IBM Firewall
IBM Firewall
http://www.redbooks.ibm.com
SG24-2577-02
SG24-2577-02
International Technical Support Organization
February 1998
Take Note!
Before using this information and the product it supports, be sure to read the general information in
Appendix G, “Special Notices” on page 301.
This edition applies to Version 1 Release 3 of IBM Firewall for AIX, Program Number 5801-AAR for use with AIX
for RISC System/6000.
When you send information to IBM, you grant IBM a non-exclusive right to use or distribute the information in any
way it believes appropriate without incurring any obligation to you.
Copyright International Business Machines Corporation 1995 1998. All rights reserved.
Note to U.S. Government Users — Documentation related to restricted rights — Use, duplication or disclosure is
subject to restrictions set forth in GSA ADP Schedule Contract with IBM Corp.
Contents
Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ix
The Team That Wrote This Redbook . . . . . . . . . . . . . . . . . . . . . . . . . ix
Comments Welcome . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x
Chapter 4. Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
4.1 Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
4.2 Install AIX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
4.2.1 Post-AIX Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
4.2.2 Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
4.3 Firewall Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
4.3.1 Install the Code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
4.3.2 Firewall Hardening . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
4.3.3 Post Firewall Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
4.3.4 Checking Network Security . . . . . . . . . . . . . . . . . . . . . . . . . 50
4.3.5 Checking System Security . . . . . . . . . . . . . . . . . . . . . . . . . . 50
4.3.6 IBM Firewall 3.1 Configuration Replication . . . . . . . . . . . . . . . . 50
4.3.7 Command Line Proxy User Generation . . . . . . . . . . . . . . . . . . 50
Contents v
11.3 DNS Configuration Examples . . . . . . . . . . . . . . . . . . . . . . . . . 217
11.3.1 Case 1: Internal DNS, Merge DNS, and External DNS . . . . . . . . 217
11.3.2 Case 2: External DNS on the Firewall and Internal DNS . . . . . . 225
Chapter 16. How to Use the IBM Firewall to Counter Security Holes . . . . 263
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309
Contents vii
viii Protect and Survive Using IBM Firewall 3.1 for AIX
Preface
This book was written to help you design and configure solutions using the IBM
Firewall for AIX. It deals with the issues involved in connecting private IP
networks to the Internet. It describes the different kinds of firewall technologies
that can be used for such connections, focussing on the implementation of those
functions in the IBM Firewall for AIX program product.
There are numerous configuration examples showing ways to set up the filtering,
application server and gateway functions of the IBM Firewall for AIX.
This book will help you to establish a solid fence between your network and the
outside world.
Jorge Ferrari is a Senior ITSO Specialist in Network Design Tools at the Systems
Management and Networking ITSO Center, Raleigh. He writes extensively and
teaches IBM classes worldwide on all areas of network design tools. Before
joining the ITSO in 1993, he worked in the SNAP/SHOT and Network Design
group in Raleigh, NC.
Thanks to the following people for the invaluable advice and guidance provided
in the production of this document:
Valerie Aschman, Stacy Powers, Rex White, Jaime Claypool, Kevin Dunphy
from the Network Security Products Development, IBM RTP
Some of the material in this book was based on a previously published redbook:
Safe Surfing: How to Build a Secure World Wide Web Connection , SG24-4564. We
thank the author of that material:
Andreas Siegert
IBM Germany
Comments Welcome
Your comments are important to us!
In many ways the Internet of the past few years has been like the unknown world
of those early maps. Although there are many people in the Internet world, few
of them know this world really well and many see it as a source for future
growth and revenue. There are dragons lurking here too; crackers who will try
to disrupt and destroy. This book deals with some techniques for providing
Internet access, while keeping the bad guys out of your own network.
In the past, the Internet was suited to data processing and scientific people,
using unfriendly interfaces such as Telnet or FTP. Today, everybody who knows
how to use a keyboard and click a mouse may use a very friendly Web browser
client to navigate the World Wide Web. The Web has had a profound effect on
both the volume of traffic carried by the Internet and also on traffic patterns,
since by following hypertext links, a user may rapidly establish connections with
many different server machines. This means that:
1. There are many more sessions being set up, as a single client is likely to
communicate with many more servers than in the past.
2. There are many more client machines, because the interface is familiar and
easy to use and many organizations have rushed to provide Internet access
to almost anyone.
3. There are many more servers, partly because many companies and
organizations see the Internet as a way to disseminate information and
partly because low cost service providers have allowed individuals and small
organizations to provide their own Web sites.
So successful has the World Wide Web been, that to many people today it is the
Internet.
This commercial interest in the Internet is fuelled by and also a cause of the
explosive growth in Internet hosts and traffic (see Figure 1 on page 3).
So much for the opportunities; what about those dragons? There has been much
press comment about crackers on the Internet, some of which has
over-sensationalized their exploits. The threat that crackers have posed to date
is less severe than the popular image. Most of the publicized incidents have
been perpetrated as a means to grab attention and not with any real malicious
intent. However, the ingenuity of the crackers in defeating system defenses has
not been overstated. The really frightening prospect, therefore, is if one of these
wily crackers has some personal or commercial reason to do you harm.
It seems that once you start getting paranoid about computer security you can
reach a point where nothing seems safe anymore. Is this justifiable? After all,
we don't (normally) worry about people tapping our telephone conversations or
reading our mail, and we happily send credit card numbers, private messages,
gossip and scandal using those media. The difference with the Internet is that
the carrier is not a regulated, well-defined entity. In fact you have no idea
whose computers your message passes through on the way to its destination.
The any-to-any connectivity of the Internet can, alone, give you many security
problems. You will need to protect your own private data and also protect
access to the machines inside your private network against abusive external
use.
The first step to achieving this is to limit the number of points at which the
private network is connected to the Internet. The best configuration is where the
private network is connected by just one gateway. If you only have this unique
path, you have gained a choke point , where you can exercise control over which
traffic to allow into and out of the Internet. We call this gateway a firewall.
When considering the details of your firewall it is important to keep in mind that
the whole concept relies on the fact that it is the only gateway. If an attacker
can find an alternative, uncontrolled, access point your firewall effort has been
wasted. Every point of entry must be subjected to the same rigorous standards
of security.
Depending on what your security requirements are and how much money you
have, you can develop different firewall strategies. The most important advice is
to keep the strategy simple.
When you are defining your firewall strategy, you may think it is sufficient to
prohibit everything that presents a risk for the organization and allow the rest.
However, because of new attack methods, you may not be able to prevent every
attack and, as in the case of the building, you need to monitor for signs that
somehow your defences have been breached. Generally, it is much more
damaging and costly to recover from a break-in than to prevent it in the first
place.
In the case of the firewall, the classic solution uses a screening router. Although
that is not sufficient today to ensure security, it is still the starting point for
firewall defenses. A better strategy is to permit only the applications you have
tested and have confidence in. If you follow this strategy, you have to
exhaustively define the list of services you must run on your firewall. Each
service is characterized by the direction of the connection (from in to out, or out
to in), the list of users authorized, the list of machines where a connection can
be issued, and perhaps the range of time of day you authorize this service.
This router filters all IP packets passing through and is called a screening filter.
This way you can prevent access to machines or to ports in the private network
and also do the reverse; prevent an inside machine from accessing the Internet.
But if you do this, there is no way to control what's happening at the application
layer. That is, you may want to allow one type of traffic across the gateway but
1.4.2 Bastion
A bastion is a machine placed between the secure and nonsecure network
where the IP forwarding is broken, which means no IP packet can go through
this machine. As the routing is broken, the only place from which you can
access both networks is the bastion itself. Therefore, only users who have an
account on the bastion, with a double identification (one for the bastion and one
for the remote host), can use services on both the networks, as shown in
Figure 3.
Figure 3. Bastion
This has some disadvantages, because the bastion may have to support many
users. It is important to enforce good password control here since if a cracker
manages to break into a user ID he or she can then impersonate the user and
get into the private network. Besides this security point, supporting a great
number of users will require a big machine. To avoid having users logged in to
this machine and to reduce load on the machine, more general-purpose bastion
applications exist, such as the SOCKS server (see 2.1.3, “SOCKS Server” on
page 15).
In this case, you can protect the dual-homed gateway from external attacks with
filtering. For example, if you forbid external access to the telnet daemon, you
reduce the threat of an external attack. If you have some nomadic machines
that are hosted outside but need to connect to hosts inside the private network,
you can limit the exposure by using a proxy server and perhaps using smart
card authentication techniques.
The problem with this configuration is that the firewall machine can become very
complex, so if a cracker does break into it, it may take some time to track him or
her down. For example, there are a great number of IP ports used by so-called
well-known services. Some of these are, in fact, not well-known at all and
crackers regularly use them as a back door into a computer. So it is important
to block as many such ports as you can, without impacting the services that you
do want to work.
The architecture is very simple and each machine on this subnet performs only
simple task(s), depending on the number of bastions you have. It is often
referred to as a demilitarized zone (DMZ).
Cheaper and another common solution to provide DMZ is to use three adapters
on the firewall. DMZ is still in the area where secure traffic never flows and we
can limit activities in the DMZ with the firewall. Figure 7 shows you the idea.
There are a number of objectives that are common to all firewall cases:
You want to only allow traffic to flow that you have determined is safe and in
your interest.
You want to give away a minimum of information about your private network.
You want to be able to keep track of firewall activity and be notified of
suspicious behavior.
These common objectives translate into a number of rules that you should
always keep in mind:
Anything that is not explicitly permitted should, by default, be denied.
What this means is that when you set up your firewall you should be able to
state exactly what traffic you want to pass through it. It should not be
possible for any other traffic to pass.
You should keep outside users out of your internal network wherever
possible .
Even if you are providing a legitimate service for outsiders to use, you
should not trust them. If possible such services should be placed outside the
firewall (possibly within a DMZ), isolated from your internal systems.
You should do thorough auditing and logging .
You should assume the worst, that at some time your systems will be
compromised by a cracker. At this point you need good logging functions to
allow you to detect the cracker, retrace his movements, and prevent further
damage.
One area that has become part of this battlefield in recent times is the potential
for exploitation of “smart” client function. As the Web browser becomes the
complete do-everything client, Web-based applications start to rely on client side
execution of programs, using techniques such as Java, ActiveX controls and
other plug-in function.
Load balancing between firewalls can be handled with an IBM product called
Interactive Network Dispatcher. The Network Dispatcher has many different
algorithms to divide the network traffic between several firewalls. It will also
provide some level of high availability. When one of the firewalls is down, the
Network Dispatcher will guide the network traffic to available firewalls. Look at
Appendix E, “IBM Firewall Related Products” on page 285 for more information
about Network Dispatcher.
The IBM Firewall has changed names through the years; a brief history of these
changes would be:
1987: Internal release
December 1994: 5765-473 IBM NetSP Secured Network Gateway V1.2
October 1995: 5765-626 IBM Internet Connection Secured Network Gateway
V2.1
July 1996: 5756-626 IBM Internet Connection Secured Network Gateway V2.2
June 1997 5765-C16 IBM Firewall V3.1 for AIX
You can think of IBM Firewall as a tool box you use to implement the functions of
different firewall architectures, both screening filter and bastion. Once you
choose your architecture and your security strategy, you can build the practical
implementation using the tools it provides.
IBM Firewall for AIX is built on standard system hardware and a standard
commercial operating system. Although it starts out as a standard base system,
by the time the firewall code is installed it has been hardened to such an extent
that it becomes a fortress on the network.
There are two user interfaces for configuring IBM Firewall on AIX:
A graphical user interface (GUI) which is a Java application invoked from a
Web browser.
A set of menus under the AIX systems management interface tool (SMIT).
We recommend that you use the GUI for firewall configuration because it
provides a better visualization of the firewall setup. This will reduce the chance
of misconfiguration. In general we will use the GUI for the examples in this
book.
2.1.1 IP Filters
IP filters are tools to filter packets at the session level, based on IP address,
direction, and packet type (TCP or UDP ports, or ICMP ID). The filter rules work
with the IP gateway function, so the machine is required to have two or more
network interfaces, each in a separate IP network or subnetwork. At least one
adapter is declared nonsecure and the other(s) declared secure. The filters act
at all of these adapters. That is to say, the filters do not only control what can
flow from the secure side to the nonsecure side of the gateway but also what
can flow in and out of each adapter individually. This is an important distinction,
because it means that filters are an essential part of any firewall configuration,
even if all traffic through the firewall is handled by a proxy application instead of
2.1.1.1 Implementation
In IBM Firewall you do not normally directly select the IP filters that you want.
Instead, you define the connections that you want the firewall to support and the
configuration dialog generates the appropriate filters. The result is a series of
entries in the /etc/security/fwfilters.cfg configuration file where each line defines
a filter using the following criteria:
Source IP address and mask
Destination IP address and mask
Type of IP protocol
Source and destination service addresses (for example, TCP/UDP port
numbers)
Direction of the IP packet
Network interface
Whether routed through the firewall or not
Whether the IP packet is fragmented or not
Whenever a packet arrives at the IBM Firewall it is compared with each line in
the filter file in turn, until one is found that matches it. At that point the
processing stops and the filter directive (permit or deny ) is applied.
Proxy servers provide network security at the application level (that is why they
are called application-level gateways as well). For a user to make connections
through a proxy server firewall, the user is required to connect to the proxy first,
and then request the proxy to connect to the destination. Since connections are
terminated at the firewall, the proxy server can examine the data of the
connection before sending the data to the destination. In this way, the proxy
server can provide access control based on the application data, such as
authenticated user name. The difference between proxy server and IP filter is
that connections through proxy servers do not require/involve packet routing at
all.
For example, users use FTP client program to access Internet sites. They have
to connect and authenticate (using a password) to the proxy. Having
successfully accessed the proxy (and thus authenticated themselves) they now
have to again issue the command to reach the desired machine on the Internet.
This method is usable also from the nonsecure network to the secure network,
but this raises other important security problems. If you use the Internet to
connect to the bastion, you have to enter your login name and password to be
identified. But, as we have said, you can't know what machines your session
may pass through and some cracker may be looking for login names and
passwords, by wire tapping or using IP trace commands. If they catch your ID,
they may impersonate you and thus get into the organization with your identity.
(Of course, this would only get them to the firewall; they would need to trace the
second command to get past it.) In this scenario, with the proxy server, you can
use a more sophisticated tool of authentication, such as a security identity card.
This mechanism generates a unique key which is not reusable for another
connection. Two security identification cards are supported by IBM Firewall: the
SecureNet card from Axent and the SecureID card from Security Dynamics.
2.1.2.1 Implementation
In IBM Firewall 3.1, the proxy services available are Telnet, FTP and HTTP. The
Telnet and FTP proxy servers, by default, require users to authenticate
themselves at the firewall. Users who access the gateway in this way get a very
restricted operating environment. It allows you to establish sessions onward
into the nonsecure network, using commands such as telnet. They do not allow
you to issue any commands to look at or modify the firewall itself, for example
you cannot do ls, cat, echo, etc.
However, Telnet and FTP proxies can be operated in the transparent mode.
Under this mode, users can use the proxies but do not need to be authenticated
at the firewall, so long as their connections are originated from the secure
network. This reduces the proxy user administration on the firewall, and
provides a more user-friendly interface to firewall users.
The HTTP proxy provides a more efficient way to handle the HTTP protocol and
provides better logging information (such as URL) for firewall administration. It
should be noted that the HTTP proxy does not support user authentication.
