To ensure that you install and configure your firewall properly, you must carefully gather information about your network, security needs, and public server placement. You must use this information to carefully plan how you will install and configure the firewall. Because planning is the most critical step for successfully getting your firewall up and running, review these topics:
v IBM Firewall for AS/400 installation requirements.
v Positioning your public server in relation to your firewall.
v Firewall and network configurations: Sample scenarios.
v IBM Firewall for AS/400 planning worksheets.
Frequent updates are made to the AS/400 Firewall home page. You should check it as part of your planning process. The address for the home page is:
http://www.as400.ibm.com/firewall
IBM Firewall for AS/400 installation requirements
Before you install IBM Firewall for AS/400, you must verify two things. Both the firewall home AS/400 system and the firewall administration workstation must meet the software and hardware requirements. To determine what the requirements are, review these topics:
v IBM Firewall for AS/400 software requirements
v IBM Firewall for AS/400 hardware requirements
v IBM Firewall for AS/400 user profile requirements
v Secure Sockets Layer (SSL) considerations for IBM Firewall for AS/400
IBM Firewall for AS/400 software requirements
IBM Firewall for AS/400 resides and runs on an Integrated Netfinity Server for AS/400 that is installed on the AS/400 system. The firewall requires these types of software:
v Licensed programs installed on the firewall home AS/400 system and Integrated Netfinity Server.
v Software installed on the firewall administration PC
v Software installed on firewall clients
IBM Firewall for AS/400 licensed program requirements
IBM Firewall for AS/400 resides on an AS/400 Integrated Netfinity Server and uses TCP/IP for communications. Consequently, you must have certain AS/400 licensed programs installed on the firewall home AS/400 system to ensure that you can install the firewall correctly. The table below provides a list of AS/400 licensed programs that you must have installed.
Licensed Program        Description
5769-SS1                OS/400, Version 4 Release 3
5769-TC1                TCP/IP Connectivity Utilities
5769-SA2                Integration Services for FSIOP
5769-DG1                IBM HTTP Server for AS/400
5769-FW1                Firewall for AS/400
5769-AC1, AC2, AC3      Cryptographic Access Provider (used to create virtual private networks)
Note: To create virtual private networks, you must also install the IBM Cryptographic Access Provider (5769-AC1, AC2, or AC3). If you vary on before installing ACx, you must RSTLICPGM the firewall, and reapply firewall PTFs.
Note: If you want to convert firewall logs to DB2 tables and use interactive SQL to build views of your log data, you must install DB2 for AS/400 Query Manager and SQL Development Kit (5769-ST1) licensed programs.
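The following CL program is an added example, not part of the IBM manual, that checks on the firewall home AS/400 system whether the required licensed programs from the table above are installed, before you vary on the Integrated Netfinity Server. It uses the standard CHKPRDOPT, MONMSG and SNDPGMMSG commands; the program name CHKFWPRQ and the decision to treat 5769-ST1 as optional are assumptions made for this example. The base option of 5769-SS1 is not checked because the program cannot run without it.

```cl
/* CHKFWPRQ - added example (not IBM code): verify firewall prerequisites */
/* Run on the firewall home AS/400 before varying on the Integrated       */
/* Netfinity Server, so that the AC1/AC2/AC3 ordering problem described   */
/* in the planning table is caught before RSTLICPGM becomes necessary.    */
PGM
  DCL VAR(&MISSING) TYPE(*CHAR) LEN(1) VALUE('0')

  /* Each CHKPRDOPT sends an escape message if the product is absent.    */
  /* MONMSG CPF0000 catches any CPF escape message from the command.      */
  CHKPRDOPT PRDID(5769TC1) OPTION(*BASE)
  MONMSG MSGID(CPF0000) EXEC(DO)
    SNDPGMMSG MSG('Missing 5769-TC1 TCP/IP Connectivity Utilities')
    CHGVAR VAR(&MISSING) VALUE('1')
  ENDDO

  CHKPRDOPT PRDID(5769SA2) OPTION(*BASE)
  MONMSG MSGID(CPF0000) EXEC(DO)
    SNDPGMMSG MSG('Missing 5769-SA2 Integration Services for FSIOP')
    CHGVAR VAR(&MISSING) VALUE('1')
  ENDDO

  CHKPRDOPT PRDID(5769DG1) OPTION(*BASE)
  MONMSG MSGID(CPF0000) EXEC(DO)
    SNDPGMMSG MSG('Missing 5769-DG1 IBM HTTP Server for AS/400')
    CHGVAR VAR(&MISSING) VALUE('1')
  ENDDO

  CHKPRDOPT PRDID(5769FW1) OPTION(*BASE)
  MONMSG MSGID(CPF0000) EXEC(DO)
    SNDPGMMSG MSG('Missing 5769-FW1 Firewall for AS/400')
    CHGVAR VAR(&MISSING) VALUE('1')
  ENDDO

  /* Only one of AC1/AC2/AC3 is needed (SSL and VPN). Check all three and */
  /* report only if none is present.                                      */
  CHKPRDOPT PRDID(5769AC3) OPTION(*BASE)
  MONMSG MSGID(CPF0000) EXEC(DO)
    CHKPRDOPT PRDID(5769AC2) OPTION(*BASE)
    MONMSG MSGID(CPF0000) EXEC(DO)
      CHKPRDOPT PRDID(5769AC1) OPTION(*BASE)
      MONMSG MSGID(CPF0000) EXEC(DO)
        SNDPGMMSG MSG('No Cryptographic Access Provider (5769-AC1/AC2/AC3) +
                       installed: SSL and VPN will not be available')
        CHGVAR VAR(&MISSING) VALUE('1')
      ENDDO
    ENDDO
  ENDDO

  /* 5769-ST1 is optional; it is only needed for SQL views of the logs.  */
  CHKPRDOPT PRDID(5769ST1) OPTION(*BASE)
  MONMSG MSGID(CPF0000) EXEC(SNDPGMMSG MSG('Optional 5769-ST1 not installed: +
                       firewall logs cannot be queried with interactive SQL'))

  IF COND(&MISSING *EQ '1') THEN(SNDPGMMSG MSG('Firewall prerequisites are +
                       NOT satisfied; do not vary on the Integrated Netfinity +
                       Server yet') MSGTYPE(*ESCAPE) MSGID(CPF9898) +
                       MSGF(QCPFMSG))
  SNDPGMMSG MSG('All required firewall licensed programs are installed')
ENDPGM
```

Compile it with CRTCLPGM and call it as a step in your planning worksheet; because the final message is sent as an escape when something is missing, the program can also be placed in a job stream that stops before the VRYCFG of the Integrated Netfinity Server.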
IBM Firewall for AS/400 administration PC software requirements
You administer the firewall through a Web browser on a PC in your internal network. This firewall administration PC requires the following software:
v TCP/IP support (must be configured and operational)
v A Web browser that supports HTML frames and JavaScript (for example, Netscape Navigator 3.0 and 4.0, as well as Microsoft Internet Explorer 4.0, work well)
IBM Firewall for AS/400 client software requirements
Each client on your internal secure network should have the following installed software to access firewall services:
v A Web browser that supports HTML frames and JavaScript
v FTP software (if you authorize the client to use FTP)
v SOCKS support (if you want the client to use the firewall SOCKS server to connect to the Internet)
IBM Firewall for AS/400 hardware requirements
IBM Firewall for AS/400 resides and runs from an Integrated Netfinity Server on the firewall home AS/400 system. You must use a PC or workstation to configure and administer the firewall. To review the hardware requirements for both the firewall home AS/400 system and the firewall administration PC, see these topics:
v IBM Firewall for AS/400 administration PC hardware requirements
v IBM Firewall for AS/400 hardware requirements for the firewall home AS/400 system
IBM Firewall for AS/400 administration PC hardware requirements
The PC or workstation that you use to configure and administer the firewall must have the following hardware:
v Token-ring or Ethernet adapter to communicate with the Integrated Netfinity Server adapter or another line on the firewall home AS/400 system that uses TCP/IP
v A processor and memory sufficient to run the operating system and Web browser that you use to administer the firewall
For detailed procedures to verify these requirements, see the topic “Verifying firewall hardware, software, and configuration prerequisites” on page 69.
IBM Firewall for AS/400 hardware requirements for the firewall home AS/400 system
The firewall home AS/400 must have a dedicated Integrated Netfinity Server installed. You must use this Integrated Netfinity Server solely for the firewall, and it must have the following features:
v At least 32 MB memory (preferably 64 MB)
v Two communication ports
If possible, you should use the Pentium® models of the Integrated Netfinity Server. The 486 Integrated Netfinity Server works; however, you will get better performance by using the Pentium models.
For detailed procedures to verify these requirements, see the topic “Verifying firewall hardware, software, and configuration prerequisites” on page 69.
IBM Firewall for AS/400 user profile requirements
To install, configure, or administer the firewall, the firewall administrator user profile must have the following user class and special authorities:
v User class of *SECOFR
v Special authorities of *SECADM, *ALLOBJ, and *IOSYSCFG
The firewall requires a user profile if you enable the user authentication feature for either the TELNET proxy or the SOCKS server.
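The commands below are an added example, not taken from the IBM manual, showing how to create a firewall administrator profile that satisfies the user class and special authority requirements above, and how to display an existing profile to confirm them. The profile name FWADMIN and the descriptive text are assumptions for this example; the special authorities are exactly those the requirement lists.

```cl
/* Added example (not IBM code): create the firewall administrator profile */
/* with the user class and special authorities that IBM Firewall for        */
/* AS/400 requires. PASSWORD(*USRPRF) is a placeholder: set a real password */
/* when you run this, and PWDEXP(*YES) forces a change at first sign-on.    */
CRTUSRPRF USRPRF(FWADMIN) +
          PASSWORD(*USRPRF) +
          PWDEXP(*YES) +
          USRCLS(*SECOFR) +
          SPCAUT(*SECADM *ALLOBJ *IOSYSCFG) +
          TEXT('IBM Firewall for AS/400 administrator')

/* To verify an existing profile, display it and check the User class and   */
/* Special authority fields on the first panel.                             */
DSPUSRPRF USRPRF(FWADMIN)

/* If a profile already exists but lacks an authority, add the missing one  */
/* rather than recreating the profile.                                      */
CHGUSRPRF USRPRF(FWADMIN) USRCLS(*SECOFR) SPCAUT(*SECADM *ALLOBJ *IOSYSCFG)
```

Because *ALLOBJ grants access to every object on the system, keep this profile for firewall installation and administration only and use a separate, less privileged profile for the TELNET proxy or SOCKS user authentication feature mentioned above.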
Secure Sockets Layer (SSL) considerations for IBM Firewall for AS/400
The Secure Sockets Layer (SSL) supports encryption for communication between hosts. You can use SSL to encrypt communication sessions between the firewall administration PC and the firewall. Using SSL enhances firewall administration security. Consequently, using SSL is strongly recommended, especially if you want to administer the firewall remotely or from a non-secure workstation.
Note: To administer the firewall remotely, you must change the filter rule that describes what traffic can access port 2010. You must change this filter rule to allow access to the port from the non-secure side of the firewall. If you change this filter rule, ensure that your changes do not provide an opportunity for an attacker to exploit the change to attack your firewall.
To use SSL, you need:
v IBM HTTP Server for AS/400 (5769-DG1)
v Cryptographic Access Provider licensed program for AS/400 (AC1, AC2, or AC3)
Note: You must also install this program if you want to use your firewall to create virtual private networks. You must install this product before you vary on the Integrated Netfinity Server for the first time. If you do not install the product prior to vary on, the product will be deleted from your system.
v A digital certificate for your firewall server. For more information about obtaining and using digital certificates, see the HTTP Server for AS/400 Webmaster’s Guide.
v A Web browser that supports SSL
Positioning your public server in relation to your firewall
One reason companies connect to the Internet is to provide some type of service to Internet users. This can range from a simple Web site that contains product information to a fully integrated e-commerce site. Another reason companies connect to the Internet is to provide an e-mail connection for their company. This may be a traditional simple mail transfer protocol (SMTP) connection or it may be a full-function Domino server. Whatever reason your company has for connecting to the Internet, the company must protect its network. A firewall provides the best protection.
If you provide services to Internet users, you must decide where to place your public server. You can put your public server:
v On the perimeter network in front of the firewall
v On the internal network behind the firewall
The answer to the question of where to place your Web server is: "It depends."
Review the information in these topics to help you decide where to place your server:
v Placing a public server in front of the firewall
v Placing a public server behind the firewall
After reading these topics, you should have a better understanding of the trade-offs you must make based on your choice of server location. You may also notice that the same item is listed as a disadvantage in one section and an advantage in another.
Placing a public server in front of the firewall
As with all other processes in your company, security must be balanced with usability. Placing the public server in front of the firewall provides the highest level of protection for your internal secure network. The firewall blocks all access to the internal network from the Internet. Figure 9 on page 49 provides a sample illustration of this network configuration.
To learn about the advantages and disadvantages of placing the server in front of the firewall, review these topics:
v Advantages of placing your public server in front of the firewall
v Disadvantages of placing your public server in front of the firewall
Advantages of placing your public server in front of the firewall
When you place your public server in front of the firewall, you gain the following advantages:
v Server traffic does not add to the traffic flow through the firewall and consume firewall resources.
v You do not need to allow Internet Protocol (IP) forwarding in the firewall to provide services to the Web. However, if you use network address translation (NAT) services, you must allow IP forwarding.
v Internet users can access the public server even when the firewall home AS/400 is down.
v The firewall blocks all access to the production network and data.
v The public server is in the public part of the network. Therefore, you need not subnet the addresses that you receive from your Internet service provider (ISP).
Having the public server in front of the firewall reduces the amount of traffic that flows through the firewall. Consequently, the firewall can use more resources for other things, such as caching and logging. This may provide better performance for the users in the internal network who access the Internet.
However, the speed of the line provided to the ISP is usually the biggest performance limitation. A good rule of thumb is to divide the line speed by 10 (8 data bits plus a start and stop bit). Using this equation, you can determine the maximum number of bytes per second that the line can transfer in one direction. For example, if you have a 56K bps line to the ISP, expect a maximum of 5600 bytes of data to flow per second. This does not include any overhead that the protocol that you use may add, for example, TCP/IP.
Figure 9. Public server in front of the firewall
With IP forwarding turned off in the firewall, unintended access through the firewall is less likely if you add a rule incorrectly. The firewall is, therefore, easier to set up because the firewall application generates all the rules, which ensures that human errors are less likely. However, if you use NAT to allow internal clients to access Internet services, you must allow IP forwarding.
When you take down the firewall home AS/400 system for backups or service, you must end the firewall. Because the public server is in front of the firewall, Internet users can still access the public server.
The firewall blocks access to the secure internal network. In the event of a successful attack on the public server, the attacker can compromise the data on the public server system only.
Because the public server is outside the firewall, the public server is in the public portion of your network. Consequently, you do not need to subnet the registered network address that you receive from your ISP. You must obtain at least four registered addresses from your ISP to support this network configuration. See the topic Understanding TCP/IP, networking, and the Internet for more details on IP addresses and subnets.
Disadvantages of placing your public server in front of the firewall
When you place your public server in front of the firewall, you must be aware of the following disadvantages:
v When you place the public server in front of the firewall, the firewall does not protect the public server. The router to the ISP and the security that you set up on the server itself provide the only protection for the public server. In most cases, the ISP handles the configuration of their router. If your public server is a V4R3 AS/400 system, you can use native packet filtering to protect the server.
v The firewall cannot log traffic to or from the public server. Consequently, you have no record of attempted or successful attacks on the public server. However, if your public server is a V4R3 AS/400 system, you can have the server log traffic. You must implement measures to prevent unauthorized access to any services that are started on the public server for administrative reasons. For example, TELNET, FTP, IBM HTTP Server for AS/400, and so forth.
v Updating the public server with production data requires that you either open a hole in the firewall or that you physically transfer the data. Consequently, data on the public server may not be current.
v You must have two systems: an AS/400 at V4R3 to support the firewall Integrated PC Server and another system to provide the public service.
If you plan to use the public server solely for HTTP serving and other read-only activities, then the server should be fairly safe. You can safely use well-written CGI programs because they use HTTP forms to update data. However, if you start any services that can provide direct access to the server, such as TELNET, the server becomes open to attack. You should only put data on the public server that you can afford to lose and can easily replace. This type of public server is sometimes referred to as a "sacrificial lamb."
Most routers cannot log access attempts. When the public server is in front of the firewall, the server may be your only source for log information. Information about discarded packets or attacks on the public server cannot be captured, unless the server is a V4R3 AS/400 system. You also cannot obtain information about the effects of a successful attack.
You may need to start the TELNET or FTP server on the public server for administrative reasons. If you choose to do this, make sure that the ISP router has filters in place to prevent access to these services from the Internet. Start these services only when you need to actively use them, and end them as soon as you are done. In the case of FTP, you can use carefully coded exit programs to provide additional protection. You can also use exit points for TELNET. You can find more information about coding exit programs in the TCP/IP Configuration and Reference (SC41-5420) or on the AS/400 Technical Studio Web site.
Note: If you provide these services to Internet users, remember that these services do not encrypt user IDs, passwords, or the data that you transfer. Consequently, a potential attacker can view everything that you do through these services. You may choose to implement anonymous FTP, but anonymous FTP requires that you use exit programs.
When you place the public server in front of the firewall, you may need a method for updating the server with new data from the internal network. The simplest and most secure way to do the update is to use a tape to load a new copy of the data. This method keeps the internal network separate from the public network, but does require human intervention.
Placing a public server behind the firewall
Placing the public server behind the firewall provides both a high level of security for your internal secure network and more protection for the public server. The firewall blocks all access to the internal network from the Internet. The figure below provides a sample illustration of this network configuration.
To learn about the advantages and disadvantages of placing the server behind the firewall, review these topics:
v Advantages of placing your public server behind the firewall
v Disadvantages of placing your public server behind the firewall
Advantages of placing your public server behind the firewall
When you place your public server behind the firewall, you gain the following advantages:
v The firewall protects the public server. You are not dependent on the Internet service provider (ISP) router for protection of the public server.
v You can use the firewall logging function to detect and recover from attacks on the public server.
v The public server and production data are on the same side of the firewall, which may make it easier for you to update the server with production data.
v You can use the same AS/400 system to run the firewall Integrated PC Server and run the public server.
v During Basic configuration for your firewall, the application automatically configures HTTP and HTTPS access to your public server through network address translation services (NAT). NAT allows the firewall to route traffic from the Internet to your public server while hiding your internal addresses. Using NAT also lowers the number of registered IP addresses that you must obtain because your public server can use a private address. NAT translates this address either to a reserved public address or to the firewall public address.
The firewall can also log packets that the server receives. If you choose to use this feature, you get a log that contains information about packets that the firewall accepts and forwards. You can also get log entries for packets that the firewall discards. You can use these logs to determine if someone has been attacking your network. You must set up these logging features before you can use them.
With the firewall protecting the public server and the production systems, you can easily use built-in tools such as distributed relational database architecture (DRDA) or FTP to move data between systems without having to modify the firewall. This allows you to access existing data and systems when implementing Internet-based applications.
You need one system running OS/400 at V4R3 or later to support the firewall Integrated PC Server and code. You can use this same system as the public server because the firewall protects the system and the internal network from attack.
You can use NAT in the firewall to route traffic from the Internet to your public server and hide your internal addresses. The firewall uses the NAT settings to map the publicly registered IP address of the server to the private address for the server on your internal network. You can use the address of the firewall non-secure port as the public address of the server. This lowers the number of registered IP addresses that you must obtain for your network.