AIX Security Expert High level security scenario
This is a scenario for AIX® Security Expert High level security.
The AIX Security Expert view of security levels is derived in part from the National Institute of Standards and Technology document Security Configuration Checklists Progarm for IT Pruducts - Guidance for CheckLists Users and Developers (search for the publication name on the NIS Web site: http://www.nist.gov/index.html). However, High, Medium, and Low level security mean different things to different people. It is important to understand the environment in which your system operates. If you chose a security level that too high, you could lock yourself out of your computer. If you chose a security level that is too low, your computer might be vulnerable to a cyber attack.
This is an example of an environment that requires High Level Security. Bob will be colocating his system with an Internet service provider. The system will be connected directly to the Internet, will run as a HTTP server, will contain sensitive user data, and needs to be administered remotely by Bob. The system should be set up and tested on an isolated local network before the system is put online with the ISP.
High level security is the correct security level for this environment, but Bob needs remote access to the system. High level security does not permit telnet, rlogin, ftp, and other common connections that transmit passwords over the network in the clear. These passwords can easily be snooped by someone on the Internet. Bob needs a secure method to log in remotely, such as openssh. Bob can read the complete AIX Security Expert documentation to see if there is anything unique to his environment that might be inhibited by High level security. If so, he can deselect this when the detailed High level security panel is displayed. Bob should also configure and start the HTTP server or any other services he intends to offer on his system.
When Bob then selects High level security, AIX Security Expert will recognize that the running services are required and will not block access to their ports. Access to all other ports could be a vulnerability and High level security will block these ports. After testing this configuration, Bob's machine is now ready to go live on the Internet.