Therefore we recommend that you use the IP filter to allow access from the
secure network only.
Once connected, the appearance and the behavior are unchanged. But, this
method needs to have a double connection: one from the client machine and one
from the firewall machine. This is time consuming and will have an impact on
performance.
One of the major advantages of the proxy approach is that you do not need a
special version of the client program on the client machine. Therefore, once you
have installed your firewall, every user recorded in the firewall can have access
to the nonsecure network without any additional software installation.
SOCKS is a standard for circuit-level gateways. It does not require the overhead
of a more conventional proxy server where a user has to consciously connect to
the firewall first before requesting the second connection to the destination.
The SOCKS server results in a similar bastion configuration, since the session is
broken at the firewall. The user starts a client application with the destination
server IP address. Instead of directly starting a session with the destination
server, the client initiates a session to the SOCKS server on the IBM Firewall
host. The SOCKS server then validates that the source address and user ID are
permitted to establish onward connection into the nonsecure network, and then
creates the second session.
SOCKS needs to have new versions of the client code (called SOCKSified
clients) and a separate set of configuration profiles on the firewall. However, the
server machine does not need modification; indeed it is unaware that the
session is being relayed by the SOCKS server. For a comprehensive list of
socksified clients see 8.11, “Using SOCKS Services” on page 195 and E.1,
“Aventail AutoSOCKS” on page 288.
2.1.3.1 Implementation
The SOCKS daemon uses a configuration file, /etc/sockd.conf, to allow or deny
connections through the bastion.
Each line of this file defines a rule that controls access through the firewall. The
following information is present:
User ID or list of user IDs
Address of client and mask
Address of remote server and mask
Operation field and port to define what service or what range of services
Command to execute (very useful to log or to alert)
From the outside view, the name server on the firewall only knows itself and
never gives information on naming inside the private IP network. From the
inside view, this name server knows the Internet network and is very useful for
accessing any machine on the Internet by its name
2.1.4.1 Implementation
Configuration is performed through either the GUI or SMIT. You have to specify
the following:
Nonsecure domain name
Secure domain name
Nonsecure name server
Secure name server
This generates all the necessary configuration files for the firewall domain name
server. It is still necessary to configure the name server in the secure network
to use the firewall service, however. We show some examples of this in
Chapter 11, “Domain Name Service” on page 215.
Figure 11 shows how name resolution requests flow for different combinations of
requester and node.
Notice that only the names and addresses that we want to reveal (and have
defined in the firewall name server) are available to an external host. Notice
also that name requests originating on the firewall itself are treated as those
from any secure network host, since /etc/resolv.conf refers to the secure network
name server.
Normally, you want to have relatively free access in and out of the secure
network for mail traffic. Unfortunately, however, the standard mail daemon,
sendmail, has proved to be a fertile breeding ground for bugs over the years,
many of which have been exploited by crackers. In previous versions of IBM
Firewall, the AIX sendmail daemon is used as a mail relay, but this sendmail
daemon has been replaced. Now the IBM Firewall supports its own secure mail
gateway called SafeMail. It can be configured to forward mail to a mail gateway
within the secure network.
2.1.5.1 Implementation
The implementation assumes that there is a secure mail gateway within the
secure network. The main reason why you would have such a gateway is for
reasons of control, for example:
A single point to handle misrouted files
A common definition for all your distributed nodes
A logical point to perform transformations to other mail formats
A single point to handle aliasing.
For example, you may want your users to have personal mail handlers that
are not related to the machines to which they log in.
You have an option in the system administration folder, the secure mail server,
to configure the IBM Firewall secure mail gateway. If you do so, the firewall mail
relay is automatically started, forwarding traffic between the gateway and the
outside world.
From the point of view of hosts in the nonsecure network, the only mail gateway
they see is the firewall. This is advertised by the addition of an MX record to the
firewall name server definition. Hosts inside the secure network can be defined
either to route internet traffic to the firewall directly, or to route to the internal
mail gateway, which can then forward mail to the firewall. Some examples of
SafeMail are shown in Chapter 12, “Mail Handling” on page 231.
The firewall and the external trusted host establish a connection between them
and they encrypt and authenticate traffic passing between the private networks.
2.1.6.1 Implementation
In order to configure the secure IP tunnel, you will have to add tunnel definitions
and specific filtering rules to tell the IBM Firewall how to encrypt/authenticate
traffic.
The IBM Firewall 3.1 determines the number of users by tracking all the packets
from the secure network, and registering the IP addresses of the secure hosts in
a table, until the number of different IP addresses reaches the limit. After that,
the IBM Firewall logs all packets from the secure network that have new IP
addresses (not in the table), but those packets are not processed.
As you can see, only the IP addresses of the secure network count for
establishing the number of users, not the IP addresses of the nonsecure side.
The entries in the table are not deleted. This means that if you bought a 50
users license, only the first 50 secure IP addresses that send packets to or
through the firewall will be registered in the table. This table is deleted only at
reboot. The only way to modify the limit of users is to upgrade the firewall
software to a different tier.
Installing a new version is disruptive; the user must uninstall the existing firewall
version and then install the new version. The existing configuration files can be
saved for the new installation (i.e., using installp -ug FW will leave all the
existing configuration files intact).
Before we show detailed examples of how to set up the firewall controls, we will
consider the characteristics of the different IP protocols to gain a better
understanding of what the firewall looks for.
ÚÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
³ Version ³ Length ³ Type of Service ³ Total Length ³
ÃÄÄÄÄÄÄÄÄÄÁÄÄÄÄÄÄÄÄÄÁÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ´
³ Identification ³ Flags ³ Fragment Offset ³
ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÁÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ´
³ TTL ³ Protocol ³ Header Checksum ³
ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÁÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÁÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ´
³ Source IP Address ³
ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ´
³ Destination IP Address ³
ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ´
³ Options ³ ³
ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÁÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
Figure 13. IP Packet Header Format
The source address, destination address and protocol ID are used by the firewall
filters to define which machines can access which particular service.
The IP specifications allow packets of very small sizes. The minimum packet
size that can be sent according to RFC 791 is 68 octets. The problem here is
that this packet size is not enough to carry the complete information for upper
layer protocols. This leads to an attack technique called the tiny fragment
attack .
The ICMP messages that most people are familiar with are the ones that are
generated by the ping command, but in fact there are many different types of
ICMP messages. Ping generates an ICMP echo request message and expects to
receive an echo reply message in response. Echo request is a relatively safe
message, but any of the ICMP messages can be used by an outsider in order to
gain some knowledge of your network or to directly attack your system. Also,
like every protocol that you allow, ICMP messages can be used to overwhelm
your systems in a denial of service attack.
Each ICMP message consists of a type plus a code, both of which are small
integer values. Unlike the higher layer protocols, such as TCP or UDP, there is
not a source port nor a destination port, just the message type and code.
When configuring firewall filters you could disable all ICMP messages in both
directions, if you don't care about the different types of message. This may
make it difficult for you and your users to troubleshoot access problems, but will
be safer and simpler for you. You also have to consider that some ICMP
messages are used by network management applications (principally echo and
address mask).
We now look at each of the ICMP message types. For each message type we
describe ways in which it could be abused by an attacker and suggest a suitable
filtering policy. We show examples of the firewall connection definitions to
implement our suggestions in 6.20, “Filtering Specific ICMP Messages” on
page 130. There is a summary of all the ICMP message types and codes,
including RFC information where appropriate, in Appendix B, “Summary of ICMP
Messages Types” on page 273.
Description: The echo (also called echo request) message is used to check if a
host is up or down. When a host receives the request, it sends back an echo
reply message. These messages are usually generated by a ping command, but
may also be generated by a network management station that is polling the
nodes of a network.
You could consider enabling this facility to some key hosts, such as the router of
your network provider. You might allow incoming pings to the nonsecure
adapter of the SNG.
You should receive these messages, as they may provide useful information for
troubleshooting. You should only send them through the secure interface,
because if you send them through the nonsecure interface, it will help outsiders
to map the services that you are offering.
Router R1 realizes that it sent the packet through the same interface on which it
was received. So instead of R1 receiving messages for M2 from M1 and then
resending them to router R2, it sends a redirect message to M1 telling it to use
R2 as the router in order to reach M2 (see Figure 17 on page 29).
Machine M1 receives the ICMP redirect message from R1 and updates its
routing table in order to be more efficient (see Figure 18).
Our recommendation is to send and log this packet, but not to receive it, as your
routing tables should be determined only by you. It is also recommended to
Firewall Considerations: Enable this for incoming packets so your hosts can
perform error recovery. For outgoing packets, allow all fragment reassembly
time exceeded messages but not the TTL exceeded messages.
The reason that we recommend blocking TTL exceeded messages from going
from the secure network to the nonsecure network is that an attacker can use a
tool called traceroute to find out which hosts are the routers in your network.
This tool manipulates the TTL option of a UDP packet, in order to receive an
ICMP TTL exceeded message in response (see 6.15, “Traceroute” on page 118).
Blocking the outgoing TTL messages will help you hide your network structure.
Description: The time stamp message is used to know the time in milliseconds
since midnight. It receives as an answer a time stamp reply message.
Description: This message is used by a host that is booted across the network
to learn in which IP network it is located. It sends an information request packet
with both the source and target fields set to zero. The replying host will send
the reply with the complete address specified, so the host will now know which
IP address it must use.
These messages are obsoleted by new protocols, like RARP, BOOTP and DHCP.
Also RFC 1122 says that a host should not implement this protocol.
Firewall Considerations: This message is for local networks only, so it does not
need to cross a router. The IBM Firewall should not generate requests, because
it knows its IP interfaces, and certainly there is some better place to generate
the replies than your firewall, so block it.
Description: The address mask request message is sent when a node wants to
know the address mask of an interface. It expects to receive as an answer an
address mask reply message containing the mask of that interface.
Description: These messages are used by hosts in order to learn the domain
associated with an address. The host sends a domain name request message
and receives as an answer a domain name reply. It is specified in RFC 1788,
and the current status of the protocol is experimental.
The idea of this protocol is to substitute the IN-ADDR domain defined in the
domain name server (the one that is used in order to translate IP addresses to
domain names). Using this protocol, each host will be responsible for the
translation of its own IP addresses. The RFC requires every host to implement
an ICMP domain name server and also suggests that every host should
implement an application for sending the ICMP domain request.
TCP provides the application with a reliable end-to-end connection. It takes care
of retransmission, lost and duplicate packets and reordering of packets. When a
host establishes a connection to another machine using TCP/IP, both hosts will
be able to use the same connection in order to send information (that is, it is a
two way channel).
ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
³ Source Port ³ Destination Port ³
ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÁÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ´
³ Sequence Number ³
ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ´
³ Acknowledgment Number ³
ÃÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÄÄÂÄÂÄÂÄÂÄÂÄÂÄÂÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ´
³ Data ³ ³U³A³P³R³S³F³ ³
³ Offset³ Reserved ³R³C³S³S³Y³I³ Window ³
³ ³ ³G³K³H³T³N³N³ ³
ÃÄÄÄÄÄÄÄÁÄÄÄÄÄÄÄÄÄÄÄÁÄÁÄÁÄÁÄÁÄÁÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ´
³ Checksum ³ Urgent Pointer ³
ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÁÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ´
³ Options ³ Padding ³
ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÁÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ´
³ Data ³
ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
Figure 19. The TCP Packet Header
From the firewall point of view, the most important parts of the TCP packet are
the source port, destination port and ACK bit. The source port and the
destination port are used to identify which process is using a TCP connection. A
TCP/IP connection is uniquely defined by:
< Source Address, Source Port, Destination Address, Destination Port >
There are some particular ports that are reserved for specific applications, while
others are dynamically allocated for the processes that need them. The
reserved ports are normally referred to as well-known ports . For example, port
number 23 is reserved for incoming Telnet connections. Port numbers below
1023 are usually described as privileged , meaning that an application needs root
authority to use them. This is only a convention, so you cannot base your
security policy on it, but one side-effect is that the client end of a TCP session
Let us now see how a TCP connection is established. A TCP session is initiated
by a three-way synchronization sequence as shown in Figure 20.
Client Server
1 SYN ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄH
2 IÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄSYN/ACK
3 ACK ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄH
Figure 20. TCP/IP Synchronization Sequence
The acknowledgement (ACK) flag is used by one end of a session to tell the
other end that its previous packet was received. The result is that the only
packet in the TCP/IP session without the ACK flag set is the SYN packet that
creates the session in the first place. So when a connection is created, the first
packet does not have the ACK flag set, but all the following packets will have it.
Firewall rules use this to control the direction in which a session can flow. If we
want to prevent someone from creating connections from the outside (unsecure
network) to the inside, we can specify a rule with a protocol specification of
tcp/ack . This will block the first packet, thereby preventing the establishment of
a connection.
However, it is possible to scan a network without sending any packet with the
SYN bit on. In order to do this, the attacker sends a packet that looks like
something from the middle of a legitimate session, that is, with the ACK bit on.
If the destination port is active, the host will realize that it is not part of a
session in progress and send a reset response. If the port is not active, there
will be no response. Other types of TCP packets may be used to perform similar
types of scanning, such as a packet with SYN:FIN, ACK in the header or one with
the flag field set to 0. All of these packets will be rejected, but the fact that they
are rejected provides some information about the target machine. This is called
stealth scanning .
If you want to allow IP forwarding on the firewall and rely on the SYN control,
you must be aware that your network might be scanned using these techniques.
Should you care about this? After all, the attacker cannot establish a useful
session this way. The danger is, that it provides a way of mapping the contents
of your secure network. This knowledge may not be directly useful, but it can
become useful if combined with some other back door access. The lesson is
this: wherever possible your firewall should be completely dual-homed and not
allow any IP routing.
Unlike TCP, UDP does not provide the application with a reliable end-to-end
connection. Once a UDP packet has been sent, the sender has no knowledge
about whether it has arrived or not. It is therefore up to the application to
provide acknowledgment and sequence control, if required. UDP is
connectionless. That is, each message is a separate entity with no expectation
of responses or subsequent request messages. Applications will often mimic the
operation of a connection-oriented protocol, for example, a client may use a
dynamically allocated port to send a message, and then listen on that same port
for a response.
From the firewall point of view, the only important parts of the UDP packet are
the source port and destination port. The source port and the destination port
are used to identify which process is using a UDP connection. A UDP/IP
connection is uniquely defined by:
< Source Address, Source Port, Destination Address, Destination Port >
As in the case of TCP, certain well-known ports are reserved for specific
applications. For example, DNS uses port 53, and SNMP uses ports 161 and 162.
Because of its connectionless nature, UDP does not have the three-way
synchronization sequence of TCP (see Figure 20 on page 34). This means that
we do not have the ability to create rules based on the direction in which a
session is established. As a result you should avoid routing UDP sessions
through the firewall directly. If you do allow them through, you should only allow
specific pairs of known end points.
When installing IBM Firewall 3.1 please keep the following points in mind:
Keep It Simple and Secure (KISS).
Physically secure your system in a locked area.
Make a checklist of things you change so you can periodically check to make
sure those settings are still the same.
Consider how secure the network structure is between your firewall and the
secure network.
Run the minimum number of services necessary (KISS).
User IDs should be kept to a minimum and set up using IBM Firewall 3.1.
Remove any compilers, assembler or any other computer language that
allows system calls.
Remove tracing tools, for example tcpdump and iptrace.
