Firewall: Getting started
Version 4, SC41-5424-02
Contents

Part 1. Firewall: Getting started  1

  Chapter 1. Print this topic  3

  Chapter 2. Understanding IBM Firewall for AS/400  5
    About firewalls  5
      Firewall components  6
      How a firewall works  6
      What a firewall can do to protect your network  6
      What a firewall cannot do to protect your network  7
    Understanding Internet security issues  7
      Trusted networks  8
      Understanding security policies  8
      Security services  8
      Network security objectives  9
      Network security considerations  9
      Types of Internet attacks  10
      Firewall security principles  11
    Understanding TCP/IP, networking, and the Internet  12
      TCP/IP addressing and structure  12
      How masks affect Internet Protocol (IP) addressing  14
      Understanding subnets  15
    IBM Firewall for AS/400 features  18
    IBM Firewall for AS/400 components  20
      IBM Firewall for AS/400 Internet Protocol (IP) packet filtering component  21
      IBM Firewall for AS/400 network address translation (NAT) component  31
      IBM Firewall for AS/400 proxy server component  32
      IBM Firewall for AS/400 TELNET proxy server  34
      IBM Firewall for AS/400 SOCKS server component  34
      IBM Firewall for AS/400 mail relay service  37
      IBM Firewall for AS/400 split domain name services (DNS) component  38
      IBM Firewall for AS/400 audit and event reporting services  40
      IBM Firewall for AS/400 virtual private network (VPN) component  41
    Firewall configurations  41
      Dual-homed gateway firewall  42
      Screened host firewall  43

  Chapter 3. Planning your firewall installation and configuration  45
    IBM Firewall for AS/400 installation requirements  45
      IBM Firewall for AS/400 software requirements  45
      IBM Firewall for AS/400 hardware requirements  46
      IBM Firewall for AS/400 user profile requirements  47
      Secure Sockets Layer (SSL) considerations for IBM Firewall for AS/400  47
    Positioning your public server in relation to your firewall  48
      Placing a public server in front of the firewall  48
      Placing a public server behind the firewall  51
    Firewall and network configurations: Example scenarios  53
      Example scenario: Public server in front of the firewall  53
      Example scenario: Public server in front of the firewall with secure side subnets  54
      Example scenario: Public server behind the firewall  55
    IBM Firewall for AS/400 planning worksheets  56

  Chapter 4. Installing and configuring your firewall  61
    Firewall basic configuration: Scenario overview  61
      Firewall basic configuration: Scenario objectives  62
      Firewall basic configuration: Scenario network configuration  63
      Firewall basic configuration: Scenario advantages  64
      Firewall basic configuration: Scenario disadvantages  64
    Firewall basic configuration: Reviewing your planning worksheets  64
    Verifying firewall hardware, software, and configuration prerequisites  69
      Recording the resource name of the Integrated Netfinity Server for AS/400  69
      Verifying the memory available on your Integrated Netfinity Server for AS/400  70
      Verifying the installation of firewall prerequisite licensed programs  70
      Verifying that the latest program temporary fixes (PTFs) are applied  71
      Verifying the basic TCP/IP interface configuration on the firewall home AS/400 system  72
      Verifying that the IBM HTTP Server is started  73
      Verifying that the Web browser supports JavaScript  73
    Installing IBM Firewall for AS/400  74
      Completing the firewall installation worksheet  75
      Installing the firewall from the AS/400 Tasks browser interface  75
    Preparing for Basic configuration of your firewall  77
      Stopping the firewall  78
      Varying off the firewall network server description (NWSD)  78
      Configuring the internal DNS in the firewall NWSD  78
      Adding the firewall domain name server to the firewall NWSD  79
      Updating the secure mail server host table  80
      Routing outbound mail to the firewall  81
    Starting the firewall  82
      Varying on the firewall network server description  83
      Verify that the firewall network server description is ready  83
      Starting the firewall application  84
      Verifying the status of the firewall objects and jobs  84
    Performing firewall Basic configuration  85
      Completing the Firewall Basic configuration planning worksheet  85
      Configuring the firewall from the AS/400 Tasks browser interface  87
      Adding the secure mail server to the firewall domain name server  88
      Configuring forwarders in the internal DNS  90
    Configuring your clients to access Internet services through the firewall  90
      Configuring client domain name services (DNS) to use the firewall domain name server  90
      Configuring the client Web browser to use the firewall proxy or SOCKS server  91

  Chapter 5. Configuring your clients to use the firewall for Internet access  93
    Configuring a client to use the firewall  93
      Verifying that a Windows 95 client can identify the client LAN adapter  93
      Verifying TCP/IP configuration for a Client PC  94
      Configuring domain name services for a firewall client on the secure network  94
      Configuring a firewall client to use a gateway  96
      Testing the firewall client configuration  97
      Configuring a client Web browser to use SOCKS or proxy servers  98
    Adding SOCKS support to firewall clients  100
      Configuring SOCKS support for AS/400  101
        Defining the network to which the AS/400 system is connected directly  101
        Defining which network that the AS/400 client must use SOCKS to access  102
        Defining a domain name server for the SOCKS server  102
        Testing Your AS/400 SOCKS Configuration  103

© Copyright IBM Corp. 1998, 1999
Part 1. Firewall: Getting started

Note: End of Currency (EOC) for Integration Services for FSIOP (5768SA2) and IBM Firewall for AS/400 is 5/31/01.

The Firewall: Getting started topic explains planning and basic configuration of IBM Firewall for AS/400. The following topics provide details on planning, scenario examples, and how to configure your firewall:

- See Print this topic if you would like a PDF copy of this topic.
- Understanding IBM Firewall for AS/400 provides conceptual information on firewall terms and Internet security issues.
- Planning your firewall installation and configuration provides step-by-step planning guidelines that help you prepare for your firewall installation.
- Installing and configuring your firewall provides step-by-step procedures for installing and configuring your firewall.
- Configuring your clients to use the firewall for Internet access provides instructions on setting up your users to use the firewall.
Chapter 1. Print this topic

You can view or download a PDF version of this document for viewing or printing. You must have Adobe® Acrobat® Reader installed to view PDF files. You can download a copy from Adobe.

To view or download the PDF version, select Firewall: Getting started (about 736 KB or 112 pages).

To save a PDF on your workstation for viewing or printing:

1. Open the PDF in your browser (click the link above).
2. In the menu of your browser, click File.
3. Click Save As...
4. Navigate to the directory in which you would like to save the PDF.
5. Click Save.
Chapter 2. Understanding IBM Firewall for AS/400

A firewall represents a substantial portion of your network security policy. Therefore, you must understand exactly what a firewall is and what a firewall can do for you. Each firewall product uses different sets of security features. To understand what a firewall can do to protect your network, review these topics:

- About firewalls
- Understanding Internet security issues

When you connect your network to the Internet, you must use Transmission Control Protocol/Internet Protocol (TCP/IP) and ensure that you configure your network properly. You can prevent many problems with firewall installation and firewall configuration by making sure that you configure TCP/IP properly. Consequently, you should review the topic Understanding TCP/IP, networking, and the Internet before you start planning your firewall installation.

To understand what IBM Firewall for AS/400 can do to protect your network, review these topics:

- IBM Firewall for AS/400 features
- IBM Firewall for AS/400 components
- Firewall configurations

To learn how to get your firewall up and running, review these topics:

- Planning your firewall installation and configuration
- Installing and configuring your firewall
- Configuring your clients to use the firewall for Internet access

About firewalls

A firewall is a blockade between a secure internal network and an untrusted network such as the Internet. Most companies use a firewall to connect an internal network safely to the Internet. You can also use a firewall to secure one internal network from another on an intranet.

A firewall provides a controlled single point of contact (called a chokepoint) between your secure internal network and the untrusted network. The firewall:

- Lets users in your internal network use authorized resources that are located on the outside network.
- Prevents unauthorized users on the outside network from using resources on your internal network.

When you use a firewall as your gateway to the Internet (or other network), you reduce the risk to your internal network considerably. Using a firewall also makes administering network security easier because firewall functions carry out most of your security policy.

To better understand what a firewall does and how you can use one to protect your network, review these topics:

- Firewall components
- How a firewall works
- What a firewall can do to protect your network
- What a firewall cannot do to protect your network
Firewall components

A firewall is a collection of hardware and software that, when used together, prevent unauthorized access to a portion of a network. A firewall consists of the following components:

- Hardware. Firewall hardware usually consists of a separate computer dedicated to running the firewall software functions.
- Software. Firewall software can consist of some or all of these applications:
  - Packet filters
  - Proxy servers
  - SOCKS servers
  - Network address translation (NAT) services
  - Logging and monitoring software
  - Virtual private network (VPN) services

How a firewall works

To understand how a firewall works, imagine that your network is a building to which you want to control access. Your building has a lobby as the only entry point. In this lobby, you have receptionists to welcome visitors, security guards to watch visitors, video cameras to record visitor actions, and badge readers to authenticate visitors who enter the building.

These measures may work well to control access to your building. But, if an unauthorized person succeeds in entering your building, you have no way to protect the building against this intruder's actions. If you monitor the intruder's movements, however, you have a chance to detect any suspicious activity from the intruder.

When you define your firewall strategy, you may think it is sufficient to prohibit everything that presents a risk for the organization and allow everything else. However, because computer criminals constantly create new attack methods, you must anticipate ways to prevent these attacks. As in the example of the building, you also need to monitor for signs that, somehow, someone has breached your defenses. Generally, it is much more damaging and costly to recover from a break-in than to prevent one.

In the case of a firewall, your best strategy is to permit only those applications that you have tested and have confidence in. If you follow this strategy, you must exhaustively define the list of services you must run on your firewall. You can characterize each service by the direction of the connection (from inside to outside, or outside to inside). You should also list users who you will authorize to use each service and the machines that can issue a connection for it.

What a firewall can do to protect your network

You install a firewall between your network and your connection point to the Internet (or other untrusted network). The firewall then allows you to limit the points of entry into your network. A firewall provides a single point of contact (called a chokepoint) between your network and the Internet (see the figure below). Because you have a single point of contact, you have more control over which traffic to allow into and out of your network.
Figure 1. A firewall controls traffic between your secure network and the Internet

A firewall appears as a single address to the public. The firewall provides access to the untrusted network through proxy or SOCKS servers or network address translation (NAT) while hiding your internal network addresses. Consequently, the firewall maintains the privacy of your internal network. Keeping information about your network private is one way in which the firewall makes an impersonation attack (spoofing) less likely.

A firewall allows you to control traffic into and out of your network to minimize the risk of attack to your network. A firewall securely filters all traffic that enters your network so that only specific types of traffic for specific destinations can enter. This minimizes the risk that someone could use TELNET or file transfer protocol (FTP) to gain access to your internal systems.

What a firewall cannot do to protect your network

While a firewall provides a tremendous amount of protection from certain kinds of attack, a firewall is only part of your total security solution. For instance, a firewall cannot necessarily protect data that you send over the Internet through applications such as SMTP mail, FTP, and TELNET. Unless you choose to encrypt this data, anyone on the Internet can access it as it travels to its destination.

Understanding Internet security issues

When connecting to an untrusted network, you must ensure that your security policy provides you with the best protection possible. A firewall certainly represents a large portion of your total security solution. However, because a firewall is only the first line of defense for your network, you must ensure that your security policy provides additional coverage.

To ensure that your firewall provides the protection that you need, review these security concepts:

- Trusted networks
- Security policies
- Security services
- Network security objectives
- Network security considerations
- Types of Internet attacks
- Firewall security principles
Trusted networks

Any network over which you have control of the security policies is a trusted network. In a trusted network, you (or your organization) can physically configure and audit the computers to ensure that your organization's security policy is implemented and enforced.

Any network over which you do not have this level of control should be considered an untrusted network. You (or your organization) cannot verify the security practices of any other network. Therefore, you must assume that the other network is not secure and treat traffic from it accordingly. Otherwise, you add a level of risk to your own network operations. If someone compromises the other network's security, your own network is vulnerable. You have no way of auditing that system to ensure its integrity. You also have no way of protecting yourself if someone on that system attempts to attack your network.

Understanding security policies

A security policy is a written document that defines the security controls that you institute for your computer systems. A security policy also describes the risks that you intend these controls to minimize. Additionally, a security policy defines what actions should be taken if someone breaches your security controls.

The most important rule that your security policy should express is: Anything that is not explicitly permitted should, by default, be denied. In other words, actions that you do not specifically allow should be automatically disallowed. This ensures that new types of attacks are unlikely to get past your defenses, even though you may have no knowledge of them and have nothing in your security controls to defend specifically against them.

A security policy contains such rules as who can have access to certain services or which services can be run from a given computer. The policy also contains information about what processes and controls you have instituted to enforce these rules. If you connect to the Internet, your security policy should stipulate that you install and use a firewall to control access to and from the Internet.

Once you create a security policy, you must ensure that it is put into effect. This may involve establishing more restrictive password rules, installing and running virus protection software, holding classes to educate users on security rules, and so on.

Security services

The National Institute for Standards and Technology (NIST) defines five major security services. While a firewall provides security for your network, a firewall does not generally provide coverage for all of these NIST security services. To completely protect your network, your security policy should address each of these as well:

Authentication
  Assurance that the resource at the other end of the session is really what it claims to be.

Access control
  Assurance that the resource requesting access to data or a service has authorization to access the requested data or service.
Integrity
  Assurance that the information that arrives is the same as the information that was sent.

Confidentiality
  Assurance that sensitive information is not visible to an eavesdropper. (Encryption is the best way to ensure confidentiality.)

Nonrepudiation
  Assurance that a transaction can be proven to have taken place. Nonrepudiation is also called accountability.

Firewalls cannot provide all of these security services. Therefore, you should ensure that you have additional security functions to provide these security services for your network.

Network security objectives

Although the network security objectives that you develop depend on your particular situation, there are some general objectives you should consider:

- Protect your resources:
  - Your Internet servers
  - Your internal network, workstations, and systems
  - Your data
  - Your company image
- Provide your customers with safe Internet transactions. Ensure that the following conditions are in place:
  - Communicating parties can identify each other (authentication).
  - Unintended parties cannot read information exchanged between parties (confidentiality).
  - Unauthorized parties cannot alter data (integrity).
  - Participating parties cannot repudiate transactions (accountability).

Your security policy should describe how you will fulfill these objectives.

Network security considerations

Whenever you create a security policy, you must balance providing services against controlling access to functions and data. With networked computers, security is more difficult because the communication channel itself is open to attack. Although there are several types of Internet attacks, you can characterize such attacks in two ways:

Passive attacks
  These attacks are difficult to detect and involve someone tapping or tracing communications. Sniffing is an example of a passive attack. You should assume that someone is eavesdropping on every communication that you send across the Internet or any other untrusted network.

Active attacks
  These attacks involve someone trying to break into or take over your computer. Spoofing is an example of an active attack.

You may be certain that no one has compromised your own machines. However, you cannot be certain about the machines at the other end of the connection. Realistically, you must extend your circle of trust to some of those machines or not use the Internet at all.

It may seem that once you start thinking about computer security, you can reach a point where nothing seems safe anymore. Is this justifiable? After all, we do not (usually) worry about people tapping our telephone conversations or reading our mail. We happily send credit card numbers, private messages, gossip, and scandal when using those media. The difference with the Internet is that the carrier is not a regulated, well-defined entity. In fact, you have no idea through whose computers your message passes on the way to its destination.

Types of Internet attacks

There are several kinds of passive or active attacks of which you should be aware. These are among the most common:

- Sniffing
- Internet Protocol (IP) spoofing
- Denial of service

Sniffing

Computer criminals (crackers) use a technique called sniffing to acquire information that they can use to break into your systems. Sniffing programs can "overhear" critical unencrypted data that passes over the Internet, such as user IDs and passwords. A cracker can take the captured information and use it to gain access to your network.

To protect your network from sniffing attacks, take these security measures:

- Use your firewall filtering rules to control which information (packets) comes into your network. The filter rules can check that packets from external hosts cannot pass through the firewall.
- Use a firewall to translate the internal host names and addresses of any outgoing traffic to the name and address of the firewall. This hides such critical information from outside users and sniffing programs.
- Educate your users about the risk of using their internal passwords and user IDs to access external hosts. If they do so, attackers could capture this information from the external hosts and use it if they successfully break into your system. State in your security policy that they must use different user IDs and passwords on external untrusted systems.

Internet Protocol (IP) spoofing

Generally, when you set up a network, you assume that you can trust any given host on that network. Consequently, a network host does not usually require authentication from other hosts on the same network that communicate with it. When you eliminate authentication between hosts, you provide easier and faster communications within the network. However, you should require authentication from hosts outside your network. You cannot assume that you can trust these hosts to be who they say they are.

In an Internet Protocol (IP) spoofing attack, an untrusted external host impersonates a trusted known host on your network. This impersonation allows the host to bypass your security controls to connect to your network. The impersonation is successful because the external host uses an IP address of a known host on your network. Because the external host uses an internal network address, other hosts on the network can communicate with it without requiring authentication.

To prevent IP spoofing, take these security measures:

- Avoid using IP addresses as a means of authenticating a source communication. This ensures that a "correct" IP address alone is not sufficient to gain access to your resources.
- Require a password or more secure authentication to access a host, regardless of the origin of the request for access.
- Use encrypted authentication methods.
- Use a firewall to ensure that the originator of a connection is not using IP source forwarding to impersonate another system. This helps ensure that a requesting host identity is authentic.
- Use your firewall to conceal all your internal network IP addresses from outsiders. Typically, a firewall uses a single IP address for all outbound transactions, regardless of the internal IP address of the user. The firewall routes the inbound traffic to the correct internal host.

The security measures that you use to defend against IP spoofing depend on several factors. These factors include your analysis of the risk your network faces from this type of attack, the amount of money you are willing to spend, and the amount of convenience you are willing to trade for better security.

Denial of service

A denial of service occurs when an attack brings down one or more hosts on your network such that the host is unable to perform its functions properly. This type of attack can affect entire networks. Although it is difficult to predict the form that a denial of service may take, the following examples illustrate how such an attack can affect your network:

- A rogue packet enters your network and interferes with normal operations because it cannot be processed appropriately.
- Traffic flooding (such as a large number of bogus mail messages) overtaxes your mail server's processing capabilities, stopping further network traffic.
- A router is attacked and disabled, thereby partitioning your network.
- A virus is introduced that ties up significant amounts of processing resources.
- Devices, such as the firewall or a router, meant to protect the network are subverted.

Firewall security principles

You should follow these principles when you set up a firewall:

- Develop a written network security policy and follow it. The firewall can implement many aspects of your security policy and become a part of a network security solution.
- Make sure that the only connection to the Internet (or other untrusted network) is through the firewall. Be sure you include any dial-up connections. The firewall should provide a chokepoint, forcing all traffic to and from the Internet to flow through the firewall. Any traffic that bypasses the firewall increases the risks to your network substantially.
- Allow only those activities that you expressly permit. For example, permit only the TCP/IP services that you need (such as HTTP and e-mail) rather than permit all TCP/IP services. This limits the number of security exposures that you must monitor and take precautions against.
- Keep it simple. Configuration errors are a major source of security holes. The firewall should have limited security policy information to keep its configuration as simple as possible.
- Do not allow any direct TCP/IP connections between applications on internal systems and servers on the Internet (or other untrusted network). A direct connection allows the server to learn information about the client system. The server can try to trick the client into performing an inappropriate action by sending certain responses.
- Never trust information from untrusted systems. The routing table update that you receive from a neighboring router may redirect your network traffic to an unintended destination. Be aware that another system can impersonate a secure system. When attackers use this type of attack, they impersonate a trusted known host on your network. This impersonation, which is also called IP spoofing, allows the host to bypass your security controls to connect to your network.

While these principles are good in theory, as with all security policies, they should be tempered with reality. In some cases, such as when you use a production system to run a public Web server for e-commerce, you should place the public server behind the firewall to protect it and the data it contains. You can carefully open a hole in the firewall to allow any necessary traffic to flow between the Web server and the Internet.

Understanding TCP/IP, networking, and the Internet

The Internet uses TCP/IP as its only communications protocol. Therefore, if you connect to the Internet, you must use TCP/IP for your connection. To successfully work with TCP/IP, you must have a basic understanding of what TCP/IP is, how it works, and how it affects your network. For some basic background information about TCP/IP and the network structure, review these topics:

- TCP/IP addressing and structure
- How masks affect IP addressing
- Understanding subnets

TCP/IP addressing and structure

You must understand the structure and addressing system that TCP/IP uses. This knowledge is essential in order to successfully set up TCP/IP networks, define filter rules for firewalls, and follow packet routing through the network. To learn more about TCP/IP addressing, review these basic explanations of key terms and concepts:

- TCP/IP
- Hosts
- Understanding the Internet Protocol (IP) address format
- IP address classes
- IP addresses reserved for private intranet use

Transmission Control Protocol/Internet Protocol (TCP/IP)

Transmission Control Protocol/Internet Protocol (TCP/IP) is a set of network protocols that connects networks. TCP/IP allows computers to share resources and exchange information across a network. TCP/IP allows hosts to communicate with each other regardless of the host or user's physical location, the operating system, or the network medium. TCP/IP operates in many different network environments, including the Internet and corporate intranets.

Transmission Control Protocol (TCP) provides host-to-host transmission. TCP takes a stream of data and breaks it into segments. It sends each segment individually by using Internet Protocol (IP) and then reassembles the segments into the original stream. If the transmission loses or damages any segments, TCP detects this and re-sends the segments.

IP routes data from its source to its destination. IP is responsible for routing packets from one host to another host. The other host can be on the same network or on another network.

Hosts

In Internet terms, a host is any system or adapter connected to a network. The term does not imply any particular type of system. A host can be a client, a server, or both, depending on the applications that you run on the system.
A dual-homed or multi-homed host is a system that has more than one connection into the network. A two-port Integrated PC Server is an example of a dual-homed host.

Understanding the Internet Protocol (IP) address format

Internet Protocol (IP) uses a 32-bit, two-part logical address field. The 32 bits consist of four octets (eight bits per octet). One part of the logical address is for the network address and the other is for the host address. You define each part of the address to TCP/IP by using a 32-bit binary mask that you apply to the address. The network portion of the address is indicated in the mask by placing a "1" in each bit of the mask that represents the network portion. The host portion of the address is indicated in the mask by placing a "0" in each bit of the mask that represents the host portion. The following table uses a mask to illustrate which portion of an IP address is for the host versus the network in an unsubnetted Class C address.

Table 1. Internet address structure

                        Binary                                 Dotted decimal
32-Bit Address          11010000 11011110 10010110 00001011    208.222.150.11
Two-Part Address Mask   11111111 11111111 11111111 00000000    255.255.255.0

The network portion of the address should be contiguous, starting at the left side of the address and moving to the right. The network mask is "anded" with the IP address to generate the network address. The address and the mask are written in dotted decimal format; each portion of the decimal format allows a maximum value of 255. You can derive the decimal format by converting each octet to its decimal value. If the IP address is 208.222.150.11, for example, the network address part of the address is 208.222.150.0, and the host part of the address is 11. The host portion of the address cannot be all "1"s or all "0"s. TCP/IP reserves these two values for its own use.

The full IP address of 208.222.150.11 is commonly referred to as the address of the system (although the address actually describes the host interface). While this works with a simple system, multi-homed systems must have multiple addresses because they have multiple interfaces.

Internet Protocol (IP) address classes

Internet Protocol (IP) addresses are divided into five classes: A, B, C, D, and E. Classes A, B, and C are in common use today. The address class determines how many hosts can exist on a network. You can use the value of the first octet to determine the class of network. The possible values for the first octet are:
v Class A (Address range 0 - 127):
  – 127 networks with up to 16,777,216 hosts each.
  – Intended for use with a large number of hosts.
  – Network mask is 255.0.0.0.
v Class B (Address range 128 - 191):
  – 16,384 networks with up to 65,536 hosts each.
  – Intended for use with a moderate number of hosts.
  – Network mask is 255.255.0.0.
v Class C (Address range 192 - 223):
  – 2,097,152 networks with up to 254 hosts each (0 and 255 are reserved).
  – Intended for use with a smaller number of hosts.
  – Network mask is 255.255.255.0.
  – Most common address type issued by an Internet Service Provider (ISP).
v Class D and E (Address range 224 - 255):
  – The Internet Assigned Numbers Authority (IANA) has reserved these classes for future use.

Internet Protocol (IP) addresses reserved for private intranet use

The Internet Assigned Numbers Authority (IANA) reserves three blocks of the Internet Protocol (IP) address space for private intranets. The following table shows which address blocks IANA reserves.

Table 2. Addresses reserved for private Internet (intranet) use

Class of Network   Start of Address Block   End of Address Block
A                  10.0.0.0                 10.255.255.255
B                  172.16.0.0               172.31.255.255
C                  192.168.0.0              192.168.255.255

Although these addresses cannot route through the Internet, you can use them for your internal network. Refer to RFC 1918 for more details about Internet recommendations for private addresses.

How masks affect Internet Protocol (IP) addressing

A mask is a pattern or template that you apply to an Internet Protocol (IP) address to specify which bits are significant and which bits are irrelevant. When you apply a mask to an IP address, you perform a bitwise "and" operation. You then use the result of the operation to perform some type of test. You can use masks in TCP/IP to define networks, to route packets, and to write filter rules.

In TCP/IP, a mask consists of 32 bits (four octets). To make it easier to read, you write the mask in dotted decimal format (for example, 255.255.255.240). In the mask, a "1" (one) bit defines the significant positions and a "0" (zero) bit defines the irrelevant positions. Masks usually specify a range; however, you can use a mask of all ones to specify a single value. By specifying a range, you can apply a single rule, network interface definition, or routing entry to many individual host addresses. When you create fewer entries to define one of these items, you are less likely to introduce errors.
When you add a TCP/IP address to an interface, you also specify a subnet mask. TCP/IP applies the subnet mask to the address and calculates the range of addresses that are local to this adapter. When TCP/IP has packets for one of these local addresses, it tries to communicate directly with the interface assigned to the address by using the local link. If TCP/IP cannot establish the connection, TCP/IP checks the routing table to look for another route to the address.

To define a route, you enter the destination address, subnet mask, and the next hop address. TCP/IP applies the subnet mask to the destination address. TCP/IP then calculates the range of addresses that can be reached through this next hop. When TCP/IP has packets for one of these addresses, it forwards the packet to the system (usually a router) at the next hop address. The next hop system either delivers the packet to a local host or forwards the packet to yet another hop. Or, the system may generate a non-delivered message because the packet cannot be forwarded due to bad routing information. If you want a specific address to be routed to a specific next hop, specify the host address and a subnet mask of 255.255.255.255 (all "1"s). This means that this route applies only to the one specific host address.

When you write filter rules, you may specify a mask to apply to the "from" address and a mask to apply to the "to" address. The firewall applies these masks to the source and destination addresses in the packet. The firewall then compares the result to the from address and to address values in the filter rule. This allows you to write a single rule that applies to a large number of hosts. If you want the rule to apply to a single host, use the value 255.255.255.255 (all "1"s) in the appropriate mask field. To better understand the effect that applying a mask has on an IP address, see Example: Performing an "AND" operation on an address and mask.

Example: Performing an "AND" operation on an address and mask

You perform an "AND" operation when you apply Boolean algebra to the binary representation of both the Internet Protocol (IP) address and the mask. The rules of an "AND" state that, if both digits are a "1" (one), then one is the product. If either digit is a "0" (zero), then zero is the product.

In the following example (see Figure 2), you perform an "AND" on the address 208.222.150.11 with the mask 255.255.255.240. This operation results in an address of 208.222.150.0. In this mask, the four right-most bits are not significant (they have a value of zero). Therefore, 208.222.150.0 is the result when you apply the mask to every address between 208.222.150.0 and 208.222.150.15. When you reach 208.222.150.16, the last octet of the address is 00010000. When you complete the "AND" operation with the mask for the address, the result is 208.222.150.16. When you apply the mask to any address in the range 208.222.150.16 through 208.222.150.31, the result is a value of 208.222.150.16.

Figure 2. "ANDING" an address

Understanding subnets

A subnet is a physical segment of a local area network (LAN). Most networks are divided into smaller network segments by using subnets to take advantage of better address distribution and better traffic distribution. You create subnets by applying subnet masks to the network portion of your Internet Protocol (IP) addresses.
Each subnet has a unique network address. When you subnet your network, you use routers to join the subnets to form a complete network. Each router contains information that allows it to send the network traffic to the correct subnet of the network. When you install a firewall, you may need to subnet your network. You should review these topics first:
v Why you may need to subnet your network
v Creating subnets
v Determining the number of subnets that you need in your network

Why you may need to subnet your network

A subnet is a physical segment of a local area network (LAN). There are several reasons to subnet a network:
v You have more than one type of physical network segment installed in the network.
v You expect a large number of hosts in your network, which requires splitting a network into smaller networks for improved network performance.
v Your network covers a large physical area. Growing distances require splitting a network into smaller networks with routers between them. This reduces collisions caused by propagation delay in a large network segment.

You assign subnet addresses to your network locally. After subnetting, your entire network appears as one IP network to the outside world and your routers handle the traffic flow in your network. The firewall Integrated Netfinity Server has two physical LAN adapters, as well as the AS/400 *INTERNAL attachment, which functions as an internal LAN adapter. Each of these adapters is in a separate subnet because it is connected to a different physical segment of the network.

Creating subnets

Your Internet service provider (ISP) provides you with a network address and a network mask. (In most implementations of TCP/IP, the network mask is also referred to as a subnet mask.) In some cases, the ISP provides you with a complete class C address, which allows you to have up to 254 hosts on your network. In other cases, the ISP provides you with a portion of a class C network address. The ISP also provides you with a subnet mask. Before you can subnet your network, you must determine the following values:
1. How many subnets you need in your network.
2. What your current subnet mask is.
3. What your current network address is.

Determining the number of subnets you need in your network

To create subnets for your network, you must first determine how many subnets you need. You can use the table below to help you make this determination. The number of subnets that you need is based on the number of hosts that you have in a subnet. To create subnets for your network, follow these steps:
1. Determine how many subnets you need for your desired network configuration.
2. Use Table 3 to determine the number of subnets (a power of two) that gives you at least the number of subnets that you need. If the number of subnets you need is not a power of two, you must round up the number to the next power of two. You must round up because the mask that you apply to the address is binary. For example, if you determine that you need two subnets, then the final number of subnets that you need is two. If you determine that you need three subnets, then the final number of subnets that you need is four (the next power of two).
3. Use Table 3 to determine the values that you need to create a subnet mask.
4. Apply the subnet mask to your Internet Protocol (IP) address range. Applying a subnet mask allows you to create the specific subnet addresses that you need.
5. Use Table 3 to determine the decimal value of the last octet in each subnet.
6. Use Table 3 to determine the number of hosts that you can have in each subnet.

Table 3. Possible subnet masks and values

Power of 2   Number of   Last Octet of Subnet   Last Octet of Subnet   Last Octet of Network Values      Hosts per
Required     Subnets     Mask (Binary)          Mask (Decimal)         (n.n.n.X) in a Class C Network    Segment
0            1           00000000               0                      0                                 254
1            2           10000000               128                    0,128                             126
2            4           11000000               192                    0,64,128,192                      62
3            8           11100000               224                    0,32,64,96,128,160,192,224        30
4            16          11110000               240                    0,16,32,...240 (step by 16)       14
5            32          11111000               248                    0,8,16,24,...248 (step by 8)      6
6            64          11111100               252                    0,4,8,12,...252 (step by 4)       2
7            128         11111110               254                    Not valid for class C subnet      0
8            255         11111111               255                    This is a host address            N/A

For examples of how to subnet a network, review the topic Example: Further subnetting an already subnetted network.

Example: Further subnetting an already subnetted network

In this example, you have a network address that is already a subnet itself. You examine your configuration and determine that you need two subnets. You need one subnet for the non-secure port of the firewall and one for the public-secure network in which your public server resides. The Internet service provider (ISP) gave you part of a class C address. This network address is 208.222.150.248 with a subnet mask of 255.255.255.248. This means that you have six host addresses available. You need one of these for the ISP router, which leaves you with five to distribute.

Table 4. Possible subnet masks and values

Power of 2   Number of   Last Octet of Subnet   Last Octet of Subnet   Last Octet of Network Values      Hosts per
Required     Subnets     Mask (Binary)          Mask (Decimal)         (n.n.n.X) in a Class C Network    Segment
0            1           00000000               0                      0                                 254
1            2           10000000               128                    0,128                             126
2            4           11000000               192                    0,64,128,192                      62
3            8           11100000               224                    0,32,64,96,128,160,192,224        30
4            16          11110000               240                    0,16,32,...240 (step by 16)       14
5            32          11111000               248                    0,8,16,24,...248 (step by 8)      6
6            64          11111100               252                    0,4,8,12,...252 (step by 4)       2
7            128         11111110               254                    Not valid for class C subnet      0
8            255         11111111               255                    This is a host address            N/A

Based on the information in Table 4, you need to add another "1" to the current mask, as shown in Table 5.

Table 5. Splitting an existing subnet

Step                                         Decimal           Binary
Convert the existing mask to binary          255.255.255.248   11111111 11111111 11111111 11111000
Change the first zero in the mask to a one                     11111111 11111111 11111111 11111100
Convert the mask back to decimal             255.255.255.252   11111111 11111111 11111111 11111100

To do this, you must:
1. Convert the existing mask to binary.
2. Change the first zero in the mask to a one.
3. Convert the mask back to decimal.

The results of the conversion operation provide two sets of addresses. You can use one set of addresses on the perimeter (non-secure) network. You can use the other set of addresses for the *INTERNAL port of the Integrated PC Server. The hosts in the first subnet have addresses of 208.222.150.249 and 208.222.150.250. The hosts in the other subnet have addresses of 208.222.150.253 and 208.222.150.254. If you need more than two systems on the perimeter network, this solution will not work. You must obtain a larger range of addresses from your ISP.

IBM Firewall for AS/400 features

IBM Firewall for AS/400 is an application gateway firewall and a circuit gateway firewall. You can use one or both types of functions.
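Returning to the subnetting material above, the following is the "AND" operation of Figure 2 and the subnet split of Table 5 worked in code. It is an added Python example, not part of the IBM manual; its only inputs are the chapter's own addresses and masks, and it generalizes the Table 5 procedure to any requested number of subnets by rounding up to a power of two, as step 2 of the procedure requires.

```python
"""Mask arithmetic for the examples in this chapter.

Added example: this is not code from the IBM Firewall for AS/400
documentation. The addresses and masks are the chapter's own
(208.222.150.x with masks 255.255.255.240 and 255.255.255.248).
"""
from typing import List, Tuple

ALL_ONES = 0xFFFFFFFF


def to_int(dotted: str) -> int:
    """Convert dotted decimal (for example '208.222.150.11') to a 32-bit integer."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {dotted!r}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def to_dotted(value: int) -> str:
    """Convert a 32-bit integer back to dotted decimal."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def to_binary(dotted: str) -> str:
    """Render an address or mask as four 8-bit groups, as Table 1 does."""
    value = to_int(dotted)
    return " ".join(f"{(value >> shift) & 0xFF:08b}" for shift in (24, 16, 8, 0))


def mask_from_prefix(ones: int) -> str:
    """Build a contiguous mask with `ones` leading one bits."""
    if not 0 <= ones <= 32:
        raise ValueError("prefix length must be 0..32")
    return to_dotted((ALL_ONES << (32 - ones)) & ALL_ONES if ones else 0)


def prefix_length(mask: str) -> int:
    """Count the leading one bits of a mask, rejecting non-contiguous masks."""
    value = to_int(mask)
    ones = 0
    while ones < 32 and (value >> (31 - ones)) & 1:
        ones += 1
    if to_int(mask_from_prefix(ones)) != value:
        raise ValueError(f"mask {mask} is not contiguous")
    return ones


def network_address(address: str, mask: str) -> str:
    """Bitwise AND of address and mask: the 'ANDING' shown in Figure 2."""
    return to_dotted(to_int(address) & to_int(mask))


def host_part(address: str, mask: str) -> int:
    """The bits the mask marks as irrelevant, that is, the host portion."""
    return to_int(address) & ~to_int(mask) & ALL_ONES


def usable_hosts(network: str, mask: str) -> List[str]:
    """Host addresses in a subnet, excluding the all-zeros and all-ones
    values that TCP/IP reserves for its own use."""
    base = to_int(network) & to_int(mask)
    size = (~to_int(mask) & ALL_ONES) + 1
    return [to_dotted(base + i) for i in range(1, size - 1)]


def split_subnet(network: str, mask: str, wanted: int) -> List[Tuple[str, str, List[str]]]:
    """Split a subnet into `wanted` smaller subnets (rounded up to the next
    power of two, because the mask is binary), following the Table 5 procedure:
    add one bits to the mask and recompute each subnet's network address."""
    extra_bits = 0
    while (1 << extra_bits) < wanted:
        extra_bits += 1
    new_mask = mask_from_prefix(prefix_length(mask) + extra_bits)
    step = (~to_int(new_mask) & ALL_ONES) + 1
    base = to_int(network) & to_int(mask)
    return [
        (to_dotted(base + i * step), new_mask, usable_hosts(to_dotted(base + i * step), new_mask))
        for i in range(1 << extra_bits)
    ]


if __name__ == "__main__":
    # Figure 2: .0 through .15 share one network address, .16 through .31 another
    print(network_address("208.222.150.11", "255.255.255.240"))   # 208.222.150.0
    print(network_address("208.222.150.31", "255.255.255.240"))   # 208.222.150.16
    # Table 5: 208.222.150.248 / 255.255.255.248 split into two /252 subnets
    for net, msk, hosts in split_subnet("208.222.150.248", "255.255.255.248", 2):
        print(net, msk, to_binary(msk), hosts)
```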
The firewall product provides a number of technologies that you can use to protect your internal network, including:
v Internet Protocol (IP) packet filtering for TCP, UDP, and ICMP packets
v Network address translation (NAT) services
v SOCKS server
v Proxy server for HTTP, HTTPS, FTP, and Gopher for Web browsers
v TELNET proxy
v Mail relay
v Split domain name services (DNS)
v Logging
v Real-time monitoring
v Virtual private network (VPN) services

IBM Firewall for AS/400 consolidates security administration to enforce I/T security policy and minimize the opportunity for security configuration errors. The firewall provides privacy by preventing outsiders from accessing network information through the Internet. You can log traffic to and from the Internet, which allows you to monitor network use and misuse. Firewall configuration is flexible, which enables support for various security policies. The administrator decides which services the firewall should permit and which the firewall should block. The IBM Firewall for AS/400 software guides the administrator through the basic installation and configuration of the firewall.

The software that the firewall uses resides on a read-only disk. This eliminates the possibility of virus introduction or modification of programs that perform communication security functions. The main processor and firewall communicate over an internal system bus that is not subject to sniffing programs on local area networks. You can set the firewall to issue notifications to the AS/400 system operator (QSYSOPR) when a pre-configured condition on the firewall occurs. The main processor can disable the firewall when it detects tampering, regardless of the state of the firewall.

You can administer the firewall through a Web browser on the internal (secure) network. You can use the Secure Sockets Layer (SSL) for session encryption to protect the administration session. The software authenticates the administrator with OS/400 security support so that you do not need separate user IDs and passwords.

You should install the IBM Firewall for AS/400 on a two-port Integrated Netfinity Server for AS/400. Configure one port of the Integrated Netfinity Server to connect the firewall to your internal secure network. Configure the other port to connect the firewall to the Internet or other untrusted network. The firewall can distinguish which network (trusted or untrusted) sent an IP packet. The firewall can also distinguish which port is the appropriate port for the originating packets on each network. Consequently, the firewall is not susceptible to spoofing attacks in which untrusted hosts try to masquerade as trusted ones.

The AS/400 system operator receives notifications (in the QSYSOPR message queue) when important firewall events occur, such as attempted intrusions. The system sends all high severity error messages (Type = Alert) immediately. The system sends lower severity messages (Type = Error, Warning, Information, or Debug) when they reach a user-defined threshold. If the system detects an error condition that may result from tampering (such as the logging function ending), all firewall functions are set to end immediately.

Installing the firewall on an Integrated Netfinity Server separates the processor that you use for application programs from the processor that you use for security programs. This separation eliminates the possibility of the programs interfering with each other. Compromised security programs that are running on the firewall cannot directly affect the AS/400 main processor in functionality or performance. In addition, the IBM OS/400 TCP/IP protocol stack is completely independent of the TCP/IP stack on the Integrated Netfinity Server. The firewall also has separate storage, which prevents attackers from accessing AS/400 data. This storage is on a read-only disk to eliminate the possibility of virus introduction or modification of programs that perform communication security functions.

You can use the firewall proxy or SOCKS servers, or NAT, to provide internal users with safe access to services on the Internet. The proxy and SOCKS servers break TCP/IP connections at the firewall to hide internal information from the untrusted network. The servers also provide additional logging capabilities. You can use NAT to provide Internet users with easy access to a public server behind the firewall. The firewall still protects your network because NAT hides your internal IP addresses.

The firewall also protects internal information by using two DNS servers, one that you provide on the internal network and one on the firewall. The firewall name server contains names visible to the untrusted network only, such as an external Web server. The firewall name server resolves outside names in response to requests from the internal name server. Your internal name server contains only the names of the internal network. Your internal name server forwards requests that it cannot resolve to the firewall name server. The firewall DNS server does not provide name serving functions for the internal network. You are not required to have an internal DNS server to successfully implement a firewall. However, having one makes client configuration easier because you do not have to maintain host tables on each system. OS/400 includes DNS support, which you should use for your internal network.

The firewall protects your internal mail server from attack by providing a mail relay function. The mail relay function passes mail between an external mail server on the firewall and an internal one. The firewall translates addresses of outgoing mail to the public address of the firewall secure port. This translation hides any internal information from the untrusted network.

The firewall also provides VPN technology so that you can set up encrypted sessions between your firewall and other compatible firewalls.

IBM Firewall for AS/400 components

A firewall consists of a set of software components, each of which provides particular security features for your network. Which components you use depends on your security needs. These components work together to provide your network traffic security controls. Because they are interdependent, each component works with and affects the other components. Review these topics to get the details that you need to work with firewall components and common firewall configurations:
v Internet Protocol (IP) packet filtering for TCP, UDP, and ICMP packets
v Network address translation (NAT) services
v Proxy server for HTTP, HTTPS, FTP, and Gopher for Web browsers
v Proxy server for TELNET (not through a Web browser)
v SOCKS server
v Mail relay service
v Split Domain Name Services (DNS)
v Audit and event reporting services
v Virtual private network (VPN) services
IBM Firewall for AS/400 Internet Protocol (IP) packet filtering component

Internet Protocol (IP) packet filtering is the core protection mechanism of a firewall. Packet filters are sets of rules that limit IP packet flow into or out of a secure network (Figure 3). As the firewall administrator, you define policies that determine which packets the firewall should permit or deny access into your network. You can then use the firewall administration facility to institute these policies as filter rules that your firewall can use. If there is no matching rule, the firewall has a built-in default rule to deny the packet access and discard the packet. You can have your firewall use any of the following packet data to filter packets:
v Source IP address
v Destination IP address
v Protocol (TCP, UDP, and ICMP)
v Acknowledge (ACK) flag
v Source port
v Destination port
v Direction (inbound, outbound, or both)
v Network interface (secure port, non-secure port, or both)
v Whether the packet is a fragment

Figure 3. Packet filters control traffic between your network and the untrusted network

The dynamic packet filtering technology of the firewall supports RealAudio. However, you must use network address translation (NAT) to allow RealAudio packets to cross the firewall.

You can designate the firewall to log information about the packets it processes. Log records allow you to analyze traffic that flows into and out of your network, as well as traffic that the firewall denies.

Packet filtering is the foundation of a firewall. All other firewall capabilities depend on the packet filtering function. You must have a thorough understanding of what filter rules are and how they work. With this knowledge, you can ensure that your firewall filter rules control traffic into and out of your secure network properly. These articles describe basic IP packet characteristics and how filter rules control the flow of packets:
v Internet Protocol (IP) filtering and routers
v Internet Protocol (IP)
v Types of Internet Protocol (IP) communications protocols
v Internet Protocol (IP) forwarding
v Well-known ports
v Understanding firewall filter syntax

Internet Protocol (IP) filtering and routers

Although routers can often filter packets, they do not usually provide a logging facility. Without logging, you cannot trace information related to a breach in security, such as where and how the breach occurred. In addition to this limitation, router manufacturers do not use a common set of standards for functions. Consequently, routers from different manufacturers provide different functionality. Some routers provide facilities to prevent Internet Protocol (IP) spoofing and some do not. Some routers can allow access for some client applications (TELNET) but not others (FTP). Routers also do not use a standard syntax for filter rules. You must learn the syntax specific to each router in your network to create filter rules for the routers. Most routers allow you to filter packets based on at least the following header information:
v Source IP address
v Destination IP address
v Direction of flow (inbound, outbound, or both)

Internet Protocol (IP)

The Internet Protocol (IP) suite is the primary means of organizing communications on the Internet. IP functions include:
v Defining the datagram (basic unit of transmission that is also called a packet)
v Defining the Internet addressing scheme
v Routing datagrams to remote hosts
v Fragmenting and reassembling packets
v Moving data between the network access layer and the host-to-host transport layer

IP packets carry the IP information. Each packet contains a header with identifying information about the packet.
Your firewall can filter IP packets by using the header information. To understand what the IP header contains, see the topic Understanding Internet Protocol (IP) packets.

Understanding Internet Protocol (IP) packets

An Internet Protocol (IP) packet consists of a formatted header and the payload data. The header consists of fields that contain identifying data about the packet. The table below illustrates the IP packet structure. The payload contains the actual information that is transmitted. The payload data may include an additional header that provides session level protocol information (for example, TCP, UDP, and so forth).

Table 6. Internet protocol (IP) packet structure

Version | Length | Type of service | Total length
Identification | Flags | Fragment offset
Time to live | Protocol | Header checksum
Source IP address
Destination IP address
Options | Padding
Data

The important fields for filtering purposes are these:
v Source address
v Destination address
v Fragmentation indicator
v Protocol ID

The firewall uses the source and destination address together with the protocol ID to define which packets may access which service.

Different types of networks support different sizes of packets. Consequently, a router sometimes must break a large packet into fragments to pass it from one network to another. The firewall or receiving router must be aware of the fragmentation. This awareness is necessary because only the first fragment contains the identifying header information for higher layer protocols, such as UDP and TCP. Later fragments can override header fields, such as the source and destination address. The packet fragmentation indicator tells the firewall how to handle fragmented packets. Attackers can use the weaknesses inherent in fragmentation as a way to infiltrate a network. Therefore, consider configuring the firewall to allow only non-fragmented packets. Refer to RFC 1858, Security Considerations for IP Fragment Filtering, for more information.

Types of Internet Protocol (IP) communications protocols

The Internet Protocol (IP) suite consists of several lower-level communications protocols:
v Internet Control Message Protocol (ICMP)
v Transmission Control Protocol (TCP)
v User Datagram Protocol (UDP)

An extension to IP, called IP security architecture (IPSec), provides security protocols for the TCP/IP network layer. IPSec is an industry (non-IBM) standard.
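Before the individual protocols are described, the following added Python example (not code from the manual) pulls the filtering fields of Table 6 out of raw packet bytes and, when the packet is unfragmented TCP, the source port, destination port, and ACK flag that the filter data list above also names. It applies the RFC 1858 point that only the first fragment carries the transport header, and verifies the header checksum. The packet bytes, and the addresses 192.168.1.10 (a private address from Table 2) and 208.222.150.11 (the chapter's example address), are constructed for illustration.

```python
"""Extract the filtering fields of Table 6 (and the TCP port/ACK fields) from raw packet bytes.

Added example: not code from the IBM Firewall for AS/400 documentation.
The packets are constructed here for illustration; 192.168.1.10 (a private
address from Table 2) stands for an internal host and 208.222.150.11 (the
chapter's example address) for a host on the untrusted network.
"""
import struct
from dataclasses import dataclass
from typing import Optional

PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}
TCP_SYN = 0x02            # TCP flag bits (low bits of the offset/reserved/flags word)
TCP_ACK = 0x10
IP_MORE_FRAGMENTS = 0x1   # the MF bit of the 3-bit IP flags field


@dataclass
class FilterFields:
    """Just the header values a packet filter rule can test."""
    source: str
    destination: str
    protocol: str
    is_fragment: bool                    # MF set or non-zero fragment offset
    checksum_ok: bool
    source_port: Optional[int] = None    # None: no transport header to inspect
    destination_port: Optional[int] = None
    ack: Optional[bool] = None


def pack_addr(dotted: str) -> bytes:
    """Dotted decimal to the 4 network-order bytes of the address field."""
    return bytes(int(o) for o in dotted.split("."))


def ip_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 791) with the checksum field zeroed."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_ip_packet(raw: bytes) -> FilterFields:
    """Decode the IPv4 header of Table 6 and, for TCP, the ports and ACK flag."""
    if len(raw) < 20:
        raise ValueError("truncated IP header")
    (ver_ihl, _tos, _total_len, _ident, flags_frag, _ttl, proto, checksum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(raw) < ihl:
        raise ValueError("not a complete IPv4 header")
    more_fragments = bool((flags_frag >> 13) & IP_MORE_FRAGMENTS)
    fragment_offset = flags_frag & 0x1FFF          # in 8-byte units
    fields = FilterFields(
        source=".".join(map(str, src)),
        destination=".".join(map(str, dst)),
        protocol=PROTOCOL_NAMES.get(proto, str(proto)),
        is_fragment=more_fragments or fragment_offset != 0,
        checksum_ok=ip_checksum(raw[:10] + b"\x00\x00" + raw[12:ihl]) == checksum,
    )
    # Only an unfragmented packet or the first fragment carries the TCP header
    # (RFC 1858); later fragments carry payload where the header would be.
    if proto == 6 and fragment_offset == 0 and len(raw) >= ihl + 20:
        sport, dport, _seq, _ack_num, offset_flags = struct.unpack("!HHIIH", raw[ihl:ihl + 14])
        fields.source_port = sport
        fields.destination_port = dport
        fields.ack = bool(offset_flags & TCP_ACK)
    return fields


def build_tcp_packet(src: str, dst: str, sport: int, dport: int, flags: int,
                     fragment_offset: int = 0, more_fragments: bool = False) -> bytes:
    """Construct a minimal IPv4/TCP packet (no options) for the examples."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 0, (5 << 12) | flags, 8192, 0, 0)
    flags_frag = ((IP_MORE_FRAGMENTS if more_fragments else 0) << 13) | (fragment_offset & 0x1FFF)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, flags_frag, 64, 6, 0,
                         pack_addr(src), pack_addr(dst))
    header = header[:10] + struct.pack("!H", ip_checksum(header)) + header[12:]
    return header + tcp


if __name__ == "__main__":
    syn = build_tcp_packet("192.168.1.10", "208.222.150.11", 1025, 25, TCP_SYN)
    print(parse_ip_packet(syn))      # TCP 1025 -> 25, ack=False, not a fragment
    frag = build_tcp_packet("208.222.150.11", "192.168.1.10", 25, 1025, TCP_ACK, fragment_offset=185)
    print(parse_ip_packet(frag))     # is_fragment=True, ports and ACK unknown
```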
If you plan to use your firewall to create a virtual private network (VPN) between firewalls, you should be familiar with these IPSec protocols:
v Encapsulating Security Payload (ESP) protocol
v Authentication Header (AH) protocol

Internet Control Message Protocol (ICMP)

The Internet Control Message Protocol (ICMP) communicates errors and other information between hosts. The PING application makes use of the ICMP echo and echo reply functions to provide an easy way to discover whether an address can be reached in the network. ICMP is also used by network components such as routers to pass control information between them. ICMP provides information about transport problems, such as whether a host can be reached or the sender is sending packets too fast. Table 7 shows the ICMP message, which consists of three control fields and the message data:
v The Type field describes what type of message is contained in the ICMP datagram.
v The Code field contains the error code reported by the message.
v The Checksum field is generated based upon the entire contents of the ICMP message.
v The message data contains the details of the message. In the case of a redirect message (Type = 5), the message data contains the address of a new router to use.

Table 7. Internet control message protocol (ICMP) message format

Type | Code | Checksum
ICMP data (depending on the type of message)

ICMP messages often provide a means for an attacker to access your network. Consequently, you should prevent most ICMP messages from entering your secure network. For example, an attacker can use PING, with its ability to use ICMP messages, to discover addresses in your secure network. Or, an attacker could use reroute messages in an attempt to capture your data by rerouting your network traffic to an untrusted network. For more information about these and other ICMP functions, see RFC 1700.

Transmission Control Protocol (TCP)

Transmission Control Protocol (TCP) is the main transport layer protocol of the Internet Protocol (IP) suite. The following IP applications are examples of applications that use TCP for a reliable end-to-end connection:

FTP (File Transfer Protocol)
    FTP transfers files between two Internet sites. FTP allows users to access another Internet site to receive and send files.
HTTP (HyperText Transport Protocol)
    This protocol transports hypertext files across the Internet.
TELNET
    This command and application allows you to log in from one Internet site to another.
SMTP (Simple Mail Transport Protocol)
    The main protocol that allows users to send and receive e-mail over the Internet.

TCP takes care of retransmission, duplicate or lost packets, and reordering of packets.
For filtering purposes, the important TCP header information is as follows:
v Source port
v Destination port
v Acknowledge (ACK) flag

TCP information is carried in TCP packets. Each packet contains a header with identifying information about the packet. Your firewall can use the header information to filter TCP packets. To understand what the TCP header contains, see the topic "Understanding Transmission Control Protocol (TCP) packets".

Understanding Transmission Control Protocol (TCP) packets

Transmission Control Protocol (TCP) is a reliable, connection-oriented protocol, which establishes a logical end-to-end connection between two hosts. TCP verifies that data is delivered across the network accurately and in the proper sequence. TCP verifies that a packet arrived at the remote host. If it did not, TCP retransmits the packet.

A TCP packet consists of a formatted header and the application data. The fields in the header contain identifying data about the packet, as illustrated in the following table. The TCP packet is included in the data portion of the Internet Protocol (IP) packet.

Table 8. Transmission control protocol (TCP) packet structure

Source port | Destination port
Sequence number
Acknowledgment number
Offset | Reserved | Flags | Window
Checksum | Urgent pointer
Options | Padding
Data

A TCP connection is uniquely defined by:
v Source address from the IP portion of the packet
v Source port from the TCP portion of the packet
v Destination address from the IP portion of the packet
v Destination port from the TCP portion of the packet

TCP uses the sequence number and the acknowledgment number (ACK) to keep track of the bytes. The acknowledgment segment performs two functions: positive acknowledgment and flow control. The acknowledgment tells the sender how much data has been received and how much more the receiver can accept. TCP is also responsible for delivering the data received from IP to the correct application. A 16-bit number called the destination port number identifies the application. The first word of the segment header contains the source and destination port. The important fields for filtering purposes are:
v Source port
v Destination port
v Acknowledgment (ACK) flag

A three-way synchronization initiates a TCP session (see figure). Notice that the initial request to start a session does not contain an ACK flag. This feature can be useful for creating filter rules to prevent start requests from the untrusted network from entering your internal secure network. For instance, you want to allow internal users to use port 25 to start an e-mail session with a server on the untrusted network. You also want to permit your internal users to receive responses from port 25. You can create two filter rules that allow this traffic. However, you do not want to permit start requests from port 25 to access your internal network. To block these requests, you must ensure that the filter rules deny inbound packets that do not contain the ACK flag.

User Datagram Protocol (UDP)

User Datagram Protocol (UDP) is a transport layer protocol, although systems use Transmission Control Protocol (TCP) more often. Domain Name System (DNS) and Simple Network Management Protocol (SNMP) use UDP. UDP does not provide a reliable end-to-end connection. Unlike TCP, UDP does not handle retransmission of packets, duplicate or lost packets, and reordering of packets. Once the system sends a packet, the sender receives no confirmation that the packet reached its destination: UDP does not provide any acknowledgment (ACK) information. Consequently, it is difficult (sometimes impossible) to tell if the UDP packet is a response to a request generated from the secure network or from the untrusted network.

Encapsulated Security Payload (ESP) protocol

The Encapsulated Security Payload (ESP) protocol is part of the Internet Protocol security architecture (IPSec). ESP provides an integrity check, authentication, and encryption to Internet Protocol (IP) datagrams. ESP allows you to select which of its services to use. The IBM Firewall for AS/400 virtual private network (VPN) component uses all three ESP services to protect your VPN traffic. This ensures that an intruder cannot forge packets in order to mount cryptanalytic attacks. You cannot apply ESP to fragmented IP packets. However, after you apply ESP to an IP packet, intermediate routers can fragment the packet for delivery.
If the destination system receives a fragmented packet, the destination system reassembles the packet before applying ESP processing to it. If you request ESP processing for an IP packet that appears to be a fragment, the packet is discarded. These safeguards prevent the overlapping fragment attack. This attack exploits the fragment assembly algorithm in order to create forged packets and force them through a firewall. If a destination system receives an ESP packet that is both encrypted and authenticated, it authenticates the packet first. If authentication fails, the receiving system discards the packet without decrypting it. This two-step procedure saves computing resources, and reduces the risk of a denial of service attack. You can use ESP in one of two modes: transport mode or tunnel mode. VPNs use ESP in tunnel mode to create a new IP datagram, which contains the original IP datagram as its payload. If the firewall used both authentication and encryption for ESP, the original packet is completely protected. However, the IP header is not protected. In tunnel mode, the IP addresses in the outer headers do not have to be the same as the addresses in the inner headers. For example, two firewalls may operate an ESP tunnel to secure all traffic between the networks that they connect together (a VPN). Tunnel mode provides total protection of the encapsulated IP datagram and allows the firewall to route datagrams that use private IP addresses. In the IBM Firewall for AS/400 implementation of VPNs, an unprotected IP header is not a problem. This is because you create VPNs between compatible firewall 26 Firewall: Getting started
    • products only. Consequently, the IP header contains public addresses for the firewalls on each end of the connection only. Your internal network information is hidden from outsiders who may attempt to sniff the information from the packet header. VPN technology often uses ESP and Authentication Header (AH) protocols jointly to provide a total security solution. IBM Firewall for AS/400 VPN services use both protocols. Authentication Header (AH) protocol: The Authentication Header (AH) protocol is part of the Internet Protocol security architecture (IPSec) and provides integrity and authentication to Internet Protocol (IP) datagrams. AH authenticates as much of the IP datagram as possible. The payload (data) of the IP packet is considered immutable and AH always protects it. However, some fields in the IP header change while in transit and the receiver cannot predict their value. These fields are called mutable and AH cannot protect them. To protect the information in these fields, you should use Encapsulated Security Payload (ESP) protocol tunneling. You cannot apply AH protocol to fragmented IP packets. However, after you apply AH protocol to an IP packet, the intermediate routers can fragment the packet for delivery. If the destination system receives a fragmented packet, the destination system reassembles the packet before applying AH processing to it. If AH processing is requested for an IP packet that appears to be a fragment, the packet is discarded. These safeguards prevent the overlapping fragment attack. This attack exploits the fragment assembly algorithm in order to create forged packets and force them through a firewall. You can use AH in one of two modes: transport mode or tunnel mode. Virtual private networks (VPNs) use AH in tunnel mode to create a new IP datagram, which contains the original IP datagram as its payload. In tunnel mode, the IP addresses in the outer headers do not have to be the same as the addresses in the inner headers. 
For example, two firewalls may operate an AH tunnel to authenticate all traffic between the networks that they connect together (a VPN). Tunnel mode provides total protection of the encapsulated IP datagram and allows the firewall to route datagrams that use private IP addresses. VPN technology often uses ESP and AH protocols jointly to provide a total security solution. IBM Firewall for AS/400 VPN services use both protocols. Internet Protocol (IP) forwarding You can use the proxy and SOCKS servers or network address translation (NAT) to allow users on your internal network to access the untrusted network. Although NAT provides better performance and is easier to maintain, NAT uses Internet Protocol (IP) forwarding. You can also use NAT to allow users in the untrusted network to access public servers behind your firewall. IP forwarding takes packets from the non-secure firewall port and sends them to the secure network. The firewall forwards only those packets that pass the filter rules. Virtual private networks (VPNs) also use IP forwarding. However, when you set a VPN to use authentication, the risk from IP forwarding is minimal. Use IP forwarding with caution. When you allow IP forwarding, the firewall cannot break the TCP/IP connection at the firewall. This exposes your internal network to more risk because an attacker could exploit any holes in filtering rules to access your internal network. Chapter 2. Understanding IBM Firewall for AS/400 27
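The header layouts above (Table 7 for ICMP, Table 8 for TCP, and the "appears to be a fragment" rule in the ESP and AH descriptions) are what a packet filter actually reads off the wire. The following Python is an added example, not code from this manual or from IBM Firewall for AS/400: it parses the IPv4 header, verifies its checksum, reports whether the datagram appears to be a fragment, and then extracts the source port, destination port and ACK flag from TCP, or the type, code and (for a redirect) the new router address from ICMP. The sample packets and the addresses in them (192.0.2.x, 10.2.1.5) are constructed for the demonstration.

```python
"""Parse the IPv4, TCP and ICMP header fields that packet filtering inspects.

Added example, not code from the IBM manual. Layouts follow RFC 791 (IPv4),
RFC 793 (TCP) and RFC 792 (ICMP); the sample packets are constructed here.
"""
import struct
from ipaddress import IPv4Address


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; a header that verifies sums to zero."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_tcp(segment: bytes) -> dict:
    """Source/destination port, sequence numbers and the SYN/ACK flag bits."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, window, _csum, _urg = struct.unpack("!HHIIHHHH", segment[:20])
    return {
        "src_port": sport, "dst_port": dport, "seq": seq, "ack_num": ack,
        "window": window, "header_len": (off_flags >> 12) * 4,
        "syn": bool(off_flags & 0x02),   # a session start request has SYN set
        "ack": bool(off_flags & 0x10),   # ... and ACK clear; replies carry ACK
    }


def parse_icmp(message: bytes) -> dict:
    """Type, code and checksum state; for a redirect (type 5) also the router it names."""
    if len(message) < 8:
        raise ValueError("truncated ICMP message")
    typ, code, _csum = struct.unpack("!BBH", message[:4])
    info = {"type": typ, "code": code, "checksum_ok": internet_checksum(message) == 0}
    if typ == 5:  # the 4 bytes after the checksum carry the new router address
        info["gateway"] = str(IPv4Address(message[4:8]))
    return info


def parse_ipv4(packet: bytes) -> dict:
    """IP addresses, protocol and fragment status, plus the parsed transport header."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, flags_frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    if internet_checksum(packet[:ihl]) != 0:
        raise ValueError("IPv4 header checksum mismatch")
    frag_offset = (flags_frag & 0x1FFF) * 8
    info = {
        "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)), "protocol": proto,
        # "appears to be a fragment": More Fragments set or a non-zero offset
        "is_fragment": bool(flags_frag & 0x2000) or frag_offset != 0,
    }
    payload = packet[ihl:total_len]
    # Only the first fragment (offset 0) carries the transport header.
    if frag_offset == 0 and proto == 6:
        info["tcp"] = parse_tcp(payload)
    elif frag_offset == 0 and proto == 1:
        info["icmp"] = parse_icmp(payload)
    return info


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, flags_frag: int = 0) -> bytes:
    """Constructed datagram (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, flags_frag, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_icmp_redirect(gateway: str) -> bytes:
    """Constructed ICMP redirect (type 5, code 1) with a correct checksum."""
    body = struct.pack("!BBH", 5, 1, 0) + IPv4Address(gateway).packed + bytes(8)
    return body[:2] + struct.pack("!H", internet_checksum(body)) + body[4:]


# Constructed samples: a TCP start request (SYN, no ACK) to port 25, a later
# fragment of the same flow, and an ICMP redirect naming a new router.
SYN_SEGMENT = struct.pack("!HHIIHHHH", 40000, 25, 1000, 0, 0x5002, 8192, 0, 0)
SAMPLE_SYN = build_ipv4("192.0.2.10", "10.2.1.5", 6, SYN_SEGMENT)
SAMPLE_FRAGMENT = build_ipv4("192.0.2.10", "10.2.1.5", 6, bytes(16), flags_frag=0x0001)
SAMPLE_REDIRECT = build_ipv4("192.0.2.1", "10.2.1.5", 1, build_icmp_redirect("192.0.2.1"))

if __name__ == "__main__":
    for name, pkt in ("syn", SAMPLE_SYN), ("fragment", SAMPLE_FRAGMENT), ("redirect", SAMPLE_REDIRECT):
        print(name, parse_ipv4(pkt))
```

Running the module prints the parsed fields of each sample. The SYN sample comes out with syn set and ack clear, which is the start-request pattern the ACK-flag filtering discussion above relies on; the fragment sample yields no transport fields at all, because a datagram with a non-zero offset does not carry them, which is also why ESP and AH processing refuse anything that looks like a fragment.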
Well-known ports

Each Internet application (for example, TELNET) uses Internet Protocol (IP) to send communications from a client port to a well-known port on a server. Intruders often try to sneak into a secure network by checking whether they can gain access through obscure, little-used ports. Configure your Internet applications to use only their associated well-known ports, unless you use network address translation to map ports. You can then create filter rules to block communications that deviate from this usage. The following table contains a list of well-known ports for common Internet applications. For a complete list of well-known ports, refer to RFC 1700.

Table 9. Well-known ports for common Internet applications and services

  Service                                     Port number / protocol
  Simple mail transfer protocol (SMTP)        25/TCP
  Post office protocol (POP) 3                110/TCP
  TELNET                                      23/TCP
  File transfer protocol (FTP) - data         20/TCP
  File transfer protocol (FTP) - control      21/TCP
  Domain name services (DNS)                  53/TCP or 53/UDP
  Gopher                                      70/TCP
  Hypertext transfer protocol (HTTP) / www    80/TCP
  Internet relay chat (IRC)                   6xxx/TCP
  SOCKS                                       1080/TCP

Understanding firewall filter syntax

Your firewall protection is only as good as the filter rules that the firewall uses. To ensure that your firewall controls network traffic correctly, you must understand the syntax of the filter rules that it employs. With a thorough understanding of filter syntax, you can easily make changes to your firewall filter rules as needed.

A filter rule is a set of parsed instructions that the firewall uses to interpret how it should handle traffic into and out of your secure network. When a packet arrives at the firewall, the firewall compares the information in the packet to the field values specified in each filter rule. When the firewall matches the packet to a rule, the matching process ends and the firewall applies the action of the rule to the packet. If there is no matching rule, the firewall has a built-in default rule to deny access and discard the packet. The IBM Firewall for AS/400 allows a maximum of 512 rule definitions.

The sections of a filter rule include:

Action
    The first field of a filter rule specifies what action the firewall should take if a packet matches all the conditions of the rule. The field can have one of two values: "permit" or "deny". The firewall applies each section of a filter rule to a packet until it determines whether the packet completely matches the rule. If the packet matches, the firewall applies the specified action to the packet. If the action value is permit, the firewall routes the packet. If the action value is deny, the firewall discards the packet.

From Address
    This field specifies the source address of the packet.

From Mask
    This field specifies which mask the firewall should apply to the source address of the packet. The firewall applies the mask as a bitwise "AND", which is the same way Internet Protocol (IP) subnet address masks are applied. The firewall considers the source address a match if the result of the mask application is equal to the desired address. By using the mask, you can write a single rule that applies to a range of addresses rather than a single address. This may reduce the number of rules required. For example, to match any address beginning with 10.2.1, specify an address of 10.2.1.0 and a mask of 255.255.255.0.

To Address
    This field specifies the destination address of the packet.

To Mask
    This field specifies which mask the firewall should apply to the destination address of the packet. The firewall applies the mask as a bitwise "AND", which is the same way IP subnet address masks are applied. The firewall considers the destination address a match if the result of the mask application is equal to the desired address. By using the mask, you can write a single rule that applies to a range of addresses rather than a single address. This may reduce the number of rules required. For example, to match any address beginning with 10.2.1, specify an address of 10.2.1.0 and a mask of 255.255.255.0.

Protocol
    This field specifies a protocol type for the IP packet. It may have any of the following values:
    - All - matches any protocol type.
    - ICMP - matches Internet Control Message Protocol (ICMP) requests only.
    - TCP - matches Transmission Control Protocol (TCP) packets only.
    - TCP/ACK - matches only TCP packets with a value of "on" for the Acknowledge (ACK) bit.
    - UDP - matches User Datagram Protocol (UDP) packets only.
    - ESP - matches Encapsulating Security Payload (ESP) packets only.
    - AH - matches Authentication Header (AH) packets only.
    If the protocol type for the packet matches the specified protocol in a deny rule, the firewall rejects the packet. This allows you to create filter rules that block packets of a specific protocol, such as all UDP traffic.

From Port Operation
    This field specifies the type of logical operation the firewall should apply to the source port value or Internet Control Message Protocol (ICMP) type value of the packet. If the packet protocol is ICMP, the firewall applies the logical operation to the ICMP type value of the packet. If the protocol for the packet is anything else, the firewall applies the logical operation to the source port value of the packet. The port operation field can have one of the following operands:
    - Any
    - Eq (Equal)
    - Gt (Greater than)
    - Neq (Not equal)
    - Lt (Less than)
    - Le (Less than or equal to)
    - Ge (Greater than or equal to)

From Port or ICMP Type
    This field specifies the value of the source port number or ICMP type field for the packet. The firewall applies the operand specified in the From Port Operation field to this value to determine whether the packet matches the rule.

To Port Operation
    This field specifies the type of logical operation the firewall should apply to the destination port or ICMP type value of the packet. If the packet protocol is ICMP, the firewall applies the logical operation to the ICMP type value of the packet. If the protocol for the packet is anything else, the firewall applies the logical operation to the destination port value of the packet. The port operation field can have one of these operands:
    - Any
    - Eq (Equal)
    - Gt (Greater than)
    - Neq (Not equal)
    - Lt (Less than)
    - Le (Less than or equal to)
    - Ge (Greater than or equal to)

To Port or ICMP Type
    This field specifies the value of the destination port number or ICMP type field for the packet. The firewall applies the operand specified in the To Port Operation field to this value to determine whether the packet matches the rule.

Interface (I)
    This field specifies the port on the Integrated Netfinity Server to which the rule applies. There are three possible values:
    - Secure port (includes the *INTERNAL port)
    - Non-secure port
    - Both

Routing (RT)
    This field specifies whether the packet has the firewall as a destination or source (local) or whether the destination and the source are both other hosts (route). If the firewall is neither the destination nor the source, the firewall may act as a packet router and forward the packet (route). This field can have the following possible values:
    - Local - coming to or from the firewall itself (proxy and SOCKS server).
    - Route - going through the firewall (IP forwarding).
    - Both - packet routing information is irrelevant.

Direction
    This field specifies whether the packet is going into or coming out of the interface (port) specified in the Interface field. The direction is always from the perspective of the firewall. Possible values for this field are as follows:
    - Inbound (to the firewall)
    - Outbound (from the firewall)
    - Both (direction is irrelevant)

IP Fragments
    This field specifies how the firewall should handle packet fragments. Possible values for this field are as follows:
    - Match all (y) - Fragmentation is not relevant to whether the packet matches the rule.
    - Match fragments (o) - The packet must be fragmented to match this rule.
    - Match non-fragments (n) - The packet must not be fragmented to match this rule.

Packet Logging
    This field specifies whether the firewall should write a log record for the packet if the packet matches the rule. There are two possible values: yes and no.

VPN
    This field specifies whether the filter rule will use virtual private network (VPN) encryption or decryption. There are two possible values: zero or a whole number. If the value is zero, the filter rule will not use VPN encryption or decryption on the packet. If the value is a whole number, the number corresponds to a specific VPN configuration number. This number tells the firewall what encryption, decryption, or authentication algorithms to use.

IBM Firewall for AS/400 network address translation (NAT) component

IBM Firewall for AS/400 network address translation (NAT) services allow you to hide internal network information, such as Internet Protocol (IP) addresses, from an untrusted network. For example, you can use NAT to hide the IP address of a public server on the secure side of the firewall. You can use NAT to dynamically translate secure client IP addresses to a reserved pool of registered IP addresses for communicating with the untrusted network. This is sometimes referred to as masquerading. NAT also allows you to use private IP addresses rather than publicly registered ones on your internal network.

NAT advantages

NAT is more efficient than the SOCKS or proxy servers. Because NAT uses fewer computing resources, your firewall may have better performance. NAT also supports a much wider range of services than the proxy server. Your internal clients do not have to provide support for proxy or SOCKS. Because some types of clients do not provide this support, using NAT allows you to support Internet access for a wider range of clients.

If you want to put your public server behind the firewall, NAT allows you to do so safely and easily. During Basic configuration, the firewall application automatically uses NAT to configure HTTP and HTTPS access through the firewall to the public server. The firewall can then protect your server while translating the internal address to a reserved publicly registered IP address. Outsiders only see the public address. If you use NAT port mapping, you can use the non-secure firewall IP address as the publicly registered address for your public server.

Note: If you use port mapping, the port that you map to must not already be in use. For example, you use proxy servers for HTTP access on port 80. Therefore, you must map HTTP traffic to the public server to a port other than 80.
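The following Python is an added example, not the IBM Firewall for AS/400 filter engine. It implements first-match evaluation over rules that carry the fields described under "Understanding firewall filter syntax" (address and mask matching by bitwise AND, the TCP/ACK protocol value, the port operations applied to a port or an ICMP type, the interface, routing, direction and fragment settings, and the built-in default deny), and it adds the NAT port-mapping check from the note just above, refusing a public port that the proxy server already uses. The rule set reproduces the port-25 scenario from the TCP three-way handshake discussion. The addresses (10.2.1.0/24 as the secure network, 192.0.2.25 as an outside mail server, 203.0.113.1 as the firewall's non-secure address), the Packet and Rule field names, and the PORT_MAP structure are constructed for the example; the order in which the real firewall applies filtering and NAT is not asserted here.

```python
"""Filter-rule matching and NAT port mapping modelled on the fields described above.

Added example, not the IBM Firewall for AS/400 filter engine. Addresses and
the Packet/Rule abstractions are constructed for the demonstration.
"""
import operator
from dataclasses import dataclass, replace
from ipaddress import IPv4Address

# Operands of the "From Port Operation" / "To Port Operation" fields.
OPS = {
    "any": lambda value, ref: True,
    "eq": operator.eq, "neq": operator.ne,
    "gt": operator.gt, "lt": operator.lt,
    "ge": operator.ge, "le": operator.le,
}


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    from_addr: str
    from_mask: str
    to_addr: str
    to_mask: str
    protocol: str               # all, icmp, tcp, tcp/ack, udp, esp, ah
    from_op: str = "any"        # applied to the source port, or the ICMP type
    from_port: int = 0
    to_op: str = "any"          # applied to the destination port, or the ICMP type
    to_port: int = 0
    interface: str = "both"     # secure, non-secure, both
    routing: str = "both"       # local, route, both
    direction: str = "both"     # inbound, outbound, both
    fragments: str = "y"        # y = match all, o = fragments only, n = non-fragments only
    log: bool = False


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str               # icmp, tcp, udp, esp, ah
    src_port: int = 0           # for ICMP, carries the type value instead
    dst_port: int = 0
    ack: bool = False           # TCP ACK flag
    interface: str = "non-secure"
    routing: str = "route"
    direction: str = "inbound"
    fragment: bool = False


def addr_matches(addr: str, rule_addr: str, mask: str) -> bool:
    """Bitwise AND of the packet address with the mask, compared to the rule address."""
    return (int(IPv4Address(addr)) & int(IPv4Address(mask))) == int(IPv4Address(rule_addr))


def proto_matches(rule_proto: str, pkt: Packet) -> bool:
    if rule_proto == "all":
        return True
    if rule_proto == "tcp/ack":         # TCP with the ACK bit on
        return pkt.protocol == "tcp" and pkt.ack
    return rule_proto == pkt.protocol


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    frag_ok = rule.fragments == "y" or (rule.fragments == "o") == pkt.fragment
    return (addr_matches(pkt.src, rule.from_addr, rule.from_mask)
            and addr_matches(pkt.dst, rule.to_addr, rule.to_mask)
            and proto_matches(rule.protocol, pkt)
            and OPS[rule.from_op](pkt.src_port, rule.from_port)
            and OPS[rule.to_op](pkt.dst_port, rule.to_port)
            and rule.interface in ("both", pkt.interface)
            and rule.routing in ("both", pkt.routing)
            and rule.direction in ("both", pkt.direction)
            and frag_ok)


def filter_packet(rules, pkt: Packet):
    """First matching rule wins; with no match the built-in default denies the packet."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action, rule.log
    return "deny", False


ANY = "0.0.0.0"   # address 0.0.0.0 with mask 0.0.0.0 matches every address
# Constructed rule set for the port-25 example: secure network 10.2.1.0/24.
MAIL_RULES = [
    # internal users may start SMTP sessions with any outside server
    Rule("permit", "10.2.1.0", "255.255.255.0", ANY, ANY, "tcp", to_op="eq", to_port=25,
         interface="non-secure", routing="route", direction="outbound"),
    # replies from port 25 come back in only when the ACK bit is set,
    # so a start request arriving from port 25 falls through to default deny
    Rule("permit", ANY, ANY, "10.2.1.0", "255.255.255.0", "tcp/ack", from_op="eq", from_port=25,
         interface="non-secure", routing="route", direction="inbound"),
    # log and discard ICMP redirects (type 5) arriving from the untrusted side
    Rule("deny", ANY, ANY, ANY, ANY, "icmp", from_op="eq", from_port=5,
         interface="non-secure", direction="inbound", log=True),
]

PROXY_PORTS = {80}   # the proxy server already serves HTTP on the non-secure address


def port_is_free(port_map: dict, public_port: int, in_use=PROXY_PORTS) -> bool:
    return public_port not in in_use and public_port not in port_map


def add_port_mapping(port_map: dict, public_port: int, target: tuple) -> dict:
    """Map non-secure-address:public_port to (internal address, port); refuse a port in use."""
    if not port_is_free(port_map, public_port):
        raise ValueError(f"port {public_port} is already in use on the firewall")
    port_map[public_port] = target
    return port_map


def nat_inbound(pkt: Packet, port_map: dict, public_addr: str) -> Packet:
    """Rewrite a packet aimed at the firewall's public address and a mapped port."""
    if pkt.dst == public_addr and pkt.dst_port in port_map:
        addr, port = port_map[pkt.dst_port]
        return replace(pkt, dst=addr, dst_port=port)
    return pkt
```

With these rules, an outbound SYN to port 25 is permitted, the ACK-carrying reply is permitted, a SYN arriving from port 25 reaches no rule and is denied by default, and an ICMP redirect is denied with logging; mapping public port 8080 to the hidden server succeeds while port 80 is refused because the proxy already uses it.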
NAT disadvantages

When you use NAT to provide local users with access to services on the Internet, you must have a pool of public addresses to use for translation purposes. When you use SOCKS and proxy servers, however, you need only one public address for the firewall non-secure port. NAT is also not as adept as either the SOCKS or proxy servers at detecting attacks. NAT does not provide logging services; the firewall logs only traffic that matches filter rules that have a log field value of yes. Additionally, NAT requires that you permit IP forwarding, which opens a hole in your firewall. Using IP forwarding can increase your internal network's security risk.

IBM Firewall for AS/400 proxy server component

The IBM Firewall for AS/400 proxy server is a TCP/IP application that re-sends requests and responses between clients on your secure internal network and servers on the untrusted network. The proxy server breaks the TCP/IP connection to hide your internal network information (such as internal Internet Protocol (IP) addresses). Hosts outside your network perceive the proxy server as the source of the communication (see figure).

Figure 4. Proxy server provides caching and logging functions

Typically, you use proxy servers to provide your internal users with access to an untrusted network. Each TCP/IP application requires its own proxy server. The IBM Firewall for AS/400 provides the following proxy servers:
- File transfer protocol (FTP), either passive or active
- Hypertext Transfer Protocol (HTTP)
- Hypertext Transfer Protocol + Secure Sockets Layer (HTTPS)
- Gopher
- Wide Area Information System (WAIS)
- TELNET (not through a Web browser)

These proxy servers are available only through a Web browser. Consequently, your clients must have Web browsers that support the applications that you want clients to access through a proxy server. When clients cannot use a browser to access an application, you must use a SOCKS server or network address translation (NAT) instead.

You can use proxy servers in conjunction with packet filtering to provide your users with selective access to services on the untrusted network. Users on the untrusted network do not use the proxy server to access local services on the secure network, such as a Web server. During Basic configuration, the firewall application creates filter rules to block access to the proxy server from the untrusted network. These filter rules protect the proxy (and your internal network) from attack. The proxy protects the firewall host because the user does not have to log in to the firewall directly to access the requested service. Proxy servers can also provide other services such as caching and logging.

To understand how the IBM Firewall for AS/400 proxy server component works, review these topics:
- Proxy logging services
- Proxy caching services
- Proxy server advantages
- Proxy server disadvantages
- IBM Firewall for AS/400 TELNET proxy server

Proxy logging services

Proxy servers can provide logging services, which allow you to obtain information about your network traffic. Proxies can log the uniform resource locators (URLs) that users access. By logging the URLs, the network administrator can see which users access which resources. You can use this information to generate utilization reports. The proxy server writes one log record each time a connection is established, not one entry per packet. The proxy server writes log records when you set the logging level in the firewall to informational (i).

Proxy caching services

Proxy servers can provide caching services. You can use the firewall advanced proxy settings option to specify that the proxy server cache pages. You can specify the cache and buffer sizes, as well as other parameters for the caching function. The proxy server caching option stores Web pages as users access them. Therefore, users may experience improved response time when they access Web pages that users across the internal network have accessed recently. However, setting the proxy to perform extensive caching may result in slower performance if caching uses too many firewall resources. Also, older cached pages may not be the most current version that a Web site provides.

Proxy server advantages

When you use proxy servers to control access to the untrusted network, you gain the following advantages:
- The proxy server breaks the TCP/IP connection to hide your internal network information (such as internal host names and Internet Protocol (IP) addresses).
- You can set the proxy server to require user authentication before it accepts and forwards the user requests for services (TELNET only).
- The proxy server provides advanced logging capabilities so that you can record access information. Proxy server logging capabilities are superior to those of the SOCKS server because the proxy server provides the URL that the user accesses.
- Proxy servers help you control which services users can access. If you do not create a proxy for the service, users cannot access the service, because each service must have its own proxy. (This is true as long as you do not allow access to the service through a SOCKS server or network address translation.)

Proxy server disadvantages

When you use the proxy server to provide access to the untrusted network, be aware of the following disadvantages:
- A unique server application is required for each service that you want a client to access. You must use either a SOCKS server or network address translation (NAT) to access a service for which there is no proxy server, for example, if you want to use Client Access/400 across the Internet.
- Proxy server performance is slower than either SOCKS or NAT.

IBM Firewall for AS/400 TELNET proxy server

The IBM Firewall for AS/400 TELNET proxy server provides your internal users with remote terminal access to hosts outside your network. Like any proxy server, the TELNET proxy breaks the TCP/IP connection at the firewall to hide your internal names and addresses from outsiders. Using advanced proxy settings, you can set the TELNET proxy to require user authentication before it accepts and forwards the user's requests for services. The TELNET proxy limits users to a restricted shell environment where only certain services are permitted. The TELNET proxy server supports VT-100 type connections only. For other TELNET terminal types, use a SOCKS server.

TELNET proxy server disadvantages

Using the TELNET proxy is a two-step process for users. Consequently, the proxy server is not transparent to the client user.

IBM Firewall for AS/400 SOCKS server component

The IBM Firewall for AS/400 SOCKS server is a TCP/IP application that re-sends requests and responses between clients on your secure internal network and servers on the untrusted network. The SOCKS server breaks the TCP/IP connection to hide your internal network information (such as internal Internet Protocol (IP) addresses). Hosts outside your network perceive the SOCKS server as the source of the communication. See Figure 5.
    • Figure 5. SOCKS server traffic flow A SOCKS server is a kind of multi-talented proxy server. You can configure the SOCKS server to control which IP addresses you permit to use it and which application services you allow through it. You can use the SOCKS daemon configuration options to configure the SOCKS server to require that the firewall authenticate users. The firewall graphical user interface makes it easy for you to set up the SOCKS server to handle these services: v File Transfer protocol (FTP) (passive or active) with a Web browser v FTP without a Web browser v Hypertext transfer Protocol (HTTP) v Hypertext Transfer Protocol + Secure Sockets Layer (HTTPS) v Gopher v Internet Relay Chat (IRC) v TELNET (transparently) v Client Access v Lightweight Directory Application Protocol (LDAP) v Secure LDAP v Post Office Protocol (POP) 3 mail server access from the Internet v Lotus Notes replication from the Internet v Distributed relational database application (DRDA) To use a SOCKS server, the client must support the SOCKS protocol. Most popular Web browsers support SOCKS. Some operating systems (such as IBM OS/400) support SOCKS in the TCP/IP protocol stack so that all client applications can use a SOCKS server. You can also obtain add-on packages that provide SOCKS support for other types of clients. To understand how the IBM Firewall for AS/400 SOCKS server component works, review these topics: Chapter 2. Understanding IBM Firewall for AS/400 35
    • v SOCKS logging services v SOCKS server advantages v SOCKS server disadvantages SOCKS SOCKS is a client/server architecture that transports TCP/IP traffic through a secure gateway. A single SOCKS server can handle several TCP/IP applications, such as FTP and TELNET. To use SOCKS, your Web browser or TCP/IP stack must support SOCKS. Because SOCKS operates at a lower level in the TCP/IP stack, it tends to be faster than a proxy server. However, SOCKS does not provide caching. Consequently, a proxy server, which provides caching, may offer faster performance if your users often access the same URLs. Two standards for SOCKS servers are currently accepted: SOCKS 4 and SOCKS 5. SOCKS 5 requires client authentication to the server, which provides additional security. To use the SOCKS 5 authentication feature, you must set a SOCKS daemon rule in the firewall for each particular SOCKS application to authenticate users. The firewall and the firewall home AS/400 use the same set of user IDs and passwords. Additionally, each client must have SOCKS 5 support. You can set up SOCKS support on the firewall for the desired TCP/IP applications when you perform firewall Basic configuration. Although you should add SOCKS support during Basic configuration, you can add it later by choosing SOCKS from the firewall Configuration menu. Most PC operating systems do not provide native SOCKS support. OS/2 Merlin is an exception; it provides SOCKS in the TCP/IP stack. If you want to use PC clients other than OS/2, you must add SOCKS support. Most Web browsers provide SOCKS support. Consequently, if you will not use Internet services that your browser cannot provide, you probably do not need to add SOCKS support to the PC client. If you need to add SOCKS support, you can find several products on the Web. Most of these products work for Microsoft Windows 95; some work for Windows 3.1 and Windows NT. 
These products are usually Windows dynamic link libraries (DLLs) that extend the functionality of the Winsock DLL. They allow SOCKS 4 and SOCKS 5 applications such as FTP and TELNET to work without a browser.

Note: The PING command uses Internet Control Message Protocol (ICMP) and does not work through a SOCKS server, because SOCKS relays TCP (and, in SOCKS 5, UDP) traffic, not ICMP.

SOCKS logging services

SOCKS servers can provide limited logging services so that you can obtain information about your network traffic. The SOCKS server logs the fact that a connection was established or ended between two hosts. The log record contains the source and destination address and port. The SOCKS server does not log URLs. If you configure the SOCKS server to require a user ID, the server also logs user ID information. When the connection ends, the log records the number of bytes that were sent. You can use the log information to generate utilization reports.

The SOCKS server writes one log record each time the user establishes or ends a connection, not one entry per packet. The SOCKS server writes log records when you set the logging level in the firewall to informational (i).

SOCKS server advantages

When you use a SOCKS server to control access to the untrusted network, you gain the following advantages:

• The SOCKS server breaks the TCP/IP connection, which hides your internal network information (such as internal host names and Internet Protocol (IP) addresses).
• You can configure the SOCKS server to require user authentication before it accepts and forwards user requests for services. This feature requires a client that supports SOCKS 5, the first version of SOCKS that supports user authentication.
• The SOCKS server provides logging capabilities so that you can record utilization information.
• The SOCKS server helps you control which services users can access. If you do not specify a permission for a service through the SOCKS server, users cannot access that service (as long as you do not also allow the service through a proxy server or network address translation).

SOCKS server disadvantages

When you use a SOCKS server to control access to the untrusted network, be aware of the following disadvantages:

• Clients that do not support SOCKS cannot use the SOCKS server to access services on the untrusted network.
• The SOCKS server does not provide a caching option.

IBM Firewall for AS/400 mail relay service

The IBM Firewall for AS/400 uses a mail relay service to exchange mail with other mail servers on the Internet through the Simple Mail Transfer Protocol (SMTP). The firewall delivers all incoming mail to an internal mail server (such as an AS/400 Post Office Protocol (POP) 3 server), which stores the mail for user retrieval. See Figure 6.

Figure 6. Firewall mail relay traffic flow

The firewall mail server works with the firewall domain name server to relay mail between the internal mail server and Internet mail servers. The mail relay server uses SMTP. Using the firewall mail server isolates your internal secure mail server so that your internal network is not visible to the outside world. When mail flows through the firewall, the firewall rewrites e-mail addresses so that all internal users have a single mail domain. This domain is your company's public domain (for example, mycompany.com).

Chapter 2. Understanding IBM Firewall for AS/400 37
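The SOCKS 5 exchange that the SOCKS server section above describes (method negotiation, the SOCKS 5 user ID/password step, and a CONNECT answered with the firewall's own address), run end to end in memory. This is an added example, not IBM's SOCKS server code: Socks5Server is a constructed stand-in, and the user names, host names, addresses and allowed ports are assumptions made for the illustration.

```python
"""SOCKS 5 handshake (RFC 1928) with username/password sub-negotiation
(RFC 1929), run in memory. Added example: this is not IBM's SOCKS server;
Socks5Server is a constructed stand-in, and every address, user and host
below is made up for illustration."""
import socket
import struct

VER = 0x05
NO_AUTH, USERPASS, NO_ACCEPTABLE = 0x00, 0x02, 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x03
REP_OK, REP_NOT_ALLOWED = 0x00, 0x02


def build_greeting(methods):
    """Client -> server: VER, NMETHODS, METHODS. A SOCKS 4 style client
    can only offer NO_AUTH; only SOCKS 5 clients can offer USERPASS."""
    return bytes([VER, len(methods)]) + bytes(methods)


def build_userpass(user, password):
    """RFC 1929 sub-negotiation: VER=1, ULEN, UNAME, PLEN, PASSWD."""
    u, p = user.encode(), password.encode()
    return bytes([0x01, len(u)]) + u + bytes([len(p)]) + p


def build_connect(host, port):
    """CONNECT request. A host name goes out as ATYP=3, so the internal
    client never needs to resolve Internet names itself."""
    try:
        addr = bytes([ATYP_IPV4]) + socket.inet_aton(host)
    except OSError:
        h = host.encode()
        addr = bytes([ATYP_DOMAIN, len(h)]) + h
    return bytes([VER, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


class Socks5Server:
    """Server side of the exchange (constructed for this example)."""

    def __init__(self, public_ip, users, allowed_ports):
        self.public_ip = public_ip          # address on the non-secure side
        self.users = users                  # user ID -> password
        self.allowed_ports = allowed_ports  # the services users may reach
        self.log = []                       # one record per connection, not per packet

    def select_method(self, greeting):
        ver, n = greeting[0], greeting[1]
        offered = greeting[2:2 + n]
        if ver != VER or USERPASS not in offered:
            return bytes([VER, NO_ACCEPTABLE])  # refuse clients that cannot authenticate
        return bytes([VER, USERPASS])

    def check_userpass(self, msg):
        ulen = msg[1]
        user = msg[2:2 + ulen].decode()
        plen = msg[2 + ulen]
        password = msg[3 + ulen:3 + ulen + plen].decode()
        ok = self.users.get(user) == password
        return (user if ok else None), bytes([0x01, 0x00 if ok else 0x01])

    def handle_connect(self, msg, user, client_ip):
        _ver, cmd, _rsv, atyp = msg[:4]
        if atyp == ATYP_IPV4:
            host, rest = socket.inet_ntoa(msg[4:8]), msg[8:]
        else:
            n = msg[4]
            host, rest = msg[5:5 + n].decode(), msg[5 + n:]
        port = struct.unpack("!H", rest[:2])[0]
        allowed = cmd == CMD_CONNECT and port in self.allowed_ports
        rep = REP_OK if allowed else REP_NOT_ALLOWED
        if allowed:
            # The record a utilization report would be built from.
            self.log.append({"user": user, "src": client_ip, "dst": (host, port)})
        # BND.ADDR is the firewall's own public address: the remote host
        # sees a connection from the firewall, never from the client.
        return (bytes([VER, rep, 0x00, ATYP_IPV4]) +
                socket.inet_aton(self.public_ip) + struct.pack("!H", 0))


def socks5_session(server, client_ip, methods, user, password, host, port):
    """Drive the whole exchange and report where it stopped."""
    selected = server.select_method(build_greeting(methods))
    if selected[1] == NO_ACCEPTABLE:
        return {"stage": "method", "ok": False}
    who, auth_reply = server.check_userpass(build_userpass(user, password))
    if auth_reply[1] != 0x00:
        return {"stage": "auth", "ok": False}
    reply = server.handle_connect(build_connect(host, port), who, client_ip)
    return {"stage": "connect", "ok": reply[1] == REP_OK,
            "bound_to": socket.inet_ntoa(reply[4:8])}
```

A client that offers only the no-authentication method (the SOCKS 4 situation) is refused at the first step, a bad password stops at the second, and a CONNECT to a port that is not in the allowed set is answered with a "connection not allowed" reply and never logged, which is the access-control behaviour the advantages list describes.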
Clients send mail to the secure mail server and retrieve mail from it. The secure mail server interacts with the mail relay on the firewall to route mail between the secure network and the Internet. The mail relay on the firewall uses the firewall name server to resolve the domain names in mail addresses to numeric IP addresses. The mail relay uses the internal name server to retrieve the mail routing information it needs to deliver incoming mail to the secure mail server. Without an internal name server, you must configure the firewall mail relay to retrieve mail routing information about the secure mail server from its own DNS server. This ensures that incoming mail is delivered without errors and that your internal network addresses remain invisible to the outside world.

IBM Firewall for AS/400 split domain name services (DNS) component

The firewall protects internal information by using two domain name system (DNS) servers. One domain name server is on the firewall; you must provide the other name server on the internal network. The firewall name server contains only the names that you want visible to the untrusted network, such as an external Web server. The firewall name server is responsible for resolving external host names in response to requests from the internal name server. You can also choose to use the Internet service provider (ISP) DNS server for resolving external names, if you prefer.

The internal name server that you provide contains only the names of hosts on the internal network. This internal name server is responsible for forwarding requests from the internal secure network that it cannot resolve to the firewall name server. The firewall DNS server does not provide name serving functions for the internal network; however, you can use the DNS server that AS/400 provides for that role.
To understand how the IBM Firewall for AS/400 domain name services (DNS) component works, review these topics:

• Domain name services (DNS)
• Domain name servers
• How domain name services (DNS) work

Domain name services (DNS)

Host locations on the Internet or a TCP/IP network are specified by numeric Internet Protocol (IP) addresses. Most users have difficulty memorizing the hundreds or thousands of addresses that they need to connect to other hosts. As a result, most people use symbolic names to distinguish hosts from one another. Computers, however, need the numeric IP address in order to find the requested device and communicate with it. Consequently, there has to be a way in which host names are translated into numeric IP addresses. Domain name services (DNS) provides this translation function.

Domain name servers

A domain name services (DNS) server manages the TCP/IP address information for a portion of a network. For a small network, the server may manage the entire domain. The set of names that a server manages is called a zone. A single name server can manage more than one zone. To ensure continuous service, each zone usually has a backup name server (called a secondary name server) designated for it. The secondary server holds a copy of the primary server's records for the zone. This ensures that, if the primary server is unavailable, the secondary server can still resolve names in that zone.

DNS is a hierarchical system of zones in which each name server can communicate with the one above it in the hierarchy. Each name server can also communicate with the one below it (if one exists). The name server for a given zone is responsible for having the address information for each host in that zone. Each name server also has the address of at least one other name server. When the name server receives a translation request it cannot answer, it can take one of two actions. The server can either send the request to another name server, or it can send a response that specifies an alternate name server to handle the request.

How domain name services (DNS) work

The domain name system (DNS) is critical to making the Internet work. DNS provides information about the various hosts that are connected to the Internet. DNS is both distributed and hierarchical. This means that no one server has all the answers, but each server knows where to get the answers it does not know on its own. At the top of this system are the root name servers. These servers know where to find all the authoritative top-level domain name servers. In turn, the top-level name servers know where to find the next level of authoritative name servers, and so forth. Thus, the domain name database is distributed across the Internet. This distribution allows easier manageability and faster response times than would occur if each host had to maintain a comprehensive database for all domain names and addresses on the Internet.

When a client program requests access to a particular host by domain name, the program sends a request to a designated primary name server. This is usually a name server on the local network. If this name server is unable to provide an Internet Protocol (IP) address for the requested domain name, the server can do one of two things. It can query another name server for the information. Or, it can return the name and address of the next logical name server for the client program to query. This process continues until a name server can provide the translation or until it returns an error message that the IP address is unknown.

DNS operates in much the same way a phone book does. You know the name of the person you want to call, but you do not know the phone number. To resolve this problem, you look it up in the phone book. Similarly, when you use a client program, such as FTP or a Web browser, you may know the name of the host you want to "call," but not the numeric IP address. The client program must also resolve this problem, which it does by using a function called a resolver. The resolver takes the host and domain name you specified and queries a domain name server (the resolver's "phone book") for the corresponding numeric IP address it needs to make the call. If the name server does not have the needed address, it knows the name of another name server that may know the address.

Here is an example of how DNS works. A user wants to FTP to the IBM PC Company FTP host. The user knows the host name is ftp.pcco.ibm.com and provides this name to the FTP client. The client then queries the local name server for the IP address. The local name server is in a different domain from the one that the client requested. Therefore, the name server does not have the necessary information. The name server does, however, have the names and addresses of the root name servers, which in turn know where the .com top-level domain name servers are. What happens next depends on whether the client request is recursive or iterative.

If the request is recursive, the local name server queries a root server on behalf of the FTP client. The root name server does not have a specific entry for the requested host. It does, however, know the name and address of the .com name server and sends this information back to the local name server. The local name server sends a new query to the .com name server, which refers it to the next level domain (ibm.com). The ibm.com name server also does not have the needed address, but it knows the name and address for the pcco.ibm.com name server and returns that information. The local name server sends a new query to the pcco.ibm.com name server, which can return the needed address for the host (ftp) in its domain. The local name server passes this information back to the FTP client program, which uses the address to contact the requested host.

If the FTP client request is iterative, the local name server sends information about the root name server back to the FTP client. The FTP client then makes a new query to the root name server and so forth, following each referral itself until it receives the necessary IP address.

As you can see, without DNS it is difficult to communicate with hosts outside of your local network. Without a DNS server, you need an extensive (and accurate) memory for numeric IP addresses. Otherwise, you must maintain a huge (and possibly incomplete) set of host tables on each client.

IBM Firewall for AS/400 audit and event reporting services

IBM Firewall for AS/400 provides extensive logging features, as well as real-time monitoring. To understand how the IBM Firewall for AS/400 audit and event reporting works, review these topics:

• Firewall logging services
• Firewall monitoring services

Firewall logging services

You can specify that the firewall log information about the packets it processes. You can then use the log records to analyze traffic flowing into and out of your network. You can also analyze traffic that the firewall does not allow into your network. The firewall maintains entries in the system log files whenever users attempt to access hosts through the various firewall servers. Rule violations and user authentication may create log entries.
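Both the split DNS arrangement (internal name server forwarding to the firewall name server) and the recursive and iterative walks in the ftp.pcco.ibm.com example above, as one added example that is not IBM code: the name servers, zones, host names and addresses are constructed for illustration, and the address 192.0.2.44 for ftp.pcco.ibm.com is an assumption, not the real one.

```python
"""Name resolution over a constructed hierarchy of name servers, with the
internal / firewall split described above. Added example, not IBM code:
every server, zone, host name and address here is made up (RFC 5737 and
RFC 1918 ranges) to show the mechanism."""


class NameServer:
    def __init__(self, name, records=None, delegations=None, forwarder=None, root=None):
        self.name = name
        self.records = dict(records or {})          # authoritative FQDN -> address
        self.delegations = dict(delegations or {})  # child zone -> its name server
        self.forwarder = forwarder                  # where unknown names are sent
        self.root = root                            # a root server, if this server walks the tree
        self.queries_seen = []                      # what this server was asked

    def lookup(self, qname):
        """Answer from local data only: ('answer', ip), ('referral', server)
        or ('nxdomain', None). This never contacts another server."""
        self.queries_seen.append(qname)
        if qname in self.records:
            return "answer", self.records[qname]
        best = None
        for zone, child in self.delegations.items():
            if qname == zone or qname.endswith("." + zone):
                if best is None or len(zone) > len(best[0]):
                    best = (zone, child)
        return ("referral", best[1]) if best else ("nxdomain", None)


def resolve_iterative(start, qname, limit=10):
    """Iterative: the asker follows each referral itself, starting at `start`."""
    server, path = start, []
    for _ in range(limit):
        path.append(server.name)
        kind, value = server.lookup(qname)
        if kind == "answer":
            return value, path
        if kind == "nxdomain":
            return None, path
        server = value
    return None, path


def resolve_recursive(local, qname):
    """Recursive: the local server does the work on the client's behalf. It
    tries its own zones, then its forwarder (the split-DNS path), then walks
    down from a root server."""
    kind, value = local.lookup(qname)
    path = [local.name]
    if kind == "answer":
        return value, path
    if kind == "referral":
        ip, rest = resolve_iterative(value, qname)
    elif local.forwarder is not None:
        ip, rest = resolve_recursive(local.forwarder, qname)
    elif local.root is not None:
        ip, rest = resolve_iterative(local.root, qname)
    else:
        return None, path
    return ip, path + rest


def build_topology():
    """The public tree plus the two firewall-side servers (all constructed)."""
    pcco = NameServer("pcco.ibm.com", records={"ftp.pcco.ibm.com": "192.0.2.44"})
    ibm = NameServer("ibm.com", delegations={"pcco.ibm.com": pcco})
    com = NameServer("com", delegations={"ibm.com": ibm})
    root = NameServer("root", delegations={"com": com})
    # Firewall name server: only the names meant to be visible from the Internet.
    firewall = NameServer("firewall-dns", root=root,
                          records={"www.mycompany.com": "203.0.113.80",
                                   "mail.mycompany.com": "203.0.113.25"})
    # Internal name server: only internal hosts; everything else is forwarded.
    internal = NameServer("internal-dns", forwarder=firewall,
                          records={"hr.secure.mycompany.com": "10.1.1.5",
                                   "mailhub.secure.mycompany.com": "10.1.1.25"})
    return {"root": root, "firewall": firewall, "internal": internal}
```

The path returned for ftp.pcco.ibm.com shows the full chain (internal server, firewall server, root, .com, ibm.com, pcco.ibm.com), while a query for an internal host is answered by the internal server alone and never reaches the firewall server, which holds no internal names and answers NXDOMAIN if asked for one from the Internet side. To use the ISP's name server instead of walking from the root, you would give the firewall server a forwarder rather than a root.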
For example, you can have the firewall log:

• Packets that the firewall denies
• The uniform resource locators (URLs) that users access
• Occurrences of TELNET sessions that users establish

You can also log a variety of other activities. The firewall writes log records for proxy and SOCKS servers when you set the logging level in the firewall to informational (i). You can view log files from the firewall Web browser facility or from AS/400. The firewall application also supports various logging levels. For instance, you can set the firewall to log exception conditions only or to log all traffic through the firewall.

The system archives the log file to the AS/400 Integrated File System for safekeeping. You can convert these log files into more specific database files based on the types of messages in the logs. You can then query these database records to display the log information or to create reports.

Firewall monitoring services

The AS/400 system monitors firewall functions that run on the Integrated Netfinity Server. By default, the AS/400 system operator (through the QSYSOPR message queue) receives notifications when important firewall events occur, such as attempted intrusions. The system sends all high severity error messages (Type = Alert) immediately. The system sends lower severity messages (Type = Error, Warning, Information, or Debug) when they reach a user-defined threshold.

If the system detects an error condition that may be a result of tampering, all firewall functions end immediately. For example, if the logging function ends, it may indicate that someone is trying to bypass the firewall. All firewall functions end to ensure that no one can communicate with your internal secure network until you investigate the situation; the firewall fails closed rather than open.

IBM Firewall for AS/400 virtual private network (VPN) component

IBM Firewall for AS/400 provides virtual private network (VPN) technologies. When you use VPNs, you can create encrypted connections between the firewall and several other IBM firewall products. You can think of a VPN as an extension of your private network across a more public network, such as the Internet. Using a VPN creates a secure private connection, essentially through a private "tunnel."

IBM Firewall for AS/400 VPN technology is compatible with IBM Firewall for AIX 3.1, IBM eNetwork Firewall V3.2, and IBM Secure Network Gateway for AIX V2.2. You can import or export VPN settings to files in the integrated file system. You and your VPN partner can then use these files to coordinate and set up the configuration for both ends of the VPN.

IBM Firewall for AS/400 VPN technology uses two Internet Protocol (IP) security architecture (IPSec) protocols to protect traffic that flows through the VPN tunnel. The Encapsulating Security Payload (ESP) protocol provides an integrity check, authentication, and encryption for IP datagrams. The IBM Firewall for AS/400 VPN component uses all three ESP services to protect your VPN traffic. This ensures that an intruder cannot forge packets in order to mount cryptanalytic attacks.
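The tunnel-mode encapsulation this VPN section describes, shown for the Authentication Header (AH) with HMAC-SHA1-96 (RFC 2402/2404) and built by hand from the standard library. This is an added example, not IBM's VPN implementation: the shared key, the firewall addresses, the inner datagram and the SPI are constructed, and the mutable-field handling is the RFC 2402 rule, not a description of the product's code.

```python
"""IPsec AH in tunnel mode, built by hand with the standard library.
Added example, not IBM's VPN implementation: the key, addresses and the
inner datagram are constructed, and HMAC-SHA1-96 is used as the
integrity algorithm (RFC 2404)."""
import hashlib
import hmac
import socket
import struct

PROTO_AH = 51
ICV_LEN = 12   # HMAC-SHA1-96 truncates the 20-byte digest to 96 bits


def ip_checksum(data):
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64, tos=0, ident=0):
    """Build a 20-byte IPv4 header with a correct header checksum."""
    total = 20 + payload_len
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, total, ident, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def immutable_view(outer):
    """Zero the fields that change legitimately in transit (TOS, flags and
    fragment offset, TTL, header checksum) before they enter the ICV."""
    return (outer[:1] + b"\x00" + outer[2:6] + b"\x00\x00" + b"\x00" +
            outer[9:10] + b"\x00\x00" + outer[12:])


def ah_encapsulate(key, spi, seq, inner_datagram, fw_src, fw_dst):
    """Tunnel mode: the whole inner datagram becomes the payload of a new
    datagram whose outer header carries only the two firewall addresses."""
    ah_len = 12 + ICV_LEN
    outer = ipv4_header(fw_src, fw_dst, PROTO_AH, ah_len + len(inner_datagram))
    # Next Header = 4 (IP-in-IP), Payload Len = AH length in 32-bit words minus 2
    ah_fixed = struct.pack("!BBHII", 4, ah_len // 4 - 2, 0, spi, seq)
    to_auth = immutable_view(outer) + ah_fixed + b"\x00" * ICV_LEN + inner_datagram
    icv = hmac.new(key, to_auth, hashlib.sha1).digest()[:ICV_LEN]
    return outer + ah_fixed + icv + inner_datagram


def ah_verify(key, packet):
    """Recompute the ICV at the far firewall. Returns the inner datagram,
    or None if any authenticated byte was altered."""
    outer, ah_fixed = packet[:20], packet[20:32]
    icv, inner = packet[32:32 + ICV_LEN], packet[32 + ICV_LEN:]
    to_auth = immutable_view(outer) + ah_fixed + b"\x00" * ICV_LEN + inner
    expected = hmac.new(key, to_auth, hashlib.sha1).digest()[:ICV_LEN]
    return inner if hmac.compare_digest(icv, expected) else None


def ip_addresses(datagram):
    """Source and destination of an IPv4 datagram: for the outer packet this
    is all a sniffer on the Internet gets to see."""
    return socket.inet_ntoa(datagram[12:16]), socket.inet_ntoa(datagram[16:20])


def demo():
    """Encapsulate a private-to-private datagram between two firewalls and
    check what a sniffer sees and what tampering does (all values constructed)."""
    key = b"constructed-32-byte-shared-key!!"
    inner = ipv4_header("10.1.1.5", "10.2.2.9", 6, 8, ttl=63) + b"payload!"
    pkt = ah_encapsulate(key, spi=0x1000, seq=1, inner_datagram=inner,
                         fw_src="203.0.113.1", fw_dst="198.51.100.1")
    tampered = pkt[:-4] + b"tamp"                  # inner payload altered in flight
    hop = pkt[:8] + bytes([pkt[8] - 1]) + pkt[9:]  # a router decremented the outer TTL
    return {
        "outer": ip_addresses(pkt),
        "inner": ip_addresses(inner),
        "verified": ah_verify(key, pkt) == inner,
        "tampered_verified": ah_verify(key, tampered) is not None,
        "ttl_change_ok": ah_verify(key, hop) == inner,
    }
```

The outer header carries only the two firewall addresses while the private 10.x addresses travel inside the authenticated payload; a one-byte change to that payload fails verification, but a router decrementing the outer TTL does not, because TTL is one of the fields AH deliberately leaves out of the integrity check. ESP adds encryption on top of this, which is why the page's VPN uses both.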
In tunnel mode, the IP addresses in the outer headers do not have to be the same as the addresses in the inner headers. Consequently, the outer IP header contains only the public addresses of the firewalls on each end of the connection. Your internal network information is hidden from outsiders who may attempt to sniff the information from the packet header.

IBM Firewall for AS/400 VPN technology also uses the Authentication Header (AH) to provide integrity and authentication for IP packets. AH authenticates as much of the IP datagram as possible; only the header fields that legitimately change in transit (such as the time-to-live and the header checksum) are excluded. VPNs use AH in tunnel mode to create a new IP datagram, which contains the original IP datagram as its payload. In tunnel mode, the IP addresses in the outer headers do not have to be the same as the addresses in the inner headers. For example, two firewalls may operate an AH tunnel to authenticate all traffic between the networks that they connect together (a VPN). Tunnel mode provides total protection of the encapsulated IP datagram and allows the firewall to route datagrams that use private IP addresses.

Note: If you want to use your firewall to create a VPN, you must also install the IBM Cryptographic Access Provider (AC1, AC2, or AC3).

Firewall configurations

A firewall consists of one or more software elements that run on one or more hosts. The hosts may be general purpose computer systems or specialized systems such as routers. You can combine firewall elements to create many different firewall configurations. The elements of IBM Firewall for AS/400 provide two common firewall configuration types: the dual-homed gateway and the screened host firewall.

Dual-homed gateway firewall

The dual-homed gateway is one of the most popular firewall configurations because it is both the most secure and the most versatile. Consequently, the dual-homed gateway is your best firewall configuration choice. The dual-homed gateway has one physical connection to the internal secure network and one to the non-secure network (see figure). A separate local area network (LAN) adapter is responsible for communications between the firewall home AS/400 system and the internal secure network.

Figure 7. Dual-Homed Gateway Firewall

Clients on the internal secure network must use either network address translation (NAT) or a SOCKS or proxy server to access services on the Internet. Internet hosts or clients see only the address of the firewall when interacting with hosts or clients on the internal secure network. Because the firewall provides split domain name services, the names of internal hosts are not visible on the Internet, yet internal users have access to all systems, including the Web server on the non-secure network.

If the router that connects the internal network to the Internet has packet filtering features, you can configure it to reject undesirable inbound connections. This ensures that the router allows only those packets that you specify to access either the Web server on the perimeter network or the firewall. The firewall packet filters provide additional limits on what traffic can reach the internal secure network.

You do not need to assign public IP addresses to the internal secure network because the network does not directly participate in the Internet. You increase the security of your internal network when you use the IP addresses reserved for private Internets because most routers automatically reject them. Refer to the topic IP addresses reserved for private Internet (intranet) use for a complete list of these addresses. Any filter rule errors that you make on the router or firewall do not expose your internal systems to direct attack from the Internet. The physical separation of the two networks protects the AS/400 system and its clients.

There are no significant disadvantages for this configuration. However, if you put your public server behind the firewall, you must allow Internet Protocol (IP) forwarding so that Internet users can access it. Also, if you want to access production data behind the firewall for a public server outside the firewall, you must either open a hole in the firewall or use some form of backup media to physically transfer the data to the server.

Screened host firewall

Although the screened host firewall configuration is similar to the dual-homed gateway firewall, the separation of the internal secure network from the perimeter network is logical rather than physical. This configuration relies only on the router packet filter rules to allow traffic between the Internet, firewall, and public Web server (see figure). In this configuration, the Web server can easily communicate with the internal servers. This communication makes it easy to update the Web server with dynamic data from the production system. However, if someone successfully attacks the Web server, the attacker can use the Web server as a starting place to attack your internal systems.

Generally, you should not use this configuration because the security policy is split between the firewall and the router. This means that both systems must be reviewed and maintained. A hole in one system may be overlooked because it is thought that the other system is closing it.

Figure 8. Screened Host Firewall

The screened host configuration requires only one LAN adapter in the firewall, which makes this solution less expensive to implement. However, the disadvantages of this configuration can result in considerable recovery expenses.

In this configuration, the Internet router is your most important line of defense. You must ensure that you configure the router packet filter rules correctly because there is no physical separation between the internal and perimeter networks. Holes in the router filter rules can give an attacker access to your internal network, and the means to damage it, because the attacker may be able to bypass the firewall entirely.
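The router filter rules that the dual-homed gateway and screened host sections above describe, evaluated first-match with a default deny, as an added example that is not the IBM product's or any router vendor's filter syntax: the perimeter addresses (203.0.113.0/24), the internal host addresses, the rule sets and the test packets are all constructed. The screened host rule set deliberately contains the kind of hole the text warns about (a permit written for the whole perimeter segment instead of the one Web server address) beside a corrected version.

```python
"""First-match packet filter used to compare the router rules of a
dual-homed gateway with those of a screened host that has a hole. Added
example, not the IBM product's filter syntax; the addresses, rules and
packets are constructed (RFC 5737 / RFC 1918 ranges)."""
import ipaddress


class Packet:
    def __init__(self, src, dst, proto, dport):
        self.src, self.dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        self.proto, self.dport = proto, dport


class Rule:
    """One filter line. Rules are evaluated top to bottom; first match wins."""

    def __init__(self, action, src="0.0.0.0/0", dst="0.0.0.0/0", proto="any", dport=None):
        self.action = action
        self.src, self.dst = ipaddress.ip_network(src), ipaddress.ip_network(dst)
        self.proto, self.dport = proto, dport

    def matches(self, p):
        return (p.src in self.src and p.dst in self.dst
                and self.proto in ("any", p.proto)
                and (self.dport is None or self.dport == p.dport))


def evaluate(rules, p):
    """Default deny: a packet no rule permits is dropped."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


def anti_spoof():
    """Inbound packets claiming a private source address are forged or
    misrouted; reject them before any permit rule."""
    return [Rule("deny", src=n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


# Dual-homed gateway: the Internet router admits only the Web server and the
# firewall's non-secure address. The internal net (10.1.1.0/24) is not even
# routable from outside, so the final default deny is belt and braces.
DUAL_HOMED = anti_spoof() + [
    Rule("permit", dst="203.0.113.80/32", proto="tcp", dport=80),
    Rule("permit", dst="203.0.113.80/32", proto="tcp", dport=443),
    Rule("permit", dst="203.0.113.1/32", proto="tcp", dport=25),   # mail relay on the firewall
    Rule("permit", dst="203.0.113.1/32", proto="udp", dport=53),   # firewall name server
]

# Screened host: the internal AS/400 (203.0.113.50, constructed) shares the
# perimeter segment. A permit written for "the segment" instead of the one
# Web server address exposes it: this is the hole the text warns about.
SCREENED_HOLE = anti_spoof() + [
    Rule("permit", dst="203.0.113.0/24", proto="tcp", dport=80),
    Rule("permit", dst="203.0.113.80/32", proto="tcp", dport=443),
    Rule("permit", dst="203.0.113.1/32", proto="tcp", dport=25),
    Rule("permit", dst="203.0.113.1/32", proto="udp", dport=53),
]

# Corrected: shield the internal host explicitly, and permit only exact hosts.
SCREENED_FIXED = anti_spoof() + [
    Rule("deny", dst="203.0.113.50/32"),
    Rule("permit", dst="203.0.113.80/32", proto="tcp", dport=80),
    Rule("permit", dst="203.0.113.80/32", proto="tcp", dport=443),
    Rule("permit", dst="203.0.113.1/32", proto="tcp", dport=25),
    Rule("permit", dst="203.0.113.1/32", proto="udp", dport=53),
]

# Constructed inbound packets, as seen on the Internet side of the router.
PACKETS = {
    "web": Packet("198.51.100.7", "203.0.113.80", "tcp", 80),
    "mail": Packet("198.51.100.7", "203.0.113.1", "tcp", 25),
    "telnet_to_firewall": Packet("198.51.100.7", "203.0.113.1", "tcp", 23),
    "internal_dual": Packet("198.51.100.7", "10.1.1.5", "tcp", 80),
    "internal_screened": Packet("198.51.100.7", "203.0.113.50", "tcp", 80),
    "spoofed": Packet("10.1.1.9", "203.0.113.80", "tcp", 80),
}


def compare():
    """Verdict for every packet under each rule set."""
    sets = {"dual_homed": DUAL_HOMED, "screened_hole": SCREENED_HOLE,
            "screened_fixed": SCREENED_FIXED}
    return {name: {pn: evaluate(rules, p) for pn, p in PACKETS.items()}
            for name, rules in sets.items()}
```

Run against the same packets, the dual-homed rule set never lets anything through to 10.1.1.5 whatever mistakes appear further down the list, while the screened host rule set with the over-broad permit lets an Internet host reach the internal AS/400 on port 80 even though the firewall itself was never touched. The corrected set places an explicit deny for the internal host above every permit, which is the review discipline the text calls for when the policy is split between router and firewall.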
Chapter 3. Planning your firewall installation and configuration

To ensure that you install and configure your firewall properly, you must carefully gather information about your network, security needs, and public server placement. You must use this information to carefully plan how you will install and configure the firewall. Because planning is the most critical step for successfully getting your firewall up and running, review these topics:

• IBM Firewall for AS/400 installation requirements
• Positioning your public server in relation to your firewall
• Firewall and network configurations: Sample scenarios
• IBM Firewall for AS/400 planning worksheets

Frequent updates are made to the AS/400 Firewall home page. You should check it as part of your planning process. The address for the home page is: http://www.as400.ibm.com/firewall

IBM Firewall for AS/400 installation requirements

Before you install IBM Firewall for AS/400, you must verify two things. Both the firewall home AS/400 system and the firewall administration workstation must meet the software and hardware requirements. To determine what the requirements are, review these topics:

• IBM Firewall for AS/400 software requirements
• IBM Firewall for AS/400 hardware requirements
• IBM Firewall for AS/400 user profile requirements
• Secure Sockets Layer (SSL) considerations for IBM Firewall for AS/400

IBM Firewall for AS/400 software requirements

IBM Firewall for AS/400 resides and runs on an Integrated Netfinity Server for AS/400 that is installed on the AS/400 system. The firewall requires these types of software:

• Licensed programs installed on the firewall home AS/400 system and Integrated Netfinity Server
• Software installed on the firewall administration PC
• Software installed on firewall clients

IBM Firewall for AS/400 licensed program requirements

IBM Firewall for AS/400 resides on an AS/400 Integrated Netfinity Server and uses TCP/IP for communications. Consequently, you must have certain AS/400 licensed programs installed on the firewall home AS/400 system to ensure that you can install the firewall correctly. The table below lists the AS/400 licens d programs that you must have installed.

© Copyright IBM Corp. 1998, 1999 45

Licensed Program        Description
5769-SS1                OS/400, Version 4 Release 3
5769-TC1                TCP/IP Connectivity Utilities
5769-SA2                Integration Services for FSIOP
5769-DG1                IBM HTTP Server for AS/400
5769-FW1                Firewall for AS/400
5769-AC1, AC2, AC3      Cryptographic Access Provider (used to create virtual private networks)

Note: To create virtual private networks, you must also install the IBM Cryptographic Access Provider (5769-AC1, AC2, or AC3). If you vary on the Integrated Netfinity Server before installing ACx, you must RSTLICPGM the firewall and reapply the firewall PTFs.

Note: If you want to convert firewall logs to DB2 tables and use interactive SQL to build views of your log data, you must install the DB2 for AS/400 Query Manager and SQL Development Kit (5769-ST1) licensed program.

IBM Firewall for AS/400 administration PC software requirements

You administer the firewall through a Web browser on a PC in your internal network. This firewall administration PC requires the following software:

• TCP/IP support (must be configured and operational)
• A Web browser that supports HTML frames and JavaScript (for example, Netscape Navigator 3.0 and 4.0, as well as Microsoft Internet Explorer 4.0, work well)

IBM Firewall for AS/400 client software requirements

Each client on your internal secure network should have the following software installed to access firewall services:

• A Web browser that supports HTML frames and JavaScript
• FTP software (if you authorize the client to use FTP)
• SOCKS support (if you want the client to use the firewall SOCKS server to connect to the Internet)

IBM Firewall for AS/400 hardware requirements

IBM Firewall for AS/400 resides and runs from an Integrated Netfinity Server on the firewall home AS/400 system. You must use a PC or workstation to configure and administer the firewall.
To review the hardware requirements for both the firewall home AS/400 system and the firewall administration PC, see these topics:

• IBM Firewall for AS/400 administration PC hardware requirements
• IBM Firewall for AS/400 hardware requirements for the firewall home AS/400 system

IBM Firewall for AS/400 administration PC hardware requirements

The PC or workstation that you use to configure and administer the firewall must have the following hardware:

• A token-ring or Ethernet adapter to communicate with the Integrated Netfinity Server adapter or another line on the firewall home AS/400 system that uses TCP/IP
• A processor and memory sufficient to run the operating system and Web browser that you use to administer the firewall
For detailed procedures to verify these requirements, see the topic "Verifying firewall hardware, software, and configuration prerequisites" on page 69.

IBM Firewall for AS/400 hardware requirements for the firewall home AS/400 system

The firewall home AS/400 must have a dedicated Integrated Netfinity Server installed. You must use this Integrated Netfinity Server solely for the firewall, and it must have the following features:

• At least 32 MB memory (preferably 64 MB)
• Two communication ports

If possible, you should use the Pentium models of the Integrated Netfinity Server. The 486 Integrated Netfinity Server works; however, you will get better performance by using the Pentium models. For detailed procedures to verify these requirements, see the topic "Verifying firewall hardware, software, and configuration prerequisites" on page 69.

IBM Firewall for AS/400 user profile requirements

To install, configure, or administer the firewall, the firewall administrator user profile must have the following user class and special authorities:

• User class of *SECOFR
• Special authorities of *SECADM, *ALLOBJ, and *IOSYSCFG

The firewall also requires a user profile for each user who authenticates if you enable the user authentication feature for either the TELNET proxy or the SOCKS server.

Secure Sockets Layer (SSL) considerations for IBM Firewall for AS/400

The Secure Sockets Layer (SSL) supports encryption for communication between hosts. You can use SSL to encrypt communication sessions between the firewall administration PC and the firewall. Using SSL enhances firewall administration security. Consequently, using SSL is strongly recommended, especially if you want to administer the firewall remotely or from a non-secure workstation.

Note: To administer the firewall remotely, you must change the filter rule that describes what traffic can access port 2010. You must change this filter rule to allow access to the port from the non-secure side of the firewall. If you change this filter rule, restrict it to the specific source addresses that you administer from, and ensure that your changes do not give an attacker an opportunity to exploit the change to attack your firewall.

To use SSL, you need:

• IBM HTTP Server for AS/400 (5769-DG1)
• Cryptographic Access Provider licensed program for AS/400 (AC1, AC2, or AC3). Note: You must also install this program if you want to use your firewall to create virtual private networks. You must install this product before you vary on the Integrated Netfinity Server for the first time. If you do not install the product prior to vary on, the product will be deleted from your system.
• A digital certificate for your firewall server. For more information about obtaining and using digital certificates, see the HTTP Server for AS/400 Webmaster's Guide.
• A Web browser that supports SSL
Positioning your public server in relation to your firewall

One reason companies connect to the Internet is to provide some type of service to Internet users. This can range from a simple Web site that contains product information to a fully integrated e-commerce site. Another reason companies connect to the Internet is to provide an e-mail connection for their company. This may be a traditional Simple Mail Transfer Protocol (SMTP) connection or it may be a full-function Domino server. Whatever reason your company has for connecting to the Internet, the company must protect its network. A firewall provides the best protection.

If you provide services to Internet users, you must decide where to place your public server. You can put your public server:

• On the perimeter network in front of the firewall
• On the internal network behind the firewall

The answer to the question of where to place your Web server is: "It depends." Review the information in these topics to help you decide where to place your server:

• Placing a public server in front of the firewall
• Placing a public server behind the firewall

After reading these topics, you should have a better understanding of the trade-offs you must make based on your choice of server location. You may also notice that the same item is listed as a disadvantage in one section and an advantage in another.

Placing a public server in front of the firewall

As with all other processes in your company, security must be balanced with usability. Placing the public server in front of the firewall provides the highest level of protection for your internal secure network. The firewall blocks all access to the internal network from the Internet. Figure 9 on page 49 provides a sample illustration of this network configuration.
Figure 9. Public server in front of the firewall

To learn about the advantages and disadvantages of placing the server in front of the firewall, review these topics:

• Advantages of placing your public server in front of the firewall
• Disadvantages of placing your public server in front of the firewall

Advantages of placing your public server in front of the firewall

When you place your public server in front of the firewall, you gain the following advantages:

• Server traffic does not add to the traffic flow through the firewall and consume firewall resources.
• You do not need to allow Internet Protocol (IP) forwarding in the firewall to provide services to the Web. However, if you use network address translation (NAT) services, you must allow IP forwarding.
• Internet users can access the public server even when the firewall home AS/400 is down.
• The firewall blocks all access to the production network and data.
• The public server is in the public part of the network. Therefore, you need not subnet the addresses that you receive from your Internet service provider (ISP).

Having the public server in front of the firewall reduces the amount of traffic that flows through the firewall. Consequently, the firewall can use more resources for other things, such as caching and logging. This may provide better performance for the users in the internal network who access the Internet. However, the speed of the line to the ISP is usually the biggest performance limitation. A good rule of thumb is to divide the line speed in bits per second by 10 (8 data bits plus a start and a stop bit). Using this equation, you can estimate the maximum number of bytes per second that the line can transfer in one direction. For example, if you have a 56K bps line to the ISP, expect a maximum of 5600 bytes of data to flow per second. This does not include any overhead that the protocol that you use may add, for example, TCP/IP.
With IP forwarding turned off in the firewall, unintended access through the firewall is less likely if you add a rule incorrectly. The firewall is, therefore, easier to set up because the firewall application generates all the rules, which makes human errors less likely. However, if you use NAT to allow internal clients to access Internet services, you must allow IP forwarding.

When you take down the firewall home AS/400 system for backups or service, you must end the firewall. Because the public server is in front of the firewall, Internet users can still access the public server. The firewall blocks access to the secure internal network. In the event of a successful attack on the public server, the attacker can compromise the data on the public server system only.

Because the public server is outside the firewall, the public server is in the public portion of your network. Consequently, you do not need to subnet the registered network address that you receive from your ISP. You must obtain at least four registered addresses from your ISP to support this network configuration. See the topic Understanding TCP/IP, networking, and the Internet for more details on IP addresses and subnets.

Disadvantages of placing your public server in front of the firewall

When you place your public server in front of the firewall, you must be aware of the following disadvantages:

• When you place the public server in front of the firewall, the firewall does not protect the public server. The router to the ISP and the security that you set up on the server itself provide the only protection for the public server. In most cases, the ISP handles the configuration of their router. If your public server is a V4R3 AS/400 system, you can use native packet filtering to protect the server.
• The firewall cannot log traffic to or from the public server. Consequently, you have no record of attempted or successful attacks on the public server. However, if your public server is a V4R3 AS/400 system, you can have the server log traffic.
• You must implement measures to prevent unauthorized access to any services that are started on the public server for administrative reasons, for example, TELNET, FTP, IBM HTTP Server for AS/400, and so forth.
• Updating the public server with production data requires that you either open a hole in the firewall or that you physically transfer the data. Consequently, data on the public server may not be current.
• You must have two systems: an AS/400 at V4R3 to support the firewall Integrated PC Server and another system to provide the public service.

If you plan to use the public server solely for HTTP serving and other read-only activities, then the server should be fairly safe. Well-written CGI programs that validate their input can be used because they update data only through HTTP forms. However, if you start any services that can provide direct access to the server, such as TELNET, the server becomes open to attack. You should only put data on the public server that you can afford to lose and can easily replace. This type of public server is sometimes referred to as a "sacrificial lamb."

Most routers cannot log access attempts. When the public server is in front of the firewall, the server may be your only source for log information. Information about discarded packets or attacks on the public server cannot be captured, unless the server is a V4R3 AS/400 system. You also cannot obtain information about the effects of a successful attack.
• You may need to start the TELNET or FTP server on the public server for administrative reasons. If you choose to do this, make sure that the ISP router has filters in place to prevent access to these services from the Internet. Start these services only when you need to actively use them, and end them as soon as you are done. In the case of FTP, you can use carefully coded exit programs to provide additional protection. You can also use exit points for TELNET. You can find more information about coding exit programs in the TCP/IP Configuration and Reference (SC41-5420) or on the AS/400 Technical Studio Web site.

Note: If you provide these services to Internet users, remember that these services do not encrypt user IDs, passwords, or the data that you transfer. Consequently, a potential attacker can view everything that you do through these services. You may choose to implement anonymous FTP, but anonymous FTP requires that you use exit programs.

When you place the public server in front of the firewall, you may need a method for updating the server with new data from the internal network. The simplest and most secure way to do the update is to use a tape to load a new copy of the data. This method keeps the internal network separate from the public network, but does require human intervention.

Placing a public server behind the firewall

Placing the public server behind the firewall provides both a high level of security for your internal secure network and more protection for the public server. The firewall blocks all access to the internal network from the Internet. The figure below provides a sample illustration of this network configuration.

To learn about the advantages and disadvantages of placing the server behind the firewall, review these topics:

• Advantages of placing your public server behind the firewall
• Disadvantages of placing your public server behind the firewall

Chapter 3. Planning your firewall installation and configuration 51
Advantages of placing your public server behind the firewall

When you place your public server behind the firewall, you gain the following advantages:

• The firewall protects the public server. You are not dependent on the Internet service provider (ISP) router for protection of the public server.

• You can use the firewall logging function to detect and recover from attacks on the public server.

• The public server and production data are on the same side of the firewall, which may make it easier for you to update the server with production data.

• You can use the same AS/400 system to run the firewall Integrated PC Server and run the public server.

• During Basic configuration for your firewall, the application automatically configures HTTP and HTTPS access to your public server through network address translation services (NAT). NAT allows the firewall to route traffic from the Internet to your public server while hiding your internal addresses. Using NAT also lowers the number of registered IP addresses that you must obtain because your public server can use a private address. NAT translates this address either to a reserved public address or to the firewall public address.

The firewall can also log packets that the server receives. If you choose to use this feature, you get a log that contains information about packets that the firewall accepts and forwards. You can also get log entries for packets that the firewall discards. You can use these logs to determine if someone has been attacking your network. You must set up these logging features before you can use them.

With the firewall protecting the public server and the production systems, you can easily use built-in tools such as distributed relational database architecture (DRDA) or FTP to move data between systems without having to modify the firewall. This allows you to access existing data and systems when implementing Internet-based applications.
You need one system running OS/400 at V4R3 or later to support the firewall Integrated PC Server and code. You can use this same system as the public server because the firewall protects the system and the internal network from attack.

You can use NAT in the firewall to route traffic from the Internet to your public server and hide your internal addresses. The firewall uses the NAT settings to map the publicly registered IP address of the server to the private address for the server on your internal network. You can use the address of the firewall non-secure port as the public address of the server. This lowers the number of registered IP addresses that you must obtain for your network.

Note: You may need to specify that the firewall send HTTP and HTTPS traffic for the public server to ports other than the well-known ports for these services. You must do this only if you use proxy or SOCKS servers to provide internal users with access to Internet services.

Disadvantages of placing your public server behind the firewall

When you place your public server behind the firewall, you must be aware of the following disadvantages:

• Server traffic flows through the firewall. This extra traffic consumes more firewall resources that you could otherwise use for caching, logging, and so forth.

• Internet Protocol (IP) forwarding is active on the firewall so that Internet users can reach your public server.

• You may need to perform additional configuration for the firewall and your public server. For example, you may want to allow Notes clients on the Internet
to access a Lotus Domino server behind the firewall. To allow this traffic to flow through the firewall, you must add filter rules to the firewall configuration manually.

• When the firewall home AS/400 is down, no traffic can flow between the Internet and the secure network. Consequently, Internet users cannot access your public server and internal users cannot access the Internet.

When you place the public server behind the firewall, you increase the amount of traffic that flows through the firewall. This may consume firewall resources that you can otherwise use to service internal users that access the Internet. However, firewall resource limitations are not likely to create a bottleneck in your Internet performance. The bottleneck, if any, is more likely to be caused by the speed of the line that you use to connect to the ISP. You can find information about calculating the line throughput in the topic Advantages of placing your public server in front of the firewall.

During firewall Basic configuration, the application configures network address translation services (NAT) to route traffic to a public server behind the firewall. NAT uses IP forwarding. When IP forwarding is active, the firewall forwards any packet that it receives. IP forwarding can increase your network's vulnerability to attack. However, before forwarding the packet, the firewall checks the packet against the filter rules to determine whether to route or discard the packet. Well written filter rules ensure that only those packets that you authorize to reach your internal network and public server do so. However, if you add or change a rule incorrectly, you can disable the firewall. The rule could allow the firewall to forward everything because everything passes a rule. For this reason, you need to have a good understanding of how to write filter rules. You should also examine your firewall configuration regularly.
When you shut down the firewall home AS/400 system for service or the QSYSWRK subsystem ends, the firewall application ends. When the firewall application ends, the firewall is not available to forward packets. Although your internal network remains protected in this case, Internet users cannot reach your public server.

Firewall and network configurations: Example scenarios

To make it easier for you to plan your network and firewall configuration, this topic describes some sample configuration scenarios for your review. Each sample scenario contains network configuration diagrams. After each diagram is a basic description of the scenario and information about the addressing in the scenario.

As you examine each scenario, notice that the main difference between the scenarios is the network configuration. The services that you provide to Internet clients and the services that your users access from the Internet affect the configuration of the firewall, but generally do not affect the network configuration.

To help you plan your own firewall configuration, look through these sample scenarios and find the scenario diagram that best matches your environment:

• Example scenario: Public server in front of the firewall
• Example scenario: Public server in front of the firewall with secure side subnets
• Example scenario: Public server behind the firewall

Example scenario: Public server in front of the firewall

Figure 10 on page 54 shows a basic network configuration with a public server (WWW) on the non-secure perimeter network. This configuration provides access
to the Internet from the internal secure network by using proxy or SOCKS servers or network address translation (NAT). During Basic configuration, you select the Internet services that local users can access from the internal secure side of the network. These selections do not affect the network configuration. The configuration prevents access to the internal secure network from the non-secure network or Internet. An additional LAN adapter connected to the firewall home AS/400 in the internal secure network provides access to the IBM HTTP Server for firewall installation.

Figure 10. Public server in front of the firewall

All hosts in the internal secure network are located on the same LAN segment as the secure port of the firewall. In this configuration, the internal secure LAN appears as one segment. There are two reasons that the LAN can appear as one segment. One is that there is only one physical segment in the LAN. Another is that bridges, which are transparent to TCP/IP protocol, connect multiple LAN segments.

For a discussion of the advantages and disadvantages of this scenario, review the topic Placing a public server in front of the firewall. You can find detailed information for setting up this scenario in the topic Installing and configuring your firewall.

Example scenario: Public server in front of the firewall with secure side subnets

The figure below shows a basic network configuration with a public server (WWW) on the non-secure perimeter network. The hosts in the internal secure network are located on multiple LAN segments. These hosts are connected to the secure port of the firewall by using a router. A typical network has many subnets in the internal secure network; however, for simplicity, the figure only shows two subnets in the internal secure network.
Figure 11. Public server in front of the firewall with secure side subnets

For a discussion of the advantages and disadvantages of this scenario, review the topic Placing a public server in front of the firewall. You can find detailed information for setting up this scenario in the topic Installing and configuring your firewall.

Example scenario: Public server behind the firewall

Figure 12 on page 56 shows a basic network configuration with a public server (WWW) behind the firewall on the internal secure network. You provide access to the Internet from the internal secure network by using proxy or SOCKS servers or by using network address translation (NAT). During Basic configuration, you select the Internet services that your users access from the internal network. These selections do not affect the network configuration. Basic configuration automatically uses NAT to allow access to the public server on the internal secure network from the Internet. The firewall filter rules and the Internet service provider (ISP) router protect the internal secure network. An additional LAN adapter connected to the firewall home AS/400 in the internal secure network provides access to the IBM HTTP Server for firewall installation.
Figure 12. Public server behind the firewall

The secure port of the firewall is connected to a LAN segment that becomes the public secure network. The hosts in the internal secure network may be located on different LAN segments.

For a discussion of the advantages and disadvantages of this scenario, review the topic Placing a public server behind the firewall. You can find detailed information for setting up this scenario in the topic Installing and configuring your firewall.

IBM Firewall for AS/400 planning worksheets

This topic provides information about how to plan your firewall installation and configuration. There are worksheets that you can use to help you plan. Use the worksheets to gather detailed information about your firewall Integrated Netfinity Server, home AS/400 system, network, Internet service provider (ISP), and Internet service usage plans. You need this information to adequately plan your Internet, network, and firewall strategy. You can also use this information to configure your firewall and your public server.

Table 10. Planning worksheet for ensuring that your AS/400 system meets all prerequisites for installing firewall

Prerequisite Checklist (all answers should be YES before you proceed with firewall installation) | Answers

• Is your OS/400 V4R3 or later?
• Is Firewall for AS/400 licensed program (5769-FW1) installed?
• Is the OS/400 System Openness Includes option needed for 5769-SA2 installed?
• Is Integration Services for FSIOP (5769-SA2) installed?
• Is TCP/IP Connectivity Utilities for AS/400 (5769-TC1) installed?
Table 10. Planning worksheet for ensuring that your AS/400 system meets all prerequisites for installing firewall (continued)

Prerequisite Checklist (all answers should be YES before you proceed with firewall installation) | Answers

• Is IBM HTTP Server for AS/400 (5769-DG1) installed?
• If you plan to create virtual private networks, is Cryptographic Access Provider (5769-AC1, AC2, AC3) installed?
• Did you verify that the most current PTFs available are installed? (A list of these is available at http://www.as400.ibm.com/firewall Support --> Code Updates.)
• Does the firewall Integrated Netfinity Server have two ports?
• Is TCP/IP configured in your AS/400 system (including IP interfaces, routes, local host name, and local domain name)?
• Is the firewall Integrated Netfinity Server installed in the firewall home AS/400 system?
• Did you verify that both ports of the firewall Integrated Netfinity Server are working properly?
• Is the secure port of the firewall Integrated Netfinity Server connected to the internal network?
• Is the non-secure port of the firewall Integrated Netfinity Server the same LAN type (Ethernet or token-ring) as the LAN segment connected to the ISP?
• Is the non-secure port of the firewall Integrated Netfinity Server connected to a separate MAU or hub? (This port should be in the LAN segment that connects to the ISP router.)
• Does your firewall administration workstation have a browser that supports HTML frames and JavaScript (for example, Netscape Navigator 3.0+ or Microsoft Internet Explorer 4.0+)?

Table 11. Planning worksheet for your network configuration

Network Checklist | Answers

• Provide a diagram of your network, including hosts, routers, bridges, host IP addresses, subnet masks, and mail servers. Include the firewall home AS/400 system and the firewall Integrated Netfinity Server in your diagram.
• Does your AS/400 system have a LAN adapter (other than those in the firewall Integrated Netfinity Server)?
• Do you have a DNS server in your secure network?
• Will the DNS administrator be available when you set up the firewall?
• Is your secure DNS a subdomain of your public domain name?
• If you do not have DNS in the secure network, have you updated host tables and the DNS configuration for your clients?
• Are the Internet Protocol (IP) addresses that you use in your internal network valid (registered) Internet addresses? See following Note.
• Do you have multiple subnets (and, therefore, routers) in your secure network?
• Do you have a network administrator, and will the administrator be available when you install and configure your firewall?
• Do you have e-mail set up in your secure network?
Table 11. Planning worksheet for your network configuration (continued)

Network Checklist | Answers

• Do you have subdomains within your secure network? If yes, list the names of each subdomain.
• If your secure mail server is not in the firewall home AS/400 system, is it a TCP/IP host?
• List the operating systems of the hosts in your network (PCs, servers, and so forth) that have access to the Internet through the firewall.
• Is TCP/IP installed and configured on the clients (such as Windows 95) of the users that access the Internet?
• Do you want users on the internal network to access Internet services through the SOCKS server? If you do, then do the Transmission Control Protocol/Internet Protocol (TCP/IP) client applications support SOCKS? For example, Netscape browser, SOCKSCap, AutoSOCKS, TCP/IP SOCKSified stack?

Note: If you use private (unregistered) IP addresses in the secure network, you should be aware of these limitations:

• You must use either the proxy or SOCKS servers or NAT services on the firewall to access the Internet.
• You must use NAT if you want users to access RealAudio or Internet Relay Chat services.

However, using reserved Internet address ranges (for example, 10.*.*.*, 172.16.*.*, or 192.168.*.*) improves your overall security. This improvement occurs because routers on the Internet discard packets from reserved addresses if they are accidentally routed to the Internet.

Table 12. Planning worksheet for your connection to your Internet service provider (ISP)

Internet Service Provider (ISP) Checklist | Answers

• Have you selected an ISP?
• Is your connection to the ISP installed and verified?
• Is your ISP responsible for configuring the router that connects your perimeter network to the ISP?
• Will a technical support person from the ISP organization be available when you configure your firewall?
• Have you registered your public domain name (mycompany.com) with the InterNIC?
• Have you agreed with your ISP whose DNS will be the authority for your public domain? (Will the ISP DNS or the firewall DNS resolve IP addresses for your public servers?)

Table 13. Planning worksheet for services that you want to use from the Internet

Accessing Services From the Internet Checklist | Answers

• Do you have a security policy that covers how your company employees are to use services from the Internet? If not, spell out your security policies before continuing. For example, will you restrict which users or departments are allowed to surf the Net? Will you allow TELNET or RealAudio?
Table 13. Planning worksheet for services that you want to use from the Internet (continued)

Accessing Services From the Internet Checklist | Answers

• Have your users received the necessary training? For example:
  • Do your users understand the risks of downloading software from the Internet?
  • Are Java applets permitted? (Is Java enabled in the browser?)
  • Is antivirus software installed on your users' clients?
  • Do your users know that they should run antivirus software every time they download software from the Internet?
  • Do your users know how to identify a secure transaction?
  • Do users know how to use the firewall to access the Internet?
• What Internet services are you planning to use now and in the near future? These are services that users on the secure network will initiate.
  • E-mail
  • Hypertext Transfer Protocol (HTTP)
  • HTTPS (secure HTTP)
  • File transfer protocol (FTP) (passive or active?)
  • TELNET
  • RealAudio
  • Client Access/400
  • Lightweight directory access protocol (LDAP)
  • Secure LDAP
  • Post office protocol (POP)3
  • Gopher
  • Wide area information servers (WAIS)
  • Internet relay chat (IRC)
  • Lotus Notes
  • Distributed relational database architecture (DRDA)
  • NetNews transfer protocol (NNTP)
  • Secure NNTP
• How will you allow users to access these services? Will you permit the services through a proxy or SOCKS server, or through NAT? Do you know how to decide which method you should use for each service that you decide to allow?

Table 14. Planning worksheet for services you want to provide on the Internet

Providing Services to Internet Users Checklist | Answers

• Will you provide local services to Internet users now or in the future (for example, HTTP, FTP, POP, and so forth)?
• Do you understand the risks associated with accessing sensitive data without using encryption (for example, HTTPS) or using passwords over the Internet?
• Do you understand the trade-offs between locating the server or servers in the perimeter network versus behind the firewall?
• Is your public server or servers located in your perimeter network?
• Is your public server or servers located in your secure network behind the firewall?

Use Table 15 to plan how to update your public server if it is in front of your firewall on the perimeter network.
Table 15. Planning worksheet for the connection between your public server in the perimeter network and your production systems

Connections Between Public Server and Production System Checklist | Answers

• Does your public server need access to production data?
• What applications are you planning to use to transfer data between production systems and your public servers? Check all that apply.
  • Net.Data
  • DDM
  • Distributed relational database architecture (DRDA)
• What services are required to manage your public servers (in the perimeter network) from the secure network?
  • File transfer protocol (FTP)
  • TELNET
  • Client Access/400
  • DDM
  • Distributed relational database architecture (DRDA)
  • Simple network management protocol (SNMP)

Use Table 16 to list all the services that you will provide to Internet users and indicate where you will locate each service.

Table 16. Planning worksheet for local services you plan to provide to Internet users

Service | Public server on perimeter network | Public server on firewall home AS/400 system | Public server on second Integrated Netfinity Server in home AS/400 | Public server on separate system in secure network
HTTP    |                                    |                                              |                                                                    |
POP     |                                    |                                              |                                                                    |
FTP     |                                    |                                              |                                                                    |
TELNET  |                                    |                                              |                                                                    |
CA/400  |                                    |                                              |                                                                    |
Chapter 4. Installing and configuring your firewall

This topic describes the tasks that you must perform to install and configure your firewall when using the firewall Basic configuration option. Even if Basic configuration does not totally satisfy your particular requirements, you always should start by installing your firewall and running Basic configuration. You can then further customize or update the original configuration by using the more advanced configuration options.

This scenario provides information for installing and configuring a firewall with the most common network and firewall configuration. To determine whether your firewall configuration needs are similar to the ones described in this scenario, see the topic Firewall basic configuration: Scenario overview.

IMPORTANT: Remember in our scenario we assume that an internal DNS exists inside your firewall. We strongly recommend having an internal DNS for the following reasons:

• An internal DNS eliminates extra configuration of host tables, mail, etc.
• An internal DNS eliminates mail problems that occur when there is not an internal DNS.
• An internal DNS makes it easier to configure and manage your network.

However, if you DO NOT have an internal DNS, we provide alternate steps for configuring an external server that exists outside your firewall.

To configure your firewall in this scenario, perform these tasks:

1. Complete and review the planning worksheets.
2. Verify hardware, software, and configuration prerequisites.
3. Install the firewall based on answers in the planning worksheet.
4. Prepare for Basic configuration of your firewall.
5. Start the firewall.
6. Perform Basic configuration for the firewall based on your answers in the planning worksheet.
7. Configure clients on the internal network to access Internet services through the firewall.
Firewall basic configuration: Scenario overview

This scenario provides a complete set of instructions for a typical firewall installation and configuration. In this scenario, we assume that you want your employees to access certain Internet services safely. For example, you want your local users to:

• Exchange e-mail with other Internet users.
• Surf the Internet.
• Use file transfer protocol (FTP) to download software from the Internet.

We also assume that you want to have a presence on the Internet. Therefore, you will want to complete the following tasks before you begin your configuration:

• Install a public Web server to advertise your products, so customers can visit your site and purchase product electronically.
• Install and configure an internal DNS server.

© Copyright IBM Corp. 1998, 1999 61
IMPORTANT: Remember in our scenario we assume that an internal DNS exists inside your secure network. We strongly recommend that you have an internal DNS for the following reasons:

• An internal DNS eliminates extra configuration of host tables, mail, etc.
• An internal DNS eliminates mail problems that occur when there is not an internal DNS.
• An internal DNS makes it easier to configure and manage your network.

However, if you DO NOT have an internal DNS, we provide alternate steps for configuring the firewall server that exists outside your firewall.

For more details about this scenario configuration, review these topics:

• Firewall basic configuration: Scenario objectives
• Firewall basic configuration: Scenario advantages
• Firewall basic configuration: Scenario disadvantages
• Firewall basic configuration: Scenario network configuration

Firewall basic configuration: Scenario objectives

There are two objectives in this scenario:

1. To provide your local users with access to services from the Internet. The primary objective is to allow your users to access Internet services through the firewall. To ensure network security, you must ensure that Internet users cannot access the secure (internal) network. The secure (internal) network is located behind the firewall.

2. To provide services to Internet users through a public server that you place in front of the firewall on the perimeter network. You protect the server with host security and the Internet router. This router may belong to your Internet service provider (ISP). You (or the ISP) must configure the router to allow only those incoming requests to the services that you want to provide from the public server.

Note: This scenario assumes that you have a public server in front of the firewall. However, you can use the procedures to configure your firewall even if your public server is behind the firewall. When your public server is behind the firewall, Basic configuration does the configuration for you.
Basic configuration automatically configures your firewall to use network address translation (NAT) to provide HTTP and HTTPS access to the public server. You do not need a public address for the server; you can use the non-secure firewall port public address as the public address for the server. You need take no special steps unless you want to have internal users access the Internet through proxy or SOCKS servers. If you use proxy or SOCKS servers, and use the firewall non-secure port as the public server address, then you must specify that HTTP and HTTPS traffic for the public server use ports other than the well-known ones. This is called port mapping. You can specify these ports during Basic configuration.

If you want to allow other traffic to pass through the firewall to the public server, you must add NAT settings and filter rules to your firewall configuration. For more information about these advanced configuration options, see Firewall advanced topics in the AS/400 Information Center.
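The packet path described here (NAT port mapping for a public server behind the firewall) and in the earlier discussion of IP forwarding and filter rules (an incorrect rule can let "everything pass a rule"), as a toy model in Python. This is an added illustration, not IBM Firewall for AS/400 code; the addresses, ports, rule format, first-match order and default-deny behaviour are constructed assumptions.

```python
# Toy model of NAT port mapping, first-match filter rules and the IP forwarding
# switch for a public server behind the firewall.  Added illustration only, not
# IBM Firewall for AS/400 code; every address, port and the rule format below is
# a constructed assumption.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str    # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    src: str              # source network in CIDR form; "0.0.0.0/0" matches any
    dst: str              # destination network in CIDR form
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None matches every destination port

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and self.proto in ("any", pkt.proto)
                and self.dport in (None, pkt.dport))


class Firewall:
    """NAT table keyed by (public address, public port); the first matching
    rule decides, and anything no rule permits is discarded."""

    def __init__(self, ip_forwarding: bool, rules: Iterable[Rule],
                 nat: Dict[Tuple[str, int], Tuple[str, int]]):
        self.ip_forwarding = ip_forwarding
        self.rules = list(rules)
        self.nat = dict(nat)
        self.log: List[str] = []   # what the firewall logging function would record

    def translate(self, pkt: Packet) -> Packet:
        """Map public address:port to the server's private address:port."""
        target = self.nat.get((pkt.dst, pkt.dport))
        if target is None:
            return pkt
        return Packet(pkt.src, target[0], pkt.proto, target[1])

    def handle(self, pkt: Packet) -> str:
        inner = self.translate(pkt)
        # Filter rules are checked before any forwarding takes place.
        verdict = next((r.action for r in self.rules if r.matches(inner)), "deny")
        if verdict == "deny":
            self.log.append(f"discard {pkt.src} -> {pkt.dst}:{pkt.dport}/{pkt.proto}")
            return "discarded"
        if not self.ip_forwarding:
            # NAT needs IP forwarding; with it off the permitted packet goes nowhere.
            self.log.append(f"not forwarded {pkt.src} -> {inner.dst}:{inner.dport}")
            return "not forwarded"
        self.log.append(f"forward {pkt.src} -> {inner.dst}:{inner.dport}/{inner.proto}")
        return "forwarded"


# Constructed addresses (documentation ranges, not real hosts).
FW_PUBLIC = "203.0.113.10"      # firewall non-secure port, used as the server's public address
WEB_PRIVATE = "192.168.1.80"    # public server behind the firewall, private address
INTERNET_HOST = "198.51.100.7"

# Port mapping: with proxy/SOCKS servers on the firewall, the well-known ports on
# FW_PUBLIC stay with the firewall, so HTTP/HTTPS for the server use 8080/8443.
NAT_TABLE = {(FW_PUBLIC, 8080): (WEB_PRIVATE, 80),
             (FW_PUBLIC, 8443): (WEB_PRIVATE, 443)}

# Rules of the kind Basic configuration generates: only the mapped services reach the server.
GENERATED_RULES = [
    Rule("permit", "0.0.0.0/0", WEB_PRIVATE + "/32", "tcp", 80),
    Rule("permit", "0.0.0.0/0", WEB_PRIVATE + "/32", "tcp", 443),
]

# Constructed sample traffic arriving on the non-secure port.
WEB_REQUEST = Packet(INTERNET_HOST, FW_PUBLIC, "tcp", 8080)        # customer browsing the site
TELNET_PROBE = Packet(INTERNET_HOST, "192.168.1.50", "tcp", 23)    # attempt at an internal host
EVERYTHING_PASSES = Rule("permit", "0.0.0.0/0", "0.0.0.0/0", "any", None)  # the mistaken rule


def build_firewall(ip_forwarding: bool = True, extra_rules: Iterable[Rule] = ()) -> Firewall:
    """Extra rules go first, as a manually added rule that shadows the generated ones would."""
    return Firewall(ip_forwarding, list(extra_rules) + GENERATED_RULES, NAT_TABLE)


def overly_broad_permits(rules: Iterable[Rule]) -> List[Rule]:
    """Regular configuration review: permit rules matching any source, destination,
    protocol and port let the firewall forward everything."""
    return [r for r in rules
            if r.action == "permit" and r.proto == "any" and r.dport is None
            and ip_network(r.src).prefixlen == 0 and ip_network(r.dst).prefixlen == 0]


if __name__ == "__main__":
    for label, fw in (("generated rules", build_firewall()),
                      ("IP forwarding off", build_firewall(ip_forwarding=False)),
                      ("with mistaken rule", build_firewall(extra_rules=[EVERYTHING_PASSES]))):
        print(label, fw.handle(WEB_REQUEST), fw.handle(TELNET_PROBE), overly_broad_permits(fw.rules))
```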
Firewall basic configuration: Scenario network configuration

Figure 13 depicts the network configuration for this scenario.

Figure 13. Scenario configuration with internal DNS and secure subnets

These scenario characteristics influence the firewall configuration:

• The secure network has a local Domain Name Services (DNS) server. For more information about configuring an AS/400 DNS server to work with your firewall, see the Redbook AS/400 TCP/IP Autoconfiguration: DNS and DHCP Support (SG24-5147). This link will take you to the Redbook home page, where you can search for keywords or titles.
• The secure network has subnets.
• Internal users need access to HTTP and FTP servers on the Internet and need to exchange e-mail with other Internet users.
• Internet users have access to services through a public server located on the perimeter network.

Note: This scenario assumes that you have an internal DNS server. When your public server is behind the firewall, Basic configuration does the configuration for you.

Basic configuration automatically configures your firewall to use network address translation (NAT) to provide HTTP and HTTPS access to the public server. You do not need a public address for the server; you can use the non-secure firewall port public address as the public address for the server. You need take no special steps unless you want to have internal users access the Internet through proxy or SOCKS servers. If you use proxy or SOCKS servers, and use the firewall non-secure port as the public server address, then you must specify that HTTP and HTTPS

Chapter 4. Installing and configuring your firewall 63
traffic for the public server use ports other than the well-known ones. This is called port mapping. You can specify these ports during Basic configuration.

Firewall basic configuration: Scenario advantages

The main advantages of this scenario are:

• Users in the secure (internal) network may access services from the Internet while the firewall denies intruders access to the secure (internal) network.
• The firewall breaks TCP/IP connections between the secure (internal) network and the untrusted network.
• The firewall blocks the incoming requests to the secure (internal) network. The firewall allows IP forwarding only if you choose to use network address translation (NAT) services to provide users with Internet access.
• Having an internal DNS server, in addition to your ISP DNS, allows an extra layer of protection in case of an external attack on your firewall. The internal DNS server contains the Internet Protocol (IP) addresses and host names of the internal network instead of the firewall, thus protecting it from an attack.
• An internal DNS also makes it easier to manage the growth of your network. If, for example, you wanted to add another workstation to your internal network, you would only need to configure it and create an entry for it in the DNS. Without a secure (internal) DNS, adding a new workstation requires more of you. You would need to configure the new workstation and create an entry for it in the HOST table of every system in the secure (internal) network.
• In addition, using an internal DNS makes configuring the Firewall to work with your mail server or mail servers easier for you.

Note: When you disable IP forwarding, the firewall does not route the incoming requests into the internal network. This provides your internal network with additional protection from mistakes in your firewall filter rules. Use of IP forwarding does not necessarily create an additional risk to your network.
For example, if you use NAT to provide users with access to the Internet, you must use IP forwarding. However, if you create no filter rules beyond those that the application creates for you, you do not incur a significant security risk.

Firewall basic configuration: Scenario disadvantages

The disadvantages of this scenario apply only if you provide public services to Internet users, and allow internal users access to Internet services. The disadvantages of this scenario are:

• The first time you configure an internal DNS can be difficult. To learn more about the initial configuration of an internal DNS, see AS/400 TCP/IP Autoconfiguration: DNS and DHCP Support (SG24-5147). This link will take you to the Redbook home page, where you can search for keywords or titles.
• To manage the public server on the perimeter network requires extra effort. You must physically access that system, or permit management functions (for example, TELNET, FTP, Client Access/400) to flow as outbound traffic through the firewall. To permit these management functions, you must create the appropriate firewall filter rules.

Firewall basic configuration: Reviewing your planning worksheets

Before you install the firewall, you must review your planning worksheets. This ensures that you have all the information that you need to properly install and configure the firewall for your scenario.
The example planning worksheets below illustrate the information that you need to provide in order to successfully install and configure the firewall for this scenario. You can use these example worksheets to help you complete your own worksheets.

Note: Use the questions from the worksheets as a checklist for tasks that you must perform before you install the firewall.

Table 17. Planning worksheet for ensuring that your AS/400 system meets all prerequisites for installing the firewall

Prerequisite checklist (all answers should be YES before you proceed with the installation):

- Is your OS/400 V4R3 or later? Yes (V4R3)
- Is the Firewall for AS/400 licensed program (5769-FW1) installed? Yes
- Is the OS/400 System Openness Includes option, needed for 5769-SA2, installed? Yes
- Is Integration Services for FSIOP (5769-SA2) installed? Yes
- Is TCP/IP Connectivity Utilities for AS/400 (5769-TC1) installed? Yes
- Is IBM HTTP Server for AS/400 (5769-DG1) installed? Yes
- If you plan to create virtual private networks, is Cryptographic Access Provider (5769-AC1, AC2, or AC3) installed? No
- Did you verify that the most current PTFs are installed? Yes
- Does the firewall Integrated Netfinity Server have two ports? Yes
- Is TCP/IP configured in your AS/400 system (including IP interfaces, routes, local host name, and local domain name)? Yes
- Is the firewall Integrated Netfinity Server installed in the firewall home AS/400 system? Yes
- Did you verify that both ports of the firewall Integrated Netfinity Server are working properly? Yes
- Is the secure port of the firewall Integrated Netfinity Server connected to the internal network? Yes
- Is the non-secure port of the firewall Integrated Netfinity Server the same LAN type (Ethernet or token-ring) as the LAN segment connected to the ISP? Yes
- Is the non-secure port of the firewall Integrated Netfinity Server connected to a separate MAU or HUB? (This port should be in the LAN segment that connects to the ISP router.) Yes
- Does your firewall administration workstation have a browser that supports HTML frames and JavaScript (for example, Netscape Navigator 3.0+ or Microsoft Internet Explorer 4.0+)? Yes
Table 18. Planning worksheet for your network configuration

Network checklist:

- Provide a diagram of your network, including hosts, routers, bridges, host IP addresses, subnet masks, and mail servers. Include the firewall home AS/400 system and the firewall Integrated Netfinity Server in your diagram.
- Does your AS/400 system have a LAN adapter (other than those in the firewall Integrated Netfinity Server)? Yes
- Do you have a DNS server in your secure network? Yes
- Will the DNS administrator be available when you set up the firewall? Yes
- Is your secure domain a subdomain of your public domain name? Yes; private.mycompany.com is a subdomain of mycompany.com
- If you do not have DNS in the secure network, have you updated host tables and the DNS configuration for your clients? N/A
- Are the Internet Protocol (IP) addresses that you use in your internal network valid (registered) Internet addresses? Yes. See the following note.
- Do you have multiple subnets (and, therefore, routers) in your secure network? Yes
- Do you have a network administrator, and will the administrator be available when you install and configure your firewall? Yes
- Do you have e-mail set up in your secure network? Yes
- Do you have multiple domains in your secure network? If so, list them. Yes: othercompany.com
- Is TCP/IP installed and configured on the clients (such as Windows 95) of the users that access the Internet? Yes. See Client configuration.
- Do you want users on the internal network to access Internet services through the SOCKS server? If you do, then do the TCP/IP client applications support SOCKS? Yes, except for TELNET. Yes, clients support SOCKS.

Note: If you use private (unregistered) Internet Protocol (IP) addresses in the secure network, you should be aware of these limitations:

- You must use either the proxy or SOCKS servers or network address translation (NAT) services on the firewall to access the Internet.
- You must use NAT if you want users to access RealAudio or Internet Relay Chat services.

However, using reserved Internet address ranges (for example, 10.*.*.*, 172.16.*.*, or 192.168.*.*) improves your overall security. This improvement occurs because routers on the Internet discard packets from reserved addresses if they are accidentally routed to the Internet.
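As an added example (not from the IBM manual), the following Python script checks an installation worksheet's addressing plan against the points made in this chapter: the non-secure port must not carry a reserved address, the two ports must sit on different subnets, the ISP router must be a host on the non-secure subnet, and the adapter addresses must be unique and well formed. The port values are the scenario's own worksheet values; the locally-administered heuristic for adapter addresses is an assumption of this example.

```python
import ipaddress
from dataclasses import dataclass

# The reserved ranges the planning note names (10.*.*.*, 172.16.*.*,
# 192.168.*.*), i.e. the RFC 1918 private address blocks.
RESERVED_RANGES = (
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
)


def is_reserved(addr: str) -> bool:
    """True if addr falls inside one of the reserved (private) ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RESERVED_RANGES)


@dataclass
class PortPlan:
    """One firewall port as it appears on the installation worksheet."""
    name: str
    adapter: str  # 12 hex digits, for example 400009010011
    ip: str
    mask: str     # dotted subnet mask, for example 255.255.255.0


def _check_adapter(port, in_use, seen, findings):
    """Adapter address must be 12 hex digits and unique on the LAN."""
    a = port.adapter.lower()
    if len(a) != 12 or any(c not in "0123456789abcdef" for c in a):
        findings.append(f"{port.name}: adapter address {port.adapter} is not 12 hex digits")
        return
    if a in in_use or a in seen:
        findings.append(f"{port.name}: adapter address {port.adapter} is already in use")
    seen.add(a)
    # Assumption: as in the worksheet's examples (4000..., 0200...), the address
    # is locally administered (0x40 token-ring bit order, 0x02 Ethernet bit order).
    if not int(a[:2], 16) & 0x42:
        findings.append(f"{port.name}: adapter address {port.adapter} does not look locally administered")


def check_plan(secure, nonsecure, router, in_use_adapters=()):
    """Return a list of findings; an empty list means the plan passes."""
    findings, seen = [], set()
    in_use = {m.lower() for m in in_use_adapters}
    for port in (secure, nonsecure):
        _check_adapter(port, in_use, seen, findings)

    # Parse each IP/mask pair; a malformed mask (an easy worksheet typo) becomes
    # a finding instead of aborting the remaining checks.
    ifaces = {}
    for port in (secure, nonsecure):
        try:
            ifaces[port.name] = ipaddress.ip_interface(f"{port.ip}/{port.mask}")
        except ValueError as exc:
            findings.append(f"{port.name}: bad IP address or subnet mask ({exc})")
    sec, pub = ifaces.get(secure.name), ifaces.get(nonsecure.name)

    # A reserved address never belongs on the Internet-facing port.
    if pub is not None and is_reserved(str(pub.ip)):
        findings.append(f"{nonsecure.name}: {pub.ip} is a reserved address; Internet routers discard packets from it")
    # The secure side may use registered addresses, but reserved ones are safer.
    if sec is not None and not is_reserved(str(sec.ip)):
        findings.append(f"note: {secure.name} uses registered address {sec.ip}; a reserved range would be safer")
    # The firewall joins two different networks; overlapping subnets are ambiguous.
    if sec is not None and pub is not None and sec.network.overlaps(pub.network):
        findings.append(f"secure subnet {sec.network} overlaps non-secure subnet {pub.network}")
    # The ISP router must be a distinct host on the non-secure subnet.
    if pub is not None:
        try:
            r = ipaddress.ip_address(router)
        except ValueError:
            findings.append(f"router address {router!r} is not a valid IP address")
        else:
            if r not in pub.network or r == pub.ip:
                findings.append(f"router {router} is not a distinct host on the non-secure subnet {pub.network}")
    return findings


# Port values from the scenario's installation worksheet (Table 24).
SCENARIO_SECURE = PortPlan("port 1 (secure)", "400009010011", "10.5.69.129", "255.255.255.0")
SCENARIO_NONSECURE = PortPlan("port 2 (non-secure)", "400009010012", "208.222.150.11", "255.255.255.0")
SCENARIO_ROUTER = "208.222.150.1"


def scenario_findings():
    """Check the scenario worksheet; it should pass cleanly."""
    return check_plan(SCENARIO_SECURE, SCENARIO_NONSECURE, SCENARIO_ROUTER)


def bad_plan_findings():
    """Constructed plan: mistyped mask, duplicated adapter, reserved public IP, off-subnet router."""
    secure = PortPlan("port 1 (secure)", "400009010011", "10.5.69.129", "255.255255.0")
    nonsecure = PortPlan("port 2 (non-secure)", "400009010011", "192.168.1.11", "255.255.255.0")
    return check_plan(secure, nonsecure, "208.222.150.1", in_use_adapters=["400009010099"])
```

Calling scenario_findings() returns an empty list for the worksheet values, while bad_plan_findings() returns one finding for each of the four constructed mistakes.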
Table 19. Planning worksheet for your connection to your Internet service provider (ISP)

Internet Service Provider (ISP) checklist:

- Have you selected an ISP? Yes
- Is your connection to the ISP installed and verified? Yes
- Is your ISP responsible for configuring the router that connects your perimeter network to the ISP? Yes
- Will a technical support person from the ISP organization be available when you configure your firewall? Yes
- Have you registered your public domain name (mycompany.com) with the InterNIC? Yes
- Have you agreed with your ISP whose DNS will be the authority for your public domain? (Will the ISP DNS or the firewall DNS resolve IP addresses for your public servers?) Yes, the firewall DNS.

Table 20. Planning worksheet for services that you want to use from the Internet

Accessing services from the Internet checklist:

- Do you have a security policy that covers how your employees are to use services from the Internet? If not, spell out your security policies before continuing. For example, will you restrict which users or departments are allowed to surf the Net? Will you allow TELNET or RealAudio? Yes
- Have your users received the necessary training? For example:
  - Do your users understand the risks of downloading software from the Internet?
  - Are Java applets permitted? (Is Java enabled in the browser?)
  - Is antivirus software installed on your users' clients?
  - Do your users know they should run antivirus software every time they download software from the Internet?
  - Do your users know how to identify a secure transaction?
  - Do users know how to use the firewall to access the Internet?
  Answer: Yes to all, except that Java applets are not permitted, nor is Java enabled in the browser.
- What Internet services are you planning to use now and in the near future? These are services that users on the secure network will initiate.
  - E-mail
  - Hypertext Transfer Protocol (HTTP)
  - HTTPS (secure HTTP)
  - File transfer protocol (FTP) (passive or active?)
  - TELNET
  - RealAudio
  - Client Access/400
  - Lightweight directory access protocol (LDAP)
  - Secure LDAP
  - Post office protocol (POP) 3
  - Gopher
  - Wide area information servers (WAIS)
  - Internet relay chat (IRC)
  - Lotus Notes
  - Distributed relational database architecture (DRDA)
  - NNTP (Network News Transfer Protocol)
  - Secure NNTP (Secure Network News Transfer Protocol)
  Answer: For now e-mail, HTTP, HTTPS, and FTP. TELNET in the future. No for all others.
- How will you allow users to access these services? Will you permit the services through a proxy or SOCKS server, or through NAT? Do you know how to decide which method you should use for each service that you decide to allow? SOCKS (if SOCKS clients are available).
Table 21. Planning worksheet for services you want to provide on the Internet

Providing services to Internet users checklist:

- Will you provide local services to Internet users now or in the future (for example, HTTP, FTP, POP, and so forth)? HTTP
- Do you understand the risks associated with accessing sensitive data without using encryption (for example, HTTPS) or using passwords over the Internet? Yes
- Do you understand the trade-offs between locating the server or servers in the perimeter network versus behind the firewall? Yes
- Is your public server or servers located in your secure network behind the firewall? Yes
- If the answer is YES, have you planned for the additional router that you may need between the public host and the rest of your secure network? (You may also need an additional router if your server is on an Integrated Netfinity Server in the home AS/400 system.) N/A
- If your public server is in the secure network, is it located on an Integrated Netfinity Server in the home AS/400 system (for example, NT or Domino server)? N/A
- If your public server is in the secure network, is it located in the home AS/400 system? N/A
- If your public server is on the secure network, is it located in a separate system from the home AS/400 system? N/A

Table 22. Planning worksheet for the connection between your public server in the perimeter network and your production systems

Connections between public servers and production system checklist:

- Does your public server need access to production data?
- What applications are you planning to use to transfer data between production systems and your public servers? Check all that apply.
  - Net.Data
  - DDM
  - Distributed relational database architecture (DRDA)
- What services are required to manage your public servers (in the perimeter network) from the secure network?
  - File transfer protocol (FTP)
  - TELNET
  - Client Access/400
  - DDM
  - Distributed relational database architecture (DRDA)
  - Simple network management protocol (SNMP)

Use the following table to list all services that you will provide to Internet users and indicate where you will locate each of these services. You can then use this list to determine configuration options that you may need for your firewall.
Table 23. Planning worksheet for local services you plan to provide to Internet users

For each service, indicate where its public server is located: on the perimeter network, on the home AS/400 system, on a second Integrated Netfinity Server in the firewall home AS/400 system, or on a separate system in the secure network.

- HTTP: perimeter network, Yes; home AS/400 system, N/A; second Integrated Netfinity Server, N/A; separate system in secure network, N/A
- POP, FTP, TELNET, CA/400: left blank in this scenario

After you review your planning worksheets, verify that all hardware, software, and configuration prerequisites have been met before you install the firewall.

Verifying firewall hardware, software, and configuration prerequisites

When you completed your planning worksheets, you should have verified that the firewall Integrated Netfinity Server is installed in the firewall home AS/400 system. Also, you should have verified that it is a two-port Integrated Netfinity Server. Additionally, you need a LAN adapter, other than those in the firewall Integrated Netfinity Server, available on the firewall home AS/400 system.

Before you install the firewall, you must verify that all hardware, software, and configuration requirements are in place. Your firewall home AS/400 system must be at V4R3 or later. You must have program temporary fix (PTF) cumulative package C7217410 (or later) installed on the system.

Review these topics to be sure that you are ready to install your firewall:

1. Recording the resource name of the Integrated Netfinity Server.
2. Verifying the memory available on your Integrated Netfinity Server.
3. Verifying the installation of firewall prerequisite licensed programs.
4. Verifying that the latest program temporary fixes (PTFs) are applied.
5. Verifying the basic TCP/IP interface configuration on the home AS/400 system.
6. Verifying that the system started the IBM HTTP Server.
7. Verifying that the Web browser supports JavaScript.

After you verify that all hardware, software, and configuration requirements are in place, you can install the firewall product.
IMPORTANT: Remember that in our scenario we assume that an internal DNS exists inside your firewall. If you do not have an internal DNS, we provide alternate steps for configuring the firewall DNS. Although most of the process is similar, you will need to do some different tasks based on the location of your server. We indicate where these variations occur by providing a link to the topic.

Recording the resource name of the Integrated Netfinity Server for AS/400

The firewall Integrated Netfinity Server must be installed in the firewall home AS/400 system. You need to know the resource name of the Integrated Netfinity Server where you will install the firewall. You must have this information during firewall installation and to check the amount of memory for the Integrated Netfinity Server.
To record the Integrated Netfinity Server resource name:

1. On an AS/400 command line, type DSPHDWRSC TYPE(*CMN) to view the Display Communications Resources panel.
2. Find the Integrated Netfinity Server where you are installing the firewall and write down its resource name.

After you record the Integrated Netfinity Server resource name, verify that it meets the memory requirements for the firewall.

Verifying the memory available on your Integrated Netfinity Server for AS/400

The Integrated Netfinity Server on which you install the firewall must have at least 32 MB of memory. To verify the amount of memory on your Integrated Netfinity Server, you must know its resource name.

Note: If possible, you should use the Pentium models of the Integrated Netfinity Server. The 486 Integrated Netfinity Server works; however, you will get better performance by using the Pentium models.

To verify the amount of memory on your Integrated Netfinity Server before installing IBM Firewall for AS/400, complete these steps:

1. On an AS/400 command line, type STRSST to display the System Service Tools (SST) menu.
2. Type option 1 (Start a service tool), and press Enter to view the Start a Service Tool display.
3. Type option 7 (Start hardware service manager), and press Enter. This displays the Hardware Service Manager menu.
4. Type option 2 (Logical hardware resource), and press Enter to view the Logical Hardware Resources menu.
5. Type option 1 (System bus resource), and press Enter to view the Logical Hardware Resources on System Bus display.
6. Use your Page Down key until you find the communication IOP resource for your Integrated Netfinity Server.
7. Type option 5 (Display detail) in the Opt field for the selected resource to view detailed information about the resource. The Memory installed on IOP field shows the amount of memory on the Integrated Netfinity Server.
After you verify that the Integrated Netfinity Server meets the memory requirements, you must verify that all firewall prerequisite licensed programs are installed.

Verifying the installation of firewall prerequisite licensed programs

Several AS/400 licensed programs must be installed on the firewall home AS/400 system before you can install and configure the firewall. To determine if the firewall home AS/400 system has the required licensed programs installed:
1. On an AS/400 command line, type GO LICPGM and press Enter. The Work with Licensed Programs menu displays.
2. Type option 10 (Display installed licensed programs) to display the Installed Licensed Programs panel. This panel lists all licensed programs that are installed.
3. Browse the display to verify that all of the following required licensed programs are installed:
   - Firewall for AS/400, 5769-FW1
   - Integration Services for FSIOP, 5769-SA2
   - TCP/IP Connectivity Utilities for AS/400, 5769-TC1
   - IBM HTTP Server for AS/400, 5769-DG1
   - Cryptographic Access Provider, 5769-AC1, AC2, or AC3 (for creating virtual private networks)

Note: If the firewall licensed program (5769-FW1) is not installed, install it now.

Note: If you plan on creating a virtual private network and the Cryptographic Access Provider (5769-AC1, AC2, or AC3) is not installed, install it now.

Installing the IBM Firewall for AS/400 licensed program

Before you can install the IBM Firewall for AS/400 product, you must install the IBM Firewall for AS/400 licensed program. To install the IBM Firewall for AS/400 product (5769-FW1), complete the following steps:

1. From an AS/400 command line, type GO LICPGM and press Enter. This shows the Work with Licensed Programs display.
2. Load the CD with the IBM Firewall for AS/400 licensed product (5769-FW1) in the CD drive on the AS/400 system.
3. From the Work with Licensed Programs display command line, type 11 (Install licensed programs) and press Enter to show the Install Licensed Programs display.
4. Press your Page Down key until you find the firewall licensed program, 5769-FW1 Firewall for AS/400, in the displayed list.
5. In the Opt column for the firewall program, type 1 (Install for the 5769-FW1 Firewall for AS/400 product). This shows the Confirm Install of Licensed Programs display.
6. Press Enter to confirm the installation and view the Install Options display.
7. In the Installation device field, type the name of your installation device (for example, OPT01). After the installation process completes, a message that the licensed program is successfully installed appears.

After you verify that all required licensed programs are installed, confirm that the latest PTFs are applied.

Verifying that the latest program temporary fixes (PTFs) are applied

Before you install the IBM Firewall for AS/400 product, you must verify that the latest PTFs for these products are applied:
- IBM Firewall for AS/400
- Integration Services for FSIOP
- TCP/IP Connectivity Utilities
- IBM HTTP Server for AS/400

For the latest news on PTFs, check the Firewall for AS/400 home page at http://www.as400.ibm.com/firewall. Once the Web page displays in your browser, follow these steps to list the PTFs that you might need:

1. Click the Support icon in the frame on the left to display support options.
2. Click Code Updates to display a list of available PTFs.
3. Use the DSPPTF command on your home AS/400 system to verify that the latest cumulative (CUM) PTF package and other recommended PTFs are installed.
4. Order any PTFs that you do not have by using the SNDPTFORD command. For more information on ordering and applying PTFs, see the topic in the AS/400 Information Center.

If you are unable to access this Web page, call IBM Service Support.

After you verify that the latest PTFs have been applied, verify the basic TCP/IP interface configuration on the firewall home AS/400 system.

Verifying the basic TCP/IP interface configuration on the firewall home AS/400 system

Before you install the firewall, you must ensure that you have configured basic TCP/IP services. You must also ensure that you have started the necessary TCP/IP servers on the firewall home AS/400 system. To ensure that you have configured your TCP/IP interface properly, verify the following elements of your TCP/IP configuration:

- Verify the TCP/IP interface configuration for the AS/400 LAN adapter.
- Verify the home AS/400 host and secure domain names.

After you verify your TCP/IP configuration, you should verify that you have started the IBM HTTP Server for AS/400.

Verifying the TCP/IP interface configuration on the firewall home AS/400 LAN adapter

To check the configuration of the TCP/IP interface, complete these steps:

1. On an AS/400 command line, type GO CFGTCP and press Enter to view the Configure TCP (CFGTCP) menu.
2. Select option 1 (Work with TCP/IP Interfaces) to view the Work with TCP/IP Interfaces display.
3. Locate your firewall home AS/400 LAN adapter. You can find the LAN adapter listed under the Line Description column.
4. Press F11 to view status for the LAN adapter and verify that the status is active.

Note: If the TCP/IP interface for the LAN adapter is inactive, start the interface by using option 9 on the Work with TCP/IP Interfaces display. Then press F5 to refresh the display and verify that the interface has started.

After you verify that the LAN adapter is active, you must verify that the firewall home AS/400 host and secure domain names are configured.
Verifying the firewall home AS/400 host and secure domain names

Before you install the firewall, ensure that you have configured a host name and secure domain name for the firewall home AS/400 system. To verify that the home AS/400 system has a host and secure domain name, complete these steps:

1. On an AS/400 command line, type GO CFGTCP and press Enter to view the Configure TCP menu.
2. Select option 12 (Change local domain and host names) to see the Change Local Domain and Host Names display.
3. Verify that the Local domain name and Local host name fields have the correct values for the secure network.

Note: In this scenario, the secure network does have a DNS server. Therefore, you should designate a DNS server for the firewall home AS/400 system. You can verify this in V4R3 by using option 12 on the Configure TCP/IP display.

After you verify that the firewall home AS/400 system has a host and secure domain name, verify that the IBM HTTP Server is started.

Verifying that the IBM HTTP Server is started

You must start the IBM HTTP Server before you can use it to install the firewall. To verify that the system has started the IBM HTTP Server, complete these steps:

1. On an AS/400 command line, type WRKSBSJOB SBS(QSYSWRK) and press Enter to view the Work with Subsystem Jobs display.
2. Verify that there are *ADMIN jobs listed as active. If there are, the system has started the *ADMIN server.
3. If you have no *ADMIN jobs started, start them now. From an AS/400 command line, type STRTCPSVR SERVER(*HTTP) HTTPSVR(*ADMIN) and press Enter to start the *ADMIN instance of the HTTP server. Wait a few minutes and repeat step 1 to check the status of the *ADMIN jobs.

After you verify that your system started the IBM HTTP Server, you need to perform two other tasks:

- Verify that the firewall administration HOSTS table has the necessary entries.
- Verify that the Web browser supports JavaScript.
Verifying that the Web browser supports JavaScript

You must use a Web browser that supports HTML frames and JavaScript to install and configure the firewall. Netscape Navigator 3.0 and 4.0, as well as Microsoft Internet Explorer 4.0, all work. Although this procedure provides the steps for Netscape 3.0, you should be able to apply the settings described to the other products as well.
To verify that JavaScript is enabled in Netscape Navigator 3.0, complete these steps:

1. Click Options on the menu bar to display the pull-down menu.
2. Select Network Preferences from the menu to display the Preferences window.
3. Select the Languages tab.
4. Verify that the Enable JavaScript checkbox is selected.

After you verify that all hardware, software, and configuration prerequisites are met, you can install the firewall product.

Installing IBM Firewall for AS/400

After you complete your planning worksheets and verify that all hardware, software, and configuration requirements are in place, you can install the firewall product. Before installing the firewall, you must complete the installation worksheet. You should also review the special considerations and assumptions that apply to your scenario before you use this worksheet. The scenario for these procedures has the following considerations and assumptions:

- All TCP/IP connections are started by internal users in the secure network behind the firewall.
- The public server is located in the perimeter network in front of the firewall. There are no public servers behind the firewall.
- Your Internet service provider (ISP) has assigned three public Internet Protocol (IP) addresses to you, one for each of these:
  - Firewall non-secure port
  - Public server in the perimeter network
  - ISP router
  The ISP has also given you the IP address of the Internet DNS to which your firewall DNS should forward name resolution queries.
- You have registered your public domain name (mycompany.com, for example) with the InterNIC.
- Your secure domain name (private.mycompany.com, for example) is a subdomain of your public domain or is the same as your public domain.
- Your secure network has multiple subnets. The firewall administration workstation and the secure port of the firewall are in different subnets.
- Your secure network does have an internal DNS.
Using an internal DNS simplifies network management because host name to address mapping is performed in a central location. Using a DNS server is more important in complex network environments, such as those that include firewalls. Although you can configure the firewall to operate without an internal DNS server, this creates restrictions that limit the flexibility of your network. These restrictions are:

- The secure (internal) domain name must be the same as, or a subdomain of, the non-secure (external) domain name. For example, if the external domain name is mycompany.com, then valid secure domain names are mycompany.com, private.mycompany.com, and secure.mycompany.com.
- Only those clients that you have manually configured to use the firewall secure port as their DNS can resolve Internet names.

Firewall installation procedures

To install IBM Firewall for AS/400 on the Integrated Netfinity Server and prepare for Basic configuration of the firewall, complete these tasks:

1. Complete the installation worksheet.
2. Install the firewall product on the Integrated Netfinity Server.

After you install the firewall, you must perform some network configuration changes before you can do Basic configuration for your firewall. You can find more information about making these changes in the topic Preparing for Basic configuration of your firewall.

Completing the firewall installation worksheet

You must complete this worksheet before you install the firewall.

Table 24. Firewall installation worksheet

Required installation information, with the answers for the scenario:

- Integrated PC Server: If you have more than one Integrated PC Server, you must know which is the one where you want to install the firewall (for example, CC01). You can use the WRKHDWRSC command to find this information. Answer: CC12
- Firewall name: Create a new unique name for your firewall. You also use this name to create a network server description (NWSD) object (for example, FRW01). Answer: FIREWALL
- Type of LAN (Ethernet, 4 Mbps token-ring, or 16 Mbps token-ring): Port 1, 16M TRN; Port 2, 16M TRN
- Adapter address: Create a new unique address for each port. This address must not already be in use on your LAN (for example, 400000000000 or 020000000000). Port 1, 400009010011; Port 2, 400009010012
- Port IP address* (for example, 10.1.2.3): Port 1, 10.5.69.129; Port 2, 208.222.150.11
- Port subnet mask* (for example, 255.255.255.0): Port 1, 255.255.255.0; Port 2, 255.255.255.0
- IP address of your router* (for example, 10.2.3.1): 208.222.150.1

* If you are connecting to the Internet, you may need to consult with your Internet service provider (ISP) for this value.

After you complete the worksheet, you are ready to install the firewall product from the AS/400 Tasks browser interface.

Installing the firewall from the AS/400 Tasks browser interface

After you update the administration workstation HOSTS file and complete the installation worksheet, you can install the firewall on the Integrated PC Server.
You must have already installed the licensed program IBM Firewall for AS/400 (5769-FW1) on the firewall home AS/400 system. To install the firewall, you must access the AS/400 Tasks browser interface. To do so, you need access to the IBM HTTP Server that runs on the firewall home AS/400 system. (To check the status of the IBM HTTP Server, see the topic Verifying that the IBM HTTP Server is started.)

To install the firewall on the Integrated PC Server, follow these steps:

1. Open a Web browser session on the firewall administration workstation and enter the following Web address: http://HOME400:2001
   This sends an HTTP request to the IBM HTTP Server on the firewall home AS/400 system. A user name and password display appears.
2. Enter your AS/400 user profile and password in the appropriate fields to validate your authority to access the AS/400 Tasks page. The AS/400 Tasks page appears. This page may contain different entries based on the products that you have installed on your system.
   Note: Any user with a valid user ID and password can access the AS/400 Tasks page. You need the special authorities *SECADM, *ALLOBJ, and *IOSYSCFG to successfully install, configure, and administer the firewall.
3. Click the IBM Firewall for AS/400 icon to display the IBM Firewall for AS/400 browser interface.
   Note: If you have problems accessing the IBM HTTP Server in the firewall home AS/400 system, verify that the *ADMIN server jobs in QSYSWRK are active. You can find this procedure in the topic Verifying that the IBM HTTP Server is started.
4. Click the Installation icon in the frame on the left to begin installing the firewall.
   Tip: Do not use the Web browser Forward and Back navigation buttons or resize the browser window. The firewall product Web pages expire from cache immediately after you view them to ensure that you see the most current versions only. Therefore, you must use the navigation buttons on the Web pages themselves to prevent an interruption in the display.
5. Follow the firewall installation page instructions. Use the information from your installation worksheet to complete the HTML forms. At the end of the installation, the Complete the Firewall Installation page displays. This page shows you a summary of the information that you provided for installing the firewall.
6. Review the information. If the information is correct, click the Install button to complete the installation.

Note: Do not start the firewall yet. There are some configuration changes that you must make that require the firewall network server to be varied off.
When you install the firewall, several things happen on your AS/400 system. After you install the firewall, you must perform some network configuration changes before you do Basic configuration for your firewall. You can find more information about making these changes in the topic Preparing for Basic configuration of your firewall.

What happens on your AS/400 system when you install the firewall

When you install the firewall on the Integrated PC Server, you submit a job to the AS/400 system to do the following:

- Create a network server description (NWSD) for the firewall. This object represents the firewall as a TCP/IP host. The network server description name is the same as the firewall name.
- Create three line descriptions (*LIND):
  - A line description for firewall port 1 (FIREWALL01).
  - A line description for firewall port 2 (FIREWALL02).
  - A line description for the firewall *INTERNAL port (FIREWALL00). This internal LAN line communicates between the server application that runs on the Integrated PC Server and the firewall home AS/400 system.
- Create a network server storage space (FIREWALL00). Labeled the K drive, this drive is read-write. The drive provides storage for logs, a mail queue, and cache.
- Create two server storage spaces (*SVRSTG) in QUSRSYS:
  - FIREWALL1: Labeled the C drive, this drive is read-only and is the OS/2 boot drive.
  - FIREWALL3: Labeled the E drive, this drive is read-write and provides storage for configuration files.
- Create a TCP/IP interface for the *INTERNAL firewall port (firewall00) on the firewall home AS/400 system. This interface uses the name of the firewall extended with 00.

Preparing for Basic configuration of your firewall

This type of common firewall installation requires that you make some configuration changes to your network information, the firewall, and the secure mail server. You must make these changes before you perform Basic configuration for the firewall. For instance, the firewall Basic configuration feature assumes that you have a simple internal network that consists of a single subnetwork. If you have multiple subnetworks, you must update the firewall system configuration so that the firewall can return information to clients on the secure network.

IMPORTANT: Remember that in our scenario we assume that an internal DNS exists inside your secure network. We strongly recommend that you have an internal DNS for the following reasons:

- An internal DNS eliminates extra configuration of host tables, mail, and so on.
- An internal DNS eliminates mail problems that occur when there is no internal DNS.
- An internal DNS makes it easier to configure and manage your network.

However, if you DO NOT have an internal DNS, we provide alternate steps for configuring the firewall server that exists outside your firewall.
To review the requirements for this scenario, see the topic Firewall basic configuration: Scenario overview.

If you DO have an internal DNS, you can prepare for Basic configuration by completing these tasks:
1. Stop the firewall application.
2. Vary off the firewall network server description (NWSD).
3. Configure the internal DNS in the firewall NWSD.
4. Route outbound mail to the firewall.

After you complete your configuration changes, you can start the firewall so that you can perform Basic configuration.

If you DO NOT have an internal DNS, you can prepare for Basic configuration by completing these tasks:
• Stop the firewall application.
• Vary off the firewall network server description (NWSD).
• Add the firewall domain name server to the firewall NWSD. If you are migrating from an external server to an internal DNS, see the Redbook AS/400 TCP/IP Autoconfiguration: DNS and DHCP Support (SG24-5147). This link will take you to the Redbook home page, where you can search for keywords or titles.
• Update the secure mail server host table.
• Route outbound mail to the firewall.

After you complete your configuration changes, you can start the firewall so that you can perform Basic configuration.

Stopping the firewall

To allow traffic to travel between your secure clients and the firewall, you must add a TCP/IP routing entry to the firewall network server description (NWSD). Before you can add a TCP/IP routing entry to the firewall NWSD, you must stop the firewall application, as follows:

On an AS/400 command line, type:
ENDNWSAPP NWSAPP(*FIREWALL) NWS(firewall)
and press Enter. The message "Network server application ended for network server firewall" displays. Where firewall occurs in the command, type the name of your firewall.

Next, you must vary off the firewall NWSD before you can add a TCP/IP routing entry for it.

Varying off the firewall network server description (NWSD)

Before you can add a TCP/IP routing entry to the firewall network server description (NWSD), you must vary off the firewall NWSD, as follows:

On an AS/400 command line, type:
VRYCFG CFGOBJ(firewall) CFGTYPE(*NWS) STATUS(*OFF)
and press Enter. The message "Vary off completed for Network Server description firewall" displays. Where firewall occurs in the command, type the host name of your firewall.

If you have an internal DNS, you must configure the internal DNS in the firewall NWSD. If you DO NOT have an internal DNS, you must add the firewall domain name server to the firewall NWSD. If you are migrating from an external server to an internal DNS, see the Redbook AS/400 TCP/IP Autoconfiguration: DNS and DHCP Support (SG24-5147).

Configuring the internal DNS in the firewall NWSD

After installation but before Basic configuration of your firewall, you need to configure the internal DNS in the firewall NWSD.
To configure the internal DNS in the firewall NWSD, you complete a two-step process. The first step is to change the Domain name server: Internet address value on CFGTCP option 12 (Change TCP/IP Domain) to the loopback IP address (127.0.0.1). The second step is to change the firewall's NWSD parameter TCP/IP name server system from *SYS to the internal port IP address.
The firewall needs to know the IP address of the DNS in the internal network. This information is used primarily to resolve the secure mail server name to its IP address. By default, IBM Firewall for AS/400 uses the IP address specified in the parameter Domain name server: Internet address in CFGTCP option 12 (Change TCP/IP Domain) of the AS/400 system that houses the firewall. The firewall installation program uses this value in the parameter TCP/IP name server system = *SYS when it creates the Network Server Description (NWSD) to represe

On the other hand, the parameter Domain name server: Internet address in CFGTCP option 12 specifies the IP address of the DNS server that AS/400 TCP/IP clients query to resolve names to IP addresses. If the DNS server runs on the same AS/400 system as the AS/400 TCP/IP clients, we recommend that you specify the loopback IP address (127.0.0.1) in CFGTCP option 12. Since both the TCP/IP client resolver and the DNS server are in the same physical AS/400 system, specifying the loopback IP address (127.0.0.1) greatly improves performance and reduces overhead.

To change the Domain name server: Internet address to the loopback IP address, complete the following:
1. At the AS/400 command line, type CHGTCPDMN.
2. In the Domain name server: Internet address parameter, type the loopback IP address (127.0.0.1).
3. Press F5 to refresh.
4. Press F3 to exit.

Note: To be able to specify the loopback address (127.0.0.1) in the Domain name server: Internet address parameter in CFGTCP option 12, you must have the following PTF (or a superseding PTF) installed on your AS/400 system:
• OS/400 V4R3: 5759-SS1 PTF SF1353
• OS/400 V4R3: 5759-SS1 PTF SF1352

Naturally, the AS/400 loopback IP address (127.0.0.1) should not be specified in the firewall's NWSD parameter TCP/IP name server system; you should specify the *INTERNAL port IP address instead. This value will begin with 192.168.x.x.
To specify the internal port IP address (the 192.168.x.x value) in the firewall's NWSD parameter TCP/IP name server system, complete the following tasks:
1. At the AS/400 command line, type CHGNWSD.
2. In the TCP/IP name server system parameter, type the *INTERNAL port IP address (the 192.168.x.x value).
3. Press F5 to refresh.
4. Press F3 to exit.

After you have configured the internal DNS in the firewall NWSD, you must route outbound mail to the firewall.

Adding the firewall domain name server to the firewall NWSD

Note: You need to complete this step only if you DO NOT have an internal DNS.

Some applications that run in the firewall query the domain name services (DNS) server in the secure network for host name to IP address resolution. For example, proxy servers and the firewall mail server make these queries. If there is an internal DNS server, it forwards those queries to the firewall DNS server. The firewall DNS server, in turn, queries the Internet service provider (ISP) DNS server if it is unable to resolve the name.

You must configure the firewall to use itself for name resolution services. You must perform this step only if you do not have a DNS server on your internal network. To do this, you must change the name server parameter of the firewall network server description (NWSD). The name server parameter must specify the Internet Protocol (IP) address for the *INTERNAL port of the firewall.

From an AS/400 command line, type:
CHGNWSD NWSD(firewall) TCPNAMSVR('192.168.12.2')
and press Enter. Where firewall occurs in the command, type the name of your firewall NWSD.

After you configure the firewall to use itself for name resolution, you must update the secure mail server host table. For more information about configuring an AS/400 DNS server to work with your firewall, see the Redbook AS/400 TCP/IP Autoconfiguration: DNS and DHCP Support (SG24-5147).

Updating the secure mail server host table

Note: You need to complete this step only if you DO NOT have an internal DNS.

If you do not have a domain name services (DNS) server in the secure network, you must update the host table of the secure mail server. You must add the firewall, the home AS/400 system, and the public domain to the secure mail server host table. You then must update the firewall configuration to handle the mail relay function. See the topic Adding the secure mail server to the firewall domain name server for more information.

You must add the fully qualified firewall host name with the Internet Protocol (IP) address assigned to the *INTERNAL port. This enables the AS/400 simple mail transfer protocol (SMTP) server to send outgoing mail to the firewall across the internal LAN connection. This assumes that your secure mail server is in the firewall home AS/400 system. The mail relay function in the firewall adds SMTP records in the protocol portion of the mail.
These records change the SMTP domain name of inbound mail from the public SMTP domain to the fully qualified name of the secure mail server. The SMTP domain name is the portion of the mail address that follows the @ symbol. For example, the address user@mycompany.com changes to user@home400.private.mycompany.com.

The SMTP server receives the mail and determines whether the system should deliver the mail locally or forward it to another system. To determine this, the server checks to see if the SMTP domain is on this system. The server looks up the SMTP domain name. It uses the name resolver to check whether an address returned matches a TCP/IP address assigned to an interface on this system. If there is a match, the server looks in the local system distribution directory to find the user. If there is no match, the server forwards the mail based on the SMTP attributes. When there is no internal DNS server, the SMTP server uses a host table for these lookups.
You must add two entries to the host table. You must add an entry for the SMTP domain name that you use for mail on the internal network with a local IP address. Also, you must add an entry for the public SMTP domain name with a local IP address. This prevents the server from forwarding mail addressed to the public SMTP domain name to the firewall. Forwarding this mail would pass it back to the firewall home AS/400 system. If you have mail working already, you must determine what other entries you need in the host table to support your configuration.

Note: You can use different names for the secure (internal) and public (external) domains. If you do, you must configure your secure (internal) domain so that the public name is an alias for the secure (internal) domain name.

To update the home AS/400 host table, follow these steps:
1. From an AS/400 command line, type CFGTCP and press Enter to view the Configure TCP menu.
2. Select menu option 10 (Work with TCP/IP host table entries) and press Enter.
3. Select option 1 (Add) to view the Add TCP/IP Interface display.
4. Add the following information to the firewall home AS/400 host table:
   • The fully qualified firewall host name and its IP address, for example, 192.168.12.2 firewall.private.mycompany.com.
   • The public domain name and the fully qualified host name of the firewall home AS/400 system. You must include a local host IP address, for example, 10.5.69.212 mycompany.com and home400.private.mycompany.com.

Attention: If your secure mail server is an SMTP server that is not on the firewall home AS/400 system, you must update that server's host table. You must add the fully qualified firewall host name and secure port IP address to the secure mail server's host table. Also, you must point the secure mail server to the firewall for mail routing. This ensures that the mail server can forward mail to the firewall. For example, you would add an entry for 10.5.69.129 firewall.private.mycompany.com.
After you update the internal mail server host table, you must change server attributes so that the server routes outbound mail to the firewall.

Routing outbound mail to the firewall

Your Simple Mail Transfer Protocol (SMTP) server must route mail for Internet users to the firewall. To ensure this, you must configure the SMTP attributes in the firewall home AS/400 system to point to the firewall as the mail router. You must enter the name of the firewall in the Mail router field. This tells the SMTP daemon where to forward mail that it cannot deliver itself. You must enter *YES in the Firewall field. This tells the SMTP daemon that it is located behind a firewall.

The SMTP daemon looks up where to send mail. When the daemon is behind a firewall, it may resolve a name to a server located on the other side of the firewall. When this occurs, the daemon tries to send the mail directly to the server. Because you configure the firewall to block these packets, the daemon cannot make the necessary connection. If the Firewall field says *YES, the daemon forwards the mail to the mail router that you specify in the Mail router field. The daemon returns a "non-deliverable" message to the sender if you do not configure these fields correctly.
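As an added illustration (not part of this document or of the IBM product), the following Python model walks through the delivery decision just described: the host table lookup, the match against a local interface address, and the handoff to the Mail router when the Firewall field is *YES. The host table, interface addresses, firewall DNS answers and the partner.example domain are constructed from the scenario values.

```python
"""Model of the AS/400 SMTP delivery decision behind IBM Firewall for AS/400.
Added example: every address and table below is constructed from the scenario."""

# Host table of the firewall home AS/400 with the two entries the text requires:
# the internal SMTP domain and the public SMTP domain both map to a local address.
HOST_TABLE_OK = {
    "firewall.private.mycompany.com": "192.168.12.2",  # firewall *INTERNAL port
    "home400.private.mycompany.com": "10.5.69.212",    # internal SMTP domain
    "mycompany.com": "10.5.69.212",                    # public SMTP domain
}
# The same table with the public-domain entry left out.
HOST_TABLE_NO_PUBLIC = {k: v for k, v in HOST_TABLE_OK.items() if k != "mycompany.com"}

# Addresses bound to interfaces on the home AS/400 (secure LAN and *INTERNAL port).
LOCAL_INTERFACES = {"10.5.69.212", "192.168.12.1"}

# What the firewall DNS answers for names the host table does not contain
# (constructed; the public domain resolves to the firewall's non-secure address).
FIREWALL_DNS = {"mycompany.com": "208.222.150.11", "partner.example": "198.51.100.25"}

# CHGSMTPA values the text asks for.
SMTP_ATTRS = {"mail_router": "firewall.private.mycompany.com", "firewall": "*YES"}


def smtp_domain(address):
    """Return the part of a mail address after the @ sign, lowercased."""
    return address.rsplit("@", 1)[1].lower()


def resolve(domain, host_table, dns):
    """Host table first, then the name server the NWSD points at (the firewall)."""
    return host_table.get(domain) or dns.get(domain)


def route(address, host_table, dns, local_ifaces, attrs):
    """Decide what the SMTP daemon does with one recipient address.

    Returns ("local", None) when the resolved address belongs to an interface on
    this system, ("relay", mail_router) when the daemon hands the mail to the
    firewall, or ("direct", ip) when it would try to connect to the remote server
    itself (the firewall's filter rules block that, so the mail bounces)."""
    ip = resolve(smtp_domain(address), host_table, dns)
    if ip in local_ifaces:
        return ("local", None)
    if attrs.get("firewall") == "*YES":
        return ("relay", attrs["mail_router"])
    return ("direct", ip)


def missing_host_table_entries(host_table, internal_domain, public_domain, local_ifaces):
    """Return the required SMTP-domain entries that are absent or do not map to a
    local address; an empty list means the host table satisfies the text's rule."""
    return [d for d in (internal_domain, public_domain)
            if host_table.get(d) not in local_ifaces]


if __name__ == "__main__":
    # Without the public-domain entry, mail for user@mycompany.com resolves through
    # the firewall DNS to the firewall itself and is relayed back to it: the loop the
    # text warns about. With the entry present the same mail is delivered locally.
    for table in (HOST_TABLE_NO_PUBLIC, HOST_TABLE_OK):
        print(route("user@mycompany.com", table, FIREWALL_DNS, LOCAL_INTERFACES, SMTP_ATTRS))
    print(missing_host_table_entries(HOST_TABLE_NO_PUBLIC, "home400.private.mycompany.com",
                                     "mycompany.com", LOCAL_INTERFACES))
```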
Note: You should have your SMTP server configured and working properly before you change attributes for it.

To change the attributes so that your server routes the mail properly, follow these steps:
1. On an AS/400 command line, type CHGSMTPA and press Enter to view the Change SMTP Attributes display.
2. In the Mail router field, type the fully qualified firewall host name, for example, firewall.private.company.com.
3. In the Firewall field, type the value *YES.
4. Press Enter to save your changes.

After you make your SMTP attribute changes, you are ready to vary on the firewall network server description.

Starting the firewall

There are two methods of starting your firewall. The first uses the Start icon on the Web browser interface. The second uses the AS/400 command line to start your firewall. You need to use this method if you do not have a Web browser or if you are sharing a LAN adapter between your Integrated Netfinity Server and your AS/400.

Using the Start icon to start the firewall through a Web browser

New for V4R4, the Start button has been greatly improved. The Start button checks to see that the Network Server Description has been varied on. If the NWSD has not been varied on, the Start button automatically varies it on for you. We highly recommend that you use this feature because it saves time and is easier.

To start the firewall, complete the following:
1. Start a Web browser session and enter the URL http://firewall:2001. Where firewall appears in the URL, type the name of your firewall. The Username and Password Required window displays.
2. Type your user ID and password in the appropriate fields and press Enter to display the IBM Firewall for AS/400 welcome page.
   Note: To access the firewall Web facility, your user ID must have the special authorities *SECADM, *ALLOBJ, and *IOSYSCFG.
3. Click the Start icon on the menu on the left side of the screen.
4. At the Start the Firewall page, click Start.
   Note: Starting the firewall may take some time.
5. At the Firewall Starting page, click Continue.
6. After the firewall is listening for communications on port 2001, the Start Successful page displays. When you see that port 2001 is listening for communications, you can click the Configuration icon in the browser to access Basic configuration.

After you get the firewall running, you are ready to perform Basic configuration.
Using the AS/400 command line to start the firewall

If you do not have a Web browser or you are sharing a LAN adapter between your Integrated Netfinity Server and your AS/400, you need to use the AS/400 command line to start the firewall. To start the firewall and to make sure that everything associated with the firewall starts, complete these tasks:
1. Vary on the firewall network server description (NWSD).
2. Verify that the firewall NWSD is ready.
3. Start the firewall application.
4. Verify the status of firewall objects and jobs.

Varying on the firewall network server description

You must vary on the firewall network server description (NWSD) before you start your firewall. On an AS/400 command line, type:
VRYCFG CFGOBJ(firewall) CFGTYPE(*NWS) STATUS(*ON) RESET(*YES)
and press Enter. Where firewall occurs in the command, type the name of your firewall. After the command processes, the message "Vary on completed for Network Server Description firewall" appears.

You must verify that the firewall NWSD is ready before you start the firewall application.

Note: A status of active on the Work with Configuration Status display does not necessarily indicate that the NWSD has completed its start-up processing.

Verifying that the firewall network server description is ready

After you vary on the firewall network server description (NWSD), you must verify that it has completed its start-up processing. The NWSD must complete its start-up processing before you can successfully start the firewall application. To determine whether the firewall NWSD is ready, you must display the job log of the monitor job for the network server, as follows:
1. On an AS/400 command line, type WRKSBSJOB SBS(QSYSWRK) and press Enter to view the Work with Subsystem Jobs display. This display lists all jobs running in the QSYSWRK subsystem.
2. Page through the jobs until you find a job entry that has the same name as your firewall. This entry must show a function of PGM-QFPAMONB.
3. To work with the job, type a 5 in the Opt field of the desired entry and press Enter. This shows the Work with Job display.
4. Type 10 on the command line to display the job log for the job and press Enter.
5. Press F10 (Display detailed messages) to view more information and messages about the job.
6. Look for the message "Network server FIREWALL is active." If you do not see this message, wait a moment more, and refresh the display by pressing F5.

After you verify that the firewall NWSD is ready, you can start the firewall application.
Starting the firewall application

After you vary on the firewall network server description and verify that it is ready, you can start the firewall application. You must start the firewall application before traffic can flow between your secure network and the non-secure network. On an AS/400 command line, type:
STRNWSAPP NWSAPP(*FIREWALL) NWS(firewall)
and press Enter. Where firewall occurs in the command, type the host name that you assigned to your firewall. The message "Network server application started for network server firewall" displays.

After you start the firewall, you must verify the status of firewall objects and jobs before you perform Basic configuration.

Verifying the status of the firewall objects and jobs

When you start the firewall application, several firewall objects must be either active or varied on. Also, certain firewall jobs must be running before you perform the Basic configuration. If these objects are not active, you may have problems accessing or using the Basic configuration function.

To verify the status of the firewall network server, follow these steps:
1. On an AS/400 command line, type WRKCFGSTS CFGTYPE(*NWS) CFGD(firewall) and press Enter to view the Work with Configuration Status display. Where firewall occurs in the command, type the name of your firewall network server description.
2. Verify that the following firewall objects are either active or varied on before you perform Basic configuration:
   • The firewall network server (active)
   • The line over the *INTERNAL port (FIREWALL00) (active)
   • The line over the firewall secure port (FIREWALL01) (active or varied on)
   • The line over the non-secure port (FIREWALL02) (active or varied on)
   If these objects are not active, you may have problems in accessing or using the Basic configuration.
3. Verify the status of the firewall jobs in QSYSWRK by using the WRKSBSJOB command. Two firewall jobs (listed with the firewall name) must be active in QSYSWRK.
To verify the status of the firewall jobs in QSYSWRK, follow these steps:
1. On an AS/400 command line, type WRKSBSJOB SBS(QSYSWRK) and press Enter to view the Work with Subsystem Jobs display. This display lists all jobs running in the QSYSWRK subsystem.
2. Page through the jobs until you find two jobs listed under the firewall name. One job runs under the QSYS user and the other under the QFIREWALL user.

Note: Both firewall jobs must be active in QSYSWRK for the firewall to function properly. If one or both cancel, study the corresponding job log to find the problem. Make sure that the AS/400 *INTERNAL port IP interface is active.
Tip: If you use the Web browser to start the firewall, you get a message that the firewall is started. However, it may take another few minutes before all the firewall servers are up. To determine whether the firewall is ready, you must manually verify that port 2001 is listening for communications. Follow these steps to verify that port 2001 is active:

On an AS/400 command line, type SBMNWSCMD CMD('netstat -s') SERVER(firewall) and press Enter, where firewall is the name of your firewall. A list of the port numbers that the firewall uses displays. When you see that port 2001 is listening for communications, you can click the Configuration icon in the browser to access Basic configuration.

After you verify the status of firewall objects and jobs, you can perform Basic configuration for the firewall.

Performing firewall Basic configuration

After you start the firewall application and ensure that it is ready, you can configure your firewall. The Basic configuration feature greatly simplifies firewall configuration for most general requirements, such as the ones in this scenario. To review the requirements for this scenario, see the topic Firewall basic configuration: Scenario overview.

Basic configuration allows you to select all of the services that you want to permit to run through the firewall. When you configure services for local users, these services can flow from the inside to the outside of the firewall only.

Note: Basic configuration also allows you to specify that the firewall should permit HTTP and HTTPS traffic to reach a public server behind the firewall. If you want to allow other types of traffic to reach the public server, you must create additional filter rules manually.

Even if Basic configuration does not satisfy all your requirements, it should always be your starting point. You can then use advanced configuration options to further customize your firewall.

To perform Basic configuration for your firewall, complete these tasks:
1. Complete the configuration planning worksheet.
2. Use the AS/400 Tasks browser interface to perform Basic configuration.
3. Add the secure mail server to the firewall domain name server.
   Note: You need to complete this step only if you DO NOT have an internal DNS.

After you have completed Basic configuration, you need to complete this task to prepare for advanced DNS configuration:
• Configure forwarders in the internal DNS.

Completing the Firewall Basic configuration planning worksheet

Before you perform Basic configuration, you must complete the configuration planning worksheet. Use your planning worksheets to help you complete the configuration worksheet.
Note: If the requirements of your situation match those of this scenario, you can use all the procedures for performing Basic configuration as is. If your requirements do not entirely match those of this scenario, you will need to adjust the instructions accordingly.

This scenario uses the planning worksheets from "Firewall basic configuration: Reviewing your planning worksheets" on page 64. These worksheets specify that you want to enable e-mail, FTP, and HTTP. In the future, you will add TELNET. Because it is easier to configure services by using Basic configuration, you should configure TELNET now. However, do not start the TELNET proxy server until you are ready to allow your authorized users to use TELNET over the Internet.

Note: Both TELNET and FTP send user IDs and passwords in the clear. The firewall cannot protect you against attackers who might sniff the lines to acquire this information, unless you use a virtual private network (VPN). VPNs can encrypt and protect user IDs and passwords that pass between the two end points of the VPN. However, you can establish a VPN between firewall products only. For more information about VPNs, see Firewall: Advanced topics in the AS/400 Information Center.

Because all your clients support SOCKS, you choose to enable HTTP, HTTPS, and FTP through a SOCKS server. Your users are using Netscape Navigator 3.0 or later as clients, so both HTTP and FTP can use SOCKS in the Netscape browser. You might also configure HTTP through proxy so that you can see the difference in the SOCKS and proxy logging capabilities and compare performance. You should configure TELNET through a proxy server to force users to log on to the firewall. They must validate their user IDs and passwords before they can start a TELNET request to a server in the Internet.

Note: When you run Basic configuration, you lose your existing customized configuration.
Typically, you use Basic configuration for the initial configuration of the firewall and use advanced configuration functions after that. However, when you use the advanced configuration functions, you often have to create your own filter rules and other settings. These actions increase the risk that you may create a rule or setting incorrectly. Poorly written rules or settings could cause the firewall to perform incorrectly. During Basic configuration, however, the application creates all the filter rules and other settings to make your configuration options work properly. Consequently, it may be better to use Basic configuration to make your changes, if the Basic configuration feature covers what you need to do.
Table 25. Configuration planning worksheet

Secure (internal) mail server name
  If you have a secure mail server, enter the name here. For example, if the mail server's host name is mailsvr and it is part of the domain mynetwork.mycompany.com, enter: mailsvr.mynetwork.mycompany.com.
  Scenario answer: HOME400.private.mycompany.com

Multiple domains within a secure (internal) mail server name
  If you have multiple domains within your internal network, enter the names here. For example, if a domain name within your internal network is domain1 and it is part of domain1.mynetwork.com, enter domain1.mynetwork.com.
  Scenario answer: domain1.mynetwork.com, domain2.mynetwork.com

Secure (internal) Port
  If your Integrated Netfinity Server has two ports, you need to know which one is attached to your secure network.
  Scenario answer: port1

Non-Secure (external) Domain Name *
  This is the domain that is outside of the firewall and accessible by outsiders. If your secure domain name is mynetwork.mycompany.com, you probably should name your non-secure domain mycompany.com.
  Scenario answer: mycompany.com

Non-Secure (external) Domain Name Server IP Addresses *
  For example, 208.222.150.7.
  Scenario answer: 203.5.100.76

Non-Secure (external) Hosts *
  List the names and IP addresses of up to four non-secure hosts. These are systems that are placed outside of the firewall. For example, you may want to place a WWW server machine outside of the firewall.
  Scenario answer: www - 208.222.150.2

Network address translation (NAT)
  Decide which services you want to configure.
  Scenario answer: N/A

Proxy Server
  Decide which services you want to configure.
  Scenario answer: HTTP, TELNET

Socks Server
  Decide which services you want to configure.
  Scenario answer: HTTP, HTTPS, FTP

* If you are connecting to the Internet, you may need to consult with your Internet service provider for this value.

After you complete the configuration planning worksheet, you can configure the firewall from the AS/400 Tasks browser interface.
Configuring the firewall from the AS/400 Tasks browser interface

To configure the firewall, you must access the firewall browser interface from the AS/400 Tasks page. Once you display the browser interface, the frame on the left contains new icons for Configuration, Administration, Start, and Stop. The configuration and administration functions of the firewall must access the IBM HTTP Server that runs in the firewall. Consequently, the IBM HTTP Server must be active to access these functions. See the topic Verifying that the IBM HTTP Server is started for more information.

Note: If you have problems accessing the IBM HTTP Server in the firewall:
• Make sure that the fully qualified firewall name (for example, firewall.private.mycompany.com) resolves to the firewall secure port IP address. Either the DNS server in the secure network or the corresponding entry in the administration workstation HOSTS file should resolve the name.
• Make sure that the firewall is started. Both firewall jobs must be active in QSYSWRK, as described in the topic Verifying the status of the firewall objects and jobs.

To perform Basic configuration for your firewall, follow these steps:
1. Use your Web browser to access the firewall.
2. Click the Configuration icon to view the Configuration Menu page.
3. Click Basic and follow the configuration instructions. Enter the information that you collected in the configuration planning worksheet. After you complete all the browser forms, the Review Configuration page appears. This page shows a summary of the information that you entered.
4. Review the information. If the information is correct, click OK to complete Basic configuration. If some information is incorrect, you can make changes directly in the Review Configuration page.

After you complete Basic configuration, you must add the secure mail server to the firewall domain name server.

Adding the secure mail server to the firewall domain name server

Note: You need to complete this step only if you DO NOT have an internal DNS.

If your secure network does not have a DNS server, you must update the firewall DNS server configuration. You must add records to the DNS server configuration so that it can resolve the secure mail server name to its IP address. You must add a mail exchanger (MX) record and an address (A) record to the DNS server that runs on the firewall. The MX and A records point to the secure mail server on your internal network. In this scenario, these records point to the firewall home AS/400 system. If the secure mail server is on another system, the records should point to that system's IP address.

To add the required records, follow these steps:
1. In your browser, go to the following Web address to display the Advanced Domain Name Settings page:
   http://firewall.private.mycompany.com:2001/cgi-bin/db2www/fsdns.mac/main
2. Click the Domain button to display the Resource Settings page.
3. Select the MX record (for example, mycompany.com. IN MX 0 FIREWALL.mycompany.com.) in the list box and click the Insert button. This allows you to insert another MX record for the secure mail server after the selected record. The Change Advanced DNS Settings page (Part 1 of 2) displays.
4. Select MX as the Record type and click the OK button to view the Change Advanced DNS Settings page (Part 2 of 2). Do not enter any other information on the first page.
5. Type information that is appropriate for your scenario into the following fields and click the OK button to add the record:
   • Domain Name (for example, home400.private.mycompany.com.)
   • Mail Exchanger (for example, home400.private.mycompany.com.)
   Important: Do not forget the trailing dot (.) at the end of the domain name.
6. Click the OK button to display the Update DNS Settings page.
7. Click No so that no changes are made at this point. You must add another record first.
8. Select an A type record (for example, WWW IN A 108.222.150.2) from the list box and click the Insert button. This allows you to insert an A (address) record for the secure mail server. The Change Advanced DNS Settings page (Part 1 of 2) displays.
9. Select A for the Record type and click the OK button to view the Change Advanced DNS Settings page (Part 2 of 2).
10. Type the information that is appropriate for your scenario into the following fields and click the OK button to add the A record:
    • Domain Name (for example, home400.private.mycompany.com.)
    • Mail Exchanger (for example, 192.168.12.1)
    Important: Do not forget the trailing dot (.) at the end of the domain name.
11. Click the OK button to display the Update DNS Settings page.
12. Click Yes to update the firewall DNS settings.

Note: If the internal mail server is the firewall home AS/400 system, the firewall must send mail to the AS/400 over the internal LAN connection. Use the AS/400 IP address that you assigned to the *INTERNAL port in the address (A) record. If the internal mail server is not the firewall home AS/400 system, use the corresponding IP address for that host.

To ensure that you have entered the new records correctly, review the named.dom file. This file contains all the records that the firewall DNS server uses. Ensure that all the records that require trailing dots (.) have them. You can do this by using the browser interface or by using an AS/400 command. To review the named.dom file from the AS/400 system, type:
SBMNWSCMD CMD('type e:\mptn\etc\namedb\named.dom') SERVER(FIREWALL)
Where FIREWALL appears in the command, type the name that you assigned to your firewall. The AS/400 sends the results of the command to the job log. You may want to print the job log and keep it as documentation.
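To make that trailing-dot review repeatable, here is an added Python check (not part of this document or of the product) that parses a named.dom-style listing such as the one the command returns, reports names that end in the zone's own domain but lack the trailing dot, and reports MX exchangers that have no A record in the zone. The sample zone is constructed from the scenario's records, with one deliberately wrong MX record appended to the second copy.

```python
"""Added check for the named.dom review described in the text (not product code):
flag names written as fully qualified but missing the trailing dot, and MX
exchangers with no A record in the zone."""

ORIGIN = "mycompany.com."

# Constructed from the scenario's records (an abbreviated named.dom listing).
GOOD_ZONE = """\
; Created by IBM Firewall for AS/400 0973370719
@ IN SOA FIREWALL.mycompany.com. postmaster.mycompany.com. (0973370719 3600 600 360000 86400)
  IN NS FIREWALL.mycompany.com.
mycompany.com. IN MX 0 FIREWALL.mycompany.com.
home400.private.mycompany.com. IN MX 0 home400.private.mycompany.com.
FIREWALL.mycompany.com. IN A 208.222.150.11
www IN A 208.222.150.2
home400.private.mycompany.com. IN A 192.168.12.1
"""

# The same zone plus the mistake the text warns about: an MX record typed without
# the trailing dots, so the server would append the origin to both names.
BAD_ZONE = GOOD_ZONE + "home400.private.mycompany.com IN MX 0 home400.private.mycompany.com\n"


def qualify(name, origin=ORIGIN):
    """Expand a zone-file name the way the server does: '@' is the origin, a name
    with a trailing dot is absolute, and anything else gets the origin appended."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"


def parse_zone(text):
    """Return (owner, rtype, rdata) tuples with names exactly as written.
    A line that starts with whitespace inherits the previous owner."""
    records, owner = [], None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # strip comments
        if not line.strip():
            continue
        tokens = line.split()
        if not raw[0].isspace():
            owner = tokens.pop(0)
        if tokens and tokens[0] == "IN":          # class is always IN in this file
            tokens.pop(0)
        records.append((owner, tokens[0], tokens[1:]))
    return records


def looks_absolute(name, origin=ORIGIN):
    """A name that already ends in the origin's labels was meant to be absolute."""
    return name.lower().endswith(origin.rstrip(".").lower())


def check_zone(text, origin=ORIGIN):
    """Return a list of problem descriptions; an empty list means the zone is clean."""
    problems = []
    records = parse_zone(text)
    a_owners = {qualify(o, origin).lower() for o, t, _ in records if t == "A"}
    for owner, rtype, rdata in records:
        names = [owner]
        if rtype == "NS":
            names.append(rdata[0])
        elif rtype == "MX":
            names.append(rdata[1])
        elif rtype == "SOA":
            names.extend(rdata[:2])               # primary server, contact mailbox
        for name in names:
            if name != "@" and not name.endswith(".") and looks_absolute(name, origin):
                problems.append(f"{rtype} {owner}: '{name}' needs a trailing dot")
        if rtype == "MX":
            exchanger = qualify(rdata[1], origin).lower()
            if exchanger not in a_owners:
                problems.append(f"MX {owner}: exchanger {exchanger} has no A record")
    return problems


if __name__ == "__main__":
    for problem in check_zone(BAD_ZONE):
        print(problem)
```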
The results in your job log should look similar to the ones in the example below:

   ; Last Update: 19971209 18:44:19 adan
   ; Created by IBM Firewall for AS/400 0973370719
   @ IN SOA FIREWALL.mycompany.com. postmaster.mycompany.com. (0973370719 3600 600 360000 86400)
     IN NS FIREWALL.mycompany.com.
   mycompany.com. IN MX 0 FIREWALL.mycompany.com.
   home400.private.mycompany.com. IN MX 0 home400.private.mycompany.com.
   FIREWALL.mycompany.com. IN A 208.222.150.11
   www IN A 208.222.150.2
   home400.private.mycompany.com. IN A 192.168.12.1
   Command submitted to server FIREWALL.

Note:
• If you use the DNS configuration option, you lose any entries that you make through the Advanced Domain Name Server Settings. You should record any changes that you make through Advanced Domain Name Server Settings so that you can reapply them if you use the DNS configuration option.
• Hosts in the Internet can query the IP address of the internal mail server because the firewall combines internal and external DNS functions.
  However, the filter rules that you create during Basic configuration prevent Internet users from accessing your internal mail server.

When you finish configuring your firewall, you must configure clients on the secure network to use it to access Internet services.

Configuring forwarders in the internal DNS

If you designate the firewall name server in your internal DNS as forwarders, all off-site queries are sent to the forwarders. The DNS in the firewall builds a rich cache of information. For a given query in a remote domain, the firewall DNS can answer the query with its cache.

To configure the forwarders directive to send unresolved queries to the firewall DNS, use the following steps:

1. Go to the DNS configuration for your secure domain name through Operations Navigator.
2. Right-click the DNS server that corresponds with the domain name and select Properties.
3. Click the Domain button to display the Resource Settings page.
4. Click the Forwarders tab.
5. Click Add to add the IP address of the firewall secure port.
6. Click Contact only forwarders for off-site queries.
7. Click OK and close the DNS server configuration.

When you finish configuring forwarders, configure clients on the secure network to use the firewall to access Internet services.

Configuring your clients to access Internet services through the firewall

After you configure your firewall, you must configure clients on the secure network to access the Internet through the firewall. To do this, you must:

1. Configure client domain name services (DNS) to use the firewall domain name server.
2. Configure the client Web browser to use the firewall proxy or SOCKS server.

Configuring client domain name services (DNS) to use the firewall domain name server

You must configure domain name services (DNS) for clients that use the firewall to access HTTP services on the Internet. You must add the firewall secure port IP address to the client DNS configuration.
Although this procedure describes how to configure DNS for Windows 95 clients, you can apply the concepts to other kinds of clients. To change the client DNS configuration, follow these steps:

1. Double-click the My Computer icon.
2. Double-click the Control Panel icon.
3. Double-click the Network icon.
4. Click the Configuration tab.
5. Double-click the TCP/IP protocol list item.
6. Click the DNS Configuration tab.
7. Click the Enable DNS radio button and add the secure IP address of the firewall to the DNS search order field.
8. Close all open windows and restart the client.
If clients must use proxy or SOCKS servers to access Internet services, you must configure the client Web browser to use these servers.

Configuring the client Web browser to use the firewall proxy or SOCKS server

If a client must use proxy or SOCKS servers to access Internet services, you must configure the client Web browser to use these servers. Therefore, you must add the firewall secure port IP address to the SOCKS server (or proxy server) configuration for the client Web browser.

Although this procedure describes how to configure Netscape Navigator 3.0, you can adapt the procedure for other Web browsers. To add the address to the Web browser, follow these steps:

1. Click Options from the menu bar, followed by Network Preferences from the pull-down menu to display the Preferences window.
2. Select the Proxies tab.
3. Select Manual Proxy Configuration and click the View button to display the Manual Proxy Configuration window.
4. Type the firewall secure port IP address into the SOCKS host field and 1080 into the port field.
5. Click the OK button to accept the entries and return to the Preferences window.
6. Click the OK button to save the new preferences.

After you configure your clients, you can begin using your firewall.
Chapter 5. Configuring your clients to use the firewall for Internet access

After you install and configure the firewall, you must configure your clients on the internal network to access the non-secure network through the firewall.

Before configuring your clients, you must ensure that the LAN adapter is installed and recognized by the client operating system. You must also ensure that TCP/IP is loaded on the system. If the LAN adapter is not installed correctly, refer to the documentation that came with the adapter for installation instructions. If TCP/IP is not loaded on the system, refer to the documentation that came with the client operating system.

These instructions describe how to configure a typical client to access Internet services through the firewall. Because Windows 95 is the most common client in use, the instructions cover how to configure a Windows 95 client. Although specific instructions vary for other types of clients, you should be able to apply this information to other client platforms.

Windows 95, like most PC operating systems, does not provide native SOCKS support. OS/2 Merlin is an exception; it provides SOCKS in the TCP/IP stack. Fortunately, most Web browsers for Windows 95 provide SOCKS support. If you plan to use Internet services that your browser cannot provide, you must add SOCKS support to firewall clients. You can also configure your AS/400 as a SOCKS client.

Configuring a client to use the firewall

After you install and configure the firewall, you must configure clients on the internal secure network to access the non-secure network through the firewall. Before you can configure the client, the client must have a suitable LAN adapter installed and correctly identified in Windows 95. To configure the client, complete these steps:

1. Verify that the LAN adapter is installed and that the client operating system recognizes it.
2. Verify that the client TCP/IP settings are correct.
3. Configure domain name services (DNS) for the client.
4. Configure gateway settings for the client, if the client is in a network that uses routers to separate network segments.
5. Test the firewall client configuration.
6. Configure the Web browser for proxy or SOCKS.
7. Add SOCKS support, if you want to access Internet services without using the client Web browser.

Verifying that a Windows 95 client can identify the client LAN adapter

Before configuring the client PC to use the firewall for Internet access, you must verify that the PC has a suitable LAN adapter installed. You must also verify that the client can identify the adapter. This procedure describes how to verify the LAN adapter identification for a Windows 95 client. However, you can apply the concepts to other types of clients.

© Copyright IBM Corp. 1998, 1999
To verify that the identification for the LAN adapter is correct, perform these steps:

1. From your desktop, right-click the Network Neighborhood icon to view the shortcut menu.
2. Select the Properties menu option to open the Network window.
3. Click the Configuration tab and select your LAN adapter from the list box.
4. Select the Properties button to open the Properties folder for the LAN adapter that you selected.
5. Select the Bindings tab to view the protocol settings for the LAN adapter that you selected.
6. Verify that TCP/IP is selected as a bindings option.
7. Select the Cancel button to return to the Network window.

Note: If TCP/IP is not selected, you must select it and click the OK button to change the settings.

After you verify that the identification for your LAN adapter is correct, you must verify the TCP/IP settings for the client.

Verifying TCP/IP configuration for a client PC

After you verify that the firewall administration PC (or other client) LAN adapter identification is correct, verify that the TCP/IP configuration is correct. To verify that TCP/IP is configured properly for the client, complete these steps:

1. From the desktop, right-click the Network Neighborhood icon to view the shortcut menu.
2. Select the Properties menu option to open the Network window.
3. Click the Configuration tab and select TCP/IP from the list box.
4. Select the Properties button to open the TCP/IP Properties folder.
5. Select the IP Address tab.
6. Verify that the IP address and subnet mask are correct for the client.
7. Click the Cancel button to return to the Network window.

Note: If the IP address and subnet mask are not correct, enter the correct information and click the OK button to save your changes.

After you verify that the IP address settings are correct, you must configure domain name services (DNS) for the client. How you configure DNS depends on whether you have an internal DNS server or whether the client must use a host table for name resolution.

Note: After you finish all configuration changes to the client, you must click OK on the Network window to save your changes. Then, you must restart the PC to make the network changes take effect.

Configuring domain name services for a firewall client on the secure network

After you verify that the client TCP/IP settings are correct, you must configure domain name services (DNS) for the client. How you configure DNS depends on whether you have an internal DNS server or whether the client must use a host table for name resolution.

If you do not have a DNS server on the secure network, the client must use a host table for name resolution. You must make changes to the client host table so that the client can resolve names correctly.
If you do have a DNS server on the secure network, you must configure DNS support on the client.

Changing the host table for a firewall client when the secure network does not have a DNS server

If your internal secure network does not have a domain name services (DNS) server, your clients must use host tables for name resolution. Each firewall administration workstation (or other client) must have the secure IP address of the firewall in its local host table. Each client host table must also contain the names and addresses of any other internal systems with which the client must communicate. For example, each administration workstation host table must contain the firewall home AS/400 IP address and the IP address of the firewall secure port.

To add the necessary information to the client host table, follow these steps:

1. Open an MS-DOS Prompt window.
2. At the MS-DOS prompt, type the command:
   DIR C:\HOST*.* /S
   Where C: occurs in the command, type the letter of the drive that contains the operating system. A list of files that start with HOST appears. Find a file with the name HOSTS, and note the directory name that contains the HOSTS file. Windows 95 TCP/IP looks for the HOSTS file in the Windows directory.
   Note: If you do not find a HOSTS file, a sample file (HOSTS.SAM) should be available. Use this file to create a new HOSTS file to which you can add the necessary information.
3. At the DOS prompt, type:
   edit c:\windows\hosts
   Where c:\windows occurs in the command, type the letter of the drive and directory name that contains the HOSTS file. The MS-DOS prompt EDIT window appears.
4. Add a record that contains the IP address, fully qualified AS/400 host name, and the host name of the AS/400 system to the file.
   Note: The fully qualified name for the AS/400 system consists of the AS/400 host name, followed by a period (.), followed by the AS/400 domain name. You can find these values by selecting option 12 from the Configure TCP (CFGTCP) menu on the AS/400 system. In this example, the fully qualified name is home400.private.company.com and the host name is home400.
5. Add a record that contains the IP address, fully qualified firewall host name, and the host name of the firewall to the file.
   Note: The fully qualified name for the firewall consists of the firewall NWSD name, followed by a period (.), followed by the AS/400 domain name. You can find the domain name by selecting option 12 from the Configure TCP (CFGTCP) menu on the AS/400 system. In this example, the fully qualified name is fwbasic.private.company.com and the host name is fwbasic.
6. Save the file as C:\windows\hosts.

After you edit the client host table, you may need to configure DNS support for the client.
Configuring Domain Name Services support on a firewall client

If you are using only the client host table for name resolution, you do not need to configure DNS support for the client. If your secure network has a DNS server, however, you must configure the client to use the secure DNS server for name resolution. The secure DNS server should point to the firewall DNS server to resolve names for hosts outside the secure network.

If you do not have a DNS server in the secure network, configure the client to use the firewall as a DNS server. The client can then use the firewall DNS server for external domain name resolution when the client must access the non-secure network.

Although this procedure describes how to configure DNS support for a Windows 95 client, you can apply the concepts to other types of clients. To configure DNS support on the client, complete these steps:

1. From the desktop, right-click the Network Neighborhood icon to view the shortcut menu.
2. Select the Properties menu option to open the Network window.
3. Click the Configuration tab and select TCP/IP from the list box.
4. Click the Properties button to open the TCP/IP Properties folder.
5. Select the DNS Configuration tab.
6. Click the Enable DNS radio button.
7. Add the following information to the appropriate fields:
   • Type a host name for the PC into the Host field.
   • Type the secure domain name into the Domain field.
   • To use only the host table, leave the DNS Server Search Order field blank. Otherwise, type one of the following values:
     – The IP address of the secure DNS server (for example, 10.5.69.2)
     – The IP address of the secure port of the firewall (for example, 10.5.69.3)
8. Click the ADD button.
9. Click the OK button to save the settings and return to the Network window or click another tab to continue with TCP/IP configuration.

Note: After you finish all configuration changes to the client, you must click OK on the Network window to save your changes. Then, you must restart the PC to make the network changes take effect.

After you configure DNS, you may need to configure gateway settings for the client, if your network contains routers to separate network segments.

Configuring a firewall client to use a gateway

You may need to configure a client to use a gateway if your network uses routers to separate segments of the network. When a client is not directly connected to the network segment that contains the remote host, the client passes its data to the gateway. This gateway, or next hop router, should be able to route the data to the remote host.

Although this procedure describes how to configure a gateway for a Windows 95 client, you can apply the concepts to other types of clients. To configure the client to use a gateway, follow these steps:

1. From the Windows desktop, right-click the Network Neighborhood icon to view the shortcut menu.
2. Select the Properties menu option to open the Network window.
3. Click the Configuration tab and select TCP/IP from the list box.
4. Click the Properties button to open the TCP/IP Properties folder.
5. Click the Gateway tab.
6. Type the IP address of the gateway (router) that connects the client to the rest of the network into the New gateway field.
7. Click the Add button.
8. Click the OK button to save your settings and return to the Network window or click another tab to continue with TCP/IP configuration.

Note: After you finish all configuration changes to the client, you must click OK on the Network window to save your changes. Then, you must restart the PC to make the network changes take effect.

After you configure the gateway entry, you can change any other client network configuration settings that you need for your TCP/IP environment. You should also test the firewall client configuration.

Testing the firewall client configuration

After you make client configuration changes and restart the client, you should test the configuration to ensure that it works properly.

Note: The default firewall filter rules block PING requests through the firewall. Therefore, if you use PING to contact an external host (for example, www.as400.ibm.com), the name should resolve to a valid address (for example, 208.222.150.11). The PING request, however, should time out.

To test the client configuration, follow these steps:

1. Open an MS-DOS Prompt window.
2. At the DOS prompt, type:
   ping 10.5.69.212
   and press Enter. Where 10.5.69.212 occurs in the command, type the address of your AS/400 system. A series of messages should appear that shows the address of the system and replies from the system.
3. At the DOS prompt, type:
   ping home400
   and press Enter. Where home400 occurs in the command, type the name of your AS/400 system. A series of messages should appear that shows the address of the system and replies from the system.
4. At the DOS prompt, type:
   ping 10.5.69.129
   Where 10.5.69.129 occurs in the command, type the address of your firewall. A series of messages should appear that shows the address of the firewall and replies from the firewall.
5. At the DOS prompt, type:
   ping firewall
   and press Enter. Where firewall occurs in the command, type the name of your firewall. A series of messages should appear that shows the address of the firewall and replies from the firewall.

If the message "Bad IP address hostname" appears (where hostname is the value that you entered for the PING command), there is an error. This error can be in the PING command (check the spelling of the host name), the client DNS configuration, the DNS server, or the HOSTS name file. You can bypass the DNS name resolution process by using the PING command and the IP address of the target host.

If the message "Request timed out" appears, the DNS server resolved the name to an address and the PING command tried to contact the target host. Verify that the returned address is valid for the requested name and that the target host is operating. If the address is correct and the host is operating, check the value in the gateway entry.

After testing your client configuration, you must configure the client Web browser to use SOCKS or proxy servers to access the non-secure network.

Configuring a client Web browser to use SOCKS or proxy servers

Because you configure and administer the firewall through a Web-based facility, you must use a Web browser that the firewall facility supports. This Web browser must support Java and JavaScript, as well as SOCKS and HTTP proxies. The browser should also provide a post office protocol (POP) 3 mail client for easy access to Internet e-mail.

For the purposes of the firewall administration client, you do not need to enable SOCKS or proxy. The basic network installation with no proxies specified works. However, if you selected proxy or SOCKS servers for Internet access during Basic configuration, you must set up proxy or SOCKS client support for the browser. This allows Web browsing through the firewall to the Internet or other non-secure network.

These procedures provide basic setup instructions for three common browsers: Netscape Navigator 3.0, Netscape Communicator 4.04, and Microsoft Internet Explorer 4.0. However, these procedures do not replace the instructions that the specific product documentation provides. Consider the product documentation as the authoritative source of information relating to these products. Refer to the product documentation for detailed instructions if you have questions during the installation.
To configure Netscape Navigator 3.0, see the topic Configuring Netscape Navigator 3.0 to use SOCKS or proxies. To configure Netscape Navigator 4.0, see the topic Configuring Netscape Communicator 4.04 to use SOCKS or proxies. To configure Microsoft Internet Explorer, see the topic Configuring Microsoft Internet Explorer 4.0 to use SOCKS or proxies.

Configuring Netscape Navigator 3.0 to use SOCKS or proxy servers

You must set up proxy or SOCKS client support for the client browser when you specify proxy or SOCKS servers for client Internet access. This allows users to Web browse through the firewall to the Internet or other non-secure network.

To configure Netscape Navigator 3.0 to use proxy or SOCKS, start the browser and follow these steps:

1. Select Options from the menu bar.
2. Select the Network Preferences menu option to display the Preferences window.
3. Click the Proxies tab.
4. Click Manual Proxy Configuration.
5. Click View.
6. To use SOCKS support, type the IP address of the secure port of the firewall in the SOCKS Host field and 1080 in the Port field. For example, IP address 10.5.69.3.
7. To use proxy support, enter the following information:
   • The IP address of the secure port of the firewall in the FTP Proxy field and 80 in the Port field to support FTP proxy from the browser. For example, IP address 10.5.69.3.
   • The IP address of the secure port of the firewall in the HTTP Proxy field and 80 in the Port field to support HTTP proxy from the browser. For example, IP address 10.5.69.3.
   • The IP address of the secure port of the firewall in the WAIS Proxy field and 80 in the Port field to support WAIS proxy from the browser. For example, IP address 10.5.69.3.
8. Type the secure domain name (for example, private.mycompany.com) in the No Proxy for field. This name tells the browser that the browser is connected directly to your secure domain. Therefore it does not need to use proxy or SOCKS servers to reach this domain. List all domains to which the client is connected directly.
9. Click OK to save the configuration.

Configuring Netscape Communicator 4.04 to use SOCKS or proxy servers

You must set up proxy or SOCKS client support for the client browser when you specify proxy or SOCKS servers for client Internet access. This allows Web browsing through the firewall to the Internet or other non-secure network.

To configure Netscape Navigator 4.0 to use proxy or SOCKS, start the browser and follow these steps:

1. Select Edit from the menu bar to display a pull-down menu.
2. Select Preferences from the menu.
3. Click the plus sign (+) beside the Advanced category.
4. Click Proxies.
5. Click Manual Proxy Configuration.
6. Click View.
7. To use SOCKS support, type the IP address of the secure port of the firewall (for example, 10.5.69.3) in the SOCKS Host field and 1080 in the Port field.
8. To use proxy support, enter the following information:
   • The IP address of the secure port of the firewall in the HTTP field and 80 in the Port field to support HTTP proxy from the browser.
   • The IP address of the secure port of the firewall in the FTP field and 80 in the Port field to support FTP proxy from the browser.
   • The IP address of the secure port of the firewall in the WAIS Proxy field and 80 in the Port field to support WAIS proxy from the browser.
9. Type the secure domain name (for example, private.mycompany.com) in the Exceptions field. This name tells the browser that the client is connected to your secure domain directly. List all domains to which the client is connected directly.
10. Click the OK button to save your configuration changes.
Configuring Microsoft Internet Explorer 4.0 to use SOCKS or proxy servers

You must set up proxy or SOCKS client support for the client browser when you specify proxy or SOCKS servers for client Internet access. This allows Web browsing through the firewall to the Internet or other non-secure network.

To configure Microsoft Internet Explorer 4.0 to use proxy or SOCKS servers, start the browser and follow these steps:

1. Right-click the Internet Explorer icon to view a short-cut menu.
2. Select Properties from the menu to display the Properties window.
3. Click the Connection tab.
4. Verify that the browser is configured for a LAN connection.
5. Click Advanced.
6. Select the Access the Internet Using a Proxy Server option.
7. Type the IP address of the secure port of the firewall into the desired proxy or SOCKS field.

Adding SOCKS support to firewall clients

Most PC operating systems do not provide native SOCKS support. OS/2 Merlin is an exception; it provides SOCKS in the TCP/IP stack. If you want to use PC clients other than OS/2, you must add SOCKS support.

Most Web browsers provide SOCKS support. If you will not use Internet services that your browser does not provide, you probably do not need to add SOCKS support to the client.

If you need to add SOCKS support, you can find several products on the Web. Most of these products work for Windows 95; some work for Windows 3.1. These products are usually Windows dynamic link libraries (DLLs) that extend the functionality of the Winsock DLL. They allow SOCKS 4 and SOCKS 5 applications to work without a browser for applications such as FTP and TELNET.

Note: Microsoft Windows NT also does not provide native SOCKS support. Therefore, if you plan to use Windows NT as a firewall client, you must add SOCKS support.

We tested two products: Aventail AutoSOCKS and SocksCap (NEC USA, Inc.). Each is available in a Windows 95 and a Windows 3.1 version on the Web.
The Web address for Aventail AutoSOCKS is:
   http://www.aventail.com/
After you access the site, select the Product & Solutions option. Scroll down to the AutoSOCKS product information. Click Download Evaluation Copy and follow the download instructions.

The Web address for SocksCap is:
   http://www.socks.nec.com/
After you access the site, select the SocksCap button and follow the download instructions. You may want to select other buttons to get additional information about SOCKS and how it works.
Configuring SOCKS support for AS/400

If you want to use your AS/400 as a firewall client through the SOCKS server, you configure SOCKS support for the AS/400 system. To configure SOCKS for AS/400 you must use Operations Navigator to access the TCP/IP Properties window for the AS/400 system that you want to configure as a firewall client.

To access the TCP/IP Properties window, follow these steps:

1. Start Operations Navigator by clicking Start —> Programs —> IBM AS/400 Client Access —> AS/400 Operations Navigator. The AS/400 Operations Navigator window appears.
2. Double-click the icon that represents the AS/400 system that you want to configure. A list of system components displays.
3. Double-click the Network icon to display a list of network components.
4. Double-click the Protocols icon to display a list of protocols in the panel on the right.
5. Double-click the TCP/IP icon in the right panel to display the TCP/IP Properties window.
6. Click the SOCKS tab in the TCP/IP Properties window to display SOCKS information and options.

After you access the SOCKS tab, perform these tasks:
• Define the network to which the AS/400 system is directly connected to prevent AS/400 from using a SOCKS server to connect to the network.
• Define the network that the AS/400 client must use SOCKS to access and the SOCKS server address that AS/400 must use to access the network.

After you configure SOCKS support for the AS/400 system, you may want to define a DNS server for SOCKS to use. You should also test your AS/400 SOCKS configuration.

Defining the network to which the AS/400 system is connected directly

The AS/400 system should not use a SOCKS server to connect to the network to which it is directly attached. To prevent the AS/400 system from using the SOCKS server, follow these steps to define the direct network connection for the AS/400 system.

1. Use Operations Navigator to access the SOCKS tab in the TCP/IP Properties window.
2. From the SOCKS tab, click the Add button to display the Add SOCKS Destination window.
3. Type the network address of the secure network in the IP address field (for example, 10.0.0.0).
4. Type the subnet mask that describes your secure network in the Mask field (for example, 255.0.0.0).
   Note: This defines the entire 10. network as a direct network. Therefore, the AS/400 system will not use SOCKS to access any host with an address that starts with 10.
5. Click the down arrow in the Connection field and select Direct from the list of options.
6. Click OK to add the destination information.

Now you can define which network the AS/400 client must use SOCKS to access. You may also want to define a DNS server for SOCKS to use.
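The direct-network entry defined above only works together with the catch-all SOCKS destination (address 0.0.0.0, mask 0.0.0.0) that the next topic adds. The following is an added example, not IBM's code: it applies the "address AND mask" comparison to a constructed table holding both entries and checks that the SOCKS server itself stays reachable directly. Assumptions: when more than one entry matches, the entry with the longest mask wins (which is what lets the Direct entry override the catch-all), and 10.5.69.3 is the firewall secure port address from the manual's examples.

```python
"""Decide whether an AS/400 SOCKS client reaches a destination directly or via SOCKS.

Added example, not IBM code. Assumption: the most specific (longest mask)
matching destination entry takes precedence.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


def ip_to_int(dotted: str) -> int:
    octets = dotted.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not a dotted-quad IPv4 address: {dotted!r}")
    value = 0
    for o in octets:
        value = (value << 8) | int(o)
    return value


def int_to_ip(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def anded(address: str, mask: str) -> str:
    """The 'anded' operation from the manual's note: address AND mask, as dotted quad."""
    return int_to_ip(ip_to_int(address) & ip_to_int(mask))


@dataclass
class SocksDestination:
    ip: str                       # IP address field
    mask: str                     # Mask field
    connection: str               # "Direct" or "SOCKS server"
    server: Optional[str] = None  # Server IP address, for SOCKS server entries
    port: str = "Any"             # Port field: remote ports this entry covers

    def matches(self, destination: str) -> bool:
        # A destination matches when it agrees with the entry on every masked bit;
        # with mask 0.0.0.0 both sides become 0.0.0.0, so every address matches.
        return anded(destination, self.mask) == anded(self.ip, self.mask)

    def specificity(self) -> int:
        return bin(ip_to_int(self.mask)).count("1")  # number of mask bits set


# Constructed table mirroring the two destinations the manual defines.
EXAMPLE_TABLE = [
    SocksDestination("10.0.0.0", "255.0.0.0", "Direct"),
    SocksDestination("0.0.0.0", "0.0.0.0", "SOCKS server", server="10.5.69.3"),
]


def route_for(destination: str, table: List[SocksDestination]) -> Tuple[str, Optional[str]]:
    """Return (connection, server) for a destination; longest mask wins (assumption)."""
    candidates = [d for d in table if d.matches(destination)]
    if not candidates:
        return ("Direct", None)  # assumption: no matching entry means no SOCKS server is used
    best = max(candidates, key=SocksDestination.specificity)
    return (best.connection, best.server)


def check_table(table: List[SocksDestination]) -> List[str]:
    """Sanity checks worth running before trusting the destination table."""
    findings: List[str] = []
    for entry in table:
        if entry.connection != "SOCKS server":
            continue
        if not entry.server:
            findings.append(f"SOCKS entry {entry.ip}/{entry.mask} has no Server IP address")
            continue
        # The SOCKS server must be reached directly; if its own address routes
        # through SOCKS, no destination can be reached at all.
        if route_for(entry.server, table)[0] != "Direct":
            findings.append(f"SOCKS server {entry.server} is not covered by a Direct entry")
    if not any(d.connection == "SOCKS server" for d in table):
        findings.append("no SOCKS server entry: the AS/400 will not use the firewall for any destination")
    return findings


if __name__ == "__main__":
    for dest in ("10.5.69.212", "10.5.69.129", "208.222.150.11"):
        print(dest, "->", route_for(dest, EXAMPLE_TABLE))
    print("checks:", check_table(EXAMPLE_TABLE) or "ok")
```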
Defining which network the AS/400 client must use SOCKS to access

Before you can use AS/400 as a SOCKS client, you must define which network the AS/400 must use a SOCKS server to access. For example, you might have the AS/400 client use the SOCKS server to access all networks (except the direct connection).

To define which networks AS/400 should access through the SOCKS server, follow these steps:

1. Use Operations Navigator to access the SOCKS tab in the TCP/IP Properties window.
2. From the SOCKS tab, click the Add button. The Add SOCKS Destination window appears.
3. Type the address 0.0.0.0 in the IP address field.
4. Type the subnet mask 0.0.0.0 in the Mask field.
   Note: When a destination address is "anded" with a mask of 0.0.0.0, the result is 0.0.0.0. By specifying a mask and address of all zeros, all IP addresses match this destination description.
5. Click the down arrow in the Connection field and select SOCKS server from the list of options.
6. Type the IP address of the SOCKS server in the Server IP address field. On the firewall home AS/400 system, this is the IP address of the *INTERNAL port of the firewall. On other AS/400 systems in the secure network, this is the IP address of the secure port of the firewall.
7. Verify that the Port field has a value of Any. This specifies which remote ports the AS/400 can use this connection to access.
8. Click OK to add the destination information.

When you complete the SOCKS configuration, you may want to define a DNS server for SOCKS to use. You should also test your AS/400 SOCKS configuration.

Defining a domain name server for the SOCKS server

When you configure your AS/400 as a SOCKS client, you may need to define a domain name services (DNS) server for SOCKS to use. You must do this only if domain name servers were not specified when TCP/IP was configured for the AS/400 system. For name or IP address resolution, the system queries the DNS servers configured with TCP/IP first.
If they cannot resolve the name or address, then the system queries the DNS server that you specify in the SOCKS client configuration for AS/400.

Note: At least one DNS server must be configured using CFGTCP option 12 before SOCKS checks the domain name server configured for SOCKS.

To define a DNS server for your AS/400 SOCKS client, follow these steps:

1. Use Operations Navigator to access the SOCKS tab in the TCP/IP Properties window.
2. From the SOCKS tab, type the DNS server IP address in the SOCKS domain name server field. If you do not have an internal DNS server, point the AS/400 system to the firewall for DNS services. If the internal DNS server cannot resolve external information, type the IP address of the firewall in the SOCKS domain name server field. On the firewall home AS/400 system, this is the IP address of the *INTERNAL port of the firewall. On other AS/400 systems in the secure network, this is the IP address of the secure port of the firewall.
3. Click OK to add the destination information.

When you complete the SOCKS configuration, you should test your AS/400 SOCKS configuration.

Testing your AS/400 SOCKS configuration

To quickly test your AS/400 SOCKS client configuration, you can start a TELNET session with a system in the non-secure network. (You must have enabled TELNET in the SOCKS server during firewall configuration.) To test the configuration, perform these steps:

1. Sign on to the AS/400 system.
2. On an AS/400 command line, type telnet locis.loc.gov and press Enter to display the US government's LIBRARY OF CONGRESS INFORMATION SYSTEM menu.
   Note: If you do not receive the menu, you may have a problem with DNS, firewall configuration, or your network connection.
3. To exit the system, type 12, and press Enter.
4. Type 12 and press Enter again.
Printed in U.S.A. SC41-5424-02