Firewall: Getting started

Version 4
SC41-5424-02
Contents

Part 1. Firewall: Getting started

Chapter 1. Print this topic

Chapter 2. Understanding IBM Firewall for AS/400
  About firewalls
  Firewall components
  How a firewall works
  What a firewall can do to protect your network
  What a firewall cannot do to protect your network
  Understanding Internet security issues
  Trusted networks
  Understanding security policies
  Security services
  Network security objectives
  Network security considerations
  Types of Internet attacks
  Firewall security principles
  Understanding TCP/IP, networking, and the Internet
  TCP/IP addressing and structure
  How masks affect Internet Protocol (IP) addressing
  Understanding subnets
  IBM Firewall for AS/400 features
  IBM Firewall for AS/400 components
  IBM Firewall for AS/400 Internet Protocol (IP) packet filtering component
  IBM Firewall for AS/400 network address translation (NAT) component
  IBM Firewall for AS/400 proxy server component
  IBM Firewall for AS/400 TELNET proxy server
  IBM Firewall for AS/400 SOCKS server component
  IBM Firewall for AS/400 mail relay service
  IBM Firewall for AS/400 split domain name services (DNS) component
  IBM Firewall for AS/400 audit and event reporting services
  IBM Firewall for AS/400 virtual private network (VPN) component
  Firewall configurations
  Dual-homed gateway firewall
  Screened host firewall

Chapter 3. Planning your firewall installation and configuration
  IBM Firewall for AS/400 installation requirements
  IBM Firewall for AS/400 software requirements
  IBM Firewall for AS/400 hardware requirements
  IBM Firewall for AS/400 user profile requirements
  Secure Sockets Layer (SSL) considerations for IBM Firewall for AS/400
  Positioning your public server in relation to your firewall
  Placing a public server in front of the firewall
  Placing a public server behind the firewall
  Firewall and network configurations: Example scenarios
  Example scenario: Public server in front of the firewall
  Example scenario: Public server in front of the firewall with secure side subnets
  Example scenario: Public server behind the firewall
  IBM Firewall for AS/400 planning worksheets

Chapter 4. Installing and configuring your firewall
  Firewall basic configuration: Scenario overview
  Firewall basic configuration: Scenario objectives
  Firewall basic configuration: Scenario network configuration
  Firewall basic configuration: Scenario advantages
  Firewall basic configuration: Scenario disadvantages
  Firewall basic configuration: Reviewing your planning worksheets
  Verifying firewall hardware, software, and configuration prerequisites
  Recording the resource name of the Integrated Netfinity Server for AS/400
  Verifying the memory available on your Integrated Netfinity Server for AS/400
  Verifying the installation of firewall prerequisite licensed programs
  Verifying that the latest program temporary fixes (PTFs) are applied
  Verifying the basic TCP/IP interface configuration on the firewall home AS/400 system
  Verifying that the IBM HTTP Server is started
  Verifying that the Web browser supports JavaScript
  Installing IBM Firewall for AS/400
  Completing the firewall installation worksheet
  Installing the firewall from the AS/400 Tasks browser interface
  Preparing for Basic configuration of your firewall
  Stopping the firewall
  Varying off the firewall network server description (NWSD)
  Configuring the internal DNS in the firewall NWSD
  Adding the firewall domain name server to the firewall NWSD
  Updating the secure mail server host table
  Routing outbound mail to the firewall
  Starting the firewall
  Varying on the firewall network server description
  Verifying that the firewall network server description is ready
  Starting the firewall application
  Verifying the status of the firewall objects and jobs
  Performing firewall Basic configuration
  Completing the Firewall Basic configuration planning worksheet
  Configuring the firewall from the AS/400 Tasks browser interface
  Adding the secure mail server to the firewall domain name server
  Configuring forwarders in the internal DNS
  Configuring your clients to access Internet services through the firewall
  Configuring client domain name services (DNS) to use the firewall domain name server
  Configuring the client Web browser to use the firewall proxy or SOCKS server

Chapter 5. Configuring your clients to use the firewall for Internet access
  Configuring a client to use the firewall
  Verifying that a Windows 95 client can identify the client LAN adapter
  Verifying TCP/IP configuration for a client PC
  Configuring domain name services for a firewall client on the secure network
  Configuring a firewall client to use a gateway
  Testing the firewall client configuration
  Configuring a client Web browser to use SOCKS or proxy servers
  Adding SOCKS support to firewall clients
  Configuring SOCKS support for AS/400
  Defining the network to which the AS/400 system is connected directly
  Defining which network the AS/400 client must use SOCKS to access
  Defining a domain name server for the SOCKS server
  Testing your AS/400 SOCKS configuration

© Copyright IBM Corp. 1998, 1999
Part 1. Firewall: Getting started

Note: End of Currency (EOC) for Integration Services for FSIOP (5768SA2) and IBM Firewall for AS/400 is 5/31/01.

The Firewall: Getting started topic explains planning and basic configuration of IBM Firewall for AS/400. The following topics provide details on planning, scenario examples, and how to configure your firewall:
• See Print this topic if you would like a PDF copy of this topic.
• Understanding IBM Firewall for AS/400 provides conceptual information on firewall terms and Internet security issues.
• Planning your firewall installation and configuration provides step-by-step planning guidelines that help you prepare for your firewall installation.
• Installing and configuring your firewall provides step-by-step procedures for installing and configuring your firewall.
• Configuring your clients to use the firewall for Internet access provides instructions on setting up your users to use the firewall.
Chapter 1. Print this topic

You can view or download a PDF version of this document for viewing or printing. You must have Adobe® Acrobat® Reader installed to view PDF files. You can download a copy from Adobe.

To view or download the PDF version, select Firewall: Getting started (about 736 KB or 112 pages).

To save a PDF on your workstation for viewing or printing:
1. Open the PDF in your browser (click the link above).
2. In the menu of your browser, click File.
3. Click Save As...
4. Navigate to the directory in which you would like to save the PDF.
5. Click Save.
Chapter 2. Understanding IBM Firewall for AS/400

A firewall implements a substantial portion of your network security policy. Therefore, you must understand exactly what a firewall is and what a firewall can do for you. Each firewall product offers a different set of security features.

To understand what a firewall can do to protect your network, review these topics:
• About firewalls
• Understanding Internet security issues

When you connect your network to the Internet, you must use Transmission Control Protocol/Internet Protocol (TCP/IP) and ensure that you configure your network properly. You can prevent many problems with firewall installation and configuration by making sure that you configure TCP/IP properly. Consequently, you should review the topic Understanding TCP/IP, networking, and the Internet before you start planning your firewall installation.

To understand what IBM Firewall for AS/400 can do to protect your network, review these topics:
• IBM Firewall for AS/400 features
• IBM Firewall for AS/400 components
• Firewall configurations

To learn how to get your firewall up and running, review these topics:
• Planning your firewall installation and configuration
• Installing and configuring your firewall
• Configuring your clients to use the firewall for Internet access

About firewalls

A firewall is a blockade between a secure internal network and an untrusted network such as the Internet. Most companies use a firewall to connect an internal network safely to the Internet. You can also use a firewall to secure one internal network from another on an intranet.

A firewall provides a controlled single point of contact (called a chokepoint) between your secure internal network and the untrusted network. The firewall:
• Lets users in your internal network use authorized resources that are located on the outside network.
• Prevents unauthorized users on the outside network from using resources on your internal network.

When you use a firewall as your gateway to the Internet (or another network), you reduce the risk to your internal network considerably. Using a firewall also makes administering network security easier because firewall functions carry out most of your security policy.

To better understand what a firewall does and how you can use one to protect your network, review these topics:
• Firewall components
• How a firewall works
• What a firewall can do to protect your network
• What a firewall cannot do to protect your network
Firewall components

A firewall is a collection of hardware and software that, used together, prevents unauthorized access to a portion of a network. A firewall consists of the following components:
• Hardware. Firewall hardware usually consists of a separate computer dedicated to running the firewall software functions.
• Software. Firewall software can consist of some or all of these applications:
  – Packet filters
  – Proxy servers
  – SOCKS servers
  – Network address translation (NAT) services
  – Logging and monitoring software
  – Virtual private network (VPN) services

How a firewall works

To understand how a firewall works, imagine that your network is a building to which you want to control access. Your building has a lobby as the only entry point. In this lobby, you have receptionists to welcome visitors, security guards to watch visitors, video cameras to record visitor actions, and badge readers to authenticate visitors who enter the building.

These measures may work well to control access to your building. But if an unauthorized person succeeds in entering your building, you have no way to protect the building against this intruder's actions. If you monitor the intruder's movements, however, you have a chance to detect any suspicious activity.

When you define your firewall strategy, you may think it is sufficient to prohibit everything that presents a risk for the organization and allow everything else. However, because computer criminals constantly create new attack methods, a list of prohibited activities is always incomplete, and you must anticipate attacks that you have not yet seen. As in the example of the building, you also need to monitor for signs that someone has somehow breached your defenses. Generally, it is much more damaging and costly to recover from a break-in than to prevent one. In the case of a firewall, your best strategy is to permit only those applications that you have tested and have confidence in.

If you follow this strategy, you must exhaustively define the list of services that you will run on your firewall. You can characterize each service by the direction of the connection (from inside to outside, or from outside to inside). You should also list the users who you will authorize to use each service and the machines that can issue a connection for it.

What a firewall can do to protect your network

You install a firewall between your network and your connection point to the Internet (or other untrusted network). The firewall then allows you to limit the points of entry into your network. A firewall provides a single point of contact (called a chokepoint) between your network and the Internet (see Figure 1). Because you have a single point of contact, you have more control over which traffic to allow into and out of your network.
Figure 1. A firewall controls traffic between your secure network and the Internet

A firewall appears as a single address to the public. The firewall provides access to the untrusted network through proxy or SOCKS servers or network address translation (NAT) while hiding your internal network addresses. Consequently, the firewall maintains the privacy of your internal network. Keeping information about your network private is one way in which the firewall makes an impersonation attack (spoofing) less likely.

A firewall allows you to control traffic into and out of your network to minimize the risk of attack. A firewall filters all traffic that enters your network so that only specific types of traffic for specific destinations can enter. This minimizes the risk that someone could use TELNET or File Transfer Protocol (FTP) to gain access to your internal systems.

What a firewall cannot do to protect your network

While a firewall provides a great deal of protection from certain kinds of attack, a firewall is only part of your total security solution. For instance, a firewall cannot protect data that you send over the Internet through applications such as SMTP mail, FTP, and TELNET. Unless you encrypt this data, anyone on the path between you and the destination can read it in transit.

Understanding Internet security issues

When connecting to an untrusted network, you must ensure that your security policy provides you with the best protection possible. A firewall certainly represents a large portion of your total security solution. However, because a firewall is only the first line of defense for your network, you must ensure that your security policy provides additional coverage.

To ensure that your firewall provides the protection that you need, review these security concepts:
• Trusted networks
• Security policies
• Security services
• Network security objectives
• Network security considerations
• Types of Internet attacks
• Firewall security principles
Trusted networks

Any network over which you control the security policies is a trusted network. In a trusted network, you (or your organization) can physically configure and audit the computers to ensure that your organization's security policy is implemented and enforced.

Any network over which you do not have this level of control should be considered an untrusted network. You (or your organization) cannot verify the security practices of any other network. Therefore, you must assume that the other network is not secure and treat traffic from it accordingly. Otherwise, you add a level of risk to your own network operations: if someone compromises the other network's security, your own network is vulnerable. You have no way of auditing that system to ensure its integrity, and no way of protecting yourself if someone on that system attempts to attack your network.

Understanding security policies

A security policy is a written document that defines the security controls that you institute for your computer systems. A security policy also describes the risks that you intend these controls to minimize. Additionally, a security policy defines what actions should be taken if someone breaches your security controls.

The most important rule that your security policy should express is: anything that is not explicitly permitted should, by default, be denied. In other words, actions that you do not specifically allow should be automatically disallowed. This makes it less likely that new types of attack get past your defenses, even though you may have no knowledge of them and nothing in your security controls that defends specifically against them.

A security policy contains such rules as who can have access to certain services or which services can be run from a given computer. The policy also contains information about what processes and controls you have instituted to enforce these rules.
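The default-deny rule, carried into a small first-match packet filter. This is an added example written for this page; it is not IBM Firewall for AS/400 code and does not use that product's rule syntax. The interface names ("secure" and "nonsecure"), the 192.168.10.0/24 secure network, the 203.0.113.5 mail relay address, the rule fields and the sample packets are all assumptions constructed for the illustration. Rules are consulted in order and the first match wins; a packet that matches no rule is denied. Before any rule is consulted, a packet that arrives on the non-secure interface but claims a source address inside the secure network is dropped, which is the anti-spoofing check that the IP spoofing topic later in this chapter calls for.

```python
"""First-match packet filter with an implicit default-deny rule.

Added example for this page; it is not IBM Firewall for AS/400 code, and the
rule fields, interface names ("secure"/"nonsecure"), addresses and sample
packets are assumptions constructed for the demonstration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Address space on the secure side of the firewall (assumed for the example).
INTERNAL_NETS = [ip_network("192.168.10.0/24")]
# Address of the mail relay reachable from the non-secure side (assumed).
MAIL_RELAY = "203.0.113.5/32"


@dataclass(frozen=True)
class Packet:
    iface: str                    # interface the packet arrived on: "secure" or "nonsecure"
    src: str                      # source IP address
    dst: str                      # destination IP address
    proto: str                    # "tcp", "udp" or "icmp"
    dport: Optional[int] = None   # destination port; None for protocols without one


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                   # "permit" or "deny"
    iface: Optional[str] = None   # None means any interface
    src: Optional[str] = None     # CIDR; None means any source
    dst: Optional[str] = None     # CIDR; None means any destination
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        """Every field that is set must agree; unset fields match anything."""
        if self.iface is not None and self.iface != pkt.iface:
            return False
        if self.src is not None and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def is_spoofed(pkt: Packet) -> bool:
    """Anti-spoofing check: a packet arriving on the non-secure interface must
    never carry a source address that belongs to the secure network."""
    if pkt.iface != "nonsecure":
        return False
    return any(ip_address(pkt.src) in net for net in INTERNAL_NETS)


# Only the services the policy explicitly needs are permitted: outbound HTTP
# and SMTP from the secure network, and inbound SMTP to the mail relay.
# Nothing permits TELNET, so it falls through to the default deny.
RULES: List[Rule] = [
    Rule("out-http", "permit", iface="secure", src="192.168.10.0/24", proto="tcp", dport=80),
    Rule("out-smtp", "permit", iface="secure", src="192.168.10.0/24", proto="tcp", dport=25),
    Rule("in-smtp-to-relay", "permit", iface="nonsecure", dst=MAIL_RELAY, proto="tcp", dport=25),
]


def decide(pkt: Packet, rules: List[Rule] = RULES) -> Tuple[str, str]:
    """Return (action, reason): anti-spoof check first, then first matching
    rule, and "deny" for anything no rule permits."""
    if is_spoofed(pkt):
        return ("deny", "anti-spoof")
    for rule in rules:
        if rule.matches(pkt):
            return (rule.action, rule.name)
    return ("deny", "default-deny")


if __name__ == "__main__":
    # Constructed sample traffic, not captured data.
    samples = [
        Packet("secure", "192.168.10.20", "198.51.100.7", "tcp", 80),    # permit: out-http
        Packet("secure", "192.168.10.20", "198.51.100.7", "tcp", 23),    # deny: TELNET never permitted
        Packet("nonsecure", "198.51.100.7", "203.0.113.5", "tcp", 25),   # permit: in-smtp-to-relay
        Packet("nonsecure", "192.168.10.20", "203.0.113.5", "tcp", 25),  # deny: internal source from outside
        Packet("nonsecure", "198.51.100.7", "203.0.113.5", "icmp"),      # deny: no rule for ICMP
    ]
    for pkt in samples:
        action, reason = decide(pkt)
        print(f"{pkt.iface:9} {pkt.src:15} -> {pkt.dst:15} {pkt.proto}/{pkt.dport}: {action} ({reason})")
```

The rule set permits only what the policy names; TELNET and ICMP from outside reach the end of the list and are denied without any rule mentioning them. A real stateless filter would also need entries for the reply packets of the permitted connections, which are omitted here to keep the policy readable.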
If you connect to the Internet, your security policy should stipulate that you install and use a firewall to control access to and from the Internet.

Once you create a security policy, you must ensure that it is put into effect. This may involve establishing more restrictive password rules, installing and running virus protection software, holding classes to educate users on security rules, and so on.

Security services

The National Institute of Standards and Technology (NIST) defines five major security services. While a firewall provides security for your network, a firewall does not generally provide all of these NIST security services. To completely protect your network, your security policy should address each of them as well:

Authentication
  Assurance that the resource at the other end of the session is really what it claims to be.
Access control
  Assurance that the resource requesting access to data or a service has authorization to access the requested data or service.
Integrity
  Assurance that the information that arrives is the same as the information that was sent.
Confidentiality
  Assurance that sensitive information is not visible to an eavesdropper. (Encryption is the primary way to ensure confidentiality.)
Nonrepudiation
  Assurance that a transaction can be proven to have taken place. Nonrepudiation is also called accountability.

Firewalls cannot provide all of these security services. Therefore, you should ensure that you have additional security functions to provide these security services for your network.

Network security objectives

Although the network security objectives that you develop depend on your particular situation, there are some general objectives you should consider:
• Protect your resources:
  – Your Internet servers
  – Your internal network, workstations, and systems
  – Your data
  – Your company image
• Provide your customers with safe Internet transactions. Ensure that the following conditions are in place:
  – Communicating parties can identify each other (authentication).
  – Unintended parties cannot read information exchanged between parties (confidentiality).
  – Unauthorized parties cannot alter data (integrity).
  – Participating parties cannot repudiate transactions (accountability).

Your security policy should describe how you will fulfill these objectives.

Network security considerations

Whenever you create a security policy, you must balance providing services against controlling access to functions and data. With networked computers, security is more difficult because the communication channel itself is open to attack. Although there are several types of Internet attacks, you can characterize such attacks in two ways:

Passive attacks
  These attacks are difficult to detect and involve someone tapping or tracing communications. Sniffing is an example of a passive attack. You should assume that someone is eavesdropping on every communication that you send across the Internet or any other untrusted network.
Active attacks
  These attacks involve someone trying to break into or take over your computer. Spoofing is an example of an active attack.

You may be certain that no one has compromised your own machines. However, you cannot be certain about the machines at the other end of the connection. Realistically, you must extend your circle of trust to some of those machines or not use the Internet at all.

It may seem that once you start thinking about computer security, you reach a point where nothing seems safe anymore. Is this justifiable? After all, we do not (usually) worry about people tapping our telephone conversations or reading our mail. We happily send credit card numbers, private messages, gossip, and scandal over those media. The difference with the Internet is that the carrier is not a regulated, well-defined entity. In fact, you have no idea through whose computers your message passes on the way to its destination.

Types of Internet attacks

There are several kinds of passive or active attacks of which you should be aware. These are among the most common:
• Sniffing
• Internet Protocol (IP) spoofing
• Denial of service

Sniffing

Computer criminals (crackers) use a technique called sniffing to acquire information that they can use to break into your systems. Sniffing programs can "overhear" critical unencrypted data that passes over the Internet, such as user IDs and passwords. A cracker can take the captured information and use it to gain access to your network.

To protect your network from sniffing attacks, take these security measures:
• Use your firewall filtering rules to control which packets come into your network. The filter rules can ensure that packets from external hosts do not pass through the firewall to internal systems unless you have explicitly permitted them.
• Use a firewall to translate the internal host names and addresses of any outgoing traffic to the name and address of the firewall. This hides such critical information from outside users and sniffing programs.
• Educate your users about the risk of using their internal passwords and user IDs to access external hosts. If they do so, attackers could capture this information from the external hosts and use it if they successfully break into your system. State in your security policy that users must use different user IDs and passwords on external untrusted systems.

Internet Protocol (IP) spoofing

Generally, when you set up a network, you assume that you can trust any given host on that network.
Consequently, a network host does not usually require authentication from other hosts on the same network that communicate with it. When you eliminate authentication between hosts, you provide easier and faster communications within the network. However, you should require authentication from hosts outside your network. You cannot assume that you can trust these hosts to be who they say they are.

In an Internet Protocol (IP) spoofing attack, an untrusted external host impersonates a trusted, known host on your network. This impersonation allows the host to bypass your security controls to connect to your network. The impersonation is successful because the external host uses an IP address of a known host on your network. Because the external host uses an internal network address, other hosts on the network communicate with it without requiring authentication.

To prevent IP spoofing, take these security measures:
• Avoid using IP addresses as a means of authenticating the source of a communication. This ensures that a "correct" IP address alone is not sufficient to gain access to your resources.
• Require a password or more secure authentication to access a host, regardless of the origin of the request for access.
• Use encrypted authentication methods.
• Use a firewall to ensure that the originator of a connection is not using IP source routing to impersonate another system, and to discard packets that arrive on the untrusted interface but carry an internal source address. This helps ensure that a requesting host's identity is authentic.
• Use your firewall to conceal all your internal network IP addresses from outsiders. Typically, a firewall uses a single IP address for all outbound transactions, regardless of the internal IP address of the user. The firewall routes the inbound replies to the correct internal host.

The security measures that you use to defend against IP spoofing depend on several factors. These factors include your analysis of the risk your network faces from this type of attack, the amount of money you are willing to spend, and the amount of convenience you are willing to trade for better security.

Denial of service

A denial of service occurs when an attack brings down one or more hosts on your network such that the hosts are unable to perform their functions properly. This type of attack can affect entire networks. Although it is difficult to predict the form that a denial of service may take, the following examples illustrate how such an attack can affect your network:
• A rogue packet enters your network and interferes with normal operations because it cannot be processed appropriately.
• Traffic flooding (such as a large number of bogus mail messages) overtaxes your mail server's processing capabilities, stopping further network traffic.
• A router is attacked and disabled, thereby partitioning your network.
• A virus is introduced that ties up significant amounts of processing resources.
• Devices meant to protect the network, such as the firewall or a router, are subverted.

Firewall security principles

You should follow these principles when you set up a firewall:
• Develop a written network security policy and follow it. The firewall can implement many aspects of your security policy and become a part of a network security solution.
• Make sure that the only connection to the Internet (or other untrusted network) is through the firewall. Be sure to include any dial-up connections. The firewall should provide a chokepoint, forcing all traffic to and from the Internet to flow through it. Any traffic that bypasses the firewall increases the risks to your network substantially.
• Allow only those activities that you expressly permit. For example, permit only the TCP/IP services that you need (such as HTTP and e-mail) rather than all TCP/IP services. This limits the number of security exposures that you must monitor and take precautions against.
• Keep it simple. Configuration errors are a major source of security holes. The firewall should hold only the security policy information that it needs, so that its configuration stays as simple as possible.
• Do not allow any direct TCP/IP connections between applications on internal systems and servers on the Internet (or other untrusted network). A direct connection allows the server to learn information about the client system. The server can try to trick the client into performing an inappropriate action by sending certain responses.
• Never trust information from untrusted systems. The routing table update that you receive from a neighboring router may redirect your network traffic to an unintended destination. Be aware that another system can impersonate a secure system. When attackers use this type of attack, they impersonate a trusted, known host on your network. This impersonation, also called IP spoofing, allows the host to bypass your security controls to connect to your network.

While these principles are good in theory, as with all security policies, they should be tempered with reality. In some cases, such as when you use a production system to run a public Web server for e-commerce, you should place the public server behind the firewall to protect it and the data it contains. You can then carefully open a hole in the firewall to allow only the necessary traffic to flow between the Web server and the Internet.

Understanding TCP/IP, networking, and the Internet

The Internet uses TCP/IP as its only communications protocol. Therefore, if you connect to the Internet, you must use TCP/IP for your connection. To successfully work with TCP/IP, you must have a basic understanding of what TCP/IP is, how it works, and how it affects your network.

For some basic background information about TCP/IP and the network structure, review these topics:
• TCP/IP addressing and structure
• How masks affect IP addressing
• Understanding subnets

TCP/IP addressing and structure

You must understand the structure and addressing system that TCP/IP uses. This knowledge is essential in order to successfully set up TCP/IP networks, define filter rules for firewalls, and follow packet routing through the network. To learn more about TCP/IP addressing, review these basic explanations of key terms and concepts:
• TCP/IP
• Hosts
• Understanding the Internet Protocol (IP) address format
• IP address classes
• IP addresses reserved for private intranet use

Transmission Control Protocol/Internet Protocol (TCP/IP)

Transmission Control Protocol/Internet Protocol (TCP/IP) is a set of network protocols that connects networks. TCP/IP allows computers to share resources and exchange information across a network.
TCP/IP allows hosts to communicate with each other regardless of the host's or user's physical location, the operating system, or the network medium. TCP/IP operates in many different network environments, including the Internet and corporate intranets.

Transmission Control Protocol (TCP) provides reliable host-to-host transmission. TCP takes a stream of data and breaks it into segments. It sends each segment individually by using Internet Protocol (IP) and then reassembles the segments into the original stream. If the transmission loses or damages any segments, TCP detects this and re-sends them.

IP routes data from its source to its destination. IP is responsible for routing packets from one host to another host. The other host can be on the same network or on another network.

Hosts

In Internet terms, a host is any system or adapter connected to a network. The term does not imply any particular type of system. A host can be a client, a server, or both, depending on the applications that you run on the system.

A dual-homed or multi-homed host is a system that has more than one connection into the network. A two-port Integrated PC Server is an example of a dual-homed host.

Understanding the Internet Protocol (IP) address format

Internet Protocol (IP) uses a 32-bit, two-part logical address. The 32 bits consist of four octets (eight bits per octet). One part of the logical address is the network address and the other is the host address. You define each part of the address to TCP/IP by using a 32-bit binary mask that you apply to the address. The network portion of the address is indicated by a "1" in each bit of the mask that represents the network portion. The host portion of the address is indicated by a "0" in each remaining mask position.

The following table uses a mask to illustrate which portion of an IP address is for the host versus the network in an unsubnetted Class C address. The first three octets (mask bits set to 1) are the network portion; the fourth octet (mask bits set to 0) is the host portion.

Table 1. Internet address structure

                   Octet 1    Octet 2    Octet 3    Octet 4    Dotted decimal
  32-bit address   11010000   11011110   10010110   00001011   208.222.150.11
  Network mask     11111111   11111111   11111111   00000000   255.255.255.0

The network portion of the address must be contiguous, starting at the left side of the address and moving to the right. The network mask is ANDed with the IP address to generate the network address. The address and the mask are written in dotted decimal format; each portion of the decimal format allows a maximum value of 255. You derive the decimal format by converting each octet to its decimal value.

If the IP address is 208.222.150.11, for example, the network address part of the address is 208.222.150.0, and the host part of the address is 11. The host portion of the address cannot be all "1"s or all "0"s. TCP/IP reserves these two values: the all-zeros host value names the network itself (208.222.150.0), and the all-ones host value is the broadcast address for that network (208.222.150.255). The full IP address of 208.222.150.11 is commonly referred to as the address of the system (although the address actually describes the host interface).
While this works with a simple system, multi-homed systems must have multiple addresses because they have multiple interfaces.

Internet Protocol (IP) address classes

Three classes of Internet Protocol (IP) addresses (A, B, and C) are in common use today; classes D and E are also defined. The address class determines how many hosts can exist on a network. You can use the value of the first octet to determine the class of network. The possible values for the first octet are:

- Class A (address range 0 - 127):
  - 127 networks with up to 16,777,216 hosts each.
  - Intended for use with a large number of hosts.
  - Network mask is 255.0.0.0.
- Class B (address range 128 - 191):
  - 16,384 networks with up to 65,536 hosts each.
  - Intended for use with a moderate number of hosts.
  - Network mask is 255.255.0.0.
- Class C (address range 192 - 223):
  - 2,097,152 networks with up to 254 hosts each (0 and 255 are reserved).
  - Intended for use with a smaller number of hosts.
  - Network mask is 255.255.255.0.
  - Most common address type issued by an Internet Service Provider (ISP).
- Class D and E (address range 224 - 255):
  - The Internet Assigned Numbers Authority (IANA) has reserved these classes for future use.

Internet Protocol (IP) addresses reserved for private intranet use

The Internet Assigned Numbers Authority (IANA) reserves three blocks of the Internet Protocol (IP) address space for private intranets. The following table shows which address blocks IANA reserves.

Table 2. Addresses reserved for private Internet (intranet) use

Class of network   Start of address block   End of address block
A                  10.0.0.0                 10.255.255.255
B                  172.16.0.0               172.31.255.255
C                  192.168.0.0              192.168.255.255

Although these addresses cannot route through the Internet, you can use them for your internal network. Refer to RFC 1918 for more details about Internet recommendations for private addresses.

How masks affect Internet Protocol (IP) addressing

A mask is a pattern or template that you apply to an Internet Protocol (IP) address to specify which bits are significant and which bits are irrelevant. When you apply a mask to an IP address, you perform a bitwise "AND" operation. You then use the product of the operation to perform some type of test. You can use masks in TCP/IP to define networks, to route packets, and to write filter rules.

In TCP/IP, a mask consists of 32 bits (four octets). To make it easier to read, you write the mask in dotted decimal format (for example, 255.255.255.240). In the mask, a "1" (one) bit defines the significant positions and a "0" (zero) bit defines the irrelevant positions.

Masks usually specify a range; however, you can use a mask of all ones to specify a single value. By specifying a range, you can apply a single rule, network interface definition, or routing entry to many individual host addresses. When you create fewer entries to define one of these items, you are less likely to introduce errors.
When you add a TCP/IP address to an interface, you also specify a subnet mask. TCP/IP applies the subnet mask to the address and calculates the range of addresses that are local to this adapter. When TCP/IP has packets for one of these local addresses, it tries to communicate directly with the interface assigned to the address by using the local link. If TCP/IP cannot establish the connection, TCP/IP checks the routing table to look for another route to the address.

To define a route, you enter the destination address, subnet mask, and the next hop address. TCP/IP applies the subnet mask to the destination address. TCP/IP then calculates the range of addresses that can be reached through this next hop. When TCP/IP has packets for one of these addresses, it forwards the packet to the system (usually a router) at the next hop address. The next hop system either delivers the packet to a local host or forwards the packet to yet another hop. Or, the system may generate a non-delivered message because the packet cannot be forwarded due to bad routing information.

If you want a specific address to be routed to a specific next hop, specify the host address and a subnet mask of 255.255.255.255 (all "1"s). This means that this route applies only to the one specific host address.
When you write filter rules, you may specify a mask to apply to the "from" address and a mask to apply to the "to" address. The firewall applies these masks to the source and destination addresses in the packet. The firewall then compares the result to the from address and to address value in the filter rule. This allows you to write a single rule that applies to a large number of hosts. If you want the rule to apply to a single host, use the value 255.255.255.255 (all "1"s) in the appropriate mask field.

To better understand the effect that applying a mask has on an IP address, see Example: Performing an "AND" operation on an address and mask.

Example: Performing an "AND" operation on an address and mask

You perform an "AND" operation when you apply Boolean algebra to the binary representation of both the Internet Protocol (IP) address and the mask. The rules of an "AND" state that, if both digits are a "1" (one), then one is the product. If either digit is a "0" (zero), then zero is the product.

In the following example (see Figure 2), you perform an "AND" on the address 208.222.150.11 with the mask 255.255.255.240. This operation results in an address of 208.222.150.0. In this mask, the four right-most bits are not significant (they have a value of zero). Therefore, 208.222.150.0 is the result when you apply the mask to every address between 208.222.150.0 and 208.222.150.15. When you reach 208.222.150.16, the last octet of the address is 00010000. When you complete the "AND" operation with the mask for the address, the result is 208.222.150.16. When you apply the mask to any address in the range 208.222.150.16 through 208.222.150.31, the result is a value of 208.222.150.16.

Figure 2. ANDing an address

Understanding subnets

A subnet is a physical segment of a local area network (LAN). Most networks are divided into smaller network segments by using subnets to take advantage of better address distribution and better traffic distribution.
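The mask arithmetic of the preceding sections (network/host split, address class by first octet, the "AND" of 208.222.150.11 with 255.255.255.240, and a filter rule that masks the "from" and "to" addresses) as an added worked example. This is not code from the manual or from IBM Firewall for AS/400; the function names and the rule dictionary layout are the example's own, and the rule shown is constructed for illustration.

```python
"""Added example (not from the IBM manual): applying a 32-bit mask to an
IPv4 address with a bitwise AND, as used for network addresses, routes and
filter rules."""
import ipaddress


def to_int(dotted: str) -> int:
    """Dotted-decimal notation -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def to_dotted(value: int) -> str:
    """32-bit integer -> dotted-decimal notation."""
    return str(ipaddress.IPv4Address(value))


def to_binary(dotted: str) -> str:
    """Render an address or mask as four binary octets (as in Table 1)."""
    value = to_int(dotted)
    return " ".join(f"{(value >> shift) & 0xFF:08b}" for shift in (24, 16, 8, 0))


def apply_mask(address: str, mask: str) -> str:
    """Bitwise AND: a 1 bit in the mask keeps the address bit, a 0 bit clears it."""
    return to_dotted(to_int(address) & to_int(mask))


def split_address(address: str, mask: str) -> tuple[str, int]:
    """Return (network address, host number) for an address under a mask."""
    net = to_int(address) & to_int(mask)
    host = to_int(address) & ~to_int(mask) & 0xFFFFFFFF
    return to_dotted(net), host


def address_class(address: str) -> str:
    """Classful lookup by the value of the first octet."""
    first = to_int(address) >> 24
    if first <= 127:
        return "A"
    if first <= 191:
        return "B"
    if first <= 223:
        return "C"
    return "D/E"


def rule_matches(rule: dict, src: str, dst: str) -> bool:
    """A filter rule carries a from/to address and a mask for each side.
    The masks are applied to the packet's source and destination and the
    results are compared with the rule's addresses; a mask of
    255.255.255.255 pins the rule to exactly one host (hypothetical rule layout)."""
    return (apply_mask(src, rule["from_mask"]) == rule["from"]
            and apply_mask(dst, rule["to_mask"]) == rule["to"])


if __name__ == "__main__":
    print(to_binary("208.222.150.11"), "AND", to_binary("255.255.255.240"))
    print("=", apply_mask("208.222.150.11", "255.255.255.240"))
    for last in (0, 15, 16, 31):
        addr = f"208.222.150.{last}"
        print(addr, "->", apply_mask(addr, "255.255.255.240"))
```

Running the block prints the two binary operands and then shows that every address from .0 to .15 masks to 208.222.150.0 while .16 to .31 mask to 208.222.150.16, which is the boundary behaviour the text describes.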
You create subnets by applying subnet masks to the network portion of your Internet Protocol (IP) addresses.
Each subnet has a unique network address. When you subnet your network, you use routers to join the subnets to form a complete network. Each router contains information that allows it to send the network traffic to the correct subnet of the network.

When you install a firewall, you may need to subnet your network. You should review these topics first:

- Why you may need to subnet your network
- Creating subnets
- Determining the number of subnets that you need in your network

Why you may need to subnet your network

A subnet is a physical segment of a local area network (LAN). There are several reasons to subnet a network:

- You have more than one type of physical network segment installed in the network.
- You expect a large number of hosts in your network, which requires splitting a network into smaller networks for improved network performance.
- Your network covers a large physical area. Growing distances require splitting a network into smaller networks with routers between them. This reduces collisions caused by propagation delay in a large network segment.

You assign subnet addresses to your network locally. After subnetting, your entire network appears as one IP network to the outside world and your routers handle the traffic flow in your network.

The firewall Integrated Netfinity Server has two physical LAN adapters, as well as the AS/400 *INTERNAL attachment, which functions as an internal LAN adapter. Each of these adapters is in a separate subnet because it is connected to a different physical segment of the network.

Creating subnets

Your Internet service provider (ISP) provides you with a network address and a network mask. (In most implementations of TCP/IP, the network mask is also referred to as a subnet mask.) In some cases, the ISP provides you with a complete class C address, which allows you to have up to 254 hosts on your network. In other cases, the ISP provides you with a portion of a class C network address.
The ISP also provides you with a subnet mask. Before you can subnet your network, you must determine the following values:

1. How many subnets you need in your network.
2. What your current subnet mask is.
3. What your current network address is.

Determining the number of subnets you need in your network

To create subnets for your network, you must first determine how many subnets you need. You can use the table below to help you make this determination. The number of subnets that you need is based on the number of hosts that you have in a subnet.

To create subnets for your network, follow these steps:

1. Determine how many subnets you need for your desired network configuration.
2. Use the table to determine the number of subnets that you must actually create to obtain the number of subnets that you need.
   If the number of subnets you need is not a power of two, you must round up the number to the next power of two. You must round up because the mask that you apply to the address is binary. For example, if you determine that you need two subnets, then the final number of subnets that you need is two. If you determine that you need three subnets, then the final number of subnets that you need is four (the next power of two).
3. Use Table 3 to determine the values that you need to create a subnet mask.
4. Apply the subnet mask to your Internet Protocol (IP) address range. Applying a subnet mask allows you to create the specific subnet addresses that you need.
5. Use Table 3 to determine the decimal value of the last octet in each subnet.
6. Use Table 3 to determine the number of hosts that you can have in each subnet.

Table 3. Possible subnet masks and values

Power of 2 | Number of | Last octet of subnet | Last octet of subnet | Last octet of network values    | Hosts per
required   | subnets   | mask (binary)        | mask (decimal)       | (n.n.n.X) in a class C network  | segment
0          | 1         | 00000000             | 0                    | 0                               | 254
1          | 2         | 10000000             | 128                  | 0,128                           | 126
2          | 4         | 11000000             | 192                  | 0,64,128,192                    | 62
3          | 8         | 11100000             | 224                  | 0,32,64,96,128,160,192,224      | 30
4          | 16        | 11110000             | 240                  | 0,16,32,...,240 (step by 16)    | 14
5          | 32        | 11111000             | 248                  | 0,8,16,24,...,248 (step by 8)   | 6
6          | 64        | 11111100             | 252                  | 0,4,8,12,...,252 (step by 4)    | 2
7          | 128       | 11111110             | 254                  | Not valid for class C subnet    | 0
8          | 255       | 11111111             | 255                  | This is a host address          | N/A

For examples of how to subnet a network, review the topic Example: Further subnetting an already subnetted network.

Example: Further subnetting an already subnetted network

In this example, you have a network address that is already a subnet itself. You examine your configuration and determine that you need two subnets. You need one subnet for the non-secure port of the firewall and one for the public-secure network in which your public server resides. The Internet service provider (ISP) gave you part of a class C address.
This network address is 208.222.150.248 with a subnet mask of 255.255.255.248. This means that you have six host addresses available. You need one of these for the ISP router, which leaves you with five to distribute.
Table 4. Possible subnet masks and values

Power of 2 | Number of | Last octet of subnet | Last octet of subnet | Last octet of network values    | Hosts per
required   | subnets   | mask (binary)        | mask (decimal)       | (n.n.n.X) in a class C network  | segment
0          | 1         | 00000000             | 0                    | 0                               | 254
1          | 2         | 10000000             | 128                  | 0,128                           | 126
2          | 4         | 11000000             | 192                  | 0,64,128,192                    | 62
3          | 8         | 11100000             | 224                  | 0,32,64,96,128,160,192,224      | 30
4          | 16        | 11110000             | 240                  | 0,16,32,...,240 (step by 16)    | 14
5          | 32        | 11111000             | 248                  | 0,8,16,24,...,248 (step by 8)   | 6
6          | 64        | 11111100             | 252                  | 0,4,8,12,...,252 (step by 4)    | 2
7          | 128       | 11111110             | 254                  | Not valid for class C subnet    | 0
8          | 255       | 11111111             | 255                  | This is a host address          | N/A

Based on the information in Table 4, you need to add another "1" to the current mask, as shown in Table 5.

Table 5. Splitting an existing subnet

Convert the existing mask to binary          255.255.255.248  ->  11111111 11111111 11111111 11111000
Change the first zero in the mask to a one                        11111111 11111111 11111111 11111100
Convert the mask back to decimal             255.255.255.252

To do this, you must:

1. Convert the existing mask to binary.
2. Change the first zero in the mask to a one.
3. Convert the mask back to decimal.

The results of the conversion operation provide two sets of addresses. You can use one set of addresses on the perimeter (non-secure) network. You can use the other set of addresses for the *INTERNAL port of the Integrated PC Server. The hosts in the first subnet have addresses of 208.222.150.249 and 208.222.150.250. The hosts in the other subnet have addresses of 208.222.150.253 and 208.222.150.254. If you need more than two systems on the perimeter network, this solution will not work. You must obtain a larger range of addresses from your ISP.

IBM Firewall for AS/400 features

IBM Firewall for AS/400 is an application gateway firewall and a circuit gateway firewall. You can use one or both types of functions.
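The subnetting procedure above (rounding the subnet count up to a power of two, reading off the Table 3 row, and the Table 5 split of 208.222.150.248/255.255.255.248 into two subnets) as an added worked example. It is not code from the manual; it uses the Python standard library's ipaddress module, the function names are the example's own, and the 192.0.2.0 class C base network used to generate table rows is a constructed documentation address.

```python
"""Added example (not from the IBM manual): computing the subnet-mask table
rows and splitting an existing subnet by turning the first 0 bit of the
mask into a 1."""
import ipaddress
import math


def subnets_needed(wanted: int) -> tuple[int, int]:
    """Round the number of subnets up to a power of two.
    Returns (power of two required, resulting number of subnets)."""
    if wanted < 1:
        raise ValueError("need at least one subnet")
    power = math.ceil(math.log2(wanted))
    return power, 2 ** power


def subnet_table_row(power: int) -> dict:
    """One row of the manual's Table 3 for a class C (/24) network.
    192.0.2.0/24 is a constructed base network used only to enumerate
    the last-octet values."""
    bits = 24 + power
    last_octet_mask = ((0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF) & 0xFF
    base = ipaddress.IPv4Network("192.0.2.0/24")
    values = [int(s.network_address) & 0xFF for s in base.subnets(prefixlen_diff=power)]
    # The all-0s and all-1s host parts are reserved, so two addresses are lost per subnet.
    hosts = max(2 ** (32 - bits) - 2, 0)
    return {
        "power": power,
        "subnets": len(values),
        "mask_binary": f"{last_octet_mask:08b}",
        "mask_decimal": last_octet_mask,
        "last_octet_values": values,
        "hosts_per_subnet": hosts,
    }


def split_subnet(network: str, mask: str) -> list[dict]:
    """Table 5: lengthen the mask by one bit and list the two resulting
    subnets with their usable host addresses."""
    current = ipaddress.IPv4Network(f"{network}/{mask}")
    halves = []
    for sub in current.subnets(new_prefix=current.prefixlen + 1):
        halves.append({
            "network": str(sub.network_address),
            "mask": str(sub.netmask),
            "hosts": [str(h) for h in sub.hosts()],
        })
    return halves


if __name__ == "__main__":
    print("need 3 subnets ->", subnets_needed(3))
    for p in range(0, 9):
        row = subnet_table_row(p)
        print(row["power"], row["subnets"], row["mask_binary"],
              row["mask_decimal"], row["hosts_per_subnet"])
    for half in split_subnet("208.222.150.248", "255.255.255.248"):
        print(half["network"], half["mask"], half["hosts"])
```

The split reproduces the manual's result: 208.222.150.248/255.255.255.252 with hosts .249 and .250, and 208.222.150.252/255.255.255.252 with hosts .253 and .254. The table generator also shows why the 7- and 8-bit rows yield no usable hosts once the reserved host values are removed.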
The firewall product provides a number of technologies that you can use to protect your internal network, including:

- Internet Protocol (IP) packet filtering for TCP, UDP, and ICMP packets
- Network address translation (NAT) services
- SOCKS server
- Proxy server for HTTP, HTTPS, FTP, and Gopher for Web browsers
- TELNET proxy
- Mail relay
- Split domain name services (DNS)
- Logging
- Real-time monitoring
- Virtual private network (VPN) services

IBM Firewall for AS/400 consolidates security administration to enforce I/T security policy and minimize the opportunity for security configuration errors. The firewall provides privacy by preventing outsiders from accessing network information through the Internet. You can log traffic to and from the Internet, which allows you to monitor network use and misuse.

Firewall configuration is flexible, which enables support for various security policies. The administrator decides which services the firewall should permit and which the firewall should block. The IBM Firewall for AS/400 software guides the administrator through the basic installation and configuration of the firewall.

The software that the firewall uses resides on a read-only disk. This eliminates the possibility of virus introduction or modification of programs that perform communication security functions. The main processor and firewall communicate over an internal system bus that is not subject to sniffing programs on local area networks. You can set the firewall to issue notifications to the AS/400 system operator (QSYSOPR) when a pre-configured condition on the firewall occurs. The main processor can disable the firewall when it detects tampering, regardless of the state of the firewall.

You can administer the firewall through a Web browser on the internal (secure) network. You can use the Secure Sockets Layer (SSL) for session encryption to protect the administration session. The software authenticates the administrator with OS/400 security support, so you do not need separate user IDs and passwords.

You should install the IBM Firewall for AS/400 on a two-port Integrated Netfinity Server for AS/400.
Configure one port of the Integrated Netfinity Server to connect the firewall to your internal secure network. Configure the other port to connect the firewall to the Internet or other untrusted network. The firewall can distinguish which network (trusted or untrusted) sent an IP packet. The firewall can also distinguish which port is the appropriate port for the originating packets on each network. Consequently, the firewall is not susceptible to spoofing attacks in which untrusted hosts try to masquerade as trusted ones.

The AS/400 system operator receives notifications (in the QSYSOPR message queue) when important firewall events occur, such as attempted intrusions. The system sends all high severity error messages (Type = Alert) immediately. The system sends lower severity messages (Type = Error, Warning, Information, or Debug) when they reach a user-defined threshold. If the system detects an error condition that may result from tampering (such as the logging function ending), all firewall functions are set to end immediately.

Installing the firewall on an Integrated Netfinity Server separates the processor that you use for application programs from the processor that you use for security programs. This separation eliminates the possibility of the programs interfering with each other. Compromised security programs that are running on the firewall cannot directly affect the AS/400 main processor in functionality or performance.
In addition, the IBM OS/400 TCP/IP protocol stack is completely independent of the TCP/IP stack on the Integrated Netfinity Server. The firewall also has separate storage, which prevents attackers from accessing AS/400 data. This storage is on a read-only disk to eliminate the possibility of virus introduction or modification of programs that perform communication security functions.

You can use the firewall, proxy, or SOCKS servers or NAT to provide internal users with safe access to services on the Internet. The proxy and SOCKS servers break TCP/IP connections at the firewall to hide internal information from the untrusted network. The servers also provide additional logging capabilities. You can use NAT to provide Internet users with easy access to a public server behind the firewall. The firewall still protects your network because NAT hides your internal IP addresses.

The firewall also protects internal information by using two DNS servers, one that you provide on the internal network and one on the firewall. The firewall name server contains names visible to the untrusted network only, such as an external Web server. The firewall name server resolves outside names in response to requests from the internal name server. Your internal name server contains only the names of the internal network. Your internal name server forwards requests that it cannot resolve to the firewall name server. The firewall DNS server does not provide name serving functions for the internal network.

You are not required to have an internal DNS server to successfully implement a firewall. However, having one makes client configuration easier because you do not have to maintain host tables on each system. OS/400 includes DNS support, which you should use for your internal network.

The firewall protects your internal mail server from attack by providing a mail relay function.
The mail relay function passes mail between an external mail server on the firewall and an internal one. The firewall translates addresses of outgoing mail to the public address of the firewall secure port. This translation hides any internal information from the untrusted network.

The firewall also provides VPN technology so that you can set up encrypted sessions between your firewall and other compatible firewalls.

IBM Firewall for AS/400 components

A firewall consists of a set of software components, each of which provides particular security features for your network. Which components you use depends on your security needs. These components work together to provide your network traffic security controls. Because they are interdependent, each component works with and affects the other components.

Review these topics to get the details that you need to work with firewall components and common firewall configurations:

- Internet Protocol (IP) packet filtering for TCP, UDP, and ICMP packets
- Network address translation (NAT) services
- Proxy server for HTTP, HTTPS, FTP, and Gopher for Web browsers
- Proxy server for TELNET (not through a Web browser)
- SOCKS server
- Mail relay service
- Split Domain Name Services (DNS)
- Audit and event reporting services
- Virtual private network (VPN) services
IBM Firewall for AS/400 Internet Protocol (IP) packet filtering component

Internet Protocol (IP) packet filtering is the core protection mechanism of a firewall. Packet filters are sets of rules that limit IP packet flow into or out of a secure network (Figure 3). As the firewall administrator, you define policies that determine which packets the firewall should permit or deny access into your network. You can then use the firewall administration facility to institute these policies as filter rules that your firewall can use. If there is no matching rule, the firewall has a built-in default rule to deny the packet access and discard the packet.

You can have your firewall use any of the following packet data to filter packets:

- Source IP address
- Destination IP address
- Protocol (TCP, UDP, and ICMP)
- Acknowledge (ACK) flag
- Source port
- Destination port
- Direction (inbound, outbound, or both)
- Network interface (secure port, non-secure port, or both)
- Whether the packet is a fragment

Figure 3. Packet filters control traffic between your network and the untrusted network

The dynamic packet filtering technology of the firewall supports RealAudio. However, you must use network address translation (NAT) to allow RealAudio packets to cross the firewall.

You can designate the firewall to log information about the packets it processes. Log records allow you to analyze traffic that flows into and out of your network, as well as traffic that the firewall denies.

Packet filtering is the foundation of a firewall. All other firewall capabilities depend on the packet filtering function. You must have a thorough understanding of what filter rules are and how they work. With this knowledge, you can ensure that your firewall filter rules control traffic into and out of your secure network properly.

These articles describe basic IP packet characteristics and how filter rules control the flow of packets:

- Internet Protocol (IP) filtering and routers
- Internet Protocol (IP)
- Types of Internet Protocol (IP) communications protocols
- Internet Protocol (IP) forwarding
- Well-known ports
- Understanding firewall filter syntax

Internet Protocol (IP) filtering and routers

Although routers can often filter packets, they do not usually provide a logging facility. Without logging, you cannot trace information related to a breach in security, such as where and how the breach occurred. In addition to this limitation, router manufacturers do not use a common set of standards for functions. Consequently, routers from different manufacturers provide different functionality. Some routers provide facilities to prevent Internet Protocol (IP) spoofing and some do not. Some routers can allow access for some client applications (TELNET) but not others (FTP). Routers also do not use a standard syntax for filter rules. You must learn the syntax specific to each router in your network to create filter rules for the routers.

Most routers allow you to filter packets based on at least the following header information:

- Source IP address
- Destination IP address
- Direction of flow (inbound, outbound, or both)

Internet Protocol (IP)

The Internet Protocol (IP) suite is the primary means of organizing communications on the Internet. IP functions include:

- Defining the datagram (basic unit of transmission that is also called a packet)
- Defining the Internet addressing scheme
- Routing datagrams to remote hosts
- Fragmenting and reassembling packets
- Moving data between the network access layer and the host-to-host transport layer

IP packets carry the IP information. Each packet contains a header with identifying information about the packet.
Your firewall can filter IP packets by using the header information. To understand what the IP header contains, see the topic Understanding Internet Protocol (IP) packets.

Understanding Internet Protocol (IP) packets

An Internet Protocol (IP) packet consists of a formatted header and the payload data. The header consists of fields that contain identifying data about the packet. The table below illustrates the IP packet structure. The payload contains the actual information that is transmitted. The payload data may include an additional header that provides session level protocol information (for example, TCP, UDP, and so forth).
Table 6. Internet protocol (IP) packet structure

Version | Length | Type of service | Total length
Identification | Flags | Fragment offset
Time to live | Protocol | Header checksum
Source IP address
Destination IP address
Options | Padding
Data

The important fields for filtering purposes are these:

- Source address
- Destination address
- Fragmentation indicator
- Protocol ID

The firewall uses the source and destination address together with the protocol ID to define which packets may access which service.

Different types of networks support different sizes of packets. Consequently, a router sometimes must break a large packet into fragments to pass it from one network to another. The firewall or receiving router must be aware of the fragmentation. This awareness is necessary because only the first fragment contains the identifying header information for higher layer protocols, such as UDP and TCP. Later fragments can override header fields, such as the source and destination address. The packet fragmentation indicator tells the firewall how to handle fragmented packets.

Attackers can use the weaknesses inherent in fragmentation as a way to infiltrate a network. Therefore, consider configuring the firewall to allow only non-fragmented packets. Refer to RFC 1858, Security Considerations for IP Fragment Filtering, for more information.

Types of Internet Protocol (IP) communications protocols

The Internet Protocol (IP) suite consists of several lower-level communications protocols:

- Internet Control Message Protocol (ICMP)
- Transmission Control Protocol (TCP)
- User Datagram Protocol (UDP)

An extension to IP, called IP security architecture (IPSec), provides security protocols for the TCP/IP network layer. IPSec is an industry (non-IBM) standard.
If you plan to use your firewall to create a virtual private network (VPN) between firewalls, you should be familiar with these IPSec protocols:

- Encapsulating Security Payload (ESP) protocol
- Authentication Header (AH) protocol

Internet Control Message Protocol (ICMP)

The Internet Control Message Protocol (ICMP) communicates errors and other information between hosts. The PING application makes use of the ICMP echo and echo reply functions to provide an easy way to discover whether an address can be reached in the network. ICMP is also used by network components such as routers to pass control information between them. ICMP provides information about transport problems, such as whether a host can be reached or the sender is sending packets too fast.

Table 7 shows the ICMP message format, which consists of three control fields and the message data:
- The Type field describes what type of message is contained in the ICMP datagram.
- The Code field contains the error code reported by the message.
- The Checksum field is generated based upon the entire contents of the ICMP message.
- The message data contains the details of the message. In the case of a redirect message (Type = 5), the message data contains the address of a new router to use.

Table 7. Internet control message protocol (ICMP) message format

Type | Code | Checksum
ICMP data (depending on the type of message)

ICMP messages often provide a means for an attacker to access your network. Consequently, you should prevent most ICMP messages from entering your secure network. For example, an attacker can use PING, with its ability to use ICMP messages, to discover addresses in your secure network. Or, an attacker could use reroute messages in an attempt to capture your data by rerouting your network traffic to an untrusted network. For more information about these and other ICMP functions, see RFC 1700.

Transmission Control Protocol (TCP)

Transmission Control Protocol (TCP) is the main transport layer protocol of the Internet Protocol (IP) suite. The following IP applications are examples of applications that use TCP for a reliable end-to-end connection:

FTP (File Transfer Protocol)
   FTP transfers files between two Internet sites. FTP allows users to access another Internet site to receive and send files.

HTTP (HyperText Transport Protocol)
   This protocol transports hypertext files across the Internet.

TELNET
   This command and application allows you to log in from one Internet site to another.

SMTP (Simple Mail Transport Protocol)
   The main protocol that allows users to send and receive e-mail over the Internet.

TCP takes care of retransmission, duplicate or lost packets, and reordering of packets.
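The IP header fields from Table 6 (source, destination, protocol ID and the fragmentation indicator), the fragment-handling advice that follows it, and the ICMP message format of Table 7, as one added worked example that parses a packet and applies a defensive inbound policy: deny fragments, verify the ICMP checksum, and deny the echo-request (type 8) and redirect (type 5) messages the text singles out. This is not code from the manual; the packet builders, the policy function and its return strings are the example's own, the sample addresses are constructed documentation addresses, and the header checksum of the constructed IP packet is left at zero because nothing is transmitted.

```python
"""Added example (not from the IBM manual): parse an IPv4 header (Table 6),
flag fragments as RFC 1858 advises, parse the ICMP header (Table 7), verify
its checksum and apply a deny-by-default inbound ICMP policy."""
import ipaddress
import struct

ICMP_PROTO = 1
TCP_PROTO = 6
ICMP_ECHO_REPLY = 0
ICMP_REDIRECT = 5
ICMP_ECHO_REQUEST = 8


def parse_ipv4_header(packet: bytes) -> dict:
    """Unpack the fixed 20-byte IPv4 header. A packet is a fragment when
    the More Fragments flag is set or the fragment offset is non-zero."""
    if len(packet) < 20:
        raise ValueError("packet shorter than an IPv4 header")
    (ver_ihl, _tos, total_len, _ident, flags_frag, _ttl, proto,
     _checksum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4 or (ver_ihl & 0x0F) < 5:
        raise ValueError("not a well-formed IPv4 header")
    ihl = (ver_ihl & 0x0F) * 4
    more_fragments = bool(flags_frag & 0x2000)
    offset = (flags_frag & 0x1FFF) * 8
    return {
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "protocol": proto,
        "is_fragment": more_fragments or offset > 0,
        "payload": packet[ihl:total_len],
    }


def icmp_checksum(message: bytes) -> int:
    """RFC 1071 one's-complement sum over the whole ICMP message (pad odd lengths)."""
    if len(message) % 2:
        message += b"\x00"
    total = sum(struct.unpack(f"!{len(message) // 2}H", message))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_icmp(payload: bytes) -> dict:
    """Type, code and checksum from the first four bytes; the rest is message data."""
    if len(payload) < 4:
        raise ValueError("payload shorter than an ICMP header")
    icmp_type, code, checksum = struct.unpack("!BBH", payload[:4])
    zeroed = payload[:2] + b"\x00\x00" + payload[4:]
    return {"type": icmp_type, "code": code, "data": payload[4:],
            "checksum_ok": icmp_checksum(zeroed) == checksum}


def inbound_decision(packet: bytes) -> str:
    """Hypothetical policy for packets arriving on the non-secure port."""
    hdr = parse_ipv4_header(packet)
    if hdr["is_fragment"]:
        return "deny: fragment"
    if hdr["protocol"] == ICMP_PROTO:
        icmp = parse_icmp(hdr["payload"])
        if not icmp["checksum_ok"]:
            return "deny: bad ICMP checksum"
        if icmp["type"] in (ICMP_ECHO_REQUEST, ICMP_REDIRECT):
            return f"deny: ICMP type {icmp['type']}"
        return "permit: ICMP"
    return "continue: protocol-specific rules"


def build_icmp(icmp_type: int, code: int, data: bytes) -> bytes:
    """Constructed ICMP message with a correct checksum."""
    body = struct.pack("!BBH", icmp_type, code, 0) + data
    return struct.pack("!BBH", icmp_type, code, icmp_checksum(body)) + data


def build_ipv4(src: str, dst: str, proto: int, payload: bytes,
               more_fragments: bool = False, offset: int = 0) -> bytes:
    """Constructed IPv4 packet; header checksum left zero (never sent)."""
    flags_frag = (0x2000 if more_fragments else 0) | (offset // 8)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, flags_frag,
                         64, proto, 0, ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header + payload


if __name__ == "__main__":
    outside, inside = "198.51.100.9", "192.168.1.10"   # constructed addresses
    print(inbound_decision(build_ipv4(outside, inside, ICMP_PROTO, build_icmp(ICMP_ECHO_REQUEST, 0, b"abcd"))))
    print(inbound_decision(build_ipv4(outside, inside, ICMP_PROTO, build_icmp(ICMP_ECHO_REPLY, 0, b"abcd"))))
    print(inbound_decision(build_ipv4(outside, inside, TCP_PROTO, b"\x00" * 8, offset=8)))
```

The checksum check matters for a filter because the type and code are only trustworthy once the message is known to be intact, and the fragment test comes first because, as the text notes, only the first fragment carries the upper-layer header the rest of the policy depends on.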
For filtering purposes, the important TCP header information is as follows:

- Source port
- Destination port
- Acknowledge (ACK) flag

TCP information is carried in TCP packets. Each packet contains a header with identifying information about the packet. Your firewall can use the header information to filter TCP packets. To understand what the TCP header contains, see the topic "Understanding Transmission Control Protocol (TCP) packets".

Understanding Transmission Control Protocol (TCP) packets

Transmission Control Protocol (TCP) is a reliable, connection-oriented protocol, which establishes a logical end-to-end connection between two hosts. TCP verifies that data is delivered across the network accurately and in the proper sequence. TCP verifies that a packet arrived at the remote host. If it did not, TCP retransmits the packet.
A TCP packet consists of a formatted header and the application data. The fields in the header contain identifying data about the packet as illustrated in the following table. The TCP packet is included in the data portion of the Internet Protocol (IP) packet.

Table 8. Transmission control protocol (TCP) packet structure

Source port | Destination port
Sequence number
Acknowledgment number
Offset | Reserved | Flags | Window
Checksum | Urgent pointer
Options | Padding
Data

A TCP connection is uniquely defined by:

- Source address from the IP portion of the packet
- Source port from the TCP portion of the packet
- Destination address from the IP portion of the packet
- Destination port from the TCP portion of the packet

TCP uses the sequence number and the acknowledgment number (ACK) to keep track of the bytes. The acknowledgment segment performs two functions: positive acknowledgment and flow control. The acknowledgment tells the sender how much data has been received and how much more the receiver can accept.

TCP is also responsible for delivering the data received from IP to the correct application. A 16-bit number called the destination port number identifies the application. The first word of the segment header contains the source and destination port.

The important fields for filtering purposes are:

- Source port
- Destination port
- Acknowledgment (ACK) flag

A three-way synchronization initiates a TCP session (see figure). Notice that the initial request to start a session does not contain an ACK flag. This feature can be useful for creating filter rules to prevent start requests from the untrusted network from entering your internal secure network.
For instance, you want to allow internal users to use port 25 to start an e-mail session with a server on the untrusted network. You also want to permit your internal users to receive responses from port 25. You can create two filter rules that allow this traffic. However, you do not want to permit start requests from port 25 to access your internal network. To block these requests, you must ensure that the filter rules deny inbound packets that do not contain the ACK flag.

User Datagram Protocol (UDP)

User Datagram Protocol (UDP) is a transport layer protocol, although systems use Transmission Control Protocol (TCP) more often. Domain Name System (DNS) and Simple Network Management Protocol (SNMP) use UDP. UDP does not provide a reliable end-to-end connection. Unlike TCP, UDP does not handle retransmission of packets, duplicate or lost packets, and reordering of packets. Once the system sends a packet, the sender receives no confirmation that the packet reached its destination: UDP does not provide any acknowledgment (ACK) information. Consequently, it is difficult (sometimes impossible) to tell if a UDP packet is a response to a request generated from the secure network or from the untrusted network.

Encapsulating Security Payload (ESP) protocol

The Encapsulating Security Payload (ESP) protocol is part of the Internet Protocol security architecture (IPSec). ESP provides an integrity check, authentication, and encryption to Internet Protocol (IP) datagrams. ESP allows you to select which of its services to use. The IBM Firewall for AS/400 virtual private network (VPN) component uses all three ESP services to protect your VPN traffic. This ensures that an intruder cannot forge packets in order to mount cryptanalytic attacks.

You cannot apply ESP to fragmented IP packets. However, after you apply ESP to an IP packet, intermediate routers can fragment the packet for delivery.
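The TCP header fields of Table 8 and the port-25 example above (permit outbound start requests to port 25, permit inbound replies from port 25 only when the ACK flag is set, deny everything else by default), as an added worked example that is not code from the manual or from IBM Firewall for AS/400. The rule list, its keys, the direction labels and the function names are the example's own; the three-way handshake segments are constructed, with the TCP checksum left at zero because nothing is transmitted.

```python
"""Added example (not from the IBM manual): parse the TCP header (Table 8)
and apply the ACK-flag filter rule for SMTP, so that connection starts
arriving from the untrusted network are denied by the default rule."""
import struct

TCP_SYN = 0x02
TCP_ACK = 0x10

# Hypothetical rule table for one service. "inbound" means arriving on the
# non-secure port; "outbound" means leaving through it. The default rule
# (deny) applies when no entry matches.
RULES = [
    {"direction": "outbound", "dst_port": 25, "require_ack": False, "action": "permit"},
    {"direction": "inbound", "src_port": 25, "require_ack": True, "action": "permit"},
]


def parse_tcp_header(segment: bytes) -> dict:
    """Unpack the fixed 20-byte TCP header; the flags share a word with the data offset."""
    if len(segment) < 20:
        raise ValueError("segment shorter than a TCP header")
    (src_port, dst_port, seq, ack_num, offset_flags,
     window, _checksum, _urgent) = struct.unpack("!HHIIHHHH", segment[:20])
    flags = offset_flags & 0x01FF
    return {
        "src_port": src_port, "dst_port": dst_port,
        "seq": seq, "ack": ack_num, "window": window,
        "header_len": (offset_flags >> 12) * 4,
        "syn_flag": bool(flags & TCP_SYN),
        "ack_flag": bool(flags & TCP_ACK),
    }


def filter_tcp(direction: str, segment: bytes) -> str:
    """First matching rule wins; a rule with require_ack does not match a
    segment without ACK, so a start request falls through to the default deny."""
    hdr = parse_tcp_header(segment)
    for rule in RULES:
        if rule["direction"] != direction:
            continue
        if "src_port" in rule and rule["src_port"] != hdr["src_port"]:
            continue
        if "dst_port" in rule and rule["dst_port"] != hdr["dst_port"]:
            continue
        if rule["require_ack"] and not hdr["ack_flag"]:
            continue
        return rule["action"]
    return "deny"   # built-in default rule


def build_tcp(src_port: int, dst_port: int, flags: int, seq: int = 0, ack: int = 0) -> bytes:
    """Constructed 20-byte TCP header (data offset 5, checksum zero, never sent)."""
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack, (5 << 12) | flags, 8192, 0, 0)


def handshake_decisions(client_port: int, started_inside: bool) -> list[tuple[str, str]]:
    """Run the three-way synchronization through the filter. When the
    session starts inside, the SYN goes outbound; when it starts outside,
    the SYN arrives inbound from port 25 and carries no ACK."""
    out, inn = ("outbound", "inbound") if started_inside else ("inbound", "outbound")
    steps = [
        ("SYN", out, build_tcp(client_port, 25, TCP_SYN, seq=100)),
        ("SYN+ACK", inn, build_tcp(25, client_port, TCP_SYN | TCP_ACK, seq=500, ack=101)),
        ("ACK", out, build_tcp(client_port, 25, TCP_ACK, seq=101, ack=501)),
    ]
    return [(label, filter_tcp(direction, seg)) for label, direction, seg in steps]


if __name__ == "__main__":
    for label, decision in handshake_decisions(40000, started_inside=True):
        print("inside-started", label, decision)
    for label, decision in handshake_decisions(40000, started_inside=False):
        print("outside-started", label, decision)
```

An internally started session passes all three handshake segments, while a session started from the untrusted side is stopped at its first segment, because that SYN has no ACK flag and matches no permit rule.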
If the destination system receives a fragmented packet, the destination system reassembles the packet before applying ESP processing to it. If you request ESP processing for an IP packet that appears to be a fragment, the packet is discarded. These safeguards prevent the overlapping fragment attack. This attack exploits the fragment assembly algorithm in order to create forged packets and force them through a firewall. If a destination system receives an ESP packet that is both encrypted and authenticated, it authenticates the packet first. If authentication fails, the receiving system discards the packet without decrypting it. This two-step procedure saves computing resources, and reduces the risk of a denial of service attack. You can use ESP in one of two modes: transport mode or tunnel mode. VPNs use ESP in tunnel mode to create a new IP datagram, which contains the original IP datagram as its payload. If the firewall used both authentication and encryption for ESP, the original packet is completely protected. However, the IP header is not protected. In tunnel mode, the IP addresses in the outer headers do not have to be the same as the addresses in the inner headers. For example, two firewalls may operate an ESP tunnel to secure all traffic between the networks that they connect together (a VPN). Tunnel mode provides total protection of the encapsulated IP datagram and allows the firewall to route datagrams that use private IP addresses. In the IBM Firewall for AS/400 implementation of VPNs, an unprotected IP header is not a problem. This is because you create VPNs between compatible firewall 26 Firewall: Getting started
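The receive-side order of operations described above, as an added example that is not part of the manual or of the product: the receiver refuses anything that looks like a fragment, verifies the integrity check value (ICV) over the ESP body first, and only then decrypts. Tunnel mode is shown by wrapping an inner datagram with private addresses in an outer header that carries only the two firewalls' public addresses. The keys, addresses, SPI and the `keystream` function are constructed for the example; the keystream is a SHA-256 counter-mode stand-in for ESP's real block cipher so the code runs with the standard library alone, and the ICV is an HMAC truncated to 96 bits in the style of the HMAC-*-96 transforms.

```python
"""Added example: receive-side ESP processing (reject fragment, authenticate, decrypt)."""
import hashlib
import hmac
import struct

ESP_PROTO = 50                 # IP protocol number for ESP
IP_MF = 0x2000                 # "more fragments" bit in the IPv4 flags/fragment-offset word
IP_FRAG_OFFSET_MASK = 0x1FFF
ICV_LEN = 12                   # ICV truncated to 96 bits
IV_LEN = 16

# Constructed sample keys and addresses (assumptions for the example).
ENC_KEY = b"example-esp-encryption-key"
AUTH_KEY = b"example-esp-authentication-key"
FIREWALL_A = bytes([203, 0, 113, 1])   # public address of firewall A (documentation range)
FIREWALL_B = bytes([198, 51, 100, 1])  # public address of firewall B
INNER_SRC = bytes([10, 0, 0, 5])       # private addresses that stay inside the tunnel
INNER_DST = bytes([192, 168, 1, 10])


def ipv4_header(src, dst, proto, payload_len, flags_frag=0, ttl=64):
    """Build a 20-byte IPv4 header (checksum left zero; not needed here)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 1,
                       flags_frag, ttl, proto, 0, src, dst)


def is_fragment(ip_header):
    """A packet is a fragment if MF is set or the fragment offset is non-zero."""
    flags_frag = struct.unpack("!H", ip_header[6:8])[0]
    return bool(flags_frag & IP_MF) or (flags_frag & IP_FRAG_OFFSET_MASK) != 0


def keystream(key, iv, n):
    """Toy counter-mode keystream from SHA-256: a stand-in for the real cipher."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + iv + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


def esp_tunnel_encapsulate(inner_packet, spi, seq, iv):
    """Sender, tunnel mode: encrypt the whole inner datagram, compute the ICV over
    SPI + sequence number + IV + ciphertext, and prepend a new outer IP header."""
    ciphertext = xor(inner_packet, keystream(ENC_KEY, iv, len(inner_packet)))
    body = struct.pack("!II", spi, seq) + iv + ciphertext
    icv = hmac.new(AUTH_KEY, body, hashlib.sha256).digest()[:ICV_LEN]
    esp = body + icv
    outer = ipv4_header(FIREWALL_A, FIREWALL_B, ESP_PROTO, len(esp))
    return outer, esp


def esp_receive(outer_header, esp):
    """Receiver. Returns ("accepted", inner_packet) or ("discarded", reason)."""
    # 1. ESP processing is never applied to something that looks like a fragment.
    if is_fragment(outer_header):
        return ("discarded", "fragment")
    if len(esp) < 8 + IV_LEN + ICV_LEN:
        return ("discarded", "too short")
    # 2. Authenticate first; on failure, discard without doing any decryption work.
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(AUTH_KEY, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return ("discarded", "authentication failed")
    # 3. Only authenticated data reaches the decryption step.
    iv, ciphertext = body[8:8 + IV_LEN], body[8 + IV_LEN:]
    inner = xor(ciphertext, keystream(ENC_KEY, iv, len(ciphertext)))
    return ("accepted", inner)


def run_cases():
    """Exercise the three paths: good packet, tampered ciphertext, fragment."""
    inner = ipv4_header(INNER_SRC, INNER_DST, 6, 4) + b"data"
    iv = bytes(range(IV_LEN))
    outer, esp = esp_tunnel_encapsulate(inner, spi=0x1000, seq=1, iv=iv)
    # Flip one bit of the last ciphertext byte; the ICV no longer matches.
    tampered = esp[:-ICV_LEN - 1] + bytes([esp[-ICV_LEN - 1] ^ 0x01]) + esp[-ICV_LEN:]
    fragment_hdr = ipv4_header(FIREWALL_A, FIREWALL_B, ESP_PROTO, len(esp), flags_frag=IP_MF)
    return {
        "good": esp_receive(outer, esp),
        "tampered": esp_receive(outer, tampered),
        "fragment": esp_receive(fragment_hdr, esp),
        "outer_addresses_public": (outer[12:16], outer[16:20]) == (FIREWALL_A, FIREWALL_B),
    }


if __name__ == "__main__":
    for name, result in run_cases().items():
        print(name, result)
```

Authentication before decryption is what lets the receiver drop a forged or corrupted packet at the cost of one HMAC computation; the fragment check comes even earlier, so reassembly-based tricks never reach the cryptographic steps at all.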
products only. Consequently, the IP header contains public addresses for the firewalls on each end of the connection only. Your internal network information is hidden from outsiders who may attempt to sniff the information from the packet header.

VPN technology often uses ESP and Authentication Header (AH) protocols jointly to provide a total security solution. IBM Firewall for AS/400 VPN services use both protocols.

Authentication Header (AH) protocol

The Authentication Header (AH) protocol is part of the Internet Protocol security architecture (IPSec) and provides integrity and authentication for Internet Protocol (IP) datagrams. AH authenticates as much of the IP datagram as possible. The payload (data) of the IP packet is considered immutable and AH always protects it. However, some fields in the IP header change while in transit and the receiver cannot predict their value. These fields are called mutable and AH cannot protect them. To protect the information in these fields, you should use Encapsulated Security Payload (ESP) protocol tunneling.

You cannot apply AH protocol to fragmented IP packets. However, after you apply AH protocol to an IP packet, the intermediate routers can fragment the packet for delivery. If the destination system receives a fragmented packet, it reassembles the packet before applying AH processing to it. If AH processing is requested for an IP packet that appears to be a fragment, the packet is discarded. These safeguards prevent the overlapping fragment attack, which exploits the fragment reassembly algorithm in order to create forged packets and force them through a firewall.

You can use AH in one of two modes: transport mode or tunnel mode. Virtual private networks (VPNs) use AH in tunnel mode to create a new IP datagram, which contains the original IP datagram as its payload. In tunnel mode, the IP addresses in the outer headers do not have to be the same as the addresses in the inner headers. For example, two firewalls may operate an AH tunnel to authenticate all traffic between the networks that they connect together (a VPN). Tunnel mode provides total protection of the encapsulated IP datagram and allows the firewall to route datagrams that use private IP addresses.

VPN technology often uses ESP and AH protocols jointly to provide a total security solution. IBM Firewall for AS/400 VPN services use both protocols.

Internet Protocol (IP) forwarding

You can use the proxy and SOCKS servers or network address translation (NAT) to allow users on your internal network to access the untrusted network. Although NAT provides better performance and is easier to maintain, NAT uses Internet Protocol (IP) forwarding. You can also use NAT to allow users in the untrusted network to access public servers behind your firewall.

IP forwarding takes packets from the non-secure firewall port and sends them to the secure network. The firewall forwards only those packets that pass the filter rules. Virtual private networks (VPNs) also use IP forwarding. However, when you set a VPN to use authentication, the risk from IP forwarding is minimal.

Use IP forwarding with caution. When you allow IP forwarding, the firewall cannot break the TCP/IP connection at the firewall. This exposes your internal network to more risk because an attacker could exploit any holes in filtering rules to access your internal network.
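Returning to the AH protocol described above, the following added example (not code from the manual or the product) shows concretely what "mutable" means for an IPv4 header. AH computes its ICV over the IP header with the fields a router may legitimately rewrite (type of service, flags and fragment offset, TTL, header checksum) treated as zero, plus the AH header with its own ICV field zeroed, plus the payload. The example builds a transport-mode AH packet, passes it through a simulated router hop that decrements the TTL and recomputes the checksum, and shows that verification still succeeds, while a change to the payload or to the destination address (an immutable field) fails. The key, addresses, SPI and the 96-bit HMAC-SHA-256 truncation are constructed assumptions for the example.

```python
"""Added example: which IPv4 header fields AH protects and which it must leave mutable."""
import hashlib
import hmac
import struct

AH_PROTO = 51                      # IP protocol number for AH
ICV_LEN = 12                       # 96-bit truncated ICV
AUTH_KEY = b"example-ah-authentication-key"   # constructed sample key
SRC = bytes([192, 0, 2, 10])       # constructed addresses (documentation range)
DST = bytes([192, 0, 2, 20])


def ipv4_checksum(header):
    """Standard one's-complement checksum over the 20-byte header."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64, tos=0):
    """Build an IPv4 header with a valid checksum (DF set, no fragmentation)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len, 1,
                      0x4000, ttl, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def zero_mutable_fields(header):
    """Fields a router may change in transit: TOS (byte 1), flags and fragment
    offset (bytes 6-7), TTL (byte 8), header checksum (bytes 10-11). AH treats
    them as zero when computing or verifying the ICV."""
    h = bytearray(header)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def ah_header(next_proto, spi, seq, icv=b"\x00" * ICV_LEN):
    """AH fixed fields followed by the ICV (all-zero while the ICV is computed)."""
    payload_len = (12 + ICV_LEN) // 4 - 2      # AH length in 32-bit words, minus 2
    return struct.pack("!BBHII", next_proto, payload_len, 0, spi, seq) + icv


def compute_icv(ip_header, ah_no_icv, payload):
    covered = zero_mutable_fields(ip_header) + ah_no_icv + payload
    return hmac.new(AUTH_KEY, covered, hashlib.sha256).digest()[:ICV_LEN]


def ah_protect(src, dst, inner_proto, payload, spi=0x2000, seq=1):
    """Transport mode: the IP protocol field becomes 51 and AH sits before the payload."""
    ah_len = 12 + ICV_LEN
    ip_header = ipv4_header(src, dst, AH_PROTO, ah_len + len(payload))
    ah_no_icv = ah_header(inner_proto, spi, seq)
    icv = compute_icv(ip_header, ah_no_icv, payload)
    return ip_header, ah_no_icv[:12] + icv, payload


def ah_verify(ip_header, ah, payload):
    """Recompute the ICV with the received ICV field zeroed and compare."""
    ah_no_icv = ah[:12] + b"\x00" * ICV_LEN
    return hmac.compare_digest(compute_icv(ip_header, ah_no_icv, payload), ah[12:])


def router_hop(ip_header):
    """Simulate an intermediate router: decrement TTL and fix the header checksum."""
    h = bytearray(ip_header)
    h[8] -= 1
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", ipv4_checksum(bytes(h)))
    return bytes(h)


if __name__ == "__main__":
    hdr, ah, data = ah_protect(SRC, DST, 6, b"GET / HTTP/1.0")
    print("as sent:            ", ah_verify(hdr, ah, data))
    print("after a router hop: ", ah_verify(router_hop(hdr), ah, data))
    print("payload changed:    ", ah_verify(hdr, ah, data[:-1] + b"!"))
    print("destination changed:", ah_verify(hdr[:16] + bytes([192, 0, 2, 99]) + hdr[20:], ah, data))
```

The mutable fields are exactly the ones this section says AH cannot protect. If their contents matter (for example the addresses seen by intermediate routers), the text's advice applies: carry the whole datagram inside an ESP tunnel so that it becomes payload, which AH and ESP both cover completely.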