Use the audit and logging functions to monitor the system.
4.1 Requirements
The software and hardware requirements for IBM Firewall 3.1 include the
following:
AIX Version 4.1.5 or later (we recommend 4.2.1)
A Uniprocessor RISC System/6000 supported by AIX 4.1.5 or above
At least two network interfaces
At least 64 MB physical memory
We recommend that you install AIX from scratch for IBM Firewall 3.1 and aim to
install a minimal system. A fresh install of AIX will ensure you don't have any
other software installed except the minimum you will need to run IBM Firewall
3.1.
Take the option to install the Trusted Computing Base, as it can only be installed
during AIX installation. This will give you the option of later using it to add a
further level of security to your system.
Use lslpp -l fileset.name to see if these are installed. Use smit install_latest
to install them.
Use the preview option in smit before every install/patch. It will help you
identify problems before you actually begin modifying things.
bos.net.tcp.server 4.2.1.5
bos.net.tcp.client 4.2.1.9
bos.up 4.2.1.6
bos.net.ppp 4.2.1.1
bos.rte.security 4.2.1.5
bos.rte.libc 4.2.1.5
bos.net.tcp.smit 4.2.1.1
Note: These are the patches that were available in November 1997.
SNMP Support
To enable SNMP support in IBM Firewall 3.1 you will need to install the
SystemView agent filesets:
Chapter 4. Installation 39
4.2.1.4 Filesystems
As the system typically will need to spool mail and log plenty of syslog output, it
pays to keep /var big enough right from the start. Larger sites might have 1 GB
or more of spool space. Of course the root file system should be big enough to
not accidentally run into a full root file system problem. In our case we
expanded the / filesystem to 8 MB and /var to 200 MB.
Log files from smit (smit.log smit.script) can erode space in the root file
system. Keep an eye on them, or link to somewhere else, for example /tmp
(don't forget skulker!).
Use smit chfs to increase the size of the filesystems. We used chfs -a
size=16384 / to increase root to 8MB and chfs -a size=409600 /var to increase
var.
Note: A separate filesystem to store log files will help avoid problems with the
log filesystem filling up.
Keep an eye on the amount of paging space your system uses with lsps -a.
4.2.2 Users
During the installation of IBM Firewall 3.1, all users other than root, daemon, bin,
adm and nobody will be removed. The root account will be disabled for remote
logins.
For all user IDs in the system that are not used for regular logins, you should
define a mail alias that transfers the mail to a local administrator. Otherwise,
mail could pile up accidentally in a mailbox without anyone ever noticing it.
Note: You can further optimize the performance of your system using
Understanding IBM RS/6000 Performance and Sizing , SC24-4810-00.
After the installp process is complete it is necessary to reboot the machine . The
installp messages tell you to do this, but it is easy to overlook them.
Start the installation program at the AIX command line with smitty
install_latest. You need to define the installation media (CDROM or Local Disk)
and select the components that you need to install. These are:
3.1.1.0 Base IBM Firewall
3.1.1.0 IBM Firewall Common Libraries and Catalogs
3.1.1.0 IBM Firewall Remote Configuration Client
3.1.1.0 IBM Firewall Report Generation Utilities
We tried to install only the Base and Common Libraries, but ended up installing
the lot as the others are requisite filesets of the base.
à ð
á ñ
Figure 22. Preview Install of IBM Firewall 3.1 Using smitty
Chapter 4. Installation 41
− inetd
Startup entries are added to /etc/rc.tcpip for IBM Firewall 3.1 components.
All unnecessary functions are removed from /etc/inetd.conf.
The remaining functions in /etc/inetd.conf are:
− ssld
− Proxy ftp
− Proxy telnet
− Remote configuration server ibmfwrcs
All users are deleted except root, daemon, bin, adm, nobody, and any
previous IBM Firewall users.
Groups ecs, uucp, and usr are deleted.
All files and directories not owned by any user are deleted.
Nonsecure applications are disabled.
These nonsecure applications were disabled on our system:
− /usr/bin/tftp
− /usr/bin/utftp
− /usr/sbin/tftpd
− /usr/bin/uucp
− /usr/sbin/uucpd
− /usr/bin/rcp
− /usr/bin/rlogin
− /usr/sbin/rlogind
− /usr/bin/rsh
− /usr/sbin/rshd
Any previous IBM Firewall users are migrated to this new version.
The file system integrity checker database is generated.
The recommended method is to configure the firewall remotely with the remote
configuration client.
Local configuration is possible with SMIT, but the GUI is easier to use. If you
want to use the GUI locally you will need X-Windows, which really shouldn't be
installed on a firewall.
To allow the remote configuration client to connect to the firewall, we made two
changes to the /etc/security/rcsfile.cfg file:
1. Replace local=yes with local=no.
2. Replace encr=none with encr=ssl.
You also have to install the remote client configuration software on a machine
with a Java-enabled browser in your secure network.
Don't Forget!
If you enable the default rules in IBM Firewall 3.1 you won't be able to
remotely access the machine until you modify the rules to allow remote
access.
Complete instructions for generating an SSL Key with the mkkf command are in
Chapter 5, "Using the Make Key File Utility (MKKF)" of IBM Firewall For AIX
Reference Version 3.1.1, SC31-8418-00.
Note: The default key file is called fwkey.kyr. If you want to use a different
keyfile name, make sure you change /etc/security/rcsfile.cfg to point to your new
keyfile name.
Chapter 4. Installation 43
4.3.3.6 Create an Administrator User
The three levels of user security in IBM Firewall 3.1 are:
1. Root
2. Firewall Administrator
3. Firewall User
You can only create a user a security level below yourself. For example only root
can create a Firewall Administrator.
To make initial creation of users simpler we enabled remote login for the root
user with the command chuser rlogins=true root. This will allow us to log in as
root from the remote configuration client. We will turn this ability off later using
chuser rlogins=false root. Allowing remote logins for root is a very bad idea, but
not an unreasonable step during installation.
Note: You can create a firewall administrator user account with smit fw_add_usr
on the console as root if you wish to avoid enabling remote root login.
First we logged onto our administration RS/6000, then set our DISPLAY
environment variable for X-Windows. We then started the IBM Firewall 3.1
Configuration Client with the command fwconfig.
The system presented us with the logon screen shown in Figure 23.
Note: If you would like more information on the options on the following panels
use the online help or refer to Chapter 10, "Administering Users at the Firewall"
of IBM Firewall for AIX Users Guide , GC31-8419-00.
From here we selected Users to get to the User Administration screen shown in
Figure 25 on page 46.
Chapter 4. Installation 45
Figure 25. List User Screen
We will now create one more administrator account by selecting < N E W > .
You can modify these settings later to be more restrictive after you have
completed your installation if you like.
We selected the Password tab to see the Set Password panel seen in Figure 27
on page 48.
Here we set the password for the new user. The default password settings were
sufficient for our needs.
Chapter 4. Installation 47
Figure 27. Defining the Password for a New User
The final tab in the Add User screen is Administration (see Figure 28 on
page 49). We selected this but were happy with the defaults here also.
This is where you can begin to assign different jobs to different administrators.
The disabled options become enabled if you select Enterprise.
Don't Forget
A newly created user will need to set their password. The initial password
can be set in IBM Firewall 3.1 but the user must still set a new password
before they will be able to log on with the Remote Client.
Chapter 4. Installation 49
4.3.4 Checking Network Security
After having set up the firewall, how do you check its security? There are many
ways to do checks; you will have to find a combination of the tools and
commands available that suit your needs. We discuss using testing programs to
probe for weaknesses later in this book using a variety of tools. See Chapter 13,
“Testing Your Configuration” on page 243.
The key to your firewall's protection is its logs. This is how it warns you of
attacks and other problems. In Chapter 14, “Logging” on page 251, we discuss
ways to extract information from your log files, and other useful tools that can
help you.
/etc/security/fwconfig.map
Unfortunately we did not have sufficient time to run a replication test and must
caution you not to try this without thorough testing.
exit
This file contains the user ID, the user name, the password, and the
authentication method for FTP from the secure side (secftp), telnet from the
secure side (secauth), telnet from the nonsecure side (remauth) and remote
IPsec client from the nonsecure side (remip).
We selected a few parameters of the fwuser command; you can modify the script
to accept other parameters.
Chapter 4. Installation 51
52 Protect and Survive Using IBM Firewall 3.1 for AIX
Chapter 5. IBM Firewall 3.1 Rule Base
The control mechanism of the firewall is defined by a rule base. Here we
describe the contents of the rule base and work through some simple examples
of defining rule base objects. In the next chapter we look at a number of
services that you may want your firewall to handle and describe the rule base
objects you will need to define.
The recommended way to configure the rule base is to use the browser-based
GUI. It is also possible to set up the rule base by using SMIT, but because it is
easy to follow the same route in SMIT, we will only describe the GUI
configuration.
For example, imagine you have a connection that permits Telnet between a
client in the secure network and the proxy server on the firewall. The service in
this case is Telnet. To be precise, it is a session from an unprivileged client port
to TCP port 23. The source object in this case is any IP address in the secure
network, and the destination object is the firewall.
The only default object is The World, an object that is matched by any IP
address.
5.1.3 Services
A service defines the type of IP traffic that is permitted or denied between a
source and destination object. For example, you could construct a service to
permit Telnet, or a service to deny Ping.
A service is built of one or more rules. IBM Firewall provides you with a large
collection of commonly required rules and when building a service you can
usually find the rules you need predefined. If you don't find the rule that you
need, you have to create an extra rule before you define the service. You also
have the ability to move rules up or down in the service, to create a specific
order in the rules.
When you configure a service you do not specify the objects (that is, network
addresses) between which it operates; you define the objects when you place
the service in a connection definition. However, you do need to know what type
of objects a rule applies to, because you have to define the direction of flow for
each rule within the service definition. For example, a service that defines a
TCP session from a client to a proxy server on the firewall will only operate as
intended if it is included in a connection whose destination object is a firewall IP
address.
If the rule has a green arrow (arrow points to the right) the filter defined by the
rule applies to packets flowing from the source to the destination object. If the
rule has a blue arrow (arrow points to the left) the source object and destination
object are swapped, so the rule applies to flows from destination to source. For
example:
There are two types of rules: deny rules and permit rules. They define which IP
packets are blocked (denied) or allowed to pass (permitted) at which firewall
interface. The packets can be filtered on all characteristics described in
Chapter 3, “Getting to Grips with IP Packets” on page 23. The following fields
must be entered when defining a rule:
We give some suggested rules for a naming convention which you may want to
follow, or use as a basis for your own. For the names we use only 2 or 3 words
and for the description we explain the name better. We place the most
descriptive word first in the name, so that all of the definitions that are related to
each other appear together when they are presented in an alphabetical list. For
example:
Remember don't use the pipe symbol |, quote ', or double quote " in the names
and description. Also, remember that you can see any of the rule elements as
fields in the rules list; you just need to click the button labelled with the name of
the field that you need (so, for example, in Figure 39 on page 66 we could add
the Directon field to the rule list display by clicking on the button at the top of the
list).
When you want to implement your connections there are basically two possible
types of connections. The first type, and most easy to implement, is a standard
connection. This connection can be built with predefined services. The following
services are predefined:
Telnet
FTP
HTTP
SOCKS
SSL
SMTP
RealAudio
Identd
SNMP
Ping
DNS
SecureID
Tunnels
Remote Logging
Firewall Configuration
First, start the configuration GUI using the fwconfig command and then select the
connection option from the navigator pane on the left of the display. A list of
existing connections will appear, as shown in Figure 32. In the list select NEW
and click on Open to create a new connection.
Figure 33 on page 62 shows the new connection screen, where you must define
all the parameters. First, enter the name and the description of this connection.
Remember to use a convention for all the names, as this will make future
definitions and modifications easier.
Secondly you need to define the source object and destination object. Click on
Select to select each one from the object list. If you have not already defined the
object, you can select New to define it. The only object predefined is The World,
so we will have to define both the source and destination objects to construct
our example. Figure 34 on page 63 shows the definition for our source object,
representing any address in the secure network. After you have defined the
object click OK, then select the new object in the object list and click OK to place
the object in the source object field. This procedure must be repeated for the
destination object, the firewall itself. Figure 35 on page 63 shows our definition
for this object.
Finally you need to select the service between these objects. Click on Select
and a list of all the defined services will appear. In this case we are using a
standard service, so select the line named "Permit Proxy Telnet Outbound" and
click on OK. Figure 36 on page 64 shows the services list.
Figure 37 on page 65 shows the final result. Click on OK to save the connection
definition.
Now you need to activate the rule base and the filters file will be rebuilt. We
describe this in 5.2.3, “Rule Base Activation” on page 69.
In this example we need a rule that permits inbound TCP packets on port 400 of
the secure interface. This does not exist so we must create a new rule.
It is very important to assign a clear name to a rule. For example, do not use
the name of a source or destination in the rule name, because they are
independent of the rule. A good name may be: "Permit CUST Inbound 1". By
giving rules clear names, it is also easier to reuse your rules. In the rule list
double click on < N E W > as shown in Figure 39. Fill in the parameters for the
new rule, as shown in Figure 40 on page 67. Notice that we have been very
specific in defining the rule: it will only allow packets for our CUST application to
pass if they appear inbound on the secure side of the firewall.
This rule only deals with one direction, client to server. We also need to create
a rule for the response packets from the server to the client. The construction of
this rule is visualized in Figure 41 on page 68. The differences from the first
rule are:
The protocol is now TCP/ACK.
Source and destination criteria are swapped.
The direction is now outbound.
After creating this rule we can build the "Permit CUST" service that invokes the
new rules. Select Traffic Control then Connection Templates, and Services. from
the initial GUI navigator pane (see Figure 24 on page 45). You will see the list
of existing services. In the list double click on < N E W > to see the new service
dialog screen shown in Figure 42 on page 69.
Notice that the flow of the second rule has to be changed, because it applies to
packets in the reverse direction (destination to source).
Finally, we can configure a connection, in the same way as for the previous
example (see 5.2.1, “Standard Connections” on page 61) with the following
content:
Source object Secure Network (created in the previous example).
Destination object Secure Firewall (also created in the previous example).
Service Permit CUST.
Figure 43 on page 70 shows the options in the rule base activation window:
Regenerate Connection Rules and Activate. If you choose this option the
filters file will be created, using your definitions of connections, objects,
For a more extensive discussion about all the possible services, we recommend
referring to Building Internet Firewalls (Chapman and Zwicky).
It is good practice to use deny rules at the end of each section of rules that
permit a given service, instead of relying on the implicit default deny everything
rule (see 5.1.1, “Connections” on page 54). This will prevent problems that may
arise if the rules file contains a later misconfigured permit rule.
In most of the examples below, we show two diagrams. The first is a schematic
diagram of the network connection we are trying to achieve. The second
represents the combination of rules, services and objects that make up the
connection definition in the firewall rule base.
You may also wish to place other rules near the top of the rule base, for
example, to control broadcasts or prevent routed traffic. We will consider each
of these in turn.
A classic attack of this type is the TCP sequence number prediction attack. In
this attack, the attacker does not need to receive any packet from the attacked
host. It needs to be able to send packets and it also has to predict the TCP
sequence number that will be used by the attacked machine in its replies to the
impersonated machine (so that it can acknowledge them).
