Security Zones on IBM System z: Defining and Enforcing Multiple Security Zones

An IBM Redguide publication

Note: This publication is now archived. For reference only.

Published 17 February 2011


IBM Form #: REDP-4652-00
(22 pages)


Authors: Alan Altmark

Abstract

Many customers who want to consolidate and deploy Linux® servers on IBM® System z® struggle to reconcile the security of a physical “air gap” with the low cost of consolidating onto a single box: it goes against their instincts and training. Understanding the security implications, capabilities, advantages, and risks of virtual server consolidation helps to lower or remove the barriers to growth and to the decision to say “Yes” to System z.

This IBM Redpaper™ publication describes the architecture of traditional network security zones (Internet, DMZ, application, data, and maintenance) that can be securely manifested on System z through the application of best practices for System z hardware management and z/VM® virtual network configuration. This paper also discusses the Law of Unintended Consequences as it applies to shared Open Systems Adapters and HiperSockets™. We also discuss the location of firewalls, enforcement options, and an introduction to labeled security in a z/VM environment.

You learn how to properly build virtual security zones and integrate virtual servers into your existing security zones. We also discuss using the Resource Access Control Facility (RACF®) Security Server on z/VM to prevent a “red zone” server from connecting to a “green zone” network or “green zone” data.

Table of contents

Introduction
Preparing the hardware
A multizone network
Firewalls
Virtual switches, VLANs, and traffic separation
Enforcing the rules with Resource Access Control Facility
Summary
Reference information
