Firewall: Getting started


Version 4 SC


Contents

Part 1. Firewall: Getting started

Chapter 1. Print this topic

Chapter 2. Understanding IBM Firewall for AS/400
- About firewalls
- Firewall components
- How a firewall works
- What a firewall can do to protect your network
- What a firewall cannot do to protect your network
- Understanding Internet security issues
- Trusted networks
- Understanding security policies
- Security services
- Network security objectives
- Network security considerations
- Types of Internet attacks
- Firewall security principles
- Understanding TCP/IP, networking, and the Internet
- TCP/IP addressing and structure
- How masks affect Internet Protocol (IP) addressing
- Understanding subnets
- IBM Firewall for AS/400 features
- IBM Firewall for AS/400 components
- IBM Firewall for AS/400 Internet Protocol (IP) packet filtering component
- IBM Firewall for AS/400 network address translation (NAT) component
- IBM Firewall for AS/400 proxy server component
- IBM Firewall for AS/400 TELNET proxy server
- IBM Firewall for AS/400 SOCKS server component
- IBM Firewall for AS/400 mail relay service
- IBM Firewall for AS/400 split domain name services (DNS) component
- IBM Firewall for AS/400 audit and event reporting services
- IBM Firewall for AS/400 virtual private network (VPN) component
- Firewall configurations
- Dual-homed gateway firewall
- Screened host firewall

Chapter 3. Planning your firewall installation and configuration
- IBM Firewall for AS/400 installation requirements
- IBM Firewall for AS/400 software requirements
- IBM Firewall for AS/400 hardware requirements
- IBM Firewall for AS/400 user profile requirements
- Secure Sockets Layer (SSL) considerations for IBM Firewall for AS/400
- Positioning your public server in relation to your firewall
- Placing a public server in front of the firewall
- Placing a public server behind the firewall
- Firewall and network configurations: Example scenarios
- Example scenario: Public server in front of the firewall
- Example scenario: Public server in front of the firewall with secure side subnets
- Example scenario: Public server behind the firewall
- IBM Firewall for AS/400 planning worksheets

Chapter 4. Installing and configuring your firewall
- Firewall basic configuration: Scenario overview
- Firewall basic configuration: Scenario objectives
- Firewall basic configuration: Scenario network configuration
- Firewall basic configuration: Scenario advantages
- Firewall basic configuration: Scenario disadvantages
- Firewall basic configuration: Reviewing your planning worksheets
- Verifying firewall hardware, software, and configuration prerequisites
- Recording the resource name of the Integrated Netfinity Server for AS/400
- Verifying the memory available on your Integrated Netfinity Server for AS/400
- Verifying the installation of firewall prerequisite licensed programs
- Verifying that the latest program temporary fixes (PTFs) are applied
- Verifying the basic TCP/IP interface configuration on the firewall home AS/400 system
- Verifying that the IBM HTTP Server is started
- Verifying that the Web browser supports JavaScript
- Installing IBM Firewall for AS/400
- Completing the firewall installation worksheet
- Installing the firewall from the AS/400 Tasks browser interface
- Preparing for Basic configuration of your firewall
- Stopping the firewall
- Varying off the firewall network server description (NWSD)
- Configuring the internal DNS in the firewall NWSD
- Adding the firewall domain name server to the firewall NWSD
- Updating the secure mail server host table
- Routing outbound mail to the firewall
- Starting the firewall
- Varying on the firewall network server description
- Verify that the firewall network server description is ready
- Starting the firewall application
- Verifying the status of the firewall objects and jobs
- Performing firewall Basic configuration
- Completing the Firewall Basic configuration planning worksheet
- Configuring the firewall from the AS/400 Tasks browser interface
- Adding the secure mail server to the firewall domain name server
- Configuring forwarders in the internal DNS
- Configuring your clients to access Internet services through the firewall
- Configuring client domain name services (DNS) to use the firewall domain name server
- Configuring the client Web browser to use the firewall proxy or SOCKS server

Chapter 5. Configuring your clients to use the firewall for Internet access
- Configuring a client to use the firewall
- Verifying that a Windows 95 client can identify the client LAN adapter
- Verifying TCP/IP configuration for a Client PC
- Configuring domain name services for a firewall client on the secure network
- Configuring a firewall client to use a gateway
- Testing the firewall client configuration
- Configuring a client Web browser to use SOCKS or proxy servers
- Adding SOCKS support to firewall clients
- Configuring SOCKS support for AS/400
- Defining the network to which the AS/400 system is connected directly
- Defining which network that the AS/400 client must use SOCKS to access
- Defining a domain name server for the SOCKS server
- Testing Your AS/400 SOCKS Configuration

Copyright IBM Corp. 1998, 1999

Part 1. Firewall: Getting started

Note: End of Currency (EOC) for Integration Services for FSIOP (5768SA2) and IBM Firewall for AS/400 is 5/31/01.

The Firewall: Getting started topic explains planning and basic configuration of IBM Firewall for AS/400. The following topics will provide details on planning, scenario examples, and how to configure your firewall:
- See print this topic if you would like a PDF copy of this topic.
- Understanding IBM Firewall for AS/400 provides conceptual information on firewall terms and Internet security issues.
- Planning your firewall installation and configuration provides step-by-step planning guidelines that help you prepare for your firewall installation.
- Installing and configuring your firewall provides step-by-step procedures for installing and configuring your firewall.
- Configuring your clients to use the firewall for Internet access provides instructions on setting up your users to use the firewall.


Chapter 1. Print this topic

You can view or download a PDF version of this document for viewing or printing. You must have Adobe Acrobat Reader installed to view PDF files. You can download a copy from Adobe.

To view or download the PDF version, select Firewall: Getting started (about 736 KB or 112 pages).

To save a PDF on your workstation for viewing or printing:
1. Open the PDF in your browser (click the link above).
2. In the menu of your browser, click File.
3. Click Save As...
4. Navigate to the directory in which you would like to save the PDF.
5. Click Save.


Chapter 2. Understanding IBM Firewall for AS/400

A firewall represents a substantial portion of your network security policy. Therefore, you must understand exactly what a firewall is and what a firewall can do for you. Each firewall product uses different sets of security features. To understand what a firewall can do to protect your network, review these topics:
- About firewalls
- Understanding Internet security issues

When you connect your network to the Internet, you must use Transmission Control Protocol/Internet Protocol (TCP/IP) and ensure that you configure your network properly. You can prevent many problems with firewall installation and firewall configuration by making sure that you configure TCP/IP properly. Consequently, you should review the topic, Understanding TCP/IP, networking, and the Internet, before you start planning your firewall installation.

To understand what IBM Firewall for AS/400 can do to protect your network, review these topics:
- IBM Firewall for AS/400 features
- IBM Firewall for AS/400 components
- Firewall configurations

To learn how to get your firewall up and running, review these topics:
- Planning your firewall installation and configuration.
- Installing and configuring your firewall.
- Configuring your clients to use the firewall for Internet access.

About firewalls

A firewall is a blockade between a secure internal network and an untrusted network such as the Internet. Most companies use a firewall to connect an internal network safely to the Internet. You can also use a firewall to secure one internal network from another on an intranet.

A firewall provides a controlled single point of contact (called a chokepoint) between your secure internal network and the untrusted network. The firewall:
- Lets users in your internal network use authorized resources that are located on the outside network.
- Prevents unauthorized users on the outside network from using resources on your internal network.
When you use a firewall as your gateway to the Internet (or other network), you reduce the risk to your internal network considerably. Using a firewall also makes administering network security easier because firewall functions carry out most of your security policy.

To better understand what a firewall does and how you can use one to protect your network, review these topics:
- Firewall components.
- How a firewall works.
- What a firewall can do to protect your network.
- What a firewall cannot do to protect your network.

Firewall components

A firewall is a collection of hardware and software that, when used together, prevent unauthorized access to a portion of a network. A firewall consists of the following components:
- Hardware. Firewall hardware usually consists of a separate computer dedicated to running the firewall software functions.
- Software. Firewall software can consist of some or all of these applications:
  - Packet filters
  - Proxy servers
  - SOCKS servers
  - Network address translation (NAT) services
  - Logging and monitoring software
  - Virtual private network (VPN) services

How a firewall works

To understand how a firewall works, imagine that your network is a building to which you want to control access. Your building has a lobby as the only entry point. In this lobby, you have receptionists to welcome visitors, security guards to watch visitors, video cameras to record visitor actions, and badge readers to authenticate visitors who enter the building.

These measures may work well to control access to your building. But, if an unauthorized person succeeds in entering your building, you have no way to protect the building against this intruder's actions. If you monitor the intruder's movements, however, you have a chance to detect any suspicious activity from the intruder.

When you define your firewall strategy, you may think it is sufficient to prohibit everything that presents a risk for the organization and allow everything else. However, because computer criminals constantly create new attack methods, you must anticipate ways to prevent these attacks. As in the example of the building, you also need to monitor for signs that, somehow, someone has breached your defenses. Generally, it is much more damaging and costly to recover from a break-in than to prevent one.

In the case of a firewall, your best strategy is to permit only those applications that you have tested and have confidence in.
If you follow this strategy, you must exhaustively define the list of services you must run on your firewall. You can characterize each service by the direction of the connection (from inside to outside, or outside to inside). You should also list users who you will authorize to use each service and the machines that can issue a connection for it.

What a firewall can do to protect your network

You install a firewall between your network and your connection point to the Internet (or other untrusted network). The firewall then allows you to limit the points of entry into your network. A firewall provides a single point of contact (called a chokepoint) between your network and the Internet (see the figure below). Because you have a single point of contact, you have more control over which traffic to allow into and out of your network.

Figure 1. A firewall controls traffic between your secure network and the Internet

A firewall appears as a single address to the public. The firewall provides access to the untrusted network through proxy or SOCKS servers or network address translation (NAT) while hiding your internal network addresses. Consequently, the firewall maintains the privacy of your internal network. Keeping information about your network private is one way in which the firewall makes an impersonation attack (spoofing) less likely.

A firewall allows you to control traffic into and out of your network to minimize the risk of attack to your network. A firewall securely filters all traffic that enters your network so that only specific types of traffic for specific destinations can enter. This minimizes the risk that someone could use TELNET or file transfer protocol (FTP) to gain access to your internal systems.

What a firewall cannot do to protect your network

While a firewall provides a tremendous amount of protection from certain kinds of attack, a firewall is only part of your total security solution. For instance, a firewall cannot necessarily protect data that you send over the Internet through applications such as SMTP mail, FTP, and TELNET. Unless you choose to encrypt this data, anyone on the Internet can access it as it travels to its destination.

Understanding Internet security issues

When connecting to an untrusted network, you must ensure that your security policy provides you with the best protection possible. A firewall certainly represents a large portion of your total security solution. However, because a firewall is only the first line of defense for your network, you must ensure that your security policy provides additional coverage.
To ensure that your firewall provides the protection that you need, review these security concepts:
- Trusted networks
- Security policies
- Security services
- Network security objectives
- Network security considerations
- Types of Internet attacks
- Firewall security principles

Trusted networks

Any network over which you have control of the security policies is a trusted network. In a trusted network, you (or your organization) can physically configure and audit the computers to ensure that your organization's security policy is implemented and enforced. Any network over which you do not have this level of control should be considered an untrusted network.

You (or your organization) cannot verify the security practices of any other network. Therefore, you must assume that the other network is not secure and treat traffic from it accordingly. Otherwise, you add a level of risk to your own network operations. If someone compromises the other network's security, your own network is vulnerable. You have no way of auditing that system to ensure its integrity. You also have no way of protecting yourself if someone on that system attempts to attack your network.

Understanding security policies

A security policy is a written document that defines the security controls that you institute for your computer systems. A security policy also describes the risks that you intend these controls to minimize. Additionally, a security policy defines what actions should be taken if someone breaches your security controls.

The most important rule that your security policy should express is: Anything that is not explicitly permitted should, by default, be denied. In other words, actions that you do not specifically allow should be automatically disallowed. This ensures that new types of attacks are unlikely to get past your defenses, even though you may have no knowledge of them and have nothing in your security controls to defend specifically against them.

A security policy contains such rules as who can have access to certain services or which services can be run from a given computer. The policy also contains information about what processes and controls you have instituted to enforce these rules.
If you connect to the Internet, your security policy should stipulate that you install and use a firewall to control access to and from the Internet. Once you create a security policy, you must ensure that it is put into effect. This may involve establishing more restrictive password rules, installing and running virus protection software, holding classes to educate users on security rules, and so on.

Security services

The National Institute for Standards and Technology (NIST) defines five major security services. While a firewall provides security for your network, a firewall does not generally provide coverage for all of these NIST security services. To completely protect your network, your security policy should address each of these as well:

Authentication
  Assurance that the resource at the other end of the session is really what it claims to be.

Access control
  Assurance that the resource requesting access to data or a service has authorization to access the requested data or service.

Integrity
  Assurance that the information that arrives is the same as the information that was sent.

Confidentiality
  Assurance that sensitive information is not visible to an eavesdropper. (Encryption is the best way to ensure confidentiality.)

Nonrepudiation
  Assurance that a transaction can be proven to have taken place. Nonrepudiation is also called accountability.

Firewalls cannot provide all of these security services. Therefore, you should ensure that you have additional security functions to provide these security services for your network.

Network security objectives

Although the network security objectives that you develop depend on your particular situation, there are some general objectives you should consider:
- Protect your resources:
  - Your Internet servers
  - Your internal network, workstations, and systems
  - Your data
  - Your company image
- Provide your customers with safe Internet transactions. Ensure that the following conditions are in place:
  - Communicating parties can identify each other (authentication).
  - Unintended parties cannot read information exchanged between parties (confidentiality).
  - Unauthorized parties cannot alter data (integrity).
  - Participating parties cannot repudiate transactions (accountability).

Your security policy should describe how you will fulfill these objectives.

Network security considerations

Whenever you create a security policy, you must balance providing services against controlling access to functions and data. With networked computers, security is more difficult because the communication channel itself is open to attack. Although there are several types of Internet attacks, you can characterize such attacks in two ways:

Passive attacks
  These attacks are difficult to detect and involve someone tapping or tracing communications. Sniffing is an example of a passive attack. You should assume that someone is eavesdropping on every communication that you send across the Internet or any other untrusted network.
Active attacks
  These attacks involve someone trying to break into or take over your computer. Spoofing is an example of an active attack. You may be certain that no one has compromised your own machines. However, you cannot be certain about the machines at the other end of the connection. Realistically, you must extend your circle of trust to some of those machines or not use the Internet at all.

It may seem that once you start thinking about computer security, you can reach a point where nothing seems safe anymore. Is this justifiable? After all, we do not (usually) worry about people tapping our telephone conversations or reading our mail. We happily send credit card numbers, private messages, gossip, and scandal when using those media. The difference with the Internet is that the carrier is not a regulated, well-defined entity. In fact, you have no idea through whose computers your message passes on the way to its destination.

Types of Internet attacks

There are several kinds of passive or active attacks of which you should be aware. These are among the most common:
- Sniffing
- Internet Protocol (IP) spoofing
- Denial of service

Sniffing

Computer criminals (crackers) use a technique called sniffing to acquire information that they can use to break into your systems. Sniffing programs can overhear critical unencrypted data that passes over the Internet, such as user IDs and passwords. A cracker can take the captured information and use it to gain access to your network.

To protect your network from sniffing attacks, take these security measures:
- Use your firewall filtering rules to control which information (packets) comes into your network. The filter rules can check that packets from external hosts cannot pass through the firewall.
- Use a firewall to translate the internal host names and addresses of any outgoing traffic to the name and address of the firewall. This hides such critical information from outside users and sniffing programs.
- Educate your users about the risk of using their internal passwords and user IDs to access external hosts. If they do so, attackers could capture this information from the external hosts and use it if they successfully break into your system. State in your security policy that they must use different user IDs and passwords on external untrusted systems.

Internet Protocol (IP) spoofing

Generally, when you set up a network, you assume that you can trust any given host on that network.
Consequently, a network host does not usually require authentication from other hosts on the same network that communicate with it. When you eliminate authentication between hosts you provide easier and faster communications within the network. However, you should require authentication from hosts outside your network. You cannot assume that you can trust these hosts to be who they say they are.

In an Internet Protocol (IP) spoofing attack, an untrusted external host impersonates a trusted known host on your network. This impersonation allows the host to bypass your security controls to connect to your network. The impersonation is successful because the external host uses an IP address of a known host on your network. Because the external host uses an internal network address, other hosts on the network can communicate with it without requiring authentication.

To prevent IP spoofing, take these security measures:
- Avoid using IP addresses as a means of authenticating a source communication. This ensures that a correct IP address alone is not sufficient to gain access to your resources.
- Require a password or more secure authentication to access a host, regardless of the origin of the request for access.
- Use encrypted authentication methods.
- Use a firewall to ensure that the originator of a connection is not using IP source forwarding to impersonate another system. This helps ensure that a requesting host identity is authentic.
- Use your firewall to conceal all your internal network IP addresses from outsiders. Typically, a firewall uses a single IP address for all outbound transactions, regardless of the internal IP address of the user. The firewall routes the inbound traffic to the correct internal host.

The security measures that you use to defend against IP spoofing depend on several factors. These factors include your analysis of the risk your network faces from this type of attack, the amount of money you are willing to spend, and the amount of convenience you are willing to trade for better security.

Denial of service

A denial of service occurs when an attack brings down one or more hosts on your network such that the host is unable to perform its functions properly. This type of attack can affect entire networks. Although it is difficult to predict the form that a denial of service may take, the following examples illustrate how such an attack can affect your network:
- A rogue packet enters your network and interferes with normal operations because it cannot be processed appropriately.
- Traffic flooding (such as a large number of bogus mail messages) overtaxes your mail server's processing capabilities, stopping further network traffic.
- A router is attacked and disabled, thereby partitioning your network.
- A virus is introduced that ties up significant amounts of processing resources.
- Devices, such as the firewall or a router, meant to protect the network are subverted.

Firewall security principles

You should follow these principles when you set up a firewall:
- Develop a written network security policy and follow it. The firewall can implement many aspects of your security policy and become a part of a network security solution.
- Make sure that the only connection to the Internet (or other untrusted network) is through the firewall. Be sure you include any dial-up connections. The firewall should provide a chokepoint, forcing all traffic to and from the Internet to flow through the firewall. Any traffic that bypasses the firewall increases the risks to your network substantially.
- Allow only those activities that you expressly permit. For example, permit only the TCP/IP services that you need (such as HTTP and ) rather than permit all TCP/IP services. This limits the number of security exposures that you must monitor and take precautions against.
- Keep it simple. Configuration errors are a major source of security holes. The firewall should have limited security policy information to keep its configuration as simple as possible.
- Do not allow any direct TCP/IP connections between applications on internal systems and servers on the Internet (or other untrusted network). A direct connection allows the server to learn information about the client system. The server can try to trick the client into performing an inappropriate action by sending certain responses.
- Never trust information from untrusted systems. The routing table update that you receive from a neighboring router may redirect your network traffic to an unintended destination. Be aware that another system can impersonate a secure system. When attackers use this type of attack, they impersonate a trusted known host on your network. This impersonation, which is also called IP spoofing, allows the host to bypass your security controls to connect to your network.

While these principles are good in theory, as with all security policies, they should be tempered with reality. In some cases, such as when you use a production system to run a public Web server for e-commerce, you should place the public server behind the firewall to protect it and the data it contains. You can carefully open a hole in the firewall to allow any necessary traffic to flow between the Web server and the Internet.

Understanding TCP/IP, networking, and the Internet

The Internet uses TCP/IP as its only communications protocol. Therefore, if you connect to the Internet, you must use TCP/IP for your connection. To successfully work with TCP/IP, you must have a basic understanding of what TCP/IP is, how it works, and how it affects your network. For some basic background information about TCP/IP and the network structure, review these topics:
- TCP/IP addressing and structure
- How masks affect IP addressing
- Understanding subnets

TCP/IP addressing and structure

You must understand the structure and addressing system that TCP/IP uses. This knowledge is essential in order to successfully set up TCP/IP networks, define filter rules for firewalls, and follow packet routing through the network. To learn more about TCP/IP addressing, review these basic explanations of key terms and concepts:
- TCP/IP
- Hosts
- Understanding the Internet Protocol (IP) address format
- IP address classes
- IP addresses reserved for private intranet use

Transmission Control Protocol/Internet Protocol (TCP/IP)

Transmission Control Protocol/Internet Protocol (TCP/IP) is a set of network protocols that connects networks. TCP/IP allows computers to share resources and exchange information across a network.
TCP/IP allows hosts to communicate with each other regardless of the host or user's physical location, the operating system, or the network medium. TCP/IP operates in many different network environments, including the Internet and corporate intranets.

Transmission Control Protocol (TCP) provides host-to-host transmission. TCP takes a stream of data and breaks it into segments. It sends each segment individually by using Internet Protocol (IP) and then reassembles the segments into the original stream. If the transmission loses or damages any segments, TCP detects this and re-sends the segments.

IP routes data from its source to its destination. IP is responsible for routing packets from one host to another host. The other host can be on the same network or on another network.

Hosts

In Internet terms, a host is any system or adapter connected to a network. The term does not imply any particular type of system. A host can be a client, a server, or both, depending on the applications that you run on the system.

A dual-homed or multi-homed host is a system that has more than one connection into the network. A two-port Integrated PC server is an example of a dual-homed host.

Understanding the Internet Protocol (IP) address format

Internet Protocol (IP) uses a 32-bit, two-part logical address field. The 32 bits consist of four octets (eight bits per octet). One part of the logical address is for the network address and the other is for the host address.

You define each part of the address to TCP/IP by using a 32-bit binary mask that you apply to the address. The network portion of the address is indicated in the mask by placing a 1 in each bit of the mask that represents the network portion. The host portion of the address is indicated in the mask by placing a 0 in the mask position. The following table uses a mask to illustrate which portion of an IP address is for the host versus the network in an unsubnetted Class C address.

Table 1. Internet address structure (rows: 32-Bit Address, Two Address Portion)

The network portion of the address should be contiguous, starting at the left side of the address and moving to the right. The network mask is ANDed with the IP address to generate the network address. The address and the mask are written in dotted decimal format; each portion of the decimal format allows a maximum value of 255. You can derive the decimal format by converting each octet to its decimal value.

If the IP address is , for example, the network address part of the address is , and the host part of the address is 11. The host portion of the address cannot be all 1's or all 0's. TCP/IP reserves these two values for its own use.

The full IP address of is commonly referred to as the address of the system (although the address actually describes the host interface). While this works with a simple system, multi-homed systems must have multiple addresses because they have multiple interfaces.
Internet Protocol (IP) address classes

Three classes of Internet Protocol (IP) addresses are in common use today: Class A, B, C, and D and E. The address class determines how many hosts can exist on a network. You can use the value of the first octet to determine the class of network. The possible values for the first octet are:
- Class A (Address range 0-127): 127 networks with up to 16,777,216 hosts each. Intended for use with a large number of hosts. Network mask is
- Class B (Address range ): 16,384 networks with up to 65,536 hosts each. Intended for use with a moderate number of hosts. Network mask is
- Class C (Address range ): 2,097,152 networks with up to 254 hosts each (0 and 255 are reserved). Intended for use with a smaller number of hosts. Network mask is Most common address type issued by an Internet Service Provider (ISP).
- Class D and E (Address range ): The Internet Assigned Numbers Authority (IANA) has reserved these classes for future use.

Internet Protocol (IP) addresses reserved for private intranet use

The Internet Assigned Numbers Authority (IANA) reserves three blocks of the Internet Protocol (IP) address space for private intranets. The following table shows which address blocks IANA reserves.

Table 2. Addresses reserved for private Internet (intranet) use

Class of Network | Start of Address Block | End of Address Block
A | |
B | |
C | |

Although these addresses cannot route through the Internet, you can use them for your internal network. Refer to RFC 1918 for more details about Internet recommendations for private addresses.

How masks affect Internet Protocol (IP) addressing

A mask is a pattern or template that you apply to an Internet Protocol (IP) address to specify which bits are significant and which bits are irrelevant. When you apply a mask to an IP address, you perform a bitwise AND operation. You then use the product of the operation to perform some type of test. You can use masks in TCP/IP to define networks, to route packets, and to write filter rules.

In TCP/IP, a mask consists of 32 bits (four octets). To make it easier to read, you write the mask in dotted decimal format (for example, ). In the mask, a 1 (one) bit defines the significant positions and a 0 (zero) bit defines the irrelevant positions.

Masks usually specify a range; however, you can use a mask of all ones to specify a single value. By specifying a range, you can apply a single rule, network interface definition, or routing entry to many individual host addresses. When you create fewer entries to define one of these items, you are less likely to introduce errors.

When you add a TCP/IP address to an interface, you also specify a subnet mask.
TCP/IP applies the subnet mask to the address and calculates the range of addresses that are local to this adapter. When TCP/IP has packets for one of these local addresses, it tries to communicate directly with the interface assigned to the address by using the local link. If TCP/IP cannot establish the connection, TCP/IP checks the routing table to look for another route to the address.

To define a route, you enter the destination address, subnet mask, and the next hop address. TCP/IP applies the subnet mask to the destination address. TCP/IP then calculates the range of addresses that can be reached through this next hop. When TCP/IP has packets for one of these addresses, it forwards the packet to the system (usually a router) at the next hop address. The next hop system either delivers the packet to a local host or forwards the packet to yet another hop. Or, the system may generate a non-delivered message because the packet cannot be forwarded due to bad routing information.

If you want a specific address to be routed to a specific next hop, specify the host address and a subnet mask of (all 1s). This means that this route applies only to the one specific host address.

When you write filter rules, you may specify a mask to apply to the from address and a mask to apply to the to address. The firewall applies these masks to the source and destination addresses in the packet. The firewall then compares the result to the from address and to address value in the filter rule. This allows you to write a single rule that applies to a large number of hosts. If you want the rule to apply to a single host, use the value (all 1s) in the appropriate mask field.

To better understand the effect that applying a mask has on an IP address, see Example: Performing an AND operation on an address and mask.

Example: Performing an AND operation on an address and mask

You perform an AND operation when you apply Boolean algebra to the binary representation of both the Internet Protocol (IP) address and the mask. The rules of an AND state that, if both digits are a 1 (one), then one is the product. If either digit is a 0 (zero), then zero is the product.

In the following example (see Figure 2), you perform an AND on the address with the mask This operation results in an address of In this mask, the four right-most bits are not significant (they have a value of zero). Therefore, is the result when you apply the mask to every address between and When you reach , the last octet of the address is When you complete the AND operation with the mask for the address, the result is When you apply the mask to any addresses in the range through , the result is a value of

Figure 2. ANDing an address

Understanding subnets

A subnet is a physical segment of a local area network (LAN). Most networks are divided into smaller network segments by using subnets to take advantage of better address distribution and better traffic distribution. You create subnets by applying subnet masks to the network portion of your Internet Protocol (IP) addresses.
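The mask comparison that the filter-rule and AND passages above describe, as an added Python example (not IBM Firewall for AS/400 code or rule syntax). The dictionary rule format, first-match ordering, the default of deny, and the 192.0.2.x and 198.51.100.x documentation addresses are assumptions made for illustration. It also flags a rule whose address has bits set outside its mask, which can never match because the masked packet address is compared with the rule's address value.

```python
"""Mask-based filter-rule matching (added example; rule format is constructed)."""
import ipaddress

ALL_ONES = 0xFFFFFFFF


def to_int(dotted):
    """Dotted decimal -> 32-bit integer (raises ValueError on bad input)."""
    return int(ipaddress.IPv4Address(dotted))


def to_dotted(value):
    """32-bit integer -> dotted decimal."""
    return str(ipaddress.IPv4Address(value))


def apply_mask(address, mask):
    """Bitwise AND of address and mask, as in the AND example."""
    return to_dotted(to_int(address) & to_int(mask))


def is_contiguous(mask):
    """True when the 1 bits run unbroken from the left side of the mask."""
    zeros = ~to_int(mask) & ALL_ONES
    return (zeros & (zeros + 1)) == 0


def covered_range(address, mask):
    """First and last address that produce the same AND result as `address`."""
    if not is_contiguous(mask):
        raise ValueError("mask %s is not contiguous" % mask)
    low = to_int(address) & to_int(mask)
    return to_dotted(low), to_dotted(low | (~to_int(mask) & ALL_ONES))


def check_rule(rule):
    """Return a list of configuration problems found in one rule."""
    problems = []
    for side in ("from", "to"):
        addr, mask = rule[side + "_addr"], rule[side + "_mask"]
        if not is_contiguous(mask):
            problems.append("%s mask %s is not contiguous" % (side, mask))
        if (to_int(addr) & to_int(mask)) != to_int(addr):
            problems.append("%s address %s has bits outside mask %s, so the "
                            "masked packet address can never equal it"
                            % (side, addr, mask))
    return problems


def rule_matches(rule, src, dst):
    """Mask the packet's addresses, then compare with the rule's values."""
    return ((to_int(src) & to_int(rule["from_mask"])) == to_int(rule["from_addr"])
            and (to_int(dst) & to_int(rule["to_mask"])) == to_int(rule["to_addr"]))


def first_match(rules, src, dst, default="deny"):
    """Action of the first matching rule; deny by default (an assumption)."""
    for rule in rules:
        if rule_matches(rule, src, dst):
            return rule["action"]
    return default


# Constructed sample rules. A mask of all 1s pins a single host; a mask of
# all 0s makes every bit irrelevant, so the rule applies to any address.
RULES = [
    {"action": "permit",
     "from_addr": "192.0.2.16", "from_mask": "255.255.255.240",
     "to_addr": "198.51.100.10", "to_mask": "255.255.255.255"},
    {"action": "deny",
     "from_addr": "0.0.0.0", "from_mask": "0.0.0.0",
     "to_addr": "0.0.0.0", "to_mask": "0.0.0.0"},
]

# Constructed misconfiguration: a host address paired with a range mask.
BAD_RULE = {"action": "permit",
            "from_addr": "192.0.2.19", "from_mask": "255.255.255.240",
            "to_addr": "198.51.100.10", "to_mask": "255.255.255.255"}

if __name__ == "__main__":
    print(apply_mask("192.0.2.19", "255.255.255.240"))
    print(covered_range("192.0.2.19", "255.255.255.240"))
    for source in ("192.0.2.20", "192.0.2.31", "192.0.2.32"):
        print(source, first_match(RULES, source, "198.51.100.10"))
    print(check_rule(BAD_RULE))
```

Running `check_rule` over every rule before loading a rule set catches entries that would silently never match, which otherwise show up only as traffic falling through to a later rule.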

Each subnet has a unique network address. When you subnet your network, you use routers to join the subnets to form a complete network. Each router contains information that allows it to send the network traffic to the correct subnet of the network.

When you install a firewall, you may need to subnet your network. You should review these topics first:

- Why you may need to subnet your network
- Creating subnets
- Determining the number of subnets that you need in your network

Why you may need to subnet your network

A subnet is a physical segment of a local area network (LAN). There are several reasons to subnet a network:

- You have more than one type of physical network segment installed in the network.
- You expect a large number of hosts in your network, which requires splitting a network into smaller networks for improved network performance.
- Your network covers a large physical area. Growing distances require splitting a network into smaller networks with routers between them. This reduces collisions caused by propagation delay in a large network segment.

You assign subnet addresses to your network locally. After subnetting, your entire network appears as one IP network to the outside world and your routers handle the traffic flow in your network.

The firewall Integrated Netfinity Server has two physical LAN adapters, as well as the AS/400 *INTERNAL attachment, which functions as an internal LAN adapter. Each of these adapters is in a separate subnet because it is connected to different physical segments of the network.

Creating subnets

Your Internet service provider (ISP) provides you with a network address and a network mask. (In most implementations of TCP/IP, the network mask is also referred to as a subnet mask.) In some cases, the ISP provides you with a complete class C address, which allows you to have up to 254 hosts on your network. In other cases, the ISP provides you with a portion of a class C network address.
The ISP also provides you with a subnet mask.

Before you can subnet your network, you must determine the following values:

1. How many subnets you need in your network.
2. What your current subnet mask is.
3. What your current network address is.

Determining the number of subnets you need in your network

To create subnets for your network, you must first determine how many subnets you need. You can use the table below to help you make this determination. The number of subnets that you need is based on the number of hosts that you have in a subnet.

To create subnets for your network, follow these steps:

1. Determine how many subnets you need for your desired network configuration.
2. Use the table to determine the number of subnets that are required to obtain the number of subnets that you need.

   If the number of subnets you need is not a power of two, you must round up the number to the next power of two. You must round up because the mask that you apply to the address is binary. For example, if you determine that you need two subnets, then the final number of subnets that you need is two. If you determine that you need three subnets, then the final number of subnets that you need is four (the next power of two).
3. Use Table 3 to determine the values that you need to create a subnet mask.
4. Apply the subnet mask to your Internet Protocol (IP) address range. Applying a subnet mask allows you to create the specific subnet addresses that you need.
5. Use Table 3 to determine the decimal value of the last octet in each subnet.
6. Use Table 3 to determine the number of hosts that you can have in each subnet.

Table 3. Possible subnet masks and values Power of 2 Number of Subnets Required Last Octet of Subnet Mask (Binary) Last Octet of Subnet Mask (Decimal) Last Octet of Network Values (n.n.n.x) , ,64,128, ,32,64,96,128,160,192, ,16,32, (step by 16) ,8,16,24, (step by 8) ,4,8,12, (step by 4) Not valid for class C 0 subnet This is a host address N/A Hosts per Segment in a Class C Network

For examples of how to subnet a network, review the topic Example: Further subnetting an already subnetted network.

Example: Further subnetting an already subnetted network

In this example, you have a network address that is already a subnet itself. You examine your configuration and determine that you need two subnets. You need one subnet for the non-secure port of the firewall and one for the public-secure network in which your public server resides.

The Internet service provider (ISP) gave you part of a class C address. This network address is with a subnet mask of This means that you have six host addresses available. You need one of these for the ISP router, which leaves you with five to distribute.

Table 4. Possible subnet masks and values Power of 2 Number of Subnets Required Last Octet of Subnet Mask (Binary) Last Octet of Subnet Mask (Decimal) Last Octet of Network Values (n.n.n.x) , ,64,128, ,32,64,96,128,160,192, ,16,32, (step by 16) ,8,16,24, (step by 8) ,4,8,12, (step by 4) Not valid for class C 0 subnet This is a host address N/A Hosts per Segment in a Class C Network

Based on the information in Table 4, you need to add another 1 to the current mask, as shown in Table 5.

Table 5. Splitting an existing subnet Convert the existing mask to binary Change the first zero in the mask to a one Convert the mask back to decimal

To do this, you must:

1. Convert the existing mask to binary.
2. Change the first zero in the mask to a one.
3. Convert the mask back to decimal.

The result of the conversion operation provides two sets of addresses. You can use one set of addresses on the perimeter (non-secure) network. You can use the other set of addresses for the *INTERNAL port of the Integrated PC Server. The hosts in the first subnet have addresses of and The hosts in the other subnet have addresses of and If you need any more systems than two on the perimeter network, this solution will not work. You must obtain a larger range of addresses from your ISP.

IBM Firewall for AS/400 features

IBM Firewall for AS/400 is an application gateway firewall and a circuit gateway firewall. You can use one or both types of functions. The firewall product provides a number of technologies that you can use to protect your internal network, including:

- Internet Protocol (IP) packet filtering for TCP, UDP, and ICMP packets
- Network address translation (NAT) services
- SOCKS server
- Proxy server for HTTP, HTTPS, FTP, and Gopher for Web browsers
- TELNET proxy
- Mail relay
- Split domain name services (DNS)
- Logging
- Real-time monitoring
- Virtual private network (VPN) services

IBM Firewall for AS/400 consolidates security administration to enforce I/T security policy and minimize the opportunity for security configuration errors. The firewall provides privacy by preventing outsiders from accessing network information through the Internet. You can log traffic to and from the Internet, which allows you to monitor network use and misuse.

Firewall configuration is flexible, which enables support for various security policies. The administrator decides which services the firewall should permit and which the firewall should block. The IBM Firewall for AS/400 software guides the administrator through the basic installation and configuration of the firewall.

The software that the firewall uses resides on a read-only disk. This eliminates the possibility of virus introduction or modification of programs that perform communication security functions. The main processor and firewall communicate over an internal system bus that is not subject to sniffing programs on local area networks. You can set the firewall to issue notifications to the AS/400 system operator (QSYSOPR) when a pre-configured condition on the firewall occurs. The main processor can disable the firewall when it detects tampering, regardless of the state of the firewall.

You can administer the firewall through a Web browser on the internal (secure) network. You can use the Secure Sockets Layer (SSL) for session encryption to protect the administration session. The software authenticates the administrator with OS/400 security support so that you need not require separate user IDs and passwords.

You should install the IBM Firewall for AS/400 on a two-port Integrated Netfinity Server for AS/400.
Configure one port of the Integrated Netfinity Server to connect the firewall to your internal secure network. Configure the other port to connect the firewall to the Internet or other untrusted network.

The firewall can distinguish which network (trusted or untrusted) sent an IP packet. The firewall can also distinguish which port is the appropriate port for the originating packets on each network. Consequently, the firewall is not susceptible to spoofing attacks in which untrusted hosts try to masquerade as trusted ones.

The AS/400 system operator receives notifications (in the QSYSOPR message queue) when important firewall events occur, such as attempted intrusions. The system sends all high severity error messages (Type = Alert) immediately. The system sends lower severity messages (Type = Error, Warning, Information, or Debug) when they reach a user-defined threshold. If the system detects an error condition that may result from tampering (such as the logging function ending), all firewall functions are set to end immediately.

Installing the firewall on an Integrated Netfinity Server separates the processor that you use for application programs from the processor that you use for security programs. This separation eliminates the possibility of the programs interfering with each other. Compromised security programs that are running on the firewall cannot directly affect the AS/400 main processor in functionality or performance.

In addition, the IBM OS/400 TCP/IP protocol stack is completely independent of the TCP/IP stack on the Integrated Netfinity Server. The firewall also has separate storage, which prevents attackers from accessing AS/400 data. This storage is on a read-only disk to eliminate the possibility of virus introduction or modification of programs that perform communication security functions.

You can use the firewall, proxy, or SOCKS servers or NAT to provide internal users with safe access to services on the Internet. The proxy and SOCKS servers break TCP/IP connections at the firewall to hide internal information from the untrusted network. The servers also provide additional logging capabilities.

You can use NAT to provide Internet users with easy access to a public server behind the firewall. The firewall still protects your network because NAT hides your internal IP addresses.

The firewall also protects internal information by using two DNS servers, one that you provide on the internal network and one on the firewall. The firewall name server contains names visible to the untrusted network only, such as an external Web server. The firewall name server resolves outside names in response to requests from the internal name server. Your internal name server contains only the names of the internal network. Your internal name server forwards requests that it cannot resolve to the firewall name server. The firewall DNS server does not provide name serving functions for the internal network.

You are not required to have an internal DNS server to successfully implement a firewall. However, having one makes client configuration easier because you do not have to maintain host tables on each system. OS/400 includes DNS support, which you should use for your internal network.

The firewall protects your internal mail server from attack by providing a mail relay function. The mail relay function passes mail between an external mail server on the firewall and an internal one.
The firewall translates addresses of outgoing mail to the public address of the firewall secure port. This translation hides any internal information from the untrusted network.

The firewall also provides VPN technology so that you can set up encrypted sessions between your firewall and other compatible firewalls.

IBM Firewall for AS/400 components

A firewall consists of a set of software components, each of which provides particular security features for your network. Which components you use depends on your security needs. These components work together to provide your network traffic security controls. Because they are interdependent, each component works with and affects the other components.

Review these topics to get the details that you need to work with firewall components and common firewall configurations:

- Internet Protocol (IP) packet filtering for TCP, UDP, and ICMP packets
- Network address translation (NAT) services
- Proxy server for HTTP, HTTPS, FTP, and Gopher for Web browsers
- Proxy server for TELNET (not through a Web browser)
- SOCKS server
- Mail relay service
- Split Domain Name Services (DNS)
- Audit and event reporting services
- Virtual private network (VPN) services


FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design Learning Objectives Identify common misconceptions about firewalls Explain why a firewall

More information

Firewall Design Principles

Firewall Design Principles Firewall Design Principles Software Engineering 4C03 Dr. Krishnan Stephen Woodall, April 6 th, 2004 Firewall Design Principles Stephen Woodall Introduction A network security domain is a contiguous region

More information

1 Data information is sent onto the network cable using which of the following? A Communication protocol B Data packet

1 Data information is sent onto the network cable using which of the following? A Communication protocol B Data packet Review questions 1 Data information is sent onto the network cable using which of the following? A Communication protocol B Data packet C Media access method D Packages 2 To which TCP/IP architecture layer

More information

INTRODUCTION TO FIREWALL SECURITY

INTRODUCTION TO FIREWALL SECURITY INTRODUCTION TO FIREWALL SECURITY SESSION 1 Agenda Introduction to Firewalls Types of Firewalls Modes and Deployments Key Features in a Firewall Emerging Trends 2 Printed in USA. What Is a Firewall DMZ

More information

Implementing Network Address Translation and Port Redirection in epipe

Implementing Network Address Translation and Port Redirection in epipe Implementing Network Address Translation and Port Redirection in epipe Contents 1 Introduction... 2 2 Network Address Translation... 2 2.1 What is NAT?... 2 2.2 NAT Redirection... 3 2.3 Bimap... 4 2.4

More information

Lecture slides by Lawrie Brown for Cryptography and Network Security, 5/e, by William Stallings, Chapter 22 Firewalls.

Lecture slides by Lawrie Brown for Cryptography and Network Security, 5/e, by William Stallings, Chapter 22 Firewalls. Lecture slides by Lawrie Brown for Cryptography and Network Security, 5/e, by William Stallings, Chapter 22 Firewalls. 1 Information systems in corporations,government agencies,and other organizations

More information

SonicWALL PCI 1.1 Implementation Guide

SonicWALL PCI 1.1 Implementation Guide Compliance SonicWALL PCI 1.1 Implementation Guide A PCI Implementation Guide for SonicWALL SonicOS Standard In conjunction with ControlCase, LLC (PCI Council Approved Auditor) SonicWall SonicOS Standard

More information

Guideline for setting up a functional VPN

Guideline for setting up a functional VPN Guideline for setting up a functional VPN Why do I want a VPN? VPN by definition creates a private, trusted network across an untrusted medium. It allows you to connect offices and people from around the

More information

Kaseya Server Instal ation User Guide June 6, 2008

Kaseya Server Instal ation User Guide June 6, 2008 Kaseya Server Installation User Guide June 6, 2008 About Kaseya Kaseya is a global provider of IT automation software for IT Solution Providers and Public and Private Sector IT organizations. Kaseya's

More information

Chapter 6 Configuring the SSL VPN Tunnel Client and Port Forwarding

Chapter 6 Configuring the SSL VPN Tunnel Client and Port Forwarding Chapter 6 Configuring the SSL VPN Tunnel Client and Port Forwarding This chapter describes the configuration for the SSL VPN Tunnel Client and for Port Forwarding. When a remote user accesses the SSL VPN

More information

Firewall Architecture

Firewall Architecture NEXTEP Broadband White Paper Firewall Architecture Understanding the purpose of a firewall when connecting to ADSL network services. A Nextep Broadband White Paper June 2001 Firewall Architecture WHAT

More information

Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/dd2395/dasakh10/

Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/dd2395/dasakh10/ Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/dd2395/dasakh10/ Fall 2010 Sonja Buchegger buc@kth.se Lecture 6, Nov. 10, 2010 Firewalls, Intrusion Prevention, Intrusion Detection

More information

ΕΠΛ 475: Εργαστήριο 9 Firewalls Τοίχοι πυρασφάλειας. University of Cyprus Department of Computer Science

ΕΠΛ 475: Εργαστήριο 9 Firewalls Τοίχοι πυρασφάλειας. University of Cyprus Department of Computer Science ΕΠΛ 475: Εργαστήριο 9 Firewalls Τοίχοι πυρασφάλειας Department of Computer Science Firewalls A firewall is hardware, software, or a combination of both that is used to prevent unauthorized Internet users

More information

Internet Security Firewalls

Internet Security Firewalls Internet Security Firewalls Ozalp Babaoglu ALMA MATER STUDIORUM UNIVERSITA DI BOLOGNA Overview Exo-structures Firewalls Virtual Private Networks Cryptography-based technologies IPSec Secure Socket Layer

More information

Application Firewalls

Application Firewalls Application Moving Up the Stack Advantages Disadvantages Example: Protecting Email Email Threats Inbound Email Different Sublayers Combining Firewall Types Firewalling Email Enforcement Application Distributed

More information

Firewall VPN Router. Quick Installation Guide M73-APO09-380

Firewall VPN Router. Quick Installation Guide M73-APO09-380 Firewall VPN Router Quick Installation Guide M73-APO09-380 Firewall VPN Router Overview The Firewall VPN Router provides three 10/100Mbit Ethernet network interface ports which are the Internal/LAN, External/WAN,

More information

INTRUSION DETECTION SYSTEMS and Network Security

INTRUSION DETECTION SYSTEMS and Network Security INTRUSION DETECTION SYSTEMS and Network Security Intrusion Detection System IDS A layered network security approach starts with : A well secured system which starts with: Up-to-date application and OS

More information

CS 665: Computer System Security. Network Security. Usage environment. Sources of vulnerabilities. Information Assurance Module

CS 665: Computer System Security. Network Security. Usage environment. Sources of vulnerabilities. Information Assurance Module CS 665: Computer System Security Network Security Bojan Cukic Lane Department of Computer Science and Electrical Engineering West Virginia University 1 Usage environment Anonymity Automation, minimal human

More information

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review. 1. Obtain previous workpapers/audit reports. FIREWALL CHECKLIST Pre Audit Checklist 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review. 3. Obtain current network diagrams

More information

Copyright 2006 Comcast Communications, Inc. All Rights Reserved.

Copyright 2006 Comcast Communications, Inc. All Rights Reserved. ii Copyright 2006 Comcast Communications, Inc. All Rights Reserved. Comcast is a registered trademark of Comcast Corporation. Comcast Business IP Gateway is a trademark of Comcast Corporation. The Comcast

More information

Firewalls CSCI 454/554

Firewalls CSCI 454/554 Firewalls CSCI 454/554 Why Firewall? 1 Why Firewall (cont d) w now everyone want to be on the Internet w and to interconnect networks w has persistent security concerns n can t easily secure every system

More information

Firewall Architectures of E-Commerce

Firewall Architectures of E-Commerce Firewall Architectures of E-Commerce EE657 Midterm Project Presentation Professor Hwang Andy Yan Four State-of-the-art Firewall Architectures Description of 4 solutions IBM enetwork Compaq AXENT s Raptor

More information

allow all such packets? While outgoing communications request information from a

allow all such packets? While outgoing communications request information from a FIREWALL RULES Firewalls operate by examining a data packet and performing a comparison with some predetermined logical rules. The logic is based on a set of guidelines programmed in by a firewall administrator,

More information

Networking for Caribbean Development

Networking for Caribbean Development Networking for Caribbean Development BELIZE NOV 2 NOV 6, 2015 w w w. c a r i b n o g. o r g N E T W O R K I N G F O R C A R I B B E A N D E V E L O P M E N T BELIZE NOV 2 NOV 6, 2015 w w w. c a r i b n

More information

8. Firewall Design & Implementation

8. Firewall Design & Implementation DMZ Networks The most common firewall environment implementation is known as a DMZ, or DeMilitarized Zone network. A DMZ network is created out of a network connecting two firewalls; i.e., when two or

More information

What is a Firewall? A choke point of control and monitoring Interconnects networks with differing trust Imposes restrictions on network services

What is a Firewall? A choke point of control and monitoring Interconnects networks with differing trust Imposes restrictions on network services Firewalls What is a Firewall? A choke point of control and monitoring Interconnects networks with differing trust Imposes restrictions on network services only authorized traffic is allowed Auditing and

More information

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA Firewalls Securing Networks Chapter 3 Part 1 of 4 CA M S Mehta, FCA 1 Firewalls Learning Objectives Task Statements 1.3 Recognise function of Telecommunications and Network security including firewalls,..

More information

NETASQ & PCI DSS. Is NETASQ compatible with PCI DSS? NG Firewall version 9

NETASQ & PCI DSS. Is NETASQ compatible with PCI DSS? NG Firewall version 9 NETASQ & PCI DSS Is NETASQ compatible with PCI DSS? We have often been asked this question. Unfortunately, even the best firewall is but an element in the process of PCI DSS certification. This document

More information

OS/390 Firewall Technology Overview

OS/390 Firewall Technology Overview OS/390 Firewall Technology Overview Washington System Center Mary Sweat E - Mail: sweatm@us.ibm.com Agenda Basic Firewall strategies and design Hardware requirements Software requirements Components of

More information

CSE331: Introduction to Networks and Security. Lecture 12 Fall 2006

CSE331: Introduction to Networks and Security. Lecture 12 Fall 2006 CSE331: Introduction to Networks and Security Lecture 12 Fall 2006 Announcements Midterm I will be held Friday, Oct. 6th. True/False Multiple Choice Calculation Short answer Short essay Project 2 is on

More information

Cryptography and network security

Cryptography and network security Cryptography and network security Firewalls slide 1 Firewalls Idea: separate local network from the Internet Trusted hosts and networks Firewall Intranet Router DMZ Demilitarized Zone: publicly accessible

More information

IP Addressing A Simplified Tutorial

IP Addressing A Simplified Tutorial Application Note IP Addressing A Simplified Tutorial July 2002 COMPAS ID 92962 Avaya Labs 1 All information in this document is subject to change without notice. Although the information is believed to

More information

Considerations In Developing Firewall Selection Criteria. Adeptech Systems, Inc.

Considerations In Developing Firewall Selection Criteria. Adeptech Systems, Inc. Considerations In Developing Firewall Selection Criteria Adeptech Systems, Inc. Table of Contents Introduction... 1 Firewall s Function...1 Firewall Selection Considerations... 1 Firewall Types... 2 Packet

More information

ERserver. iseries. Networking TCP/IP Setup

ERserver. iseries. Networking TCP/IP Setup ERserver iseries Networking TCP/IP Setup ERserver iseries Networking TCP/IP Setup Copyright International Business Machines Corporation 1998, 2001. All rights reserved. US Government Users Restricted

More information

A Brief Overview of VoIP Security. By John McCarron. Voice of Internet Protocol is the next generation telecommunications method.

A Brief Overview of VoIP Security. By John McCarron. Voice of Internet Protocol is the next generation telecommunications method. A Brief Overview of VoIP Security By John McCarron Voice of Internet Protocol is the next generation telecommunications method. It allows to phone calls to be route over a data network thus saving money

More information

Chapter 9 Monitoring System Performance

Chapter 9 Monitoring System Performance Chapter 9 Monitoring System Performance This chapter describes the full set of system monitoring features of your ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN. You can be alerted to important

More information

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. # 01 Lecture No. # 40 Firewalls and Intrusion

More information

Packet filtering and other firewall functions

Packet filtering and other firewall functions Packet filtering and other firewall functions Martin Krammer mk@sbox.tugraz.at Martin Krammer Graz, May 25, 2007 1 Overview Firewalls Principles Architectures Security aspects Packet filtering Principles

More information

Firewall Design Principles Firewall Characteristics Types of Firewalls

Firewall Design Principles Firewall Characteristics Types of Firewalls Firewall Design Principles Firewall Characteristics Types of Firewalls Special Thanks to our friends at The Blekinge Institute of Technology, Sweden for providing the basis for these slides. Fall 2008

More information

Lecture 23: Firewalls

Lecture 23: Firewalls Lecture 23: Firewalls Introduce several types of firewalls Discuss their advantages and disadvantages Compare their performances Demonstrate their applications C. Ding -- COMP581 -- L23 What is a Digital

More information

Firewalls (IPTABLES)

Firewalls (IPTABLES) Firewalls (IPTABLES) Objectives Understand the technical essentials of firewalls. Realize the limitations and capabilities of firewalls. To be familiar with iptables firewall. Introduction: In the context

More information

How To Protect Your Network From Attack From Outside From Inside And Outside

How To Protect Your Network From Attack From Outside From Inside And Outside IT 4823 Information Security Administration Firewalls and Intrusion Prevention October 7 Notice: This session is being recorded. Lecture slides prepared by Dr Lawrie Brown for Computer Security: Principles

More information

Network Security Policy

Network Security Policy Network Security Policy I. PURPOSE Attacks and security incidents constitute a risk to the University's academic mission. The loss or corruption of data or unauthorized disclosure of information on campus

More information

Chapter 20. Firewalls

Chapter 20. Firewalls Chapter 20. Firewalls [Page 621] 20.1 Firewall Design Principles Firewall Characteristics Types of Firewalls Firewall Configurations 20.2 Trusted Systems Data Access Control The Concept of Trusted Systems

More information

Firewalls, IDS and IPS

Firewalls, IDS and IPS Session 9 Firewalls, IDS and IPS Prepared By: Dr. Mohamed Abd-Eldayem Ref.: Corporate Computer and Network Security By: Raymond Panko Basic Firewall Operation 2. Internet Border Firewall 1. Internet (Not

More information

March 2012 www.tufin.com

March 2012 www.tufin.com SecureTrack Supporting Compliance with PCI DSS 2.0 March 2012 www.tufin.com Table of Contents Introduction... 3 The Importance of Network Security Operations... 3 Supporting PCI DSS with Automated Solutions...

More information

Distributed Systems. Firewalls: Defending the Network. Paul Krzyzanowski pxk@cs.rutgers.edu

Distributed Systems. Firewalls: Defending the Network. Paul Krzyzanowski pxk@cs.rutgers.edu Distributed Systems Firewalls: Defending the Network Paul Krzyzanowski pxk@cs.rutgers.edu Except as otherwise noted, the content of this presentation is licensed under the Creative Commons Attribution

More information

EXPLORER. TFT Filter CONFIGURATION

EXPLORER. TFT Filter CONFIGURATION EXPLORER TFT Filter Configuration Page 1 of 9 EXPLORER TFT Filter CONFIGURATION Thrane & Thrane Author: HenrikMøller Rev. PA4 Page 1 6/15/2006 EXPLORER TFT Filter Configuration Page 2 of 9 1 Table of Content

More information

Technical Support Information Belkin internal use only

Technical Support Information Belkin internal use only The fundamentals of TCP/IP networking TCP/IP (Transmission Control Protocol / Internet Protocols) is a set of networking protocols that is used for communication on the Internet and on many other networks.

More information

Chapter 11 Cloud Application Development

Chapter 11 Cloud Application Development Chapter 11 Cloud Application Development Contents Motivation. Connecting clients to instances through firewalls. Chapter 10 2 Motivation Some of the questions of interest to application developers: How

More information

Security Digital Certificate Manager

Security Digital Certificate Manager System i Security Digital Certificate Manager Version 5 Release 4 System i Security Digital Certificate Manager Version 5 Release 4 Note Before using this information and the product it supports, be sure

More information

Chapter 4 Firewall Protection and Content Filtering

Chapter 4 Firewall Protection and Content Filtering Chapter 4 Firewall Protection and Content Filtering The ProSafe VPN Firewall 50 provides you with Web content filtering options such as Block Sites and Keyword Blocking. Parents and network administrators

More information

TABLE OF CONTENT. Page 2 of 9 INTERNET FIREWALL POLICY

TABLE OF CONTENT. Page 2 of 9 INTERNET FIREWALL POLICY IT FIREWALL POLICY TABLE OF CONTENT 1. INTRODUCTION... 3 2. TERMS AND DEFINITION... 3 3. PURPOSE... 5 4. SCOPE... 5 5. POLICY STATEMENT... 5 6. REQUIREMENTS... 5 7. OPERATIONS... 6 8. CONFIGURATION...

More information

From Network Security To Content Filtering

From Network Security To Content Filtering Computer Fraud & Security, May 2007 page 1/10 From Network Security To Content Filtering Network security has evolved dramatically in the last few years not only for what concerns the tools at our disposals

More information