To protect your network from address spoofing and routing corruption attacks,
you should add a couple of connections to reject packets that have a source
address within the secure network, but which appear on the nonsecure interface
of the firewall (see Actually Useful Internet Security Techniques by Larry Hughes
for a more complete discussion).
The following connections implement this policy. These should be the first two
connections in your rule base.
The two rules used in these connections are not part of the standard rule base,
so you have to create them and the two services that use them.
However, if you want to be more selective about which ICMP messages you want
to allow to flow, you may want to add the connections described in 6.20,
“Filtering Specific ICMP Messages” on page 130.
The three network objects in this connection, which are collected together in the
All Private Ranges group are all the nodes in the ranges defined in RFC1597.
That is to say, the following:
Private A: Address = 10.0.0.0 Mask = 255.0.0.0
Private B: Address = 172.16.0.0 Mask = 255.240.0.0
Private C: Address = 192.168.0.0 Mask = 255.255.0.0
You may think that you do not have these addresses in your network, but in
practice they are often used for testing purposes, so they may appear without
warning.
This rule can also be set by using the Security Policy panel (see 6.23, “Using
Security Policy” on page 134).
6.2.8 Broadcast
Broadcasts should be blocked in order to reduce network traffic on the firewall.
You also should be aware of multicast traffic, for example, the all host multicast
address (224.0.0.1). See RFC 1112 Requirements for Internet Hosts --
Communications Layers for information about IGMP (Internet Group Management
Protocol) and multicasting. Denying broadcast and multicast packets can cause
excessive logging, so it is recommended to switch logging off for these "denial
services".
The second rule only stops broadcast to 255.255.255.255; you may want to modify
it for your specific case. You should use the inverse of the subnet mask used for
the nonsecure interface as the broadcast address to stop.
Similar rules can also be set by using the Security Policy panel (see 6.23, “Using
Security Policy” on page 134). The rule created when you check on "Deny
braodcast to non-secure interface on the Security Policy panel is:
deny 0 0 0.0.0.255 0.0.0.255 udp any 0 any non-secure both both
6.3 Telnet
Telnet is a protocol used to emulate terminal sessions. Telnet servers normally
use TCP port 23, while the client uses one of the nonprivileged ports (starting
from port 1024). Telnet uses passwords in order to authenticate the user. These
passwords cross the network unencrypted.
The Telnet client may also be used to access other TCP-based services, for
example, electronic mail (SMTP).
Even if you use one-time passwords, there are some serious security concerns.
There have been attacks in which intruders anticipate a user connection being
made. Once the user is authenticated the intruder hijacks the connection and
starts to send its own packets (see CERT Advisory CA-95:01).
The only case in which you can safely allow incoming sessions is if you are
using some encryption technique, such as the Secure IP Tunnel provided by IBM
Firewall or the ones described in 6.22, “Secure Terminal Emulation” on
page 133.
The following connection permits you to log in to a host in the secure network
from the firewall, using Telnet. The first rule in the service allows traffic to be
initiated by the firewall to any Telnet server in the secure network (TCP port 23).
The second rule allows the Telnet Server (TCP port 23) to reply. The connection
uses standard, predefined rules and service.
Notice that we are using the tcp/ack format to prevent misuse of port 23 to
establish a session (for example, a connection from port 23 to the SOCKS server
in port 1080).
Telnet Using Proxy: Telnet with a proxy is a two-step connection. First the user
logs into the firewall with a normal Telnet session. Once on the firewall, they
use Telnet again to reach the final destination (which might be some other TCP
Figure 57. Telnet from Secure Network to Nonsecure Network Using Proxy
A connection definition can only reference one pair of network objects (source
and destination). Because there are two parts to the session, one on either side
of the firewall, we need to define two connections to describe it, as follows:
You will find a more detailed description of this process in 8.8, “Using the
SOCKS Server” on page 190. As the ident authentication is optional, it is
described in its own subsection (see 6.13, “ident” on page 116).
The first part of the session is very similar to the proxy case, except using the
SOCKS port instead of tcp/23, as follows:
The second connection in the session is the same as Figure 59 on page 84.
In this case there is an incoming connection that must be allowed from port 20 to
an unknown port. This allows outsiders to misuse port 20 (see 3.1.4.1, “Source
Porting” on page 34) so it is recommended to allow incoming connections only
to the proxy server where you can limit the number of services that you provide.
This avoids the problem of the incoming connection, but requires you to access
nonfixed ports for the data channel connection (see RFC 1579, Firewall Friendly
FTP for a complete discussion about FTP in a firewall context).
Normal Mode Routing, from Secure Network to Nonsecure Network: This cannot
be allowed, as it requires incoming connections from TCP port 20, which would
expose you to an attack by someone misusing the ftp-data port as a source port
(see 3.1.4.1, “Source Porting” on page 34).
Normal Mode FTP from Firewall to Secure Network: The following connection
allows the outbound control session to port 21 and the inbound data session
from port 20. All of the rules within the connection are from the predefined set.
FTP Proxy from Secure Network to Nonsecure Network: This can be allowed,
but remember to protect any tcp services that the Firewall is providing on
nonprivileged ports (normally this is only SOCKS, unless you have added some
other service).
In this case the FTP client connects to an FTP server on the firewall. Once there,
it is authenticated by the server in the normal way. Once the user uses the
quote site command, the proxy connects to the server. To this point, we only
have control sessions from the client to port 21 on the firewall and from the
nonsecure side of the firewall to port 21 on the target server. When the user
gets or puts a file, the FTP client will specify a mode for the transfer (either
normal or passive). The FTP proxy will use the same type of transfer to connect
to the final server.
Figure 66. Normal Mode FTP from Secure Network to Nonsecure Network Using Proxy
The following connections provide FTP access from secure network to nonsecure
network using the proxy server:
FTP from Secure Network to Nonsecure Network Using SOCKS: The rules for
FTP using SOCKS are very similar to the ones for the proxy. The difference is
that in this case, the client only uses passive mode. You have to change the
destination of the client's connection from 21 and gt 1023 to the SOCKS server
on port 1080 and define only the passive mode rules.
You can create this connection by using the standard SOCKS connection
definition for your secure network and a connection which uses a service that
can be created easily by copying the service "Permit Proxy FTP Outbound 2/2"
and removing 2 rules, see Figure 69 on page 93.
As the SMTP protocol doesn't provide any control, a very important point in this
service is to educate your users. Any user on the Internet could send E-mail
messages with a forged origin, so you should tell your users that the apparent
source of an E-mail message cannot always be trusted, unless the message is
signed by a strong authentication mechanism such as Pretty Good Privacy
(PGP). Fortunately, IBM Firewall will log the IP host name of the message
sender, not the one that is specified in the SMTP connection handshake (in the
HELO command)
There are many possible configurations for handling mail using IBM Firewall.
We will discuss a few of them in Chapter 12, “Mail Handling” on page 231. For
the purpose of this filter rule example we assume a desired configuration of a
mail server in the secure network (M.M.M.M) and the use of the safemail
gateway provided by IBM Firewall to deliver mail between the secure network
and the nonsecure network.
Since the sessions between the mail daemons may be set up in either direction,
depending on where the mail arrives from, the connections have been designed
to cater for either case.
In our configuration, the internal DNS is responsible for resolving addresses for
clients in the secure network (this includes the firewall). The firewall DNS is
responsible for hiding internal information from outsiders and also for resolving
outside addresses requested by the internal DNS.
The first connection permit requests and replies between DNS on the firewall
and the internal DNS. It also allows the firewall itself (using resolv.conf) to
resolve addresses from the secure network (directly) and from the nonsecure
network, in which case the request will be forwarded to DNS on the firewall and
then outside.
The second connection allows requests and replies between DNS on the firewall
and the nonsecure network (to allow the firewall to resolve an external address
on behalf of the internal name server).
100 Protect and Survive Using IBM Firewall 3.1 for AIX
The final connection allows the use of TCP for DNS zone transfers, so a server
can retrieve, with just one connection, a whole sub-tree of the DNS name space.
This requires two connection definitions. The first is a standard Socks client
connection, as shown in Figure 61 on page 85. The second is shown below.
Note that the rules used in this connection are not part of the predefined set, so
they have to be manually added.
In the above case, the news server is outside the firewall, either in a remote
network or in the DMZ. Often it is more convenient to have a news server in the
secure network, in order to store news locally. This avoids duplicated traffic and
allows you to restrict the news groups to only those that you would like to
provide. You may also want to provide some internal news groups, which are
not broadcast outside the firewall. If you do put a news server inside the secure
network, you will receive news from an external news feeder to the news server.
There is no standard proxy for NNTP in IBM Firewall, so the simplest approach is
to allow IP forwarding of these packets.
The following connection definition can be used. As with the previous NNTP
case, the rule definitions must be manually added, but in this case we can
exploit the facility to reverse the direction of a rule, so in fact the first and third
rules are identical, as are the second and fourth.
102 Protect and Survive Using IBM Firewall 3.1 for AIX
Figure 80. NNTP Routed through the Firewall
If the tcp_relay program is used as NNTP proxy, the internal news server should
be configured to receive news feed from the secure side of the firewall, not from
the external news feeder. Similarly, the external news feeder should feed news
to the nonsecure side of the firewall.
Figure 81. NNTP: News Server Using the tcp_relay Sample Program
104 Protect and Survive Using IBM Firewall 3.1 for AIX
Figure 82. NNTP between Internal Server and tcp_relay
As before, the rules are in pairs, with the flow of one pair being reversed.
106 Protect and Survive Using IBM Firewall 3.1 for AIX
6.8 HTTP - World Wide Web Sessions
The World Wide Web (WWW) is a collection of sites and services, loosely
connected by a network of inter-document links. The normal way to access this
network is using a graphical browser interface such as Netscape Navigator,
Microsoft Internet Explorer or NCSA Mosaic.
From a technical point of view the main vehicle for WWW documents is the
HyperText Transfer Protocol (HTTP). This is a lightweight protocol for requesting
and receiving information using any encoding mechanism recognized by both
the client and server. HTTP is a stateless protocol, that is, the server retains no
continuing session information about a client. This has the benefit of allowing
great simplicity and extensibility at the expense of some network bandwidth
overhead.
WWW hyper-links do not always lead to other HTTP connections. Often they will
take you to an anonymous FTP or gopher site. When you select the hyper-link to
such a site, the WWW browser software invokes the appropriate service under
the covers. So when you plan to provide this service, you should also consider
the other related protocols.
As you can see from the previous description, most of the complexity of WWW
lies in the higher-layer application code (which is a source for security concern,
particularly as the content of Web documents becomes more interactive and as
Web browsers become smarter). See Safe Surfing: How to Build a Secure World
Wide Web Connection , SG24-4564, for more information.
If you are going to provide a Web server for access by the rest of the world, it
should be outside your secure network, ideally in a DMZ. The reason for this is
that such servers are, by the nature of the application, likely to be complex and
therefore vulnerable to attack. If you can isolate your server by putting it outside
your secure network, you are limiting the damage that such break-ins can do.
Many examples of attacks on Web servers have been demonstrated, so you
should follow the CERT advisories to check if you are exposed.
SOCKSified Client: In this case, clients in the secure network connect to the
SOCKS server on the firewall, which relays their sessions into the Internet. One
disadvantage of this configuration is that there is no caching of documents, so if
multiple users load the same document, it will be retrieved multiple times.
This configuration requires two connections. The first is the familiar SOCKS
client connection shown in Figure 61 on page 85. The second connection is as
follows:
108 Protect and Survive Using IBM Firewall 3.1 for AIX
Figure 85. HTTP from SOCKS to Nonsecure Server
The filtering rules for this case are the same as for the Socksified Client, except
that instead of allowing connections from every client in the secure network, you
can restrict them to the proxy server only. You could also restrict access to the
SOCKS server so that only the proxy server can use it for HTTP. To do this, you
would put the following lines in the sockd.conf file:
# Restrict socksified HTTP Connections (port 80) only to HTTP Proxy
permit p.p.p.p 255.255.255.255 eq 80
deny 0.0.0.0 0.0.0.0 eq 80
Using the IBM Firewall HTTP Proxy Server in Place of SOCKS: The two
previous examples (“SOCKSified Client” on page 108 and “Socksified Proxy” on
page 109) both use the SOCKS server to relay sessions through the firewall. In
each case you could replace it with the HTTP proxy server that comes as part of
IBM Firewall by simply using rules that permit access to the proxy port (usually
tcp/8080), in place of the SOCKS port (tcp/1080).
Proxy in the Secure Network with IP Forwarding Enabled in the Firewall: This
has the disadvantage that you must enable IP forwarding in the firewall, but it is
relatively secure because the filter rules are very restrictive (just one host and
outbound connection only).
110 Protect and Survive Using IBM Firewall 3.1 for AIX
Figure 87. HTTP from Secure Network, HTTP Proxy with IP Forwarding Enabled
Proxy Outside the Secure Network: This case is also a good solution, especially
if you are using a DMZ configuration. You can put the proxy server in the DMZ
for caching. Ideally you should only allow your users to access the proxy using
SOCKS.
The clients request a document using SOCKS from the proxy that is outside the
secure network. The proxy does the caching, and you don't have to allow
routing in the firewall, so you can run a dual-homed configuration.
In this case, you will need your Web browsers to support concurrent SOCKS and
HTTP proxy. You can accomplish this if your client TCP/IP implementation has
built-in SOCKS support (for example, in Warp V4) by specifying a proxy in the
browser configuration menu, and then use the SOCKS runtime from the TCP/IP
configuration options (that is, not the browser SOCKS option).
Figure 88. HTTP Proxy in the Nonsecure Network (Preferably Using DMZ)
In this kind of configuration it is very important to treat the proxy server in the
DMZ as part of your firewall. It should be monitored closely for any sign of
attack. If a cracker were to manage to take control of it he could use it to set up
From a firewall perspective SSL is a standard TCP service in which the client
uses any nonprivileged port and the server uses port 443. Follow the
recommendations for HTTP and substitute port 443 in place of 80.
6.10 S-HTTP
S-HTTP is a protocol designed in order to correct the lack of authentication and
encryption of HTTP. S-HTTP is very rarely used in practice. SSL is a much
easier protocol to administer and, although it is less flexible than S-HTTP, it has
proved adequate for most secure Web applications.
From a filtering point of view, S-HTTP is identical to HTTP. The server listens for
connections on tcp port 80, and the clients use any nonprivileged port. The
server will realize if it is an HTTP connection or an S-HTTP connection from the
URL (if it starts with http, it is HTTP, if it starts with shttp, it is S-HTTP). Web
documents retrieved with S-HTTP should not be cached in a proxy server,
because the proxy server cannot determine what S-HTTP options are
appropriate.
112 Protect and Survive Using IBM Firewall 3.1 for AIX
Figure 90. Secure HTTP Connection between Client and Server
6.11 Gopher
Gopher is a protocol used for information retrieval. It is not as popular as HTTP,
but there are still some Gopher servers to which you may wish to provide
access. Usually the client machine does not use a specific client for Gopher,
because the most popular Web browsers already have support for this protocol.
The server uses tcp/70, and the client can use any nonprivileged port.
Two connections are needed for this configuration. The first is the standard
socks client connection (see Figure 61 on page 85). The second is as follows
(the rules in this connection are not part of the standard set, so they must be
manually created).
