Getting Started with IBM Firewall for AS/400


Getting Started with IBM Firewall for AS/400 Version 4


Contents

Chapter 1. Getting started with IBM Firewall for AS/400
  About firewalls
    Firewall components
    How a firewall works
    What a firewall can do to protect your network
    What a firewall cannot do to protect your network
  Understanding Internet security issues
    Trusted networks
    Security policies
    Security services
    Network security objectives
    Network security considerations
    Types of Internet attacks
    Firewall security principles
  Understanding TCP/IP, networking, and the Internet
    TCP/IP addressing and structure
    How masks affect Internet Protocol (IP) addressing
    Understanding subnets
  IBM Firewall for AS/400 features
  IBM Firewall for AS/400 components
    IBM Firewall for AS/400 Internet Protocol (IP) packet filtering component
    IBM Firewall for AS/400 network address translation (NAT) component
    IBM Firewall for AS/400 proxy server component
    IBM Firewall for AS/400 SOCKS server component
    IBM Firewall for AS/400 mail relay service
    IBM Firewall for AS/400 split domain name services (DNS) component
    IBM Firewall for AS/400 audit and event reporting services
    IBM Firewall for AS/400 virtual private network (VPN) component
  Firewall configurations
    Dual-homed gateway firewall
    Screened host firewall

Chapter 2. Planning your firewall installation and configuration
  IBM Firewall for AS/400 installation requirements
    IBM Firewall for AS/400 software requirements
    IBM Firewall for AS/400 hardware requirements
    IBM Firewall for AS/400 user profile requirements
    Secure Sockets Layer (SSL) considerations for IBM Firewall for AS/400
  Positioning your public server in relation to your firewall
    Placing a public server in front of the firewall
    Placing a public server behind the firewall
  Firewall and network configurations: Example scenarios
    Example scenario: Public server in front of the firewall
    Example scenario: Public server in front of the firewall with secure side subnets
    Example scenario: Public server behind the firewall
  IBM Firewall for AS/400 planning worksheets

Chapter 3. Installing and configuring your firewall
  Firewall basic configuration: Scenario overview
    Firewall basic configuration: Scenario objectives
    Firewall basic configuration: Scenario network configuration
    Firewall basic configuration: Scenario advantages
    Firewall basic configuration: Scenario disadvantages
    Firewall basic configuration: Reviewing your planning worksheets
  Verifying firewall hardware, software, and configuration prerequisites
    Recording the resource name of the Integrated PC Server
    Verifying the memory available on your Integrated PC Server
    Verifying the installation of firewall prerequisite licensed programs
    Verifying that the latest program temporary fixes (PTFs) are applied
    Verifying the basic TCP/IP interface configuration on the firewall home AS/400 system
    Verifying that the IBM HTTP Server is started
    Verifying the firewall administration workstation HOSTS table entries
    Verifying that the Web browser supports JavaScript
  Installing IBM Firewall for AS/400
    Completing the firewall installation worksheet
    Installing the firewall from the AS/400 Tasks browser interface
  Preparing for Basic configuration of your firewall
    Stopping the firewall
    Varying off the firewall network server description (NWSD)
    Adding a TCP/IP routing entry to the firewall network server description (NWSD)
    Adding the firewall domain name server to the firewall NWSD
    Updating the secure mail server host table
    Routing outbound mail to the firewall
  Starting the firewall
    Varying on the firewall network server description
    Verifying that the firewall network server description is ready
    Starting the firewall application
    Verifying the status of the firewall objects and jobs
  Performing firewall Basic configuration
    Completing the configuration planning worksheet
    Configuring the firewall from the AS/400 Tasks browser interface
    Adding the secure mail server to the firewall domain name server
  Configuring your clients to access Internet services through the firewall
    Configuring client domain name services (DNS) to use the firewall domain name server
    Configuring the client Web browser to use the firewall proxy or SOCKS server

Chapter 4. Configuring your clients to use the firewall for Internet access
  Configuring a client to use the firewall
    Verifying that a Windows 95 client can identify the client LAN adapter
    Verifying TCP/IP configuration for a client PC
    Configuring domain name services (DNS) for a firewall client on the secure network
    Configuring a firewall client to use a gateway
    Testing the firewall client configuration
    Configuring a client Web browser to use SOCKS or proxy servers
  Adding SOCKS support to firewall clients
  Configuring SOCKS support for AS/400
    Defining the network to which the AS/400 system is connected directly
    Defining which network the AS/400 client must use SOCKS to access
    Defining a domain name server for the SOCKS server
    Testing your AS/400 SOCKS configuration

Copyright IBM Corp

Chapter 1. Getting started with IBM Firewall for AS/400

Because a firewall represents a substantial portion of your network security policy, you must understand exactly what a firewall is and what a firewall can do for you. Each firewall product uses a different set of security features. To understand what a firewall can do to protect your network, review these topics:
- About firewalls
- Understanding Internet security issues

When you connect your network to the Internet, you must use TCP/IP and ensure that your network is configured properly. You can prevent many firewall installation and configuration problems by making sure that you configure TCP/IP properly. Consequently, you should review the topic Understanding TCP/IP, networking, and the Internet before you start planning your firewall installation.

To understand what IBM Firewall for AS/400 can do to protect your network, review these topics:
- IBM Firewall for AS/400 features
- IBM Firewall for AS/400 components
- Firewall configurations

To learn how to get your firewall up and running, review these topics:
- Planning your firewall installation and configuration
- Installing and configuring your firewall
- Configuring your clients to use the firewall for Internet access

About firewalls

A firewall is a blockade between a secure internal network and an untrusted network such as the Internet. Most companies use a firewall to connect an internal network safely to the Internet. You can also use a firewall to secure one internal network from another on an intranet. A firewall provides a controlled single point of contact (called a chokepoint) between your secure internal network and the untrusted network. The firewall:
- Lets users in your internal network use authorized resources that are located on the outside network.
- Prevents unauthorized users on the outside network from using resources on your internal network.

When you use a firewall as your gateway to the Internet (or other network), you reduce the risk to your internal network considerably. Using a firewall also makes administering network security easier because firewall functions carry out most of your security policy. To better understand what a firewall does and how you can use one to protect your network, review these topics:
- Firewall components
- How a firewall works
- What a firewall can do to protect your network
- What a firewall cannot do to protect your network

Firewall components

A firewall is a collection of hardware and software that, when used together, prevents unauthorized access to a portion of a network. A firewall consists of the following components:
- Hardware. Firewall hardware usually consists of a separate computer dedicated to running the firewall software functions.
- Software. Firewall software can consist of some or all of these applications:
  - Packet filters
  - Proxy servers
  - SOCKS servers
  - Network address translation (NAT) services
  - Logging and monitoring software
  - Virtual private network (VPN) services

How a firewall works

To understand how a firewall works, imagine that your network is a building to which you want to control access. Your building has a lobby as the only entry point. In this lobby, you have receptionists to welcome visitors, security guards to watch visitors, video cameras to record visitor actions, and badge readers to authenticate visitors who enter the building. These measures may work well to control access to your building. But if an unauthorized person succeeds in entering your building, you have no way to protect the building against this intruder's actions. If you monitor the intruder's movements, however, you have a chance to detect any suspicious activity from the intruder.

When you define your firewall strategy, you may think it is sufficient to prohibit everything that presents a risk for the organization and allow everything else. However, because computer criminals constantly create new attack methods, you must anticipate ways to prevent these attacks. As in the example of the building, you also need to monitor for signs that, somehow, someone has breached your defenses. Generally, it is much more damaging and costly to recover from a break-in than to prevent one.

In the case of a firewall, your best strategy is to permit only those applications that you have tested and have confidence in. If you follow this strategy, you must exhaustively define the list of services you must run on your firewall. You can characterize each service by the direction of the connection (from inside to outside, or outside to inside). You should also list the users that you will authorize to use each service and the machines that can issue a connection for it.

What a firewall can do to protect your network

You install a firewall between your network and your connection point to the Internet (or other untrusted network). The firewall then allows you to limit the points of entry into your network. A firewall provides a single point of contact (called a chokepoint) between your network and the Internet (see Figure 1). Because you have a single point of contact, you have more control over which traffic to allow into and out of your network.

Figure 1. A firewall controls traffic between your secure network and the Internet

A firewall appears as a single address to the public. The firewall provides access to the untrusted network through proxy or SOCKS servers or network address translation (NAT) while hiding your internal network addresses. Consequently, the firewall maintains the privacy of your internal network. Keeping information about your network private is one way in which the firewall makes an impersonation attack (spoofing) less likely.

A firewall allows you to control traffic into and out of your network to minimize the risk of attack to your network. A firewall securely filters all traffic that enters your network so that only specific types of traffic for specific destinations can enter. This minimizes the risk that someone could use TELNET or file transfer protocol (FTP) to gain access to your internal systems.

What a firewall cannot do to protect your network

While a firewall provides a tremendous amount of protection from certain kinds of attack, a firewall is only part of your total security solution. For instance, a firewall cannot necessarily protect data that you send over the Internet through applications such as SMTP mail, FTP, and TELNET. Unless you choose to encrypt this data, anyone on the Internet can access it as it travels to its destination.

Understanding Internet security issues

When connecting to an untrusted network, you must ensure that your security policy provides you with the best protection possible. A firewall certainly represents a large portion of your total security solution. However, because a firewall is only the first line of defense for your network, you must ensure that your security policy provides additional coverage. To ensure that your firewall provides the protection that you need, review these security concepts:
- Trusted networks
- Security policies
- Security services
- Network security objectives
- Network security considerations
- Types of Internet attacks
- Firewall security principles

Trusted networks

Any network over which you have control of the security policies is a trusted network. In a trusted network, you (or your organization) can physically configure and audit the computers to ensure that your organization's security policy is implemented and enforced. Any network over which you do not have this level of control should be considered an untrusted network.

You (or your organization) cannot verify the security practices of any other network. Therefore, you must assume that the other network is not secure and treat traffic from it accordingly. Otherwise, you add a level of risk to your own network operations. If someone compromises the other network's security, your own network is vulnerable. You have no way of auditing that system to ensure its integrity. You also have no way of protecting yourself if someone on that system attempts to attack your network.

Security policies

A security policy is a written document that defines the security controls that you institute for your computer systems. A security policy also describes the risks that you intend these controls to minimize. Additionally, a security policy defines what actions should be taken if someone breaches your security controls. The most important rule that your security policy should express is: anything that is not explicitly permitted should, by default, be denied. In other words, actions that you do not specifically allow should be automatically disallowed. This ensures that new types of attacks are unlikely to get past your defenses, even though you may have no knowledge of them and have nothing in your security controls to defend specifically against them.

A security policy contains rules such as who can have access to certain services or which services can be run from a given computer. The policy also contains information about what processes and controls you have instituted to enforce these rules. If you connect to the Internet, your security policy should stipulate that you install and use a firewall to control access to and from the Internet. Once you create a security policy, you must ensure that it is put into effect. This may involve establishing more restrictive password rules, installing and running virus protection software, holding classes to educate users on security rules, and so on.

Security services

The National Institute of Standards and Technology (NIST) defines five major security services. While a firewall provides security for your network, a firewall does not generally provide coverage for all of these NIST security services. To completely protect your network, your security policy should address each of these as well:

Authentication: Assurance that the resource at the other end of the session is really what it claims to be.
Access control: Assurance that the resource requesting access to data or a service has authorization to access the requested data or service.
Integrity: Assurance that the information that arrives is the same as the information that was sent.
Confidentiality: Assurance that sensitive information is not visible to an eavesdropper. (Encryption is the best way to ensure confidentiality.)
Nonrepudiation: Assurance that a transaction can be proved to have taken place; also called accountability.

Firewalls cannot provide all of these security services. Therefore, you should ensure that you have additional security functions to provide these security services for your network.

Network security objectives

Although the network security objectives that you develop depend on your particular situation, there are some general objectives you should consider:
- Protect your resources:
  - Your Internet servers
  - Your internal network, workstations, and systems
  - Your data
  - Your company image
- Provide your customers with safe Internet transactions.
- Ensure that the following conditions are in place:
  - Communicating parties can identify each other (authentication).
  - Unintended parties cannot read information exchanged between parties (confidentiality).
  - Unauthorized parties cannot alter data (integrity).
  - Participating parties cannot repudiate transactions (accountability).

Your security policy should describe how you will fulfill these objectives.

Network security considerations

Whenever you create a security policy, you must balance providing services against controlling access to functions and data. With networked computers, security is more difficult because the communication channel itself is open to attack. Although there are several types of Internet attacks, you can characterize such attacks in two ways:

Passive attacks: These attacks involve someone tapping or tracing communications and are difficult to detect. Sniffing is an example of a passive attack. You should assume that someone is eavesdropping on every communication that you send across the Internet or any other untrusted network.

Active attacks: These attacks involve someone trying to break into or take over your computer. Spoofing is an example of an active attack.

You may be certain that no one has compromised your own machines. However, you cannot be certain about the machines at the other end of the connection. Realistically, you must extend your circle of trust to some of those machines or not use the Internet at all.

It may seem that once you start thinking about computer security, you can reach a point where nothing seems safe anymore. Is this justifiable? After all, we do not (usually) worry about people tapping our telephone conversations or reading our mail. We happily send credit card numbers, private messages, gossip, and scandal when using those media. The difference with the Internet is that the carrier is not a regulated, well-defined entity. In fact, you have no idea through whose computers your message passes on the way to its destination.

Types of Internet attacks

There are several kinds of passive or active attacks of which you should be aware. These are among the most common:
- Sniffing
- Internet Protocol (IP) spoofing
- Denial of service

Sniffing

Computer criminals (crackers) use a technique called sniffing to acquire information that they can use to break into your systems. Sniffing programs can overhear critical unencrypted data that passes over the Internet, such as user IDs and passwords. A cracker can take the captured information and use it to gain access to your network. To protect your network from sniffing attacks, take these security measures:
- Use your firewall filtering rules to control which information (packets) comes into your network. The filter rules can check that packets from external hosts cannot pass through the firewall.
- Use a firewall to translate the internal host names and addresses of any outgoing traffic to the name and address of the firewall. This hides such critical information from outside users and sniffing programs.
- Educate your users about the risk of using their internal passwords and user IDs to access external hosts. If they do so, attackers could capture this information from the external hosts and use it if they successfully break into your system. State in your security policy that users must use different user IDs and passwords on external untrusted systems.

Internet Protocol (IP) spoofing

Generally, when you set up a network, you assume that you can trust any given host on that network. Consequently, a network host does not usually require authentication from other hosts on the same network that communicate with it. When you eliminate authentication between hosts, you provide easier and faster communications within the network. However, you should require authentication from hosts outside your network. You cannot assume that you can trust these hosts to be who they say they are.

In an Internet Protocol (IP) spoofing attack, an untrusted external host impersonates a trusted, known host on your network. This impersonation allows the host to bypass your security controls to connect to your network. The impersonation is successful because the external host uses an IP address of a known host on your network. Because the external host uses an internal network address, other hosts on the network can communicate with it without requiring authentication. To prevent IP spoofing, take these security measures:
- Avoid using IP addresses as a means of authenticating the source of a communication. This ensures that a correct IP address alone is not sufficient to gain access to your resources.
- Require a password or more secure authentication to access a host, regardless of the origin of the request for access.
- Use encrypted authentication methods.
- Use a firewall to ensure that the originator of a connection is not using IP source forwarding to impersonate another system. This helps ensure that a requesting host's identity is authentic.
- Use your firewall to conceal all your internal network IP addresses from outsiders. Typically, a firewall uses a single IP address for all outbound transactions, regardless of the internal IP address of the user. The firewall routes the inbound traffic to the correct internal host.

The security measures that you use to defend against IP spoofing depend on several factors. These factors include your analysis of the risk your network faces from this type of attack, the amount of money you are willing to spend, and the amount of convenience you are willing to trade for better security.

Denial of service

A denial of service occurs when an attack brings down one or more hosts on your network such that the host is unable to perform its functions properly. This type of attack can affect entire networks. Although it is difficult to predict the form that a denial of service may take, the following examples illustrate how such an attack can affect your network:
- A rogue packet enters your network and interferes with normal operations because it cannot be processed appropriately.
- Traffic flooding (such as a large number of bogus mail messages) overtaxes your mail server's processing capabilities, stopping further network traffic.
- A router is attacked and disabled, thereby partitioning your network.
- A virus is introduced that ties up significant amounts of processing resources.
- Devices meant to protect the network, such as the firewall or a router, are subverted.

Firewall security principles

You should follow these principles when you set up a firewall:

- Develop a written network security policy and follow it. The firewall can implement many aspects of your security policy and become a part of a network security solution.
- Make sure that the only connection to the Internet (or other untrusted network) is through the firewall. Be sure you include any dial-up connections. The firewall should provide a chokepoint, forcing all traffic to and from the Internet to flow through the firewall. Any traffic that bypasses the firewall increases the risks to your network substantially.
- Allow only those activities that you expressly permit. For example, permit only the TCP/IP services that you need (such as HTTP and ) rather than permit all TCP/IP services. This limits the number of security exposures that you must monitor and take precautions against.
- Keep it simple. Configuration errors are a major source of security holes. The firewall should have limited security policy information to keep its configuration as simple as possible.
- Do not allow any direct TCP/IP connections between applications on internal systems and servers on the Internet (or other untrusted network). A direct connection allows the server to learn information about the client system. The server can try to trick the client into performing an inappropriate action by sending certain responses.
- Never trust information from untrusted systems. The routing table update that you receive from a neighboring router may redirect your network traffic to an unintended destination. Be aware that another system can impersonate a secure system.

While these principles are good in theory, as with all security policies, they should be tempered with reality. In some cases, such as when you use a production system to run a public Web server for e-commerce, you should place the public server behind the firewall to protect it and the data it contains. You can carefully open a hole in the firewall to allow any necessary traffic to flow between the Web server and the Internet.

Understanding TCP/IP, networking, and the Internet

The Internet uses TCP/IP as its only communications protocol. Therefore, if you connect to the Internet, you must use TCP/IP for your connection. To successfully work with TCP/IP, you must have a basic understanding of what TCP/IP is, how it works, and how it affects your network. For some basic background information about TCP/IP and the network structure, review these topics:
- TCP/IP addressing and structure
- How masks affect IP addressing
- Understanding subnets

TCP/IP addressing and structure

You must understand the structure and addressing system that TCP/IP uses. This knowledge is essential in order to successfully set up TCP/IP networks, define filter rules for firewalls, and follow packet routing through the network. To learn more about TCP/IP addressing, review these basic explanations of key terms and concepts:
- TCP/IP
- Hosts
- Understanding the Internet Protocol (IP) address format
- IP address classes
- IP addresses reserved for private Internet (intranet) use

Transmission Control Protocol/Internet Protocol (TCP/IP)

Transmission Control Protocol/Internet Protocol (TCP/IP) is a set of network protocols that connects networks. TCP/IP allows computers to share resources and exchange information across a network. TCP/IP allows hosts to communicate with each other regardless of the host's or user's physical location, the operating system, or the network medium. TCP/IP operates in many different network environments, including the Internet and corporate internets (intranets).

Transmission Control Protocol (TCP) provides host-to-host transmission. TCP takes a stream of data and breaks it into segments. It sends each segment individually by using Internet Protocol (IP) and then reassembles the segments into the original stream. If the transmission loses or damages any segments, TCP detects this and re-sends the segments.

IP routes data from its source to its destination. IP is responsible for routing packets from one host to another host. The other host can be on the same network or on another network.

Hosts

In Internet terms, a host is any system or adapter connected to a network. The term does not imply any particular type of system. A host can be a client, a server, or both, depending on the applications that you run on the system. A dual-homed or multi-homed host is a system that has more than one connection into the network. A two-port Integrated PC Server is an example of a dual-homed host.

Understanding the Internet Protocol (IP) address format

The Internet Protocol (IP) uses a 32-bit, two-part logical address field. The 32 bits consist of four octets (eight bits per octet). One part of the logical address is for the network address and the other is for the host address. You define each part of the address to TCP/IP by using a 32-bit binary mask that you apply to the address. The network portion of the address is indicated in the mask by placing a 1 in each bit of the mask that represents the network portion. The host portion of the address is indicated in the mask by placing a 0 in each bit of the mask that represents the host portion. The following table uses a mask to illustrate which portion of an IP address is for the host versus the network in an unsubnetted Class C address.

Table 1. Internet address structure
32-Bit Address    Two Address Portions

The network portion of the address should be contiguous, starting at the left side of the address and moving to the right. The network mask is ANDed with the IP address to generate the network address. The address and the mask are written in dotted decimal format; each portion of the decimal format allows a maximum value of 255. You can derive the decimal format by converting each octet to its decimal value. If the IP address is , for example, the network address part of the address is , and the host part of the address is 11. The host portion of the address cannot be all 1s or all 0s. TCP/IP reserves these two values for its own use. The full IP address of is commonly referred to as the address of the system (although the address actually describes the host interface). While this works with a simple system, multi-homed systems must have multiple addresses because they have multiple interfaces.

Internet Protocol (IP) address classes

Three classes of Internet Protocol (IP) addresses are in common use today: Class A, B, and C. The address class determines how many hosts can exist on a network. You can use the value of the first octet to determine the class of network. The possible values for the first octet are:
- Class A (address range 0-127): 127 networks with up to 16,777,216 hosts each. Intended for use with a large number of hosts. Network mask is .
- Class B (address range ): 16,384 networks with up to 65,536 hosts each. Intended for use with a moderate number of hosts. Network mask is .
- Class C (address range ): 2,097,152 networks with up to 254 hosts each (0 and 255 are reserved). Intended for use with a smaller number of hosts. Network mask is . This is the most common address type issued by an Internet Service Provider (ISP).
- Class D and E (address range ): The Internet Assigned Numbers Authority (IANA) has reserved these classes for future use.

Internet Protocol (IP) addresses reserved for private Internet (intranet) use

The Internet Assigned Numbers Authority (IANA) reserves three blocks of the Internet Protocol (IP) address space for private intranets. The following table shows which address blocks IANA reserves.

Table 2. Addresses reserved for private Internet (intranet) use
Class of Network    Start of Address Block    End of Address Block
A
B
C

Although these addresses cannot route through the Internet, you can use them for your internal network. Refer to RFC 1918 for more details about Internet recommendations for private addresses.

How masks affect Internet Protocol (IP) addressing

A mask is a pattern or template that you apply to an Internet Protocol (IP) address to specify which bits are significant and which bits are irrelevant. When you apply a mask to an IP address, you perform a bitwise AND operation. You then use the product of the operation to perform some type of test. You can use masks in TCP/IP to define networks, to route packets, and to write filter rules.

In TCP/IP, a mask consists of 32 bits (four octets). To make it easier to read, you write the mask in dotted decimal format (for example, 255.255.255.0). In the mask, a 1 (one) bit defines the significant positions and a 0 (zero) bit defines the irrelevant positions. Masks usually specify a range; however, you can use a mask of all ones to specify a single value. By specifying a range, you can apply a single rule, network interface definition, or routing entry to many individual host addresses. When you create fewer entries to define one of these items, you are less likely to introduce errors.

When you add a TCP/IP address to an interface, you also specify a subnet mask. TCP/IP applies the subnet mask to the address and calculates the range of addresses that are local to this adapter. When TCP/IP has packets for one of these local addresses, it tries to communicate directly with the interface assigned to the address by using the local link. If TCP/IP cannot establish the connection, TCP/IP checks the routing table to look for another route to the address.

To define a route, you enter the destination address, subnet mask, and the next hop address. TCP/IP applies the subnet mask to the destination address. TCP/IP then calculates the range of addresses that can be reached through this next hop. When TCP/IP has packets for one of these addresses, it forwards the packet to the system (usually a router) at the next hop address. The next hop system either delivers the packet to a local host or forwards the packet to yet another hop. Or, the system may generate a non-delivered message because the packet cannot be forwarded due to bad routing information. If you want a specific address to be routed to a specific next hop, specify the host address and a subnet mask of 255.255.255.255 (all ones). This means that this route applies only to the one specific host address.

When you write filter rules, you may specify a mask to apply to the from address and a mask to apply to the to address. The firewall applies these masks to the source and destination addresses in the packet. The firewall then compares the result to the from address and to address value in the filter rule. This allows you to write a single rule that applies to a large number of hosts. If you want the rule to apply to a single host, use the value 255.255.255.255 (all ones) in the appropriate mask field. To better understand the effect that applying a mask has on an IP address, see Example: Performing an AND operation on an address and mask.

Example: Performing an AND operation on an address and mask

You perform an AND operation when you apply Boolean algebra to the binary representation of both the Internet Protocol (IP) address and the mask. The rules of an AND state that, if both digits are a 1 (one), then one is the product. If either digit is a 0 (zero), then zero is the product. In the following example (see Figure 2), you perform an AND on the address with the mask 255.255.255.240. This operation results in an address of the same network. In this mask, the four right-most bits are not significant (they have a value of zero).

Therefore, the same result is produced when you apply the mask to every address in the 16-address block that shares the significant bits. When you reach the last address of that block, the last octet of the address ends in four one bits; when you complete the AND operation with the mask for that address, the result is still the block's network address. When you apply the mask to any address in that range, the result is the same value.

Figure 2. ANDing an address

Understanding subnets

A subnet is a physical segment of a local area network (LAN). Most networks are divided into smaller network segments by using subnets to take advantage of better address distribution and better traffic distribution. You create subnets by applying subnet masks to the network portion of your Internet Protocol (IP) addresses. Each subnet has a unique network address. When you subnet your network, you use routers to join the subnets to form a complete network. Each router contains information that allows it to send the network traffic to the correct subnet of the network.

When you install a firewall, you may need to subnet your network. You should review these topics first:
- Why you may need to subnet your network
- Creating subnets
- Determining the number of subnets that you need in your network

Why you may need to subnet your network

A subnet is a physical segment of a local area network (LAN). There are several reasons to subnet a network:
- You have more than one type of physical network segment installed in the network.
- You expect a large number of hosts in your network, which requires splitting a network into smaller networks for improved network performance.

- Your network covers a large physical area. Growing distances require splitting a network into smaller networks with routers between them. This reduces collisions caused by propagation delay in a large network segment.

You assign subnet addresses to your network locally. After subnetting, your entire network appears as one IP network to the outside world and your routers handle the traffic flow in your network. The firewall Integrated PC Server has two physical LAN adapters, as well as the AS/400 *INTERNAL attachment, which functions as an internal LAN adapter. Each of these adapters is in a separate subnet because they are connected to different physical segments of the network.

Creating subnets

Your Internet service provider (ISP) provides you with a network address and a network mask. (In most implementations of TCP/IP, the network mask is also referred to as a subnet mask.) In some cases, the ISP provides you with a complete class C address, which allows you to have up to 254 hosts on your network. In other cases, the ISP provides you with a portion of a class C network address. The ISP also provides you with a subnet mask. Before you can subnet your network, you must determine the following values:
1. How many subnets you need in your network.
2. What your current subnet mask is.
3. What your current network address is.

Determining the number of subnets you need in your network

To create subnets for your network, you must first determine how many subnets you need. You can use the table below to help you make this determination. The number of subnets that you need is based on the number of hosts that you have in a subnet. To create subnets for your network, follow these steps:
1. Determine how many subnets you need for your desired network configuration.
2. Use the table to determine the number of subnets that are required to obtain the number of subnets that you need. If the number of subnets you need is not a power of two, you must round up the number to the next power of two. You must round up because the mask that you apply to the address is binary. For example, if you determine that you need two subnets, then the final number of subnets that you need is two. If you determine that you need three subnets, then the final number of subnets that you need is four (the next power of two).
3. Use the table to determine the values that you need to create a subnet mask.
4. Apply the subnet mask to your Internet Protocol (IP) address range. Applying a subnet mask allows you to create the specific subnet addresses that you need.
5. Use the table to determine the decimal value of the last octet in each subnet.
6. Use the table to determine the number of hosts that you can have in each subnet.

Table 3. Possible subnet masks and values

Power of 2 | Number of Subnets Required | Last Octet of Subnet Mask (Binary) | Last Octet of Subnet Mask (Decimal) | Last Octet of Network Values (n.n.n.x)        | Hosts per Segment in a Class C Network
2^1        | 2                          | 10000000                           | 128                                 | 0, 128                                        | 126
2^2        | 4                          | 11000000                           | 192                                 | 0, 64, 128, 192                               | 62
2^3        | 8                          | 11100000                           | 224                                 | 0, 32, 64, 96, 128, 160, 192, 224             | 30
2^4        | 16                         | 11110000                           | 240                                 | 0, 16, 32, ... (step by 16)                   | 14
2^5        | 32                         | 11111000                           | 248                                 | 0, 8, 16, 24, ... (step by 8)                 | 6
2^6        | 64                         | 11111100                           | 252                                 | 0, 4, 8, 12, ... (step by 4)                  | 2
2^7        | 128                        | 11111110                           | 254                                 | Not valid for class C                         | 0
2^8        | 256                        | 11111111                           | 255                                 | This is a host address                        | N/A

For examples of how to subnet a network, review the topic Example: Further subnetting an already subnetted network.

Example: Further subnetting an already subnetted network

In this example, you have a network address that is already a subnet itself. You examine your configuration and determine that you need two subnets. You need one subnet for the non-secure port of the firewall and one for the public-secure network in which your public server resides. The Internet service provider (ISP) gave you part of a class C address. This network address has a subnet mask of 255.255.255.248. This means that you have six host addresses available. You need one of these for the ISP router, which leaves you with five to distribute.

Table 4. Possible subnet masks and values (identical to Table 3)

Table 5. Splitting an existing subnet

Based on the information in the preceding table, you need to add another 1 to the current mask as shown in the next table.

Convert the existing mask to binary        | 11111111.11111111.11111111.11111000
Change the first zero in the mask to a one | 11111111.11111111.11111111.11111100
Convert the mask back to decimal           | 255.255.255.252

To do this, you must:
1. Convert the existing mask to binary.
2. Change the first zero in the mask to a one.
3. Convert the mask back to decimal.

The result of the conversion operation is two sets of addresses. You can use one set of addresses on the perimeter (non-secure) network. You can use the other set of addresses for the *INTERNAL port of the Integrated PC Server. Each subnet holds two host addresses: the first subnet has one pair and the other subnet has the other pair. If you need more than two systems on the perimeter network, this solution will not work. You must obtain a larger range of addresses from your ISP.

IBM Firewall for AS/400 features

IBM Firewall for AS/400 is an application gateway firewall and a circuit gateway firewall. You can use one or both types of functions. The firewall product provides a number of technologies that you can use to protect your internal network, including:
- Internet Protocol (IP) packet filtering for TCP, UDP, and ICMP packets
- Network address translation (NAT) services
- SOCKS server
- Proxy server for HTTP, HTTPS, FTP, and Gopher for Web browsers
- TELNET proxy
- Mail relay
- Split domain name services (DNS)
- Logging
- Real-time monitoring
- Virtual private network (VPN) services

IBM Firewall for AS/400 consolidates security administration to enforce I/T security policy and minimize the opportunity for security configuration errors. The firewall provides privacy by preventing outsiders from accessing network information through the Internet. You can log traffic to and from the Internet, which allows you to monitor network use and misuse. Firewall configuration is flexible, which enables support for various security policies. The administrator decides which services the firewall should permit and which the firewall should block.
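The mask AND operation, the filter-rule comparison with from/to masks, and the Table 5 subnet-splitting procedure, as one added example that is not code from the manual or the product. The addresses, mask values and the rule set are constructed for illustration (192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges); the mask validity check and the power-of-two rounding helper are assumptions of this example, not product behaviour.

```python
"""Mask arithmetic behind filter rules and subnet splitting (added example).

Not the manual's or the product's code. Addresses, masks and rules below are
constructed; 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24 are documentation ranges.
"""
from typing import List, Sequence, Tuple

ALL_ONES = 0xFFFFFFFF


def to_int(addr: str) -> int:
    """Parse dotted decimal into a 32-bit integer, rejecting malformed input."""
    octets = addr.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"bad dotted-decimal value: {addr!r}")
    value = 0
    for octet in octets:
        value = (value << 8) | int(octet)
    return value


def to_dotted(value: int) -> str:
    """Render a 32-bit integer as dotted decimal."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def is_valid_mask(mask: str) -> bool:
    """A mask is a run of one bits followed by a run of zero bits, nothing else."""
    zeros = ~to_int(mask) & ALL_ONES      # the zero bits, seen as ones
    return (zeros & (zeros + 1)) == 0     # they must form one block on the right


def apply_mask(addr: str, mask: str) -> str:
    """The bitwise AND described above: keep only the significant bit positions."""
    if not is_valid_mask(mask):
        raise ValueError(f"non-contiguous mask: {mask}")
    return to_dotted(to_int(addr) & to_int(mask))


# A filter rule: (action, from address, from mask, to address, to mask).
Rule = Tuple[str, str, str, str, str]

# Constructed rule set: the secure network may reach one public web server;
# anything else falls through to the firewall's built-in default deny.
SAMPLE_RULES: List[Rule] = [
    ("permit", "192.0.2.0", "255.255.255.0", "198.51.100.10", "255.255.255.255"),
]


def rule_matches(rule: Rule, src: str, dst: str) -> bool:
    """Mask the packet's source and destination and compare with the rule's from/to
    values. The rule addresses are masked too, so a rule written with a host
    address and a wide mask still compares against its network address."""
    _, from_addr, from_mask, to_addr, to_mask = rule
    return (apply_mask(src, from_mask) == apply_mask(from_addr, from_mask)
            and apply_mask(dst, to_mask) == apply_mask(to_addr, to_mask))


def filter_packet(rules: Sequence[Rule], src: str, dst: str) -> str:
    """First matching rule decides; with no match the packet is denied."""
    for rule in rules:
        if rule_matches(rule, src, dst):
            return rule[0]
    return "deny"


def hosts_per_subnet(mask: str) -> int:
    """Usable hosts in one subnet: the block minus its all-zeros and all-ones addresses."""
    zero_bits = 32 - bin(to_int(mask)).count("1")
    return max(2 ** zero_bits - 2, 0)


def round_up_to_power_of_two(subnets_needed: int) -> int:
    """Subnet counts round up to a power of two because the mask is binary (3 -> 4)."""
    count = 1
    while count < subnets_needed:
        count *= 2
    return count


def next_mask(mask: str) -> str:
    """The Table 5 procedure: change the first zero bit of the mask to a one."""
    value = to_int(mask)
    if not is_valid_mask(mask) or value == ALL_ONES:
        raise ValueError(f"cannot split further with mask {mask}")
    ones = bin(value).count("1")
    return to_dotted(value | (1 << (31 - ones)))


def split_subnet(network: str, mask: str) -> Tuple[str, List[Tuple[str, List[str]]]]:
    """Split one subnet into two: returns the new mask and each half's usable hosts."""
    new_mask = next_mask(mask)
    base = to_int(apply_mask(network, mask))
    block = 2 ** (32 - bin(to_int(new_mask)).count("1"))
    halves = []
    for start in (base, base + block):
        hosts = [to_dotted(a) for a in range(start + 1, start + block - 1)]
        halves.append((to_dotted(start), hosts))
    return new_mask, halves
```

Splitting a constructed six-host block 192.0.2.8 with mask 255.255.255.248 yields mask 255.255.255.252 and two subnets of two usable hosts each, matching the outcome described for the worked example.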

The IBM Firewall for AS/400 software guides the administrator through the basic installation and configuration of the firewall. The software that the firewall uses resides on a read-only disk. This eliminates the possibility of virus introduction or modification of programs that perform communication security functions. The main processor and firewall communicate over an internal system bus that is not subject to sniffing programs on local area networks. You can set the firewall to issue notifications to the AS/400 system operator (QSYSOPR) when a pre-configured condition on the firewall occurs. The main processor can disable the firewall when it detects tampering, regardless of the state of the firewall.

You can administer the firewall through a Web browser on the internal (secure) network. You can use the Secure Sockets Layer (SSL) for session encryption to protect the administration session. The software authenticates the administrator with OS/400 security support so that you do not need separate user IDs and passwords.

You should install the IBM Firewall for AS/400 on a two-port Integrated PC Server. Configure one port of the Integrated PC Server to connect the firewall to your internal secure network. Configure the other port to connect the firewall to the Internet or other untrusted network. The firewall can distinguish which network (trusted or untrusted) sent an Internet Protocol (IP) packet. The firewall can also distinguish which port is the appropriate port for the originating packets on each network. Consequently, the firewall is not susceptible to spoofing attacks in which untrusted hosts try to masquerade as trusted ones.

The AS/400 system operator (QSYSOPR message queue) receives notifications when important firewall events occur, such as attempted intrusions. The system sends all high severity error messages (Type = Alert) immediately. The system sends lower severity messages (Type = Error, Warning, Information, or Debug) when they reach a user-defined threshold. If the system detects an error condition that may result from tampering (such as the logging function ending), all firewall functions are set to end immediately.

Installing the firewall on an Integrated PC Server separates the processor that you use for application programs from the processor that you use for security programs. This separation eliminates the possibility of the programs interfering with each other. Compromised security programs that are running on the firewall cannot directly affect the AS/400 main processor in functionality or performance. In addition, the IBM OS/400 TCP/IP protocol stack is completely independent of the TCP/IP stack on the Integrated PC Server. The firewall also has separate storage, which prevents attackers from accessing AS/400 data. This storage is on a read-only disk to eliminate the possibility of virus introduction or modification of programs that perform communication security functions.

You can use the firewall proxy or SOCKS servers or network address translation (NAT) to provide internal users with safe access to services on the Internet. The proxy and SOCKS servers break TCP/IP connections at the firewall to hide internal information from the untrusted network. The servers also provide additional logging capabilities. You can use NAT to provide Internet users with easy access to a public server behind the firewall. The firewall still protects your network because NAT hides your internal IP addresses.

The firewall also protects internal information by using two DNS servers, one that you provide on the internal network and one on the firewall. The firewall name server contains names visible to the untrusted network only, such as an external Web server. The firewall name server resolves outside names in response to requests from the internal name server. Your internal name server contains only the names of the internal network. Your internal name server forwards requests that it cannot resolve to the firewall name server. The firewall DNS server does not provide name serving functions for the internal network. You are not required to have an internal DNS server to successfully implement a firewall. However, having one makes client configuration easier because you do not have to maintain host tables on each system. OS/400 includes DNS support, which you should use for your internal network.

The firewall protects your internal mail server from attack by providing a mail relay function. The mail relay function passes mail between an external mail server on the firewall and an internal one. The firewall translates addresses of outgoing mail to the public address of the firewall secure port. This translation hides any internal information from the untrusted network.

The firewall also provides virtual private network (VPN) technology so that you can set up encrypted sessions between your firewall and other compatible firewalls.

IBM Firewall for AS/400 components

A firewall consists of a set of software components, each of which provides particular security features for your network. Which components you use depends on your security needs. These components work together to provide your network traffic security controls. Because they are interdependent, each component works with and affects the other components.

Review these topics to get the details that you need to work with firewall components and common firewall configurations:
- Internet Protocol (IP) packet filtering for TCP, UDP, and ICMP packets
- Network address translation (NAT) services
- Proxy server for HTTP, HTTPS, FTP, and Gopher for Web browsers
- Proxy server for TELNET (not through a Web browser)
- SOCKS server
- Mail relay service
- Split Domain Name Services (DNS)
- Audit and event reporting services
- Virtual private network (VPN) services

IBM Firewall for AS/400 Internet Protocol (IP) packet filtering component

Internet Protocol (IP) packet filtering is the core protection mechanism of a firewall. Packet filters are sets of rules that limit IP packet flow into or out of a secure network (see Figure 3). As the firewall administrator, you define policies that determine which packets the firewall should permit or deny access into your network. You can then use the firewall administration facility to institute these policies as filter rules that your firewall can use. If there is no matching rule, the firewall has a built-in default rule to deny the packet access and discard the packet. You can have your firewall use any of the following packet data to filter packets:
- Source IP address

More information

Basic Network Configuration

Basic Network Configuration Basic Network Configuration 2 Table of Contents Basic Network Configuration... 25 LAN (local area network) vs WAN (wide area network)... 25 Local Area Network... 25 Wide Area Network... 26 Accessing the

More information

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013 CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access

More information

Guideline on Firewall

Guideline on Firewall CMSGu2014-02 Mauritian Computer Emergency Response Team CERT-MU SECURITY GUIDELINE 2011-02 Enhancing Cyber Security in Mauritius Guideline on Firewall National Computer Board Mauritius Version 1.0 June

More information

Copyright 2006 Comcast Communications, Inc. All Rights Reserved.

Copyright 2006 Comcast Communications, Inc. All Rights Reserved. ii Copyright 2006 Comcast Communications, Inc. All Rights Reserved. Comcast is a registered trademark of Comcast Corporation. Comcast Business IP Gateway is a trademark of Comcast Corporation. The Comcast

More information

Computer Security: Principles and Practice

Computer Security: Principles and Practice Computer Security: Principles and Practice Chapter 9 Firewalls and Intrusion Prevention Systems First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Firewalls and Intrusion

More information

allow all such packets? While outgoing communications request information from a

allow all such packets? While outgoing communications request information from a FIREWALL RULES Firewalls operate by examining a data packet and performing a comparison with some predetermined logical rules. The logic is based on a set of guidelines programmed in by a firewall administrator,

More information

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review. 1. Obtain previous workpapers/audit reports. FIREWALL CHECKLIST Pre Audit Checklist 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review. 3. Obtain current network diagrams

More information

1 Data information is sent onto the network cable using which of the following? A Communication protocol B Data packet

1 Data information is sent onto the network cable using which of the following? A Communication protocol B Data packet Review questions 1 Data information is sent onto the network cable using which of the following? A Communication protocol B Data packet C Media access method D Packages 2 To which TCP/IP architecture layer

More information

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design Learning Objectives Identify common misconceptions about firewalls Explain why a firewall

More information

OS/390 Firewall Technology Overview

OS/390 Firewall Technology Overview OS/390 Firewall Technology Overview Washington System Center Mary Sweat E - Mail: sweatm@us.ibm.com Agenda Basic Firewall strategies and design Hardware requirements Software requirements Components of

More information

Firewall Introduction Several Types of Firewall. Cisco PIX Firewall

Firewall Introduction Several Types of Firewall. Cisco PIX Firewall Firewall Introduction Several Types of Firewall. Cisco PIX Firewall What is a Firewall? Non-computer industries: a wall that controls the spreading of a fire. Networks: a designed device that controls

More information

Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/dd2395/dasakh10/

Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/dd2395/dasakh10/ Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/dd2395/dasakh10/ Fall 2010 Sonja Buchegger buc@kth.se Lecture 6, Nov. 10, 2010 Firewalls, Intrusion Prevention, Intrusion Detection

More information

Data Protection for CPM 10.6 SP1 Administrator s Guide

Data Protection for CPM 10.6 SP1 Administrator s Guide IBM Endpoint Manager Data Protection for CPM 10.6 SP1 Administrator s Guide Version 9.0 IBM Endpoint Manager Data Protection for CPM 10.6 SP1 Administrator s Guide Version 9.0 Note Before using this information

More information

Network Security. Tampere Seminar 23rd October 2008. Overview Switch Security Firewalls Conclusion

Network Security. Tampere Seminar 23rd October 2008. Overview Switch Security Firewalls Conclusion Network Security Tampere Seminar 23rd October 2008 1 Copyright 2008 Hirschmann 2008 Hirschmann Automation and and Control GmbH. Contents Overview Switch Security Firewalls Conclusion 2 Copyright 2008 Hirschmann

More information

Internet Security Firewalls

Internet Security Firewalls Internet Security Firewalls Ozalp Babaoglu ALMA MATER STUDIORUM UNIVERSITA DI BOLOGNA Overview Exo-structures Firewalls Virtual Private Networks Cryptography-based technologies IPSec Secure Socket Layer

More information

ΕΠΛ 475: Εργαστήριο 9 Firewalls Τοίχοι πυρασφάλειας. University of Cyprus Department of Computer Science

ΕΠΛ 475: Εργαστήριο 9 Firewalls Τοίχοι πυρασφάλειας. University of Cyprus Department of Computer Science ΕΠΛ 475: Εργαστήριο 9 Firewalls Τοίχοι πυρασφάλειας Department of Computer Science Firewalls A firewall is hardware, software, or a combination of both that is used to prevent unauthorized Internet users

More information

Firewalls CSCI 454/554

Firewalls CSCI 454/554 Firewalls CSCI 454/554 Why Firewall? 1 Why Firewall (cont d) w now everyone want to be on the Internet w and to interconnect networks w has persistent security concerns n can t easily secure every system

More information

Firewall VPN Router. Quick Installation Guide M73-APO09-380

Firewall VPN Router. Quick Installation Guide M73-APO09-380 Firewall VPN Router Quick Installation Guide M73-APO09-380 Firewall VPN Router Overview The Firewall VPN Router provides three 10/100Mbit Ethernet network interface ports which are the Internal/LAN, External/WAN,

More information

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security Security+ Guide to Network Security Fundamentals, Fourth Edition Chapter 6 Network Security Objectives List the different types of network security devices and explain how they can be used Define network

More information

What is a Firewall? Computer Security. Firewalls. What is a Firewall? What is a Firewall?

What is a Firewall? Computer Security. Firewalls. What is a Firewall? What is a Firewall? What is a Firewall? Computer Security Firewalls fire wall 1 : a wall constructed to prevent the spread of fire 2 usually firewall : a computer or computer software that prevents unauthorized access to

More information

Copyright International Business Machines Corporation 1998, 2001. All rights reserved. US Government Users Restricted Rights Use, duplication or

Copyright International Business Machines Corporation 1998, 2001. All rights reserved. US Government Users Restricted Rights Use, duplication or iseries E mail iseries E mail Copyright International Business Machines Corporation 1998, 2001. All rights resered. US Goernment Users Restricted Rights Use, duplication or disclosure restricted by GSA

More information

Step-by-Step Configuration

Step-by-Step Configuration Step-by-Step Configuration Kerio Technologies Kerio Technologies. All Rights Reserved. Printing Date: August 15, 2007 This guide provides detailed description on configuration of the local network which

More information

Chapter 4 Firewall Protection and Content Filtering

Chapter 4 Firewall Protection and Content Filtering Chapter 4 Firewall Protection and Content Filtering The ProSafe VPN Firewall 50 provides you with Web content filtering options such as Block Sites and Keyword Blocking. Parents and network administrators

More information

Software Installation

Software Installation iseries Software Installation Version 5 SC41-5120-05 iseries Software Installation Version 5 SC41-5120-05 Note Before using this information and the product it supports, be sure to read the information

More information

Cryptography and network security

Cryptography and network security Cryptography and network security Firewalls slide 1 Firewalls Idea: separate local network from the Internet Trusted hosts and networks Firewall Intranet Router DMZ Demilitarized Zone: publicly accessible

More information

IBM Sterling Connect:Direct Secure Plus for UNIX. Implementation Guide. Version 4.1

IBM Sterling Connect:Direct Secure Plus for UNIX. Implementation Guide. Version 4.1 IBM Sterling Connect:Direct Secure Plus for UNIX Implementation Guide Version 4.1 IBM Sterling Connect:Direct Secure Plus for UNIX Implementation Guide Version 4.1 Note Before using this information and

More information

INTERNET SECURITY: THE ROLE OF FIREWALL SYSTEM

INTERNET SECURITY: THE ROLE OF FIREWALL SYSTEM INTERNET SECURITY: THE ROLE OF FIREWALL SYSTEM Okumoku-Evroro Oniovosa Lecturer, Department of Computer Science Delta State University, Abraka, Nigeria Email: victorkleo@live.com ABSTRACT Internet security

More information

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. # 01 Lecture No. # 40 Firewalls and Intrusion

More information

Technical Support Information Belkin internal use only

Technical Support Information Belkin internal use only The fundamentals of TCP/IP networking TCP/IP (Transmission Control Protocol / Internet Protocols) is a set of networking protocols that is used for communication on the Internet and on many other networks.

More information

51-30-60 DATA COMMUNICATIONS MANAGEMENT. Gilbert Held INSIDE

51-30-60 DATA COMMUNICATIONS MANAGEMENT. Gilbert Held INSIDE 51-30-60 DATA COMMUNICATIONS MANAGEMENT PROTECTING A NETWORK FROM SPOOFING AND DENIAL OF SERVICE ATTACKS Gilbert Held INSIDE Spoofing; Spoofing Methods; Blocking Spoofed Addresses; Anti-spoofing Statements;

More information

We will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall

We will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall Chapter 10 Firewall Firewalls are devices used to protect a local network from network based security threats while at the same time affording access to the wide area network and the internet. Basically,

More information

Considerations In Developing Firewall Selection Criteria. Adeptech Systems, Inc.

Considerations In Developing Firewall Selection Criteria. Adeptech Systems, Inc. Considerations In Developing Firewall Selection Criteria Adeptech Systems, Inc. Table of Contents Introduction... 1 Firewall s Function...1 Firewall Selection Considerations... 1 Firewall Types... 2 Packet

More information

INTRODUCTION TO FIREWALL SECURITY

INTRODUCTION TO FIREWALL SECURITY INTRODUCTION TO FIREWALL SECURITY SESSION 1 Agenda Introduction to Firewalls Types of Firewalls Modes and Deployments Key Features in a Firewall Emerging Trends 2 Printed in USA. What Is a Firewall DMZ

More information

Internet Security Firewalls

Internet Security Firewalls Overview Internet Security Firewalls Ozalp Babaoglu! Exo-structures " Firewalls " Virtual Private Networks! Cryptography-based technologies " IPSec " Secure Socket Layer ALMA MATER STUDIORUM UNIVERSITA

More information

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA Firewalls Securing Networks Chapter 3 Part 1 of 4 CA M S Mehta, FCA 1 Firewalls Learning Objectives Task Statements 1.3 Recognise function of Telecommunications and Network security including firewalls,..

More information

Firewall Design Principles

Firewall Design Principles Firewall Design Principles Software Engineering 4C03 Dr. Krishnan Stephen Woodall, April 6 th, 2004 Firewall Design Principles Stephen Woodall Introduction A network security domain is a contiguous region

More information

From Network Security To Content Filtering

From Network Security To Content Filtering Computer Fraud & Security, May 2007 page 1/10 From Network Security To Content Filtering Network security has evolved dramatically in the last few years not only for what concerns the tools at our disposals

More information

Firewalls (IPTABLES)

Firewalls (IPTABLES) Firewalls (IPTABLES) Objectives Understand the technical essentials of firewalls. Realize the limitations and capabilities of firewalls. To be familiar with iptables firewall. Introduction: In the context

More information

Operations Console Setup

Operations Console Setup iseries Operations Console Setup SC41-5508-02 iseries Operations Console Setup SC41-5508-02 Note Before using this information and the product it supports, be sure to read the information in Safety and

More information

Firewall Architecture

Firewall Architecture NEXTEP Broadband White Paper Firewall Architecture Understanding the purpose of a firewall when connecting to ADSL network services. A Nextep Broadband White Paper June 2001 Firewall Architecture WHAT

More information

IBM Campaign Version 9 Release 1.1 February 18, 2015. User's Guide

IBM Campaign Version 9 Release 1.1 February 18, 2015. User's Guide IBM Campaign Version 9 Release 1.1 February 18, 2015 User's Guide Note Before using this information and the product it supports, read the information in Notices on page 245. This edition applies to ersion

More information

System i. Security. Version 5 Release 4

System i. Security. Version 5 Release 4 System i Security Intrusion Version 5 Release 4 detection System i Security Intrusion Version 5 Release 4 detection Note Before using this information and the product it supports, read the information

More information

Testing Network Security Using OPNET

Testing Network Security Using OPNET Testing Network Security Using OPNET Agustin Zaballos, Guiomar Corral, Isard Serra, Jaume Abella Enginyeria i Arquitectura La Salle, Universitat Ramon Llull, Spain Paseo Bonanova, 8, 08022 Barcelona Tlf:

More information

Implementing Network Address Translation and Port Redirection in epipe

Implementing Network Address Translation and Port Redirection in epipe Implementing Network Address Translation and Port Redirection in epipe Contents 1 Introduction... 2 2 Network Address Translation... 2 2.1 What is NAT?... 2 2.2 NAT Redirection... 3 2.3 Bimap... 4 2.4

More information

8. Firewall Design & Implementation

8. Firewall Design & Implementation DMZ Networks The most common firewall environment implementation is known as a DMZ, or DeMilitarized Zone network. A DMZ network is created out of a network connecting two firewalls; i.e., when two or

More information

ERserver. iseries. TCP/IP routing and workload balancing

ERserver. iseries. TCP/IP routing and workload balancing ERserver iseries TCP/IP routing and workload balancing ERserver iseries TCP/IP routing and workload balancing Copyright International Business Machines Corporation 1998, 2001. All rights reserved. US

More information

How To Protect Your Network From Attack From Outside From Inside And Outside

How To Protect Your Network From Attack From Outside From Inside And Outside IT 4823 Information Security Administration Firewalls and Intrusion Prevention October 7 Notice: This session is being recorded. Lecture slides prepared by Dr Lawrie Brown for Computer Security: Principles

More information