SSL) Application Programmable Interfaces (APIs), which can be used to enable SSL on applications. See the Secure Sockets Layer APIs for more information about how to write programs that use SSL.

Several of these applications also support the use of digital certificates for client authentication. SSL relies on digital certificates to authenticate the communication parties and to create a secure connection.
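The page states that SSL authenticates the communicating parties with digital certificates and that several applications can additionally require a client certificate. The following Go program is an added illustration of exactly that exchange (using TLS, the current version of the SSL protocol); it is not code from the IBM documentation and uses no i5/OS API. It creates two self-signed certificates in memory (one per party; in a real deployment both would be issued by a certificate authority the peer trusts), starts a TLS server on the loopback interface that requires and verifies a client certificate, and connects a client that verifies the server certificate against its own trust store. The names `server.example` and `client.example` and the helper names are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeCert builds a self-signed certificate for name. For the example the
// same certificate serves as the party's identity and as the trust anchor the
// peer is configured with; in production it would be CA-issued (assumption).
func makeCert(name string) (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		DNSNames:              []string{name}, // hostname the peer will check
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf, nil
}

// runMutualTLS runs one handshake between a server that demands a client
// certificate and a client that verifies the server. It returns the identity
// each side authenticated; the error is non-nil when the handshake is refused.
func runMutualTLS(clientPresentsCert bool) (serverSawClient, clientSawServer string, err error) {
	serverCert, serverLeaf, err := makeCert("server.example")
	if err != nil {
		return "", "", err
	}
	clientCert, clientLeaf, err := makeCert("client.example")
	if err != nil {
		return "", "", err
	}
	// Each side trusts only the other party's certificate.
	serverTrust := x509.NewCertPool()
	serverTrust.AddCert(clientLeaf)
	clientTrust := x509.NewCertPool()
	clientTrust.AddCert(serverLeaf)

	serverCfg := &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   tls.RequireAndVerifyClientCert, // client authentication
		ClientCAs:    serverTrust,
		MinVersion:   tls.VersionTLS12,
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", serverCfg)
	if err != nil {
		return "", "", err
	}
	defer ln.Close()

	type result struct {
		name string
		err  error
	}
	done := make(chan result, 1)
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			done <- result{"", err}
			return
		}
		defer conn.Close()
		tc := conn.(*tls.Conn)
		if err := tc.Handshake(); err != nil {
			done <- result{"", err} // e.g. client sent no certificate
			return
		}
		cs := tc.ConnectionState()
		done <- result{cs.PeerCertificates[0].Subject.CommonName, nil}
	}()

	clientCfg := &tls.Config{
		RootCAs:    clientTrust,
		ServerName: "server.example", // must match a DNS name in the server certificate
		MinVersion: tls.VersionTLS12,
	}
	if clientPresentsCert {
		clientCfg.Certificates = []tls.Certificate{clientCert}
	}
	conn, err := tls.Dial("tcp", ln.Addr().String(), clientCfg)
	if err != nil {
		return "", "", err
	}
	defer conn.Close()
	// tls.Dial completes the client side of the handshake, so the server's
	// certificate chain and hostname have already been verified here.
	clientSawServer = conn.ConnectionState().PeerCertificates[0].Subject.CommonName
	r := <-done
	if r.err != nil {
		return "", clientSawServer, r.err
	}
	return r.name, clientSawServer, nil
}

func main() {
	for _, present := range []bool{true, false} {
		s, c, err := runMutualTLS(present)
		fmt.Printf("client presents certificate=%v: server authenticated %q, client authenticated %q, err=%v\n",
			present, s, c, err)
	}
}
```

Run with `go run .`: the first handshake succeeds and each side reports the peer name it verified; the second is refused because the server is configured with `RequireAndVerifyClientCert` and the client offers no certificate. Note that the client still authenticates the server in both cases: server authentication comes from the trust store and `ServerName` check, client authentication only from the server's `ClientAuth` setting.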

Virtual Private Network

You can use your VPN connections to establish a secure communications channel between two endpoints. Like an SSL connection, the data that travels between the endpoints can be encrypted, thereby providing both data confidentiality and data integrity. VPN connections, however, allow you to limit the traffic flow to the endpoints that you specify and to restrict the type of traffic that can use the connection. Therefore, VPN connections provide some network level security by helping you to protect your network resources from unauthorized access.

Which method should you use

Both SSL and VPN address the need for secure authentication, data confidentiality, and data integrity. Which of these methods you should use depends on several factors. You need to consider who you are communicating with, what applications you use to communicate with them, how secure you need the communication to be, and what trade-offs in cost and performance you are willing to make to secure this communication.

Also, if you want to use a specific application with SSL, that application must be set up to use SSL. Although many applications cannot take advantage of SSL, many others, like Telnet and IBM i Access for Windows, have SSL capability. VPNs, however, allow you to protect all IP traffic that flows between specific connection endpoints.

For example, you might currently use HTTP over SSL to allow a business partner to communicate with a Web server on your internal network. If the Web server is the only secure application that you need between you and your business partner, then you might not want to switch to a VPN connection. However, if you want to expand your communications, you might want to use a VPN connection instead. You might also encounter a situation in which you need to protect traffic in a portion of your network, but you do not want to individually configure each client and server to use SSL. You can create a gateway-to-gateway VPN connection for that portion of the network. This secures the traffic while the connection remains transparent to the individual servers and clients on either side of it.