114 Protect and Survive Using IBM Firewall 3.1 for AIX
Figure 93. Domino in a DMZ Configuration
Replication and client access to a Notes server are both handled by the same
standard TCP protoocol on port 1352. To split up the connection on the firewall
we can use a similar setup as with HTTP via SOCKS. For this setup we need to
implement the SOCKS client connection, (Figure 61 on page 85) plus the
following connection to allow the SOCKS server to communicate with the
external Notes server.
To use this setup you also have to configure your internal Notes server by
editing the SOCKS proxy field in the Notes Server document to reflect the
address of the firewall. If your version of Notes does not support SOCKS, you
can try the tcp_relay setup as described in Appendix D, “Sample NNTP Relay
Program” on page 279. In this case, you need to configure the internal Notes
server to replicate to the firewall instead of the external Notes server, and
configure tcp_relay only in one direction by using the following line in the file
/etc/tcp_relay.cfg:
client-ip 1352 domino-ip 1352
6.13 ident
The ident protocol is used to authenticate the user of a connection. The ident
client sends a request containing a user ID and information about a TCP port
that the user ID appears to be using. The ident server responds positively if the
user really is using the port. In practice there are very few platforms that
implement the ident server as standard and it has no value on systems that do
not require users to log in (such as Windows 3.1, Windows 95 and OS/2).
The server (the machine who's connection is being authenticated) uses tcp/113
and the client (the machine that is trying to authenticate the connection) uses a
nonprivileged port.
116 Protect and Survive Using IBM Firewall 3.1 for AIX
Figure 95. ident, for Authentication from the Firewall to the Secure Network
If you are planning to use SOCKS with user authentication, you should enable
this service from the firewall to the secure network. Figure 96 shows you this
connection.
6.14 Syslog
Syslog is a service used in order to manage log messages from multiple
machines in a centralized place. It is mostly used by UNIX machines, but now is
gaining acceptance in other devices, such as hubs. Syslog should not be
allowed outside the secure network, because it can be used for a denial of
service attack (if you have a DMZ, it is safe to use syslog between servers in the
DMZ and a logging host within the secure network).
Normally you send the firewall logs to a machine in the secure network. Syslog
uses UDP protocol to send the logs. Figure 98 shows the needed connection to
do that.
6.15 Traceroute
Traceroute is a service that is useful in allowing network administrators to track
the path that an IP packet is following in order to reach its final destination. It
works by sending UDP packets from one high port (port number > 1023) to
another high port. It selects a free UDP Port (in our tests on AIX 4.2.1 we only
saw packets from ports greater than 40000) and starts to send packets to
different high ports (in AIX 4.2.1 it starts by default from port 33434, unless you
specify this with -p).
In order to discover the path, it plays some tricky games with the TTL value of
the packet (this field must be decremented by routers everytime they forward the
packet). First it sends a UDP packet with TTL=1, so the first router gets the
118 Protect and Survive Using IBM Firewall 3.1 for AIX
packet, decrements the TTL field, and then discards the packet because the TTL
reached 0. After discarding the packet, the router sends an ICMP TTL exceeded
message to the sender, so the sender learns the address of the first hop.
Then it uses a TTL value of two, and it gets the second router address. It keeps
getting router addresses with TTL exceeded messages until the packet reaches
the destination host. Once the destination host receives the packet, it realizes
that it doesn't have any service on the high port, and so it sends an ICMP port
unreachable message to the sender.
From this description, you can see that using traceroute involves several UDP
packets flowing from the sender to the destination, ICMP TTL exceeded
messages flowing from the routers to the sender, and finally an ICMP port
unreachable message from the destination to the original sender.
This configuration can be safely permitted. In order to do this you must send
high UDP packets and accept ICMP TTL and port unreachable messages.
Figure 100 on page 120 shows you the connections needed from the secure
network to the firewall secure interface.
Figure 101 on page 121 shows you the connections needed from the firewall
nonsecure interface to the world.
120 Protect and Survive Using IBM Firewall 3.1 for AIX
Figure 101. Traceroute from Firewall to Nonsecure Network
Note: The ICMP rules are not necessary when the consolidated ICMP connection
(see “Consolidated ICMP Connection” on page 130) is implemented.
Traceroute from Internet to the Firewall: In order to enable this service, you
must allow outgoing ICMP port unreachable messages. You may not want to do
this because it would be useful to an attacker as a fast way to discover which
services you are providing. You can safely allow traceroute from the secure
network.
We found out that Windows NT Version 4.0 implements the traceroute command
using echo request and echo reply messages. The command is tracert.
122 Protect and Survive Using IBM Firewall 3.1 for AIX
Figure 104. Network Management Sessions
Note: The ICMP rules are not necessary when the consolidated ICMP connection
(see “Consolidated ICMP Connection” on page 130) is implemented.
The first two rules allow SNMP GET, GETNEXT and SET requests to be sent by
the manager node to the SNMP agent on the firewall and responses from the
firewall. The third rule allows the firewall to send an SNMP trap to the manager
node (the manager receives traps by listening on UDP port 162). The final rules
allow an ICMP echo request from the network manager to the firewall and an
echo reply from the firewall to the network manager.
Note that care should be taken with SNMP if you have any devices that allow
update via SNMP SET. Most workstations and routers allow SNMP GET requests
only, so there is little damage a cracker can do. However, some devices,
6.17 Archie
Archie is a service useful for searching programs in anonymous FTP servers.
The archie servers maintain a database of program names, locations and
descriptions.
Archie is a UDP protocol that uses port 1525 for the server and nonprivileged
ports for the client. There are several ways in which users can use this protocol,
circumventing UDP packets. They can use a WWW gateway, a Telnet client, or
access archie through mail.
In order to use the WWW gateway, they just need HTTP access (see 6.8, “HTTP -
World Wide Web Sessions” on page 107). In this case, they will just have to
open a Gateway Form Document, like http://www-ns.rutgers.edu/htbin/archie
(see Figure 105 on page 125).
124 Protect and Survive Using IBM Firewall 3.1 for AIX
Figure 105. Archie Using an HTTP Gateway
In order to use the Telnet service, the user needs outgoing Telnet access. They
telnet to an archie server, log in as user ID archie, and then they can do any
query.
6.18 WAIS
WAIS (Wide Area Information Servers) is a service used to search through large
text databases. It uses TCP as a transport layer; servers use port 210, and the
clients use any nonprivileged port.
One easy way to provide WAIS service is through an HTTP gateway. The client
just selects a URL that provides a WAIS service (for example,
http://www.ai.mit.edu/the-net/wais.html) and submits the query. In this way, if
you are already providing HTTP access you can provide, WAIS access for free
(you just need to educate your users).
126 Protect and Survive Using IBM Firewall 3.1 for AIX
Figure 107. WAIS Using an HTTP Gateway
You could also allow SOCKSified dedicated clients. To permit this you will need
the following connection that allows the firewall to contact the WAIS server on
port 210 (note that the rules used in this service are not part of the standard set
and so must be manually defined).
6.19 Finger
Finger is a protocol that is used to determine which users are logged in a
system. The server uses tcp/79.
This useful service has two well-known problems, one on the client side and the
other on the server side.
Having set up this limited finger response, you will want to allow finger requests
to be received by the firewall. The following connection permits this:
128 Protect and Survive Using IBM Firewall 3.1 for AIX
Figure 109. Getting a Finger from the World
The problem on the client side is a result of paranoia. If you think that someone
is attacking you, finger is a useful tool to try to find out who it is. Some people
invoke finger automatically within a script file to gain information when they
detect a possible attack. There have been a lot of cases in which the attackers
have replaced the finger daemon by a program that will send you an endless
stream of data. If you execute finger within a script, this can quickly fill your file
system.
The AIX finger client does not control these types of attacks, so if you decide to
use finger to gain information we suggest you pipe the output through the head
command, to limit the amount of output. (In our tests, the AIX finger filled a 300
MB file system, so this is a real problem.)
The finger client must also be protected from nonprintable characters introduced
by the server. We recommend you use some replacement for the standard
client, such as safe_finger, which is included in the SATAN package.
Finally, you have to be careful if you provide a finger service and use the finger
client for obtaining information. You could trigger a denial of service case (also
called finger war), in which someone fingers at you and then you finger them
back, endlessly (mutual paranoia).
130 Protect and Survive Using IBM Firewall 3.1 for AIX
Figure 111. Consolidated ICMP Control Connection (Part 2)
132 Protect and Survive Using IBM Firewall 3.1 for AIX
6.21 Other Protocols
As the Internet is constantly evolving, there are always new protocols, so we
want to stress the last but most important rule of the firewall. This default rule is
always added by IBM Firewall:
# Everything that is not explicitly allowed is denied.
deny 0 0 0 0 all any 0 any 0 both both both
From this point on, a user (after logging in successfully) can telnet to the internal
system.
To combat these problems, you need to go one step further and provide
encryption between the firewall and the remote user. The following tools are
available:
134 Protect and Survive Using IBM Firewall 3.1 for AIX
.
Figure 113. Security Policy Panel
From this panel you can set up the rules for DNS, broadcast and SOCKS similar
to the ones mentioned in this chapter.
The advantage of using the Security Policy panel over the the the method
described in Chapter 5, “IBM Firewall 3.1 Rule Base” on page 53, is that is
standard and provides a common way of setting up basic filters in all the IBM
Firewall installations. The disadvantages are that is not possible to control the
rule placement and the rules could be too general or too specific.
IBM Firewall 3.1 provides three kinds of secure IP tunnels to cater for different
situations:
1. An IBM tunnel is used between IBM Firewalls. It uses IPSP (IP Security
Protocol) which is an IBM unique protocol. It features an automatic key
update mechanism, using UDP port 4001. Under this scheme, a new
encryption key is generated at regular intervals and communicated through
the tunnel encrypted under the current key.
2. A manual tunnel uses the IPSec standard and can be established between
an IBM Firewall and:
An IPSec compliant firewall
An AIX IPSec client (it is supplied with IBM Firewall 3.1 for AIX software)
In fact, an AIX IPSec client can establish a manual tunnel with any IPSec
compliant host. The operation of an AIX IPSec client is described in 7.4,
“Using the AIX IPSec Client” on page 149.
Manual tunnel currently does not support any key refresh mechanism.
Hence, when configuring a manual tunnel, it will be necessary to inhibit key
updates.
3. A dynamic tunnel also uses the IPSec standard, but it is used between an
IBM Firewall and a Windows 95 secure remote client. It is configured but not
activated until the remote client starts the tunnel. The configuration of a
dynamic tunnel is described in 7.7, “Windows 95 IPSec Client” on page 160.
Where:
AH Authentication Header (RFC1826)
ESP Encapsulating Security Payload (RFC 1827)
TU Tunnel Mode ESP
TR Transport Mode ESP
RC5 ESP w/ RC5 Cipher
HMAC Keyed MD5 for Message Authentication
IBM is in the process of implementing IKMP, and it will be incorporated into the
future release of IBM Firewall.
138 Protect and Survive Using IBM Firewall 3.1 for AIX
7.2 Operation of the Secure Tunnel
The secure IP tunnel relies on symmetric-key cryptography to enforce data
security. This means that the firewalls at each end of the tunnel have a shared
secret in the form of an encryption key known to both of them. Using this key,
the secure IP tunnel provides two different types of security:
1. Authentication, in which the sending firewall appends a message
authentication code (MAC) to the messages it sends through the tunnel. The
MAC is constructed from the message contents and the encryption key using
a one-way hash function. The receiving firewall performs the same
operation and, if the MAC matches, it knows that the message is authentic.
2. Encryption, in which the data within the message is encrypted using the
secure key, so that it cannot be viewed in transit.
For example, your computer department may wish to monitor machines in the
financial department using SNMP. In this case, the information itself is not
sensitive, but you want to be sure that it is accurate, so you could use a tunnel
that provides only authentication.
However, you also want the computer department to send mail to the financial
department and you would like to protect this mail from being read in the
unsecure network. This would require a second tunnel providing both
authentication and encryption.
You also have to consider that you need the following prerequisites:
1. IP forwarding enabled in both firewalls
2. Coherent IP addresses in both secure networks (for example, you cannot use
the same private IP addresses)
140 Protect and Survive Using IBM Firewall 3.1 for AIX
3. Proper routes in the clients (they point to the firewall for addresses in the
other secure network)
4. Name resolution for the remote networks (this is important if you want to
pass hidden DNS information through the tunnel)
At this point it is very important to double-check the target of the tunnel. When
you later import this at the second end, there is no validation against the local
addresses.
When you have received the files, place them in a directory and import the
definitions (see Figure 118).
142 Protect and Survive Using IBM Firewall 3.1 for AIX
The import function swaps the source and destination addresses.
Figure 119 shows the tunnel list before activating the tunnel, and Figure 120 on
page 144 shows the active tunnel. You can see that the icon at the left of the
tunnel ID is different after the tunnel is activated.
Activate just enables the code; the tunnel will be marked active even if the other
end is not running or connected.
In addition you have a couple of options to deactivate the tunnels. The first one
deactivate, stops one tunnel activity, but the second one shutdown deactivates
immediately all the tunnels. This option is used for security reasons.
7.3.5 Specify Which Protocols You Want to Tunnel Using Filtering Rules
In order to specify which nodes and protocols will use each tunnel, you will have
to configure special filter rules. These rules will be like normal rules (with
source, target, protocol, ports and port operations), but they will also have a
tunnel ID. So when a packet must be transfered, the IBM Firewall will search the
filtering rules. If it matches a rule, and this rule has a specific tunnel ID, the
packet will be sent according to the authentication/encryption rules specified in
this specific tunnel.
Figure 121 on page 145 shows the configuration that we used in our tests.
144 Protect and Survive Using IBM Firewall 3.1 for AIX
Figure 121. Test Network for Secure Tunnels
The test network has two firewalls, protecting the secure networks 9.0.0.0 and
192.168.253.0. Their nonsecure IP addresses are 150.53.104.27 and 200.0.253.180,
respectively.
We defined two tunnels between the firewalls. Through tunnel 307 we will send
TCP and UDP packets authenticated and encrypted and through tunnel 308 we
will send ICMP packets authenticated but not encrypted. Figure 122 shows the
tunnel configuration.
Following the procedure we described earlier, we first defined the tunnels in F1,
exported the definitions, moved them to F2 and imported them there. Next we
In order to be able to understand the rules better, we use the symbolic names
(FW1 and FW2) instead of the actual IP addresses (150.53.104.27 and
200.0.253.180) in the rules illustrated below.
The filtering rules have to cater for three types of traffic: UDP packets between
ports 4001 for the session key update protocol, ESP for encryption of the real
data and AH for authentication of the real data.
For each tunnel, packets come in the clear from the secure side, then they are
sent through one of the tunnels, received at the second end of the tunnel and go
again in the clear to the final destination.
Figure 124 shows the filter rules that we used in Firewall 1 for the tunnels.
