
Installing and configuring

In document Firewall: Getting started (Page 67-112)

This topic describes the tasks that you must perform to install and configure your firewall when using the firewall Basic configuration option. Even if Basic configuration does not completely satisfy your particular requirements, you should always start by installing your firewall and running Basic configuration. You can then further customize or update the original configuration by using the more advanced configuration options.

This scenario provides information for installing and configuring a firewall with the most common network and firewall configuration. To determine whether your firewall configuration needs are similar to the ones described in this scenario, see the topic Firewall basic configuration: Scenario overview.

IMPORTANT: Remember that in this scenario we assume that an internal DNS exists inside your firewall. We strongly recommend having an internal DNS for the following reasons:

v An internal DNS eliminates extra configuration of host tables, mail, etc.

v An internal DNS eliminates mail problems that occur when there is not an internal DNS.

v An internal DNS makes it easier to configure and manage your network.

However, if you DO NOT have an internal DNS, we provide alternate steps for configuring an external server that exists outside your firewall.

To configure your firewall in this scenario, perform these tasks:

1. Complete and review the planning worksheets.

2. Verify hardware, software, and configuration prerequisites.

3. Install the firewall based on answers in the planning worksheet.

4. Prepare for Basic configuration of your firewall.

5. Start the firewall.

6. Perform Basic configuration for the firewall based on your answers in the planning worksheet.

7. Configure clients on the internal network to access Internet services through the firewall.

Firewall basic configuration: Scenario overview

This scenario provides a complete set of instructions for a typical firewall installation and configuration. In this scenario, we assume that you want your employees to access certain Internet services safely. For example, you want your local users to:

v Exchange e-mail with other Internet users.

v Surf the Internet.

v Use file transfer protocol (FTP) to download software from the Internet.

We also assume that you want to have a presence on the Internet. Therefore, you will want to complete the following tasks before you begin your configuration:

v Install a public Web server to advertise your products, so customers can visit your site and purchase products electronically.

v Install and configure an internal DNS server.

IMPORTANT: Remember that in this scenario we assume that an internal DNS exists inside your secure network. We strongly recommend that you have an internal DNS for the following reasons:

v An internal DNS eliminates extra configuration of host tables, mail, etc.

v An internal DNS eliminates mail problems that occur when there is not an internal DNS.

v An internal DNS makes it easier to configure and manage your network.

However, if you DO NOT have an internal DNS, we provide alternate steps for configuring the firewall server that exists outside your firewall.

For more details about this scenario configuration, review these topics:

v Firewall basic configuration: Scenario objectives

v Firewall basic configuration: Scenario advantages

v Firewall basic configuration: Scenario disadvantages

v Firewall basic configuration: Scenario network configuration

Firewall basic configuration: Scenario objectives

There are two objectives in this scenario:

1. To provide your local users with access to services from the Internet. The primary objective is to allow your users to access Internet services through the firewall. To ensure network security, you must ensure that Internet users cannot access the secure (internal) network. The secure (internal) network is located behind the firewall.

2. To provide services to Internet users through a public server that you place in front of the firewall on the perimeter network. You protect the server with host security and the Internet router. This router may belong to your Internet service provider (ISP). You (or the ISP) must configure the router to allow only those incoming requests to the services that you want to provide from the public server.

Note: This scenario assumes that you have a public server in front of the firewall, on the perimeter network. However, you can use the procedures to configure your firewall even if your public server is behind the firewall. When your public server is behind the firewall, Basic configuration does the configuration for you.

Basic configuration automatically configures your firewall to use network address translation (NAT) to provide HTTP and HTTPS access to the public server.

You do not need a public address for the server; you can use the non-secure firewall port public address as the public address for the server. You need to take no special steps unless you want to have internal users access the Internet through proxy or SOCKS servers. If you use proxy or SOCKS servers, and use the firewall non-secure port as the public server address, then you must specify that HTTP and HTTPS traffic for the public server use ports other than the well-known ones. This is called port mapping. You can specify these ports during Basic configuration.

If you want to allow other traffic to pass through the firewall to the public server, you must add NAT settings and filter rules to your firewall configuration. For more information about these advanced configuration options, see Firewall advanced topics in the AS/400 Information Center.

Firewall basic configuration: Scenario network configuration

Figure 13 depicts the network configuration for this scenario.

These scenario characteristics influence the firewall configuration:

v The secure network has a local Domain Name Services (DNS) server. For more information about configuring an AS/400 DNS server to work with your firewall, see the Redbook AS/400 TCP/IP Autoconfiguration: DNS and DHCP Support (SG24-5147). This link will take you to the Redbook home page, where you can search for keywords or titles.

v The secure network has subnets.

v Internal users need access to HTTP and FTP servers on the Internet and need to exchange e-mail with other Internet users.

v Internet users have access to services through a public server located on the perimeter network.

Note: This scenario assumes that you have an internal DNS server. When your public server is behind the firewall, Basic configuration does the configuration for you. Basic configuration automatically configures your firewall to use network address translation (NAT) to provide HTTP and HTTPS access to the public server.

You do not need a public address for the server; you can use the non-secure firewall port public address as the public address for the server. You need to take no special steps unless you want to have internal users access the Internet through proxy or SOCKS servers. If you use proxy or SOCKS servers, and use the firewall non-secure port as the public server address, then you must specify that HTTP and HTTPS traffic for the public server use ports other than the well-known ones. This is called port mapping. You can specify these ports during Basic configuration.

Figure 13. Scenario configuration with internal DNS and secure subnets

Firewall basic configuration: Scenario advantages

The main advantages of this scenario are:

v Users in the secure (internal) network may access services from the Internet while the firewall denies intruders access to the secure (internal) network.

v The firewall breaks TCP/IP connections between the secure (internal) network and the untrusted network.

v The firewall blocks the incoming requests to the secure (internal) network. The firewall allows IP forwarding only if you choose to use network address translation (NAT) services to provide users with Internet access.

v Having an internal DNS server, in addition to your ISP DNS, allows an extra layer of protection in case of an external attack on your firewall. The internal DNS server contains the Internet Protocol (IP) addresses and host names of the internal network instead of the firewall, thus protecting it from an attack.

v An internal DNS also makes it easier to manage the growth of your network. If, for example, you wanted to add another workstation to your internal network, you would only need to configure it and create an entry for it in the DNS. Without a secure (internal) DNS, adding a new workstation requires more work: you would need to configure the new workstation and create an entry for it in the HOST table of every system in the secure (internal) network.

v In addition, using an internal DNS makes configuring the Firewall to work with your mail server or mail servers easier for you.

Note: When you disable IP forwarding, the firewall does not route the incoming requests into the internal network. This provides your internal network with additional protection from mistakes in your firewall filter rules. Use of IP forwarding does not necessarily create an additional risk to your network.

For example, if you use NAT to provide users with access to the Internet, you must use IP forwarding. However, if you create no filter rules beyond those that the application creates for you, you do not incur a significant security risk.

Firewall basic configuration: Scenario disadvantages

The disadvantages of this scenario apply only if you provide public services to Internet users, and allow internal users access to Internet services. The disadvantages of this scenario are:

v The first time you configure an internal DNS can be difficult. To learn more about the initial configuration of an internal DNS, see AS/400 TCP/IP Autoconfiguration: DNS and DHCP Support (SG24-5147). This link will take you to the Redbook home page, where you can search for keywords or titles.

v Managing the public server on the perimeter network requires extra effort. You must physically access that system, or permit management functions (for example, TELNET, FTP, Client Access/400) to flow as outbound traffic through the firewall. To permit these management functions, you must create the appropriate firewall filter rules.

Firewall basic configuration: Reviewing your planning worksheets

Before you install the firewall, you must review your planning worksheets. This ensures that you have all the information that you need to properly install and configure the firewall for your scenario.

The example planning worksheets below illustrate the information that you need to provide in order to successfully install and configure the firewall for this scenario.

You can use these example worksheets to help you complete your own worksheets.

Note: Use the questions from the worksheets as a checklist for tasks that you must perform before you install the firewall.

Table 17. Planning worksheet for ensuring that your AS/400 system meets all prerequisites for installing firewall

Prerequisite Checklist (all answers should be YES before you proceed with the installation)

Is your OS/400 V4R3 or later? Answer: Yes (V4R3)

Is Firewall for AS/400 licensed program (5769-FW1) installed? Answer: Yes

Is the OS/400 System Openness Includes option needed for 5769-SA2 installed? Answer: Yes

Is Integration Services for FSIOP (5769-SA2) installed? Answer: Yes

Is TCP/IP Connectivity Utilities for AS/400 (5769-TC1) installed? Answer: Yes

Is IBM HTTP Server for AS/400 (5769-DG1) installed? Answer: Yes

If you plan to create virtual private networks, is Cryptographic Access Provider (5769-AC1, AC2, or AC3) installed? Answer: No

Did you verify that the most current PTFs are installed? Answer: Yes

Does the firewall Integrated Netfinity Server have two ports? Answer: Yes

Is TCP/IP configured in your AS/400 system (including IP interfaces, routes, local host name, and local domain name)? Answer: Yes

Is the firewall Integrated Netfinity Server installed in the firewall home AS/400 system? Answer: Yes

Did you verify that both ports of the firewall Integrated Netfinity Server are working properly? Answer: Yes

Is the secure port of the firewall Integrated Netfinity Server connected to the internal network? Answer: Yes

Is the non-secure port of the firewall Integrated Netfinity Server the same LAN type (Ethernet or token-ring) as the LAN segment connected to the ISP? Answer: Yes

Is the non-secure port of the firewall Integrated Netfinity Server connected to a separate MAU or HUB? (This port should be in the LAN segment that connects to the ISP router.) Answer: Yes

Does your firewall administration workstation have a browser that supports HTML frames and JavaScript (for example, Netscape Navigator 3.0+ or Microsoft Internet Explorer 4.0+)? Answer: Yes

Table 18. Planning worksheet for your network configuration

Network Checklist

Provide a diagram of your network, including hosts, routers, bridges, host IP addresses, subnet masks, and mail servers. Include the firewall home AS/400 system and the firewall Integrated Netfinity Server in your diagram. Answer: (diagram)

Does your AS/400 system have a LAN adapter (other than those in the firewall Integrated Netfinity Server)? Answer: Yes

Do you have a DNS server in your secure network? Answer: Yes

Will the DNS administrator be available when you set up the firewall? Answer: Yes

Is your secure domain a subdomain of your public domain name? Answer: Yes. private.mycompany.com is a subdomain of mycompany.com

If you do not have DNS in the secure network, have you updated host tables and the DNS configuration for your clients? Answer: N/A

Are the Internet Protocol (IP) addresses that you use in your internal network valid (registered) Internet addresses? See following note. Answer: Yes

Do you have multiple subnets (and, therefore, routers) in your secure network? Answer: Yes

Do you have a network administrator, and will the administrator be available when you install and configure your firewall? Answer: Yes

Do you have e-mail set up in your secure network? Answer: Yes

Do you have multiple domains in your secure network? If so, list them. Answer: Yes. othercompany.com

Is TCP/IP installed and configured on the clients (such as Windows 95) of the users that access the Internet? Answer: Yes. See Client configuration.

Do you want users on the internal network to access Internet services through the SOCKS server? If you do, then do the TCP/IP client applications support SOCKS? Answer: Yes, except for TELNET. Yes, clients support SOCKS.

Note: If you use private (unregistered) Internet Protocol (IP) addresses in the secure network, you should be aware of these limitations:

v You must use either the proxy or SOCKS servers or network address translation (NAT) services on the firewall to access the Internet.

v You must use NAT if you want users to access RealAudio or Internet Relay Chat services.

However, using reserved Internet address ranges (for example, 10.*.*.*, 172.16.*.*, or 192.168.*.*) improves your overall security. This improvement occurs because routers on the Internet discard packets from reserved addresses if they are accidentally routed to the Internet.
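The two planning rules stated on this page, that private (unregistered) addresses in the secure network require proxy, SOCKS or NAT (with NAT mandatory for RealAudio and IRC), and that a public server sharing the firewall non-secure port address must be port-mapped away from the well-known HTTP and HTTPS ports when proxy or SOCKS is used, as a small checker run over constructed worksheet answers. This is an added example, not IBM's code or part of the original document; the function names, the reserved-range list and the worksheet dictionary are assumptions made for the example.

```python
import ipaddress

# Reserved (private) ranges named in the planning note; constructed list for this example
RESERVED_RANGES = [ipaddress.ip_network(n)
                   for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Well-known ports that the port-mapping rule says the public server must avoid
WELL_KNOWN_PORTS = {"HTTP": 80, "HTTPS": 443}


def reserved_subnets(subnets):
    """Return the secure-network subnets (as strings) that lie inside a reserved range."""
    hits = []
    for s in subnets:
        net = ipaddress.ip_network(s, strict=False)
        if any(net.version == r.version and net.subnet_of(r) for r in RESERVED_RANGES):
            hits.append(str(net))
    return hits


def internet_access_methods(subnets, realaudio_or_irc=False):
    """Firewall services that internal users may use to reach the Internet.

    Private addresses are not routable on the Internet, so the planning note
    requires proxy, SOCKS or NAT; RealAudio and IRC additionally require NAT.
    With registered addresses the note imposes no restriction (returns None).
    """
    if not reserved_subnets(subnets):
        return None
    return {"NAT"} if realaudio_or_irc else {"proxy", "SOCKS", "NAT"}


def port_mapping_conflicts(shares_nonsecure_address, uses_proxy_or_socks, public_ports):
    """Services on the public server that must be mapped away from their well-known port.

    Rule from the scenario objectives: when the public server is reached through the
    firewall's non-secure port address and internal users go out through proxy or
    SOCKS, the public server's HTTP and HTTPS must use ports other than 80 and 443.
    """
    if not (shares_nonsecure_address and uses_proxy_or_socks):
        return []
    return [svc for svc, port in public_ports.items() if WELL_KNOWN_PORTS.get(svc) == port]


if __name__ == "__main__":
    # Constructed worksheet answers, not the scenario's own values
    worksheet = {
        "subnets": ["192.168.10.0/24", "192.168.20.0/24"],
        "realaudio_or_irc": False,
        "shares_nonsecure_address": True,
        "uses_proxy_or_socks": True,
        "public_ports": {"HTTP": 80, "HTTPS": 443},
    }
    print("private subnets:", reserved_subnets(worksheet["subnets"]))
    print("allowed access methods:",
          internet_access_methods(worksheet["subnets"], worksheet["realaudio_or_irc"]))
    print("public-server services to port-map:", port_mapping_conflicts(
        worksheet["shares_nonsecure_address"], worksheet["uses_proxy_or_socks"],
        worksheet["public_ports"]))
```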

Table 19. Planning worksheet for your connection to your Internet service provider (ISP)

Internet Service Provider (ISP) Checklist

Have you selected an ISP? Answer: Yes

Is your connection to the ISP installed and verified? Answer: Yes

Is your ISP responsible for configuring the router that connects your perimeter network to the ISP? Answer: Yes

Will a technical support person from the ISP organization be available when you configure your firewall? Answer: Yes

Have you registered your public domain name (mycompany.com) with the InterNIC? Answer: Yes

Have you agreed with your ISP whose DNS will be the authority for your public domain? (Will the ISP DNS or the firewall DNS resolve IP addresses for your public servers?) Answer: Yes, the firewall DNS.

Table 20. Planning worksheet for services that you want to use from the Internet

Accessing Services From the Internet Checklist

Do you have a security policy that covers how your employees are to use services from the Internet? If not, spell out your security policies before continuing. For example, will you restrict which users or departments are allowed to surf the Net? Will you allow TELNET or RealAudio? Answer: Yes

Have your users received the necessary training? For example:

v Do your users understand the risks of downloading software from the Internet?

v Are Java applets permitted? (Is Java enabled in the browser?)

v Is antivirus software installed on your users’ clients?

v Do your users know they should run antivirus software every time they download software from the Internet?

v Do your users know how to identify a secure transaction?

v Do users know how to use the firewall to access the Internet?

Answer: Yes to all except

What Internet services are you planning to use now and in the near future? These are services that users on the secure network will initiate.

v E-mail

v Hypertext Transfer Protocol (HTTP)

v HTTPS (secure HTTP)

v File transfer protocol (FTP) (passive or active?)

v TELNET

v RealAudio

v Client Access/400

v Lightweight directory access protocol (LDAP)

v Secure LDAP

v Post office protocol (POP) 3

v Gopher

v Wide area information servers (WAIS)

v Internet relay chat (IRC)

v Lotus Notes

v Distributed relational database architecture (DRDA)

v NNTP (Network News Transfer Protocol)

v Secure NNTP (Secure Network News Transfer Protocol)

Answer: For now e-mail, HTTP, HTTPS, and FTP. TELNET in the future. No for all others.

How will you allow users to access these services? Will you permit the services through a proxy or SOCKS server, or through NAT? Do you know how to decide which method you should use for each service that you decide to allow? Answer: SOCKS (if SOCKS clients are available).

Table 21. Planning worksheet for services you want to provide on the Internet

Providing Services to Internet Users Checklist

Will you provide local services to Internet users now or in the future (for example, HTTP, FTP, POP, and so forth)? Answer: HTTP

Do you understand the risks associated with accessing sensitive data without using encryption (for example, HTTPS) or using passwords over the Internet? Answer: Yes

Do you understand the trade-offs between locating the server or servers in the perimeter network versus behind the firewall? Answer: Yes

Is your public server or servers located in your secure network behind the firewall? Answer: Yes

If the answer is YES, have you planned for the additional router that you may need between the public host and the rest of your secure network? (You may also need an additional router if your server is on an Integrated Netfinity Server in the home AS/400 system.) Answer: N/A

If your public server is in the secure network, is it located on an Integrated Netfinity Server in the home AS/400 system (for example, NT or Domino server)? Answer: N/A

If your public server is in the secure network, is it located in the home AS/400 system? Answer: N/A

If your public server is on the secure network, is it located in a separate system from the home AS/400 system? Answer: N/A

Table 22. Planning worksheet for the connection between your public server in the perimeter network and your production systems

Connections Between Public Servers and Production System Checklist

Does your public server need access to production data? Answer:

What applications are you planning to use to transfer data between production systems and your public servers? Check all that apply.

v Net.Data

v DDM

v Distributed relational database architecture (DRDA)

What services are required to manage your public servers (in the perimeter network) from the secure network?

v File transfer protocol (FTP)

v TELNET

v Client Access/400

v DDM

v Distributed relational database architecture (DRDA)

v Simple network management protocol (SNMP)

Use the following table to list all services that you will provide to Internet users and indicate where you will locate each of these services. You can then use this list to determine configuration options that you may need for your firewall.

Table 23. Planning worksheet for local services you plan to provide to Internet users

After you review your planning worksheets, verify that all hardware, software, and configuration prerequisites have been met before you install the firewall.

Verifying firewall hardware, software, and configuration prerequisites
