Skip to main content

Security Zones on IBM System z: Defining and Enforcing Multiple Security Zones


Note: This is publication is now archived. For reference only.


Published on 17 February 2011

  1. .EPUB (0.6 MB)
  2. .PDF (0.7 MB)

Share this page:   

IBM Form #: REDP-4652-00

Authors: Alan Altmark

    menu icon


    Many customers wanting to do Linux® server consolidation and deployment to IBM® System z® experience challenges in balancing the security of a physical “air gap” with the low cost of consolidation on a single box: It goes against their instincts and training. Being able to understand the security implications, capabilities, advantages, and risks of virtual server consolidation helps to lower or remove barriers to growth and the decision to say “Yes” to System z.

    This IBM Redpaper™ publication describes the architecture of traditional network security zones (Internet, DMZ, application, data, and maintenance) that can be securely manifested on System z through the application of best practices for System z hardware management and z/VM® virtual network configuration. This paper also discusses the Law of Unintended Consequences as it applies to shared Open Systems Adapters and HiperSockets™. We also discuss the location of firewalls, enforcement options, and an introduction to labeled security in a z/VM environment.

    You learn how to properly build virtual security zones and integrate virtual servers into your existing security zones. We also discuss using the Resource Access Control Facility (RACF®) Security Server on z/VM to prevent a “red zone” server from connecting to a “green zone” network or “green zone” data.

    Table of Contents


    Preparing the hardware

    A multizone network


    Virtual switches, VLANs, and traffic separation

    Enforcing the rules with Resource Access Control Facility


    Reference information


    Others who read this also read