# UDP Packets between Tunnel End Points, for the Session Key Update
permit FW1 0xffffffff FW2 0xffffffff udp eq 4001 eq 4001 nonsecure local outbound f=n
permit FW2 0xffffffff FW1 0xffffffff udp eq 4001 eq 4001 nonsecure local inbound f=n
# ESP Packets between Tunnel End Points
permit FW1 0xffffffff FW2 0xffffffff esp any 0 any 0 nonsecure local outbound f=n
permit FW2 0xffffffff FW1 0xffffffff esp any 0 any 0 nonsecure local inbound f=n
# AH Packets between Tunnel End Points
permit FW1 0xffffffff FW2 0xffffffff ah any 0 any 0 nonsecure local outbound f=n
permit FW2 0xffffffff FW1 0xffffffff ah any 0 any 0 nonsecure local inbound f=n
# ICMP Packets, send them Authenticated but Non Encrypted (Tunnel 308)
permit SN1 SM1 SN2 SM2 icmp any 0 any 0 secure both inbound f=n
permit SN1 SM1 SN2 SM2 icmp any 0 any 0 nonsecure both outbound f=n t=308
# ICMP Packets, receive them Authenticated but Non Encrypted (Tunnel 308)
permit SN2 SM2 SN1 SM1 icmp any 0 any 0 nonsecure both inbound f=n t=308
permit SN2 SM2 SN1 SM1 icmp any 0 any 0 secure both outbound f=n
# Other Packets (TCP, UDP), send them Authenticated and Encrypted (Tunnel 307)
permit SN1 SM1 SN2 SM2 all any 0 any 0 secure both inbound f=n
permit SN1 SM1 SN2 SM2 all any 0 any 0 nonsecure both outbound f=n t=307
# Other Packets (TCP, UDP), send them Authenticated and Encrypted (Tunnel 307)
permit SN2 SM2 SN1 SM1 all any 0 any 0 nonsecure both inbound f=n t=307
permit SN2 SM2 SN1 SM1 all any 0 any 0 secure both outbound f=n
The first pair of rules allows the session key update protocol between the
firewalls. The second pair of rules allows the ESP protocol between the firewalls
for encryption of packets. The third pair of rules allows the AH protocol between
146 Protect and Survive Using IBM Firewall 3.1 for AIX
the firewalls to authenticate the packets. The fourth pair of rules allows ICMP
packets from Secure Network 1 to go to Secure Network 2 through tunnel 308
(they are received in the clear through the secure interface and sent through the
tunnel on the nonsecure interface). The fifth pair allows incoming ICMP packets
from Secure Network 2 through tunnel 308. The sixth pair allows other IP
packets (TCP, UDP) to be sent from Secure Network 1 to Secure Network 2 using
tunnel 307. Finally the seventh pair of rules allows incoming replies from Secure
Network 2 through tunnel 307.
The rules for the other end of the tunnel are a mirror image. Figure 125 shows
the filter rules that we used in Firewall 1 for the tunnels.
# UDP Packets between Tunnel End Points, for the Session Key Update
permit FW2 0xffffffff FW1 0xffffffff udp eq 4001 eq 4001 nonsecure local outbound f=n
permit FW1 0xffffffff FW2 0xffffffff udp eq 4001 eq 4001 nonsecure local inbound f=n
# ESP Packets between Tunnel End Points
permit FW2 0xffffffff FW1 0xffffffff esp any 0 any 0 nonsecure local outbound f=n
permit FW1 0xffffffff FW2 0xffffffff esp any 0 any 0 nonsecure local inbound f=n
# AH Packets between Tunnel End Points
permit FW2 0xffffffff FW1 0xffffffff ah any 0 any 0 nonsecure local outbound f=n
permit FW1 0xffffffff FW2 0xffffffff ah any 0 any 0 nonsecure local inbound f=n
# ICMP Packets, receive them Authenticated but Non Encrypted (Tunnel 308)
permit SN1 SM1 SN2 SM2 icmp any 0 any 0 nonsecure both inbound f=n t=308
permit SN1 SM1 SN2 SM2 icmp any 0 any 0 secure both outbound f=n
# ICMP Packets, send them Authenticated but Non Encrypted (Tunnel 308)
permit SN2 SM2 SN1 SM1 icmp any 0 any 0 secure both inbound f=n
permit SN2 SM2 SN1 SM1 icmp any 0 any 0 nonsecure both outbound f=n t=308
# Other Packets (TCP, UDP), receive them Authenticated and Encrypted (Tunnel 307)
permit SN1 SM1 SN2 SM2 all any 0 any 0 nonsecure both inbound f=n t=307
permit SN1 SM1 SN2 SM2 all any 0 any 0 secure both outbound f=n
# Other Packets (TCP, UDP), send them Authenticated and Encrypted (Tunnel 307)
permit SN2 SM2 SN1 SM1 all any 0 any 0 secure both inbound f=n
permit SN2 SM2 SN1 SM1 all any 0 any 0 nonsecure both outbound f=n t=307
To refresh the tunnel, simply select the tunnel and click the Activate button.
However, refreshing a tunnel would only re-activate it to an operational state.
The keys used in the tunnel remain the same. To re-establish the tunnel with
new session keys, you need to delete the tunnel, and then add a new tunnel with
the same tunnel ID and characteristics back into the firewall. After that, you
export the new tunnel definition to the tunnel partner. New session keys are
stored inside the definition files. Your tunnel partner is also required to delete
the existing tunnel and then re-import the new definition.
7.3.7 Summary
The following list is a summary of the steps to create and activate a tunnel:
1. Create a firewall object for the non-secure interface of remote firewall.
2. Create a Network object for the secure network of remote firewall (or for the
specific hosts to be connected with)
3. Create the tunnel itself, local address=non-secure interface of local firewall
and target address=remote firewall object from 1).
4. Export definitions, transport to remote firewall, import definitions (which
automatically switches local and remote addresses).
5. Add connection, services for both VPN encapsulation plus VPN key
exchange, source=non-secure interface of my firewall, destination=remote
firewall object from 1). This allows the firewall-firewall communication of
encapsulated data.
6. Copy the VPN 2/2 rule to a new rule called "VPN traffic 2/2 tunnel xx" and set
the tunnel ID in that rule.
7. Create a connection, services "VPN traffic 1/2" and "VPN traffic 2/2 tunnel xx"
from 6). Source=my secure network (or the set of hosts allowed to use
VPN), destination=secure network of remote firewall from 2).
148 Protect and Survive Using IBM Firewall 3.1 for AIX
8. Ensure "no -o ipforwarding=1" is set.
9. Repeat 1,2,5,6,7,8 at remote firewall. (Note "remote" and "local" are relative
to that firewall.)
10. Activate rulesets
11. Activate tunnel at both ends.
12. Try to ping between the networks. It should work!
The installation procedure is described in IBM Firewall For AIX User's Guide
Version 3.1.1, GC31-8419-00. However, besides installing the AIX IPSec client,
you need to install the latest fixes for AIX on the machine as well. Otherwise,
the AIX IPSec client would not function properly. You can find instructions for
installing AIX fixes in 4.2.1.2, “ Install AIX Fixes” on page 38.
The configuration steps for AIX IPSec client are very similar to the IBM Firewall
secure tunnel implementation described in 7.3, “Implementing the Secure IP
Tunnel - IBM and Manual Tunnels” on page 140. These steps are:
Add a tunnel
Export the tunnel definition
Transfer the tunnel definition to the tunnel partner
Import the tunnel definition in the tunnel partner
Activate the tunnel at both ends
Refresh the tunnel when session keys expired
The importance of Target SPI, ESP Algorithm and Tunnel Life Time have been
explained in the IBM Firewall secure tunnel implementation (see 7.3.1, “Adding
the Tunnel Definition in One Node” on page 141). However, the following new
fields are introduced to AIX IPSec client:
Protocol
Source Port From
Source Port To
Destination Port From
Destination Port To
ESP,AH Mode/Combination
They collectively define the scope within which the secure tunnel mechanism will
be applied. You can treat them as a tunnel filtering rule in AIX IPSec client host.
For example, the data shown in Figure 127 defines an IPSec tunnel for TCP
traffic originating from the node 9.24.104.127 (port greater 1023) to the node
9.24.104.159 (port 23). The traffic for this tunnel is encrypted in tunnel mode first,
then authenticated in tunnel mode. Any other traffic will be sent outside this
tunnel.
150 Protect and Survive Using IBM Firewall 3.1 for AIX
7.4.2 Exporting the Tunnel Definition
Figure 128 shows the tunnel export screen under SMIT. You need to specify the
tunnels that you want to export, and the directory where the export files will be
placed. Unlike the IBM Firewall secure tunnel implementation, the specified
directory needs not be an empty directory. So if there are existing tunnel
definition files in that directory, they will be over-written.
The AIX IPSec client will generate five files in that directory. They are:
fwexpmctx.manual
fwexppolicy
fwexppolicy.3.1
expmctx
exppolicy
We found that the generated tunnel definition files are world readable. Since the
session keys of the tunnel are stored in those files, you should change their
permission to be readable by root only.
When you have received the files, place them in a directory and import the
definitions (see Figure 129).
It should be noted that if your tunnel partner is an IBM Firewall, you have to set
up the filtering rules in the firewall to allow the tunnel traffic. The steps to set up
filtering rules for a secure tunnel are described in 7.3.5, “Specify Which Protocols
You Want to Tunnel Using Filtering Rules” on page 144.
Just like the manual tunnel in an IBM Firewall, the session keys of the IPSec
tunnel remain the same after the tunnel is refreshed. To re-establish the tunnel
with new session keys, see 7.3.6, “Refresh Manual Tunnel When Key Expired” on
page 147.
7.5 Examples
In order to understand how the tunnels work, we will show two examples, one
using tunnel 307 (authentication and encryption) and one using tunnel 308 (only
authentication). We will start with the tunnel 308 example, as it is easier.
152 Protect and Survive Using IBM Firewall 3.1 for AIX
7.5.1.1 No IP Tunnel, Just Plain IP Routing
Figure 131 shows the output of iptrace on the nonsecure interface of F1. Here
you will see both packets in the clear (search for the 616263 sequence in the
packet content).
As you would expect, when we are using plain routers, the packet has the same
sender, destination and data contents as it goes through the second interface
(nonsecure network) of the router.
However, when we look at the nonsecure adapter of F1, we can see that the
packet that is sent is different. Figure 134 on page 155 shows the first packet
that goes from the nonsecure interface of F1 to the nonsecure interface of F2 and
its reply. Now we do not see ICMP messages, we just see IPSP messages
(indicated by ip-proto-253, fd in hex instead of 01 for ICMP). Another point that is
important is that as we are using this tunnel just for authentication, people on
the nonsecure network will be able to look at the packet content (again search
for the 616263 pattern in the packet). If you look carefully at the enclosed packet,
you will see that it is exactly the same except for the 8-bit TTL that is
decremented by one and the 16-bit checksum that is adjusted because of the TTL
change.
154 Protect and Survive Using IBM Firewall 3.1 for AIX
18:40:43.73537280 150.53.104.27 > 200.0.253.180: ip-proto-253 112
-----------------------------------------
NEW HEADERS 4500 0084 5e38 0000 fe fd 993e 9635 681b
c800 fdb4 0100 0003 00 01 0070 0000 00f6
-----------------------------------------
TTL Checksum
-----------------------------------------
ORIGINAL 4500 0054 c985 0000|fe|01|c292|0918 68f1
---- ------
HEADERS c0a8 fdde 0800 8d37 75 80 0000 3121 2219
0007 2471 ------------------------------
---------- 6162 6364 65 66 6768 696a 6162
6364 6566 6768 696a 61 62 6364 6566 6768
PING DATA 696a 6162 6364 6566 67 68 696a 6162 6364
6566 6768 ------------------------------
---------- 2967 c744 20 97 2b34 ad15 1e41
AUTHENTIC. 552e bef4
-----------------------------------------
18:40:43.84263168 200.0.253.180 > 150.53.104.27: ip-proto-253 112
-----------------------------------------
NEW HEADERS 4500 0084 c8b6 0000 fc fd 30c0 c800 fdb4
9635 681b 0100 0003 00 01 0070 0000 01ce
-----------------------------------------
TTL Checksum
-----------------------------------------
ORIGINAL 4500 0054 c9d8 0000|fe|01|c23f|c0a8 fdde
---- ------
HEADERS 0918 68f1 0000 9537 75 80 0000 3121 2219
0007 2471 ------------------------------
---------- 6162 6364 65 66 6768 696a 6162
6364 6566 6768 696a 61 62 6364 6566 6768
PING DATA 696a 6162 6364 6566 67 68 696a 6162 6364
6566 6768 -----------------------------
---------- 81b4 1e54 92 fa d857 916b ee0e
AUTHENTIC. a4c2 de6f
-----------------------------------------
156 Protect and Survive Using IBM Firewall 3.1 for AIX
11:46:27.906934272 9.24.104.241.1169 > 192.168.253.180.7: S 1681600001:1681600001(0)
win 16384 <mss 512>
4500 002c 7b63 0000 3b06 d402 0918 68f1
Packet #1 c0a8 fdb4 0491 0007 643b 2e01 0000 0000
6002 4000 949f 0000 0204 0200
11:46:27.910315520 192.168.253.180.7 > 9.24.104.241.1169: S 1344959489:1344959489(0)
ack 1681600002 win 16384 <mss 512>
4500 002c b6d3 0000 3a06 9992 c0a8 fdb4
Packet #2 0918 68f1 0007 0491 502a 7401 643b 2e02
6012 4000 d062 0000 0204 0200 6976
11:46:27.914952192 9.24.104.241.1169 > 192.168.253.180.7: . ack 1 win 16384
4500 0028 7b64 0000 3b06 d405 0918 68f1
Packet #3 c0a8 fdb4 0491 0007 0000 0001 0000 0001
5010 4000 e46b 0000
11:46:45.760137216 9.24.104.241.1169 > 192.168.253.180.7: P 1:33(32) ack 1 win 16384
4500 0048 7bbc 0000 3b06 d38d 0918 68f1
Packet #4 c0a8 fdb4 0491 0007 0000 0001 0000 0001
abcd entered ----> 5018 4000 e639 0000 6162 6364 6566 6768
696a 6162 6364 6566 6768 696a 6162 6364
6566 6768 696a 0d0a
11:46:45.763902208 192.168.253.180.7 > 9.24.104.241.1169: P 1:33(32) ack 33 win 16384
4500 0048 b6d4 0000 3a06 9975 c0a8 fdb4
Packet #5 0918 68f1 0007 0491 0000 0001 0000 0021
abcd echoed ----> 5018 4000 e619 0000 6162 6364 6566 6768
696a 6162 6364 6566 6768 696a 6162 6364
6566 6768 696a 0d0a
11:46:45.815131008 9.24.104.241.1169 > 192.168.253.180.7: . ack 33 win 16384
4500 0028 7bbd 0000 3b06 d3ac 0918 68f1
Packet #6 c0a8 fdb4 0491 0007 0000 0021 0000 0021
5010 4000 e42b 0000
In this section we will discuss one technique to make this key exchange secure,
using Pretty Good Privacy (PGP) to encrypt the exported tunnel definition. PGP
158 Protect and Survive Using IBM Firewall 3.1 for AIX
is a freely available program which uses public-key cryptography to create
encrypted and authenticated messages.
First, you have to decide which version of PGP you must use, the USA version or
the International version. You can get both versions via anonymous FTP from
concert.cert.dfn.de in the directory /pub/tools/crypt/pgp/unix. Having received
the package, you should then compile the PGP program using the command make
rs6000. Note that this is a good reason for not installing PGP on the firewall
machine, because you do not want to have a compiler there if you can avoid it.
If all goes well, you will end up with an executable file called pgp (in our case it
compiled without any modification).
