Security Zones on IBM System z: Defining and Enforcing Multiple Security Zones
Note: This publication is now archived. For reference only.
Many customers wanting to consolidate and deploy Linux® servers on IBM® System z® experience challenges in balancing the security of a physical “air gap” with the low cost of consolidation on a single box: it goes against their instincts and training. Understanding the security implications, capabilities, advantages, and risks of virtual server consolidation helps to lower or remove barriers to growth and to the decision to say “Yes” to System z.
This IBM Redpaper™ publication describes the architecture of traditional network security zones (Internet, DMZ, application, data, and maintenance) that can be securely manifested on System z through the application of best practices for System z hardware management and z/VM® virtual network configuration. This paper also discusses the Law of Unintended Consequences as it applies to shared Open Systems Adapters and HiperSockets™. We also discuss the location of firewalls, enforcement options, and an introduction to labeled security in a z/VM environment.
You learn how to properly build virtual security zones and integrate virtual servers into your existing security zones. We also discuss using the Resource Access Control Facility (RACF®) Security Server on z/VM to prevent a “red zone” server from connecting to a “green zone” network or “green zone” data.
Preparing the hardware
A multizone network
Virtual switches, VLANs, and traffic separation
Enforcing the rules with Resource Access Control Facility