Networking Security IP packet security

Copyright International Business Machines Corporation 1998,2000. All rights reserved. US Government Users Restricted Rights Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

Part 1. IP packet security (filtering and NAT)
  Chapter 1. What's new for V4R5
  Chapter 2. Print this topic
  Chapter 3. What is IP packet security?
    IP packet security terms
    Network address translation (NAT)
      Static or map NAT
      Masquerade or hide NAT
      Masquerade or port-mapped NAT
    IP filtering
    IP packet header
    Organizing NAT rules with IP filter rules
  Chapter 4. Why IP packet security?
    Example: Mapping your IP addresses (static NAT)
    Example: Setting filter rules to allow HTTP and FTP
    Example: Combining NAT and IP filtering
    Example: Hiding your IP addresses (masquerade NAT)
  Chapter 5. System requirements for IP packet security
  Chapter 6. Planning for IP packet security
    IP packet security versus other security solutions
  Chapter 7. Creating and activating IP packet security rules
    Accessing the IP packet security functions
    Defining addresses and services
    Making comments about your NAT and IP filter rules
    Creating network address translation (NAT) rules
    Creating IP filter rules
    Including files in IP packet security
    Defining IP filter interfaces
    Verifying NAT and IP filter rules
    Saving, activating, and deactivating NAT and IP filter rules
  Chapter 8. NAT and IP filter administration
    Viewing NAT and IP filter rules
    Editing NAT and IP filter rules
    Backing up NAT and IP filter rules
    Journaling and auditing rule actions
  Chapter 9. Troubleshooting NAT and IP filtering
  Chapter 10. Other information about IP packet security (filtering and NAT)

Part 1. IP packet security (filtering and NAT)

IP packet security contains network address translation (NAT) and Internet Protocol (IP) filtering. You manage your TCP/IP traffic with these two components. NAT and IP filtering act like a firewall to protect your internal IP addresses from intruders. The links below explain the why, what, and how of IP packet security in TCP/IP. In order to use IP packet security, you need TCP/IP installed on your AS/400.

- What's new in IP packet security for V4R5?
- Print this topic to view a hardcopy of IP packet security.
- What is IP packet security? This topic explains the concepts of NAT and IP filtering. It includes topics such as mapping and hiding addresses. It also has a dictionary of common terms that are used throughout this topic.
- Why IP packet security? This topic gives you four real-life scenarios and illustrations to describe NAT and IP filtering. After each scenario is a sample configuration.

Getting started

Step 1. System requirements for IP packet security cover the prerequisites you need to implement NAT and filter rules.
Step 2. Developing a security plan is extremely important to determine what resources you need to protect and from whom you need to protect them. It also compares IP packet security to other security options to help you make an informed decision about what is best for your particular security needs.
Step 3. Creating and activating NAT and IP filter rules allows the network manager to define filter rules and control TCP/IP traffic. Depending on your security plan, you may be using NAT (hide or map) rules, IP filter rules, or both.
Step 4. NAT and IP filter administration helps you manage your filter rules. Some of the features include journaling, editing, and viewing your rules.

For more information on IP packet security, see:
- Troubleshooting NAT and IP filtering
- Other information about IP packet security (filtering and NAT)

Chapter 1. What's new for V4R5

IP packet security (filtering and NAT) includes a few changes in V4R5. The basic overall structure is reorganized and easier to use. The largest addition in V4R5 is the scenarios. They cover different real-world uses for IP packet security. Each scenario includes a sample configuration. Use the following link to view the new scenarios: Why IP packet security?

Chapter 2. Print this topic

You can view or download a PDF version of this document for viewing or printing. You must have Adobe Acrobat Reader installed to view PDF files. You can download a copy from the Adobe Acrobat Web site. To view or download the PDF version, select IP packet security (about 448 KB or 41 pages). To save a PDF on your workstation for viewing or printing:
1. Open the PDF in your browser (click the link above).
2. In the menu of your browser, click File.
3. Click Save As...
4. Navigate to the directory in which you would like to save the PDF.
5. Click Save.

Chapter 3. What is IP packet security?

IP packet security is network address translation (NAT) and Internet Protocol (IP) filtering. These two components take place at the IP layer of the TCP/IP protocol. They help protect your system against potential risks that are associated with TCP/IP traffic. IP security includes IP packet security and IPSec (V4R4 and V4R5). In Operations Navigator, IP packet security is NAT and IP filtering. This Information Center topic describes only NAT and filtering. For more information about VPN, review AS/400 Virtual Private Networking (VPN) in the Information Center. The links below give a description of each component in IP packet security. There is also a dictionary link to help clarify some common terms that are used throughout this topic.

- IP packet security terms
- NAT (network address translation)
- IP filtering
- Organizing NAT rules with IP filter rules

IP packet security terms

The following list defines common terms that are used throughout this filtering and NAT Information Center topic.

Border
A border address is a public address that forms a border between a trusted and an untrusted network. It describes the IP address as an actual interface on the AS/400. The system needs to know the type of address you are defining. For example, your PC's IP address is trusted, but your server's public IP address is border.

Firewall
A logical barrier around systems in a network. A firewall consists of hardware, software, and a security policy that control the access and flow of information between secure or trusted systems and nonsecure or untrusted systems.

Internet Control Message Protocol (ICMP)
Internet Control Message Protocol communicates information between hosts. When a destination host or router needs to inform the source host about an error in datagram processing, it uses ICMP. For example, the PING application uses ICMP. The most important information for filtering purposes includes:
- Type
- Code

Internet Protocol (IP)
Internet Protocol contains data that identifies the datagram packet. The most important information for filtering purposes includes:
- Source address
- Destination address
- Protocol ID
- Fragmentation indicator

IPSec
IPSec is a collection of Internet Engineering Task Force (IETF) standards. They define an architecture at the Internet Protocol (IP) layer that protects IP traffic by using various security services (such as encryption and authentication). IPSec is expected to become the standard for virtual private networks (VPNs) on the Internet.

Maxcon
Maxcon is the number of conversations that can be active at one time. The system asks you to define this number when you set up NAT masquerade rules. The default value is 128. Maxcon only pertains to masquerade NAT rules.

NAT conversation
A NAT conversation is a relationship between any of the following IP addresses and port numbers:
- Private source IP address and source port number (without NAT)
- Public (NAT) source IP address and public (NAT) source port number
- Destination IP address and port number (an external network)

Transmission Control Protocol (TCP)
Transmission Control Protocol is a reliable, connection-oriented protocol. It manages lost packets and duplicate packets, reorders packets, and provides retransmission. The most important information for filtering purposes includes:
- Source port
- Destination port
- Starting TCP packet flag

Timeout
Timeout controls the amount of time a conversation is allowed to last. If you have Timeout set too short, the conversation is stopped too quickly. The default value is 16.

User Datagram Protocol (UDP)
User Datagram Protocol operates on the same level as TCP: the transport layer. However, UDP does not add reliability, flow control, or error recovery to IP. DNS (Domain Name Server) and SNMP (Simple Network Management Protocol) use UDP. The most important information for filtering purposes includes:
- Source port
- Destination port

Virtual Private Network (VPN)
VPN is an extension of a company's intranet over the existing framework of either a public or private network. A VPN ensures that the data that is sent between the two endpoints of its connection remains secure.

Network address translation (NAT)

IP addresses are depleting rapidly due to widespread Internet growth. Organizations are using private networks, which allow them to select any IP addresses they want. However, if two companies have duplicate IP addresses, they will have problems. In order to communicate on the Internet, you must have a unique, registered address. Network address translation (NAT) allows you to access the Internet safely without having to change your network IP addresses. Just as the name implies, NAT is a mechanism that translates one Internet Protocol (IP) address into another. IP packet security contains two basic types of NAT: static and masquerade NAT. In addition, masquerade or hide NAT has a variation, called port-mapped NAT. This type of NAT allows you to specify a specific port number to replace a port number from a private IP address. Review the links below for more detailed information about the various forms of NAT:
- Static, or map, NAT
- Masquerade, or hide, NAT
- Masquerade, or hide port-mapped, NAT

You can create NAT rules to do two things:
1. Map addresses to take advantage of static NAT.
2. Hide addresses to take advantage of the various masquerade NATs.

By hiding or mapping addresses, NAT solves various addressing problems. The examples below explain some problems that NAT can resolve.

- Hiding internal IP addresses from public knowledge. You are configuring an AS/400 as a public Web server. However, you do not want external networks to know your server's real internal IP addresses. You can create NAT rules that translate your private addresses to public addresses that can access the Internet. In this instance, the true address of the server remains hidden, making the server less vulnerable to attack.
- Converting an IP address for an internal host into a different IP address. You want private IP addresses on your internal network to communicate with Internet hosts. To arrange this, you can convert an IP address for an internal host into a different IP address. You must use public IP addresses to communicate with Internet hosts. Therefore, you use NAT to convert your private IP addresses to public addresses. This ensures that IP traffic from your internal host is routed through the Internet.
- Making the IP addresses of two different networks compatible. You want to allow a host system in another network, such as a vendor company, to communicate with a specific host in your internal network. However, both networks use private addresses (10.x.x.x), which creates a possible address conflict for routing the traffic between the two hosts. To avoid conflict, you can use NAT to convert the address of your internal host to a different IP address.

Static or map NAT

Static, or map, NAT is a one-to-one mapping of private IP addresses to public IP addresses. It allows you to map an IP address on your internal network to an IP address that you want to make public. Static NAT allows communication to be initiated from your internal network or an external network, like the Internet. It is especially useful if you have a server within your internal network that you want to allow public users to access. In this case, you want to create a NAT rule that maps the actual server address to a public address. The public address will become external information. This ensures that private information remains out of the hands of someone who might attack your systems. The following list highlights the features of static NAT:
- One-to-one mapping
- External and internal network initiation
- The address you associate or map to can be any address
- The address you associate or map to becomes unusable as an IP interface
- Does not use port number NAT

Warning: Use caution if you decide to map a PC to the well-known address of the AS/400. The well-known address is the IP address reserved for most Internet and intranet traffic. If you do map to this IP address, all traffic translated by NAT will be sent to the internal private address. Since the interface will be reserved for NAT, your AS/400 and the interface become unusable.

Review Example: Map your IP addresses for a real scenario and illustration of static NAT.

Masquerade or hide NAT

Masquerade, or hide, NAT allows you to keep the outside world (meaning outside the AS/400) from knowing your PC's actual address. All traffic is routed from your PC to your AS/400, which essentially makes the AS/400 the gateway for your PC. Here is how it works. Masquerade NAT allows you to translate multiple IP addresses to another single IP address. You can use masquerade NAT to hide one or more IP addresses on your internal network behind an IP address that you want to make public. This public address is the address you are translating to and has to be a defined interface on your AS/400 server. To be a defined interface, the public address must be defined as a type BORDER address.

Hiding multiple addresses

To hide multiple addresses, you specify a range of addresses to be translated through the AS/400 NAT server. Here is the general process:
1. The translated IP address replaces the source IP address. This occurs in the IP header of the IP packet.
2. The IP source port number (if there is one) in a Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) header is replaced with a temporary port number.
3. An existing conversation is the relationship between the new IP source address and port number.
4. This existing conversation allows your NAT server to untranslate IP datagrams from the outside machine.

To view an IP datagram header, visit IP packet header.

Note: The address you are translating to must have a type=border for NAT to operate correctly.
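The four-step hide process above, worked as a small Python model (an added example, not code from this manual or from the AS/400 NAT implementation). It keeps the conversation table keyed by the temporary public port, enforces MAXCON and TIMEOUT with the page's defaults, refuses unsolicited inbound datagrams, and also models the port-mapped variant the page describes next; the hidden range, addresses, port numbers and time ticks are all constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class HideNat:
    """Constructed model of a HIDE (masquerade) rule: every source address in the
    hidden range is rewritten to the BORDER address plus a temporary port.
    Time is counted in abstract ticks; the page does not state TIMEOUT's units."""

    def __init__(self, hidden_prefix, border_ip, maxcon=128, timeout=16, first_port=40000):
        self.hidden_prefix = hidden_prefix  # constructed stand-in for the rule's address range
        self.border_ip = border_ip          # the type=border address we hide behind
        self.maxcon = maxcon                # MAXCON, default 128 on the page
        self.timeout = timeout              # TIMEOUT, default 16 on the page
        self.next_port = first_port
        self.conversations = {}             # public port -> {"key": 4-tuple, "last": tick}

    def _expire(self, now):
        """Drop conversations that have been idle longer than TIMEOUT."""
        for port in [p for p, c in self.conversations.items() if now - c["last"] > self.timeout]:
            del self.conversations[port]

    def outbound(self, pkt, now):
        """Internal host initiates: src IP/port become border IP/temp port (steps 1-3).
        Returns the translated packet, the packet unchanged if it is not in the hidden
        range, or None when MAXCON leaves no room for a new conversation."""
        if not pkt.src_ip.startswith(self.hidden_prefix):
            return pkt
        self._expire(now)
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        for port, conv in self.conversations.items():
            if conv["key"] == key:          # existing conversation: reuse its temp port
                conv["last"] = now
                return Packet(self.border_ip, port, pkt.dst_ip, pkt.dst_port)
        if len(self.conversations) >= self.maxcon:
            return None                     # MAXCON reached
        port, self.next_port = self.next_port, self.next_port + 1
        self.conversations[port] = {"key": key, "last": now}
        return Packet(self.border_ip, port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt, now):
        """External datagram: untranslate only if it answers a live conversation (step 4).
        Anything else is dropped, which is why external hosts cannot initiate traffic."""
        self._expire(now)
        conv = self.conversations.get(pkt.dst_port)
        if pkt.dst_ip != self.border_ip or conv is None:
            return None                     # unsolicited, or the conversation timed out
        src_ip, src_port, dst_ip, dst_port = conv["key"]
        if (pkt.src_ip, pkt.src_port) != (dst_ip, dst_port):
            return None                     # not the peer the hidden host was talking to
        conv["last"] = now
        return Packet(pkt.src_ip, pkt.src_port, src_ip, src_port)


class PortMappedNat:
    """Constructed model of the port-mapped variant: one explicit
    Address 1:Port 1 <-> Address 2:Port 2 mapping, so either side may initiate."""

    def __init__(self, private_ip, private_port, border_ip, public_port):
        self.private = (private_ip, private_port)
        self.public = (border_ip, public_port)

    def outbound(self, pkt):
        if (pkt.src_ip, pkt.src_port) != self.private:
            return pkt                      # rule matches on both address and port
        return Packet(*self.public, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        if (pkt.dst_ip, pkt.dst_port) != self.public:
            return None                     # only the mapped address:port is admitted
        return Packet(pkt.src_ip, pkt.src_port, *self.private)  # conversation made on demand


def demo():
    """Walk through the MAXCON and TIMEOUT warnings with a tiny table (maxcon=2)."""
    nat = HideNat("10.1.", "192.54.5.1", maxcon=2, timeout=16)
    pc = Packet("10.1.2.3", 1025, "198.51.100.7", 80)          # hidden PC -> external web server
    out = nat.outbound(pc, now=0)                               # 192.54.5.1:40000 -> server
    reply = Packet("198.51.100.7", 80, "192.54.5.1", 40000)
    back = nat.inbound(reply, now=5)                            # untranslated to 10.1.2.3:1025
    probe = nat.inbound(Packet("203.0.113.9", 4444, "192.54.5.1", 40001), now=5)  # unsolicited
    ftp_ctrl = nat.outbound(Packet("10.1.2.3", 1026, "198.51.100.7", 21), now=6)  # 2nd conversation
    ftp_data = nat.outbound(Packet("10.1.2.3", 1027, "198.51.100.7", 20), now=6)  # 3rd: over MAXCON
    late = nat.inbound(reply, now=40)                           # idle > TIMEOUT: dropped
    pm = PortMappedNat("10.1.2.3", 80, "192.54.5.1", 80)
    pm_in = pm.inbound(Packet("203.0.113.9", 4444, "192.54.5.1", 80))   # external initiation works
    pm_miss = pm.inbound(Packet("203.0.113.9", 4444, "192.54.5.1", 81)) # wrong port: dropped
    return out, back, probe, ftp_ctrl, ftp_data, late, pm_in, pm_miss


if __name__ == "__main__":
    for result in demo():
        print(result)
```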

When you use masquerade NAT, an internal system initiates traffic. When this happens, the IP datagram is translated as it passes through the AS/400 NAT server. Masquerade NAT is a great choice because external hosts cannot initiate traffic into your network. As a result, your network gains additional protection from an outside attack. Also, you only need to purchase a single public IP address for multiple internal users. The following list highlights the features of masquerade NAT:
- A private IP address or range of IP addresses is bound behind a public IP address on the NAT machine
- Internal network initiation only
- Port numbers are associated with random port numbers. This means that both the address and the port number are hidden from the Internet.
- The registered address on the NAT machine is a usable interface outside of NAT

Warning: You must set MAXCON high enough to accommodate the number of conversations you want to use. For example, if you are using FTP, your PC will have two conversations active. In this case, you will need to set MAXCON high enough to accommodate multiple conversations for each PC. You need to decide how many concurrent conversations you want to allow in your network. The default value is 128. You must have TIMEOUT (a HIDE rule statement) set high enough to allow enough time for conversations between PCs to end. For hide NAT to occur properly, there must be an internal conversation in progress. The timeout value tells the code how long to wait for a reply to this internal conversation. The default value is 16. Masquerade NAT only supports the following protocols: TCP, UDP, and ICMP.

Remember to view the scenario and illustration in Hide your IP addresses (masquerade NAT) for an example of masquerade or hide NAT.

Masquerade or port-mapped NAT

Port-mapped NAT is a variation of masquerade or hide NAT. What is the difference? In port-mapped NAT you can specify both the IP address and the port number to translate. This allows both your internal PC and the external machine to initiate IP traffic. You will use this if the external machine (or client) wants to access machines or servers inside a network. Only IP traffic that matches both the IP address and the port number is allowed access. Here is how it works:

Internal initiation
As the internal PC with Address 1:Port 1 initiates traffic to an outside machine, the translating code checks the NAT rule file for Address 1:Port 1. If both the source IP address (Address 1) and the source port number (Port 1) match the NAT rule, then NAT starts the conversation and performs the translation. The specified values from the NAT rule replace the IP source address and source port number. Address 1:Port 1 is replaced with Address 2:Port 2.

External initiation
An external machine initiates IP traffic with the destination IP address of Address 2. The destination port number is Port 2. The NAT server will untranslate the datagram with or without an existing conversation. In other words, NAT will automatically create a conversation if one does not already exist. Address 2:Port 2 is untranslated to Address 1:Port 1.

The following list highlights the features of masquerade port-mapped NAT:
- One-to-one relationship
- External and internal network initiation
- The registered address you hide behind must be defined on the AS/400 performing the NAT operations
- The registered address is still usable for IP traffic outside of NAT operations
- Source and destination ports are usually the same value. If you want to hide a source port number behind another port number, the client needs to be told the value of the destination port number. Otherwise, it is difficult for communication to occur.

Warning: You must set MAXCON high enough to accommodate the number of conversations you want to use. For example, if you are using FTP, your PC will have two conversations active. You will need to set MAXCON high enough to accommodate multiple conversations for each PC. The default value is 128. You must have TIMEOUT (a HIDE rule statement) set high enough to allow enough time for conversations between PCs to end. For hide NAT to occur properly, there must be an internal conversation in progress. The timeout value tells the code how long to wait for a reply to this internal conversation. The default value is 16. Masquerade NAT only supports the following protocols: TCP, UDP, and ICMP.

IP filtering

As the second component of IP packet security, packet filtering lets you control what IP traffic you allow in your network. Though not a fully functional firewall in itself, AS/400 IP packet security provides a solid component that can filter packets for your AS/400. You can use this IP packet filtering component to protect your system. The IP packet filtering component protects your system by filtering packets according to rules that you specify. The rules are based on packet header information. You can apply these filter rules to multiple lines, or you can apply different rules to each line. Filter rules are associated with lines, for example token ring (trnline), not interfaces. The system checks each packet against each rule that you associate with a line. The rules are checked in a sequential process. Once the system matches the packet to a rule, it stops the process and applies the matching rule. When the system applies the matching rule, it actually performs the action that is specified by that rule. The AS/400 supports three actions (V4R4 and beyond):
1. permit allows the datagram to continue
2. deny discards the datagram
3. IPSec sends the datagram by using a VPN connection (you name the VPN connection in the filter rule)

Note: In this case, IPSec is an action that you can define in your filter rules. Even though this IP packet security topic does not cover IPSec, it is important to note that filtering and Virtual Private Networking (VPN) are closely related when defining filters. For more information about VPN, review AS/400 Virtual Private Networking (VPN).

After you apply the rule, the system continues this sequential comparison of rules and packets and assigns actions to all corresponding rules. If the system is unable to find a matching rule for a particular packet, the system automatically discards that packet. The system's default deny rule ensures that the system automatically discards any packet that is not matched to a filter rule.

IP packet header

You can create filter rules that refer to various portions of the IP, TCP, UDP, and ICMP headers. The following list includes the fields you can refer to in a filter rule:
- Source IP address
- Protocol (for example, TCP, UDP)
- Destination IP address
- Source port
- Destination port
- IP datagram direction (inbound, outbound, or both)
- Forwarded or local
- Packet fragments
- TCP SYN bit

For example, you may create and activate a rule that filters a packet based on the destination IP address, source IP address, and direction (inbound). In this case, the system matches all incoming packets (according to their origin and destination addresses) with corresponding rules. Then the system takes the action that you specified in the rule. The system discards any packets that are not permitted in your filter rules. This is called the default-deny rule.

Note: The system applies the default-deny rule to datagrams only if the physical interface has at least one customer-defined filter rule active. If customer-defined filter rules are not active on the physical interface, then the default-deny rule will not work.

Organizing NAT rules with IP filter rules

NAT and filtering work independently of each other. Even so, you can still use NAT in conjunction with IP filtering. If you choose to apply only NAT rules, your system will only perform address translation. If you apply both types of rules, your system will translate and filter addresses. When you use NAT and filtering together, they occur in a specific order. For inbound traffic, NAT rules process first. For outbound traffic, filter rules process first. You may want to consider using separate files to create your NAT and filter rules. Although this is not necessary, it will make your rules easier to read and troubleshoot. Either way (separate or together), you will receive the same errors. If you decide to use separate files for your NAT and filter rules, you can still activate both sets of rules. Make sure your rules do not interfere with one another. To activate both NAT and filtering rules at the same time, you need to use the include feature. For example, you created File A for filter rules and File B for NAT rules. You can include the contents of File B in File A without rewriting all your rules. See Including files in IP packet security for more information.
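Sequential first-match filtering with the default-deny rule and its interface caveat, as an added Python example (not the manual's code, nor the AS/400 implementation). It parses FILTER and FILTER_INTERFACE statements written in the page's own syntax and evaluates constructed datagrams against them; the sample rule set, the datagrams and the FRAGMENTS = NONE semantics are assumptions made here.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Datagram:
    line: str            # physical line the datagram uses, e.g. TRNLINE (rules bind to lines)
    direction: str       # INBOUND or OUTBOUND
    srcaddr: str
    dstaddr: str
    protocol: str        # TCP, UDP or ICMP
    srcport: int = 0
    dstport: int = 0
    icmp_type: int = 0
    icmp_code: int = 0
    fragment: bool = False


KEYVAL = re.compile(r"(\w+)\s*=\s*(\S+)")


def parse_rules(text: str):
    """Parse FILTER and FILTER_INTERFACE statements, one per line.
    Returns (filters in file order, {line name: [set names bound to it]})."""
    filters, bindings = [], {}
    for raw in text.splitlines():
        stmt = raw.split("#", 1)[0].strip()          # '#' starts a comment
        if not stmt:
            continue
        kind, _, rest = stmt.partition(" ")
        fields = {k.upper(): v for k, v in KEYVAL.findall(rest)}
        if kind == "FILTER":
            m = re.match(r"SET\s+(\w+)", rest)       # 'SET name' carries no '='
            if m is None or "ACTION" not in fields:
                raise ValueError(f"malformed FILTER statement: {raw}")
            fields["SET"] = m.group(1)
            filters.append(fields)
        elif kind == "FILTER_INTERFACE":
            bindings.setdefault(fields["LINE"], []).append(fields["SET"])
        else:
            raise ValueError(f"unsupported statement: {kind}")
    return filters, bindings


def _matches(rule: dict, d: Datagram) -> bool:
    """A rule matches when every header field it names equals the datagram's
    value or is the wildcard '*'. Fields the rule omits are not checked."""
    header = {"DIRECTION": d.direction, "SRCADDR": d.srcaddr, "DSTADDR": d.dstaddr,
              "PROTOCOL": d.protocol, "SRCPORT": d.srcport, "DSTPORT": d.dstport,
              "TYPE": d.icmp_type, "CODE": d.icmp_code}
    for key, have in header.items():
        want = rule.get(key, "*")
        if want != "*" and str(have).upper() != want.upper():
            return False
    # Assumption in this model: FRAGMENTS = NONE means the rule applies only to
    # unfragmented datagrams, so a fragment falls through to the later rules.
    if rule.get("FRAGMENTS", "*").upper() == "NONE" and d.fragment:
        return False
    return True


def filter_datagram(filters, bindings, d: Datagram) -> Optional[str]:
    """Sequential first-match evaluation of the sets bound to the datagram's line.
    Returns the matching rule's ACTION (PERMIT, DENY or IPSEC); DENY when rules are
    active on the line but none matched (the default-deny rule); or None when no
    customer rule is bound to the line, the case where the page notes that the
    default-deny rule does not apply."""
    active = bindings.get(d.line)
    if not active:
        return None
    for rule in filters:
        if rule["SET"] in active and _matches(rule, d):
            return rule["ACTION"].upper()
    return "DENY"


# Constructed sample in the page's syntax: the HTTP pair from the filtering scenario
# plus an ICMP rule, bound to the token ring line TRNLINE.
SAMPLE_RULES = """\
###Permit HTTP (Web browser) traffic in & out of the system.
FILTER SET external_rules ACTION = PERMIT DIRECTION = INBOUND SRCADDR = * DSTADDR = 10.1.2.3 PROTOCOL = TCP DSTPORT = 80 SRCPORT = * FRAGMENTS = NONE JRN = OFF
FILTER SET external_rules ACTION = PERMIT DIRECTION = OUTBOUND SRCADDR = 10.1.2.3 DSTADDR = * PROTOCOL = TCP DSTPORT = * SRCPORT = 80 FRAGMENTS = NONE JRN = OFF
FILTER SET external_rules ACTION = PERMIT DIRECTION = * SRCADDR = * DSTADDR = * PROTOCOL = ICMP TYPE = * CODE = * FRAGMENTS = NONE JRN = OFF
FILTER_INTERFACE LINE = TRNLINE SET = external_rules
"""


def demo():
    """Evaluate a few constructed datagrams against SAMPLE_RULES."""
    filters, bindings = parse_rules(SAMPLE_RULES)
    web = Datagram("TRNLINE", "INBOUND", "203.0.113.5", "10.1.2.3", "TCP", 51000, 80)
    ssh = Datagram("TRNLINE", "INBOUND", "203.0.113.5", "10.1.2.3", "TCP", 51001, 22)
    frag = Datagram("TRNLINE", "INBOUND", "203.0.113.5", "10.1.2.3", "TCP", 51000, 80, fragment=True)
    ping = Datagram("TRNLINE", "INBOUND", "203.0.113.5", "10.1.2.3", "ICMP", icmp_type=8)
    other_line = Datagram("ETHLINE", "INBOUND", "203.0.113.5", "10.1.2.3", "TCP", 51001, 22)
    return {
        "http": filter_datagram(filters, bindings, web),                  # first rule: PERMIT
        "ssh": filter_datagram(filters, bindings, ssh),                   # no match: default DENY
        "http_fragment": filter_datagram(filters, bindings, frag),        # fragment skips rule 1
        "ping": filter_datagram(filters, bindings, ping),                 # ICMP rule: PERMIT
        "unfiltered_line": filter_datagram(filters, bindings, other_line),  # no rules bound
    }


if __name__ == "__main__":
    print(demo())
```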

Chapter 4. Why IP packet security?

IP packet security acts like a firewall to protect your system. You often use network address translation (NAT) and Internet Protocol (IP) filtering together, but you can also use them separately. The following scenarios help explain how you use NAT and IP filtering to protect your network. Each example includes a sample configuration.
- Example: Map your IP addresses (static NAT)
- Example: Filter IP addresses
- Example: Combination of NAT and filtering
- Example: Hide your IP addresses (masquerade NAT)

Note: In each scenario the IP addresses 192.x.x.x represent public IP addresses. All addresses used are for example purposes only.

These scenarios help review some common uses for IP packet security. If you find these scenarios familiar, you may want to compare NAT and filtering to other security options. Planning your network security is very important. Review IP packet security versus other security components to help you find your best security plan.

Example: Mapping your IP addresses (static NAT)

Situation
You own your own company, and you decide to start a private network. However, you never registered or acquired permission to use public IP addresses. Everything was fine until you wanted to access the Internet. It turns out your company's address range is registered to someone else, so you think your current setup is obsolete. You really need to allow public users to access your Web server. What should you do?

Solution You could use Static NAT. Static NAT assigns one original (private) address to one registered address. Your AS/400 maps this registered address to your private address. The registered (public) address allows your private address to communicate with the Internet. Essentially, it forms a bridge between the two networks. Communication can then be initiated from either network. Using static NAT, you can retain all your current internal IP addresses and still access the Internet. You will need to have one registered IP address for each private address that accesses the Internet. For example, if you have 12 users, you need 12 IP addresses to map to your 12 private addresses. In the illustration above, the NAT address 192.12.3.1 sits unusable, like a shell, waiting for information to come back. When the information returns, NAT maps the address back to the PC. When Static NAT is active, any inbound traffic destined directly to the address 192.12.3.1 will never get to that interface because it is only representing your internal address. The real private address 10.10.1.1 is the actual destination, even though (to the world outside the AS/400) it appears that 192.12.3.1 is the desired IP address. Sample Configuration 16 Networking Security IP packet security

ADDRESS PC01 IP = 10.10.1.1 TYPE = TRUSTED
ADDRESS SHELL IP = 192.12.3.1 TYPE = BORDER
MAP PC01 TO SHELL LINE = TRNLINE JRN = OFF

Note: The token ring line named above (LINE = TRNLINE) must be the line that 192.12.3.1 uses. This static NAT will not work if 10.10.1.1 uses that line.

Example: Setting filter rules to allow HTTP and FTP

Situation

You want to provide Web applications, but your current firewall is already working overtime and you do not want to add to its load. A colleague suggests running the applications outside the firewall. However, from the Internet you want only HTTP, FTP, and telnet traffic to reach your AS/400 Web server. What methods do you use?

Solution

IP packet filtering lets you set rules that state what traffic you want to permit. Set IP filter rules to permit HTTP, FTP, and telnet traffic (inbound and outbound) to the Web server, which in this case is your AS/400. The server's public address is 192.54.5.1 and its private address is 10.1.2.3. Telnet is included because the scenario calls for it; HTTP and FTP do not depend on it. Remember that telnet and FTP send passwords in the clear: the filters control which hosts can reach those ports, not what an observer on the path can see (see the discussion of SSL and VPN in Chapter 6).

Sample Configuration

### The following 2 filters permit HTTP (Web browser) traffic in and out of the system.
FILTER SET external_rules ACTION = PERMIT DIRECTION = INBOUND SRCADDR = * %
  DSTADDR = 10.1.2.3 PROTOCOL = TCP DSTPORT = 80 SRCPORT = * %
  FRAGMENTS = NONE JRN = OFF
FILTER SET external_rules ACTION = PERMIT DIRECTION = OUTBOUND SRCADDR = 10.1.2.3 %
  DSTADDR = * PROTOCOL = TCP DSTPORT = * SRCPORT = 80 %
  FRAGMENTS = NONE JRN = OFF

FILTER SET external_rules ACTION = PERMIT DIRECTION = * SRCADDR = * %
  DSTADDR = * PROTOCOL = ICMP TYPE = * CODE = * %
  FRAGMENTS = NONE JRN = OFF
### The following 4 filters permit FTP traffic in and out of the system.
FILTER SET external_rules ACTION = PERMIT DIRECTION = INBOUND SRCADDR = * %
  DSTADDR = 10.1.2.3 PROTOCOL = TCP DSTPORT = 21 SRCPORT = * %
  FRAGMENTS = NONE JRN = OFF
FILTER SET external_rules ACTION = PERMIT DIRECTION = OUTBOUND SRCADDR = 10.1.2.3 %
  DSTADDR = * PROTOCOL = TCP DSTPORT = * SRCPORT = 21 %
  FRAGMENTS = NONE JRN = OFF
FILTER SET external_rules ACTION = PERMIT DIRECTION = INBOUND SRCADDR = * %
  DSTADDR = 10.1.2.3 PROTOCOL = TCP DSTPORT = 20 SRCPORT = * %
  FRAGMENTS = NONE JRN = OFF
FILTER SET external_rules ACTION = PERMIT DIRECTION = OUTBOUND SRCADDR = 10.1.2.3 %
  DSTADDR = * PROTOCOL = TCP DSTPORT = * SRCPORT = 20 %
  FRAGMENTS = NONE JRN = OFF
### The following 2 filters permit telnet traffic in and out of the system.
FILTER SET external_rules ACTION = PERMIT DIRECTION = INBOUND SRCADDR = * %
  DSTADDR = 192.54.5.1 PROTOCOL = TCP DSTPORT = 23 SRCPORT = * %
  FRAGMENTS = NONE JRN = OFF
FILTER SET external_rules ACTION = PERMIT DIRECTION = OUTBOUND SRCADDR = 192.54.5.1 %
  DSTADDR = * PROTOCOL = TCP DSTPORT = * SRCPORT = 23 %
  FRAGMENTS = NONE JRN = OFF
### The following statement binds (associates) the 'external_rules' filter set with the correct physical interface.
FILTER_INTERFACE LINE = TRNLINE SET = external_rules

Note: The ICMP rule is bidirectional (DIRECTION = *) and permits every ICMP type and code. The port 20 rules cover the data connections of active-mode FTP, which the server opens from port 20. Anything not matched by one of these rules is discarded by the automatic deny rule, so no other service on the AS/400 is reachable through this interface.

Example: Combining NAT and IP filtering

Situation

Your business has a moderately sized internal network and an AS/400. You want to pass all Web traffic from the gateway AS/400 to another server behind it. That externally reachable Web server listens on port 5000. You want to hide all your private PCs and the Web server behind an address on your AS02 interface, and you also want to let other companies reach your Web server. What methods do you use?

Solution

You decide to use IP packet filtering and NAT together. You need three things:

1. Hide NAT, so that your private addresses can reach the Internet.
2. Port-mapped NAT, so that external networks can reach your Web server.
3. Filters for the inbound and outbound traffic of your private (10.1.1.x) addresses.

NAT hides IP addresses from external networks such as the Internet, and filtering controls inbound and outbound traffic. In this example you allow only HTTP traffic into your network. You use masquerade port-mapped NAT, which lets the other company initiate a conversation with your server through one of the interfaces defined on your AS/400.

Port-mapped NAT lets you expose one specific IP address and port. In this example the Web server you want to reach is another machine behind your AS/400, listening on port 5000. NAT translates only inbound traffic addressed to 192.27.1.1 on port 80. Externally initiated traffic that does not match that exact address and port is not translated.

Sample Configuration

### The following NAT hides your four PCs behind a public address so they can reach the Internet.
ADDRESS pcs IP = 10.1.1.251 THROUGH 10.1.1.254 TYPE = TRUSTED
ADDRESS public IP = 192.27.1.1 TYPE = BORDER
HIDE pcs BEHIND public TIMEOUT = 16 MAXCON = 64 JRN = OFF
### The following port-mapped NAT hides your Web server's address and port behind a public
### address and port. Both NAT rules hide behind the same public address (defined once above);
### that is acceptable as long as the private addresses being hidden do not overlap. This
### port-mapped rule allows externally initiated traffic on port 80 only.
ADDRESS Web250 IP = 10.1.1.250 TYPE = TRUSTED
HIDE Web250:5000 BEHIND public:80 TIMEOUT = 16 MAXCON = 64 JRN = OFF
### The following 2 filters permit any inbound TCP traffic destined for your private network
### through to NAT, and any outbound TCP traffic out to the Internet. NAT, however, only
### translates externally initiated traffic that matches the port-mapped rule (port 80);
### externally initiated traffic that does not match it is not translated.
FILTER SET external_rules ACTION = PERMIT DIRECTION = INBOUND SRCADDR = * %
  DSTADDR = 10.1.1.* PROTOCOL = TCP DSTPORT = * SRCPORT = * %
  FRAGMENTS = NONE JRN = OFF
FILTER SET external_rules ACTION = PERMIT DIRECTION = OUTBOUND SRCADDR = 10.1.1.* %
  DSTADDR = * PROTOCOL = TCP DSTPORT = * SRCPORT = * %
  FRAGMENTS = NONE JRN = OFF
### The following statement binds (associates) the 'external_rules' filter set with the correct physical interface.
FILTER_INTERFACE LINE = TRNLINE SET = external_rules
### ANY PACKET THAT IS NOT SPECIFICALLY PERMITTED IS AUTOMATICALLY DENIED BY THIS COMPILATION.

Example: Hiding your IP addresses (masquerade NAT)

Situation

You have a small company and want to start HTTP service on your AS/400. You allow employees to browse the Internet, but you do not allow externally initiated connections into your network. You ordered a model 170e with one Ethernet card, and you have three PCs. Your Internet service provider (ISP) provides a DSL connection and a DSL modem, and has assigned you two IP addresses: 192.20.12.1 and 192.20.12.2. All your PCs have 10.1.1.x addresses. You want to hide all the PC addresses behind one of the AS/400's ISP-provided addresses. (With a large number of PCs you could hide half of them behind one ISP-provided address and the other half behind the other.) What should you do?

Solution

Hide the range of PC addresses behind the HIDE01 address, which is 192.20.12.1 in the configuration below. You could run TCP/IP services from the 10.1.1.1 address. Range NAT (hiding a range of internal addresses) protects the PCs from communication that is initiated outside your network, because a hidden address is translated only for traffic that the PC itself initiates. Remember that for range NAT to start, traffic must be initiated internally.

However, range NAT does not protect the AS/400's own interfaces. Untranslated packets addressed to 192.20.12.1 or 192.20.12.2 still reach the AS/400, so you must add filter rules (as in the earlier filtering example) to control what the AS/400 accepts.

Sample Configuration

ADDRESS pcs IP = 10.1.1.1 THROUGH 10.1.1.4 TYPE = TRUSTED
ADDRESS public IP = 192.20.12.1 TYPE = BORDER
HIDE pcs BEHIND public TIMEOUT = 16 MAXCON = 64 JRN = OFF
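The three NAT rule types in this chapter (MAP for static NAT, HIDE of a range for masquerade NAT, and HIDE addr:port for port-mapped NAT) differ mainly in who may initiate a connection and what gets rewritten. The following Python model is an added example, not IBM code or the AS/400 implementation; it replays the sample configurations above against constructed packets. Port allocation, the session tables, the MAXCON handling and the public addresses 198.51.100.x used as outside hosts are all assumptions of the model, and TIMEOUT (idle expiry) is not modelled.

```python
"""Translation model for MAP, HIDE <range> and HIDE addr:port rules.
Added example, not IBM code.  Simplified semantics (assumed):
  MAP a TO b         - 1:1 rewrite in both directions; either side may initiate.
  HIDE range BEHIND b - translated only for connections the hidden hosts start;
                        outside-initiated packets to b are left untranslated.
  HIDE a:p BEHIND b:q - outside hosts may initiate, but only to exactly b:q.
  MAXCON              - caps live hidden-range sessions; TIMEOUT is not modelled."""
from dataclasses import dataclass, replace
from ipaddress import ip_address


@dataclass(frozen=True)
class Packet:
    direction: str   # "OUTBOUND" leaves the private side, "INBOUND" arrives from outside
    src: str
    dst: str
    sport: int
    dport: int


class Nat:
    def __init__(self, maxcon=64):
        self.maps = {}          # private ip -> public ip                (MAP x TO y)
        self.ranges = []        # (first, last, public ip)               (HIDE range BEHIND y)
        self.portmaps = {}      # (public ip, port) -> (private ip, port) (HIDE a:p BEHIND y:q)
        self.pub_to_priv = {}   # live sessions keyed by the public side
        self.priv_to_pub = {}   # the same sessions keyed by the private side
        self.hidden_live = 0    # sessions counted against MAXCON
        self.maxcon = maxcon
        self.next_port = 20000  # constructed port pool for masquerade sessions

    def map(self, private, public):
        self.maps[private] = public

    def hide_range(self, first, last, public):
        self.ranges.append((int(ip_address(first)), int(ip_address(last)), public))

    def hide_port(self, private, pport, public, qport):
        self.portmaps[(public, qport)] = (private, pport)

    def _public_for(self, addr):
        n = int(ip_address(addr))
        return next((pub for lo, hi, pub in self.ranges if lo <= n <= hi), None)

    def _open(self, priv, pport, pub, qport):
        self.pub_to_priv[(pub, qport)] = (priv, pport)
        self.priv_to_pub[(priv, pport)] = (pub, qport)

    def translate(self, pkt):
        """Return the rewritten packet, or None when no rule translates it.
        For a hidden range, None is exactly what protects the PCs: an outside
        host that initiates gets no translation and therefore no private host."""
        if pkt.direction == "OUTBOUND":
            if pkt.src in self.maps:                              # static NAT
                return replace(pkt, src=self.maps[pkt.src])
            if (pkt.src, pkt.sport) in self.priv_to_pub:          # reply or continuing session
                pub, qport = self.priv_to_pub[(pkt.src, pkt.sport)]
                return replace(pkt, src=pub, sport=qport)
            pub = self._public_for(pkt.src)
            if pub is None or self.hidden_live >= self.maxcon:    # no rule, or MAXCON reached
                return None
            qport, self.next_port = self.next_port, self.next_port + 1
            self._open(pkt.src, pkt.sport, pub, qport)
            self.hidden_live += 1
            return replace(pkt, src=pub, sport=qport)

        reverse = {pub: priv for priv, pub in self.maps.items()}
        if pkt.dst in reverse:                                    # static NAT, outside initiates
            return replace(pkt, dst=reverse[pkt.dst])
        key = (pkt.dst, pkt.dport)
        if key in self.pub_to_priv:                               # reply into a live session
            priv, pport = self.pub_to_priv[key]
            return replace(pkt, dst=priv, dport=pport)
        if key in self.portmaps:                                  # port-mapped NAT, exact addr:port
            priv, pport = self.portmaps[key]
            self._open(priv, pport, pkt.dst, pkt.dport)
            return replace(pkt, dst=priv, dport=pport)
        return None                                               # externally initiated: untranslated


def page_configuration(maxcon=64):
    """The MAP and HIDE statements from this chapter's sample configurations."""
    nat = Nat(maxcon)
    nat.map("10.10.1.1", "192.12.3.1")                            # MAP PC01 TO SHELL
    nat.hide_range("10.1.1.251", "10.1.1.254", "192.27.1.1")      # HIDE pcs BEHIND public
    nat.hide_port("10.1.1.250", 5000, "192.27.1.1", 80)           # HIDE Web250:5000 BEHIND public:80
    return nat
```

Run with `page_configuration()` and feed packets to `translate()`: an outside host sending to 192.27.1.1:25 gets `None` (the masquerade rule protects the PCs), to 192.27.1.1:80 it is rewritten to 10.1.1.250:5000, and to 192.12.3.1 it is always rewritten to 10.10.1.1 because static NAT has no notion of who initiated.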

Chapter 5. System requirements for IP packet security

IP packet security is an integrated part of the V4R3 through V4R5 AS/400 operating systems. In V4R5, IP security includes IP packet security and IPSec. In Operations Navigator, IP packet security means NAT and IP filtering. This Information Center topic describes only NAT and filtering. For more information about VPN, review AS/400 Virtual Private Networking (VPN) in the Information Center.

Before you configure and start IP packet security, you must have at least a V4R3 version of OS/400. In addition, you must complete these requirements:

1. Install the TCP/IP program (5769-TC1).
2. Install Operations Navigator.

After you meet these requirements, plan your IP packet security needs before you configure any IP packet security rules.

Note: If you are not familiar with TCP/IP, networking, or IP addresses, see the overview Understanding TCP/IP and networking.


Chapter 6. Planning for IP packet security

Will NAT and IP filtering offer adequate protection? To answer this question you must develop a security plan and understand the security risks. Your plan should include:

- Your network configuration
- What resources you want to protect
- What and whom you want to protect your resources from

What should I know about Internet security?

After you know what and whom you want to protect your resources from, explore the different security options. Review these topics to learn more about Internet security risks and AS/400 security solutions, and to complete your security plan:

- Connecting to the Internet
- IP packet security versus other security solutions

How do I create a plan?

The planning process lets you pinpoint your security needs. If you decide to use IP packet security to protect your AS/400, perform these tasks to create your packet security configuration plan:

- Make a drawing of your network and connections.
- Specify what routers and IP addresses you will use.
- Develop a list of the rules you want to use to control TCP/IP traffic that passes through your systems. You need this list to configure your IP packet filtering rules. Each rule in your list should describe these aspects of the TCP/IP traffic flow:
  - the type of service that you want to permit or deny (for example, HTTP, FTP, and so forth)
  - the well-known port number for that service
  - the direction of the traffic
  - whether the traffic is reply or initiating traffic
  - the IP addresses for the traffic (source and destination)
- Specify which IP addresses you want to map to other addresses or hide behind other addresses. (You need this list only if you decide to use network address translation.)

After you develop your security plan, you can create and activate the IP packet security rules.

IP packet security versus other security solutions

Your AS/400 server contains your vital data and resources. You need to ensure that your system provides access only to information that you intend to distribute. To keep your private information secure from intruders, take the appropriate measures to secure your system. Consider how you plan to connect to and provide access to your system before you determine your security rules.

Your AS/400 has integrated security components that can protect your system from several types of risk. You may need additional security measures, depending on how you use your AS/400. Because NAT and IP filtering are integrated parts of OS/400 IP packet security, they are an economical way to secure your system; in some cases they provide everything you need without any additional purchases.

That does not mean you should take advantage of the cost savings when securing a production AS/400 system. In that situation the security of your system takes precedence over cost. To provide maximum protection for a production system, consider using a firewall such as IBM Firewall for the AS/400. IP packet security provides some protection, but it is an entry-level firewall only. Do not depend on this level of protection in vital situations, such as a production system connected to the Internet. In such high-risk situations, use more than the integrated security components that come with your AS/400 operating system.

IP packet security or a firewall can protect your system against unauthorized access, but neither keeps your communications confidential. If you need to secure communications between your AS/400 and other systems, investigate other AS/400 Internet security solutions to broaden your protection. For example, you may want to use digital certificates and the Secure Sockets Layer (SSL), or AS/400 Virtual Private Networking (VPN), to provide secure communications.

If you plan to connect your AS/400 or network to the Internet, review IBM SecureWay: AS/400 and the Internet. This topic provides a wealth of information about the risks and solutions you should consider when using the Internet.

AS/400 IP packet security or some other method may be able to meet your security needs on its own, depending on how you use your system. However, to ensure the security of your system, consider using multiple lines of defense; that way, if one method fails, you have backup security for your system. To learn more about what you can do to enhance the security of your AS/400, review AS/400 Internet security solutions.

Chapter 7. Creating and activating IP packet security rules

To create and apply IP packet filtering and NAT rules, complete the tasks in this checklist:

1. Use Operations Navigator to access IP packet security.
2. Define addresses and services, to create nicknames for the addresses and services for which you plan to create multiple rules. You must define addresses if you want to create NAT rules.
3. Comment your rules as you create them.
4. Create NAT rules. You perform this task only if you plan to use NAT.
5. Create filter rules.
6. Include any additional files that you want to add to the new rules file. You perform this task only if you have existing rules files that you want to reuse in this file.
7. Define the interfaces to which you want to apply your rules.
8. Verify your rules files to ensure that they are free of errors.
9. Save and activate your rules file.

To ensure that your filter rules are working as you intended, periodically review the packet security journals. Reviewing your journals can help you identify denied-packet patterns that may indicate attack attempts. After reviewing the journal results, you may need to change your rules. If your security needs change, edit your rules files to change how your system handles TCP/IP traffic. You may also need to complete other tasks to maintain the security of your system; administering your NAT and IP filter rules carefully is part of keeping your AS/400 secure.

Accessing the IP packet security functions

You must access AS/400 IP packet security through Operations Navigator, the graphical interface for working with your AS/400 resources. To access the IP packet security functions (on a V4R5 system), follow these steps:

1. In the left pane of the Operations Navigator window, expand My AS/400 Connections.
2. Expand the AS/400 system on which you want to establish IP packet security.
3. Expand Network.
4. Click IP Security, listed under Network, or right-click IP Security and select Open.
   Note: If you right-click IP Security, you can instead select Create Shortcut. This places an icon on your desktop that links directly to IP packet security, so you can bypass these steps the next time.
5. In the right pane of the window, right-click IP Packet Security to display a menu.
6. Select Configuration. The IP packet security window displays. From this window you can create new rules and manage existing ones.

After you access IP packet security, start by Defining addresses and services.
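The checklist above ends with periodic review of the packet security journals for denied-packet patterns. The following Python script is an added example, not IBM code, of what such a review looks like in practice: it parses denied-packet records and flags sources that probed many closed ports (a scan) or hammered one port repeatedly. The record layout and the sample records are constructed for this example and are not the AS/400 journal format; the thresholds are illustrative.

```python
"""Review of denied-packet records for patterns that may indicate probing.
Added example, not IBM code.  The record layout below is constructed for this
example and is NOT the AS/400 packet security journal format."""
import re
from collections import defaultdict

# Constructed sample records: timestamp, action, direction, protocol, src:port -> dst:port.
SAMPLE = """
2000-06-01 10:15:02 DENY INBOUND TCP 203.0.113.9:41002 -> 192.54.5.1:21
2000-06-01 10:15:02 DENY INBOUND TCP 203.0.113.9:41003 -> 192.54.5.1:22
2000-06-01 10:15:03 DENY INBOUND TCP 203.0.113.9:41004 -> 192.54.5.1:25
2000-06-01 10:15:03 DENY INBOUND TCP 203.0.113.9:41005 -> 192.54.5.1:110
2000-06-01 10:15:04 DENY INBOUND TCP 203.0.113.9:41006 -> 192.54.5.1:139
2000-06-01 10:15:04 DENY INBOUND TCP 203.0.113.9:41007 -> 192.54.5.1:443
2000-06-01 10:16:10 DENY INBOUND UDP 198.51.100.4:53 -> 192.54.5.1:53
2000-06-01 10:17:00 PERMIT INBOUND TCP 198.51.100.20:2033 -> 192.54.5.1:80
2000-06-01 10:17:05 DENY INBOUND TCP 198.51.100.20:2034 -> 192.54.5.1:22
2000-06-01 10:17:06 DENY INBOUND TCP 198.51.100.20:2035 -> 192.54.5.1:22
2000-06-01 10:17:07 DENY INBOUND TCP 198.51.100.20:2036 -> 192.54.5.1:22
2000-06-01 10:17:08 DENY INBOUND TCP 198.51.100.20:2037 -> 192.54.5.1:22
"""

RECORD = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>PERMIT|DENY) (?P<dir>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")


def parse_records(text):
    """Parse the constructed layout; lines that do not match are skipped."""
    out = []
    for line in text.strip().splitlines():
        m = RECORD.match(line.strip())
        if m is None:
            continue
        rec = m.groupdict()
        rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
        out.append(rec)
    return out


def denied_by_source(records):
    """Map each source to (sorted distinct denied destination ports, denied packet count),
    counting only inbound packets that the filters discarded."""
    ports, count = defaultdict(set), defaultdict(int)
    for r in records:
        if r["action"] == "DENY" and r["dir"] == "INBOUND":
            ports[r["src"]].add(r["dport"])
            count[r["src"]] += 1
    return {src: (sorted(ports[src]), count[src]) for src in ports}


def suspicious_sources(records, scan_ports=5, repeat_hits=3):
    """Sources that touched many distinct closed ports (a scan) or repeatedly hit a
    single one (repeated connection attempts).  Thresholds are illustrative."""
    flagged = {}
    for src, (ports, n) in denied_by_source(records).items():
        if len(ports) >= scan_ports:
            flagged[src] = f"scan: {len(ports)} ports"
        elif n >= repeat_hits and len(ports) == 1:
            flagged[src] = f"repeated attempts on port {ports[0]}"
    return flagged


if __name__ == "__main__":
    for src, reason in suspicious_sources(parse_records(SAMPLE)).items():
        print(src, reason)
```

A source that appears here is a candidate for a closer look, not automatically an attacker; the next step the chapter describes is deciding whether the rules file needs to change, for example by journaling that source's traffic more fully.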

Defining addresses and services

When you create IP packet security rules, you must specify the TCP/IP addresses and services that you want the rules to apply to. Often several rules apply to the same set of addresses or services. IP packet security lets you define nicknames for addresses and aliases for services, which makes creating NAT and IP filter rules easier: in a rule you refer to the address nickname or service alias rather than to the specific address or service details.

Using nicknames and aliases in your filter rules has two advantages:

1. It minimizes the risk of typographical errors.
2. It minimizes the number of filter rules that you need to create.

For example, you have 31 users on your network who need Internet access, but you want to restrict them to Web access only. You have two choices for creating the filter rules:

1. Define a filter rule for each user's IP address.
2. Define an address nickname for the entire set of addresses that represents your users.

The first choice increases your chances of making typographical errors and increases the maintenance you perform on your rules file. With the second choice you only need two filter rules (one inbound, one outbound), each using the nickname to refer to the entire set of addresses to which the rule applies.

You can also create aliases for services and use them in the same way as address nicknames. A service alias defines the TCP, UDP, or ICMP criteria you want to select, including the source and destination ports.

Note: Remember that you must define addresses if you plan to use NAT. NAT rules can only refer to address nicknames.

Defining Addresses

To define addresses, follow these steps:

1. Within the IP packet security dialog, expand IP Packet Security.
2. Right-click Defined Addresses.
3. Select New Defined Address.
4. Complete the fields displayed in the New Defined Address dialog.
5. If you are hiding a range of addresses, complete the Start address and End address fields. Do not use masks to define a range of IP addresses.
6. Click OK.

Note: If you need more information to complete the fields, click Help.

Defining Service Aliases

To define service aliases, follow these steps:

1. Within the IP packet security dialog, expand IP Packet Security.
2. Right-click Services.
3. Select New Service Alias.
4. Complete the fields displayed in the New Service Alias dialog.
5. Click OK.

Note: If you need more information to complete the fields, click Help.

Defining Internet Control Message Protocol (ICMP) services

Internet Control Message Protocol (ICMP) services let you reuse sets of ICMP services in any number of filters. Defining ICMP services also records the purpose of each service definition. To define ICMP services, follow these steps:

1. Within the IP packet security dialog, expand IP Packet Security.
2. Right-click Services.
3. Select New ICMP Service.
4. Complete the fields displayed in the New ICMP Service dialog.
5. Click OK.

Note: If you need more information to complete the fields, click Help.

Continue by reading how and why to Make comments about your NAT and IP filter rules.

Making comments about your NAT and IP filter rules

Commenting your rules files is very important. You want to record how you intend your rules to work, for instance what a particular rule permits or denies. This information will save you hours later. If you ever need to fix a security leak quickly, you will need these comments to jog your memory; you may not have time to work out what your rules meant, so use comments generously.

Each of the dialogs associated with creating and activating IP packet security rules has a Description field, which is reserved for your comments. The system ignores anything you put in that field. Use the comment field at each step of the rule creation process to reduce the chance of forgetting a significant comment. It is best to make your comments while the rule you are commenting on is still fresh in your mind. However, you can wait until you finish creating all your rules. To make comments after you finish creating and applying filter rules, follow these steps:

1. Within the IP packet security dialog, expand IP Packet Security.
2. Expand Address Translation.
3. Right-click Comments.
4. Select New Comment.
5. Complete the Description field displayed in the New Comment dialog.
   Note: If you need more information to complete the field, click Help.
6. Click OK.

If you choose to comment on your rules as you create them, go to the next step to Create network address translation (NAT) rules. Otherwise, you can make comments about all of the rules, in general, at the end.

Creating network address translation (NAT) rules

If you determine that you need NAT, you must define nicknames for the IP addresses you intend to use. You cannot create NAT rules with the standard dotted 32-bit address notation. Rather than specifying a real address such as 193.112.14.90, you must refer to 193.112.14.90 by a nickname, such as PCs. The system associates the name you defined with the corresponding addresses and translates them accordingly. Therefore, you must define your addresses before your system can apply NAT rules to them. If you are hiding a range of addresses, you must define the range under one address name, as described in Defining addresses.

You can create two types of NAT rules. One type hides addresses; the other maps addresses.

Hiding Addresses

Hide addresses when you want to keep private addresses hidden from public view. A hidden address rule hides multiple internal addresses behind a single public IP address. This type of rule is masquerade NAT. To hide your private addresses, follow these steps:

1. Within the IP packet security dialog, expand IP Packet Security.
2. Expand Address Translation.
3. Right-click Hidden Addresses.
4. Select New Hidden Address.
5. Complete the fields displayed in the New Hidden Address dialog.
   Note: If you need more information to complete the fields, click Help.
6. After you complete the fields, click OK.

Note: When creating these rules, the subnet mask is not important. Disregard this field, because it has nothing to do with NAT.

Mapping Addresses

Map addresses when you want to translate a single public IP address into a single internal address. A mapped address rule routes traffic arriving for one address to a hidden one. This type of rule is static NAT. To map an address, follow these steps:

1. Within the IP packet security dialog, expand IP Packet Security.
2. Expand Address Translation.
3. Right-click Mapped Addresses.
4. Select New Mapped Address.
5. Complete the fields displayed in the New Mapped Address dialog.
   Note: If you need more information to complete the fields, click Help.
6. Click OK.

Note: When mapping an address (static NAT) or using port-mapped NAT, you must define the line that the mapped or port-mapped address uses.

After you create your NAT rules, go to the next step to Create IP filter rules.

Creating IP filter rules
When you create a filter, you specify a rule that governs the flow of TCP/IP traffic into and out of your system. The rules you define specify whether the system permits or denies the packets that attempt to enter or leave. The system classifies each IP packet on the information in its headers and applies the action you specified for the first rule that matches. The system discards any packet that matches no rule. As a backup security measure, this default deny rule applies to every packet that crosses your system without matching a defined rule. You must have at least one filter rule activated for the default deny rule to be active.

Before you create the rules that govern your filters, determine whether you need network address translation (NAT). If you use NAT rules, you must define addresses and services. NAT is the only function that requires this defining process, but you can use it for other functions as well: defining addresses and services reduces the number of rules you must create and minimizes the possibility of typographical errors.

Here are some other ways to minimize error and maximize efficiency when creating filter rules:

- Define the filter rules for one service at a time. For example, create all the permits for telnet together; that way the rules for a service stay grouped wherever you refer to them.
- Filter rules are processed in the order in which they appear in the file. Order the rules the way you intend them to be applied as you create them. If the order is incorrect, packets are not processed as you intend and your system is vulnerable to attack. To make this easier, consider these voluntary actions:
  1. Place your filter set names in the FILTER_INTERFACE statement in exactly the same order in which the sets are defined in the file.
  2. Place all filter rules in one set to avoid problems with set order.
- Verify the syntax of each rule as you go along. This is easier and faster than debugging them all at once.
- Create set names for groups of rules that are logically associated with each other. This is important because only one rules file can be active at a time. See the example below.
- Only write filter rules for the datagrams you want to permit. Everything else is discarded by the automatic deny rule.
- Write rules for high-volume traffic first, so that most packets are decided by the first few rules examined.

Example: Look at the Create set names tip above. You may want to allow telnet access to a number of internal users, but not to all of them. To manage these rules more easily, assign each of them the set name TelnetOK. A second requirement may be to allow telnet through a specific interface and block telnet traffic from all others. In this case you create a second set of rules that blocks telnet access entirely and assign those rules the set name TelnetNever. By creating set names you make it easier to distinguish the purpose of each rule and to determine which interfaces you intended particular sets to apply to.

Use all the tips above to ease the process of creating filters. To create filters, follow these steps:

1. Within the IP packet security dialog, expand IP Packet Security.
2. Right-click Filters.
3. Select New Filter.
4. Complete the fields displayed in the New Filter: General dialog and the New Filter: Services dialog.
5. Click OK.

Note: If you need more information to complete the fields, click Help.
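The sample external_rules in Chapter 4 and the ordering tips above rest on one mechanism: rules are tried in the order they appear in the sets bound to an interface, the first match decides, and anything unmatched is discarded. The following Python model is an added example, not IBM code or the OS/400 filter engine: it parses the FILTER and FILTER_INTERFACE statement format used on this page (treating a trailing % as a continuation marker, as the sample configurations show), evaluates constructed packets against a subset of the Chapter 4 rules, and shows the same DENY rule taking effect when placed first and being shadowed when placed last. The DENY rule, the 203.0.113.0/24 source network and the packet values are assumptions of the example; FRAGMENTS and JRN are parsed but not acted on.

```python
"""First-match packet filter for the FILTER / FILTER_INTERFACE statement format
used on this page.  Added example, not IBM code: rules are tried in file order,
the first match decides, and no match means DENY (the automatic deny rule)."""
import re
from dataclasses import dataclass


@dataclass
class Packet:
    direction: str          # "INBOUND" or "OUTBOUND" relative to the system
    src: str
    dst: str
    proto: str              # "TCP", "UDP" or "ICMP"
    sport: int = 0
    dport: int = 0
    icmp_type: int = 0
    icmp_code: int = 0


def _logical_lines(text):
    """Join lines ending in the '%' continuation marker; drop ### comments and blanks."""
    lines, pending = [], ""
    for raw in text.splitlines():
        line = raw.split("###", 1)[0].strip()
        if not line:
            continue
        if line.endswith("%"):
            pending += line[:-1] + " "
            continue
        lines.append(pending + line)
        pending = ""
    return lines


def parse_rules(text):
    """Return ({set name: [rule, ...]}, {line name: [set name, ...]}) in file order."""
    sets, interfaces = {}, {}
    for line in _logical_lines(text):
        tokens = re.sub(r"\s*=\s*", "=", line).split()
        kv = {k.upper(): v for k, v in (t.split("=", 1) for t in tokens[1:] if "=" in t)}
        if tokens[0].upper() == "FILTER":              # FILTER SET <name> KEY = VALUE ...
            sets.setdefault(tokens[2], []).append(kv)
        elif tokens[0].upper() == "FILTER_INTERFACE":  # LINE = <line> SET = <name>
            interfaces.setdefault(kv["LINE"], []).append(kv["SET"])
    return sets, interfaces


def _addr_match(pattern, addr):
    """'*' matches anything; '10.1.1.*' matches octet by octet."""
    if pattern == "*":
        return True
    p, a = pattern.split("."), addr.split(".")
    return len(p) == len(a) and all(x in ("*", y) for x, y in zip(p, a))


def _num_match(pattern, value):
    return pattern == "*" or int(pattern) == value


def _matches(rule, pkt):
    if rule.get("DIRECTION", "*").upper() not in ("*", pkt.direction):
        return False
    if rule.get("PROTOCOL", "*").upper() not in ("*", pkt.proto):
        return False
    if not (_addr_match(rule.get("SRCADDR", "*"), pkt.src)
            and _addr_match(rule.get("DSTADDR", "*"), pkt.dst)):
        return False
    if pkt.proto == "ICMP":
        return (_num_match(rule.get("TYPE", "*"), pkt.icmp_type)
                and _num_match(rule.get("CODE", "*"), pkt.icmp_code))
    return (_num_match(rule.get("SRCPORT", "*"), pkt.sport)
            and _num_match(rule.get("DSTPORT", "*"), pkt.dport))


def filter_packet(rules_text, line, pkt):
    """Action of the first matching rule in the sets bound to `line`, else DENY."""
    sets, interfaces = parse_rules(rules_text)
    if line not in interfaces:
        raise ValueError(f"no filter set is bound to line {line}")
    for set_name in interfaces[line]:
        for rule in sets.get(set_name, []):
            if _matches(rule, pkt):
                return rule.get("ACTION", "DENY").upper()
    return "DENY"   # the automatic deny rule: nothing permitted the packet


# Constructed subset of the page's external_rules (HTTP in/out, ICMP, telnet in).
RULES = """
FILTER SET external_rules ACTION = PERMIT DIRECTION = INBOUND SRCADDR = * %
  DSTADDR = 10.1.2.3 PROTOCOL = TCP DSTPORT = 80 SRCPORT = * FRAGMENTS = NONE JRN = OFF
FILTER SET external_rules ACTION = PERMIT DIRECTION = OUTBOUND SRCADDR = 10.1.2.3 %
  DSTADDR = * PROTOCOL = TCP DSTPORT = * SRCPORT = 80 FRAGMENTS = NONE JRN = OFF
FILTER SET external_rules ACTION = PERMIT DIRECTION = * SRCADDR = * DSTADDR = * %
  PROTOCOL = ICMP TYPE = * CODE = * FRAGMENTS = NONE JRN = OFF
FILTER SET external_rules ACTION = PERMIT DIRECTION = INBOUND SRCADDR = * %
  DSTADDR = 192.54.5.1 PROTOCOL = TCP DSTPORT = 23 SRCPORT = * FRAGMENTS = NONE JRN = OFF
FILTER_INTERFACE LINE = TRNLINE SET = external_rules
"""

# Hypothetical rule (not from the page) blocking one outside network, 203.0.113.0/24.
BLOCK_RULE = ("FILTER SET external_rules ACTION = DENY DIRECTION = INBOUND "
              "SRCADDR = 203.0.113.* DSTADDR = * PROTOCOL = TCP DSTPORT = * "
              "SRCPORT = * FRAGMENTS = NONE JRN = OFF\n")


def deny_first():
    """Block rule ahead of the permits: it is reached first and takes effect."""
    return BLOCK_RULE + RULES


def deny_last():
    """Same rule after the permits: the HTTP permit matches first, so it never fires."""
    return RULES.replace("FILTER_INTERFACE", BLOCK_RULE + "FILTER_INTERFACE")
```

`filter_packet(deny_first(), "TRNLINE", pkt)` and `filter_packet(deny_last(), "TRNLINE", pkt)` return different answers for the same HTTP packet from 203.0.113.5, which is the vulnerability the ordering tip warns about: the verify function would accept both files, because both are syntactically valid.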

If you need to change the order of the rules after you have defined them, switch to the All Security Rules view and use drag-and-drop to change the rule order.

After you create your filters, go to the next step to consider Including files.

Including files in IP packet security

You can create more than one packet security rules file. Using multiple files makes it much easier to work with your rules, especially if you need a large number of rules to control traffic on multiple interfaces. For example, you may want to use some rules on an individual interface and other rules on multiple interfaces. You can group commonly used rules in individual files and then include those files in the master file that you use to run the rules. If an included file already contains the common rules, you do not have to rewrite each rule; you only need the include feature to add the rules to your master file. When creating include files, you may want to keep your NAT rules for an interface separate from your filter rules for that interface. However, only one file can be active at any given time.

Note: The master file, together with everything it includes, counts as the one file that can be active at any given time.

When you create a new rules file, you can include any existing files as part of the new file. Before you do this, create the new filter rules you want to use. Whenever you create rules, file (group) them by type. This way you do not have to recreate rules that you have used before; you can include or remove them as needed. To include an existing file in the current rules file, follow these steps:

1. Within the IP packet security dialog, expand IP Packet Security.
2. Right-click Includes.
3. Select New Include.
4. Complete the fields displayed in the New Include dialog.
5. Click OK.

Note: If you need more information to complete the fields, click Help.

You can edit an included file by double-clicking its name or by selecting Explore from the context menu. The New cascading menu lets you add rules to the file, and you can modify a rule by selecting Properties.

After you include all the additional rules files you want to use, go to the next step to Define IP filter interfaces.

Defining IP filter interfaces

You must define filter interfaces to establish which filter rules the system applies to which interfaces. Before you can define your filter interfaces, you need to create the filters that you intend the system to apply to the various interfaces. If you defined your addresses, you refer to them by name when you define your interfaces; if you did not, you refer to them by IP address.

Before you define your interfaces, you should include any additional files you want to use. Then you can define your interfaces. Remember that the filter sets are applied in the order that they are specified in the filter interface statement. So, the filter set names should appear in the FILTER_INTERFACE statement in the same order in which the sets are physically defined in the file.

To define filter interfaces, follow these steps:
1. Within the IP packet security dialog, expand IP Packet Security.
2. Right-click Filter Interfaces.
3. Select New Filter Interface.
4. Complete the fields displayed in the New Filter Interface dialog.
5. Click OK.

Note: If you need more information to complete the fields, click Help.

Note: Remember to add comments whenever possible. You can do this in the Description field when you define a filter interface.

After you define the filter interfaces, go to the next step to Verify NAT and IP filter rules.

Verifying NAT and IP filter rules

Before using the verify function, you should print and view your filter rules to check for visible errors. You cannot activate rules that have syntactical errors. The verify function checks only for errors of a syntactical nature. The system cannot verify whether you have ordered your rules correctly. You must check rule order manually. Packet security rules are order dependent. You must order the rules the way that you want them applied. If you order them incorrectly, you will not get your intended result. Ensure that your rules are correct and ordered the way you want them applied before you activate them.

You must have a rules file open before you can verify it. To verify the currently open rules file, follow these steps:
1. Open the file you want to verify.
   Note: If you are verifying the file you are in currently, you can skip this step. Verify is always active when editing a file.
2. Within the IP packet security dialog, click the File menu.
3. Select Verify.
4. Click Save.
5. Complete the fields displayed in the New Filter: General dialog and the New Filter: Services dialog.
6. Click OK. If you need more information to complete the fields, click Help.

Note: You should verify the syntax of each rule as you go along. This is easier than debugging them all at once.

Warning messages: Whenever you activate your filter rules, the system automatically verifies them. Various warning and error messages may be produced. A warning message is simply for informational purposes and will not stop the verification process. Read all messages carefully. One message will appear saying that your verification or activation was successful.
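The manual states that the verify function checks syntax only and that rule order is the administrator's responsibility. The following Python script is an added illustration, not code from the manual or from the AS/400 product: it models an ordered, first-match rule list with the system's implicit default deny, in a simplified hypothetical rule format (the real .i3p syntax is not reproduced here), and adds a check for a rule that an earlier, broader rule makes unreachable, which is exactly the kind of ordering mistake the verify function will not report. All rule names, addresses and packets are constructed.

```python
"""Ordered first-match IP filter model with a rule-order check.

Added illustration, not code from the IBM manual or the AS/400 product.
The rule format is a hypothetical simplification: one rule is a template
over direction, protocol, source, destination and destination port.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

ANY = "*"
FIELDS = ("direction", "protocol", "src", "dst", "dst_port")


@dataclass(frozen=True)
class Rule:
    name: str
    action: str        # "PERMIT" or "DENY"
    direction: str     # "INBOUND", "OUTBOUND" or "*"
    protocol: str      # "TCP", "UDP", "ICMP" or "*"
    src: str           # CIDR network or "*"
    dst: str           # CIDR network or "*"
    dst_port: str      # port number as a string, or "*"


@dataclass(frozen=True)
class Packet:
    direction: str
    protocol: str
    src: str
    dst: str
    dst_port: int


def _net(value: str) -> Optional[IPv4Network]:
    return None if value == ANY else ip_network(value, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    """Does the rule's template cover this packet?"""
    if rule.direction != ANY and rule.direction != pkt.direction:
        return False
    if rule.protocol != ANY and rule.protocol != pkt.protocol:
        return False
    if rule.dst_port != ANY and int(rule.dst_port) != pkt.dst_port:
        return False
    for template, addr in ((rule.src, pkt.src), (rule.dst, pkt.dst)):
        net = _net(template)
        if net is not None and ip_address(addr) not in net:
            return False
    return True


def decide(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First matching rule wins; the system's default rule denies the rest."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.name
    return "DENY", "default-deny"


def _covers(broad: str, narrow: str) -> bool:
    """Is the template value `broad` at least as general as `narrow`?"""
    if broad == ANY:
        return True
    if narrow == ANY:
        return False
    if "." in broad or "." in narrow:          # address fields
        return _net(narrow).subnet_of(_net(broad))
    return broad == narrow                      # direction, protocol, port


def shadowed_rules(rules: List[Rule]) -> List[Tuple[str, str]]:
    """(shadowed, by) pairs: rules that a single earlier rule makes unreachable.
    Coverage by a union of several earlier rules is not detected."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if all(_covers(getattr(earlier, f), getattr(later, f)) for f in FIELDS):
                found.append((later.name, earlier.name))
                break
    return found


# Constructed example: permit inbound web traffic to one host, deny all other inbound.
WEB = Rule("web-in", "PERMIT", "INBOUND", "TCP", ANY, "10.1.1.5/32", "80")
DENY_ALL_IN = Rule("deny-in", "DENY", "INBOUND", ANY, ANY, ANY, ANY)

GOOD_ORDER = [WEB, DENY_ALL_IN]   # specific permit first, then the catch-all
BAD_ORDER = [DENY_ALL_IN, WEB]    # catch-all first: web-in can never match

HTTP_REQUEST = Packet("INBOUND", "TCP", "192.0.2.44", "10.1.1.5", 80)
TELNET_TRY = Packet("INBOUND", "TCP", "192.0.2.44", "10.1.1.5", 23)

if __name__ == "__main__":
    for label, rules in (("good order", GOOD_ORDER), ("bad order", BAD_ORDER)):
        print(label, decide(rules, HTTP_REQUEST), decide(rules, TELNET_TRY),
              "shadowed:", shadowed_rules(rules))
```

With the rules in the good order the web request is permitted by web-in and the telnet attempt falls through to deny-in; with the catch-all first, both are denied and the check reports web-in as shadowed by deny-in, which a syntax-only verify would pass without comment.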

After you complete the verification process, you can save, activate, and deactivate NAT and IP filter rules.

Saving, activating, and deactivating NAT and IP filter rules

Activating the filter rules you create is the final step to implement the IP packet security process. Before you save and activate your rules, you should verify that they are correct. Always attempt to resolve any problems before saving and activating your filter rules. If you activate rules that have errors or are ordered incorrectly, your system will be at risk. Your system has a verify function that is automatically invoked any time you activate your rules. Because this automatic feature only checks for major syntactical errors, you should not rely on it. Make sure you always manually check for errors in your rules.

• Saving your filter rules
In addition to verifying, you must save your rules before you can activate them. Any time you verify a filter rule file, the system gives you the option of saving your file. When you select the verify function, a confirmation window displays. If you click OK, another window displays. This is where you specify the name of the file you want to verify. After you choose which file you want verified, you can choose whether you want to Cancel or Save. If you click Save, the system saves your file and proceeds through the verification process. If you try to activate your rules without saving them, the system will prompt you to save your rules.

• Activating your filter rules
You can only activate the rules that you are currently viewing. To activate your filter rules, follow these steps:
1. Within the IP packet security dialog, click the File menu.
2. Select Activate. The system displays a dialog which asks you to confirm that you want to verify the rules as you activate them.
3. Click Yes in the dialog. If you have not previously saved your rules file, the system displays the Save Rules As dialog.
4. Specify a name for the rules file and click OK to save the rules.
5. If the system is able to verify the rules, the system activates them. If there are errors in the rules, these errors will be displayed at the bottom of the window. You can correct them before you attempt to activate the rules again.

When filter rules are not applied to an interface (for example, you are only using NAT rules, not filtering rules), a warning (TCP5AFC) appears. This is not an error. It only confirms that using one interface is indeed your intention. Always look at the last message. If it says the activation is successful, then the messages above it are all warnings.

Note: When you activate new rules, they replace all previous rules on all physical interfaces. Even if a physical interface is not mentioned in the new rules, its rules will be replaced.

• Deactivating your filter rules
If for some reason you want to deactivate your filter rules, follow the above steps for activation. However, instead of selecting Activate, select Deactivate. Then click Yes. This will make your system vulnerable to intruders.

After you configure IP packet security to protect your system, you want to ensure that your system remains secure. To do this, you must know how to use NAT and IP filter administration.

Chapter 8. NAT and IP filter administration

Once you create and activate the filter rules which govern your IP packet security, you must manage your rules. This enables you to maintain the security of your system. You can manage filter rules by doing the following:
• Viewing filter rules when you need to troubleshoot errors.
• Editing existing filter rules when you need to change how TCP/IP traffic flows into and out of your system.
• Saving, activating, and deactivating existing filter rules when you need to stop or restart your NAT and filter rules. When you deactivate your rules, your network will be unprotected.
• Backing up NAT and IP filter rules to protect yourself against losing files.
• Journaling and auditing rule actions to log your filter rules. This helps to debug your rules.

You should use every possible means to effectively and efficiently manage your rules. The security of your system depends on accurate and current rules. If you need troubleshooting assistance, return to the main IP packet security (filtering and NAT) page.

Viewing NAT and IP filter rules

By viewing the filter rules you create, you can check for any visible errors. You may want to view your filter rules not only before activating and testing, but also before printing and backing up. Viewing your rules is not your only way of checking for errors. It is, however, a useful way to minimize or remove the errors before testing. Your system also has a verify function, but do not rely on it alone. You should take the necessary measures to ensure that you correct all errors manually. This will save you valuable time and resources.

To view inactive rules, you need to open the filter rule file. To view your currently active rules, follow these steps:
1. Open the IP packet security dialog. This dialog displays the rules that are currently loaded.
2. Click All Security Rules. A list of all your rules should appear in the right frame of the dialog.

Note: Because this is a special view, you cannot edit the rules from within this dialog. You must open your rules file through the File menu to edit your rules.

You should print out the filter rules you create so you can look over them. This allows you to catch any visible mistakes and verify that you included any previously created filter rules files you wanted to add. You should not activate your filter rules without viewing them to verify that they are correct.

Copyright IBM Corp. 1998, 2000

Return to NAT and IP filter administration.

Editing NAT and IP filter rules

As your needs change, you must edit your rules to ensure the security of your system. Before you can edit a rule, you must create the rules you want to apply. You should attempt to correct any errors and make any necessary changes to your rules before activation. This is the best way to prevent complications with your filter rules. You must use Operations Navigator to access the IP packet security dialog that enables you to proceed with editing.

To edit a filter rule, follow these steps:
1. Click File on the menu bar, and select Open from the pull-down menu. A standard Open File dialog displays.
   Note: By default, the system applies the file extension .i3p. This is the extension that you must use if you plan to activate the file.
2. Select the file that you want to edit from the dialog list, and click Open. The rules file you select displays in the right pane of the IP packet security window.
   Note: The IP packet security window displays the file name of the active rules file. If you want to edit the active rules file, select that file from the dialog list.
3. Select the rule that you want to change and right-click to display a menu.
4. Select Properties to display the properties window.
5. Make changes to the rule, then click OK.
6. Save the rules file after you make changes.
   Note: If you do not save the rules file, the system will prompt you to save your file.

After you complete the editing process, you need to complete the following steps within the Creating filter rules process:
1. Verify NAT and IP filter rules.
2. Save and activate NAT and IP filter rules.
Then return to NAT and IP filter administration.

Backing up NAT and IP filter rules

It may not seem necessary at first, but backing up your filter rules files is always a good idea. In the event of a loss, your backups can save you the time and work it would take to recreate your files from scratch. These are general tips you can use to ensure that you have an easy way to replace lost files:
• Print out the filter rules. You can store the printouts wherever they are most likely to be secure and reenter the information as necessary. Printouts are also useful if you need to search for an error in a filter rule.
• Copy the information to a disk. Copying has an advantage over printouts: rather than reentering the information manually, it already exists electronically. It provides you a straightforward method for transporting information from one on-line source to another.

Note: Your AS/400 copies information to the system disk, not to a floppy disk. The rules files are stored in the IFS file system on the AS/400, not on a PC. You may want to use a disk protection method as a backup means for protecting the data that is stored on the system disk. When using an AS/400, you must plan a backup and recovery strategy. Review Backup and Recovery for more information about recovering and backing up your files.

Return to NAT and IP filter administration.

Journaling and auditing rule actions

Your IP packet security includes a journaling feature. Journaling allows you to troubleshoot NAT and filtering problems. You can use it to create a log of rule actions. This allows you to debug and spot-check your rules more easily. You can also audit the traffic that flows into and out of your system by reviewing these system logs or journals.

The journaling feature is used on a per-rule basis. When you create a NAT or filter rule, you have the following journaling options: STARTS, FULL, and OFF. See the table below for more detail.

  OPTION   DEFINITION
  STARTS   Each starting TCP datagram is logged, but no UDP traffic is logged.
  FULL     Every packet that is translated is logged.
  OFF      No journaling occurs.

If journaling is turned on, a journal entry is generated for each rule applied to a datagram (NAT or filter). The only rules that are not journaled are the default deny rules. They are never journaled because they are created by the system. Using these journals, you create a general file on the AS/400. You can then use the information recorded in your system's journals to determine how your system is being used. This can help you decide to change various aspects of your security.

If you set the journaling feature to OFF, your system will not create a journal entry for that rule. Although you can choose to do this, it may not be your best option. If you are not experienced in creating filter and NAT rules, you may want to use FULL (logging) as necessary. You can then use the logs as troubleshooting tools. However, be selective in what you choose to journal. Journaling is a heavy burden on your system's resources. Try to focus on the rules that control heavy traffic.

To view these journals, do the following:
1. At a command prompt on the AS/400, enter DSPJRN JRN(QIPNAT) for NAT journals or DSPJRN JRN(QIPFILTER) for IP filter journals.


Chapter 9. Troubleshooting NAT and IP filtering

This section provides some troubleshooting advice for IP packet security problems.
• AS/400 communications trace capability allows you to see all datagram traffic for a specified interface. Use the Start Communications Trace (STRCMNTRC) and Print Communications Trace (PRTCMNTRC) commands to collect and print the information.
• NAT and IP filtering rule order determines how your rules are processed. They are processed in the order in which they appear in the file. If the order is not correct, the packets will not be processed as you intend. This will leave your system vulnerable to attack. Place your filter set names in the FILTER_INTERFACE statement in the exact same order in which the sets are physically defined in the file.
  Note: It is easiest to place all filter rules in one set to avoid problems with set order.
  Review the Creating IP filter rules section of this topic for more help on writing correct filter rules. Remember the processing order shown in the table below.

    Inbound traffic process    Outbound traffic process
    1. NAT rules               1. IP filter rules
    2. IP filter rules         2. NAT rules

• Removing all rules is the best way to reset your system and clear out errors. On the AS/400, issue the following command: RMVTCPTBL (Remove TCP/IP Table). If you lock yourself out of the Operations Navigator application, you can also use this command to go back and repair any rules.
  Note: In V4R4 and V4R5, the Remove TCP/IP Table command also starts the VPN servers.
• Allowing IP datagram forwarding in your TCP/IP configuration on the AS/400 is essential. Use the CHGTCPA (Change TCP/IP Attributes) command to verify that IP datagram forwarding is set to YES.
• Verifying default return routes makes sure that the address that you map to or hide behind is correct. This address must be routable on the return route back to the AS/400 and pass through the correct line to be untranslated by NAT.
  Note: If your AS/400 has more than one network, or line, connected to it, you should be especially careful about routing inbound traffic. Inbound traffic is handled on any line that it enters on, which may not be the correct line waiting to untranslate it.
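To show what the processing order in the table above means for how filter rules must be written, the following Python script is an added illustration, not code from the manual or from the AS/400 product. It models one static mapping of a private host to a public address (constructed documentation addresses) and a simplified permit list keyed by direction, host and port; the mapping table and the permit set are hypothetical structures, not the .i3p syntax. Because NAT runs before the filter inbound and after the filter outbound, the filter sees the private address in both directions, so a filter written against the public address never matches.

```python
"""Inbound: NAT then filter. Outbound: filter then NAT.

Added illustration, not code from the IBM manual or the AS/400 product.
A single static map (private host <-> public address) and a permit list
stand in for the real NAT and filter rules.
"""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Set, Tuple

# Constructed static map: internal host 10.1.1.5 is reachable as 192.0.2.10.
MAP_PRIVATE_TO_PUBLIC: Dict[str, str] = {"10.1.1.5": "192.0.2.10"}
MAP_PUBLIC_TO_PRIVATE = {pub: priv for priv, pub in MAP_PRIVATE_TO_PUBLIC.items()}

# Permit entries are (direction, local host the rule names, destination port).
# Inbound entries name the destination host; outbound entries name the source host.
PermitSet = Set[Tuple[str, str, int]]


@dataclass(frozen=True)
class Packet:
    direction: str   # "INBOUND" or "OUTBOUND"
    src: str
    dst: str
    dst_port: int


def nat_inbound(pkt: Packet) -> Packet:
    """Untranslate a public destination address to the mapped private host."""
    return replace(pkt, dst=MAP_PUBLIC_TO_PRIVATE.get(pkt.dst, pkt.dst))


def nat_outbound(pkt: Packet) -> Packet:
    """Translate a private source address to its public address."""
    return replace(pkt, src=MAP_PRIVATE_TO_PUBLIC.get(pkt.src, pkt.src))


def filter_permits(permits: PermitSet, pkt: Packet) -> bool:
    """Filter decision on the packet exactly as it reaches the filter stage."""
    local_host = pkt.dst if pkt.direction == "INBOUND" else pkt.src
    return (pkt.direction, local_host, pkt.dst_port) in permits


def process(permits: PermitSet, pkt: Packet) -> Tuple[str, Optional[Packet]]:
    """Apply the manual's processing order. Returns (verdict, packet as it
    leaves the stack) or (verdict, None) when the filter denies it."""
    if pkt.direction == "INBOUND":
        pkt = nat_inbound(pkt)                  # 1. NAT rules
        if not filter_permits(permits, pkt):    # 2. IP filter rules
            return "DENY", None
        return "PERMIT", pkt
    if not filter_permits(permits, pkt):        # 1. IP filter rules
        return "DENY", None
    return "PERMIT", nat_outbound(pkt)          # 2. NAT rules


# Constructed traffic: a web request from the Internet to the public address,
# and an outbound HTTPS connection from the private host.
WEB_IN = Packet("INBOUND", "192.0.2.44", "192.0.2.10", 80)
HTTPS_OUT = Packet("OUTBOUND", "10.1.1.5", "198.51.100.7", 443)

# Filter written against the public address: the filter never sees that address.
PERMITS_PUBLIC: PermitSet = {("INBOUND", "192.0.2.10", 80),
                             ("OUTBOUND", "192.0.2.10", 443)}
# Filter written against the private address: what the filter actually sees.
PERMITS_PRIVATE: PermitSet = {("INBOUND", "10.1.1.5", 80),
                              ("OUTBOUND", "10.1.1.5", 443)}

if __name__ == "__main__":
    for label, permits in (("public-address rules", PERMITS_PUBLIC),
                           ("private-address rules", PERMITS_PRIVATE)):
        print(label, process(permits, WEB_IN), process(permits, HTTPS_OUT))
```

With the public-address permit list both packets are denied even though the administrator "allowed" them; with the private-address list the web request is permitted after its destination has been untranslated to 10.1.1.5, and the outbound connection is permitted and then leaves with source 192.0.2.10. The same reasoning applies to a hide rule: the filter stage works on the addresses behind the NAT.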


Chapter 10. Other information about IP packet security (filtering and NAT)

If you need more information about IP packet security (filtering and NAT), please refer to the following sources:
• IBM SecureWay: AS/400 and the Internet
• TCP/IP Configuration and Reference, SC41-5420
• AS/400 Internet Security: IBM Firewall for AS/400, SG24-2162
• TCP/IP Tutorial and Technical Overview, GG24-3376-05
• TCP/IP Technical Reference