Create a directory /.pgp for storing the keys. Before you start to create your key
pair, run these tests (to test that PGP is correctly installed):
Create a 512-bit public/secret key pair (enter test as userid/password).
pgp -kg
Add the keys from the file keys.asc to the public keyring. PGP will ask if you
want to sign the keys you are adding. Answer yes for at least one key.
pgp -ka keys.asc
Do a keyring check
pgp -kc
Encrypt pgpdoc1.txt
pgp -e pgpdoc1.txt test -o testfile.pgp
Decrypt this file
pgp testfile.pgp
This will produce a file called testfile, which should be identical to pgpdoc1.txt. If
everything went well, install the pgp program in a bin directory.
Now you are ready to use PGP in earnest. First create your public/secret key
pair:
pgp -kg
The private key will stay locked in your keyring file, but you can send the public
key to anyone. Anything encrypted using the private key can only be decrypted
with the public key, and vice versa. Extract your public key:
pgp -kxa user1 user1.asc
Send the public key to a node at the other end of the secure tunnel.
Now move to the local firewall and create a tar file containing the exported
tunnel definitions:
tar cvf tunnel.tar fwexpmctx fwexppolicy
Encrypt the tar file using the public key from the other end of the secure tunnel,
which you received earlier. You will have to save it in a suitable way for
sending it through SMTP mail (in radix-64 format):
pgp -esa tunnel.tar user2 -u user1
Finally, the user at the other end of the tunnel receives the mail and saves it.
Then they decrypt it using their private key and their pass phrase:
pgp tunnel.tar.asc
Windows 95 IPSec Client differs from a standard IPSec tunnel in the following
ways:
It cannot be used on the secure network to tunnel to the firewall.
Access is given via dynamic filter rules. These override the static rules (due
to the unpredictable IP address of the client). Rule permit's are logged
automatically; this cannot be changed. Debug logging is sent to Local2.
Packets decrypted by the firewall are not routed using the firewall's routing
entries.
The Windows 95 IPsec client will NOT run on Windows NT.
A prerequisite for installing the Windows 95 IPSec Client is the Microsoft ISDN
Accelerator Pack 1.1 (this does not mean that you need an ISDN connection).
The link for obtaining this pack has changed from the one specified in the User'
Guide. To obtain this software go to:
http://www.microsoft.com/windows/windows95/info/isdn4w95.htm
Note: See 7.7.2, “Troubleshooting” on page 168 for information on Microsoft
Dial-Up Networking 1.2.
160 Protect and Survive Using IBM Firewall 3.1 for AIX
7.7.1.1 IBM Firewall 3.1 Configuration
Several changes are required on the firewall before the Windows 95 IPSec Client
will work properly. Here are the steps we went through to configure our firewall:
1. First we create a proxy user, miner (see Figure 140) and change the
Authentication for Nonsecure IP to password.
3. then we went into Virtual Private Network and created a new tunnel; see
Figure 142 on page 163. We generated a Tunnel ID and Target SPI
randomly.
For a large number of tunnels define a numbering standard to keep track of
your tunnels. We also specified the Nonsecure adapter address and the
miner network object.
162 Protect and Survive Using IBM Firewall 3.1 for AIX
Figure 142. Creating a New Dynamic Tunnel
4. We then added a new connection to allow SSL from The World to the
nonsecure adapter; see Figure 143 on page 164.
5. Now we need a keyfile to enable SSL negotiation. We had already done this
in 4.3.3.5, “Generate an SSL Key” on page 43. Windows 95 IPSec Client
uses SSL to exchange keys before entering IPsec itself.
6. We checked to make sure that the process /usr/sbin/sslrctd was running.
Without this process the Windows 95 IPSec Client cannot use SSL to
negotiate a tunnel. It will automatically start on reboot only if you have
generated a set of SSL keys.
If you are installing Windows 95 IPSec Client from a zip file, uncompress the file
in a temporary directory. This will also create the driver sub-directory where the
IbmIsdn driver is located.
As we were using the IbmIsdn driver for PPP dialup via a modem, we left the
options to configure the ISDN connection blank.
164 Protect and Survive Using IBM Firewall 3.1 for AIX
7.7.1.3 Configure Windows 95 IPSec Client
We will show how to configure Windows 95 IPSec Client using the screen
captures we used during our installation.
166 Protect and Survive Using IBM Firewall 3.1 for AIX
Figure 148. Starting Windows 95 IPSec Client (Part 3 of 8)
7.7.2 Troubleshooting
This section describes how we resolved the few problems we had installing
Windows 95 IPSec Client.
To work around this you can manually create your own IBM IPSec Dial-Up
connection using Windows 95 Dial-Up Networking Accessory. When selecting a
device you should see:
If the IbmIsdn entry cannot be seen when you select a device while
attempting to make a new connection, then you may have a driver
problem.
168 Protect and Survive Using IBM Firewall 3.1 for AIX
4. Reinstalled the IbmIsdn Software Network Adapter.
Despite numerous attempts we could not get the IBM IbmIsdn Software Adapter
device to become visible to the Create Dial-Up Adapter screen. The driver was
visible to the System Devices view but that was it. We removed Microsoft
Dial-Up Networking 1.2 and replaced the ndis.vxd and other drivers with older
versions during the install of Microsoft ISDN Accelerator Pack 1.1.
This was because the firewall was not running the process /usr/sbin/sslrctd.
With the normal proxy server, users have to be predefined in the firewall as
proxy users. They first have to access the firewall, authenticate themselves,
then create a second session to access the target host. With the transparent
proxy server, users logon to the firewall but user authenticaion is not required.
Instead, users enter a special user ID format. This format is user@remote-host.
The proxy server now tries to logon to the remote-host with the specified user
ID. After this the user enters the password for the user ID at the remote host.
There are no special accounts needed for using the transparent proxy. However,
the transparent proxy is less secure, because it does not require user ID
password authentication at the firewall. For this reason, the transparent proxy is
only allowed from the secure interface.
Adding users is simply done by selecting the users option in the GUI.
Figure 154 on page 172 shows the general user screen.
From the list users screen we can define, modify or delete users. Figure 155 on
page 173 shows the dialog for adding a user.
172 Protect and Survive Using IBM Firewall 3.1 for AIX
Figure 155. Administer General Screen
The options you can specify for each user are as follows:
Authority Level is either Administrator or Proxy User.
In this chapter we explain only the proxy user option.
User Name is the ID that the user will use to log in to the IBM Firewall.
User Full Name is the textual name of the user (for documentation purposes).
Secure Interface Shell is the command shell that the user will see when they log
in using Telnet from the secure side of the firewall. The available
shells are:
restrict.sh - only gives commands for establishing sessions
(telnet, gopher, ping, mosaic, finger, etc.)
174 Protect and Survive Using IBM Firewall 3.1 for AIX
Disconnect Time in minutes, is the maximun time of user idle before being
disconnected. This time must be more than warning time.
You define the user as shown in Figure 154 on page 172 and select OK, but you
first need set to the values of the password (Figure 156).
The only user ID that you do not have to add in this way is root.
If you have many users to enter, the GUI may be a rather slow method to do it.
You may want to consider using the command fwuser ; see 4.3.7, “Command Line
Proxy User Generation” on page 50 for details.
176 Protect and Survive Using IBM Firewall 3.1 for AIX
Figure 157. Enable Transparent Telnet and FTP Proxy
The first pair of rules allows any access to the firewall from a node inside the
secure network (you need this to get to the proxy server in the first place). The
second pair of rules allows Telnet sessions started from the firewall to the
nonsecure network.
These rules only allow access from Telnet clients inside the secure network to
servers outside it. As we explained previously, there are serious security
implications if you provide Telnet access from the nonsecure network to the
secure network (see 2.1.2, “Proxy Servers” on page 13).
# telnet rs60004
Trying...
Connected to rs60004.itso.ral.ibm.com.
Escape character is '[]'.
telnet (rs60004.itso.ral.ibm.com)
login: [email protected]
Trying...
Connected to 192.168.253.222.
Escape character is '[]'.
telnet (192.168.253.222)
AIX Version 4
(C) Copyrights by IBM and by others 1982, 1996.
login: root's Password:
*******************************************************************************
* *
* *
* Welcome to AIX Version 4.2! *
* *
* *
* Please see the README file in /usr/lpp/bos for information pertinent to *
* this release of the AIX Operating System. *
* *
* *
*******************************************************************************
Last login: Thu Mar 27 10:29:07 EST 1997 on /dev/pts/1 from aix1
x4
:root#
Figure 160 on page 179 is an example of a user session using the FTP proxy.
The user uses the ftp command to connect to the firewall (rs60004). Once there,
they are authenticated, then they use quote site in order to reach their final
destination.
178 Protect and Survive Using IBM Firewall 3.1 for AIX
# ftp rs60004
Connected to rs60004.itso.ral.ibm.com.
220-*******************************************************************************
220-* *
220-* *
220-* Welcome to AIX Version 4.1! *
220-* *
220-* *
220-* Please see the README file in /usr/lpp/bos for information pertinent to *
220-* this release of the AIX Operating System. *
220-* *
220-* *
220-*******************************************************************************
220 rs60004.itso.ral.ibm.com FTP GATEWAY (Version 1.2 12/06/94 22:49:31) ready.
Name (rs60004:root): ken
Password:
230 To specify destination, type "quote site remote.host.com"
ftp> quote site ftp.cert.org
220 cert.org FTP server (Version wu-2.4(1) Mon Apr 3 16:53:11 EDT 1995) ready.
ftp> user anonymous
331 Guest login ok, send your complete e-mail address as password.
Password:
230-CERT Coordination Center FTP server.
230-
230 Guest login ok, access restrictions apply.
ftp> dir
200 PORT command successful.
150 Opening ASCII mode data connection for /bin/ls.
total 5
-rw-r--r-- 1 cert cert 454 Jun 13 1995 .message
drwxr-xr-x 2 cert cert 512 Mar 3 1993 bin
drwxr-xr-x 3 cert cert 512 Apr 3 1995 etc
drwxr-x--x 7 cert cert 512 Mar 24 1995 incoming
drwxr-xr-x 15 cert cert 1024 Feb 8 18:56 pub
226 Transfer complete.
ftp> quit
221 Goodbye.
#
In order to use the Telnet proxy, the user enters the telnet command to connect
to the firewall (rs60004). They are authenticated by IBM Firewall, and then again
use Telnet to reach the final destination (note that Telnet is a generic terminal
emulator, so it could also be used to access other TCP services on different
ports). Figure 161 on page 180 shows a typical session.
Notice that on the firewall the user, ken, has a restricted shell so he cannot
issue any damaging commands (cat is the command shown here). Notice also
that this example demonstrates the most common failing of security measures,
user error. The proxy server is doing a good job of protecting the secure
network, but the target machine (IP address 150.53.104.12) has been
compromised because ken connected to it with the root user ID. Under Telnet,
the password is sent in clear, so anyone could have captured it in the nonsecure
network.
180 Protect and Survive Using IBM Firewall 3.1 for AIX
− Command cat /etc/passwd failed (due to the restricted shell)
− Command telnet 150.53.104.12 succeeded (the filters allow the session
to be set up)
Figure 162 on page 182 and Figure 163 on page 183 show the HTTP proxy
connections required in the secure and nonsecure network respectively.
182 Protect and Survive Using IBM Firewall 3.1 for AIX
Figure 163. HTTP Proxy Connection on Nonsecure Network
You should also make sure that DNS queries are permitted from the firewall.
Otherwise, the HTTP proxy cannot resolve any hostnames in the browser
requests.
The configuration parameters of the proxy server can be modified using the GUI.
Figure 164 on page 184 shows the HTTP proxy configuration screen.
184 Protect and Survive Using IBM Firewall 3.1 for AIX
8.7 Idle Proxy Connections
In this section, we discuss idle proxy connections. The purpose of a proxy
server is to provide access to outside networks for internal users (or vice versa).
There is no reason to allow users to establish these connections and then do
nothing. Idle users tie up resources on the firewall. The idle proxy process
disconnects all non-interactive sessions to the IBM Firewall after a specific
period of idle time.
Note that this default value specified in the /etc/security/fwpriv.users file is only
applicable to non-root users. By default, connections started up by root would
not timeout.
You can add entries to this file for specific user IDs, but the DEFAULT entry must
exist in the file. You must not delete the DEFAULT entry, but you can change the
idle time values that it specifies.
If you want to add a specific user's idle time, you can add a new entry for the
user ID to the existing entries, either by editing the file or by using a SMIT
dialog. We recommend the latter course. To do this, enter SMIT and select:
When you click on List you are presented with a list of all the user IDs defined
for proxy services. In Figure 165, we selected user ID ken with a warn time of 5
minutes and a disconnect time of 8 minutes. .
After you have added a user, you should validate the /etc/security/fwpriv.users
file. You can use the fwidleout -v command or select Validate in SMIT to do this
(see Figure 166 on page 187).
186 Protect and Survive Using IBM Firewall 3.1 for AIX
Figure 166. Validate Privileged User File
If you get any error messages, you should check your entries in
/etc/security/fwpriv.users. To avoid any mistakes, we recommend that you use
SMIT to add or change the privileged user file.
We recommend that you run the idle proxy process as a cron job instead of
issuing the fwidleout command from the command line. Figure 167 shows an
example of a cron table entry for the root user ID (you can use the crontab -e
command to edit root's cron table and crontab -l command to verify your
changes).
0,5,10,15,25,30,35,40,45,50,55 * * * * /usr/bin/fwidleout
Figure 167. Cron Table Example for Idle Timeout
This entry sets up cron to run idle proxy every 5 minutes for every day of the
year.
We will use the fwpriv.users file and cron table entry described previously in the
examples.
Notice that in this case, when the first fwidleout command was issued by a cron
job, the idle time was only 3 minutes. Therefore, the idle proxy process did not
send any messages or cancel Ken's session. However, between the first user
command (ping) and the second command (traceroute), the idle time was
actually six minutes. In fact, because the time between each user command and
the next cron polling interval was below the warning threshold of five minutes,
no action was taken. Similarly, because Ken logged out before the next
scheduled poll (at 10:15), idle proxy did not notice that he was inactive for six
minutes between 10:08 and 10:14.
Between the first user command (ping, at 10:04) and the first fwidleout command
by cron (10:05), there was only one minute, so Ken did not get any messages.
However, Ken did not enter any further command before the next time cron
issued fwidleout, so it registered 6 minutes idle time. Therefore the idle proxy
process sent a warning message to user ID ken. The warning message would
look like this:
WARNING:!!! Spotted idle for 6 minutes. Time left before disconnection:2 minutes.
Next, Ken entered the traceroute command (at 10:13). Between the two
commands there were 9 minutes idle time, which exceeds the disconnect time.
188 Protect and Survive Using IBM Firewall 3.1 for AIX
However, when the third fwidleout command was issued by cron, it registered an
idle time of only 2 minutes (10:13-10:15). Therefore, Ken did not receive any
messages and was not disconnected.
When the first fwidleout command was issued by cron, the idle time was 4
minutes. Therefore, Ken did not get any warning message. However, when the
second fwidleout command was issued the idle time was 9 minutes which
exceeds the maximum disconnect time of 8 minutes. Therefore, user ID ken was
disconnected.
In this case, the behavior is what you might expect; the user receives a warning
message (10:10) and then is disconnected when he remains idle at 10:15.
What these examples illustrate is that if you want the behavior of idle proxy to be
consistent, you should be careful when choosing idle timeout limits and the cron
polling frequency. Even if you do choose reasonable values, the total idle time
190 Protect and Survive Using IBM Firewall 3.1 for AIX
Note that the ident request does not specify the nodes between which ken's
session must exist. The ident daemon will take the address pair from the ident
request itself.
