
Getting Started with IBM Firewall for AS/400, Version 4

IBM


ii Getting Started with IBM Firewall for AS/400


Contents

Chapter 1. Getting started with IBM Firewall for AS/400 . . . . . 1
  About firewalls . . . . . 1
    Firewall components . . . . . 2
    How a firewall works . . . . . 2
    What a firewall can do to protect your network . . . . . 2
    What a firewall cannot do to protect your network . . . . . 3
  Understanding Internet security issues . . . . . 3
    Trusted networks . . . . . 4
    Security policies . . . . . 4
    Security services . . . . . 4
    Network security objectives . . . . . 5
    Network security considerations . . . . . 5
    Types of Internet attacks . . . . . 6
    Firewall security principles . . . . . 7
  Understanding TCP/IP, networking, and the Internet . . . . . 8
    TCP/IP addressing and structure . . . . . 8
    How masks affect Internet Protocol (IP) addressing . . . . . 11
    Understanding subnets . . . . . 12
  IBM Firewall for AS/400 features . . . . . 15
  IBM Firewall for AS/400 components . . . . . 17
    IBM Firewall for AS/400 Internet Protocol (IP) packet filtering component . . . . . 17
    IBM Firewall for AS/400 network address translation (NAT) component . . . . . 28
    IBM Firewall for AS/400 proxy server component . . . . . 29
    IBM Firewall for AS/400 SOCKS server component . . . . . 31
    IBM Firewall for AS/400 mail relay service . . . . . 34
    IBM Firewall for AS/400 split domain name services (DNS) component . . . . . 35
    IBM Firewall for AS/400 audit and event reporting services . . . . . 38
    IBM Firewall for AS/400 virtual private network (VPN) component . . . . . 38
  Firewall configurations . . . . . 39
    Dual-homed gateway firewall . . . . . 39
    Screened host firewall . . . . . 41

Chapter 2. Planning your firewall installation and configuration . . . . . 43
  IBM Firewall for AS/400 installation requirements . . . . . 43
    IBM Firewall for AS/400 software requirements . . . . . 43
    IBM Firewall for AS/400 hardware requirements . . . . . 44
    IBM Firewall for AS/400 user profile requirements . . . . . 45
    Secure Sockets Layer (SSL) considerations for IBM Firewall for AS/400 . . . . . 45
  Positioning your public server in relation to your firewall . . . . . 46
    Placing a public server in front of the firewall . . . . . 46
    Placing a public server behind the firewall . . . . . 49
  Firewall and network configurations: Example scenarios . . . . . 52
    Example scenario: Public server in front of the firewall . . . . . 52
    Example scenario: Public server in front of the firewall with secure side subnets . . . . . 53
    Example scenario: Public server behind the firewall . . . . . 54
  IBM Firewall for AS/400 planning worksheets . . . . . 55

Chapter 3. Installing and configuring your firewall . . . . . 61
  Firewall basic configuration: Scenario overview . . . . . 61
    Firewall basic configuration: Scenario objectives . . . . . 61
    Firewall basic configuration: Scenario network configuration . . . . . 62
    Firewall basic configuration: Scenario advantages . . . . . 63
    Firewall basic configuration: Scenario disadvantages . . . . . 64
  Firewall basic configuration: Reviewing your planning worksheets . . . . . 64
  Verifying firewall hardware, software, and configuration prerequisites . . . . . 70
    Recording the resource name of the Integrated PC Server . . . . . 70
    Verifying the memory available on your Integrated PC Server . . . . . 71
    Verifying the installation of firewall prerequisite licensed programs . . . . . 71
    Verifying that the latest program temporary fixes (PTFs) are applied . . . . . 72
    Verifying the basic TCP/IP interface configuration on the firewall home AS/400 system . . . . . 73
    Verifying that the IBM HTTP Server is started . . . . . 74
    Verifying the firewall administration workstation HOSTS table entries . . . . . 75
    Verifying that the Web browser supports JavaScript . . . . . 75
  Installing IBM Firewall for AS/400 . . . . . 75
    Completing the firewall installation worksheet . . . . . 76
    Installing the firewall from the AS/400 Tasks browser interface . . . . . 77
  Preparing for Basic configuration of your firewall . . . . . 79
    Stopping the firewall . . . . . 79
    Varying off the firewall network server description (NWSD) . . . . . 80
    Adding a TCP/IP routing entry to the firewall network server description (NWSD) . . . . . 80
    Adding the firewall domain name server to the firewall NWSD . . . . . 82
    Updating the secure mail server host table . . . . . 82
    Routing outbound mail to the firewall . . . . . 83
  Starting the firewall . . . . . 84
    Varying on the firewall network server description . . . . . 85
    Verify that the firewall network server description is ready . . . . . 85
    Starting the firewall application . . . . . 85
    Verifying the status of the firewall objects and jobs . . . . . 86
  Performing firewall Basic configuration . . . . . 87
    Completing the configuration planning worksheet . . . . . 87
    Configuring the firewall from the AS/400 Tasks browser interface . . . . . 89
    Adding the secure mail server to the firewall domain name server . . . . . 90
  Configuring your clients to access Internet services through the firewall . . . . . 92
    Configuring client domain name services (DNS) to use the firewall domain name server . . . . . 92
    Configuring the client Web browser to use the firewall proxy or SOCKS server . . . . . 92

Chapter 4. Configuring your clients to use the firewall for Internet access . . . . . 95
  Configuring a client to use the firewall . . . . . 95
    Verifying that a Windows 95 client can identify the client LAN adapter . . . . . 95
    Verifying TCP/IP configuration for a Client PC . . . . . 96
    Configuring domain name services (DNS) for a firewall client on the secure network . . . . . 97
    Configuring a firewall client to use a gateway . . . . . 99
    Testing the firewall client configuration . . . . . 99
    Configuring a client Web browser to use SOCKS or proxy servers . . . . . 100
  Adding SOCKS support to firewall clients . . . . . 103
  Configuring SOCKS support for AS/400 . . . . . 103
    Defining the network to which the AS/400 system is connected directly . . . . . 104
    Defining which network the AS/400 client must use SOCKS to access . . . . . 104
    Defining a domain name server for the SOCKS server . . . . . 105
    Testing Your AS/400 SOCKS Configuration . . . . . 106

© Copyright IBM Corp. 1998


Chapter 1. Getting started with IBM Firewall for AS/400

Because a firewall represents a substantial portion of your network security policy, you must understand exactly what a firewall is and what a firewall can do for you. Each firewall product uses different sets of security features. To understand what a firewall can do to protect your network, review these topics:

v About firewalls

v Understanding Internet security issues

When you connect your network to the Internet, you must use TCP/IP and ensure that your network is configured properly. You can prevent many firewall installation and configuration problems by making sure that you configure TCP/IP properly. Consequently, you should review the topic Understanding TCP/IP, networking, and the Internet before you start planning your firewall installation.

To understand what IBM Firewall for AS/400 can do to protect your network, review these topics:

v IBM Firewall for AS/400 features

v IBM Firewall for AS/400 components

v Firewall configurations

To learn how to get your firewall up and running, review these topics:

v Planning your firewall installation and configuration.

v Installing and configuring your firewall.

v Configuring your clients to use the firewall for Internet access.

About firewalls

A firewall is a blockade between a secure internal network and an untrusted network such as the Internet. Most companies use a firewall to connect an internal network safely to the Internet. You can also use a firewall to secure one internal network from another on an intranet.

A firewall provides a controlled single point of contact (called a chokepoint) between your secure internal network and the untrusted network. The firewall:

v Lets users in your internal network use authorized resources that are located on the outside network.

v Prevents unauthorized users on the outside network from using resources on your internal network.

When you use a firewall as your gateway to the Internet (or other network), you reduce the risk to your internal network considerably. Using a firewall also makes administering network security easier because firewall functions carry out most of your security policy.

To better understand what a firewall does and how you can use one to protect your network, review these topics:

v Firewall components.

v How a firewall works.

v What a firewall can do to protect your network.

v What a firewall cannot do to protect your network.


Firewall components

A firewall is a collection of hardware and software that, when used together, prevents unauthorized access to a portion of a network.

A firewall consists of the following components:

v Hardware. Firewall hardware usually consists of a separate computer dedicated to running the firewall software functions.

v Software. Firewall software can consist of some or all of these applications:

– Packet filters

– Proxy servers

– SOCKS servers

– Network address translation (NAT) services

– Logging and monitoring software

– Virtual private network (VPN) services

How a firewall works

To understand how a firewall works, imagine that your network is a building to which you want to control access. Your building has a lobby as the only entry point. In this lobby, you have receptionists to welcome visitors, security guards to watch visitors, video cameras to record visitor actions, and badge readers to authenticate visitors who enter the building.

These measures may work well to control access to your building. But, if an unauthorized person succeeds in entering your building, you have no way to protect the building against this intruder's actions. If you monitor the intruder's movements, however, you have a chance to detect any suspicious activity from the intruder.

When you define your firewall strategy, you may think it is sufficient to prohibit everything that presents a risk for the organization and allow everything else. However, because computer criminals constantly create new attack methods, you must anticipate ways to prevent these attacks. As in the example of the building, you also need to monitor for signs that, somehow, someone has breached your defenses. Generally, it is much more damaging and costly to recover from a break-in than to prevent one.

In the case of a firewall, your best strategy is to permit only those applications that you have tested and have confidence in. If you follow this strategy, you must exhaustively define the list of services you must run on your firewall. You can characterize each service by the direction of the connection (from inside to outside, or outside to inside). You should also list the users that you will authorize to use each service and the machines that can issue a connection for it.

What a firewall can do to protect your network

You install a firewall between your network and your connection point to the Internet (or other untrusted network). The firewall then allows you to limit the points of entry into your network. A firewall provides a single point of contact (called a chokepoint) between your network and the Internet (see Figure 1 on page 3). Because you have a single point of contact, you have more control over which traffic to allow into and out of your network.


A firewall appears as a single address to the public. The firewall provides access to the untrusted network through proxy or SOCKS servers or network address translation (NAT) while hiding your internal network addresses. Consequently, the firewall maintains the privacy of your internal network. Keeping information about your network private is one way in which the firewall makes an impersonation attack (spoofing) less likely.

A firewall allows you to control traffic into and out of your network to minimize the risk of attack to your network. A firewall securely filters all traffic that enters your network so that only specific types of traffic for specific destinations can enter. This minimizes the risk that someone could use TELNET or file transfer protocol (FTP) to gain access to your internal systems.

What a firewall cannot do to protect your network

While a firewall provides a tremendous amount of protection from certain kinds of attack, a firewall is only part of your total security solution. For instance, a firewall cannot necessarily protect data that you send over the Internet through applications such as SMTP mail, FTP, and TELNET. Unless you choose to encrypt this data, anyone on the Internet can access it as it travels to its destination.

Figure 1. A firewall controls traffic between your secure network and the Internet

Understanding Internet security issues

When connecting to an untrusted network, you must ensure that your security policy provides you with the best protection possible. A firewall certainly represents a large portion of your total security solution. However, because a firewall is only the first line of defense for your network, you must ensure that your security policy provides additional coverage.

To ensure that your firewall provides the protection that you need, review these security concepts:

v Trusted networks

v Security policies

v Security services

v Network security objectives

v Network security considerations

v Types of Internet attacks

v Firewall security principles

Trusted networks

Any network over which you have control of the security policies is a trusted network. In a trusted network, you (or your organization) can physically configure and audit the computers to ensure that your organization's security policy is implemented and enforced.

Any network over which you do not have this level of control should be considered an untrusted network. You (or your organization) cannot verify the security practices of any other network. Therefore, you must assume that the other network is not secure and treat traffic from it accordingly. Otherwise, you add a level of risk to your own network operations. If someone compromises the other network's security, your own network is vulnerable. You have no way of auditing that system to ensure its integrity. You also have no way of protecting yourself if someone on that system attempts to attack your network.

Security policies

A security policy is a written document that defines the security controls that you institute for your computer systems. A security policy also describes the risks that you intend these controls to minimize. Additionally, a security policy defines what actions should be taken if someone breaches your security controls.

The most important rule that your security policy should express is: Anything that is not explicitly permitted should, by default, be denied. In other words, actions that you do not specifically allow should be automatically disallowed. This ensures that new types of attacks are unlikely to get past your defenses, even though you may have no knowledge of them and have nothing in your security controls to defend specifically against them.

A security policy contains rules such as who can have access to certain services or which services can be run from a given computer. The policy also contains information about what processes and controls you have instituted to enforce these rules. If you connect to the Internet, your security policy should stipulate that you install and use a firewall to control access to and from the Internet.

Once you create a security policy, you must ensure that it is put into effect. This may involve establishing more restrictive password rules, installing and running virus protection software, holding classes to educate users on security rules, and so on.
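The following Python program is an added example and is not part of the IBM manual. It shows, in working code, the two ideas from "How a firewall works" and "Security policies": each permitted service is described by its connection direction, protocol, destination port and the machines allowed to use it, and any traffic that matches no rule is denied by default. The secure network 10.1.0.0/16, the mail server address 10.1.5.10 and the sample traffic are constructed for the example and are not drawn from the manual.

```python
# Added example, not code from the IBM manual: a minimal evaluator for the
# "deny unless explicitly permitted" policy rule. A rule names the
# connection direction, protocol, destination port and the internal hosts
# permitted to use the service; traffic matching no rule is denied.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Tuple


@dataclass(frozen=True)
class Rule:
    direction: str            # "outbound" (inside to outside) or "inbound"
    protocol: str             # "tcp" or "udp"
    dst_port: int
    sources: Tuple[str, ...]  # CIDR networks whose hosts may use the service
    description: str


@dataclass(frozen=True)
class Packet:
    direction: str
    protocol: str
    src: str                  # source IP address
    dst_port: int


# Constructed policy for a hypothetical secure network 10.1.0.0/16 with an
# internal mail server at 10.1.5.10 (assumptions, not from the manual).
POLICY = (
    Rule("outbound", "tcp", 80, ("10.1.0.0/16",), "HTTP for every internal client"),
    Rule("outbound", "tcp", 25, ("10.1.5.10/32",), "SMTP only from the internal mail server"),
    Rule("inbound", "tcp", 25, ("0.0.0.0/0",), "SMTP from any Internet host to the mail relay"),
)


def evaluate(packet: Packet, policy: Tuple[Rule, ...] = POLICY) -> Tuple[bool, str]:
    """Return (permitted, reason). Anything no rule permits is denied."""
    src = ip_address(packet.src)
    for rule in policy:
        if (rule.direction == packet.direction
                and rule.protocol == packet.protocol
                and rule.dst_port == packet.dst_port
                and any(src in ip_network(net) for net in rule.sources)):
            return True, f"permit: {rule.description}"
    # Default deny: a service nobody listed never matches, so a new kind of
    # traffic is rejected even though no rule was written against it.
    return False, "deny: no rule explicitly permits this traffic"


if __name__ == "__main__":
    # Constructed traffic sample.
    for pkt in (
        Packet("outbound", "tcp", "10.1.7.3", 80),     # browsing: permitted
        Packet("outbound", "tcp", "10.1.7.3", 25),     # workstation mailing directly: denied
        Packet("inbound", "tcp", "198.51.100.7", 23),  # TELNET from the Internet: denied
        Packet("outbound", "udp", "10.1.7.3", 53),     # DNS not listed: denied by default
    ):
        print(pkt, evaluate(pkt)[1])
```

Note that the policy never contains a "deny" rule: the denial is the fall-through, which is why an unlisted service such as UDP port 53 in the sample is rejected without anyone having anticipated it.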

Security services

The National Institute of Standards and Technology (NIST) defines five major security services. While a firewall provides security for your network, a firewall does not generally provide coverage for all of these NIST security services. To completely protect your network, your security policy should address each of these as well:


Authentication
    Assurance that the resource at the other end of the session is really what it claims to be.

Access control
    Assurance that the resource requesting access to data or a service has authorization to access the requested data or service.

Integrity
    Assurance that the information that arrives is the same as the information that was sent.

Confidentiality
    Assurance that sensitive information is not visible to an eavesdropper. (Encryption is the best way to ensure confidentiality.)

Nonrepudiation
    Assurance that a transaction can be proved to have taken place (also called accountability).

Firewalls cannot provide all of these security services. Therefore, you should ensure that you have additional security functions to provide these security services for your network.

Network security objectives

Although the network security objectives that you develop depend on your particular situation, there are some general objectives you should consider:

v Protect your resources:

– Your Internet servers

– Your internal network, workstations, and systems

– Your data

– Your company image

v Provide your customers with safe Internet transactions. Ensure that the following conditions are in place:

– Communicating parties can identify each other (authentication).

– Unintended parties cannot read information exchanged between parties (confidentiality).

– Unauthorized parties cannot alter data (integrity).

– Participating parties cannot repudiate transactions (accountability).

Your security policy should describe how you will fulfill these objectives.

Network security considerations

Whenever you create a security policy, you must balance providing services against controlling access to functions and data. With networked computers, security is more difficult because the communication channel itself is open to attack. Although there are several types of Internet attacks, you can characterize such attacks in two ways:

Passive attacks
    These attacks involve someone tapping or tracing communications and are difficult to detect. Sniffing is an example of a passive attack. You should assume that someone is eavesdropping on every communication that you send across the Internet or any other untrusted network.

Active attacks
    These attacks involve someone trying to break into or take over your computer. Spoofing is an example of an active attack. You may be certain that no one has compromised your own machines. However, you cannot be certain about the machines at the other end of the connection. Realistically, you must extend your circle of trust to some of those machines or not use the Internet at all.

It may seem that once you start thinking about computer security, you can reach a point where nothing seems safe anymore. Is this justifiable? After all, we do not (usually) worry about people tapping our telephone conversations or reading our mail. We happily send credit card numbers, private messages, gossip, and scandal when using those media. The difference with the Internet is that the carrier is not a regulated, well-defined entity. In fact, you have no idea through whose computers your message passes on the way to its destination.

Types of Internet attacks

There are several kinds of passive or active attacks of which you should be aware. These are among the most common:

v Sniffing

v Internet Protocol (IP) spoofing

v Denial of service

Sniffing

Computer criminals (crackers) use a technique called sniffing to acquire information that they can use to break into your systems. Sniffing programs can "overhear" critical unencrypted data that passes over the Internet, such as user IDs and passwords. A cracker can take the captured information and use it to gain access to your network.

To protect your network from sniffing attacks, take these security measures:

v Use your firewall filtering rules to control which information (packets) comes into your network. The filter rules can check that packets from external hosts cannot pass through the firewall.

v Use a firewall to translate the internal host names and addresses of any outgoing traffic to the name and address of the firewall. This hides such critical information from outside users and sniffing programs.

v Educate your users about the risk of using their internal passwords and user IDs to access external hosts. If they do so, attackers could capture this information from the external hosts and use it if they successfully break into your system. State in your security policy that they must use different user IDs and passwords on external untrusted systems.

Internet Protocol (IP) spoofing

Generally, when you set up a network, you assume that you can trust any given host on that network. Consequently, a network host does not usually require authentication from other hosts on the same network that communicate with it. When you eliminate authentication between hosts, you provide easier and faster communications within the network. However, you should require authentication from hosts outside your network. You cannot assume that you can trust these hosts to be who they say they are.

In an Internet Protocol (IP) spoofing attack, an untrusted external host impersonates a trusted known host on your network. This impersonation allows the host to bypass your security controls to connect to your network. The impersonation is successful because the external host uses an IP address of a known host on your network. Because the external host uses an internal network address, other hosts on the network can communicate with it without requiring authentication.

To prevent IP spoofing, take these security measures:

v Avoid using IP addresses as a means of authenticating a source communication. This ensures that a "correct" IP address alone is not sufficient to gain access to your resources.

v Require a password or more secure authentication to access a host, regardless of the origin of the request for access.

v Use encrypted authentication methods.

v Use a firewall to ensure that the originator of a connection is not using IP source forwarding to impersonate another system. This helps ensure that a requesting host's identity is authentic.

v Use your firewall to conceal all your internal network IP addresses from outsiders. Typically, a firewall uses a single IP address for all outbound transactions, regardless of the internal IP address of the user. The firewall routes the inbound traffic to the correct internal host.

The security measures that you use to defend against IP spoofing depend on several factors. These factors include your analysis of the risk your network faces from this type of attack, the amount of money you are willing to spend, and the amount of convenience you are willing to trade for better security.
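The following Python program is an added example and is not part of the IBM manual. It shows the check a firewall can make against the impersonation described above: a packet that arrives on the untrusted-side interface while claiming a source address from the secure network cannot be genuine, because a real internal host would have arrived on the secure-side interface. The reverse case (an internal host sending with a foreign source address) is flagged as well. The secure network 10.1.0.0/16, the interface names and the sample observations are constructed for the example.

```python
# Added example, not code from the IBM manual: a direction-aware
# anti-spoofing check. The firewall knows which interface a packet arrived
# on, so a source address from the secure network seen on the untrusted
# interface is an impersonation attempt and should be dropped and logged.
from ipaddress import ip_address, ip_network
from typing import List, Tuple

# Constructed topology: the secure side of the firewall is 10.1.0.0/16
# (an assumption for this example, not an address from the manual).
SECURE_NETWORKS = (ip_network("10.1.0.0/16"),)


def is_secure_address(addr: str) -> bool:
    """True if addr belongs to one of the secure-side networks."""
    a = ip_address(addr)
    return any(a in net for net in SECURE_NETWORKS)


def check_source(interface: str, src: str) -> str:
    """Classify a packet by where it arrived and what source it claims.

    interface is "untrusted" (Internet-facing) or "secure" (internal LAN).
    Returns "ok", "spoofed-internal" or "spoofed-external".
    """
    internal = is_secure_address(src)
    if interface == "untrusted" and internal:
        return "spoofed-internal"   # outside host claiming an inside address
    if interface == "secure" and not internal:
        return "spoofed-external"   # inside host sending with a foreign address
    return "ok"


# Constructed sample of (arrival interface, claimed source address) pairs.
SAMPLE = [
    ("untrusted", "198.51.100.23"),  # ordinary Internet host: ok
    ("untrusted", "10.1.4.9"),       # internal address from outside: spoofed
    ("secure", "10.1.4.9"),          # the same host seen where it belongs: ok
    ("secure", "203.0.113.5"),       # foreign source leaving the LAN: spoofed
]


def audit(records=SAMPLE) -> List[Tuple[str, str, str]]:
    """Return the observations that fail the check, with their verdicts."""
    alerts = []
    for iface, src in records:
        verdict = check_source(iface, src)
        if verdict != "ok":
            alerts.append((iface, src, verdict))
    return alerts


if __name__ == "__main__":
    for iface, src, verdict in audit():
        print(f"{iface:9s} src={src:15s} {verdict}")
```

The check relies only on the interface the packet arrived on, which the spoofing host cannot influence, rather than on the address it claims, which it chooses freely.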

Denial of service

A denial of service occurs when an attack brings down one or more hosts on your network such that the host is unable to perform its functions properly. This type of attack can affect entire networks.

Although it is difficult to predict the form that a denial of service may take, the following examples illustrate how such an attack can affect your network:

v A rogue packet enters your network and interferes with normal operations because it cannot be processed appropriately.

v Traffic flooding (such as a large number of bogus mail messages) overtaxes your mail server's processing capabilities, stopping further network traffic.

v A router is attacked and disabled, thereby partitioning your network.

v A virus is introduced that ties up significant amounts of processing resources.

v Devices meant to protect the network, such as the firewall or a router, are subverted.

Firewall security principles

You should follow these principles when you set up a firewall:


v Develop a written network security policy and follow it. The firewall can implement many aspects of your security policy and become a part of a network security solution.

v Make sure that the only connection to the Internet (or other untrusted network) is through the firewall. Be sure you include any dial-up connections. The firewall should provide a chokepoint, forcing all traffic to and from the Internet to flow through the firewall. Any traffic that bypasses the firewall increases the risks to your network substantially.

v Allow only those activities that you expressly permit. For example, permit only the TCP/IP services that you need (such as HTTP and e-mail) rather than permit all TCP/IP services. This limits the number of security exposures that you must monitor and take precautions against.

v Keep it simple. Configuration errors are a major source of security holes. The firewall should have limited security policy information to keep its configuration as simple as possible.

v Do not allow any direct TCP/IP connections between applications on internal systems and servers on the Internet (or other untrusted network). A direct connection allows the server to learn information about the client system. The server can try to trick the client into performing an inappropriate action by sending certain responses.

v Never trust information from untrusted systems. The routing table update that you receive from a neighboring router may redirect your network traffic to an unintended destination. Be aware that another system can impersonate a secure system.

While these principles are good in theory, as with all security policies, they should be tempered with reality. In some cases, such as when you use a production system to run a public Web server for e-commerce, you should place the public server behind the firewall to protect it and the data it contains. You can carefully open a hole in the firewall to allow any necessary traffic to flow between the Web server and the Internet.

Understanding TCP/IP, networking, and the Internet

The Internet uses TCP/IP as its only communications protocol. Therefore, if you connect to the Internet, you must use TCP/IP for your connection. To successfully work with TCP/IP, you must have a basic understanding of what TCP/IP is, how it works, and how it affects your network. For some basic background information about TCP/IP and the network structure, review these topics:

v TCP/IP addressing and structure

v How masks affect IP addressing

v Understanding subnets

TCP/IP addressing and structure

You must understand the structure and addressing system that TCP/IP uses. This knowledge is essential in order to successfully set up TCP/IP networks, define filter rules for firewalls, and follow packet routing through the network. To learn more about TCP/IP addressing, review these basic explanations of key terms and concepts:

v TCP/IP

v Hosts


v Understanding the Internet Protocol (IP) address format

v IP address classes

v IP addresses reserved for private Internet (intranet) use

Transmission Control Protocol/Internet Protocol (TCP/IP)

Transmission Control Protocol/Internet Protocol (TCP/IP) is a set of network protocols that connects networks. TCP/IP allows computers to share resources and exchange information across a network. TCP/IP allows hosts to communicate with each other regardless of the host or user's physical location, the operating system, or the network medium. TCP/IP operates in many different network environments, including the Internet and corporate internets (intranets).

Transmission Control Protocol (TCP) provides host-to-host transmission. TCP takes a stream of data and breaks it into segments. It sends each segment individually by using Internet Protocol (IP) and then reassembles the segments into the original stream. If the transmission loses or damages any segments, TCP detects this and re-sends the segments.

IP routes data from its source to its destination. IP is responsible for routing packets from one host to another host. The other host can be on the same network or on another network.

Hosts

In Internet terms, a host is any system or adapter connected to a network. The term does not imply any particular type of system. A host can be a client, a server, or both, depending on the applications that you run on the system.

A dual-homed or multi-homed host is a system that has more than one connection into the network. A two-port Integrated PC Server is an example of a dual-homed host.

Understanding the Internet Protocol (IP) address format

The Internet Protocol (IP) uses a 32-bit, two-part logical address field. The 32 bits consist of four octets (eight bits per octet). One part of the logical address is for the network address and the other is for the host address. You define each part of the address to TCP/IP by using a 32-bit binary mask that you apply to the address. The network portion of the address is indicated in the mask by placing a "1" in each bit of the mask that represents the network portion. The host portion of the address is indicated in the mask by placing a "0" in each bit of the mask that represents the host portion. The following table uses a mask to illustrate which portion of an IP address is for the host versus the network in an unsubnetted Class C address.

Table 1. Internet address structure

                      Network portion               Host portion
32-bit address        11010000 11011110 10010110    00001011
  (dotted decimal)         208.     222.     150.         11
Mask                  11111111 11111111 11111111    00000000
  (dotted decimal)         255.     255.     255.          0

The network portion of the address should be contiguous, starting at the left side of the address and moving to the right. The network mask is "anded" with the IP address to generate the network address. The address and the mask are written in dotted decimal format; each portion of the decimal format allows a maximum value of 255. You can derive the decimal format by converting each octet to its decimal value. If the IP address is 208.222.150.11, for example, the network address part of the address is 208.222.150.0, and the host part of the address is 11.

The host portion of the address cannot be all "1"s or all "0"s. TCP/IP reserves these two values for its own use. The full IP address of 208.222.150.11 is commonly referred to as the address of the system (although the address actually describes the host interface). While this works with a simple system, multi-homed systems must have multiple addresses because they have multiple interfaces.

Internet Protocol (IP) address classes

Three classes of Internet Protocol (IP) addresses are in common use today: ClassA, B, and C. The address class determines how many hosts can exist on anetwork. You can use the value of the first octet to determine the class of network.The possible values for the first octet are:

v Class A (Address range 0 - 127):

– 127 networks with up to 16,777,216 hosts each.

– Intended for use with a large number of hosts.

– Network mask is 255.0.0.0.

v Class B (Address range 128 - 191):

– 16,384 networks with up to 65,536 hosts each.

– Intended for use with a moderate number of hosts.

– Network mask is 255.255.0.0.

v Class C (Address range 192 - 223):

– 2,097,152 networks with up to 254 hosts each (0 and 255 are reserved).

– Intended for use with a smaller number of hosts.

– Network mask is 255.255.255.0.

– Most common address type issued by an Internet Service Provider (ISP).

v Class D and E (Address range 224 - 255):

– The Internet Assigned Numbers Authority (IANA) has reserved these classesfor future use.

Internet Protocol (IP) addresses reserved for private Internet (intranet) use

The Internet Assigned Numbers Authority (IANA) reserves three blocks of theInternet Protocol (IP) address space for private intranets. The following table showswhich address blocks IANA reserves.

Table 2. Addresses reserved for private Internet (intranet) use

  Class of Network   Start of Address Block   End of Address Block
  A                  10.0.0.0                 10.255.255.255
  B                  172.16.0.0               172.31.255.255
  C                  192.168.0.0              192.168.255.255

Although these addresses cannot route through the Internet, you can use them foryour internal network. Refer to RFC 1918 for more details about Internetrecommendations for private addresses.


How masks affect Internet Protocol (IP) addressing

A mask is a pattern or template that you apply to an Internet Protocol (IP) address to specify which bits are significant and which bits are irrelevant. When you apply a mask to an IP address, you perform a bitwise "and" operation. You then use the product of the operation to perform some type of test. You can use masks in TCP/IP to define networks, to route packets, and to write filter rules. In TCP/IP, a mask consists of 32 bits (four octets). To make it easier to read, you write the mask in dotted decimal format (for example, 255.255.255.240). In the mask, a "1" (one) bit defines the significant positions and a "0" (zero) bit defines the irrelevant positions.

Masks usually specify a range; however, you can use a mask of all ones to specifya single value. By specifying a range, you can apply a single rule, network interfacedefinition, or routing entry to many individual host addresses. When you createfewer entries to define one of these items, you are less likely to introduce errors.

When you add a TCP/IP address to an interface, you also specify a subnet mask.TCP/IP applies the subnet mask to the address and calculates the range ofaddresses that are local to this adapter. When TCP/IP has packets for one of theselocal addresses, it tries to communicate directly with the interface assigned to theaddress by using the local link. If TCP/IP cannot establish the connection, TCP/IPchecks the routing table to look for another route to the address.

To define a route, you enter the destination address, subnet mask, and the next hop address. TCP/IP applies the subnet mask to the destination address. TCP/IP then calculates the range of addresses that can be reached through this next hop. When TCP/IP has packets for one of these addresses, it forwards the packet to the system (usually a router) at the next hop address. The next hop system either delivers the packet to a local host or forwards the packet to yet another hop. Or, the system may generate a non-delivered message because the packet cannot be forwarded due to bad routing information. If you want a specific address to be routed to a specific next hop, specify the host address and a subnet mask of 255.255.255.255 (all "1"s). This means that this route applies only to the one specific host address.

When you write filter rules, you may specify a mask to apply to the "from" address and a mask to apply to the "to" address. The firewall applies these masks to the source and destination addresses in the packet. The firewall then compares the result to the from address and to address value in the filter rule. This allows you to write a single rule that applies to a large number of hosts. If you want the rule to apply to a single host, use the value 255.255.255.255 (all "1"s) in the appropriate mask field.

To better understand the effect that applying a mask has on an IP address, see Example: Performing an "AND" operation on an address and mask.

Example: Performing an "AND" operation on an address and mask

You perform an "AND" operation when you apply Boolean algebra to the binary representation of both the Internet Protocol (IP) address and the mask. The rules of an "AND" state that, if both digits are a "1" (one), then one is the product. If either digit is a "0" (zero), then zero is the product. In the following example (see Figure 2), you perform an "AND" on the address 208.222.150.11 with the mask 255.255.255.240. This operation results in an address of 208.222.150.0. In this mask, the four right-most bits are not significant (they have a value of zero).

Therefore, 208.222.150.0 is the result when you apply the mask to every address between 208.222.150.0 and 208.222.150.15. When you reach 208.222.150.16, the last octet of the address is 00010000. When you complete the "AND" operation with the mask for the address, the result is 208.222.150.16. When you apply the mask to any addresses in the range 208.222.150.16 through 208.222.150.31, the result is a value of 208.222.150.16.
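The following Python example is added here and is not part of the IBM manual. It carries the mask arithmetic of Table 1 and the "AND" example through in code: it converts dotted-decimal values to 32-bit integers, ANDs an address with a mask to obtain the network address and host portion, shows that every address from 208.222.150.0 through 208.222.150.15 yields the same network address under the mask 255.255.255.240, checks the reserved all-"0" and all-"1" host values and the rule that mask bits must be contiguous, and uses the same operation to test an address against the private blocks of Table 2. The function names are this example's own, and the mask 255.240.0.0 for the class B private block is derived here from the table's range (the manual gives the range, not a mask).

```python
# Added example, not from the IBM manual: the AND operation between an IPv4
# address and a mask, and the checks that follow from it.


def to_int(dotted: str) -> int:
    """Convert dotted-decimal notation to a 32-bit integer."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a valid IPv4 address: {dotted!r}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def to_dotted(value: int) -> str:
    """Convert a 32-bit integer back to dotted-decimal notation."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def to_binary(dotted: str) -> str:
    """Write an address or mask as four 8-bit groups, as in Table 1."""
    value = to_int(dotted)
    return " ".join(f"{(value >> shift) & 0xFF:08b}" for shift in (24, 16, 8, 0))


def is_valid_mask(mask: str) -> bool:
    """A mask must be a contiguous run of 1 bits starting at the left."""
    inverted = ~to_int(mask) & 0xFFFFFFFF        # the 0 (host) bits of the mask
    return (inverted & (inverted + 1)) == 0      # true only for a single run at the right


def network_address(address: str, mask: str) -> str:
    """AND the address with the mask; the 1 bits of the mask keep the network portion."""
    return to_dotted(to_int(address) & to_int(mask))


def host_portion(address: str, mask: str) -> int:
    """The bits of the address that lie under the 0 bits of the mask."""
    return to_int(address) & ~to_int(mask) & 0xFFFFFFFF


def address_range(address: str, mask: str) -> tuple:
    """Lowest and highest address that AND to the same network address as this one."""
    net = to_int(address) & to_int(mask)
    return to_dotted(net), to_dotted(net | (~to_int(mask) & 0xFFFFFFFF))


def is_usable_host(address: str, mask: str) -> bool:
    """TCP/IP reserves the all-0 and all-1 host portions, so neither names a host."""
    host = host_portion(address, mask)
    return host != 0 and host != (~to_int(mask) & 0xFFFFFFFF)


# The private blocks of Table 2 as network/mask pairs. The mask 255.240.0.0 for the
# class B block is derived from the range 172.16.0.0 - 172.31.255.255 (an assumption
# of this example; the manual gives the range, not the mask).
PRIVATE_BLOCKS = (
    ("10.0.0.0", "255.0.0.0"),
    ("172.16.0.0", "255.240.0.0"),
    ("192.168.0.0", "255.255.0.0"),
)


def is_private(address: str) -> bool:
    """True when the address ANDs to one of the reserved private network addresses."""
    return any(network_address(address, mask) == net for net, mask in PRIVATE_BLOCKS)


if __name__ == "__main__":
    print(to_binary("208.222.150.11"), "AND", to_binary("255.255.255.240"))
    for last in (0, 15, 16, 31):
        addr = f"208.222.150.{last}"
        print(addr, "->", network_address(addr, "255.255.255.240"))
    print("range of 208.222.150.20/255.255.255.240:", address_range("208.222.150.20", "255.255.255.240"))
    print("172.31.255.255 private:", is_private("172.31.255.255"))
```

`address_range` returns the all-"0" and all-"1" addresses of the block; `is_usable_host` rejects both, which is the check to run before assigning an address to an interface or writing a host rule against it.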

Understanding subnets

A subnet is a physical segment of a local area network (LAN). Most networks aredivided into smaller network segments by using subnets to take advantage of betteraddress distribution and better traffic distribution. You create subnets by applyingsubnet masks to the network portion of your Internet Protocol (IP) addresses.

Each subnet has a unique network address. When you subnet your network, you use routers to join the subnets to form a complete network. Each router contains information that allows it to send the network traffic to the correct subnet of the network.

When you install a firewall, you may need to subnet your network. You shouldreview these topics first:

v Why you may need to subnet your network

v Creating subnets

v Determining the number of subnets that you need in your network

Why you may need to subnet your network

A subnet is a physical segment of a local area network (LAN). There are severalreasons to subnet a network:

v You have more than one type of physical network segment installed in thenetwork.

v You expect a large number of hosts in your network, which requires splitting anetwork into smaller networks for improved network performance.

v Your network covers a large physical area. Growing distances require splitting a network into smaller networks with routers between them. This reduces collisions caused by propagation delay in a large network segment.

Figure 2. "ANDING" an Address

You assign subnet addresses to your network locally. After subnetting, your entirenetwork appears as one IP network to the outside world and your routers handlethe traffic flow in your network.

The firewall Integrated PC Server has two physical LAN adapters, as well as theAS/400 *INTERNAL attachment, which functions as an internal LAN adapter. Eachof these adapters is in a separate subnet because they are connected to differentphysical segments of the network.

Creating subnets

Your Internet service provider (ISP) provides you with a network address and anetwork mask. (In most implementations of TCP/IP, the network mask is alsoreferred to as a subnet mask.) In some cases, the ISP provides you with acomplete class C address, which allows you to have up to 254 hosts on yournetwork. In other cases, the ISP provides you with a portion of a class C networkaddress. The ISP also provides you with a subnet mask.

Before you can subnet your network, you must determine the following values:

1. How many subnets you need in your network.

2. What your current subnet mask is.

3. What your current network address is.

Determining the number of subnets you need in your network

To create subnets for your network, you must first determine how many subnets youneed. You can use the table below to help you make this determination. Thenumber of subnets that you need is based on the number of hosts that you have ina subnet.

To create subnets for your network, follow these steps:

1. Determine how many subnets you need for your desired network configuration.

2. Use the table to determine the number of subnets (a power of two) that is required to obtain the number of subnets that you need.

If the number of subnets you need is not a power of two, you must round up thenumber to the next power of two. You must round up because the mask thatyou apply to the address is binary. For example, if you determine that you needtwo subnets, then the final number of subnets that you need is two. If youdetermine that you need three subnets, then the final number of subnets thatyou need is four (the next power of two).

3. Use the table to determine the values that you need to create a subnet mask.

4. Apply the subnet mask to your Internet Protocol (IP) address range.

Applying a subnet mask allows you to create the specific subnet addresses thatyou need.

5. Use the table to determine the decimal value of the last octet in each subnet.

6. Use the table to determine the number of hosts that you can have in eachsubnet.


Table 3. Possible subnet masks and values

  Power  Number of  Last Octet of  Last Octet of  Last Octet of Network          Hosts per Segment
  of 2   Subnets    Subnet Mask    Subnet Mask    Values (n.n.n.X)               in a Class C
         Required   (Binary)       (Decimal)                                     Network
  0      1          00000000       0              0                              254
  1      2          10000000       128            0,128                          126
  2      4          11000000       192            0,64,128,192                   62
  3      8          11100000       224            0,32,64,96,128,160,192,224     30
  4      16         11110000       240            0,16,32,...240 (step by 16)    14
  5      32         11111000       248            0,8,16,24,...248 (step by 8)   6
  6      64         11111100       252            0,4,8,12,...252 (step by 4)    2
  7      128        11111110       254            Not valid for class C subnet   0
  8      255        11111111       255            This is a host address         N/A

For examples of how to subnet a network, review the topic Example: Furthersubnetting an already subnetted network.

Example: Further subnetting an already subnetted network: In this example,you have a network address that is already a subnet itself. You examine yourconfiguration and determine that you need two subnets. You need one subnet forthe non-secure port of the firewall and one for the public-secure network in whichyour public server resides.

The Internet service provider (ISP) gave you part of a class C address. Thisnetwork address is 208.222.150.248 with a subnet mask of 255.255.255.248. Thismeans that you have six host addresses available. You need one of these for theISP router, which leaves you with five to distribute.

Table 4. Possible subnet masks and values (this table repeats Table 3 and is not shown again)


Based on the information in the preceding table, you need to add another "1" to the current mask as shown in the next table.

Table 5. Splitting an existing subnet

  Convert the existing mask to binary          255.255.255.248                      ->  11111111 11111111 11111111 11111000
  Change the first zero in the mask to a one   11111111 11111111 11111111 11111000  ->  11111111 11111111 11111111 11111100
  Convert the mask back to decimal             11111111 11111111 11111111 11111100  ->  255.255.255.252

To do this, you must:

1. Convert the existing mask to binary.

2. Change the first zero in the mask to a one.

3. Convert the mask back to decimal.

The results of the conversion operation provide two sets of addresses. You can use one set of addresses on the perimeter (non-secure) network. You can use the other set of addresses for the *INTERNAL port of the Integrated PC Server. The hosts in the first subnet have addresses of 208.222.150.249 and 208.222.150.250. The hosts in the other subnet have addresses of 208.222.150.253 and 208.222.150.254. If you need more than two systems on the perimeter network, this solution will not work. You must obtain a larger range of addresses from your ISP.
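The following Python example is added here and is not part of the IBM manual. It implements the six subnetting steps and the Table 5 conversion: it rounds the requested number of subnets up to the next power of two, adds that many "1" bits to the existing mask, and lists each resulting subnet with its usable host addresses, reproducing the 208.222.150.248 / 255.255.255.248 case above. `mask_table_row` generates the rows of Table 3 for a class C network, and `usable_hosts` gives the six addresses the text counts for the original block. The function names and the dictionary layout are this example's own.

```python
# Added example, not from the IBM manual: deriving a new subnet mask from the
# number of subnets needed, and splitting an address block accordingly.


def to_int(dotted: str) -> int:
    """Dotted-decimal IPv4 address or mask to a 32-bit integer."""
    a, b, c, d = (int(o) for o in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def to_dotted(value: int) -> str:
    """32-bit integer back to dotted-decimal notation."""
    return ".".join(str((value >> s) & 0xFF) for s in (24, 16, 8, 0))


def mask_bits(mask: str) -> int:
    """Number of 1 bits in a mask (255.255.255.248 -> 29)."""
    return bin(to_int(mask)).count("1")


def usable_hosts(mask: str) -> int:
    """Host addresses available under a mask, less the reserved all-0 and all-1 values."""
    return (1 << (32 - mask_bits(mask))) - 2


def bits_for_subnets(wanted: int) -> int:
    """Extra mask bits for `wanted` subnets, rounding up to the next power of two (3 -> 4 -> 2 bits)."""
    if wanted < 1:
        raise ValueError("at least one subnet is required")
    return (wanted - 1).bit_length()


def mask_table_row(power: int) -> dict:
    """One row of Table 3 for a class C network (powers 0-7; eight 1 bits is a host address)."""
    if not 0 <= power <= 7:
        raise ValueError("power must be between 0 and 7")
    last_octet = (0xFF << (8 - power)) & 0xFF
    step = 256 >> power                       # addresses in each subnet
    return {
        "subnets": 1 << power,
        "mask_binary": f"{last_octet:08b}",
        "mask_decimal": last_octet,
        "network_values": list(range(0, 256, step)),
        "hosts_per_segment": step - 2,        # 0 means the row is not valid for hosts
    }


def split_block(network: str, mask: str, wanted_subnets: int) -> dict:
    """Steps 1-6 of the text: the new mask, and each subnet with its usable host addresses."""
    extra = bits_for_subnets(wanted_subnets)
    new_bits = mask_bits(mask) + extra
    if new_bits > 30:
        raise ValueError("each subnet needs at least two host addresses; obtain a larger block")
    new_mask = (0xFFFFFFFF << (32 - new_bits)) & 0xFFFFFFFF
    size = 1 << (32 - new_bits)               # addresses in each new subnet
    base = to_int(network) & to_int(mask)
    subnets = []
    for i in range(1 << extra):
        net = base + i * size
        subnets.append({
            "network": to_dotted(net),
            "hosts": [to_dotted(a) for a in range(net + 1, net + size - 1)],
            "reserved_all_ones": to_dotted(net + size - 1),
        })
    return {"mask": to_dotted(new_mask), "subnets": subnets}


if __name__ == "__main__":
    # The case from the text: part of a class C network, split in two.
    print("hosts in the original block:", usable_hosts("255.255.255.248"))
    result = split_block("208.222.150.248", "255.255.255.248", 2)
    print("new mask:", result["mask"])
    for s in result["subnets"]:
        print(s["network"], "hosts:", ", ".join(s["hosts"]))
```

The `new_bits > 30` check is the condition the text describes at the end of the example: once a subnet has fewer than two usable host addresses the split is not valid and a larger block is needed from the ISP.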

IBM Firewall for AS/400 features

IBM Firewall for AS/400 is an application gateway firewall and a circuit gatewayfirewall. You can use one or both types of functions. The firewall product provides anumber of technologies that you can use to protect your internal network, including:

v Internet Protocol (IP) packet filtering for TCP, UDP, and ICMP packets

v Network address translation (NAT) services

v SOCKS server

v Proxy server for HTTP, HTTPS, FTP, and Gopher for Web browsers

v TELNET proxy

v Mail relay

v Split domain name services (DNS)

v Logging

v Real-time monitoring

v Virtual private network (VPN) services

IBM Firewall for AS/400 consolidates security administration to enforce I/T securitypolicy and minimize the opportunity for security configuration errors. The firewallprovides privacy by preventing outsiders from accessing network informationthrough the Internet. You can log traffic to and from the Internet, which allows you tomonitor network use and misuse. Firewall configuration is flexible, which enablessupport for various security policies. The administrator decides which services thefirewall should permit and which the firewall should block.


The IBM Firewall for AS/400 software guides the administrator through the basicinstallation and configuration of the firewall. The software that the firewall usesresides on a read-only disk. This eliminates the possibility of virus introduction ormodification of programs that perform communication security functions.

The main processor and firewall communicate over an internal system bus that isnot subject to sniffing programs on local area networks. You can set the firewall toissue notifications to the AS/400 system operator (QSYSOPR) when apre-configured condition on the firewall occurs. The main processor can disable thefirewall when it detects tampering, regardless of the state of the firewall.

You can administer the firewall through a Web browser on the internal (secure)network. You can use the Secure Sockets Layer (SSL) for session encryption toprotect the administration session. The software authenticates the administrator withOS/400 security support so that you need not require separate user IDs andpasswords.

You should install the IBM Firewall for AS/400 on a two-port Integrated PC Server.Configure one port of the Integrated PC Server to connect the firewall to yourinternal secure network. Configure the other port to connect the firewall to theInternet or other untrusted network. The firewall can distinguish which network(trusted or untrusted) sent an Internet protocol (IP) packet. The firewall can alsodistinguish which port is the appropriate port for the originating packets on eachnetwork. Consequently, the firewall is not susceptible to spoofing attacks in whichuntrusted hosts try to masquerade as trusted ones.

The AS/400 system operator (QSYSOPR message queue) receives notificationswhen important firewall events occur, such as attempted intrusions. The systemsends all high severity error messages (Type = Alert) immediately. The systemsends lower severity messages (Type = Error, Warning, Information, or Debug)when they reach a user-defined threshold. If the system detects an error conditionthat may result from tampering (such as the logging function ends), all firewallfunctions are set to end immediately.

Installing the firewall on an Integrated PC Server separates the processor that youuse for application programs from the processor that you use for security programs.This separation eliminates the possibility of the programs interfering with each other.Compromised security programs that are running on the firewall cannot directlyaffect the AS/400 main processor in functionality or performance. In addition, theIBM OS/400 TCP/IP protocol stack is completely independent of the TCP/IP stackon the Integrated PC Server.

The firewall also has separate storage, which prevents attackers from accessingAS/400 data. This storage is on a read-only disk to eliminate the possibility of virusintroduction or modification of programs that perform communication securityfunctions.

You can use the firewall proxy or SOCKS servers or network address translation(NAT) to provide internal users with safe access to services on the Internet. Theproxy and SOCKS servers break TCP/IP connections at the firewall to hide internalinformation from the untrusted network. The servers also provide additional loggingcapabilities. You can use NAT to provide Internet users with easy access to a publicserver behind the firewall. The firewall still protects your network because NAThides your internal IP addresses.


The firewall also protects internal information by using two DNS servers, one thatyou provide on the internal network and one on the firewall. The firewall nameserver contains names visible to the untrusted network only, such as an externalWeb server. The firewall name server resolves outside names in response torequests from the internal name server. Your internal name server contains only thenames of the internal network. Your internal name server forwards requests that itcannot resolve to the firewall name server. The firewall DNS server does notprovide name serving functions for the internal network. You are not required tohave an internal DNS server to successfully implement a firewall. However, havingone makes client configuration easier because you do not have to maintain hosttables on each system. OS/400 includes DNS support, which you should use foryour internal network.

The firewall protects your internal mail server from attack by providing a mail relayfunction. The mail relay function passes mail between an external mail server onthe firewall and an internal one. The firewall translates addresses of outgoing mailto the public address of the firewall secure port. This translation hides any internalinformation from the untrusted network.

The firewall also provides virtual private network (VPN) technology so that you canset up encrypted sessions between your firewall and other compatible firewalls.

IBM Firewall for AS/400 components

A firewall consists of a set of software components, each of which providesparticular security features for your network. Which components you use dependson your security needs. These components work together to provide your networktraffic security controls. Because they are interdependent, each component workswith and affects the other components. Review these topics to get the details thatyou need to work with firewall components and common firewall configurations:

v Internet Protocol (IP) packet filtering for TCP, UDP, and ICMP packets

v Network address translation (NAT) services

v Proxy server for HTTP, HTTPS, FTP, and Gopher for Web browsers

v Proxy server for TELNET (not through a Web browser)

v SOCKS server

v Mail relay service

v Split Domain Name Services (DNS)

v Audit and event reporting services

v Virtual private network (VPN) services

IBM Firewall for AS/400 Internet Protocol (IP) packet filtering component

Internet Protocol (IP) packet filtering is the core protection mechanism of a firewall. Packet filters are sets of rules that limit IP packet flow into or out of a secure network (see Figure 3). As the firewall administrator, you define policies that determine which packets the firewall should permit or deny access into your network. You can then use the firewall administration facility to institute these policies as filter rules that your firewall can use. If there is no matching rule, the firewall has a built-in default rule to deny the packet access and discard the packet. You can have your firewall use any of the following packet data to filter packets:

v Source IP address


v Destination IP address

v Protocol (TCP, UDP, and ICMP)

v Acknowledge (ACK) flag

v Source port

v Destination port

v Direction (inbound, outbound, or both)

v Network interface (secure port, non-secure port, or both)

v Whether the packet is a fragment

The dynamic packet filtering technology of the firewall supports RealAudio.However, you must use network address translation (NAT) to allow RealAudiopackets to cross the firewall.

You can designate the firewall to log information about the packets it processes.Log records allow you to analyze traffic that flows into and out of your network, aswell as traffic that the firewall denies.

Packet filtering is the foundation of a firewall. All other firewall capabilities dependon the packet filtering function. You must have a thorough understanding of whatfilter rules are and how they work. With this knowledge, you can ensure that yourfirewall filter rules control traffic into and out of your secure network properly. Thesearticles describe basic IP packet characteristics and how filter rules control the flowof packets:

v Internet Protocol (IP) filtering and routers

v Internet Protocol (IP)

v Types of Internet Protocol (IP) communications protocols

v Internet Protocol (IP) forwarding

v Well-known ports

v Understanding firewall filter syntax

Figure 3. Packet filters control traffic between your network and the untrusted network


Internet protocol (IP) filtering and routers

Although routers can often filter packets, they do not usually provide a loggingfacility. Without logging, you cannot trace information related to a breach in security,such as where and how the breach occurred.

In addition to this limitation, router manufacturers do not use a common set ofstandards for functions. Consequently, routers from different manufacturers providedifferent functionality. Some routers provide facilities to prevent Internet Protocol (IP)spoofing and some do not. Some routers can allow access for some clientapplications (TELNET) but not others (FTP). Routers also do not use a standardsyntax for filter rules. You must learn the syntax specific to each router in yournetwork to create filter rules for the routers.

Most routers allow you to filter packets based on at least the following headerinformation:

v Source IP address

v Destination IP address

v Direction of flow (inbound, outbound, or both)

Internet Protocol (IP)

The Internet Protocol (IP) suite is the primary means of organizing communicationson the Internet. IP functions include:

v Defining the datagram (basic unit of transmission, also called a packet)

v Defining the Internet addressing scheme

v Routing datagrams to remote hosts

v Fragmenting and reassembling packets

v Moving data between the network access layer and the host-to-host transportlayer

IP information is carried in IP packets. Each packet contains a header withidentifying information about the packet. Your firewall can filter IP packets based onthe header information. To understand what the IP header contains, see the topic“Understanding Internet protocol (IP) packets”.

Understanding Internet protocol (IP) packets: An Internet protocol (IP) packetconsists of a formatted header and the payload data. The header consists of fieldsthat contain identifying data about the packet. The table below illustrates the IPpacket structure. The payload contains the actual information that is transmitted.The payload data may include an additional header that provides session levelprotocol information (for example, TCP, UDP, and so forth).

Table 6. Internet protocol (IP) packet structure (each row is 32 bits; field widths in bits)

  Version (4) | Length (4) | Type of service (8) | Total length (16)
  Identification (16)                            | Flags (3) | Fragment offset (13)
  Time to live (8)         | Protocol (8)        | Header checksum (16)
  Source IP address (32)
  Destination IP address (32)
  Options (variable) | Padding
  Data


The important fields for filtering purposes are these:

v Source address

v Destination address

v Fragmentation indicator

v Protocol ID

The firewall uses the source and destination address together with the protocol IDto define which packets may access which service.

Different types of networks support different sizes of packets. Consequently, arouter sometimes must break a large packet into fragments to pass it from onenetwork to another. The firewall or receiving router must be aware of thefragmentation. This awareness is necessary because only the first fragmentcontains the identifying header information for higher layer protocols, such as UDPand TCP. Later fragments can override header fields, such as the source anddestination address. The packet fragmentation indicator tells the firewall how tohandle fragmented packets. Attackers can use the weaknesses inherent infragmentation as a way to infiltrate a network. Therefore, consider configuring thefirewall to allow only non-fragmented packets. Refer to RFC 1858, SecurityConsiderations for IP Fragment Filtering, for more information.

Types of Internet Protocol (IP) communications protocols

The Internet Protocol (IP) suite consists of several lower-level communicationsprotocols:

v Internet Control Message Protocol (ICMP)

v Transmission Control Protocol (TCP)

v User Datagram Protocol (UDP)

An extension to IP, called IP security architecture (IPSec), provides securityprotocols for the TCP/IP network layer. IPSec is an industry (non-IBM) standard. Ifyou plan to use your firewall to create a virtual private network (VPN) betweenfirewalls, you should be familiar with these IPSec protocols:

v Encapsulating Security Payload (ESP) protocol

v Authentication Header (AH) protocol

Internet Control Message Protocol (ICMP): The Internet Control MessageProtocol (ICMP) communicates errors and other information between hosts. ThePING application makes use of the ICMP echo and echo reply functions to providean easy way to discover whether an address can be reached in the network. ICMPis also used by network components such as routers to pass control informationbetween them. ICMP provides information about transport problems, such aswhether a host can be reached or the sender is sending packets too fast.

The ICMP message consists of three control fields and the message data:

v The Type field describes what type of message is contained in the ICMPdatagram.

v The Code field contains the error code reported by the message.

v The Checksum field is generated based upon the entire contents of the ICMPmessage.

v The message data contains the details of the message. In the case of a redirectmessage (Type = 5), the message data contains the address of a new router touse.


Table 7. Internet control message protocol (ICMP) message format (field widths in bits)

  Type (8) | Code (8) | Checksum (16)
  ICMP data (depending on the type of message)

ICMP messages often provide a means for an attacker to access your network.Consequently, you should prevent most ICMP messages from entering your securenetwork. For example, an attacker can use PING, with its ability to use ICMPmessages, to discover addresses in your secure network. Or, an attacker could usereroute messages in an attempt to capture your data by rerouting your networktraffic to an untrusted network.

For more information about these and other ICMP functions, see RFC 1700.

Transmission Control Protocol (TCP): Transmission Control Protocol (TCP) isthe main transport layer protocol of the Internet Protocol (IP) suite. Most IPapplications, such as FTP, HTTP, TELNET and SMTP, use TCP for a reliableend-to-end connection. TCP takes care of retransmission, duplicate or lost packets,and reordering of packets. For filtering purposes, the important TCP headerinformation is as follows:

v Source port

v Destination port

v Acknowledge (ACK) flag

TCP information is carried in TCP packets. Each packet contains a header withidentifying information about the packet. Your firewall can use the headerinformation to filter TCP packets. To understand what the TCP header contains, seethe topic “Understanding Transmission Control Protocol (TCP) packets”.

Understanding Transmission Control Protocol (TCP) packets: Transmission ControlProtocol (TCP) is a reliable, connection-oriented protocol, which establishes alogical end-to-end connection between two hosts. TCP verifies that data is deliveredacross the network accurately and in the proper sequence. TCP verifies that apacket arrived at the remote host. If it does not, TCP retransmits the packet. A TCPpacket consists of a formatted header and the application data. The fields in theheader contain identifying data about the packet as illustrated in the following table.The TCP packet is included in the data portion of the Internet Protocol (IP) packet.

Table 8. Transmission control protocol (TCP) packet structure (each row is 32 bits; field widths in bits)

  Source port (16)                           | Destination port (16)
  Sequence number (32)
  Acknowledgment number (32)
  Offset (4) | Reserved (6) | Flags (6)      | Window (16)
  Checksum (16)                              | Urgent pointer (16)
  Options (variable) | Padding
  Data

A TCP connection is uniquely defined by:

v Source address from the IP portion of the packet

v Source port from the TCP portion of the packet

v Destination address from the IP portion of the packet

v Destination port from the TCP portion of the packet
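The following Python example is added here and is not part of the IBM manual. It decodes the header fields of Table 6 and Table 8 from raw bytes, which is what a filter has to do before it can test addresses, protocol, ports, the ACK flag, or the fragment indicator. The packet it parses is constructed inline with `struct` (a TCP segment with only the SYN flag set, from 208.222.150.11 to the constructed address 10.1.1.5, checksums left at zero); it is not captured traffic. `connection_tuple` returns the four values listed above that uniquely define a TCP connection, and refuses a fragment whose offset is not zero because only the first fragment carries the TCP header. Names and dictionary keys are this example's own.

```python
# Added example, not from the IBM manual: decoding IPv4 (Table 6) and TCP (Table 8)
# headers from a constructed packet.
import struct

IP_HEADER = "!BBHHHBBH4s4s"     # version/IHL, TOS, total length, id, flags+offset, TTL, protocol, checksum, src, dst
TCP_HEADER = "!HHIIBBHHH"       # src port, dst port, seq, ack, offset/reserved, flags, window, checksum, urgent
TCP_FLAG_NAMES = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}


def build_sample_packet() -> bytes:
    """Constructed sample: IPv4 carrying a TCP SYN from 208.222.150.11:40000 to 10.1.1.5:25.
    Checksums are left at zero; this is illustrative data, not a captured packet."""
    tcp = struct.pack(TCP_HEADER, 40000, 25, 1000, 0, 5 << 4, 0x02, 8192, 0, 0)
    src, dst = bytes([208, 222, 150, 11]), bytes([10, 1, 1, 5])
    ip = struct.pack(IP_HEADER, 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0, src, dst)
    return ip + tcp


def parse_ipv4_header(packet: bytes) -> dict:
    """Decode the Table 6 fields; the fragment fields decide whether higher-layer headers are present."""
    if len(packet) < 20:
        raise ValueError("truncated IP header")
    (ver_ihl, tos, total_length, ident, flags_frag,
     ttl, proto, checksum, src, dst) = struct.unpack(IP_HEADER, packet[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4:
        raise ValueError(f"not an IPv4 packet (version {version})")
    if ihl < 20 or ihl > len(packet) or total_length < ihl:
        raise ValueError("inconsistent IP header length")
    flags, fragment_offset = flags_frag >> 13, (flags_frag & 0x1FFF) * 8
    return {
        "version": version, "header_length": ihl, "type_of_service": tos,
        "total_length": total_length, "identification": ident,
        "dont_fragment": bool(flags & 0x2), "more_fragments": bool(flags & 0x1),
        "fragment_offset": fragment_offset,
        "is_fragment": bool(flags & 0x1) or fragment_offset != 0,
        "ttl": ttl, "protocol": proto, "header_checksum": checksum,
        "source": ".".join(map(str, src)), "destination": ".".join(map(str, dst)),
        "options": packet[20:ihl],
        "payload": packet[ihl:min(total_length, len(packet))],
    }


def parse_tcp_header(segment: bytes) -> dict:
    """Decode the Table 8 fields from the start of the IP payload."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    (sport, dport, seq, ack, offset_res,
     flags, window, checksum, urgent) = struct.unpack(TCP_HEADER, segment[:20])
    data_offset = (offset_res >> 4) * 4
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("inconsistent TCP header length")
    return {
        "source_port": sport, "destination_port": dport,
        "sequence": seq, "acknowledgment": ack, "header_length": data_offset,
        "flags": sorted(name for bit, name in TCP_FLAG_NAMES.items() if flags & bit),
        "ack_flag": bool(flags & 0x10), "window": window,
        "checksum": checksum, "urgent_pointer": urgent,
        "options": segment[20:data_offset], "data": segment[data_offset:],
    }


def connection_tuple(packet: bytes) -> tuple:
    """The four values that uniquely define a TCP connection (IP addresses plus TCP ports)."""
    ip = parse_ipv4_header(packet)
    if ip["protocol"] != 6:
        raise ValueError("not a TCP packet")
    if ip["fragment_offset"] != 0:
        raise ValueError("only the first fragment carries the TCP header")
    tcp = parse_tcp_header(ip["payload"])
    return ip["source"], tcp["source_port"], ip["destination"], tcp["destination_port"]


if __name__ == "__main__":
    pkt = build_sample_packet()
    ip = parse_ipv4_header(pkt)
    tcp = parse_tcp_header(ip["payload"])
    print("protocol", ip["protocol"], "fragment:", ip["is_fragment"], "flags:", tcp["flags"])
    print("connection:", connection_tuple(pkt))
```

A filter that ignores the fragment offset and reads ports from a later fragment would be reading payload bytes, not a TCP header; the check in `connection_tuple` is the reason the fragment indicator is among the fields the text lists for filtering.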


TCP uses the sequence number and the acknowledgment number (ACK) to keep track of which bytes have been sent and which have been received. The acknowledgment segment performs two functions: positive acknowledgment and flow control.

The acknowledgment tells the sender how much data has been received and how much more the receiver can accept.

TCP is also responsible for delivering the data received from IP to the correct application. A 16-bit number called the destination port number identifies the application. The first word of the segment header contains the source and destination port.

The important fields for filtering purposes are:

v Source port

v Destination port

v Acknowledgment (ACK) flag

A three-way handshake initiates a TCP session (see figure). Notice that the initial request to start a session does not contain an ACK flag. This property is useful for creating filter rules that prevent start requests from the untrusted network from entering your internal secure network.

For instance, you want to allow internal users to use port 25 to start an e-mail session with a server on the untrusted network. You also want to permit your internal users to receive responses from port 25. You can create two filter rules that allow this traffic. However, you do not want to permit start requests from port 25 to access your internal network. To block these requests, write the inbound rule with the TCP/ACK protocol so that it matches only packets that carry the ACK flag; an inbound packet from port 25 without the ACK flag then matches no permit rule and is discarded by the default deny.
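The following is an added example, not code from IBM or from this manual, showing the header fields that the ACK-flag rule above depends on. It builds the three handshake segments in memory (addresses, ports and the sample packets are constructed), decodes the IPv4 and TCP headers the way a packet filter does, and picks out the one segment that has SYN set and ACK clear, which is the start request an inbound rule should never match.

```python
import struct
from typing import NamedTuple

# Added example, not code from IBM or this manual: decode the IPv4 and TCP
# header fields the firewall filters on, and pick out the handshake segment
# that has no ACK flag. The sample packets below are constructed in memory.

SYN, ACK = 0x02, 0x10          # TCP flag bits (byte 13 of the TCP header)
IP_PROTO_TCP = 6

class TcpInfo(NamedTuple):
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    syn: bool
    ack: bool

def ip_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))

def build_packet(src_ip: str, dst_ip: str, sport: int, dport: int, flags: int) -> bytes:
    """Construct a minimal IPv4 datagram carrying a TCP header with no options.
    Checksums are left at zero; they do not matter to the filter logic shown here."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64,
                     IP_PROTO_TCP, 0, ip_bytes(src_ip), ip_bytes(dst_ip))
    return ip + tcp

def parse_ipv4_tcp(packet: bytes) -> TcpInfo:
    """Extract the Table 8 fields that matter for filtering: ports and flags."""
    ihl = (packet[0] & 0x0F) * 4                 # IPv4 header length in bytes
    if packet[9] != IP_PROTO_TCP:
        raise ValueError("not a TCP packet")
    src_ip = ".".join(str(b) for b in packet[12:16])
    dst_ip = ".".join(str(b) for b in packet[16:20])
    tcp = packet[ihl:]
    src_port, dst_port = struct.unpack("!HH", tcp[0:4])
    flags = tcp[13]
    return TcpInfo(src_ip, dst_ip, src_port, dst_port,
                   syn=bool(flags & SYN), ack=bool(flags & ACK))

def connection_id(info: TcpInfo) -> tuple:
    """The four values that uniquely identify a TCP connection."""
    return (info.src_ip, info.src_port, info.dst_ip, info.dst_port)

def is_connection_start(info: TcpInfo) -> bool:
    """Only the first handshake segment has SYN set and ACK clear."""
    return info.syn and not info.ack

# Constructed three-way handshake: internal client 10.2.1.5 opens SMTP to 192.0.2.25.
HANDSHAKE = [
    build_packet("10.2.1.5", "192.0.2.25", 40000, 25, SYN),        # 1. client SYN
    build_packet("192.0.2.25", "10.2.1.5", 25, 40000, SYN | ACK),  # 2. server SYN-ACK
    build_packet("10.2.1.5", "192.0.2.25", 40000, 25, ACK),        # 3. client ACK
]

# Constructed unsolicited start request from the untrusted side, source port 25.
INBOUND_SYN = build_packet("203.0.113.9", "10.2.1.5", 25, 40000, SYN)

def handshake_starts(packets) -> list:
    """Which segments would an ACK-required inbound rule refuse to match?"""
    return [is_connection_start(parse_ipv4_tcp(p)) for p in packets]

if __name__ == "__main__":
    for p in HANDSHAKE + [INBOUND_SYN]:
        info = parse_ipv4_tcp(p)
        print(connection_id(info),
              "start request" if is_connection_start(info) else "ACK present")
```

Only the first segment of the handshake and the unsolicited packet from the untrusted network report as start requests; the server's SYN-ACK and the final ACK both carry the ACK flag and would pass a TCP/ACK rule.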

User Datagram Protocol (UDP): User Datagram Protocol (UDP) is the other transport layer protocol of the IP suite, although Transmission Control Protocol (TCP) is used more often. Domain name services (DNS) and simple network management protocol (SNMP) use UDP.

UDP does not provide a reliable end-to-end connection. Unlike TCP, UDP does not handle retransmission of packets, duplicate or lost packets, or reordering of packets. Once a packet is sent, the sender receives no confirmation that the packet reached its destination: UDP does not provide any acknowledgment (ACK) information. Consequently, it is difficult (and sometimes impossible) for a packet filter to tell whether an inbound UDP packet is a response to a request that originated in the secure network or unsolicited traffic from the untrusted network.


Encapsulating Security Payload (ESP) protocol: The Encapsulating Security Payload (ESP) protocol is part of the Internet Protocol security architecture (IPSec). ESP provides an integrity check, authentication, and encryption for Internet Protocol (IP) datagrams. ESP allows you to select which of its services to use. The IBM Firewall for AS/400 virtual private network (VPN) component uses all three ESP services to protect your VPN traffic. This ensures that an intruder cannot forge packets in order to mount cryptanalytic attacks.

You cannot apply ESP to fragmented IP packets. However, after you apply ESP to an IP packet, intermediate routers can fragment the packet for delivery. If the destination system receives a fragmented packet, it reassembles the packet before applying ESP processing to it. If you request ESP processing for an IP packet that appears to be a fragment, the packet is discarded. These safeguards prevent the overlapping fragment attack, which exploits the fragment reassembly algorithm to create forged packets and force them through a firewall.

If a destination system receives an ESP packet that is both encrypted and authenticated, it authenticates the packet first. If authentication fails, the receiving system discards the packet without decrypting it. This two-step procedure saves computing resources and reduces the risk of a denial of service attack.

You can use ESP in one of two modes: transport mode or tunnel mode. VPNs use ESP in tunnel mode to create a new IP datagram, which contains the original IP datagram as its payload. If the firewall uses both authentication and encryption for ESP, the original packet is completely protected. However, the outer IP header of the new datagram is not protected.

In tunnel mode, the IP addresses in the outer headers do not have to be the same as the addresses in the inner headers. For example, two firewalls may operate an ESP tunnel to secure all traffic between the networks that they connect together (a VPN). Tunnel mode provides total protection of the encapsulated IP datagram and allows the firewall to route datagrams that use private IP addresses.

In the IBM Firewall for AS/400 implementation of VPNs, an unprotected outer IP header is not a problem. This is because you create VPNs between compatible firewall products only. Consequently, the outer IP header contains only the public addresses of the firewalls at each end of the connection. Your internal network information is hidden from outsiders who may attempt to sniff it from the packet header.

VPN technology often uses ESP and Authentication Header (AH) protocols jointly to provide a total security solution. IBM Firewall for AS/400 VPN services use both protocols.
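To make the tunnel-mode layout and the verify-before-decrypt rule concrete, here is an added example that is neither IBM's code nor a real IPSec implementation. The ESP header (SPI and sequence number) and the trailing integrity check value (ICV) are laid out as in ESP, but the cipher is a constructed SHA-256 keystream standing in for a real ESP transform, the ESP trailer is omitted, and the keys, addresses, SPI and sample datagram are assumed values. It shows that the outer datagram carries only the firewall addresses, that the receiver rejects a forged packet before spending any decryption work, and that fragments are refused on both sides.

```python
import hashlib
import hmac
import struct

# Added example, not IBM's code and not real IPSec: an ESP-style tunnel with
# the structure the text describes. The "cipher" is a constructed SHA-256
# keystream; what this demonstrates is the layout and the order of checks.

KEY_ENC = b"constructed-tunnel-encryption-key"       # assumed, shared by both firewalls
KEY_AUTH = b"constructed-tunnel-authentication-key"  # assumed
ESP_PROTO = 50
ICV_LEN = 12                                          # 96-bit truncated HMAC

def ip_bytes(addr):
    return bytes(int(o) for o in addr.split("."))

def build_ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (no options, checksum left zero) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, ip_bytes(src), ip_bytes(dst))
    return hdr + payload

def is_fragment(packet):
    """More-fragments flag set or non-zero fragment offset (IPv4 bytes 6-7)."""
    flags_frag = struct.unpack("!H", packet[6:8])[0]
    return bool(flags_frag & 0x2000) or (flags_frag & 0x1FFF) != 0

def keystream(key, spi, seq, length):
    """Constructed stand-in for a real ESP cipher: SHA-256 in counter mode."""
    out = b""
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + struct.pack("!IIQ", spi, seq, block)).digest()
        block += 1
    return out[:length]

def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def esp_encapsulate(inner, outer_src, outer_dst, spi, seq):
    """Tunnel mode: the whole inner datagram becomes the encrypted ESP payload."""
    if is_fragment(inner):
        raise ValueError("ESP is not applied to a fragment")
    esp_hdr = struct.pack("!II", spi, seq)
    ciphertext = xor_bytes(inner, keystream(KEY_ENC, spi, seq, len(inner)))
    # The ICV covers the ESP header and ciphertext; the outer IP header is not covered.
    icv = hmac.new(KEY_AUTH, esp_hdr + ciphertext, hashlib.sha256).digest()[:ICV_LEN]
    return build_ipv4(outer_src, outer_dst, ESP_PROTO, esp_hdr + ciphertext + icv)

def esp_decapsulate(packet):
    """Return (accepted, inner_datagram). Authenticate first, decrypt second."""
    if is_fragment(packet) or packet[9] != ESP_PROTO:
        return False, None
    ihl = (packet[0] & 0x0F) * 4
    body = packet[ihl:]
    esp_hdr, ciphertext, icv = body[:8], body[8:-ICV_LEN], body[-ICV_LEN:]
    expected = hmac.new(KEY_AUTH, esp_hdr + ciphertext, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(expected, icv):
        return False, None            # discarded without spending a decryption
    spi, seq = struct.unpack("!II", esp_hdr)
    return True, xor_bytes(ciphertext, keystream(KEY_ENC, spi, seq, len(ciphertext)))

# Constructed sample: a private-address datagram tunnelled between two firewalls.
INNER = build_ipv4("10.2.1.5", "10.9.0.7", 6, b"application data")
TUNNELLED = esp_encapsulate(INNER, "198.51.100.1", "203.0.113.1", spi=0x1001, seq=1)

def private_addresses_visible(packet):
    """Would a sniffer on the untrusted network see the inner addresses?"""
    return ip_bytes("10.2.1.5") in packet or ip_bytes("10.9.0.7") in packet

def tampered(packet):
    """Flip one ciphertext byte, as a forging attacker might."""
    b = bytearray(packet)
    b[20 + 8] ^= 0x01
    return bytes(b)
```

The tampered copy fails the ICV comparison and is dropped with no keystream generated, which is the resource-saving behaviour the text attributes to authenticate-then-decrypt; the outer header shows only 198.51.100.1 and 203.0.113.1.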

Authentication Header (AH) protocol: The Authentication Header (AH) protocol is part of the Internet Protocol security architecture (IPSec) and provides integrity and authentication for Internet Protocol (IP) datagrams. AH authenticates as much of the IP datagram as possible. The payload (data) of the IP packet is considered immutable, and AH always protects it. However, some fields in the IP header (for example, the time-to-live and the header checksum) change while in transit, and the receiver cannot predict their value. These fields are called mutable, and AH excludes them from its integrity check. To protect the information in those fields, use Encapsulating Security Payload (ESP) protocol tunneling, which carries the original header inside the protected payload.

You cannot apply AH protocol to fragmented IP packets. However, after you apply AH protocol to an IP packet, the intermediate routers can fragment the packet for delivery. If the destination system receives a fragmented packet, it reassembles the packet before applying AH processing to it. If AH processing is requested for an IP packet that appears to be a fragment, the packet is discarded. These safeguards prevent the overlapping fragment attack, which exploits the fragment reassembly algorithm to create forged packets and force them through a firewall.

You can use AH in one of two modes: transport mode or tunnel mode. Virtual private networks (VPNs) use AH in tunnel mode to create a new IP datagram, which contains the original IP datagram as its payload. In tunnel mode, the IP addresses in the outer headers do not have to be the same as the addresses in the inner headers. For example, two firewalls may operate an AH tunnel to authenticate all traffic between the networks that they connect together (a VPN). Tunnel mode provides total protection of the encapsulated IP datagram and allows the firewall to route datagrams that use private IP addresses.

VPN technology often uses Encapsulating Security Payload (ESP) and AH protocols jointly to provide a total security solution. IBM Firewall for AS/400 VPN services use both protocols.

Internet Protocol (IP) forwarding

You can use the proxy and SOCKS servers or network address translation (NAT) to allow users on your internal network to access the untrusted network. Although NAT provides better performance and is easier to maintain, NAT relies on Internet Protocol (IP) forwarding. You can also use NAT to allow users in the untrusted network to access public servers behind your firewall.

IP forwarding takes packets from the non-secure firewall port and sends them to the secure network. The firewall forwards only those packets that pass the filter rules. Virtual private networks (VPNs) also use IP forwarding. However, when you set a VPN to use authentication, the risk from IP forwarding is minimal.

Use IP forwarding with caution. When you allow IP forwarding, the firewall does not break the TCP/IP connection at the firewall. This exposes your internal network to more risk, because an attacker could exploit any hole in the filter rules to reach your internal network directly.

Well-known ports

Each Internet application (for example, TELNET) uses Internet Protocol (IP) to send communications from a client port to a well-known port on a server. Intruders often try to sneak into a secure network by checking whether they can gain access through obscure, little-used ports. Configure your Internet applications to use only their associated well-known ports, unless you use NAT to map ports. You can then create filter rules to block communications that deviate from this usage.

The following table contains a list of well-known ports for common Internet applications. For a complete list of well-known ports, refer to RFC 1700.


Table 9. Well-known ports for common Internet applications and services

Service                                     Port number / protocol
Simple mail transfer protocol (SMTP)        25/TCP
Post office protocol (POP) 3                110/TCP
TELNET                                      23/TCP
File transfer protocol (FTP) - data         20/TCP
File transfer protocol (FTP) - control      21/TCP
Domain name services (DNS)                  53/TCP or 53/UDP
Gopher                                      70/TCP
Hypertext transfer protocol (HTTP) / WWW    80/TCP
Internet relay chat (IRC)                   6660-6669/TCP (6667 is the usual port)
SOCKS                                       1080/TCP

Understanding firewall filter syntax

Your firewall protection is only as good as the filter rules that the firewall uses. To ensure that your firewall controls network traffic correctly, you must understand the syntax of the filter rules that it employs. With a thorough understanding of filter syntax, you can easily make changes to your firewall filter rules as needed.

A filter rule is a set of match conditions and an action that tell the firewall how to handle traffic going into and out of your secure network.

When a packet arrives at the firewall, the firewall compares the information in the packet to the field values specified in each filter rule, in order. When the firewall matches the packet to a rule, the matching process ends and the firewall applies the action of that rule to the packet. If there is no matching rule, the firewall has a built-in default rule to deny access and discard the packet. The IBM Firewall for AS/400 allows a maximum of 512 rule definitions.

The sections of a filter rule include:

Action: The first field of a filter rule specifies what action the firewall should take if a packet matches all the conditions of the rule. The field can have one of two values: "permit" or "deny".

The firewall applies each section of a filter rule to a packet until it determines whether the packet completely matches the rule. If the packet matches, the firewall applies the specified action to the packet. If the action is permit, the firewall routes the packet. If the action is deny, the firewall discards the packet.

From Address: This field specifies the source address of the packet.

From Mask: This field specifies which mask the firewall should apply to the source address of the packet. The firewall applies the mask as a bitwise AND, which is the same way Internet Protocol (IP) subnet address masks are applied.

The firewall considers the source address a match if the result of the mask application is equal to the desired address. By using the mask, you can write a single rule that applies to a range of addresses rather than a single address. This may reduce the number of rules required. For example, to match any address beginning with 10.2.1, specify an address of 10.2.1.0 and a mask of 255.255.255.0.

To Address: This field specifies the destination address of the packet.

To Mask: This field specifies which mask the firewall should apply to the destination address of the packet. The firewall applies the mask as a bitwise AND, which is the same way IP subnet address masks are applied.

The firewall considers the destination address a match if the result of the mask application is equal to the desired address. By using the mask, you can write a single rule that applies to a range of addresses rather than a single address. This may reduce the number of rules required. For example, to match any address beginning with 10.2.1, specify an address of 10.2.1.0 and a mask of 255.255.255.0.

Protocol: This field specifies a protocol type for the IP packet. It may have any of the following values:

v All - matches any protocol type.

v ICMP - matches Internet Control Message Protocol (ICMP) packets only.

v TCP - matches Transmission Control Protocol (TCP) packets only.

v TCP/ACK - matches only TCP packets whose ACK bit is on.

v UDP - matches User Datagram Protocol (UDP) packets only.

v ESP - matches Encapsulating Security Payload (ESP) packets only.

v AH - matches Authentication Header (AH) packets only.

If the protocol type of the packet matches the protocol specified in a deny rule, the firewall rejects the packet. This allows you to create filter rules that block packets of a specific protocol, such as all UDP traffic.

From Port Operation: This field specifies the type of logical operation the firewall should apply to the source port value or Internet Control Message Protocol (ICMP) type value of the packet. If the packet protocol is ICMP, the firewall applies the logical operation to the ICMP type value of the packet. If the protocol for the packet is anything else, the firewall applies the logical operation to the source port value of the packet.

The port operation field can have one of the following operands:

v Any

v Eq

v Gt

v Neq

v Lt

v Le

v Ge

From Port or ICMP Type: This field specifies the value of the source port number or ICMP type field for the packet. The firewall applies the operand specified in the From Port Operation to this value to determine whether the packet matches the rule.

To Port Operation: This field specifies the type of logical operation the firewall should apply to the destination port or ICMP type value of the packet. If the packet protocol is ICMP, the firewall applies the logical operation to the ICMP type value of the packet. If the protocol for the packet is anything else, the firewall applies the logical operation to the destination port value of the packet.

The port operation field can have one of these operands:

v Any

v Eq

v Gt

v Neq

v Lt

v Le

v Ge

To Port or ICMP Type: This field specifies the value of the destination port number or ICMP type field for the packet. The firewall applies the operand specified in the To Port Operation to this value to determine whether the packet matches the rule.

Interface: This field specifies the port on the Integrated PC Server to which the rule applies. There are three possible values:

v Secure port (includes the *INTERNAL port)

v Non-secure port

v Both

Routing: This field specifies whether the packet has the firewall as its destination or source (local), or whether the destination and the source are both other hosts (route). If the firewall is neither the destination nor the source, the firewall may act as a packet router and forward the packet (route). This field can have the following possible values:

v Local - coming to or from the firewall itself (proxy and SOCKS server).

v Route - going through the firewall (IP forwarding).

v Both - packet routing information is irrelevant.

Direction: This field specifies whether the packet is going into or coming out of the interface (port) specified in the Interface field. The direction is always from the perspective of the firewall. Possible values for this field are as follows:

v Inbound (to the firewall)

v Outbound (from the firewall)

v Both (direction is irrelevant)

IP Fragments: This field specifies how the firewall should handle packet fragments. Possible values for this field are as follows:

v Match all (y) - Fragmentation is not relevant to whether the packet matches the rule.

v Match fragments (o) - The packet must be a fragment to match this rule.

v Match non-fragments (n) - The packet must not be a fragment to match this rule.

Packet Logging: This field specifies whether the firewall should write a log record for the packet if the packet matches the rule. There are two possible values: yes and no.

VPN: This field specifies whether the filter rule will use virtual private network (VPN) encryption or decryption. There are two kinds of value: zero or a positive whole number. If the value is zero, the filter rule will not apply VPN encryption or decryption to the packet. If the value is a positive whole number, the number corresponds to a specific VPN configuration number. This number tells the firewall which encryption, decryption, or authentication algorithms to use.
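The following added example, which is not code from IBM or from this manual, implements the filter semantics laid out above: first-match evaluation, the built-in deny when nothing matches, mask application as a bitwise AND, the port and ICMP-type operators, the TCP/ACK pseudo-protocol, interface, routing, direction and fragment fields, and per-rule logging. The field names and value spellings follow the text; the Packet record is an assumed, already-decoded view of a packet, and the three sample packets and the SMTP rule set are constructed to reproduce the port 25 scenario from the TCP section.

```python
from dataclasses import dataclass

# Added example, not code from IBM or this manual: a first-match packet filter
# with the rule fields described in the text, run over constructed packets.

@dataclass(frozen=True)
class Packet:                    # assumed already-decoded view of a packet
    src: str
    dst: str
    protocol: str                # "tcp", "udp", "icmp", "esp" or "ah"
    src_port: int                # ICMP type when protocol == "icmp"
    dst_port: int
    ack: bool = False            # TCP ACK flag
    interface: str = "non-secure"
    routing: str = "route"       # "local" or "route"
    direction: str = "inbound"   # "inbound" or "outbound"
    fragment: bool = False

@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    from_addr: str
    from_mask: str
    to_addr: str
    to_mask: str
    protocol: str                # "all", "icmp", "tcp", "tcp/ack", "udp", "esp", "ah"
    from_op: str
    from_port: int
    to_op: str
    to_port: int
    interface: str               # "secure", "non-secure" or "both"
    routing: str                 # "local", "route" or "both"
    direction: str               # "inbound", "outbound" or "both"
    fragments: str = "y"         # "y" match all, "o" fragments only, "n" non-fragments only
    log: bool = False

OPS = {
    "any": lambda value, n: True,
    "eq": lambda value, n: value == n,
    "neq": lambda value, n: value != n,
    "gt": lambda value, n: value > n,
    "lt": lambda value, n: value < n,
    "ge": lambda value, n: value >= n,
    "le": lambda value, n: value <= n,
}

def ip_to_int(addr: str) -> int:
    a, b, c, d = (int(o) for o in addr.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def addr_matches(addr: str, rule_addr: str, mask: str) -> bool:
    m = ip_to_int(mask)          # bitwise AND, exactly as a subnet mask is applied
    return ip_to_int(addr) & m == ip_to_int(rule_addr) & m

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    proto_ok = (rule.protocol == "all"
                or (rule.protocol == "tcp/ack" and pkt.protocol == "tcp" and pkt.ack)
                or rule.protocol == pkt.protocol)
    return (proto_ok
            and addr_matches(pkt.src, rule.from_addr, rule.from_mask)
            and addr_matches(pkt.dst, rule.to_addr, rule.to_mask)
            and OPS[rule.from_op](pkt.src_port, rule.from_port)
            and OPS[rule.to_op](pkt.dst_port, rule.to_port)
            and rule.interface in ("both", pkt.interface)
            and rule.routing in ("both", pkt.routing)
            and rule.direction in ("both", pkt.direction)
            and (rule.fragments == "y" or (rule.fragments == "o") == pkt.fragment))

def filter_packet(rules, pkt: Packet, log: list = None) -> str:
    """First matching rule decides; no match falls through to the built-in deny."""
    for number, rule in enumerate(rules, start=1):
        if rule_matches(rule, pkt):
            if rule.log and log is not None:
                log.append((number, rule.action, pkt.src, pkt.dst, pkt.dst_port))
            return rule.action
    return "deny"

# Constructed SMTP policy from the text: 10.2.1.0/24 may open port 25 outward and
# receive replies from port 25, but no start request from port 25 gets in.
SMTP_RULES = [
    Rule("permit", "10.2.1.0", "255.255.255.0", "0.0.0.0", "0.0.0.0", "tcp",
         "gt", 1023, "eq", 25, "non-secure", "route", "outbound"),
    Rule("permit", "0.0.0.0", "0.0.0.0", "10.2.1.0", "255.255.255.0", "tcp/ack",
         "eq", 25, "gt", 1023, "non-secure", "route", "inbound"),
    Rule("deny", "0.0.0.0", "0.0.0.0", "0.0.0.0", "0.0.0.0", "all",
         "any", 0, "any", 0, "both", "both", "both", log=True),
]

def smtp_decisions(rules=SMTP_RULES) -> tuple:
    """Verdicts for a request, its reply, and a forged start request; plus the log."""
    log = []
    request = Packet("10.2.1.5", "192.0.2.25", "tcp", 40000, 25, direction="outbound")
    reply = Packet("192.0.2.25", "10.2.1.5", "tcp", 25, 40000, ack=True)
    probe = Packet("203.0.113.9", "10.2.1.5", "tcp", 25, 40000)   # SYN without ACK
    return [filter_packet(rules, p, log) for p in (request, reply, probe)], log
```

Address 0.0.0.0 with mask 0.0.0.0 matches every address, which is how the "any" rules are written. Running smtp_decisions with only the two permit rules gives the same verdicts but an empty log, because the probe then falls through to the built-in deny rather than to the logged explicit one.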

IBM Firewall for AS/400 network address translation (NAT) component

IBM Firewall for AS/400 network address translation (NAT) services allow you to hide internal network information, such as Internet Protocol (IP) addresses, from the untrusted network. For example, you can use NAT to hide the IP address of a public server on the secure side of the firewall. You can use NAT to dynamically translate secure client IP addresses to a reserved pool of registered IP addresses for communicating with the untrusted network. This is sometimes referred to as masquerading. NAT also allows you to use private IP addresses on your internal network rather than publicly registered ones.

During firewall Basic configuration, if you specify that a particular service use proxy or SOCKS, you should not specify that the service also use NAT.

NAT advantages

NAT is more efficient than the SOCKS or proxy servers. Because NAT uses fewer computing resources, your firewall may have better performance.

NAT also supports a much wider range of services than the proxy server.

Your internal clients do not have to provide support for proxy or SOCKS. Because some types of clients do not provide this support, using NAT allows you to support Internet access for a wider range of clients.

If you want to put your public server behind the firewall, NAT allows you to do so safely and easily. During Basic configuration, the firewall application automatically uses NAT to configure HTTP and HTTPS access through the firewall to the public server. The firewall can then protect your server while translating the internal address to a reserved, publicly registered IP address. Outsiders see only the public address. If you use NAT port mapping, you can use the non-secure firewall IP address as the publicly registered address for your public server.

Note: If you use port mapping, the port that you map to must not already be in use on the firewall. For example, if the firewall's HTTP proxy server listens on port 80, you must map HTTP traffic to the public server to a port other than 80.

NAT disadvantages


When you use NAT to provide local users with access to services on the Internet, you must have a pool of public addresses to use for translation purposes. When you use SOCKS and proxy servers, however, you need only one public address for the firewall non-secure port.

NAT is also not as adept as either the SOCKS or proxy servers at detecting attacks. NAT does not provide logging services of its own; the firewall logs only the traffic that matches filter rules whose log field value is yes.

Additionally, NAT requires that you permit IP forwarding, which opens a hole in your firewall. Using IP forwarding can increase your internal network's security risk.
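An added example, not code from IBM or this manual, of the two translations described above as the table a firewall would keep: dynamic masquerading of internal clients onto a reserved pool of public addresses (and what happens when the pool runs out, the disadvantage noted above), and a static port mapping that publishes an internal web server on the firewall's own non-secure address while refusing a port the firewall already uses. All addresses, the pool, the port numbers and the "ports in use" set are constructed values.

```python
# Added example, not code from IBM or this manual. Addresses, pool and ports
# are constructed; the ports-in-use check models the note that a mapped port
# must not already be in use on the firewall.

class Nat:
    def __init__(self, public_pool, firewall_public_ip, ports_in_use=()):
        self.free = list(public_pool)          # reserved pool of registered addresses
        self.out_map = {}                      # internal address -> pool address
        self.in_map = {}                       # pool address -> internal address
        self.firewall_ip = firewall_public_ip  # non-secure port address, usable for port mapping
        self.ports_in_use = set(ports_in_use)  # ports the firewall's own servers (proxy, SOCKS) use
        self.port_maps = {}                    # (public address, port) -> (internal address, port)

    def map_port(self, public_port, internal_ip, internal_port):
        """Static port mapping for a public server behind the firewall."""
        key = (self.firewall_ip, public_port)
        if public_port in self.ports_in_use or key in self.port_maps:
            raise ValueError("port %d is already in use on the firewall" % public_port)
        self.port_maps[key] = (internal_ip, internal_port)

    def outbound(self, pkt):
        """Masquerade an internal client; None when the pool is exhausted."""
        src = pkt["src"]
        if src not in self.out_map:
            if not self.free:
                return None
            public = self.free.pop(0)
            self.out_map[src] = public
            self.in_map[public] = src
        return dict(pkt, src=self.out_map[src])

    def inbound(self, pkt):
        """Reverse the translation; None when nothing inside is addressed."""
        key = (pkt["dst"], pkt["dport"])
        if key in self.port_maps:
            internal_ip, internal_port = self.port_maps[key]
            return dict(pkt, dst=internal_ip, dport=internal_port)
        if pkt["dst"] in self.in_map:
            return dict(pkt, dst=self.in_map[pkt["dst"]])
        return None

def map_port_ok(nat, public_port, internal_ip, internal_port):
    """True if the mapping was accepted, False if the port is already taken."""
    try:
        nat.map_port(public_port, internal_ip, internal_port)
        return True
    except ValueError:
        return False

def demo():
    """Constructed scenario: a two-address pool, three clients, one published server."""
    nat = Nat(["203.0.113.10", "203.0.113.11"], "203.0.113.1", ports_in_use={80, 1080})
    nat.map_port(8080, "10.2.1.80", 80)   # public web server reached via the firewall's address
    results = {}
    for client in ("10.2.1.5", "10.2.1.6", "10.2.1.7"):
        results[client] = nat.outbound({"src": client, "dst": "192.0.2.25",
                                        "sport": 40000, "dport": 25})
    results["reply"] = nat.inbound({"src": "192.0.2.25", "dst": "203.0.113.10",
                                    "sport": 25, "dport": 40000})
    results["web"] = nat.inbound({"src": "198.51.100.7", "dst": "203.0.113.1",
                                  "sport": 51000, "dport": 8080})
    results["stray"] = nat.inbound({"src": "198.51.100.7", "dst": "203.0.113.1",
                                    "sport": 51000, "dport": 23})
    return nat, results
```

The third client gets no translation because both pool addresses are taken, the reply to 203.0.113.10 is returned to the first client, the request for 203.0.113.1:8080 is rewritten to 10.2.1.80:80, and a packet for an unmapped port on the firewall address is not forwarded at all.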

IBM Firewall for AS/400 proxy server component

The IBM Firewall for AS/400 proxy server is a TCP/IP application that re-sends requests and responses between clients on your secure internal network and servers on the untrusted network. The proxy server breaks the TCP/IP connection to hide your internal network information (such as internal Internet Protocol (IP) addresses). Hosts outside your network perceive the proxy server as the source of the communication (see figure).

Typically, you use proxy servers to provide your internal users with access to an untrusted network. Each TCP/IP application requires its own proxy server. The IBM Firewall for AS/400 provides the following proxy servers:

v File transfer protocol (FTP), either passive or active

v Hypertext Transfer Protocol (HTTP)

v Hypertext Transfer Protocol + Secure Sockets Layer (HTTPS)

v Gopher

v Wide Area Information System (WAIS)

v TELNET (not through a Web browser)

Figure 4. Proxy server provides caching and logging functions

Except for the TELNET proxy, these proxy servers are available only through a Web browser. Consequently, your clients must have Web browsers that support the applications you want clients to access through a proxy server. When clients cannot use a browser to access an application, you must use a SOCKS server or network address translation (NAT) instead.

You can use proxy servers in conjunction with packet filtering to provide your users with selective access to services on the untrusted network. Users on the untrusted network do not use the proxy server to access local services on the secure network, such as a Web server. During Basic configuration, the firewall application creates filter rules to block access to the proxy server from the untrusted network. These filter rules protect the proxy (and your internal network) from attack. The proxy protects the firewall host because the user does not have to log in to the firewall directly to access the requested service.

Proxy servers can also provide other services such as caching and logging. To understand how the IBM Firewall for AS/400 proxy server component works, review these topics:

v Proxy logging services

v Proxy caching services

v Proxy server advantages

v Proxy server disadvantages

v IBM Firewall for AS/400 TELNET proxy server

Proxy logging services

Proxy servers can provide logging services, which allow you to obtain information about your network traffic. Proxies can log the uniform resource locators (URLs) that users access. By logging the URLs, the network administrator can see which users access which resources. You can use this information to generate utilization reports. The proxy server writes one log record each time a connection is established, not one entry per packet. The proxy server writes log records when you set the logging level in the firewall to informational (i).

Proxy caching services

Proxy servers can provide caching services. You can use the firewall advanced proxy settings option to specify that the proxy server cache pages. You can specify the cache and buffer sizes, as well as other parameters for the caching function. The proxy server caching option stores Web pages as users access them. Therefore, users may experience improved response time when they access Web pages that users across the internal network have accessed recently. However, setting the proxy to perform extensive caching may result in slower performance if caching uses too many firewall resources. Also, older cached pages may not be the most current version that a Web site provides.

Proxy server advantages

When you use proxy servers to control access to the untrusted network, you gain the following advantages:

v The proxy server breaks the TCP/IP connection to hide your internal network information (such as internal host names and Internet Protocol (IP) addresses).

v You can set the proxy server to require user authentication before it accepts and forwards the user's requests for services (TELNET proxy only).

v The proxy server provides advanced logging capabilities so that you can record access information. Proxy server logging is superior to SOCKS server logging because the proxy server records the URL that the user accesses.

v Proxy servers help you control which services users can access. Because each service must have its own proxy, users cannot access a service for which you do not create a proxy (as long as you do not allow access to the service through a SOCKS server or network address translation).

Proxy server disadvantages

When you use the proxy server to provide access to the untrusted network, be aware of the following disadvantages:

v A unique server application is required for each service that you want a client to access. You must use either a SOCKS server or network address translation (NAT) to access a service for which there is no proxy server, for example if you want to use Client Access/400 across the Internet.

v Proxy server performance is slower than either SOCKS or NAT.

IBM Firewall for AS/400 TELNET proxy server

The IBM Firewall for AS/400 TELNET proxy server provides your internal users with remote terminal access to hosts outside your network. Like any proxy server, the TELNET proxy breaks the TCP/IP connection at the firewall to hide your internal names and addresses from outsiders. Using advanced proxy settings, you can set the TELNET proxy to require user authentication before it accepts and forwards the user's requests for services. The TELNET proxy limits users to a restricted shell environment where only certain services are permitted.

The TELNET proxy server supports VT-100 type connections only. For other TELNET terminal types, use a SOCKS server.

TELNET proxy server disadvantages

Using the TELNET proxy is a two-step process for users: they first connect to the proxy on the firewall, then name the outside host. Consequently, the proxy server is not transparent to the client user.

IBM Firewall for AS/400 SOCKS server component

The IBM Firewall for AS/400 SOCKS server is a TCP/IP application that re-sends requests and responses between clients on your secure internal network and servers on the untrusted network. The SOCKS server breaks the TCP/IP connection to hide your internal network information (such as internal Internet Protocol (IP) addresses). Hosts outside your network perceive the SOCKS server as the source of the communication. See Figure 5 on page 32.


A SOCKS server is a general-purpose proxy server that is not tied to a single application. You can configure the SOCKS server to control which IP addresses you permit to use it and which application services you allow through it. You can use the SOCKS daemon configuration options to configure the SOCKS server to require that the firewall authenticate users.

The firewall graphical user interface makes it easy for you to set up the SOCKS server to handle these services:

v File Transfer protocol (FTP) (passive or active) with a Web browser

v FTP without a Web browser

v Hypertext Transfer Protocol (HTTP)

v Hypertext Transfer Protocol + Secure Sockets Layer (HTTPS)

v Gopher

v Internet Relay Chat (IRC)

v TELNET (transparently)

v Client Access

v Lightweight Directory Access Protocol (LDAP)

v Secure LDAP

v Post Office Protocol (POP) 3 mail server access from the Internet

v Lotus Notes replication from the Internet

v Distributed relational database application (DRDA)

To use a SOCKS server, the client must support the SOCKS protocol. Most popular Web browsers support SOCKS. Some operating systems (such as IBM OS/400) support SOCKS in the TCP/IP protocol stack so that all client applications can use a SOCKS server. You can also obtain add-on packages that provide SOCKS support for other types of clients.

Figure 5. SOCKS server traffic flow

To understand how the IBM Firewall for AS/400 SOCKS server component works,review these topics:

v SOCKS logging services

v SOCKS server advantages

v SOCKS server disadvantages

SOCKS

SOCKS is a client/server architecture that transports TCP/IP traffic through a secure gateway. A single SOCKS server can handle several TCP/IP applications, such as FTP and TELNET. To use SOCKS, your Web browser or TCP/IP stack must support SOCKS. Because SOCKS relays at the transport (TCP connection) level rather than interpreting each application protocol, it tends to be faster than a proxy server. However, SOCKS does not provide caching. Consequently, a proxy server, which provides caching, may offer faster performance if your users often access the same URLs.

Two standards for SOCKS servers are currently accepted: SOCKS 4 and SOCKS 5. SOCKS 5 adds client authentication to the server, which provides additional security. To use the SOCKS 5 authentication feature, you must set a SOCKS daemon rule in the firewall for each particular SOCKS application to authenticate users. The firewall and the firewall home AS/400 use the same set of user IDs and passwords. Additionally, each client must have SOCKS 5 support.
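The SOCKS 5 exchange that the authentication feature relies on, as an added example that is not IBM's code: both sides' messages are simulated in memory, with wire formats following RFC 1928 (method negotiation and CONNECT) and RFC 1929 (username/password subnegotiation). The user database, the set of permitted destination ports, the server's bound address and the sample credentials are constructed stand-ins for the firewall's SOCKS daemon rules; no sockets are opened.

```python
import struct

# Added example, not code from IBM or this manual: the SOCKS 5 exchange, both
# sides, simulated in memory. Wire formats follow RFC 1928 and RFC 1929. The
# user database and permitted destination ports are constructed stand-ins for
# the firewall's SOCKS daemon rules.

SOCKS_VER = 5
NO_AUTH, USER_PASS, NO_ACCEPTABLE = 0x00, 0x02, 0xFF
CMD_CONNECT, ATYP_IPV4 = 0x01, 0x01
REP_OK, REP_NOT_ALLOWED, REP_CMD_UNSUPPORTED, REP_ATYP_UNSUPPORTED = 0x00, 0x02, 0x07, 0x08

class Socks5Server:
    def __init__(self, users, allowed_ports, require_auth=True):
        self.users = users                  # {name: password}; assumed shared with the home AS/400
        self.allowed_ports = allowed_ports  # destination ports the daemon rules permit
        self.require_auth = require_auth
        self.authenticated = not require_auth
        self.user = None

    def greeting(self, msg):
        """Client: VER | NMETHODS | METHODS.  Server: VER | chosen METHOD."""
        if msg[0] != SOCKS_VER:
            return None
        methods = set(msg[2:2 + msg[1]])
        wanted = USER_PASS if self.require_auth else NO_AUTH
        return bytes([SOCKS_VER, wanted if wanted in methods else NO_ACCEPTABLE])

    def userpass(self, msg):
        """RFC 1929: VER=1 | ULEN | UNAME | PLEN | PASSWD.  Reply: VER=1 | STATUS."""
        ulen = msg[1]
        name = msg[2:2 + ulen].decode()
        plen = msg[2 + ulen]
        password = msg[3 + ulen:3 + ulen + plen].decode()
        ok = self.users.get(name) == password
        self.authenticated = ok
        self.user = name if ok else None
        return bytes([1, 0 if ok else 1])       # non-zero status: server closes the connection

    def request(self, msg):
        """VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT.  Reply carries REP and BND.ADDR/PORT."""
        if not self.authenticated:
            return None                          # never reached without a successful subnegotiation
        cmd, atyp = msg[1], msg[3]
        if cmd != CMD_CONNECT:
            rep = REP_CMD_UNSUPPORTED
        elif atyp != ATYP_IPV4:
            rep = REP_ATYP_UNSUPPORTED
        else:
            port = struct.unpack("!H", msg[8:10])[0]
            rep = REP_OK if port in self.allowed_ports else REP_NOT_ALLOWED
        bnd = bytes([203, 0, 113, 1]) + struct.pack("!H", 40000)   # constructed non-secure side
        return bytes([SOCKS_VER, rep, 0, ATYP_IPV4]) + bnd

def client_greeting(methods):
    return bytes([SOCKS_VER, len(methods)] + list(methods))

def client_userpass(name, password):
    n, p = name.encode(), password.encode()
    return bytes([1, len(n)]) + n + bytes([len(p)]) + p

def client_connect(ip, port):
    addr = bytes(int(o) for o in ip.split("."))
    return bytes([SOCKS_VER, CMD_CONNECT, 0, ATYP_IPV4]) + addr + struct.pack("!H", port)

def run_session(server, methods, name, password, ip, port):
    """Drive the exchange; return (REP seen by the client or None if refused earlier, transcript)."""
    transcript = []
    def send(direction, msg):
        transcript.append((direction, msg))
        return msg
    reply = server.greeting(send("C->S", client_greeting(methods)))
    if reply is None or send("S->C", reply)[1] == NO_ACCEPTABLE:
        return None, transcript
    if reply[1] == USER_PASS:
        status = server.userpass(send("C->S", client_userpass(name, password)))
        if send("S->C", status)[1] != 0:
            return None, transcript
    rep = server.request(send("C->S", client_connect(ip, port)))
    return send("S->C", rep)[1], transcript
```

A client that offers only "no authentication" to a server that requires it is turned away at the first reply (method 0xFF), a wrong password ends the session after the subnegotiation, and a correctly authenticated user is still refused (REP 0x02, connection not allowed by ruleset) for a destination port the daemon rules do not permit.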

You can set up SOCKS support on the firewall for the desired TCP/IP applications when you perform firewall Basic configuration. Although you should add SOCKS support during Basic configuration, you can add it later by choosing SOCKS from the firewall Configuration menu.

Most PC operating systems do not provide native SOCKS support. OS/2 Merlin (OS/2 Warp 4) is an exception; it provides SOCKS in the TCP/IP stack. If you want to use PC clients other than OS/2, you must add SOCKS support. Most Web browsers provide SOCKS support. Consequently, if you will not use Internet services that your browser cannot provide, you probably do not need to add SOCKS support to the PC client.

If you need to add SOCKS support, you can find several products on the Web. Most of these products work for Microsoft Windows 95; some work for Windows 3.1 and Windows NT. These products are usually Windows dynamic link libraries (DLLs) that extend the functionality of the Winsock DLL. They allow SOCKS 4 and SOCKS 5 applications such as FTP and TELNET to work without a browser.

Note: The PING command uses Internet control message protocol (ICMP), which has no TCP connection for SOCKS to relay, so PING does not work through a SOCKS server.

SOCKS logging services

SOCKS servers can provide limited logging services so that you can obtain information about your network traffic. The SOCKS server logs the fact that a connection was established or ended between two hosts. The log record contains the source and destination address and port. The SOCKS server does not log URLs. If you configure the SOCKS server to require a user ID, the server also logs user ID information. When the connection ends, the log records the number of bytes that were sent. You can use the log information to generate utilization reports. The SOCKS server writes one log record each time the user establishes or ends a connection, not one entry per packet. The SOCKS server writes log records when you set the logging level in the firewall to informational (i).

SOCKS server advantages

When you use a SOCKS server to control access to the untrusted network, you gain the following advantages:

v The SOCKS server breaks the TCP/IP connection, which hides your internal network information (such as internal host names and Internet Protocol (IP) addresses).

v You can configure the SOCKS server to require user authentication before it accepts and forwards user requests for services. This feature requires a client that supports SOCKS 5, which is the first version of SOCKS that supports user authentication.

v The SOCKS server provides logging capabilities so that you can record utilization information.

v The SOCKS server helps you control which services users can access. If you do not specify a permission for the service through the SOCKS server, users cannot access the service (as long as you do not allow the service through a proxy server or network address translation).

SOCKS server disadvantages

When you use a SOCKS server to control access to the untrusted network, be aware of the following disadvantages:

v Clients that do not support SOCKS cannot use the SOCKS server to access services on the untrusted network.

v The SOCKS server does not provide a caching option.

IBM Firewall for AS/400 mail relay service

The IBM Firewall for AS/400 uses a mail relay service to exchange mail with other mail servers on the Internet through simple mail transfer protocol (SMTP). The firewall delivers all incoming mail to an internal mail server (such as an AS/400 post office protocol (POP) 3 server), which stores the mail for user retrieval. See Figure 6 on page 35.


The firewall mail server works with the firewall domain name server to relay mail between the internal mail server and Internet mail servers. The mail relay server uses simple mail transfer protocol (SMTP). Using the firewall mail server isolates your internal secure mail server so that your internal network is not visible to the outside world. When mail flows through the firewall, the firewall rewrites e-mail addresses so that all internal users have a single mail domain. This domain is your company's public domain (for example, mycompany.com).

Clients send mail to the secure mail server and retrieve mail from the secure mail server. The secure mail server interacts with the mail relay on the firewall to route mail between the secure network and the Internet. The mail relay on the firewall uses the firewall name server to resolve domain names in the mail address to the numeric IP address. The mail relay uses the internal name server to retrieve mail routing information to deliver incoming mail to the secure mail server.

Without an internal name server, you must configure the firewall mail relay to retrieve mail routing information about the secure mail server from its own DNS server. This ensures that incoming mail is delivered without errors and that your internal network addresses remain invisible to the outside world.

IBM Firewall for AS/400 split domain name services (DNS) component

The firewall protects internal information by using two domain name system (DNS) servers. One domain name server is on the firewall; you must provide the other name server on the internal network. The firewall name server contains names that are visible only to the untrusted network, such as an external Web server. The firewall name server is responsible for resolving external host names in response to requests from the internal name server. You can also choose to use the Internet service provider (ISP) DNS server for resolving external names, if you prefer.

The internal name server that you provide contains only the names of hosts on the internal network. This internal name server is responsible for forwarding requests from the internal secure network that it cannot resolve to the firewall name server.

Figure 6. Firewall mail relay traffic flow


The firewall DNS server does not provide name serving functions for the internal network. However, you can use the DNS servers that AS/400 provides.

To understand how the IBM Firewall for AS/400 domain name services (DNS) component works, review these topics:

v Domain name services (DNS)

v Domain name servers

v How domain name services (DNS) work

Domain name services (DNS)

Host locations on the Internet or a TCP/IP network are specified by numeric Internet Protocol (IP) addresses. Most users have difficulty memorizing the hundreds or thousands of addresses that they need to connect to other hosts. As a result, most people use symbolic names to distinguish hosts from one another. Computers, however, need the numeric IP address in order to find the requested device and communicate with it. Consequently, there has to be a way in which host names are translated into numeric IP addresses. Domain name services (DNS) provides this translation function.

Domain name servers

A domain name services (DNS) server manages the TCP/IP address information for a portion of a network. For a small network, the server may manage the entire domain. The set of devices that a server manages is called a zone. A single name server can manage more than one zone. To ensure continuous service, each zone usually has a backup name server (called a secondary name server) designated for it. The records in the primary server and the secondary server are identical. This ensures that, if the primary server is unavailable, the secondary server can provide the necessary translation resolution.

DNS is a hierarchical system of zones in which each name server can communicate with the one above it in the hierarchy. Each name server can also communicate with the one below it (if one exists). The name server for a given zone is responsible for having the address information for each host in that zone. Each name server also has the address of at least one other name server. When the name server receives a translation request it cannot answer, it can take one of two actions. The server can either send the request to another name server or it can send a response that specifies an alternate name server to handle the request.

How domain name services (DNS) work

The domain name system (DNS) is critical to making the Internet work. DNS provides information about the various hosts that are hooked into the Internet. DNS is both distributed and hierarchical. This means that no one server has all the answers, but each server knows where to get the answers it does not know on its own.

At the top of this system are the root name servers. These servers know where to find all the authoritative top-level domain name servers. In turn, the top-level name servers know where to find the next level of authoritative name servers, and so forth. Thus, the domain name database is distributed across the Internet. This distribution allows easier manageability and faster response times than would occur if each host had to maintain a comprehensive database for all domain names and addresses on the Internet.


When a client program requests access to a particular host by domain name, the program sends a request to a designated primary name server. This is usually a name server on the local network. If this name server is unable to provide an Internet Protocol (IP) address for the requested domain name, the server can do one of two things. It can query another name server for the information. Or, it can return the name and address of the next logical name server for the client program to query. This process continues until a name server can provide the translation or until it returns an error message that the IP address is unknown.

DNS operates in much the same way a phone book does. You know the name of the person you want to call, but you do not know the phone number. To resolve this problem, you look it up in the phone book. Similarly, when you use a client program, such as FTP or a Web browser, you may know the name of the host you want to "call," but not the numeric IP address. The client program must also resolve this problem, which it does by using a function called a resolver. The resolver takes the host and domain name you specified and queries a domain name server (the resolver's "phone book") for the corresponding numeric IP address it needs to make the call. If the name server does not have the needed address, it knows the name of another name server that may know the address.

Here is an example of how DNS works. A user wants to FTP to the IBM PC Company FTP host. The user knows the host name is ftp.pcco.ibm.com and provides this name to the FTP client. The client then queries the local name server for the IP address. The local name server is in another domain than the one that the client requested. Therefore, the name server does not have the necessary information. The name server does, however, have the name and address for the .com name server (the root name server). What happens next depends on whether the client request is recursive or iterative.

If the request is recursive, the local name server queries the root server for the FTP client. The root name server also does not have a specific entry for the requested host. It does, however, know the name and address for the next level domain (ibm.com) and sends this information back to the local name server.

The local name server then sends a new query to the ibm.com name server. It also does not have the needed address, but it knows the name and address for the pcco.ibm.com name server and returns that information. The local name server sends a new query to the pcco.ibm.com name server, which can return the needed address for the host (FTP) in its domain. The local name server passes this information back to the FTP client program, which uses the address to contact the requested host.

If the FTP client request is iterative, the local name server sends information about the root name server back to the FTP client. The FTP client then makes a new query to the root name server and so forth, until it receives the necessary IP address.
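The ftp.pcco.ibm.com lookup above, modelled in both recursive and iterative mode so that the difference in who follows each referral is visible in the trace. This is an added example, not code from the manual or from IBM; the server names (ns.ibm.com, ns.pcco.ibm.com, local-ns), the local zone mycompany.com and every IP address are constructed placeholders.

```python
"""Model of the recursive and iterative lookup of ftp.pcco.ibm.com.
Added example; server names and IP addresses are constructed placeholders."""
from dataclasses import dataclass, field


@dataclass
class NameServer:
    name: str
    # Address records this server is authoritative for (host -> IP)
    a_records: dict = field(default_factory=dict)
    # Delegations: zone name -> the name server responsible for that zone
    delegations: dict = field(default_factory=dict)
    # Where to send anything unknown (the local server knows the root server)
    fallback: "NameServer | None" = None

    def query(self, hostname):
        """Answer one query the way the text describes: the address if the host
        is in this server's own data, a referral to the next name server down
        the hierarchy, or an error when nobody can be named."""
        if hostname in self.a_records:
            return "answer", self.a_records[hostname]
        # Longest matching delegated zone wins (pcco.ibm.com before ibm.com)
        for zone in sorted(self.delegations, key=len, reverse=True):
            if hostname == zone or hostname.endswith("." + zone):
                return "referral", self.delegations[zone]
        if self.fallback is not None:
            return "referral", self.fallback
        return "error", None


def build_example_hierarchy():
    """Constructed zones: local-ns -> root (.com) -> ibm.com -> pcco.ibm.com."""
    pcco = NameServer("ns.pcco.ibm.com",
                      a_records={"ftp.pcco.ibm.com": "192.0.2.80"})
    ibm = NameServer("ns.ibm.com", delegations={"pcco.ibm.com": pcco})
    root = NameServer("root (.com)", delegations={"ibm.com": ibm})
    # The local name server holds only local names but knows the root server.
    return NameServer("local-ns",
                      a_records={"host1.mycompany.com": "10.1.1.5"},
                      fallback=root)


def resolve(local, hostname, recursive):
    """Resolve hostname starting at the local name server.

    Returns (ip_or_None, trace); each trace entry is (asker, server, result).
    Recursive: the local server chases referrals on the client's behalf.
    Iterative: each referral goes back to the client, which asks the next
    server itself."""
    trace = []
    asker, server = "ftp-client", local
    while True:
        kind, value = server.query(hostname)
        trace.append((asker, server.name, kind))
        if kind == "answer":
            return value, trace
        if kind == "error":
            return None, trace
        asker = local.name if recursive else "ftp-client"
        server = value


if __name__ == "__main__":
    for mode in (True, False):
        ip, trace = resolve(build_example_hierarchy(), "ftp.pcco.ibm.com", mode)
        print("recursive" if mode else "iterative", ip)
        for asker, server, result in trace:
            print(f"  {asker} -> {server}: {result}")
```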

As you can see, without DNS it is difficult to communicate with hosts outside of your local network. Without a DNS server, you need an extensive (and accurate) memory for numeric IP addresses. Otherwise, you must maintain a huge (and possibly incomplete) set of host tables on each client.


IBM Firewall for AS/400 audit and event reporting services

IBM Firewall for AS/400 provides extensive logging features, as well as real-time monitoring. To understand how the IBM Firewall for AS/400 audit and event reporting works, review these topics:

v Firewall logging services

v Firewall monitoring services

Firewall logging services

You can specify that the firewall log information about the packets it processes. You can then use the log records to analyze traffic flowing into and out of your network. You can also analyze traffic that the firewall does not allow into your network.

The firewall maintains entries in the system log files whenever users attempt to access hosts through the various firewall servers. Rule violations and user authentication may create log entries. For example, you can have the firewall log:

v Packets that the firewall denies

v The uniform resource locators (URLs) that users access

v Occurrences of TELNET sessions that users establish

You can also log a variety of other activities. The firewall writes log records for proxy and SOCKS servers when you set the logging level in the firewall to informational (i). You can view log files from the firewall Web browser facility or from AS/400.

The firewall application also supports various logging levels. For instance, you can set the firewall to log exception conditions only or to log all traffic through the firewall. The system archives the log file to the AS/400 Integrated File System for safekeeping. You can convert these log files into more specific database files based on the types of messages in the logs. You can then query these database records to display the log information or to create reports.

Firewall monitoring services

The AS/400 system monitors firewall functions that run on the Integrated PC Server. By default, the AS/400 system operator (through the QSYSOPR message queue) receives notifications when important firewall events occur, such as attempted intrusions. The system sends all high severity error messages (Type = Alert) immediately. The system sends lower severity messages (Type = Error, Warning, Information, or Debug) when they reach a user-defined threshold. If the system detects an error condition that may be a result of tampering, all firewall functions end immediately. For example, if the logging function ends, it may indicate that someone is trying to bypass the firewall. All firewall functions end to ensure that no one can communicate with your internal secure network until you investigate the situation.
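The notification policy just described (Alert sent at once, lower severities batched until a threshold, and fail-closed when a guarded function such as logging ends), written out as a small model. This is an added example and not IBM's code: the five message types are the ones the text names, while the thresholds, the set of guarded functions and the replayed events are constructed.

```python
"""Model of the operator notification policy described in the text.
Added example, not IBM's code; thresholds, guarded functions and the
sample events are constructed."""
from collections import Counter

# The five message types named in the text, most severe first.
SEVERITIES = ("Alert", "Error", "Warning", "Information", "Debug")


class FirewallMonitor:
    def __init__(self, thresholds, guarded_functions):
        # thresholds: type -> how many messages of that type accumulate
        # before one notification goes to the operator (constructed values).
        # Alert needs no threshold because it is always sent immediately.
        self.thresholds = dict(thresholds)
        self.guarded = set(guarded_functions)   # e.g. {"logging", "filter"}
        self.pending = Counter()                 # unsent messages per type
        self.notifications = []                  # what would reach QSYSOPR
        self.active = True                       # are firewall functions up?

    def message(self, msg_type, text):
        """Handle one firewall message according to its type."""
        if msg_type not in SEVERITIES:
            raise ValueError(f"unknown message type {msg_type!r}")
        if msg_type == "Alert":
            self.notifications.append(("immediate", msg_type, text))
            return
        self.pending[msg_type] += 1
        if self.pending[msg_type] >= self.thresholds[msg_type]:
            count = self.pending[msg_type]
            self.pending[msg_type] = 0
            self.notifications.append(
                ("threshold", msg_type,
                 f"{count} {msg_type} messages; latest: {text}"))

    def function_ended(self, function):
        """A guarded function (such as logging) stopped: treat it as possible
        tampering, notify immediately and end all firewall functions so the
        firewall fails closed. Returns whether the firewall is still active."""
        if function in self.guarded and self.active:
            self.active = False
            self.notifications.append(
                ("immediate", "Alert",
                 f"{function} ended unexpectedly; all firewall functions ended"))
        return self.active


def run_sample():
    """Replay a constructed sequence of events and return the monitor."""
    mon = FirewallMonitor({"Error": 3, "Warning": 5,
                           "Information": 50, "Debug": 500},
                          guarded_functions={"logging", "filter"})
    mon.message("Alert", "possible intrusion attempt from non-secure side")
    for i in range(3):            # third Error message reaches the threshold
        mon.message("Error", f"proxy authentication failure #{i + 1}")
    mon.message("Warning", "filter rule denied packet")   # stays pending
    mon.function_ended("logging")                          # fail closed
    return mon


if __name__ == "__main__":
    for kind, msg_type, text in run_sample().notifications:
        print(f"{kind:9} {msg_type:7} {text}")
```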

IBM Firewall for AS/400 virtual private network (VPN) component

IBM Firewall for AS/400 provides virtual private network (VPN) technologies. When you use VPNs, you can create encrypted connections between the firewall and several other IBM firewall products. You can think of a VPN as an extension of your private network across a more public network, such as the Internet. Using a VPN creates a secure private connection, essentially through a private "tunnel."


IBM Firewall for AS/400 VPN technology is compatible with IBM Firewall for AIX 3.1, IBM eNetwork Firewall V3.2, and IBM Secure Network Gateway for AIX V2.2. You can import or export VPN settings to files in the Integrated File System. You and your VPN partner can then use these files to coordinate and set up the configuration for both ends of the VPN.

IBM Firewall for AS/400 VPN technology uses two Internet Protocol (IP) security architecture (IPSec) protocols to protect traffic that flows through the VPN tunnel. The Encapsulated Security Payload (ESP) protocol provides an integrity check, authentication, and encryption to IP datagrams. The IBM Firewall for AS/400 VPN component uses all three ESP services to protect your VPN traffic. This ensures that an intruder cannot forge packets in order to mount cryptanalytic attacks. In tunnel mode, the IP addresses in the outer headers do not have to be the same as the addresses in the inner headers. Consequently, the outer IP header contains only the public addresses of the firewalls on each end of the connection. Your internal network information is hidden from outsiders who may attempt to sniff the information from the packet header.

IBM Firewall for AS/400 VPN technology also uses the Authentication Header (AH) to provide integrity and authentication to IP packets. AH authenticates as much of the IP datagram as possible. VPNs use AH in tunnel mode to create a new IP datagram, which contains the original IP datagram as its payload. In tunnel mode, the IP addresses in the outer headers do not have to be the same as the addresses in the inner headers. For example, two firewalls may operate an AH tunnel to authenticate all traffic between the networks that they connect together (a VPN). Tunnel mode provides total protection of the encapsulated IP datagram and allows the firewall to route datagrams that use private IP addresses.
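A simplified model of the AH tunnel mode described in this and the preceding paragraph: the original datagram with its private addresses becomes the payload of a new datagram whose outer header carries only the two firewalls' public addresses, and an integrity check over the whole encapsulated datagram lets the receiving firewall reject forged or modified packets. This is an added example, not the firewall's implementation and not the IPsec wire format; the shared key, the addresses and the payload are constructed placeholders, and HMAC-SHA256 is an assumed stand-in for whatever integrity algorithm the two firewalls agree on.

```python
"""Simplified model of AH tunnel mode between two firewalls. Added example;
not the IPsec wire format. Key, addresses and payload are constructed, and
HMAC-SHA256 stands in for the negotiated integrity algorithm."""
import hashlib
import hmac
import json


def _icv(key, outer_src, outer_dst, inner):
    """Integrity check value over the outer addresses and the complete
    encapsulated datagram, so a change to either is detected."""
    covered = json.dumps({"outer": [outer_src, outer_dst], "inner": inner},
                         sort_keys=True).encode()
    return hmac.new(key, covered, hashlib.sha256).hexdigest()


def encapsulate(key, fw_local, fw_remote, inner):
    """Sending firewall: wrap the original datagram (private inner addresses)
    in a new datagram addressed from this firewall to the partner firewall."""
    return {"src": fw_local, "dst": fw_remote,
            "ah": {"icv": _icv(key, fw_local, fw_remote, inner)},
            "payload": inner}


def decapsulate(key, packet):
    """Receiving firewall: verify the integrity check before trusting the
    inner datagram. Returns the inner datagram, or None if the packet was
    forged, modified in transit, or protected with a different key."""
    expected = _icv(key, packet["src"], packet["dst"], packet["payload"])
    if not hmac.compare_digest(expected, packet["ah"]["icv"]):
        return None
    return packet["payload"]


def outsider_view(packet):
    """What a sniffer on the public network learns from the outer header:
    only the two firewall addresses, never the private inner ones."""
    return packet["src"], packet["dst"]


def demo():
    """Run one tunnel exchange plus two rejected cases (constructed data)."""
    key = b"constructed-shared-key"
    inner = {"src": "10.1.1.5", "dst": "10.2.2.9", "payload": "order update"}
    packet = encapsulate(key, "198.51.100.1", "203.0.113.1", inner)
    # An attacker on the path rewrites the inner destination address.
    tampered = json.loads(json.dumps(packet))
    tampered["payload"]["dst"] = "10.2.2.1"
    return {
        "outsider_sees": outsider_view(packet),
        "delivered": decapsulate(key, packet),
        "tampered": decapsulate(key, tampered),
        "wrong_key": decapsulate(b"other-key", packet),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```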

Note: If you want to use your firewall to create virtual private networks, you must also install the IBM Cryptographic Access Provider (AC1, AC2, or AC3).

Firewall configurations

A firewall consists of one or more software elements that run on one or more hosts. The hosts may be general purpose computer systems or specialized systems such as routers.

You can combine firewall elements to create many different firewall configurations. The elements of IBM Firewall for AS/400 provide two common firewall configuration types: the dual-homed gateway and the screened host firewall.

Dual-homed gateway firewall

The dual-homed gateway is one of the most popular firewall configurations because it is both the most secure and the most versatile. Consequently, the dual-homed gateway is your best firewall configuration choice.

The dual-homed gateway has one physical connection to the internal secure network and one to the non-secure network (see figure). A separate local area network (LAN) adapter is responsible for communications between the firewall home AS/400 system and the internal secure network.


Clients on the internal secure network must use either network address translation (NAT) or a SOCKS or proxy server to access services on the Internet. Internet hosts or clients see only the address of the firewall when interacting with hosts or clients on the internal secure network. Because the firewall provides split domain name services, the names of internal hosts are not visible on the Internet, yet internal users have access to all systems, including the Web server on the non-secure network.

If the router that connects the internal network to the Internet has packet filtering features, you can configure it to reject undesirable inbound connections. This ensures that the router allows only those packets that you specify to access either the Web server on the perimeter network or the firewall. The firewall packet filters provide additional limits for what traffic can reach the internal secure network.

You do not need to assign public IP addresses to the internal secure network because the network does not directly participate with the Internet. You increase the security of your internal network when you use the IP addresses reserved for private Internets because most routers automatically reject them. Refer to the topic IP addresses reserved for private Internet (intranet) use for a complete list of these addresses.

Any filter rule errors that you make on the router or firewall do not expose your internal systems to direct attack from the Internet. The physical separation of the two networks protects the AS/400 system and its clients.

There are no significant disadvantages for this configuration. However, if you put your public server behind the firewall, you must allow Internet Protocol (IP) forwarding so that Internet users can access it. Also, if you want to access production data behind the firewall for a public server outside the firewall, you must either open a hole in the firewall or use some form of backup media to physically transfer the data to the server.

Figure 7. Dual-Homed Gateway Firewall


Screened host firewall

Although the screened host firewall configuration is similar to the dual-homed gateway firewall, the separation of the internal secure network from the perimeter network is logical rather than physical. This configuration relies on the router packet filter rules only to allow traffic between the Internet, firewall, and public Web server (see figure).

In this configuration, the Web server can easily communicate with the internal servers. This communication makes it easy to update the Web server with dynamic data from the production system. However, if someone successfully attacks the Web server, the attacker can use the Web server as a starting place to attack your internal systems. Generally, you should not use this configuration because the security policy is split between the firewall and the router. This means that both systems must be reviewed and maintained. A hole in one system may be overlooked because it is thought that the other system is closing it.

The screened host configuration requires only one LAN adapter in the firewall, which makes this solution less expensive to implement. However, the disadvantages of this configuration can result in considerable recovery expenses.

In this configuration, the Internet router is your most important line of defense. You must ensure that you configure the router packet filter rules correctly because there is no physical separation between the internal and perimeter networks. Holes in the router filter rules can give an attacker the means to access and wreak havoc in your internal network because the attacker may be able to bypass the firewall.

Figure 8. Screened Host Firewall


Chapter 2. Planning your firewall installation and configuration

To ensure that you install and configure your firewall properly, you must carefully gather information about your network, security needs, and public server placement. You must use this information to carefully plan how you will install and configure the firewall. Because planning is the most critical step for successfully getting your firewall up and running, review these topics:

v IBM Firewall for AS/400 installation requirements.

v Positioning your public server in relation to your firewall.

v Firewall and network configurations: Sample scenarios.

v IBM Firewall for AS/400 planning worksheets.

Frequent updates are made to the AS/400 Firewall home page. You should check it as part of your planning process. The address for the home page is http://www.as400.ibm.com/firewall.

IBM Firewall for AS/400 installation requirements

Before you install IBM Firewall for AS/400, you must verify that both the firewall home AS/400 system and the firewall administration workstation meet the software and hardware requirements. To determine what the requirements are, review these topics:

v IBM Firewall for AS/400 software requirements

v IBM Firewall for AS/400 hardware requirements

v IBM Firewall for AS/400 user profile requirements

v Secure Sockets Layer (SSL) considerations for IBM Firewall for AS/400

IBM Firewall for AS/400 software requirements

IBM Firewall for AS/400 resides and runs on an Integrated PC Server that is installed on the AS/400 system. The firewall requires these types of software:

v Licensed programs installed on the firewall home AS/400 system and firewall Integrated PC Server

v Software installed on the firewall administration PC

v Software installed on firewall clients

IBM Firewall for AS/400 licensed program requirements

IBM Firewall for AS/400 resides on an AS/400 Integrated PC Server and uses TCP/IP for communications. Consequently, you must have certain AS/400 licensed programs installed on the firewall home AS/400 system to ensure that you can install the firewall correctly. The table below provides a list of AS/400 licensed programs that you must have installed.

© Copyright IBM Corp. 1998


Licensed Program        Description
5769-SS1                OS/400, Version 4 Release 3
5769-TC1                TCP/IP Connectivity Utilities
5769-SA2                Integration Services for FSIOP
5769-DG1                IBM HTTP Server for AS/400
5769-FW1                Firewall for AS/400
5769-AC1, AC2, AC3      Cryptographic Access Provider (used to create virtual private networks)

Note: If you want to create virtual private networks, you must also install the IBM Cryptographic Access Provider (5769-AC1, AC2, AC3) before you vary on the Integrated PC Server for the first time. If you do not install the product before you vary on, the product will be deleted from your system.

Note: If you want to convert firewall logs to DB2 tables and use interactive SQL to build views of your log data, you must install the DB2 for AS/400 Query Manager and SQL Development Kit (5769-ST1) licensed program.

IBM Firewall for AS/400 administration PC software requirements

You administer the firewall through a Web browser on a PC in your internal network. This firewall administration PC requires the following software:

v TCP/IP support (must be configured and operational)

v A Web browser that supports HTML frames and JavaScript (for example, Netscape Navigator 3.0 and 4.0, as well as Microsoft Internet Explorer 4.0, work well)

IBM Firewall for AS/400 client software requirements

Each client on your internal secure network should have the following installed software to access firewall services:

v A Web browser that supports HTML frames and JavaScript

v FTP software (if you authorize the client to use FTP)

v SOCKS support (if you want the client to use the firewall SOCKS server to connect to the Internet)

IBM Firewall for AS/400 hardware requirements

IBM Firewall for AS/400 resides and runs from an Integrated PC Server on the firewall home AS/400 system. You must use a PC or workstation to configure and administer the firewall. To review the hardware requirements for both the firewall home AS/400 system and the firewall administration PC, see these topics:

v IBM Firewall for AS/400 administration PC hardware requirements

v IBM Firewall for AS/400 hardware requirements for the firewall home AS/400 system

IBM Firewall for AS/400 administration PC hardware requirements

The PC or workstation that you use to configure and administer the firewall must have the following hardware:


v Token-ring or Ethernet adapter to communicate with the Integrated PC Server adapter or another line on the firewall home AS/400 system that uses TCP/IP

v A processor and memory sufficient to run the operating system and Web browser that you use to administer the firewall

For detailed procedures to verify these requirements, see the topic “Verifying firewall hardware, software, and configuration prerequisites” on page 70.

IBM Firewall for AS/400 hardware requirements for the firewall home AS/400 system

The firewall home AS/400 must have a dedicated Integrated PC Server installed. You must use this Integrated PC Server solely for the firewall, and it must have the following features:

v At least 32 MB memory (preferably 64 MB)

v Two communication ports

If possible, you should use the Pentium® models of the Integrated PC Server. The 486 Integrated PC Server works; however, you will get better performance by using the Pentium models.

For detailed procedures to verify these requirements, see the topic “Verifying firewall hardware, software, and configuration prerequisites” on page 70.

IBM Firewall for AS/400 user profile requirements

To install, configure, or administer the firewall, the firewall administrator user profile must have the following user class and special authorities:

v User class of *SECOFR

v Special authorities of *SECADM, *ALLOBJ, and *IOSYSCFG

The firewall requires a user profile if you enable the user authentication feature for either the TELNET proxy or the SOCKS server.

Secure Sockets Layer (SSL) considerations for IBM Firewall for AS/400

The Secure Sockets Layer (SSL) supports encryption for communication between hosts. You can use SSL to encrypt communication sessions between the firewall administration PC and the firewall. Using SSL enhances firewall administration security. Consequently, using SSL is strongly recommended, especially if you want to administer the firewall remotely or from a non-secure workstation.

Note: To administer the firewall remotely, you must change the filter rule that describes what traffic can access port 2010. You must change this filter rule to allow access to the port from the non-secure side of the firewall. If you change this filter rule, ensure that your changes do not provide an opportunity for an attacker to exploit the change to attack your firewall.

To use SSL, you need:

v IBM HTTP Server for AS/400 (5769–DG1)

v Cryptographic Access Provider licensed program for AS/400 (AC1, AC2, or AC3)


Note: You must also install this program if you want to use your firewall to create virtual private networks. You must install this product before you vary on the Integrated PC Server for the first time. If you do not install the product prior to vary on, the product will be deleted from your system.

v A digital certificate for your firewall server. For more information about obtaining and using digital certificates, see the HTTP Server for AS/400 Webmaster's Guide.

v A Web browser that supports SSL

Positioning your public server in relation to your firewall

One reason companies connect to the Internet is to provide some type of service to Internet users. This can range from a simple Web site that contains product information to a fully integrated e-commerce site. Another reason companies connect to the Internet is to provide an e-mail connection for their company. This may be a traditional simple mail transfer protocol (SMTP) connection or it may be a full-function Domino server. Whatever reason your company has for connecting to the Internet, the company must protect its network. A firewall provides the best protection.

If you provide services to Internet users, you must decide where to place your public server. You can put your public server:

v On the perimeter network in front of the firewall

v On the internal network behind the firewall

The answer to the question of where to place your Web server is: "It depends." Review the information in these topics to help you decide where to place your server:

v Placing a public server in front of the firewall

v Placing a public server behind the firewall

After reading these topics, you should have a better understanding of the trade-offs you must make based on your choice of server location. You may also notice that the same item is listed as a disadvantage in one section and an advantage in another.

Placing a public server in front of the firewall

As with all other processes in your company, security must be balanced with usability. Placing the public server in front of the firewall provides the highest level of protection for your internal secure network. The firewall blocks all access to the internal network from the Internet. Figure 9 on page 47 provides a sample illustration of this network configuration.


To learn about the advantages and disadvantages of placing the server in front of the firewall, review these topics:

v Advantages of placing your public server in front of the firewall

v Disadvantages of placing your public server in front of the firewall

Advantages of placing your public server in front of the firewall

When you place your public server in front of the firewall, you gain the following advantages:

v Server traffic does not add to the traffic flow through the firewall and consume firewall resources.

v You do not need to allow Internet Protocol (IP) forwarding in the firewall to provide services to the Web. However, if you use network address translation (NAT) services, you must allow IP forwarding.

v Internet users can access the public server even when the firewall home AS/400 is down.

v The firewall blocks all access to the production network and data.

v The public server is in the public part of the network. Therefore, you need not subnet the addresses that you receive from your Internet service provider (ISP).

Having the public server in front of the firewall reduces the amount of traffic that flows through the firewall. Consequently, the firewall can use more resources for other things, such as caching and logging. This may provide better performance for the users in the internal network who access the Internet.

However, the speed of the line provided to the ISP is usually the biggest performance limitation. A good rule of thumb is to divide the line speed by 10 (8 data bits plus a start and stop bit). Using this equation, you can determine the maximum number of bytes per second that the line can transfer in one direction. For example, if you have a 56K bps line to the ISP, expect a maximum of 5600 bytes of data to flow per second. This does not include any overhead that the protocol that you use may add, for example, TCP/IP.

Figure 9. Public server in front of the firewall

With IP forwarding turned off in the firewall, unintended access through the firewall is less likely if you add a rule incorrectly. The firewall is, therefore, easier to set up because the firewall application generates all the rules, which ensures that human errors are less likely. However, if you use NAT to allow internal clients to access Internet services, you must allow IP forwarding.

When you take down the firewall home AS/400 system for backups or service, youmust end the firewall. Because the public server is in front of the firewall, Internetusers can still access the public server.

The firewall blocks access to the secure internal network. In the event of asuccessful attack on the public server, the attacker can compromise the data on thepublic server system only.

Because the public server is outside the firewall, the public server is in the publicportion of your network. Consequently, you do not need to subnet the registerednetwork address that you receive from your ISP. You must obtain at least fourregistered addresses from your ISP to support this network configuration. See thetopic Understanding TCP/IP, networking, and the Internet for more details on IPaddresses and subnets.

Disadvantages of placing your public server in front of the firewall

When you place your public server in front of the firewall, you must be aware of the following disadvantages:

v When you place the public server in front of the firewall, the firewall does not protect the public server. The router to the ISP and the security that you set up on the server itself provide the only protection for the public server. In most cases, the ISP handles the configuration of their router. If your public server is a V4R3 AS/400 system, you can use native packet filtering to protect the server.

v The firewall cannot log traffic to or from the public server. Consequently, you have no record of attempted or successful attacks on the public server. However, if your public server is a V4R3 AS/400 system, you can have the server log traffic. You must implement measures to prevent unauthorized access to any services that are started on the public server for administrative reasons, for example, TELNET, FTP, IBM HTTP Server for AS/400, and so forth.

v Updating the public server with production data requires that you either open a hole in the firewall or that you physically transfer the data. Consequently, data on the public server may not be current.

v You must have two systems: an AS/400 at V4R3 to support the firewall Integrated PC Server and another system to provide the public service.

If you plan to use the public server solely for HTTP serving and other read-only activities, then the server should be fairly safe. You can safely use well-written CGI programs because they use HTTP forms to update data. However, if you start any services that can provide direct access to the server, such as TELNET, the server becomes open to attack. You should only put data on the public server that you can afford to lose and can easily replace. This type of public server is sometimes referred to as a "sacrificial lamb."


Most routers cannot log access attempts. When the public server is in front of the firewall, the server may be your only source for log information. Information about discarded packets or attacks on the public server cannot be captured, unless the server is a V4R3 AS/400 system. You also cannot obtain information about the effects of a successful attack.

You may need to start the TELNET or FTP server on the public server for administrative reasons. If you choose to do this, make sure that the ISP router has filters in place to prevent access to these services from the Internet. Start these services only when you need to actively use them, and end them as soon as you are done. In the case of FTP, you can use carefully coded exit programs to provide additional protection. You can also use exit points for TELNET. You can find more information about coding exit programs in the TCP/IP Configuration and Reference (SC41-5420) or on the AS/400 Technical Studio Web site.

Note: If you provide these services to Internet users, remember that these services do not encrypt user IDs, passwords, or the data that you transfer. Consequently, a potential attacker can view everything that you do through these services. You may choose to implement anonymous FTP, but anonymous FTP requires that you use exit programs.

When you place the public server in front of the firewall, you may need a method for updating the server with new data from the internal network. The simplest and most secure way to do the update is to use a tape to load a new copy of the data. This method keeps the internal network separate from the public network, but does require human intervention.

Placing a public server behind the firewall

Placing the public server behind the firewall provides both a high level of security for your internal secure network and more protection for the public server. The firewall blocks all access to the internal network from the Internet. The figure below provides a sample illustration of this network configuration.


To learn about the advantages and disadvantages of placing the server behind the firewall, review these topics:

v Advantages of placing your public server behind the firewall

v Disadvantages of placing your public server behind the firewall

Advantages of placing your public server behind the firewall

When you place your public server behind the firewall, you gain the following advantages:

v The firewall protects the public server. You are not dependent on the Internet service provider (ISP) router for protection of the public server.

v You can use the firewall logging function to detect and recover from attacks on the public server.

v The public server and production data are on the same side of the firewall, which may make it easier for you to update the server with production data.

v You can use the same AS/400 system to run the firewall Integrated PC Server and run the public server.

v During Basic configuration for your firewall, the application automatically configures HTTP and HTTPS access to your public server through network address translation services (NAT). NAT allows the firewall to route traffic from the Internet to your public server while hiding your internal addresses. Using NAT also lowers the number of registered IP addresses that you must obtain because your public server can use a private address. NAT translates this address either to a reserved public address or to the firewall public address.

The firewall can also log packets that the server receives. If you choose to use this feature, you get a log that contains information about packets that the firewall accepts and forwards. You can also get log entries for packets that the firewall discards. You can use these logs to determine if someone has been attacking your network. You must set up these logging features before you can use them.


With the firewall protecting the public server and the production systems, you can easily use built-in tools such as distributed relational database architecture (DRDA) or FTP to move data between systems without having to modify the firewall. This allows you to access existing data and systems when implementing Internet-based applications.

You need one system running OS/400 at V4R3 or later to support the firewall Integrated PC Server and code. You can use this same system as the public server because the firewall protects the system and the internal network from attack.

You can use NAT in the firewall to route traffic from the Internet to your public server and hide your internal addresses. The firewall uses the NAT settings to map the publicly registered IP address of the server to the private address for the server on your internal network. You can use the address of the firewall non-secure port as the public address of the server. This lowers the number of registered IP addresses that you must obtain for your network.

Note: You may need to specify that the firewall send HTTP and HTTPS traffic for the public server to ports other than the well-known ports for these services. You must do this only if you use proxy or SOCKS servers to provide internal users with access to Internet services.

Disadvantages of placing your public server behind the firewall

When you place your public server behind the firewall, you must be aware of the following disadvantages:

v Server traffic flows through the firewall. This extra traffic consumes more firewall resources that you could otherwise use for caching, logging, and so forth.

v Internet Protocol (IP) forwarding is active on the firewall so that Internet users can reach your public server.

v You may need to perform additional configuration for the firewall and your public server. For example, you may want to allow Notes clients on the Internet to access a Lotus Domino server behind the firewall. To allow this traffic to flow through the firewall, you must add filter rules to the firewall configuration manually.

v When the firewall home AS/400 is down, no traffic can flow between the Internet and the secure network. Consequently, Internet users cannot access your public server and internal users cannot access the Internet.

When you place the public server behind the firewall, you increase the amount of traffic that flows through the firewall. This may consume firewall resources that you can otherwise use to service internal users that access the Internet. However, firewall resource limitations are not likely to create a bottleneck in your Internet performance. The bottleneck, if any, is more likely to be caused by the speed of the line that you use to connect to the ISP. You can find information about calculating the line throughput in the topic Advantages of placing your public server in front of the firewall.

During firewall Basic configuration, the application configures network address translation services (NAT) to route traffic to a public server behind the firewall. NAT uses IP forwarding. When IP forwarding is active, the firewall forwards any packet that it receives. IP forwarding can increase your network's vulnerability to attack. However, before forwarding the packet, the firewall checks the packet against the filter rules to determine whether to route or discard the packet. Well-written filter rules ensure that only those packets that you authorize to reach your internal network and public server do so. However, if you add or change a rule incorrectly, you can disable the firewall. The rule could allow the firewall to forward everything because everything passes a rule. For this reason, you need to have a good understanding of how to write filter rules. You should also examine your firewall configuration regularly.
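The paragraph above warns that a single careless rule can make a forwarding firewall pass everything. The following Python script is an added example (it is not code from IBM or from the Firewall for AS/400 product) that models a first-match packet filter and audits a rule set for exactly that mistake: a permit that covers all traffic, and deny rules that an earlier permit shadows. The addresses, rule order and services are constructed for the illustration, and the rule fields (action, protocol, source, destination, destination port) are the generic ones this chapter talks about, not the product's own rule syntax.

```python
"""Added example (not IBM's code): a first-match packet filter in miniature,
showing how one catch-all rule makes a forwarding firewall pass everything,
plus an audit that flags such rules. Addresses and rules are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    proto: str            # "tcp", "udp", "icmp" or "any"
    src: str              # CIDR; "0.0.0.0/0" means any source
    dst: str              # CIDR; "0.0.0.0/0" means any destination
    dport: Optional[int]  # None means any destination port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


ANY_NET = "0.0.0.0/0"
# The rule that matches every packet; any permit this wide is fatal.
PERMIT_EVERYTHING = Rule("permit", "any", ANY_NET, ANY_NET, None)


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every field of the rule covers the packet."""
    return (rule.proto in ("any", pkt.proto)
            and ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst)
            and rule.dport in (None, pkt.dport))


def decide(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; a packet that matches no rule is denied."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"


def covers(wide: Rule, narrow: Rule) -> bool:
    """True when every packet matched by `narrow` is also matched by `wide`."""
    return (wide.proto in ("any", narrow.proto)
            and ip_network(narrow.src).subnet_of(ip_network(wide.src))
            and ip_network(narrow.dst).subnet_of(ip_network(wide.dst))
            and wide.dport in (None, narrow.dport))


def audit(rules: List[Rule]) -> List[str]:
    """Flag permit-all rules and deny rules that an earlier permit shadows."""
    findings = []
    for i, rule in enumerate(rules):
        if rule.action == "permit" and covers(rule, PERMIT_EVERYTHING):
            findings.append(f"rule {i} permits all traffic: the firewall forwards everything")
        elif rule.action == "deny":
            for j in range(i):
                if rules[j].action == "permit" and covers(rules[j], rule):
                    findings.append(f"rule {i} (deny) is shadowed by permit rule {j}")
                    break
    return findings


# Constructed sample: the public server sits on the secure side and may be
# reached from the Internet for HTTP and HTTPS only; everything else is denied.
SECURE_NET = "192.168.1.0/24"
PUBLIC_SERVER = "192.168.1.10/32"

INTENDED_RULES = [
    Rule("permit", "tcp", ANY_NET, PUBLIC_SERVER, 80),
    Rule("permit", "tcp", ANY_NET, PUBLIC_SERVER, 443),
    Rule("deny", "any", ANY_NET, SECURE_NET, None),
]

# The same rule set after a catch-all permit is added at the top "just to
# test something": every rule below it is now dead.
MISTAKEN_RULES = [PERMIT_EVERYTHING] + INTENDED_RULES

WEB_REQUEST = Packet("tcp", "203.0.113.5", "192.168.1.10", 80)
TELNET_TO_INTERNAL_HOST = Packet("tcp", "203.0.113.5", "192.168.1.20", 23)

if __name__ == "__main__":
    for name, rules in (("intended", INTENDED_RULES), ("mistaken", MISTAKEN_RULES)):
        print(name, "web:", decide(rules, WEB_REQUEST),
              "telnet:", decide(rules, TELNET_TO_INTERNAL_HOST))
        for finding in audit(rules):
            print("  audit:", finding)
```

Running the script shows the intended set permitting the Web request and denying TELNET to an internal host, while the mistaken set permits both and the audit reports the catch-all permit and the shadowed deny. The audit is the kind of check worth running on a rule set before it is activated and again during the regular configuration review the text recommends.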

When you shut down the firewall home AS/400 system for service or the QSYSWRK subsystem ends, the firewall application ends. When the firewall application ends, the firewall is not available to forward packets. Although your internal network remains protected in this case, Internet users cannot reach your public server.

Firewall and network configurations: Example scenarios

To make it easier for you to plan your network and firewall configuration, this topic describes some sample configuration scenarios for your review. Each sample scenario contains network configuration diagrams. After each diagram is a basic description of the scenario and information about the addressing in the scenario.

As you examine each scenario, notice that the main difference between the scenarios is the network configuration. The services that you provide to Internet clients and the services that your users access from the Internet affect the configuration of the firewall, but generally do not affect the network configuration.

To help you plan your own firewall configuration, look through these sample scenarios and find the scenario diagram that best matches your environment:

v Example scenario: Public server in front of the firewall

v Example scenario: Public server in front of the firewall with secure side subnets

v Example scenario: Public server behind the firewall

Example scenario: Public server in front of the firewall

Figure 10 on page 53 shows a basic network configuration with a public server (WWW) on the non-secure perimeter network. This configuration provides access to the Internet from the internal secure network by using proxy or SOCKS servers or network address translation (NAT). During Basic configuration, you select the Internet services that local users can access from the internal secure side of the network. These selections do not affect the network configuration. The configuration prevents access to the internal secure network from the non-secure network or Internet. An additional LAN adapter connected to the firewall home AS/400 in the internal secure network provides access to the IBM HTTP Server for firewall installation.


All hosts in the internal secure network are located on the same LAN segment as the secure port of the firewall. In this configuration, the internal secure LAN appears as one segment. There are two reasons that the LAN can appear as one segment. One is that there is only one physical segment in the LAN. Another is that bridges, which are transparent to the TCP/IP protocol, connect multiple LAN segments.

For a discussion of the advantages and disadvantages of this scenario, review the topic Placing a public server in front of the firewall.

You can find detailed information for setting up this scenario in the topic Installing and configuring your firewall.

Example scenario: Public server in front of the firewall with secure side subnets

The figure below shows a basic network configuration with a public server (WWW) on the non-secure perimeter network. The hosts in the internal secure network are located on multiple LAN segments. These hosts are connected to the secure port of the firewall by using a router. A typical network has many subnets in the internal secure network; however, for simplicity, the figure only shows two subnets in the internal secure network.

Figure 10. Public server in front of the firewall


For a discussion of the advantages and disadvantages of this scenario, review the topic Placing a public server in front of the firewall.

You can find detailed information for setting up this scenario in the topic Installing and configuring your firewall.

Example scenario: Public server behind the firewall

Figure 11 on page 55 shows a basic network configuration with a public server (WWW) behind the firewall on the internal secure network. You provide access to the Internet from the internal secure network by using proxy or SOCKS servers or by using network address translation (NAT). During Basic configuration, you select the Internet services that your users access from the internal network. These selections do not affect the network configuration. Basic configuration automatically uses NAT to allow access to the public server on the internal secure network from the Internet. The firewall filter rules and the Internet service provider (ISP) router protect the internal secure network. An additional LAN adapter connected to the firewall home AS/400 in the internal secure network provides access to the IBM HTTP Server for firewall installation.


The secure port of the firewall is connected to a LAN segment that becomes the public secure network. The hosts in the internal secure network may be located on different LAN segments.

For a discussion of the advantages and disadvantages of this scenario, review the topic Placing a public server behind the firewall.

You can find detailed information for setting up this scenario in the topic Installing and configuring your firewall.

IBM Firewall for AS/400 planning worksheets

This topic provides information about how to plan your firewall installation and configuration. There are worksheets that you can use to help you plan. Use the worksheets to gather detailed information about your firewall Integrated PC Server, home AS/400 system, network, Internet service provider (ISP), and Internet service usage plans. You need this information to adequately plan your Internet, network, and firewall strategy. You can also use this information to configure your firewall and your public server.

Table 10. Planning worksheet for ensuring that your AS/400 system meets all prerequisites for installing firewall

Prerequisite Checklist (all answers should be YES before you proceed with firewall installation)        Answers

Is your OS/400 V4R3 or later?

Is Firewall for AS/400 licensed program (5769-FW1) installed?

Is the OS/400 System Openness Includes option needed for 5769-SA2 installed?

Is Integration Services for FSIOP (5769-SA2) installed?

Is TCP/IP Connectivity Utilities for AS/400 (5769-TC1) installed?

Is IBM HTTP Server for AS/400 (5769-DG1) installed?

If you plan to create virtual private networks, is Cryptographic Access Provider (5769-AC1, AC2, AC3) installed?

Did you verify that the most current PTFs available are installed? (A list of these is available at http://www.as400.ibm.com/firewall Support --> Code Updates.)

Does the firewall Integrated PC Server have two ports?

Is TCP/IP configured in your AS/400 system (including IP interfaces, routes, local host name, and local domain name)?

Is the firewall Integrated PC Server installed in the firewall home AS/400 system?

Did you verify that both ports of the firewall Integrated PC Server are working properly?

Is the secure port of the firewall Integrated PC Server connected to the internal network?

Is the non-secure port of the firewall Integrated PC Server the same LAN type (Ethernet or token-ring) as the LAN segment connected to the ISP?

Is the non-secure port of the firewall Integrated PC Server connected to a separate MAU or hub? (This port should be in the LAN segment that connects to the ISP router.)

Does your firewall administration workstation have a browser that supports HTML frames and JavaScript (for example, Netscape Navigator 3.0+ or Microsoft Internet Explorer 4.0+)?

Figure 11. Public server behind the firewall

Table 11. Planning worksheet for your network configuration

Network Checklist        Answers

Provide a diagram of your network, including hosts, routers, bridges, host IP addresses, subnet masks, and mail servers. Include the firewall home AS/400 system and the firewall Integrated PC Server in your diagram.

Does your AS/400 system have a LAN adapter (other than those in the firewall Integrated PC Server)?

Do you have a DNS server in your secure network?

Will the DNS administrator be available when you set up the firewall?

If you do not have a DNS in the secure network, is your secure domain name a subdomain of your public domain name?

If you do not have DNS in the secure network, have you updated host tables and the DNS configuration for your clients?

Are the Internet Protocol (IP) addresses that you use in your internal network valid (registered) Internet addresses? See following Note.

Do you have multiple subnets (and, therefore, routers) in your secure network?

Do you have a network administrator, and will the administrator be available when you install and configure your firewall?

Do you have e-mail set up in your secure network?

Is your secure mail server in the firewall home AS/400 system?

If your secure mail server is not in the firewall home AS/400 system, is it a TCP/IP host?

List the operating systems of the hosts in your network (PCs, servers, and so forth) that have access to the Internet through the firewall.

Is TCP/IP installed and configured on the clients (such as Windows 95) of the users that access the Internet?

Do you want users on the internal network to access Internet services through the SOCKS server? If you do, then do the TCP/IP client applications support SOCKS? For example, Netscape browser, SOCKSCap, AutoSOCKS, TCP/IP SOCKSified stack?

Note: If you use private (unregistered) Internet Protocol (IP) addresses in the secure network, you should be aware of these limitations:

v You must use either the proxy or SOCKS servers or network address translation (NAT) services on the firewall to access the Internet.

v You must use NAT if you want users to access RealAudio or Internet Relay Chat services.

However, using reserved Internet address ranges (for example, 10.*.*.*, 172.16.*.*, or 192.168.*.*) improves your overall security. This improvement occurs because routers on the Internet discard packets from reserved addresses if they are accidentally routed to the Internet.
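To make the note concrete, here is an added Python example (not from IBM's documentation) that checks a planned address layout against two of the worksheet questions: whether the secure-network addresses are private, which means proxy, SOCKS or NAT is required, and whether the registered block from the ISP holds the four or more addresses that the Chapter 2 discussion requires for a public server in front of the firewall. The sample addresses are constructed. The note writes the middle private range as 172.16.*.*; the script uses the full RFC 1918 block 172.16.0.0/12, which contains it.

```python
"""Added example (not IBM's code): checks a planned address layout against the
worksheet: are secure-network addresses private (requiring proxy, SOCKS or
NAT), and does the ISP's registered block hold the four or more addresses a
public server in front of the firewall needs. Sample addresses are constructed."""
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List

# RFC 1918 private ranges. The worksheet writes the middle one as 172.16.*.*;
# the full block runs 172.16.0.0 through 172.31.255.255 (172.16.0.0/12).
PRIVATE_RANGES = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]

# Stated in Chapter 2 for the public-server-in-front configuration.
MIN_REGISTERED_FOR_FRONT_SCENARIO = 4


def is_private(addr: str) -> bool:
    """True when addr falls inside one of the RFC 1918 ranges."""
    ip = ip_address(addr)
    return any(ip in net for net in PRIVATE_RANGES)


def check_secure_network(addresses: Iterable[str]) -> Dict[str, object]:
    """Classify the secure-network plan and derive the firewall services it needs."""
    addrs = list(addresses)
    public = [a for a in addrs if not is_private(a)]
    private = [a for a in addrs if is_private(a)]
    return {
        "all_private": not public,
        # A mix of private and registered addresses behind one firewall is
        # usually a planning error worth a second look.
        "mixed": bool(public) and bool(private),
        # Private addresses cannot be routed on the Internet, so these hosts
        # reach it only through the proxy, SOCKS or NAT services.
        "requires_proxy_socks_or_nat": bool(private),
        "public_addresses": public,
    }


def check_isp_block(block: str, perimeter_hosts: Iterable[str]) -> Dict[str, object]:
    """Count usable registered addresses and verify perimeter hosts come from the block."""
    net = ip_network(block)
    usable: List[str] = [str(h) for h in net.hosts()]  # excludes network and broadcast
    outside = [h for h in perimeter_hosts if ip_address(h) not in net]
    return {
        "usable_addresses": len(usable),
        "enough_for_front_scenario": len(usable) >= MIN_REGISTERED_FOR_FRONT_SCENARIO,
        "hosts_outside_block": outside,
    }


if __name__ == "__main__":
    # Constructed sample plan: private secure network, a /29 block from the ISP.
    print(check_secure_network(["192.168.1.10", "10.5.0.7", "172.20.3.4"]))
    print(check_isp_block("203.0.113.0/29", ["203.0.113.1", "203.0.113.2", "203.0.113.3"]))
```

Feed it the addresses from your own worksheet answers; a result with "mixed" set, or a perimeter host reported outside the ISP block, is worth resolving before you proceed to installation.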

Table 12. Planning worksheet for your connection to your Internet service provider (ISP)

Internet Service Provider (ISP) Checklist        Answers

Have you selected an ISP?

Is your connection to the ISP installed and verified?

Is your ISP responsible for configuring the router that connects your perimeter network to the ISP?

Will a technical support person from the ISP organization be available when you configure your firewall?

Have you registered your public domain name (mycompany.com) with the InterNIC?

Have you agreed with your ISP whose DNS will be the authority for your public domain? (Will the ISP DNS or the firewall DNS resolve IP addresses for your public servers?)

Table 13. Planning worksheet for services that you want to use from the Internet

Accessing Services From the Internet Checklist        Answers

Do you have a security policy that covers how your company employees are to use services from the Internet? If not, spell out your security policies before continuing. For example, will you restrict which users or departments are allowed to surf the Net? Will you allow TELNET or RealAudio?

Have your users received the necessary training? For example:

v Do your users understand the risks of downloading software from the Internet?

v Are Java applets permitted? (Is Java enabled in the browser?)

v Is antivirus software installed on your users' clients?

v Do your users know that they should run antivirus software every time they download software from the Internet?

v Do your users know how to identify a secure transaction?

v Do users know how to use the firewall to access the Internet?

What Internet services are you planning to use now and in the near future? These are services that users on the secure network will initiate.

v E-mail

v Hypertext Transfer Protocol (HTTP)

v HTTPS (secure HTTP)

v File transfer protocol (FTP) (passive or active?)

v TELNET

v RealAudio

v Client Access/400

v Lightweight directory access protocol (LDAP)

v Secure LDAP

v Post office protocol version 3 (POP3)

v Gopher

v Wide area information servers (WAIS)

v Internet relay chat (IRC)

v Lotus Notes

v Distributed relational database architecture (DRDA)

v NetNews transfer protocol (NNTP)

v Secure NNTP

How will you allow users to access these services? Will you permit the services through a proxy or SOCKS server, or through NAT? Do you know how to decide which method you should use for each service that you decide to allow?

Table 14. Planning worksheet for services you want to provide on the Internet

Providing Services to Internet Users Checklist        Answers

Will you provide local services to Internet users now or in the future (for example, HTTP, FTP, POP, and so forth)?

Do you understand the risks associated with accessing sensitive data without using encryption (for example, HTTPS) or using passwords over the Internet?

Do you understand the trade-offs between locating the server or servers in the perimeter network versus behind the firewall?

Is your public server or servers located in your perimeter network?

Is your public server or servers located in your secure network behind the firewall?


Use the following table to plan how to update your public server if it is in front of your firewall on the perimeter network.

Table 15. Planning worksheet for the connection between your public server in the perimeter network and your production systems

Connections Between Public Server and Production System Checklist        Answers

Does your public server need access to production data?

What applications are you planning to use to transfer data between production systems and your public servers? Check all that apply.

v Net.Data

v DDM

v Distributed relational database architecture (DRDA)

What services are required to manage your public servers (in the perimeter network) from the secure network?

v File transfer protocol (FTP)

v TELNET

v Client Access/400

v DDM

v Distributed relational database architecture (DRDA)

v Simple network management protocol (SNMP)

Use the following table to list all the services that you will provide to Internet users and indicate where you will locate each service.

Table 16. Planning worksheet for local services you plan to provide to Internet users

Service    Public server on      Public server on      Public server on second      Public server on
           perimeter network     firewall home         Integrated PC Server in      separate system in
                                 AS/400 system         home AS/400 system           secure network

HTTP

POP

FTP

TELNET

CA/400


Chapter 3. Installing and configuring your firewall

This topic describes the tasks that you must perform to install and configure your firewall when using the firewall Basic configuration option. Even if Basic configuration does not totally satisfy your particular requirements, you should always start by installing your firewall and running Basic configuration. You can then further customize or update the original configuration by using the more advanced configuration options.

This scenario provides information for installing and configuring a firewall with the most common network and firewall configuration. To determine whether your firewall configuration needs are similar to the ones described in this scenario, see the topic Firewall basic configuration: Scenario overview.

To configure your firewall in this scenario, perform these tasks:

1. Complete and review the planning worksheets.

2. Verify hardware, software, and configuration prerequisites.

3. Install the firewall based on answers in the planning worksheet.

4. Prepare for Basic configuration of your firewall.

5. Start the firewall.

6. Perform Basic configuration for the firewall based on your answers in the planning worksheet.

7. Configure clients on the internal network to access Internet services through the firewall.

Firewall basic configuration: Scenario overview

This scenario provides a complete set of instructions for a typical firewall installation and configuration. In this scenario, we assume that you want your employees to access certain Internet services safely. For example, you want your local users to:

v Exchange e-mail with other Internet users.

v Surf the Internet.

v Use file transfer protocol (FTP) to download software from the Internet.

You also want to have a presence on the Internet. Therefore, you will want to complete the following tasks before you begin your configuration:

v Install a public Web server to advertise your products, so customers can visit your site and purchase products electronically.

v Install and configure an internal DNS server.

For more details about this scenario configuration, review these topics:

v Firewall basic configuration: Scenario objectives

v Firewall basic configuration: Scenario advantages

v Firewall basic configuration: Scenario disadvantages

v Firewall basic configuration: Scenario network configuration

Firewall basic configuration: Scenario objectives

There are two objectives in this scenario:

© Copyright IBM Corp. 1998 61


1. To provide your local users with access to services from the Internet. The primary objective is to allow your users to access Internet services through the firewall. To ensure network security, you must ensure that Internet users cannot access the secure (internal) network. The secure (internal) network is located behind the firewall.

2. To provide services to Internet users through a public server that you place in front of the firewall on the perimeter network. You protect the server with host security and the Internet router. This router may belong to your Internet service provider (ISP). You (or the ISP) must configure the router to allow only those incoming requests to the services that you want to provide from the public server.

Note: This scenario assumes that you have a public server in front of the firewall. However, you can use the procedures to configure your firewall even if your public server is behind the firewall. When your public server is behind the firewall, Basic configuration does the configuration for you. Basic configuration automatically configures your firewall to use network address translation (NAT) to provide HTTP and HTTPS access to the public server.

You do not need a public address for the server; you can use the non-secure firewall port public address as the public address for the server. You need take no special steps unless you want to have internal users access the Internet through proxy or SOCKS servers. If you use proxy or SOCKS servers, and use the firewall non-secure port as the public server address, then you must specify that HTTP and HTTPS traffic for the public server use ports other than the well-known ones. This is called port mapping. You can specify these ports during Basic configuration.

If you want to allow other traffic to pass through the firewall to the public server, you must add NAT settings and filter rules to your firewall configuration. For more information about these advanced configuration options, see Firewall advanced topics in the AS/400 Information Center.

Firewall basic configuration: Scenario network configuration

Figure 12 on page 63 depicts the network configuration for this scenario.


Page 69: Getting Started with IBM Firewall for AS/400

These scenario characteristics influence the firewall configuration:

v The secure network has a local Domain Name Services (DNS) server. For more information about configuring an AS/400 DNS server to work with your firewall, see the Redbook AS/400 TCP/IP Autoconfiguration: DNS and DHCP Support (SG24-5147).

v The secure network has subnets.

v Internal users need access to HTTP and FTP servers on the Internet and need to exchange e-mail with other Internet users.

v Internet users have access to services through a public server located on the perimeter network.

Note: This scenario assumes that you have an internal DNS server. When your public server is behind the firewall, Basic configuration does the configuration for you. Basic configuration automatically configures your firewall to use network address translation (NAT) to provide HTTP and HTTPS access to the public server.

You do not need a public address for the server; you can use the non-secure firewall port public address as the public address for the server. You need to take no special steps unless you want to have internal users access the Internet through proxy or SOCKS servers. If you use proxy or SOCKS servers, and use the firewall non-secure port as the public server address, then you must specify that HTTP and HTTPS traffic for the public server use ports other than the well-known ones. This is called port mapping. You can specify these ports during Basic configuration.
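The port mapping that the note describes, shown as an added illustration rather than code from the IBM manual or the product: a public server behind the firewall shares the non-secure port's public address, so its HTTP and HTTPS are exposed on two ports other than 80 and 443 and a static NAT entry translates them to the server's real ports. The addresses, the choice of 8080 and 8443, and the session table that only rewrites replies for connections the firewall admitted inward are constructed assumptions for this example, not documented product behaviour.

```python
"""Static NAT with port mapping for a public server that shares the firewall's
non-secure address.  Added example, not code from the IBM manual; the
addresses, ports and the session table are constructed for illustration.
"""
from dataclasses import dataclass

FIREWALL_PUBLIC = "208.222.150.11"   # non-secure port address (constructed)
PUBLIC_SERVER = "192.168.100.5"      # public server's real address (constructed)

# Port map: (public address, mapped port) -> (server address, service port).
# The well-known ports 80 and 443 on the shared public address are left
# unmapped, so the server's HTTP and HTTPS are reached on 8080 and 8443.
PORT_MAP = {
    (FIREWALL_PUBLIC, 8080): (PUBLIC_SERVER, 80),
    (FIREWALL_PUBLIC, 8443): (PUBLIC_SERVER, 443),
}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class PortMapNat:
    """Translates packets in both directions and remembers which client
    sessions were admitted, so traffic from the server side that answers
    no admitted request is not rewritten to the public address."""

    def __init__(self, port_map):
        self.port_map = dict(port_map)
        self.reverse = {v: k for k, v in self.port_map.items()}
        # (client addr, client port, server addr, server port)
        self.sessions = set()

    def inbound(self, pkt):
        """Internet -> server.  Returns the rewritten packet, or None to drop."""
        target = self.port_map.get((pkt.dst, pkt.dport))
        if target is None:
            return None  # not mapped: the firewall does not forward it inward
        self.sessions.add((pkt.src, pkt.sport) + target)
        return Packet(pkt.src, pkt.sport, *target)

    def outbound(self, pkt):
        """Server -> Internet.  Replies to admitted sessions get the public
        address and mapped port as their source; anything else is dropped."""
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) not in self.sessions:
            return None
        pub_addr, pub_port = self.reverse[(pkt.src, pkt.sport)]
        return Packet(pub_addr, pub_port, pkt.dst, pkt.dport)


if __name__ == "__main__":
    nat = PortMapNat(PORT_MAP)
    request = Packet("198.51.100.7", 40001, FIREWALL_PUBLIC, 8080)  # constructed client
    print("inbound  ->", nat.inbound(request))
    print("to :80   ->", nat.inbound(Packet("198.51.100.7", 40002, FIREWALL_PUBLIC, 80)))
    print("reply    ->", nat.outbound(Packet(PUBLIC_SERVER, 80, "198.51.100.7", 40001)))
```

A request to the shared address on port 80 is not forwarded, which is the point of the port mapping: only the two mapped ports reach the public server, and the server's reply leaves with the public address and mapped port as its source.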

Firewall basic configuration: Scenario advantages

Figure 12. Public server in front of the firewall with secure side subnets (figure not reproduced in this text)

The main advantages of this scenario are:

v Users in the secure (internal) network can access services from the Internet while the firewall denies intruders access to the secure (internal) network.

v The firewall breaks TCP/IP connections between the secure (internal) network and the untrusted network.

v The firewall blocks incoming requests to the secure (internal) network. The firewall allows IP forwarding only if you choose to use network address translation (NAT) services to provide users with Internet access.

v Having an internal DNS server in addition to your ISP DNS allows an extra layer of protection in case of an external attack on your firewall. The internal DNS server, instead of the firewall, contains the Internet Protocol (IP) addresses and host names of the internal network, thus protecting the firewall from an attack.

v An internal DNS also makes it easier to manage the growth of your network. If, for example, you wanted to add another workstation to your internal network, you would only need to configure it and create an entry for it in the DNS. Without a secure (internal) DNS, if you add a new workstation, you would need to configure it and create an entry for it in the HOST table of every system in the secure (internal) network. What are the disadvantages of having an internal DNS? A: The main disadvantage of having an internal DNS is learning how to configure it the first time. The AS/400 began providing a DNS as an option of OS/400 free of charge in V4R3. We just have to get them to use it.

v In addition, using an internal DNS makes it easier for you to configure the firewall to work with your mail server(s).

Note: When you disable IP forwarding, the firewall does not route incoming requests into the internal network. This provides your internal network with additional protection from mistakes in your firewall filter rules. Using IP forwarding does not necessarily create an additional risk to your network. For example, if you use NAT to provide users with access to the Internet, you must use IP forwarding. However, if you create no filter rules beyond those that the application creates for you, you do not incur a significant security risk.

Firewall basic configuration: Scenario disadvantages

The disadvantages of this scenario apply only if you provide public services to Internet users, and allow internal users access to Internet services. The disadvantages of this scenario are:

v The first time you configure a secure (internal) DNS can be difficult. To learn more about the initial configuration of secure (internal) DNS, see (There will be a link here.)

v To manage the public server on the perimeter network requires extra effort. You must physically access that system, or permit management functions (for example, TELNET, FTP, Client Access/400) to flow as outbound traffic through the firewall. To permit these management functions, you must create the appropriate firewall filter rules.

Firewall basic configuration: Reviewing your planning worksheets

Before you install the firewall, you must review your planning worksheets. This ensures that you have all the information that you need to properly install and configure the firewall for your scenario.


The example planning worksheets below illustrate the information that you need to provide in order to successfully install and configure the firewall for this scenario. You can use these example worksheets to help you complete your own worksheets.

Note: Use the questions from the worksheets as a checklist for tasks that you must perform before you install the firewall.

Table 17. Planning worksheet for ensuring that your AS/400 system meets all prerequisites for installing firewall

Prerequisite Checklist (all answers should be YES before you proceed with the Installation)   Answers

Is your OS/400 V4R3 or later?   Yes (V4R3)

Is Firewall for AS/400 licensed program (5769-FW1) installed?   Yes

Is the OS/400 System Openness Includes option needed for 5769-SA2 installed?   Yes

Is Integration Services for FSIOP (5769-SA2) installed?   Yes

Is TCP/IP Connectivity Utilities for AS/400 (5769-TC1) installed?   Yes

Is IBM HTTP Server for AS/400 (5769-DG1) installed?   Yes

If you plan to create virtual private networks, is Cryptographic Access Provider (5769-AC1, AC2, AC3) installed?   No

Did you verify that the most current PTFs are installed?   Yes

Does the firewall Integrated PC Server have two ports?   Yes

Is TCP/IP configured in your AS/400 system (including IP interfaces, routes, local host name, and local domain name)?   Yes

Is the firewall Integrated PC Server installed in the firewall home AS/400 system?   Yes

Did you verify that both ports of the firewall Integrated PC Server are working properly?   Yes

Is the secure port of the firewall Integrated PC Server connected to the internal network?   Yes

Is the non-secure port of the firewall Integrated PC Server the same LAN type (Ethernet or token-ring) as the LAN segment connected to the ISP?   Yes

Is the non-secure port of the firewall Integrated PC Server connected to a separate MAU or hub? (This port should be in the LAN segment that connects to the ISP router.)   Yes

Does your firewall administration workstation have a browser that supports HTML frames and JavaScript (for example, Netscape Navigator 3.0+ or Microsoft Internet Explorer 4.0+)?   Yes


Table 18. Planning worksheet for your network configuration

Network Checklist   Answers

Provide a diagram of your network, including hosts, routers, bridges, host IP addresses, subnet masks, and mail servers. Include the firewall home AS/400 system and the firewall Integrated PC Server in your diagram.

Does your AS/400 system have a LAN adapter (other than those in the firewall Integrated PC Server)?   Yes

Do you have a DNS server in your secure network?   Yes

Will the DNS administrator be available when you set up the firewall?   Yes

Do you have DNS in the secure network? If so, is your secure domain name a subdomain of your public domain name?   Yes. private.mycompany.com is a subdomain of mycompany.com

Do you have multiple domains within your secure network? If yes, list the domain names of each multiple domain.   Yes. mycompany1.com, mycompany2.com, and mycompany3.com

If you do not have DNS in the secure network, have you updated host tables and the DNS configuration for your clients?   Yes

Are the Internet Protocol (IP) addresses that you use in your internal network valid (registered) Internet addresses? See the following Note.   No

Do you have multiple subnets (and, therefore, routers) in your secure network?   Yes

Do you have a network administrator, and will the administrator be available when you install and configure your firewall?   Yes

Do you have e-mail set up in your secure network?   Yes

Is your secure mail server in the firewall home AS/400 system?   Yes

If your secure mail server is not in the firewall home AS/400 system, is it a TCP/IP host?   N/A

List the operating systems of the hosts in your network (PCs, servers, and so forth) that have access to the Internet through the firewall.   Windows 95

Is TCP/IP installed and configured on the clients (such as Windows 95) of the users that access the Internet?   Yes. See Client configuration on page 121.

Do you want users on the internal network to access Internet services through the SOCKS server? If you do, then do the TCP/IP client applications support SOCKS?   Yes, except for TELNET. Yes, clients support SOCKS.

Note: If you use private (unregistered) Internet Protocol (IP) addresses in the secure network, you should be aware of these limitations:

v You must use either the proxy or SOCKS servers or network address translation (NAT) services on the firewall to access the Internet.

v You must use NAT if you want users to access RealAudio or Internet Relay Chat services.

However, using reserved Internet address ranges (for example, 10.*.*.*, 172.16.*.*, or 192.168.*.*) improves your overall security. This improvement occurs because routers on the Internet discard packets from reserved addresses if they are accidentally routed to the Internet.


Table 19. Planning worksheet for your connection to your Internet service provider (ISP)

Internet Service Provider (ISP) Checklist   Answers

Have you selected an ISP?   Yes

Is your connection to the ISP installed and verified?   Yes

Is your ISP responsible for configuring the router that connects your perimeter network to the ISP?   Yes

Will a technical support person from the ISP organization be available when you configure your firewall?   Yes

Have you registered your public domain name (mycompany.com) with the InterNIC?   Yes

Have you agreed with your ISP whose DNS will be the authority for your public domain? (Will the ISP DNS or the firewall DNS resolve IP addresses for your public servers?)   Yes, the firewall DNS.


Table 20. Planning worksheet for services that you want to use from the Internet

Accessing Services From the Internet Checklist   Answers

Do you have a security policy that covers how your employees are to use services from the Internet? If not, spell out your security policies before continuing. For example, will you restrict which users or departments are allowed to surf the Net? Will you allow TELNET or RealAudio?   Yes

Have your users received the necessary training? For example:

v Do your users understand the risks of downloading software from the Internet?

v Are Java applets permitted? (Is Java enabled in the browser?)

v Is antivirus software installed on your users' clients?

v Do your users know they should run antivirus software every time they download software from the Internet?

v Do your users know how to identify a secure transaction?

v Do users know how to use the firewall to access the Internet?

Answer: Yes to all, except that Java applets are not permitted, nor is Java enabled in the browser.

What Internet services are you planning to use now and in the near future? These are services that users on the secure network will initiate.

v E-mail

v Hypertext Transfer Protocol (HTTP)

v HTTPS (secure HTTP)

v File transfer protocol (FTP) (passive or active?)

v TELNET

v RealAudio

v Client Access/400

v Lightweight directory access protocol (LDAP)

v Secure LDAP

v Post office protocol (POP) 3

v Gopher

v Wide area information servers (WAIS)

v Internet relay chat (IRC)

v Lotus Notes

v Distributed relational database architecture (DRDA)

Answer: Now for e-mail, HTTP, HTTPS, and FTP. TELNET in the future. No for all others.

How will you allow users to access these services? Will you permit the services through a proxy or SOCKS server, or through NAT? Do you know how to decide which method you should use for each service that you decide to allow?   SOCKS (if SOCKS clients are available).


Table 21. Planning worksheet for services you want to provide on the Internet

Providing Services to Internet Users Checklist   Answers

Will you provide local services to Internet users now or in the future (for example, HTTP, FTP, POP, and so forth)?   HTTP

Do you understand the risks associated with accessing sensitive data without using encryption (for example, HTTPS) or using passwords over the Internet?   Yes

Do you understand the trade-offs between locating the server or servers in the perimeter network versus behind the firewall?   Yes

Is your public server or servers located in your perimeter network?   Yes

Is your public server or servers located in your secure network behind the firewall?   No

If the answer is YES, have you planned for the additional router that you may need between the public host and the rest of your secure network? (You may also need an additional router if your server is on an Integrated PC Server in the home AS/400 system.)   N/A

If your public server is in the secure network, is it located on an Integrated PC Server in the home AS/400 system (for example, NT or Domino server)?   N/A

If your public server is in the secure network, is it located in the home AS/400 system?   N/A

If your public server is on the secure network, is it located in a separate system from the home AS/400 system?   N/A

Table 22. Planning worksheet for the connection between your public server in the perimeter network and your production systems

Connections Between Public Servers and Production System Checklist   Answers

Does your public server need access to production data?

What applications are you planning to use to transfer data between production systems and your public servers? Check all that apply.

v Net.Data

v DDM

v Distributed relational database architecture (DRDA)

What services are required to manage your public servers (in the perimeter network) from the secure network?

v File transfer protocol (FTP)

v TELNET

v Client Access/400

v DDM

v Distributed relational database architecture (DRDA)

v Simple network management protocol (SNMP)

Use the following table to list all services that you will provide to Internet users and indicate where you will locate each of these services. You can then use this list to determine configuration options you may need for your firewall.


Table 23. Planning worksheet for local services you plan to provide to Internet users

Service   Public server on the   Public server on home   Public server on second Integrated PC   Public server on separate
          perimeter network      AS/400 system           Server in firewall home AS/400 system   system in secure network

HTTP      Yes                    N/A                     N/A                                     N/A

POP

FTP

TELNET

CA/400

After you review your planning worksheets, verify that all hardware, software, and configuration prerequisites have been met before you install the firewall.

Verifying firewall hardware, software, and configuration prerequisites

When you completed your planning worksheets, you should have verified that the firewall Integrated PC Server is installed in the firewall home AS/400 system. Also, you should have verified that it is a two-port Integrated PC Server. Additionally, you need a LAN adapter, other than those in the firewall Integrated PC Server, available on the firewall home AS/400 system.

Before you install the firewall, you must verify that all hardware, software, and configuration requirements are in place. Your firewall home AS/400 system must be at V4R3 or later. You must have PTF cumulative package C7217410 (or later) installed on the system. Review these topics to be sure that you are ready to install your firewall:

1. Recording the resource name of the Integrated PC Server.

2. Verifying the memory available on your Integrated PC Server.

3. Verifying the installation of firewall prerequisite licensed programs.

4. Verifying that the latest program temporary fixes (PTFs) are applied.

5. Verifying the basic TCP/IP interface configuration on the home AS/400 system.

6. Verifying that the IBM HTTP Server is started.

7. Verifying the firewall administration workstation HOSTS table entries.

8. Verifying that the Web browser supports JavaScript.

After you verify that all hardware, software, and configuration requirements are in place, you can install the firewall product.

Recording the resource name of the Integrated PC Server

The firewall Integrated PC Server must be installed in the firewall home AS/400 system. You need to know the resource name of the Integrated PC Server where you will install the firewall. You must have this information during firewall installation and to check the amount of memory for the Integrated PC Server.

To record the Integrated PC Server resource name:

1. On an AS/400 command line, type:

   DSPHDWRSC TYPE(*CMN)

   to view the Display Communications Resources panel.

2. Find the Integrated PC Server where you are installing the firewall and write down its resource name.

After you record the Integrated PC Server resource name, verify that it meets the memory requirements for the firewall.

Verifying the memory available on your Integrated PC Server

The Integrated PC Server on which you install the firewall must have at least 32 MB of memory. To verify the amount of memory on your Integrated PC Server, you must determine what its resource name is.

Note: If possible, you should use the Pentium models of the Integrated PC Server. The 486 Integrated PC Server works; however, you will get better performance by using the Pentium models.

To verify the amount of memory on your Integrated PC Server before installing IBM Firewall for AS/400, complete these steps:

1. On an AS/400 command line, type:

   STRSST

   to display the System Service Tools (SST) menu.

2. Type option 1 (Start a service tool), and press Enter to view the Start a Service Tool display.

3. Type option 7 (Start hardware service manager), and press Enter. This displays the Hardware Service Manager menu.

4. Type option 2 (Logical hardware resource), and press Enter to view the Logical Hardware Resources menu.

5. Type option 1 (System bus resource), and press Enter to view the Logical Hardware Resources on System Bus display.

6. Use your Page Down key until you find the communication IOP resource for your Integrated PC Server.

7. Type option 5 (Display detail) in the Opt field for the selected resource to view detailed information about the resource. The Memory installed on IOP field shows the amount of memory on the Integrated PC Server.

After you verify that the Integrated PC Server meets the memory requirements, you must verify that all firewall prerequisite licensed programs are installed.

Verifying the installation of firewall prerequisite licensed programs

Several AS/400 licensed programs must be installed on the firewall home AS/400 system before you can install and configure the firewall.

To determine if the firewall home AS/400 system has the required licensed programs installed:

1. On an AS/400 command line, type:

   GO LICPGM

   and press Enter. The Work with Licensed Programs menu displays.


2. Type option 10 (Display installed licensed programs) to display the Installed Licensed Programs panel. This panel lists all licensed programs that are installed.

3. Browse the display to verify that all of the following required licensed programs are installed:

v Firewall for AS/400, 5769-FW1

v Integration Services for FSIOP, 5769-SA2

v TCP/IP Connectivity Utilities for AS/400, 5769-TC1

v IBM HTTP Server for AS/400, 5769-DG1

v Cryptographic Access Provider, 5769-AC1, AC2, AC3 (for creating virtual private networks)

Note: If the firewall licensed program (5769-FW1) is not installed, install it now.

Note: If you plan on creating a virtual private network and the Cryptographic Access Provider (5769-AC1, AC2, AC3) is not installed, install it now. (There will be a link here to appropriate installation.)

Installing IBM Firewall for AS/400 licensed program

Before you can install the IBM Firewall for AS/400 product, you must install the IBM Firewall for AS/400 licensed program.

To install the IBM Firewall for AS/400 product (5769-FW1), complete the following steps:

1. From an AS/400 command line, type:

   GO LICPGM

   and press Enter. This shows the Work with Licensed Programs display.

2. Load the CD with the IBM Firewall for AS/400 licensed product (5769-FW1) in the CD drive on the AS/400 system.

3. From the Work with Licensed Programs display command line, type 11 (Install licensed programs) and press Enter to show the Install Licensed Programs display.

4. Press your Page Down key until you find the firewall licensed program 5769-FW1 Firewall for AS/400 in the displayed list.

5. In the Opt column for the firewall program, type 1 (Install for the 5769-FW1 Firewall for AS/400 product). This shows the Confirm Install of Licensed Programs display.

6. Press Enter to confirm the installation and view the Install Options display.

7. In the Installation device field, type the name of your installation device (for example, OPT01). After the installation process completes, a message that the Licensed program is successfully installed appears.

After you verify that all required licensed programs are installed, confirm that the latest PTFs are applied.

Verifying that the latest program temporary fixes (PTFs) are applied

Before you install the IBM Firewall for AS/400 product, you must verify that the latest PTFs for these products are applied:

v IBM Firewall for AS/400


v Integration Services for FSIOP

v TCP/IP Connectivity Utilities

v IBM HTTP Server for AS/400

For the latest news on PTFs, check the Firewall for AS/400 home page at http://www.as400.ibm.com/firewall. Once the Web page displays in your browser, follow these steps to list the PTFs that you might need:

1. Click the Support icon in the frame on the left to display support options.

2. Click Code Updates to display a list of available PTFs.

3. Use the DSPPTF command on your home AS/400 system to verify that the latest cumulative (CUM) PTF package and other recommended PTFs are installed.

4. Order any PTFs that you do not have by using the SNDPTFORD command. For more information on ordering and applying PTFs, see the topic in the AS/400 Information Center.

If you are unable to access this Web page, call IBM Service Support. After you verify that the latest PTFs have been applied, verify the basic TCP/IP interface configuration on the firewall home AS/400 system.

Verifying the basic TCP/IP interface configuration on the firewall home AS/400 system

Before you install the firewall, you must ensure that you have configured basic TCP/IP services. You must ensure that you have started the necessary TCP/IP servers on the firewall home AS/400 system. To ensure that you have configured your TCP/IP interface properly, verify the following elements of your TCP/IP configuration:

v Verify the TCP/IP interface configuration for the AS/400 LAN adapter.

v Verify the home AS/400 host and secure domain names.

After you verify your TCP/IP configuration, you should verify that you have started the IBM HTTP Server for AS/400.

Verifying the TCP/IP interface configuration on the firewall home AS/400 LAN adapter

To check the configuration of the TCP/IP interface, complete these steps:

1. On an AS/400 command line, type:

   GO CFGTCP

   and press Enter to view the Configure TCP (CFGTCP) menu.

2. Select option 1 (Work with TCP/IP Interfaces) to view the Work with TCP/IP Interfaces display.

3. Locate your firewall home AS/400 LAN adapter. The LAN adapter is listed under the Line Description column.

4. Press F11 to view status for the LAN adapter and verify that the status is active.

Note: If the TCP/IP interface for the LAN adapter is inactive, start the interface by using option 9 on the Work with TCP/IP Interfaces display. Then press F5 to refresh the display and verify that the interface has started.


After you verify that the LAN adapter is active, you must verify that the firewall home AS/400 host and secure domain names are configured.

Verifying the firewall home AS/400 host and secure domain names

Before you install the firewall, ensure that you have configured a host and secure domain name for the firewall home AS/400 system.

To verify that the home AS/400 system has a host and secure domain name, complete these steps:

1. On an AS/400 command line, type:

   GO CFGTCP

   and press Enter to view the Configure TCP menu.

2. Select option 12 (Change local domain and host names) to see the Change Local Domain and Host Names display.

3. Verify that the Local domain name and Local host name fields have the correct values for the secure network.

Note: In this scenario, the secure network does have a DNS server. Therefore, you should designate a DNS server for the firewall home AS/400 system. You can verify this in V4R3 by using option 12 on the Configure TCP/IP display.

After you verify that the firewall home AS/400 system has a host and secure domain name, verify that the IBM HTTP Server is started.

Verifying that the IBM HTTP Server is started

The IBM HTTP Server must be started before you can use it to install the firewall.

To verify that the IBM HTTP Server is started, complete these steps:

1. On an AS/400 command line, type:

   WRKSBSJOB SBS(QSYSWRK)

   and press Enter to view the Work with Subsystem Jobs display.

2. Verify that there are *ADMIN jobs listed as active. If there are, the *ADMIN server is started.

3. If the *ADMIN jobs are not started, start them now. From an AS/400 command line, type:

   STRTCPSVR SERVER(*HTTP) HTTPSVR(*ADMIN)

   and press Enter to start the *ADMIN instance of the HTTP server. Wait a few minutes and repeat step one to check the status of the *ADMIN jobs.

After you verify that the IBM HTTP Server is started, you need to perform two other tasks:

v Verify that the firewall administration HOSTS table has the necessary entries.

v Verify that the Web browser supports JavaScript.


Verifying the firewall administration workstation HOSTS table entries

The internal secure network in this scenario does not have a domain name server. Therefore, you must ensure that each firewall administration workstation has the secure Internet Protocol (IP) address of the firewall in its local host table. Each client host table must also contain the names and addresses of any other internal systems with which it needs to communicate. For example, each administration workstation host table must contain the firewall home AS/400 IP address and the firewall secure port.

Although these instructions apply to Windows 95 clients, you can apply the concepts to other types of clients.

To add the necessary information to the administration host table, complete these steps:

1. Locate the client HOSTS file. You can do this by performing a DIR HOST*.* /S on the drive that contains the operating system.

2. If you find a HOSTS file, update it to include the secure IP address of the firewall and the firewall secure host name.

Note: If you do not find a HOSTS file, you should be able to locate a sample file called HOSTS.SAM. You can use this file to create a new HOSTS file to which you can add the necessary information.
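A check for step 2, added here and not part of the manual: parse the HOSTS file and confirm that the firewall secure address and host name, and the firewall home AS/400 entry, are present and are not contradicted by a stale duplicate line further down, which is the usual way an administration workstation ends up talking to the wrong address after an address change. The file contents, host names and addresses below are constructed, and the required-entries dictionary is an assumption you would fill from your own worksheet.

```python
"""Check a HOSTS file for the entries the firewall administration
workstation needs.  Added example, not from the IBM manual; the HOSTS
contents, host names and addresses are constructed.
"""

# Constructed HOSTS file (format: address, host name, optional aliases, '#' comments).
SAMPLE_HOSTS = """\
# Sample HOSTS file (constructed)
127.0.0.1       localhost
10.5.69.129     firewall.private.mycompany.com   firewall   # firewall secure port
10.5.69.10      as400.private.mycompany.com      as400      # firewall home AS/400
"""

# Entries the administration workstation must resolve (constructed values).
REQUIRED = {
    "firewall.private.mycompany.com": "10.5.69.129",   # firewall secure port
    "as400.private.mycompany.com": "10.5.69.10",       # firewall home AS/400 system
}


def parse_hosts(text):
    """Return ({name: address}, [conflict messages]) for a HOSTS file.

    The first mapping for a name is kept; a later line that maps the same
    name to a different address is reported as a conflict instead of
    silently winning or losing.
    """
    mapping, conflicts = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                            # address with no name: ignore
        address, names = fields[0], fields[1:]
        for name in names:
            key = name.lower()                  # host names are case-insensitive
            if key in mapping and mapping[key] != address:
                conflicts.append(f"{name} mapped to both {mapping[key]} and {address}")
            mapping.setdefault(key, address)
    return mapping, conflicts


def check_hosts(text, required):
    """Return a list of problems; an empty list means every required entry
    is present with the expected address and nothing contradicts it."""
    mapping, problems = parse_hosts(text)
    problems = list(problems)
    for name, expected in required.items():
        actual = mapping.get(name.lower())
        if actual is None:
            problems.append(f"missing entry for {name} ({expected})")
        elif actual != expected:
            problems.append(f"{name} resolves to {actual}, expected {expected}")
    return problems


if __name__ == "__main__":
    for problem in check_hosts(SAMPLE_HOSTS, REQUIRED) or ["HOSTS file OK"]:
        print(problem)
```

On a real workstation you would read the located HOSTS file into `text` instead of using the constructed sample; the required dictionary is the one place to edit when the firewall or home system address changes.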

After you update the administration workstation HOSTS file, confirm that the firewall administrative PC Web browser allows JavaScript.

Verifying that the Web browser supports JavaScript

You must use a Web browser that supports HTML frames and JavaScript to install and configure the firewall. Netscape Navigator 3.0 and 4.0, as well as Microsoft Internet Explorer 4.0, all work well. Although this procedure provides the steps for Netscape 3.0, you should be able to apply the settings described to the other products as well.

To verify that JavaScript is enabled in Netscape Navigator 3.0, complete these steps:

1. Click Options on the menu bar to display the pull-down menu.

2. Select Network Preferences from the menu to display the Preferences window.

3. Select the Languages tab.

4. Verify that the Enable JavaScript checkbox is selected.

After you verify that all hardware, software, and configuration prerequisites are met, you can install the firewall product.

Installing IBM Firewall for AS/400

After you complete your planning worksheets and verify that all hardware, software, and configuration requirements are in place, you can install the firewall product. Before installing the firewall, you must complete the installation worksheet. You should also review the special considerations and assumptions that apply to your scenario before you use this worksheet.


The scenario for these procedures has the following considerations and assumptions:

v Only internal users in the secure network behind the firewall can start all TCP/IP connections.

v The public server is located in the perimeter network in front of the firewall. There are no public servers behind the firewall.

v Your Internet service provider (ISP) has assigned three public Internet Protocol (IP) addresses to you, one for each of these:

– Firewall non-secure port

– Public server in the perimeter network

– ISP router

The ISP has also given you the IP address of the Internet DNS to which your firewall DNS should forward name resolution queries.

v You have registered your public domain name (mycompany.com, for example) with the InterNIC.

v Your secure domain name (private.mycompany.com, for example) is a subdomain of your public domain or is the same as your public domain.

v Your secure network has multiple subnets. The firewall administration workstation and the secure port of the firewall are in different subnets. Your secure network does not have an internal DNS server.

Using a DNS server to resolve host names in the secure TCP/IP network is recommended. Using an internal DNS simplifies network management because host name to address mapping is performed in a central location. Using a DNS server is more important in complex network environments, such as those that include firewalls. Although you can configure the firewall to operate without an internal DNS server, this creates restrictions that limit the flexibility of your network. These restrictions are:

v The secure (internal) domain name must be the same as, or a subdomain of, the non-secure (external) domain name. For example, if the external domain name is mycompany.com, then valid secure domain names are mycompany.com, private.mycompany.com, and secure.mycompany.com.

v Only those clients that you have manually configured to include the firewall secure port as the DNS can resolve Internet names.

Firewall installation procedures

To install the IBM Firewall for AS/400 on the Integrated PC Server and prepare for Basic configuration of the firewall, complete these tasks:

1. Complete the installation worksheet.

2. Install the firewall product on the Integrated PC Server.

After you install the firewall, you must perform some network configuration changes before you can do Basic configuration for your firewall. You can find more information about making these changes in the topic, Preparing for Basic configuration of your firewall.

Completing the firewall installation worksheet

After you update the administration workstation HOSTS file, you can complete the installation worksheet. You must complete this worksheet before you install the firewall.

Table 24. Firewall installation worksheet

Required installation information (the scenario answer follows each item):

Integrated PC Server - If you have more than one Integrated PC Server, you must know which one is the one where you want to install the firewall (for example, CC01). You can use the WRKHDWRSC command to find this information.
    Scenario answer: CC12

Firewall Name - Create a new unique name for your firewall. You also use this name to create a network server description (NWSD) object (for example, FRW01).
    Scenario answer: FIREWALL

The remaining items are recorded separately for Port 1 (the secure port in this scenario) and Port 2 (the non-secure port):

Type of LAN - Ethernet, 4 Mbps token-ring, or 16 Mbps token-ring.
    Port 1: 16M TRN          Port 2: 16M TRN

Adapter Address - Create a new unique address for each port. This address must not already be in use on your LAN (for example, 400000000000 or 020000000000).
    Port 1: 400009010011     Port 2: 400009010012

Port IP address * (for example, 10.1.2.3)
    Port 1: 10.5.69.129      Port 2: 208.222.150.11

Port Subnet Mask * (for example, 255.255.255.0)
    Port 1: 255.255.255.0    Port 2: 255.255.255.0

IP address of your router * (for example, 10.2.3.1)
    Port 2: 208.222.150.1

* If you are connecting to the Internet, you may need to consult with your Internet service provider (ISP) for this value.

After you complete the worksheet, you are ready to install the firewall product from the AS/400 Tasks browser interface.

Installing the firewall from the AS/400 Tasks browser interface

After you update the administration workstation HOSTS file and complete the installation worksheet, you can install the firewall on the Integrated PC Server. You must have already installed the licensed program, IBM Firewall for AS/400 (5969-FW1), on the firewall home AS/400 system.

To install the firewall, you must access the AS/400 Tasks browser interface. To do so, you need access to the IBM HTTP Server that runs on the firewall home AS/400 system. (To check the status of the IBM HTTP Server, see the topic Verifying that the IBM HTTP Server is started.)

To install the firewall on the Integrated PC Server, follow these steps:

1. Open a Web browser session on the firewall administration workstation and enter the following Web address:

http://HOME400:2001

This sends an HTTP request to the IBM HTTP Server on the firewall home AS/400 system. A user name and password prompt appears.

2. Enter your AS/400 user profile and password in the appropriate fields to validate your authority to access the AS/400 Tasks page. The AS/400 Tasks page appears. This page may contain different entries based on the products that you have installed on your system.

Chapter 3. Installing and configuring your firewall 77


Note: Any user with a valid user ID and password can access the AS/400 Tasks page. You need the special authorities *SECADM, *ALLOBJ, and *IOSYSCFG to successfully install, configure, and administer the firewall.

3. Click the IBM Firewall for AS/400 icon to display the IBM Firewall for AS/400 browser interface.

Note: If you have problems accessing the IBM HTTP Server on the firewall home AS/400 system, verify that the *ADMIN server jobs in QSYSWRK are active. You can find this procedure in the topic Verifying that the IBM HTTP Server is started.

4. Click the Installation icon in the frame on the left to begin installing the firewall.

Tip: Do not use the Web browser Forward and Back navigation buttons or resize the browser window. The firewall product Web pages expire from cache immediately after you view them to ensure that you see the most current versions only. Therefore, you must use the navigation buttons on the Web pages themselves to prevent an interruption in the display.

5. Follow the firewall installation page instructions. Use the information from your installation worksheet to complete the HTML forms.

At the end of the installation, the Complete the Firewall Installation page appears. This page shows you a summary of the information that you provided for installing the firewall.

6. Review the information. If the information is correct, click the Install button to complete the installation.

Note: Do not start the firewall yet. There are some configuration changes that you must make that require the firewall network server to be varied off.

When you install the firewall, several things happen on your AS/400 system.

After you install the firewall, you must perform some network configuration changes before you do Basic configuration for your firewall. You can find more information about making these changes in the topic Preparing for Basic configuration of your firewall.

What happens on your AS/400 system when you install the firewall

When you install the firewall on the Integrated PC Server, you submit a job to the AS/400 system to do the following:

v Create a network server description (NWSD) for the firewall. This object represents the firewall as a TCP/IP host. The network server description name is the same as the firewall name.

v Create three line descriptions (*LIND):

– A line description for the firewall port 1 (FIREWALL01).

– A line description for the firewall port 2 (FIREWALL02).

– A line description for the firewall *INTERNAL port (FIREWALL00). This internal LAN line communicates between the server application that runs on the Integrated PC Server and the firewall home AS/400 system.

v Create a network server storage space (FIREWALL00). Labeled K drive, this drive is read-write. The drive provides storage for logs, a mail queue, and cache.

v Create two server storage spaces (*SVRSTG) in QUSRSYS:


– FIREWALL1 - Labeled C drive, this drive is read-only and is the OS/2 boot drive.

– FIREWALL3 - Labeled E drive, this drive is read-write and provides storage for configuration files.

v Create a TCP/IP interface for the *INTERNAL firewall port (FIREWALL00) on the firewall home AS/400 system. This interface uses the name of the firewall extended with 00.

Preparing for Basic configuration of your firewall

This type of common firewall installation requires that you make some configuration changes to your network information, the firewall, and the secure mail server. You must make these changes before you perform Basic configuration for the firewall.

For instance, the firewall Basic configuration feature assumes that you have a simple internal network that consists of a single subnetwork. If you have multiple subnetworks, you must update the firewall system configuration so that the firewall can return information to clients on the secure network.

To review the requirements for this scenario, see the topic Firewall basic configuration: Scenario overview.

To make the necessary configuration changes, complete these tasks:

1. Stop the firewall application.

2. Vary off the firewall network server description (NWSD).

3. Add a TCP/IP routing entry to the firewall NWSD to enable traffic between secure clients and the firewall. You need to perform this task only if your network consists of more than four subnets. When you install the firewall you can specify up to four subnets in your network.

4. Add the firewall domain name server to the firewall NWSD. You must perform this step only if you do not have a DNS server on your internal network. For more information about configuring an AS/400 DNS server to work with your firewall, see the Redbook AS/400 TCP/IP Autoconfiguration: DNS and DHCP Support (SG24-5147).

5. Update the secure mail server host table.

6. Route outbound mail to the firewall.

After you complete your configuration changes, you can start the firewall so that you can perform Basic configuration.

Stopping the firewall

To allow traffic to travel between your secure clients and the firewall, you must add a TCP/IP routing entry to the firewall network server description (NWSD). Before you can add a TCP/IP routing entry to the firewall NWSD, you must stop the firewall application, as follows:

On an AS/400 command line, type:

ENDNWSAPP NWSAPP(*FIREWALL) NWS(firewall)

and press Enter. The message "Network server application ended for network server firewall" displays. Where firewall occurs in the command, type the name of your firewall.

Next, you must vary off the firewall NWSD before you can add a TCP/IP routing entry for it.

Varying off the firewall network server description (NWSD)

Before you can add a TCP/IP routing entry to the firewall network server description (NWSD), you must vary off the firewall NWSD, as follows:

On an AS/400 command line, type:

VRYCFG CFGOBJ(firewall) CFGTYPE(*NWS) STATUS(*OFF)

and press Enter. The message "Vary off completed for Network Server description firewall" displays. Where firewall occurs in the command, type the name of your firewall NWSD.

After you stop the firewall and vary off the firewall NWSD, you can add the new TCP/IP route to the firewall NWSD.

Adding a TCP/IP routing entry to the firewall network server description (NWSD)

The firewall Basic configuration feature assumes that you have a simple internal network that consists of a single subnetwork. If you have multiple subnetworks, you must update the firewall system configuration so that the firewall can return information to clients on the secure network.

Attention: You need to perform this task only if your secure network has more than four subnetworks.

In this scenario, the network is divided into multiple subnets. The firewall secure port is in subnet 10.5.69.0 with the rest of the secure network in subnet 10.5.70.0. You must add routing information to the firewall configuration before the firewall can return responses to clients on the 10.5.70.0 subnet. In this example, you can point the firewall to the entire 10. network to allow network growth behind the firewall.

You must add a TCP/IP route to the firewall NWSD to allow Internet Protocol (IP) routing from the firewall to the internal LAN router. This TCP/IP route information tells the firewall where to route packets for local users on the secure network.

This TCP/IP route provides a path from the firewall secure port B through the router port H to the internal secure network behind the router. This route is illustrated in Figure 13.


To add a TCP/IP route to enable the firewall to route traffic to clients on the secure internal network, complete these steps:

1. On an AS/400 command line, type CHGNWSD NWSD(firewall). Where firewall occurs in the command, type the name of your firewall NWSD.

2. Press F4 (Prompt) to display the command parameters.

3. Use your Page Down key to display the TCP/IP route configuration fields.

4. Type a "+" sign in the field for more values to display additional TCP/IP route configuration fields.

5. Add the route destination (network address), subnet mask, and next hop (local router) for your local private network.

These are the TCP/IP route configuration example values for this scenario:

v Route destination: '10.0.0.0'

v Subnet mask: '255.0.0.0'

v Next hop: '10.5.69.1'

CAUTION: Do not remove or alter the *DFTROUTE value. This value ensures that all traffic with the Internet as its destination is routed to the Internet.

Note: If you have multiple subnets in your internal network, you may need to add multiple route entries. The default route should remain the external router that is connected to the Internet. (In this example, this route is 208.222.150.1.)

6. Press Enter. The "Network Server Description changed" message appears.
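The reason this route matters can be checked with a small model of the firewall's routing decision. The following is an added example written for this page in Python; it is not code from IBM Firewall for AS/400. It uses the scenario addresses from the worksheets (firewall ports 10.5.69.129 and 208.222.150.11 with 255.255.255.0 masks, internal router 10.5.69.1, external router 208.222.150.1) and ordinary longest-prefix matching; the interface labels and the sample client addresses are this example's own. It shows that before the 10.0.0.0 route is added, a reply to a client in 10.5.70.0 matches only *DFTROUTE and would leave through the non-secure port toward the Internet router.

```python
"""Model of the firewall NWSD routing table for the scenario in this chapter.

Added example for this page, not IBM Firewall for AS/400 code. Addresses are
the scenario values from the installation worksheet; the interface labels and
the client addresses used below are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPv4 = ipaddress.IPv4Address


@dataclass(frozen=True)
class Route:
    destination: ipaddress.IPv4Network
    next_hop: Optional[IPv4]  # None means the destination is directly connected
    interface: str


# Firewall port addresses from Table 24 (scenario values).
SECURE_PORT = ipaddress.IPv4Interface("10.5.69.129/24")        # port 1
NONSECURE_PORT = ipaddress.IPv4Interface("208.222.150.11/24")  # port 2

# Routes present right after installation: the two connected subnets and
# *DFTROUTE pointing at the external router.
INSTALLED_ROUTES: List[Route] = [
    Route(SECURE_PORT.network, None, "port1 (secure)"),
    Route(NONSECURE_PORT.network, None, "port2 (non-secure)"),
    Route(ipaddress.IPv4Network("0.0.0.0/0"), IPv4("208.222.150.1"), "port2 (non-secure)"),
]

# The route added with CHGNWSD in this section: the whole 10. network via the
# internal router 10.5.69.1 on the secure port.
INTERNAL_ROUTE = Route(ipaddress.IPv4Network("10.0.0.0/8"), IPv4("10.5.69.1"), "port1 (secure)")


def lookup(table: List[Route], dst: str) -> Tuple[str, str]:
    """Longest-prefix match; returns (next hop, interface) for a destination.
    For a directly connected destination the next hop is the destination itself."""
    addr = IPv4(dst)
    matches = [r for r in table if addr in r.destination]  # 0.0.0.0/0 always matches
    best = max(matches, key=lambda r: r.destination.prefixlen)
    hop = addr if best.next_hop is None else best.next_hop
    return str(hop), best.interface


def replies_leaving_nonsecure(table: List[Route], secure_clients: List[str]) -> List[str]:
    """Secure-network clients whose replies the firewall would send out the
    non-secure port. Anything listed here is a misroute to fix before starting
    the firewall, because secure traffic would be handed to the Internet router."""
    return [c for c in secure_clients if lookup(table, c)[1].startswith("port2")]


if __name__ == "__main__":
    clients = ["10.5.69.212", "10.5.70.25", "10.7.1.9"]  # constructed sample clients
    print("before:", replies_leaving_nonsecure(INSTALLED_ROUTES, clients))
    print("after: ", replies_leaving_nonsecure(INSTALLED_ROUTES + [INTERNAL_ROUTE], clients))
    print("www:   ", lookup(INSTALLED_ROUTES + [INTERNAL_ROUTE], "208.222.150.2"))
```

The *DFTROUTE entry is kept in both tables, so Internet destinations such as the ISP name server still resolve to the external router; only destinations inside 10.0.0.0 change their next hop after the route is added.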

After you add a firewall route to the secure network, you must add the firewall domain name server to the firewall NWSD.

Figure 13. Public server in front of the firewall with secure side subnets


Adding the firewall domain name server to the firewall NWSD

Some applications that run in the firewall query the domain name services (DNS) server in the secure network for host name to IP address resolution. For example, proxy servers and SENDMAIL make these queries. If there is an internal DNS server, it forwards those queries to the firewall DNS server. The firewall DNS server, in turn, queries the Internet service provider (ISP) DNS server if it is unable to resolve the name. The secure network in this scenario does not have an internal DNS. Therefore, you must configure the firewall to use itself for name resolution services. You must perform this step only if you do not have a DNS server on your internal network.

To do this, you must change the name server parameter of the firewall network server description (NWSD). The name server parameter must specify the Internet Protocol (IP) address of the *INTERNAL port of the firewall.

From an AS/400 command line, type:

CHGNWSD NWSD(firewall) TCPNAMSVR('192.168.12.2')

and press Enter. Where firewall occurs in the command, type the name of your firewall NWSD.

After you configure the firewall to use itself for name resolution, you must update the secure mail server host table.

For more information about configuring an AS/400 DNS server to work with your firewall, see the Redbook AS/400 TCP/IP Autoconfiguration: DNS and DHCP Support (SG24-5147).

Updating the secure mail server host table

If you do not have a domain name services (DNS) server in the secure network, you must update the host table of the secure mail server. You must add the firewall, the home AS/400 system, and the public domain to the secure mail server host table. You then must update the firewall configuration to handle the mail relay function. See the topic Adding the secure mail server to the firewall domain name server for more information.

You must add the fully qualified firewall host name with the Internet Protocol (IP) address assigned to the *INTERNAL port. This enables the AS/400 simple mail transfer protocol (SMTP) server to send outgoing mail to the firewall across the internal LAN connection. This assumes that your secure mail server is on the firewall home AS/400 system.

The mail relay function in the firewall adds SMTP records in the protocol portion of the mail. These records change the SMTP domain name of inbound mail from the public SMTP domain to the fully qualified name of the secure mail server. The SMTP domain name is the portion of the mail address that follows the @ symbol. In this scenario, for example, mail addressed to the public domain mycompany.com is rewritten to the secure mail server name home400.private.mycompany.com.

The SMTP server receives the mail and determines if the mail should stop at this system or be forwarded to another system. To determine this, the server checks to see if the SMTP domain is on this system. The server looks up the SMTP domain name. It uses the name resolver to check if an address returned matches a TCP/IP address assigned to an interface on this system. If there is a match, then the server looks at the local system distribution directory to find the user. If there is no match, the server forwards the mail based on the SMTP attributes. When there is no internal DNS server, the SMTP server uses a host table for these lookups.

You must add two entries to the host table. You must add an entry for the SMTP domain name that you use for mail on the internal network with a local IP address. Also, you must add an entry for the public SMTP domain name with a local IP address. This prevents the server from forwarding mail addressed to the public SMTP domain name to the firewall, which would pass it back to the firewall home AS/400 system.

If you have mail working already, you must determine what other entries you need in the host table to support your configuration.

Note: You can use different names for the secure (internal) and public (external) domains. If you do, you must configure your secure (internal) domain so that the public name is an alias for the secure (internal) domain name.

To update the home AS/400 host table, follow these steps:

1. From an AS/400 command line, type CFGTCP and press Enter to view the Configure TCP/IP menu.

2. Select menu option 10 (Work with TCP/IP host table entries) and press Enter.

3. Select option 1 (Add) to view the Add TCP/IP Host Table Entry display.

4. Add the following information to the firewall home AS/400 host table:

v The fully qualified firewall host name and its *INTERNAL port IP address, for example, 192.168.12.2 firewall.private.mycompany.com.

v The public domain name and the fully qualified host name of the firewall home AS/400 system. You must include a local host IP address, for example, 10.5.69.212 mycompany.com and home400.private.mycompany.com.

Attention: If your secure mail server is an SMTP server that is not on the firewall home AS/400 system, you must update that server's host table. You must add the fully qualified firewall host name and the firewall secure port IP address to the secure mail server's host table. Also, you must point the secure mail server to the firewall for mail routing. This ensures that the mail server can forward mail to the firewall. For example, you would add the entry 10.5.69.129 firewall.private.mycompany.com.

After you update the internal mail server host table, you must change server attributes so that the server routes outbound mail to the firewall.

Routing outbound mail to the firewall

Your simple mail transfer protocol (SMTP) server must route mail for Internet users to the firewall. To ensure this, you must configure the SMTP attributes on the firewall home AS/400 system to point to the firewall as the mail router. You must enter the name of the firewall in the Mail router field. This tells the SMTP daemon where to forward mail that it cannot deliver itself.

You must enter *YES in the Firewall field. This tells the SMTP daemon that it is located behind a firewall. The SMTP daemon looks up where to send mail. When the daemon is behind a firewall, it may resolve a name to a server located on the other side of the firewall. When this occurs, the daemon tries to send the mail directly to the server. Because you configure the firewall to block these packets, the daemon cannot make the necessary connection. If the Firewall field says *YES, the daemon forwards the mail to the mail router that you specify in the Mail router field. The daemon returns a "non-deliverable" message to the sender if you do not configure these fields correctly.

Note: You should have your SMTP server configured and working properly before you change attributes for it.

To change the attributes so that your server routes the mail properly, follow these steps:

1. On an AS/400 command line, type CHGSMTPA and press F4 (Prompt) to view the Change SMTP Attributes display.

2. In the Mail router field, type the fully qualified firewall host name, for example, firewall.private.mycompany.com.

3. In the Firewall field, type the value *YES.

4. Press Enter to save your changes.
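The delivery decision described in "Updating the secure mail server host table" and in this section can be followed with a small model. The following is an added example written for this page in Python, not IBM code: the host names, the public domain, the home AS/400 interface address 10.5.69.212 and the firewall *INTERNAL address 192.168.12.2 are the scenario values; the firewall mail relay is reduced to the domain rewrite the text describes, the recipient addresses are constructed, and the hop labels are this example's own. It shows why the public domain needs a local host table entry (without it, mail for mycompany.com takes a round trip through the firewall before it is delivered locally) and what Firewall(*YES) changes for a name that resolves to an Internet server.

```python
"""Model of the AS/400 SMTP delivery decision described in the two preceding
sections. Added example for this page, not IBM code: names and addresses are
the scenario values; the firewall relay is modelled only as the domain rewrite
the text describes; recipient addresses are constructed."""
from typing import Dict, List, Optional, Tuple

PUBLIC_DOMAIN = "mycompany.com"
SECURE_MAIL_SERVER = "home400.private.mycompany.com"
FIREWALL = "firewall.private.mycompany.com"
LOCAL_INTERFACES = {"10.5.69.212"}  # interface addresses of the home AS/400 (scenario value)

# Host table as built in "Updating the secure mail server host table".
HOST_TABLE_COMPLETE: Dict[str, str] = {
    FIREWALL: "192.168.12.2",  # firewall *INTERNAL port
    PUBLIC_DOMAIN: "10.5.69.212",
    SECURE_MAIL_SERVER: "10.5.69.212",
}
# The same table with the public-domain entry forgotten.
HOST_TABLE_MISSING_PUBLIC = {k: v for k, v in HOST_TABLE_COMPLETE.items() if k != PUBLIC_DOMAIN}


def smtp_decision(rcpt: str, host_table: Dict[str, str], mail_router: Optional[str],
                  behind_firewall: bool, dns: Optional[Dict[str, str]] = None) -> Tuple[str, Optional[str]]:
    """What the SMTP server does with one recipient.

    Resolve the SMTP domain (host table first, then DNS if one exists) and
    compare the address with the local interfaces: a match is local delivery.
    Otherwise forward to the mail router when Firewall(*YES) is set or the name
    did not resolve; with Firewall(*NO) a resolved name is tried directly,
    which the firewall filters block.
    """
    domain = rcpt.rsplit("@", 1)[1].lower()
    addr = host_table.get(domain)
    if addr is None and dns:
        addr = dns.get(domain)
    if addr in LOCAL_INTERFACES:
        return "LOCAL", None
    if mail_router and (behind_firewall or addr is None):
        return "RELAY", mail_router
    if addr is not None:
        return "DIRECT", addr
    return "UNDELIVERABLE", f"cannot resolve {domain} and no mail router"


def firewall_relay(rcpt: str) -> Tuple[str, str]:
    """The firewall mail relay: mail for the public domain is rewritten to the
    secure mail server name and passed back inside; everything else goes out."""
    local, domain = rcpt.rsplit("@", 1)
    if domain.lower() == PUBLIC_DOMAIN:
        return f"{local}@{SECURE_MAIL_SERVER}", "secure network"
    return rcpt, "Internet"


def trace(rcpt: str, host_table: Dict[str, str], mail_router: Optional[str] = FIREWALL,
          behind_firewall: bool = True, max_hops: int = 4) -> List[str]:
    """Follow one message between the home AS/400 and the firewall until it is
    delivered, leaves for the Internet, fails, or exceeds max_hops."""
    hops: List[str] = []
    for _ in range(max_hops):
        action, _target = smtp_decision(rcpt, host_table, mail_router, behind_firewall)
        hops.append(f"home400:{action}")
        if action != "RELAY":
            return hops
        rcpt, where = firewall_relay(rcpt)
        hops.append(f"firewall:{where}")
        if where == "Internet":
            return hops
    return hops + ["LOOP"]


if __name__ == "__main__":
    print(trace("user@mycompany.com", HOST_TABLE_COMPLETE))        # delivered locally at once
    print(trace("user@mycompany.com", HOST_TABLE_MISSING_PUBLIC))  # round trip through the firewall
    print(trace("user@example.net", HOST_TABLE_COMPLETE))          # relayed to the firewall, then out
```

The model makes the two configuration points visible: the public-domain host table entry stops the detour through the firewall, and Firewall(*YES) is what turns a resolvable Internet name into a relay to the mail router instead of a direct connection that the filter rules will drop.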

After you make your SMTP attribute changes, you are ready to vary on the firewall network server description.

Starting the firewall

After you install the firewall and make any necessary configuration changes, you must start the firewall before you can perform Basic configuration.

To start the firewall and to make sure that everything associated with the firewall starts, complete these tasks:

1. Vary on the firewall network server description (NWSD).

2. Verify that the firewall NWSD is ready.

3. Start the firewall application.

4. Verify the status of firewall objects and jobs.

After you get the firewall running, you are ready to perform Basic configuration.

You can also start the firewall from the Web browser interface by clicking the Start icon.

Tip: If you use the Web browser to start the firewall, you get a message that the firewall is started. However, it may take another few minutes before all the firewall servers are up. To determine whether the firewall is ready, you must manually verify that port 2001 is listening for communications. Follow these steps to verify that port 2001 is active:

On an AS/400 command line, type:

SBMNWSCMD CMD('netstat -s') SERVER(firewall)

and press Enter. Where firewall occurs in the command, type the name of your firewall NWSD. A list of the ports that the firewall uses displays. When you see that port 2001 is listening for communications, you can click the Configuration icon in the browser to access Basic configuration.

Varying on the firewall network server description

You must vary on the firewall network server description (NWSD) before you start your firewall.

On an AS/400 command line, type:

VRYCFG CFGOBJ(firewall) CFGTYPE(*NWS) STATUS(*ON) RESET(*YES)

and press Enter. Where firewall occurs in the command, type the name of your firewall NWSD. After the command processes, the message "Vary on completed for Network Server Description firewall" appears.

You must verify that the firewall NWSD is ready before you start the firewall application.

Note: A status of active on the Work with Configuration Status display does not necessarily indicate that the NWSD has completed its start-up processing.

Verify that the firewall network server description is ready

After you vary on the firewall network server description (NWSD), you must verify that it has completed its start-up processing. The NWSD must complete its start-up processing before you can successfully start the firewall application. To determine whether the firewall NWSD is ready, you must display the job log of the monitor job for the network server, as follows:

1. On an AS/400 command line, type WRKSBSJOB SBS(QSYSWRK) and press Enter to view the Work with Subsystem Jobs display. This display lists all jobs running in the QSYSWRK subsystem.

2. Page through the jobs until you find a job entry that has the same name as your firewall. This entry must show a function of PGM-QFPAMONB.

3. To work with the job, type a 5 in the Opt field of the desired entry and press Enter. This shows the Work with Job display.

4. Select option 10 (Display job log) and press Enter to display the job log for the job.

5. Press F10 (Display detailed messages) to view more information and messages about the job.

6. Look for the message "Network server FIREWALL is active." If you do not see this message, wait a moment more, and refresh the display by pressing F5.

After you verify that the firewall NWSD is ready, you can start the firewall application.

Starting the firewall application

After you vary on the firewall network server description and verify that it is ready, you can start the firewall application. You must start the firewall application before traffic can flow between your secure network and the non-secure network.

On an AS/400 command line, type:

STRNWSAPP NWSAPP(*FIREWALL) NWS(firewall)

and press Enter. Where firewall occurs in the command, type the name of your firewall NWSD. The message "Network server application started for network server firewall" displays.

After you start the firewall, you must verify the status of firewall objects and jobs before you perform Basic configuration.

Verifying the status of the firewall objects and jobs

When you start the firewall application, several firewall objects either must be active or varied on. Also, certain firewall jobs must be running before you perform Basic configuration. If these objects are not active, you may have problems accessing or using the Basic configuration function.

To verify the status of the firewall network server, follow these steps:

1. On an AS/400 command line, type WRKCFGSTS CFGTYPE(*NWS) CFGD(firewall) and press Enter to view the Work with Configuration Status display. Where firewall occurs in the command, type the name of your firewall network server description.

2. Verify that the following firewall objects are either active or varied on before you perform Basic configuration:

v The Firewall Network Server (active)

v The line over the *INTERNAL port (FIREWALL00) (active)

v The line over the firewall secure port (FIREWALL01) (active or varied on)

v The line over the non-secure port (FIREWALL02) (active or varied on)

If these objects are not active, you may have problems in accessing or using the Basic configuration.

3. Verify the status of the firewall jobs in QSYSWRK.

Two firewall jobs (listed with the firewall name) must be active in QSYSWRK.

To verify the status of the firewall jobs in QSYSWRK, follow these steps:

1. On an AS/400 command line, type WRKSBSJOB SBS(QSYSWRK) and press Enter to view the Work with Subsystem Jobs display. This display lists all jobs running in the QSYSWRK subsystem.

2. Page through the jobs until you find two jobs listed under the firewall name. One job runs under the QSYS user and the other under the QFIREWALL user.

Note: Both firewall jobs must be active in QSYSWRK for the firewall to function properly. If one or both cancel, study the corresponding job log to find the problem. Make sure that the AS/400 *INTERNAL port IP interface is active.


After you verify the status of firewall objects and jobs, you can perform Basic configuration for the firewall.

Performing firewall Basic configuration

After you start the firewall application and ensure that it is ready, you can configure your firewall. The Basic configuration feature greatly simplifies firewall configuration for most general requirements, such as the ones in this scenario. To review the requirements for this scenario, see the topic Firewall basic configuration: Scenario overview.

Basic configuration allows you to select all of the services that you want to permit to run through the firewall. When you configure services for local users, these services can flow from the inside to the outside of the firewall only.

Note: Basic configuration also allows you to specify that the firewall should permit HTTP and HTTPS traffic to reach a public server behind the firewall. If you want to allow other types of traffic to reach the public server, you must create additional filter rules manually.

Even if Basic configuration does not satisfy all your requirements, it should always be your starting point. You can then use advanced configuration options to further customize your firewall.

To perform Basic configuration for your firewall, complete these tasks:

1. Complete the configuration planning worksheet.

2. Use the AS/400 Tasks browser interface to perform Basic configuration.

3. Add the secure mail server to the firewall domain name server.

Completing the configuration planning worksheet

Before you perform Basic configuration, you must complete the configuration planning worksheet. Use your planning worksheets to help you complete the configuration worksheet.

Note: If the requirements of your situation match those of this scenario, you can use all the procedures for performing Basic configuration as is. If your requirements do not entirely match those of this scenario, you will need to adjust the instructions accordingly.

This scenario uses the planning worksheets from "Firewall basic configuration: Reviewing your planning worksheets" on page 64. These worksheets specify that you want to enable e-mail, FTP, and HTTP. In the future, you will add TELNET. Because it is easier to configure services by using Basic configuration, you should configure TELNET now. However, do not start the TELNET proxy server until you are ready to allow your authorized users to use TELNET over the Internet.


Note: Both TELNET and FTP send user IDs and passwords in the clear. The firewall cannot protect you against attackers who might sniff the lines to acquire this information, unless you use a virtual private network (VPN). VPNs can encrypt and protect user IDs and passwords that pass between the two end points of the VPN. However, you can establish a VPN between firewall products only. For more information about VPNs, see the topic xxxxx under Advanced Firewall Topics in the AS/400 Information Center.

Because all your clients support SOCKS, you choose to enable HTTP, HTTPS, and FTP through a SOCKS server. Your users are using Netscape Navigator 3.0 or later as clients, so both HTTP and FTP can use SOCKS in the Netscape browser.

You might also configure HTTP through a proxy so that you can see the difference in the SOCKS and proxy logging capabilities and compare performance.

You should configure TELNET through a proxy server to force users to log on to the firewall. They must validate their user IDs and passwords before they can start a TELNET request to a server in the Internet.

Note: When you run Basic configuration, you lose your existing customized configuration. Typically, you use Basic configuration for the initial configuration of the firewall and use advanced configuration functions after that. However, when you use the advanced configuration functions, you often have to create your own filter rules and other settings. These actions increase the risk that you may create a rule or setting incorrectly. Poorly written rules or settings could cause the firewall to perform incorrectly. During Basic configuration, however, the application creates all the filter rules and other settings to make your configuration options work properly. Consequently, it may be better to use Basic configuration to make your changes, if the Basic configuration feature covers what you need to do.


Table 25. Configuration planning worksheet

Configuration information requirements (the scenario answer follows each item):

Secure (internal) mail server name - If you have a secure mail server, enter the name here. For example, if the mail server's host name is mailsvr and it is part of the domain mynetwork.mycompany.com, enter mailsvr.mynetwork.mycompany.com.
    Scenario answer: HOME400.private.mycompany.com

Multiple domains within a secure (internal) mail server name - If you have multiple domains within your internal network, enter the names here. For example, if a domain name within your internal network is domain1 and it is part of domain1.mynetwork.com, enter domain1.mynetwork.com.
    Scenario answer: domain1.mynetwork.com, domain2.mynetwork.com

Secure (internal) Port - If your Integrated PC Server has two ports, you need to know which one is attached to your secure network.
    Scenario answer: port1

Non-Secure (external) Domain Name * - This is the domain that is outside of the firewall and accessible by outsiders. If your secure domain name is mynetwork.mycompany.com, you probably should name your non-secure domain mycompany.com.
    Scenario answer: mycompany.com

Non-Secure (external) Domain Name Server IP Addresses * (for example, 208.222.150.7)
    Scenario answer: 203.5.100.76

Non-Secure (external) Hosts * - List the names and IP addresses of up to four non-secure hosts. These are systems that are placed outside of the firewall. For example, you may want to place a WWW server machine outside of the firewall.
    Scenario answer: www - 208.222.150.2

Network address translation (NAT) - Decide which services you want to configure.
    Scenario answer: N/A

Proxy Server - Decide which services you want to configure.
    Scenario answer: HTTP, TELNET

SOCKS Server - Decide which services you want to configure.
    Scenario answer: HTTP, HTTPS, FTP

* If you are connecting to the Internet, you may need to consult with your Internet service provider for this value.

After you complete the configuration planning worksheet, you can configure the firewall from the AS/400 Tasks browser interface.

Configuring the firewall from the AS/400 Tasks browser interface

To configure the firewall, you must access the firewall browser interface from the AS/400 Tasks page. Once you display the browser interface, the frame on the left contains new icons for Configuration, Administration, Start, and Stop.

The configuration and administration functions of the firewall must access the IBM HTTP Server that runs in the firewall. Consequently, the IBM HTTP Server must be active to access these functions. See the topic Verifying that the IBM HTTP Server is started for more information.

Note: If you have problems accessing the IBM HTTP Server in the firewall:

v Make sure that the fully qualified firewall name (for example, firewall.private.mycompany.com) resolves to the firewall secure port IP address. Either the DNS server in the secure network or the corresponding entry in the administration workstation HOSTS name file should resolve the name.


v Make sure that the firewall is started. Both firewall jobs must be active in QSYSWRK as described in the topic Verifying the status of the firewall objects and jobs.

To perform Basic configuration for your firewall, follow these steps:

1. Use your Web browser to access the firewall browser.

2. Click the Configuration icon to view the Configuration Menu page.

3. Click Basic and follow the configuration instructions. Enter the information that you collected in the configuration planning worksheet.

After you complete all the browser forms, the Review Configuration page appears. This page shows a summary of the information that you entered.

4. Review the information. If the information is correct, click OK to complete Basic configuration. If some information is incorrect, you can make changes directly in the Review Configuration page.

After you complete Basic configuration, you must add the secure mail server to the firewall domain name server.

Adding the secure mail server to the firewall domain name server

If your secure network does not have a DNS server, you must update the firewall DNS server configuration. You must add records to the DNS server configuration so that it can resolve the secure mail server name to its IP address. You must add a mail exchanger (MX) record and an address (A) record to the DNS server that runs on the firewall. The MX and A records point to the secure mail server on your internal network. In this scenario, these records point to the firewall home AS/400 system. If the secure mail server is on another system, the records should point to that system's IP address.

To add the required records, follow these steps:

1. In your browser, go to the following Web address:
   http://firewall.private.mycompany.com:2001/cgi-bin/db2www/fsdns.mac/main

   to display the Advanced Domain Name Settings page.

2. Click the Domain button to display the Resource Settings page.

3. Select the MX record (for example, mycompany.com. IN MX 0 FIREWALL.mycompany.com.) in the list box and click the Insert button. This allows you to insert another MX record for the secure mail server after the selected record. The Change Advanced DNS Settings Page (Part 1 of 2) displays.

4. Select MX as the Record type and click the OK button to view the Change Advanced DNS Settings (Page 2 of 2) page. Do not enter any other information on the first page.

5. Type information that is appropriate for your scenario into the following fields and click the OK button to add the record.

v Domain Name (for example, home400.private.mycompany.com.)

v Mail Exchanger (for example, home400.private.mycompany.com.)

Important: Do not forget the trailing dot (.) at the end of the domain name.

6. Click the OK button to display the Update DNS Settings page.

7. Click No so that no changes are made at this point. You must add another record first.


8. Select an A type record (for example, WWW IN A 108.222.150.2) from the list box and click the Insert button. This allows you to insert an A (address) record for the secure mail server. The Change Advanced DNS Settings Page (Part 1 of 2) displays.

9. Select A for the Record type and click the OK button to view the second Change Advanced DNS Settings Page (Part 2 of 2).

10. Type the information that is appropriate for your scenario into the following fields and click the OK button to add the A record.

v Domain Name (for example, home400.private.mycompany.com.)

v Mail Exchanger (for example, 192.168.12.1)

Important: Do not forget the trailing dot (.) at the end of the domain name.

11. Click the OK button to display the Update DNS Settings page.

12. Click Yes to update the firewall DNS settings.

Note: If the internal mail server is the firewall home AS/400 system, the firewall must send mail to AS/400 over the internal LAN connection. Use the AS/400 IP address that you assigned to the *INTERNAL port in the address (A) record. If the internal mail server is not the firewall home AS/400 system, use the corresponding IP address for that host.

To ensure that you have entered the new records correctly, review the named.dom file. This file contains all the records that the firewall DNS server uses. Ensure that all the records that require trailing dots (.) have them. You can do this by using the browser interface or by using an AS/400 command.

To review the named.dom file from the AS/400 system, type:
    SBMNWSCMD CMD('type e:\mptn\etc\namedb\named.dom') SERVER(FIREWALL)

Where FIREWALL appears in the command, type the name that you assigned to your firewall. The AS/400 sends the results of the command to the job log. You may want to print the job log and keep it as documentation. The results in your job log should look similar to the ones in the example below:

    ; Last Update: 19971209 18:44:19 adan
    ; Created by IBM Firewall for AS/400 0973370719
    @ IN SOA FIREWALL.mycompany.com. postmaster.mycompany.com. (0973370719 3600 600 360000 86400)
     IN NS FIREWALL.mycompany.com.
    mycompany.com. IN MX 0 FIREWALL.mycompany.com.
    home400.private.mycompany.com. IN MX 0 home400.private.mycompany.com.
    FIREWALL.mycompany.com. IN A 208.222.150.11
    www IN A 208.222.150.2
    home400.private.mycompany.com. IN A 192.168.12.1
    Command submitted to server FIREWALL.
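As an added check that is not part of the IBM manual or the firewall product, the following Python script parses a named.dom-style listing like the one above and flags the mistakes this procedure warns about: fully qualified names written without the trailing dot, MX exchangers that have no A record in the zone, and malformed addresses. The sample zone text and the default origin mycompany.com. are constructed for this example.

```python
"""Sanity-check a named.dom-style zone listing for the firewall DNS server.

Added example, not code from the IBM manual. Assumes BIND-style records
(owner, optional TTL, IN, type, rdata) as in the job log, and a zone origin
of mycompany.com. (an assumption made for this example).
"""
import re
from dataclasses import dataclass, field

DOTTED_QUAD = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")

# Constructed sample modelled on the job-log listing above (not captured output).
SAMPLE_ZONE = """\
; Last Update: 19971209 18:44:19 adan
; Created by IBM Firewall for AS/400 0973370719
@ IN SOA FIREWALL.mycompany.com. postmaster.mycompany.com. (
    0973370719 3600 600 360000 86400)
 IN NS FIREWALL.mycompany.com.
mycompany.com. IN MX 0 FIREWALL.mycompany.com.
home400.private.mycompany.com. IN MX 0 home400.private.mycompany.com.
FIREWALL.mycompany.com. IN A 208.222.150.11
www IN A 208.222.150.2
home400.private.mycompany.com. IN A 192.168.12.1
"""

# Constructed sample where the secure mail server MX record lost its trailing dots.
BAD_ZONE = """\
@ IN SOA FIREWALL.mycompany.com. postmaster.mycompany.com. (1 3600 600 360000 86400)
 IN NS FIREWALL.mycompany.com.
mycompany.com. IN MX 0 FIREWALL.mycompany.com.
home400.private.mycompany.com IN MX 0 home400.private.mycompany.com
FIREWALL.mycompany.com. IN A 208.222.150.11
home400.private.mycompany.com. IN A 192.168.12.1
"""


@dataclass
class Record:
    owner: str                               # owner name as written ('@' = origin)
    rtype: str                               # SOA, NS, MX, A, ...
    rdata: list = field(default_factory=list)


def _logical_lines(text):
    """Yield one record per item: drop ';' comments, join '(' ... ')' continuations."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if depth == 0 and not line.strip():
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth == 0:
            yield " ".join(buf)
            buf = []


def parse_zone(text):
    """Parse the listing into Records; a line starting blank inherits the previous owner."""
    records, owner = [], "@"
    for line in _logical_lines(text):
        fields = line.replace("(", " ").replace(")", " ").split()
        if not line[0].isspace():            # a new owner name is given on this line
            owner = fields.pop(0)
        if fields and fields[0].isdigit():   # optional TTL
            fields.pop(0)
        if fields and fields[0].upper() == "IN":
            fields.pop(0)
        if fields:
            records.append(Record(owner, fields[0].upper(), fields[1:]))
    return records


def qualify(name, origin):
    """Make a zone-file name absolute the way the DNS server would (lower-cased)."""
    if name == "@":
        return origin.lower()
    return name.lower() if name.endswith(".") else f"{name}.{origin}".lower()


def check_zone(text, origin="mycompany.com."):
    """Return a list of problems; an empty list means the listing passed every check."""
    problems, records = [], parse_zone(text)
    a_names = {qualify(r.owner, origin) for r in records if r.rtype == "A"}
    for r in records:
        names = [("owner", r.owner)]
        if r.rtype == "MX" and len(r.rdata) == 2:
            names.append(("exchanger", r.rdata[1]))
        elif r.rtype == "NS" and r.rdata:
            names.append(("name server", r.rdata[0]))
        for role, name in names:
            # A multi-label name without the trailing dot gets the origin appended
            # by the server, which is exactly the mistake the manual warns about.
            if "." in name and not name.endswith("."):
                problems.append(f"{r.rtype} {role} {name!r} is missing its trailing dot")
        if r.rtype == "MX":
            if len(r.rdata) != 2 or not r.rdata[0].isdigit():
                problems.append(f"MX for {r.owner!r} needs '<preference> <exchanger>'")
            elif qualify(r.rdata[1], origin) not in a_names:
                problems.append(f"MX exchanger {r.rdata[1]!r} has no A record in this zone")
        elif r.rtype == "A":
            m = DOTTED_QUAD.match(r.rdata[0]) if r.rdata else None
            if m is None or any(int(o) > 255 for o in m.groups()):
                problems.append(f"A record for {r.owner!r} has an invalid address {r.rdata!r}")
    return problems


if __name__ == "__main__":
    for label, zone in (("good", SAMPLE_ZONE), ("bad", BAD_ZONE)):
        print(f"{label}: {check_zone(zone) or 'no problems found'}")
```

Run it against a copy of your own job-log listing to catch a dropped dot before you click Yes on the Update DNS Settings page.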

Important:

v If you use the DNS/Mail configuration option, you lose any entries that you make through the Advanced Domain Name Server Settings. You should record any changes that you make through Advanced Domain Name Server Settings so that you can reapply them if you use the DNS/Mail configuration option.

v Hosts in the Internet can query the IP address of the internal mail server because the firewall combines internal and external DNS functions. However, the filter rules that you create during Basic configuration prevent Internet users from accessing your internal mail server.

When you finish configuring your firewall, you must configure clients on the secure network to use it to access Internet services.

Configuring your clients to access Internet services through the firewall

After you configure your firewall, you must configure clients on the secure network to access the Internet through the firewall. To do this, you must:

1. Configure client domain name services (DNS) to use the firewall domain name server.

2. Configure the client Web browser to use the firewall proxy or SOCKS server.

Configuring client domain name services (DNS) to use the firewall domain name server

You must configure domain name services (DNS) for clients that use the firewall to access HTTP services on the Internet. You must add the firewall secure port IP address to the client DNS configuration. Although this procedure describes how to configure DNS for Windows 95 clients, you can apply the concepts to other kinds of clients.

To change the client DNS configuration, follow these steps:

1. Double-click the My Computer icon.

2. Double-click the Control Panel icon.

3. Double-click the Network icon.

4. Click the Configuration tab.

5. Double-click the TCP/IP protocol list item.

6. Click the DNS Configuration tab.

7. Click the Enable DNS radio button and add the secure IP address of the firewall to the DNS search order field.

8. Close all open windows and restart the client.

If clients must use proxy or SOCKS servers to access Internet services, you must configure the client Web browser to use these servers.

Configuring the client Web browser to use the firewall proxy or SOCKS server

If a client must use proxy or SOCKS servers to access Internet services, you must configure the client Web browser to use these servers. Therefore, you must add the firewall secure port IP address to the SOCKS server (or proxy server) configuration for the client Web browser. Although this procedure describes how to configure Netscape Navigator 3.0, you can adapt the procedure for other Web browsers.

To add the address to the Web browser, follow these steps:

1. Click Options from the menu bar, followed by Network Preferences from the pull-down menu to display the Preferences window.


2. Select the Proxies tab.

3. Select Manual Proxy Configuration and click the View button to display the Manual Proxy Configuration window.

4. Type the firewall secure port IP address into the SOCKS host field and 1080 into the port field.

5. Click the OK button to accept the entries and return to the Preferences window.

6. Click the OK button to save the new preferences.

After you configure your clients, you can begin using your firewall.


Chapter 4. Configuring your clients to use the firewall for Internet access

After you install and configure the firewall, you must configure your clients on the internal network to access the non-secure network through the firewall. Before configuring your clients, you must ensure that the LAN adapter is installed and recognized by the client operating system. You must also ensure that TCP/IP is loaded on the system. If the LAN adapter is not installed correctly, refer to the documentation that came with the adapter for installation instructions. If TCP/IP is not loaded on the system, refer to the documentation that came with the client operating system.

These instructions describe how to configure a typical client to access Internet services through the firewall. Because Windows 95 is the most common client in use, the instructions cover how to configure a Windows 95 client. Although specific instructions vary for other types of clients, you should be able to apply this information to other client platforms.

Windows 95, like most PC operating systems, does not provide native SOCKS support. OS/2 Merlin is an exception; it provides SOCKS in the TCP/IP stack. Fortunately, most Web browsers for Windows 95 provide SOCKS support. If you plan to use Internet services that your browser cannot provide, you must add SOCKS support to firewall clients.

You can also configure your AS/400 as a SOCKS client.

Configuring a client to use the firewall

After you install and configure the firewall, you must configure clients on the internal secure network to access the non-secure network through the firewall. Before you can configure the client, the client must have a suitable LAN adapter installed and correctly identified in Windows 95.

To configure the client, complete these steps:

1. Verify that the LAN adapter is installed and that the client operating system recognizes it.

2. Verify that the client TCP/IP settings are correct.

3. Configure domain name services (DNS) for the client.

4. Configure gateway settings for the client, if the client is in a network that uses routers to separate network segments.

5. Test the firewall client configuration.

6. Configure the Web browser for proxy or SOCKS.

7. Add SOCKS support, if you want to access Internet services without using the client Web browser.

Verifying that a Windows 95 client can identify the client LAN adapter

Before configuring the client PC to use the firewall for Internet access, you must verify that the PC has a suitable LAN adapter installed. You must also verify that the client can identify the adapter. This procedure describes how to verify the LAN adapter identification for a Windows 95 client. However, you can apply the concepts to other types of clients.

© Copyright IBM Corp. 1998

To verify that the identification for the LAN adapter is correct, perform these steps:

1. From your desktop, right-click the Network Neighborhood icon to view the shortcut menu.

2. Select the Properties menu option to open the Network window.

3. Click the Configuration tab and select your LAN adapter from the list box.

4. Select the Properties button to open the Properties folder for the LAN adapter that you selected.

5. Select the Bindings tab to view the protocol settings for the LAN adapter that you selected.

6. Verify that TCP/IP is selected as a bindings option.

7. Select the Cancel button to return to the Network window.

Note: If TCP/IP is not selected, you must select it and click the OK button to change the settings.

After you verify that the identification for your LAN adapter is correct, you must verify the TCP/IP settings for the client.

Verifying TCP/IP configuration for a Client PC

After you verify that the firewall administration PC (or other client) LAN adapter identification is correct, verify that the TCP/IP configuration is correct.

To verify that TCP/IP is configured properly for the client, complete these steps:

1. From the desktop, right-click the Network Neighborhood icon to view the shortcut menu.

2. Select the Properties menu option to open the Network window.

3. Click the Configuration tab and select TCP/IP from the list box.

4. Select the Properties button to open the TCP/IP Properties folder.

5. Select the IP Address tab.

6. Verify that the IP address and subnet mask are correct for the client.

7. Click the Cancel button to return to the Network window.

Note: If the IP address and subnet mask are not correct, enter the correct information and click the OK button to save your changes.

After you verify that the IP address settings are correct, you must configure domain name services (DNS) for the client. How you configure DNS depends on whether you have an internal DNS server or whether the client must use a host table for name resolution.

Note: After you finish all configuration changes to the client, you must click OK on the Network window to save your changes. Then, you must restart the PC to make the network changes take effect.


Configuring domain name services (DNS) for a firewall client on the secure network

After you verify that the client TCP/IP settings are correct, you must configure domain name services (DNS) for the client. How you configure DNS depends on whether you have an internal DNS server or whether the client must use a host table for name resolution.

If you do not have a DNS server on the secure network, the client must use a host table for name resolution. You must make changes to the client host table so that the client can resolve names correctly.

If you do have a DNS server on the secure network, you must configure DNS support on the client.

Changing the host table for a firewall client when the secure network does not have a DNS server

If your internal secure network does not have a domain name services (DNS) server, your clients must use host tables for name resolution. Each firewall administration workstation (or other client) must have the secure IP address of the firewall in its local host table. Each client host table must also contain the names and addresses of any other internal systems with which the client must communicate. For example, each administration workstation host table must contain the firewall home AS/400 IP address and the IP address of the firewall secure port.

To add the necessary information to the client host table, follow these steps:

1. Open an MS-DOS Prompt window.

2. At the MS-DOS prompt, type the command:
   DIR C:\HOST*.* /S

Where C: occurs in the command, type the letter of the drive that contains the operating system. A list of files that start with HOST appears. Find a file with the name HOSTS, and note the directory name that contains the HOSTS file. Windows 95 TCP/IP looks for the HOSTS file in the Windows directory.

Note: If you do not find a HOSTS file, a sample file (HOSTS.SAM) should be available. Use this file to create a new HOSTS file to which you can add the necessary information.

3. At the DOS prompt, type:
   edit c:\windows\hosts

Where c:\windows occurs in the command, type the letter of the drive and directory name that contains the HOSTS file. The MS-DOS prompt EDIT window appears.

4. Add a record that contains the IP address, fully qualified AS/400 host name, and the host name of the AS/400 system to the file.

Note: The fully qualified name for the AS/400 system consists of the AS/400 host name, followed by a period (.), followed by the AS/400 domain name. You can find these values by selecting option 12 from the Configure TCP (CFGTCP) menu on the AS/400 system. In this example, the fully qualified name is home400.private.company.com and the host name is home400.


5. Add a record that contains the IP address, fully qualified firewall host name, and the host name of the firewall to the file.

Note: The fully qualified name for the firewall consists of the firewall NWSD name, followed by a period (.), followed by the AS/400 domain name. You can find the domain name by selecting option 12 from the Configure TCP (CFGTCP) menu on the AS/400 system. In this example, the fully qualified name is fwbasic.private.company.com and the host name is fwbasic.

6. Save the file as C:\windows\hosts.

After you edit the client host table, you may need to configure DNS support for the client.

Configuring domain name services (DNS) support on a firewall client

If you are using only the client host table for name resolution, you do not need to configure DNS support for the client. If your secure network has a DNS server, however, you must configure the client to use the secure DNS server for name resolution. The secure DNS server should point to the firewall DNS server to resolve names for hosts outside the secure network.

If you do not have a DNS server in the secure network, configure the client to use the firewall as a DNS server. The client can then use the firewall DNS server for external domain name resolution when the client must access the non-secure network.

Although this procedure describes how to configure DNS support for a Windows 95 client, you can apply the concepts to other types of clients.

To configure DNS support on the client, complete these steps:

1. From the desktop, right-click the Network Neighborhood icon to view the shortcut menu.

2. Select the Properties menu option to open the Network window.

3. Click the Configuration tab and select TCP/IP from the list box.

4. Click the Properties button to open the TCP/IP Properties folder.

5. Select the DNS Configuration tab.

6. Click the Enable DNS radio button.

7. Add the following information to the appropriate fields:

v Type a host name for the PC into the Host field.

v Type the secure domain name into the Domain field.

v To use only the host table, leave the DNS Server Search Order field blank. Otherwise, type one of the following values:

– The IP address of the secure DNS server (for example, 10.5.69.2)

– The IP address of the secure port of the firewall (for example, 10.5.69.3)

8. Click the ADD button.

9. Click the OK button to save the settings and return to the Network window or click another tab to continue with TCP/IP configuration.


Note: After you finish all configuration changes to the client, you must click OK on the Network window to save your changes. Then, you must restart the PC to make the network changes take effect.

After you configure DNS, you may need to configure gateway settings for the client, if your network contains routers to separate network segments.

Configuring a firewall client to use a gateway

You may need to configure a client to use a gateway if your network uses routers to separate segments of the network. When a client is not directly connected to the network segment that contains the remote host, the client passes its data to the gateway. This gateway, or next hop router, should be able to route the data to the remote host.

Although this procedure describes how to configure a gateway for a Windows 95 client, you can apply the concepts to other types of clients.

To configure the client to use a gateway, follow these steps:

1. From the Windows desktop, right-click the Network Neighborhood icon to view the shortcut menu.

2. Select the Properties menu option to open the Network window.

3. Click the Configuration tab and select TCP/IP from the list box.

4. Click the Properties button to open the TCP/IP Properties folder.

5. Click the Gateway tab.

6. Type the IP address of the gateway (router) that connects the client to the rest of the network into the New gateway field.

7. Click the Add button.

8. Click the OK button to save your settings and return to the Network window or click another tab to continue with TCP/IP configuration.

Note: After you finish all configuration changes to the client, you must click OK on the Network window to save your changes. Then, you must restart the PC to make the network changes take effect.

After you configure the gateway entry, you can change any other client network configuration settings that you need for your TCP/IP environment. You should also test the firewall client configuration.

Testing the firewall client configuration

After you make client configuration changes and restart the client, you should test the configuration to ensure that it works properly.

Note: The default firewall filter rules block PING requests through the firewall. Therefore, if you use PING to contact an external host (for example, www.as400.ibm.com), the name should resolve to a valid address (for example, 208.222.150.11). The PING request, however, should time out.

To test the client configuration, follow these steps:

1. Open an MS-DOS Prompt window.

2. At the DOS prompt, type:
   ping 10.5.69.212

   and press Enter. Where 10.5.69.212 occurs in the command, type the address of your AS/400 system. A series of messages should appear that shows the address of the system and replies from the system.

3. At the DOS prompt, type:
   ping home400

   and press Enter. Where home400 occurs in the command, type the name of your AS/400 system. A series of messages should appear that shows the address of the system and replies from the system.

4. At the DOS prompt, type:
   ping 10.5.69.129

   and press Enter. Where 10.5.69.129 occurs in the command, type the address of your firewall. A series of messages should appear that shows the address of the firewall and replies from the firewall.

5. At the DOS prompt, type:
   ping firewall

   and press Enter. Where firewall occurs in the command, type the name of your firewall. A series of messages should appear that shows the address of the firewall and replies from the firewall.

If the message "Bad IP address hostname" appears (where hostname is the value that you entered for the PING command), there is an error. This error can be in the PING command (check the spelling of the host name), the client DNS configuration, the DNS server, or the HOSTS name file. You can bypass the DNS name resolution process by using the PING command and the IP address of the target host.

If the message "Request timed out" appears, the DNS server resolved the name to an address and the PING command tried to contact the target host. Verify that the returned address is valid for the requested name and that the target host is operating. If the address is correct and the host is operating, check the value in the gateway entry.

After testing your client configuration, you must configure the client Web browser to use SOCKS or proxy servers to access the non-secure network.

Configuring a client Web browser to use SOCKS or proxy servers

Because you configure and administer the firewall through a Web-based facility, you must use a Web browser that the firewall facility supports. This Web browser must support Java and JavaScript, as well as SOCKS and HTTP proxies. The browser should also provide a post office protocol (POP) 3 mail client for easy access to Internet e-mail.

For the purposes of the firewall administration client, you do not need to enable SOCKS or proxy. The basic network installation with no proxies specified works. However, if you selected proxy or SOCKS servers for Internet access during Basic configuration, you must set up proxy or SOCKS client support for the browser. This allows Web browsing through the firewall to the Internet or other non-secure network.

These procedures provide basic setup instructions for three common browsers: Netscape Navigator 3.0, Netscape Communicator 4.04, and Microsoft Internet Explorer 4.0. However, these procedures do not replace the instructions that the specific product documentation provides. Consider the product documentation as the authoritative source of information relating to these products. Refer to the product documentation for detailed instructions if you have questions during the installation.

To configure Netscape Navigator 3.0, see the topic Configuring Netscape Navigator 3.0 to use SOCKS or proxies.

To configure Netscape Navigator 4.0, see the topic Configuring Netscape Communicator 4.04 to use SOCKS or proxies.

To configure Microsoft Internet Explorer, see the topic Configuring Microsoft Internet Explorer 4.0 to use SOCKS or proxies.

Configuring Netscape Navigator 3.0 to use SOCKS or proxy servers

You must set up proxy or SOCKS client support for the client browser when you specify proxy or SOCKS servers for client Internet access. This allows Web browsing through the firewall to the Internet or other non-secure network.

To configure Netscape Navigator 3.0 to use proxy or SOCKS, start the browser and follow these steps:

1. Select Options from the menu bar.

2. Select the Network Preferences menu option to display the Preferences window.

3. Click the Proxies tab.

4. Click Manual Proxy Configuration.

5. Click View.

6. To use SOCKS support, type the IP address of the secure port of the firewall (for example, 10.5.69.3) in the SOCKS Host field and 1080 in the Port field.

7. To use proxy support, enter the following information:

v The IP address of the secure port of the firewall (for example, 10.5.69.3) in the FTP Proxy field and 80 in the Port field to support FTP proxy from the browser.

v The IP address of the secure port of the firewall (for example, 10.5.69.3) in the HTTP Proxy field and 80 in the Port field to support HTTP proxy from the browser.

v The IP address of the secure port of the firewall (for example, 10.5.69.3) in the WAIS Proxy field and 80 in the Port field to support WAIS proxy from the browser.

8. Type the secure domain name (for example, private.mycompany.com) in the No Proxy for field. This name tells the browser that the browser is connected directly to your secure domain. Therefore it does not need to use proxy or SOCKS servers to reach this domain. List all domains to which the client is connected directly.

9. Click OK to save the configuration.


Configuring Netscape Communicator 4.04 to use SOCKS or proxy servers

You must set up proxy or SOCKS client support for the client browser when you specify proxy or SOCKS servers for client Internet access. This allows Web browsing through the firewall to the Internet or other non-secure network.

To configure Netscape Navigator 4.0 to use proxy or SOCKS, start the browser and follow these steps:

1. Select Edit from the menu bar to display a pull-down menu.

2. Select Preferences from the menu.

3. Click the plus sign (+) beside the Advanced category.

4. Click Proxies.

5. Click Manual Proxy Configuration.

6. Click View.

7. To use SOCKS support, type the IP address of the secure port of the firewall (for example, 10.5.69.3) in the SOCKS Host field and 1080 in the Port field.

8. To use proxy support, enter the following information:

v The IP address of the secure port of the firewall in the HTTP field and 80 in the Port field to support HTTP proxy from the browser.

v The IP address of the secure port of the firewall in the FTP field and 80 in the Port field to support FTP proxy from the browser.

v The IP address of the secure port of the firewall in the WAIS Proxy field and 80 in the Port field to support WAIS proxy from the browser.

9. Type the secure domain name (for example, private.mycompany.com) in the Exceptions field. This name tells the browser that the client is connected to your secure domain directly. List all domains to which the client is connected directly.

10. Click the OK button to save your configuration changes.

Configuring Microsoft Internet Explorer 4.0 to use SOCKS or proxy servers

You must set up proxy or SOCKS client support for the client browser when you specify proxy or SOCKS servers for client Internet access. This allows Web browsing through the firewall to the Internet or other non-secure network.

To configure Microsoft Internet Explorer 4.0 to use proxy or SOCKS servers, start the browser and follow these steps:

1. Right-click the Internet Explorer icon to view a short-cut menu.

2. Select Properties from the menu to display the Properties window.

3. Click the Connection tab.

4. Verify that the browser is configured for a LAN connection.

5. Click Advanced.

6. Select the Access the Internet Using a Proxy Server option.

7. Type the IP address of the secure port of the firewall into the desired proxy or SOCKS field.


Adding SOCKS support to firewall clients

Most PC operating systems do not provide native SOCKS support. OS/2 Merlin is an exception; it provides SOCKS in the TCP/IP stack. If you want to use PC clients other than OS/2, you must add SOCKS support. Most Web browsers provide SOCKS support. If you will not use Internet services that your browser does not provide, you probably do not need to add SOCKS support to the client.

If you need to add SOCKS support, you can find several products on the Web. Most of these products work for Windows 95; some work for Windows 3.1. These products are usually Windows dynamic link libraries (DLLs) that extend the functionality of the Winsock DLL. They allow SOCKS 4 and SOCKS 5 applications to work without a browser for applications such as FTP and TELNET.

Note: Microsoft Windows NT also does not provide native SOCKS support.Therefore, if you plan to use Windows NT as a firewall client, you must addSOCKS support.

We tested two products: Aventail AutoSOCKS and SocksCap (NEC USA, Inc.).Each is available in a Windows 95 and a Windows 3.1 version on the Web.

The Web address for Aventail AutoSOCKS is:

http://www.aventail.com/

After you access the site, select the Product & Solutions option. Scroll down tothe AutoSOCKS product information. Click Download Evaluation Copy and followthe download instructions.

The Web address for SocksCap is:

http://www.socks.nec.com/

After you access the site, select the SocksCap button and follow the downloadinstructions. You may want to select other buttons to get additional informationabout SOCKS and how it works.

Configuring SOCKS support for AS/400

If you want to use your AS/400 as a firewall client through the SOCKS server, youconfigure SOCKS support for the AS/400 system. To configure SOCKS for AS/400you must use Operations Navigator to access the TCP/IP Properties window for theAS/400 system that you want to configure as a firewall client.

To access the TCP/IP Properties window, follow these steps:

1. Start Operations Navigator by clicking Start —> Programs —> IBM AS/400Client Access —> AS/400 Operations Navigator . The AS/400 OperationsNavigator window appears.

2. Double-click the icon that represents the AS/400 system that you want toconfigure. A list of system components displays.

3. Double-click the Network icon to display a list of network components.

4. Double-click the Protocols icon to display a list of protocols in the panel on theright.


5. Double-click the TCP/IP icon in the right panel to display the TCP/IP Properties window.

6. Click the SOCKS tab in the TCP/IP Properties window to display SOCKS information and options.

After you access the SOCKS tab, perform these tasks:

v Define the network to which the AS/400 system is directly connected to prevent AS/400 from using a SOCKS server to connect to the network.

v Define the network that the AS/400 client must use SOCKS to access and the SOCKS server address that AS/400 must use to access the network.

After you configure SOCKS support for the AS/400 system, you may want to define a DNS server for SOCKS to use. You should also test your AS/400 SOCKS configuration.

Defining the network to which the AS/400 system is connected directly

The AS/400 system should not use a SOCKS server to connect to the network to which it is directly attached. To prevent the AS/400 system from using the SOCKS server, follow these steps to define the direct network connection for the AS/400 system.

1. Use Operations Navigator to access the SOCKS tab in the TCP/IP Properties window.

2. From the SOCKS tab, click the Add button to display the Add SOCKS Destination window.

3. Type the network address of the secure network in the IP address field (for example, 10.0.0.0).

4. Type the subnet mask that describes your secure network in the Mask field (for example, 255.0.0.0).

Note: This defines the entire 10. network as a direct network. Therefore, the AS/400 system will not use SOCKS to access any host with an address that starts with 10.

5. Click the down arrow in the Connection field and select Direct from the list of options.

6. Click OK to add the destination information.

Now you can define which network the AS/400 client must use SOCKS to access. You may also want to define a DNS server for SOCKS to use.

Defining which network the AS/400 client must use SOCKS to access

Before you can use AS/400 as a SOCKS client, you must define which network the AS/400 must use a SOCKS server to access. For example, you might have the AS/400 client use the SOCKS server to access all networks (except the direct connection).

To define which networks AS/400 should access through the SOCKS server, follow these steps:

1. Use Operations Navigator to access the SOCKS tab in the TCP/IP Properties window.


2. From the SOCKS tab, click the Add button. The Add SOCKS Destination window appears.

3. Type the address 0.0.0.0 in the IP address field.

4. Type the subnet mask 0.0.0.0 in the Mask field.

Note: When a destination address is ANDed with a mask of 0.0.0.0, the result is 0.0.0.0. By specifying a mask and address of all zeros, all IP addresses match this destination description.

5. Click the down arrow in the Connection field and select SOCKS server from the list of options.

6. Type the IP address of the SOCKS server in the Server IP address field. On the firewall home AS/400 system, this is the IP address of the *INTERNAL port of the firewall. On other AS/400 systems in the secure network, this is the IP address of the secure port of the firewall.

7. Verify that the Port field has a value of Any. This specifies which remote ports the AS/400 can use this connection to access.

8. Click OK to add the destination information.

When you complete the SOCKS configuration, you may want to define a DNS server for SOCKS to use. You should also test your AS/400 SOCKS configuration.
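The two destination entries above (10.0.0.0 with mask 255.0.0.0 marked Direct, and 0.0.0.0 with mask 0.0.0.0 pointing at the SOCKS server) work together: the all-zeros entry matches every address, and the direct entry carves the secure network out of it. The following Python model of that destination table is an added example, not code from IBM or from the AS/400 SOCKS client; it assumes that when more than one entry matches, the one with the longest mask wins (an assumption of this example, not documented AS/400 behaviour), and it uses a constructed firewall secure-port address of 10.1.1.1. It also shows the failure mode of configuring only the 0.0.0.0 entry, which would send traffic for the secure network to the SOCKS server.

```python
"""Model of an AS/400 SOCKS destination table (added example, not IBM code).

An entry matches a host when (host AND mask) == (network AND mask), as the
note above describes for the 0.0.0.0 mask. Most-specific match (longest mask)
is an assumption of this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class SocksDestination:
    network: str                  # value typed in the "IP address" field
    mask: str                     # value typed in the "Mask" field
    connection: str               # "direct" or "socks"
    server: Optional[str] = None  # "Server IP address" field, SOCKS entries only
    port: str = "any"             # "Port" field


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def mask_length(mask: str) -> int:
    """Number of one bits in a dotted mask (0 for 0.0.0.0, 8 for 255.0.0.0)."""
    return bin(_to_int(mask)).count("1")


def matches(entry: SocksDestination, host: str) -> bool:
    """True when the host's masked address equals the entry's masked network."""
    m = _to_int(entry.mask)
    return (_to_int(host) & m) == (_to_int(entry.network) & m)


def choose_route(table: List[SocksDestination], host: str) -> Optional[SocksDestination]:
    """Return the most specific matching entry, or None if nothing matches."""
    candidates = [e for e in table if matches(e, host)]
    if not candidates:
        return None
    return max(candidates, key=lambda e: mask_length(e.mask))


def validate(table: List[SocksDestination]) -> List[str]:
    """Return a list of problems with the table (empty when it is consistent)."""
    problems = []
    for e in table:
        try:
            # Rejects non-contiguous masks such as 255.0.255.0.
            ipaddress.IPv4Network(f"{e.network}/{e.mask}", strict=False)
        except ValueError as exc:
            problems.append(f"{e.network}/{e.mask}: {exc}")
            continue
        if e.connection not in ("direct", "socks"):
            problems.append(f"{e.network}/{e.mask}: unknown connection type {e.connection!r}")
        elif e.connection == "socks" and not e.server:
            problems.append(f"{e.network}/{e.mask}: SOCKS entry has no server address")
        elif e.connection == "direct" and e.server:
            problems.append(f"{e.network}/{e.mask}: direct entry should not name a server")
    if not any(e.connection == "socks" for e in table):
        problems.append("no SOCKS server entry: nothing outside the direct networks is reachable")
    return problems


# Constructed table mirroring the two procedures above; 10.1.1.1 is a
# placeholder for the firewall's secure port, not a value from the manual.
TABLE = [
    SocksDestination("10.0.0.0", "255.0.0.0", "direct"),
    SocksDestination("0.0.0.0", "0.0.0.0", "socks", server="10.1.1.1"),
]

# Misconfiguration: the all-zeros entry alone, with no direct entry.
SOCKS_ONLY = [TABLE[1]]


if __name__ == "__main__":
    for host in ("10.5.6.7", "192.0.2.44"):
        route = choose_route(TABLE, host)
        print(host, "->", route.connection, route.server or "")
    print("problems:", validate(TABLE))
    print("10.5.6.7 with SOCKS_ONLY ->", choose_route(SOCKS_ONLY, "10.5.6.7").connection)
```

Running the block prints the route chosen for a secure-network host and for an external host, then shows that with only the 0.0.0.0 entry the secure-network host would also be sent through the SOCKS server, which is why the direct entry must be added first.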

Defining a domain name server for the SOCKS server

When you configure your AS/400 as a SOCKS client, you may need to define a domain name services (DNS) server for SOCKS to use. You must do this only if domain name servers were not specified when TCP/IP was configured for the AS/400 system.

For name or IP address resolution, the system queries the DNS servers configured with TCP/IP first. If they cannot resolve the name or address, then the system queries the DNS server that you specify in the SOCKS client configuration for AS/400.

Note: At least one DNS server must be configured using CFGTCP option 12 before SOCKS checks the domain name server configured for SOCKS.

To define a DNS server for your AS/400 SOCKS client, follow these steps:

1. Use Operations Navigator to access the SOCKS tab in the TCP/IP Properties window.

2. From the SOCKS tab, type the DNS server IP address in the SOCKS domain name server field.

If you do not have an internal DNS server, point the AS/400 system to the firewall for DNS services. If the internal DNS server cannot resolve external information, type the IP address of the firewall in the SOCKS domain name server field. On the firewall home AS/400 system, this is the IP address of the *INTERNAL port of the firewall. On other AS/400 systems in the secure network, this is the IP address of the secure port of the firewall.

3. Click OK to add the destination information.

When you complete the SOCKS configuration, you should test your AS/400 SOCKS configuration.


Testing Your AS/400 SOCKS Configuration

To quickly test your AS/400 SOCKS client configuration, you can start a TELNET session with a system in the non-secure network. (You must have enabled TELNET in the SOCKS server during firewall configuration.) To test the configuration, perform these steps:

1. Sign on to the AS/400 system.

2. On an AS/400 command line, type

telnet locis.loc.gov

and press Enter to display the US government’s LIBRARY OF CONGRESS INFORMATION SYSTEM menu.

Note: If you do not receive the menu, you may have a problem with DNS, firewall configuration, or your network connection.

3. To exit the system, type 12 and press Enter.

4. Type 12 and press Enter again.

Printed in the United States of America on recycled paper containing 10% recovered post-consumer fiber.
