TUG Toronto Users Group for Midrange Systems
e-server magazine

July 1997: Volume 12, Number 6

Communicating with Sam

Internet Security

By Sam Johnston

From the questions submitted, the one selected to be addressed in this issue is:



I am currently investigating Internet for my local area network and have contacted several local Internet Service Providers (ISPs). The solution which I am considering implementing in my network is a 128 Kb ISDN connection to my ISP using a mini-ISDN router. However, I am concerned about Internet security and enabling a direct link onto my network. What can I do to ensure my internal LAN is secure? Additionally, I hope to roll out E-Mail throughout our organization and extend our internal E-Mail to support Internet E-Mail.

Background: My LAN network consists of an AS/400 and a Novell 4.1 Server with 60 PCs running a combination of Windows 3.1 and Windows 95. We have standardized our LAN protocol on TCP/IP to the AS/400 and Novell Server.

Sam's Answer:

You are not alone in your concerns about opening your business up to the Internet. There are a number of key issues which you should be aware of:

  1. Security of your internal database from unauthorized access,
  2. Computer “hackers” breaking into your system and vandalizing your systems,
  3. Virus downloads compromising your data and/or systems,
  4. IP address conflicts between ISP provided addresses and existing internal addresses,
  5. Resource “time-wasting” surfing the net.

Using this framework, I will attempt to address the particular concerns in your environment. The network protocol on your LAN is TCP/IP, which is also the protocol of the Internet, and your proposed connection to the Internet is a direct LAN-attached connection through your ISP of choice. This poses some direct concerns: since your business systems (AS/400 and Novell Server) are running TCP/IP on the LAN, they can be accessed directly from your ISP's network and presumably the Internet. This is a direct risk, as in items 1 and 2 above.

But there are solutions, namely the use of a firewall. There are essentially two options for firewalls: (i) host an internal firewall on your premises, or (ii) purchase firewall services from your ISP. Hosting your own firewall provides the benefit of security control within your organization and easy customization of the firewall “policies” that control security and operational access. It also lets your interior LAN use any IP addressing scheme while surfing the net with the ISP-provided addressing scheme, through Network Address Translation (NAT) or proxy access through a single firewall IP address (item 4 above). Firewalls also enable policies that control which web sites are accessible and that track usage, which addresses item 5 above.

When designing a firewall integration strategy, it is critical to determine what sort of Internet access is required and to ensure that your internal network is secure. This is often achieved by creating isolated networks on your premises to support various security zones, whereby all local users have outbound access to the Internet, and services such as Internet mail serving and web serving are located where they can be accessed both internally and externally. A picture is worth a thousand words!!
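The zone layout described above can be written down as a default-deny policy table and checked before any firewall is configured. The following is an added example, not part of the original column: the zone names, address ranges, ports and the public NAT address are all constructed assumptions, and the evaluator is a model for reasoning about the policy, not the configuration syntax of any firewall product.

```python
import ipaddress

# Constructed address plan (assumption): a private inside LAN, a separate
# service network, and everything else treated as the Internet.
ZONES = {
    "inside":  ipaddress.ip_network("10.1.0.0/16"),   # AS/400, Novell server, PCs
    "service": ipaddress.ip_network("192.0.2.0/28"),  # Internet mail and web servers
}
FIREWALL_PUBLIC_IP = "198.51.100.1"  # constructed ISP-provided address used for NAT

# (source zone, destination zone, TCP port or None for any port, action).
# First match wins; anything not listed is denied.
POLICY = [
    ("inside",   "internet", None, "allow"),  # all local users may go outbound
    ("inside",   "service",  None, "allow"),  # internal users reach mail and web
    ("internet", "service",  25,   "allow"),  # inbound Internet mail (SMTP)
    ("internet", "service",  80,   "allow"),  # inbound web
    ("service",  "internet", 25,   "allow"),  # mail server sends outbound mail
]

def zone_of(addr):
    """Map an IP address to its security zone; unknown addresses are Internet."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"

def decide(src, dst, port):
    """Return 'allow' or 'deny' for a new TCP connection from src to dst:port."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    for rule_src, rule_dst, rule_port, action in POLICY:
        if (rule_src, rule_dst) == (src_zone, dst_zone) and rule_port in (None, port):
            return action
    return "deny"  # default deny: no rule ever lets traffic initiate into "inside"

def source_seen_by_remote(src, dst, port):
    """Source address the far end sees after NAT, or None if the policy blocks it."""
    if decide(src, dst, port) != "allow":
        return None
    if zone_of(src) == "inside" and zone_of(dst) == "internet":
        return FIREWALL_PUBLIC_IP  # internal addressing is hidden (item 4)
    return src
```

Because no rule has "inside" as a destination, neither an Internet host nor a compromised mail or web server can open a connection to the AS/400 or the Novell server.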

Note: Any TUG member wishing to submit a question to Sam can e-mail or forward their typewritten material to the TUG office, or to Intesys. We would be pleased to publish your question and Sam's answer in an upcoming issue of the TUG/400 e-server magazine.