You should be aware that using the ident option is not possible in every case,
since not all TCP/IP implementations support it (in particular, single-user
systems such as OS/2, DOS and Windows).
In this example, the permitted outbound proxy services are HTTP, Telnet,
FTP and Real Audio.
3. Specify SOCKS server configuration for connections between the secure
network and the nonsecure network.
You build a connection with the secure network as the source object, the
nonsecure network as the destination object, and the SOCKS templates as
the services. Figure 171 on page 193 shows the GUI screen for such a
connection.
192 Protect and Survive Using IBM Firewall 3.1 for AIX
Figure 171. SOCKS Configuration from Secure to Nonsecure Network
You click on List to get a list of defined SOCKS templates. In this example,
we selected five templates (FTP, HTTP, Telnet, FTP Passive and Real Audio).
The IBM Firewall 3.1 provides three standard SOCKS templates - HTTP,
Telnet and FTP. However, the FTP Passive and Real Audio templates shown
in Figure 171 are created by us. You can expand the SOCKSified services
by creating new templates. The procedure to create templates is similar to
creating filters, the only difference is the definition of the SOCKS template.
As you can see in Figure 172, the fields to be entered are similar to those for
the filter rule definition. The meaning of these fields are as follows:
Template Name is the name of the template. Remember: use a naming
convention.
Description for describes the function of the template.
Action is the action to take if a session request matches the conditions in
the filter definition. Possible values are permit (allow the session)
or deny (refuse session establishment).
Ident Verification specifies whether or not to use RFC1413 user ID checking
(as discussed earlier).
User list lists user IDs that this configuration applies to, or the name of a
file containing a list of IDs. These are the IDs on the originating
host, and they must be listed separated by commas and without
blanks.
Operation / Port Number is the acceptable destination port (same format as
for the IP filters, see Table 5 on page 58).
Command in addition to the permit or deny actions taken when the criteria in
the SOCKS configuration entry are met, it is possible to execute a
command. IBM Firewall For AIX User's Guide Version 3.1.1,
GC31-8419-00, shows some examples of using this to notify the
user of failed login attempts.
194 Protect and Survive Using IBM Firewall 3.1 for AIX
8.10 Configuration of SOCKS Client
The client configuration file, /etc/socks.conf, is simpler than /etc/sockd.conf on
the server. The /etc/socks.conf file describes, for each destination, whether to
use a SOCKS server, normal connection, or to prevent the connection attempt. It
can also define the SOCKS server to use for a particular connection, the user
ID(s) for which a particular profile applies and a command option, like the
command option in the SOCKS server configuration.
For our environment (see Figure 121 on page 145), we created a simple two-line
configuration file on the secure network machine:
direct 9.24.104.0 255.255.255.0
sockd @=9.24.104.27 0.0.0.0 0.0.0.0
This says to use direct TCP connections when connecting to addresses on the
9.24.104 network. For every other connection, use the SOCKS server at the IP
address 9.24.104.27
Using the SOCKSified clients was then simple. We just entered the normal
command (for example, telnet 150.53.104.12) and had access to the host.
For example, if your code includes the TCP listen function, recompile it with a
-Dlisten=Rlisten flag.
You also have to provide the linker with access to the libsocks library, located in
/usr/lib. The full compile command is:
cc -o socks client.c -lbsd -lsocks -Dconnect=Rconnect (plus other aliases)
Having created the executable program, you need to make sure that the SOCKS
configuration in /etc/socks.conf is set correctly.
The final step to make this a secure environment is to define filters that prevent
direct routing of the connection through the firewall. We have already shown the
filter rules for the Telnet proxy server in the previous chapter (see “Telnet Using
SOCKS” on page 84), but we show them again here for completeness:
Figure 174. Telnet from Secure Network to Nonsecure Network using SOCKS
The first pair of rules allows the SOCKS clients to contact the SOCKS server on
port 1080. The second pair of rules allows the firewall to contact the external
Telnet server.
196 Protect and Survive Using IBM Firewall 3.1 for AIX
Chapter 9. RealAudio Support
In this section we will discuss the IBM Firewall 3.1 support of the RealAudio
protocol. IBM Firewall 3.1 is able to identify RealAudio connections and support
them in a secure way, in order to receive live or on-demand audio from the
Internet without exposing the security of the private network.
The UDP connection does not need to be configured, because when IBM Firewall
3.1 detects a RealAudio TCP control connection it interprets the data stream and
dynamically creates a temporary UDP filter rule for the RealAudio stream. When
the TCP control connection is closed, this temporary rule for UDP packets is
deleted from the filter configuration. Figure 175 illustrates the connections.
At the time of testing we noticed that dynamic filter rules did not work due to
changes in the RealAudio protocol. This is fixed by APAR IR37027.
The RealAudio must first be enabled in the IBM Firewall 3.1. The RealAudio
configuration in IBM Firewall 3.1 can be done using SMIT or the new GUI
interface. First it is necessary to set up the default values:
Server Port Number This is the port used to establish the RealAudio
control connection over TCP. 7070 is the standard
port to use. This has to match the configuration
of the RealAudio server.
Maximum Concurrent Sessions This is the maximum number of connections
(simultaneous connections) that IBM Firewall 3.1
will allow for RealAudio.
To set up these values, select the following sequence from the SMIT main menu:
Or you can select the RealAudio option, inside the system administration folder
in the new GUI Interface. Figure 176 on page 199 shows the resulting screen in
the GUI.
198 Protect and Survive Using IBM Firewall 3.1 for AIX
Figure 176. RealAudio Defaults Values
Now you need to permit users to establish connections to the RealAudio server.
For this it is necessary to add filter rules to permit TCP connection using port
7070. To add this connection you need to select the source object (Secure
Network object) and the destination object (World object). Additionally you need
to select the service named "RealAudio", which has 4 rules:
You should have your Network Address Translation configured and activated
before you do the following steps to add your RealAudio client's IP address to
Network Address Translation tables. See Chapter 10, “Network Address
Translation” on page 205 for instructions how to configure and activate the
Network Address Translation.
Figure 177. Connection across IBM Firewall 3.1 Using RealAudio Proxy
Now you need to permit users to establish connections to the RealAudio server.
You need to make two connections. The first connection is from the RealAudio
client to the firewall secure adapter. The second connection is from Firewall's
nonsecure adapter to World. For the first connection add filter rules to permit
the TCP connection from the secure network to the firewall using port 1090. You
can use service HTTP proxy out (1/2) and rules that belong to it as a model for
200 Protect and Survive Using IBM Firewall 3.1 for AIX
your new service. Additionally you must allow the RealAudio client to receive
UDP packets from higher ports of the IBM Firewall 3.1. Write three new rules:
Figure 178. Rules and Their Flow in Service Real Audio Proxy (1/2)
To add the connection you need to select the source object (Secure Network
object) and the destination object (the secure interface of the firewall object).
Additionally you need to select the new service you just created.
For the second connection add filter rules to permit TCP connection from the
nonsecure network to The World. You can use service HTTP proxy out (2/2) and
rules that belong to it as a model for your new service. Additionally you must
allow the IBM Firewall 3.1 to receive UDP packets from higher ports of the
RealAudio server. Write three new rules:
permit tcp gt 1023 eq 7070 non-secure local outbound l=n f=
permit tcp/ack eq 7070 gt 1023 non-secure local inbound l=n f=
permit udp gt 1023 gt 1023 non-secure local inbound l=n f=
Make a new service called "RealAudio proxy (2/2)" and put in it the rules you
just created. To add the second connection you need to select the source object
(nonsecure interface of the firewall object) and the destination object (The World
object).
Create a new SOCKS object that will allow the traffic into port 7070. This
requires creating a new connection from the secure network to The World. Do
not specify any services to that connection. Instead, you will put in the SOCKS
section of that connection the SOCKS object you just created.
In addition, you need to create two new connections very similar to 9.2.2,
“RealAudio with RealAudio Proxy” on page 200. The IBM Firewall 3.1 SOCKS
does not support UDP packets, so we have to configure the RealAudio client to
use only TCP. Figure 179 illustrates the connections.
Figure 179. Connection across IBM Firewall 3.1 Using RealAudio with SOCKS
202 Protect and Survive Using IBM Firewall 3.1 for AIX
Configure your RealAudio client to use TCP only to access RealAudio content.
Do it this way:
1. In your RealAudio client, click Preferences from the View menu.
2. In the Preferences window, click the Transport tab.
3. Click the Use Specified Transport option.
4. Click the Specify Transports button.
5. Click Use TCP to Connect to Server.
6. Check box Attempt to use TCP for all content.
7. Push OK.
8. In the Preferences window, click the Proxy tab.
9. Make sure that Use Proxy box is not checked.
10. Push OK.
Figure 180. Connection across IBM Firewall 3.1 Using RealAudio with HTTP
Configure your RealAudio client to use the HTTP protocol and HTTP proxy for
RealAudio content. We did it in the following steps:
1. In your RealAudio client, click Preferences from the View menu.
2. In the Preferences window, click the Transport tab.
3. Click the Use Specified Transport option.
4. Click the Specify Transports button.
5. Click the Use HTTP Only option.
6. Push OK.
7. Click Proxy tab.
8. Click Use Proxy option.
9. Write your firewall's secure IP address or HTTP proxy IP address into the
Http Proxy field. Specify the HTTP port in the Port field.
10. Push OK.
The idea of NAT is based on the fact that only a small part of the hosts in a
private network are communicating outside of that network. So if we can devise
a technique to assign official addresses to hosts that are used only when they
need to communicate outside the private network, then only a small number of
official addresses are required.
This is what NAT does; it takes the IP address of an outgoing packet and
dynamically translates it to an official address. For incoming packets it
translates the official address to an internal address. We now can use NAT for a
solution for networks that have private address ranges or illegal addresses and
want to communicate with hosts on the Internet.
If NAT translates an address for a TCP packet the checksum is also adjusted.
For FTP packets the task is even more difficult because the packets can contain
addresses in the data of the packet. For example the FTP PORT command
contains an IP address in ASCII. These addresses are also translated correctly
and checksum updates and even TCP sequence and acknowledge updates are
made.
Note that only TCP and UDP packets are translated by NAT. The ICMP protocol
is not supported by NAT. For example pinging to the NAT addresses does not
work, because ping uses the ICMP protocol.
Basically you will create filter rules that will normally route packets from a
secure network to the Internet and back. NAT will take care of the address
translation of the secure addresses. Figure 182 on page 207 shows how packets
flow through the IBM Firewall 3.1. You will notice that NAT translation will occur
for the outgoing packet after the packet has gone through both packet filters
(secure and non-secure). This means that you should never mention NAT
addresses in the filter rules.
206 Protect and Survive Using IBM Firewall 3.1 for AIX
Figure 182. The Flow of the Packets inside the IBM Firewall 3.1
To set up and activate the rules for the NAT follow these rules:
1. Define the reserved address range.
First NAT has to know which addresses it may use for the translation. Each
entry consists of a network address, netmask and a timeout value. The
timeout value is the number of minutes before NAT returns an unused
address back to the address pool. The default value is 15 minutes and this
is also the minimum value allowed. The rule starting with RESERVE defines
the pool of official addresses that NAT may use.
For example, the rule RESERVE a.b.c.0 255.255.255.0 15 reserves the class C
range a.b.c.0 to be used for NAT.
2. Define addresses to be translated.
By default all addresses in the secure network are translated by NAT.
However, you may also specify one or more ranges of addresses which must
be translated.
208 Protect and Survive Using IBM Firewall 3.1 for AIX
For example, if you want the network s.s.s.0 to be translated, you define the
following rule: TRANSLATE s.s.s.0 255.255.255.0
3. Define addresses to be excluded from translation.
Use this step if you don't want to translate a range of addresses or you even
want to exclude some addresses from the range of addresses you specified
for translation.
If you don't want to translate the network x.x.x.0, you define the following
rule: EXCLUDE x.x.x.0 255.255.255.0
4. Define address mappings.
An address mapping allows you to map a secure address to a specific
official address. The official address may, but does not have to, be in the
reserved address range. For example, if you want to give Internet users
access to your internal Web site from the Internet, this is the only way to do
that using NAT.
For example, if you want the secure address a.b.c.d to be translated into
w.x.y.z then define the rule: MAP a.b.c.d w.x.y.z
5. Activate or update the NAT configuration.
After the initial configuration and after every change you have to
activate/update the NAT configuration. You may also decide whether or not
to activate the NAT logging.
The use of NAT is transparent to the filter rules. This implies that in the filter
rules you have to use your untranslated secure addresses. The reserved
addresses must not be used in the filter rules.
HostIPAddr is the address you want to move from LAN to the NAT Map or
Reserve setup. It must not be in use. Ping it if you are in doubt. It must not be
the lowest or the highest in the subnet; they are reserved.
The arp entries will disappear in every reboot, so it is good to add them to the
end of /etc/rc.net. This is an example of a token ring entry:
arp -s 802.5 1.2.3.66 00:04:ac:b6:0c:6d pub
You can see the ARP table by typing: arp -a. The ones added say "permanent
published".
The following script adds pub ARP entries for the class C network a.b.c.0.
Assume that the non-secure interface has a token-ring adapter with address
10.0.5a.c9.3f.63.
#!/bin/ksh
i=1
while [ $i -lt 255 ]
do
arp -s 802.5 a.b.c.$i 10:00:5a:c9:3f:63 pub
i=`expr $i + 1`
done
At the startup of a TCP connection only the MTU values between endpoints are
usually considered. So, it is possible that a packet arrives at an intermediate
host that has a smaller MTU. This is solved by fragmenting or sending ICMP
type 3 code 4 packets when fragmentation is not allowed.
However, NAT does not support ICMP so when using NAT the firewall must have
the minimum MTU on the path. Also, all hosts and routers directly connected to
the non-secure interface must have this MTU.
The default MTU for the IBM Firewall is 1492. This is the MTU of IEEE 802.3,
which is most widely used. Most other LAN media are configured for a larger
MTU so they can pass 1492-bytes packets without problems. To still have
reasonable throughput with this MTU size, it is recommended to set the default
maximum segment size on the firewall to 1440. That is 1492 minus 52, which is
the maximum TCP header size. This is can be done with:
no -o tcp_mssdflt=1440
210 Protect and Survive Using IBM Firewall 3.1 for AIX
10.4 Timeout Value
The default timeout value for the NAT connections is 15 minutes. For example, if
your telnet NAT connection is idle more than 15 minutes, your NAT address will
be released back to the reserved address pool. Effectively it means that your
telnet connection is lost. The NAT protocol will send connection reset packets
for FTP connections only. All the other TCP connections will not get any reset
packets. Fortunately the NAT will log these address releases to the syslog. The
log message number is ICA9036. See Appendix A, "Messages" of IBM Firewall
For AIX Reference Version 3.1.1, SC31-8418-00.
The timeout value is also used to keep your NAT address reserved after you
have normally terminated your connection. You can use the same NAT address if
you use NAT again within the timeout period. This has more importance with
UDP protocol, because it is a connectionless protocol.
You may increase the timeout value if you expect the clients to have longer idle
times than 15 minutes. Bear in mind that even when the connection is closed,
the address will be reserved for an amount of time equivalent to the timeout
value. If you run out of addresses in the reserved address pool, you will get
error message ICA9035.
Our internal routing will route the packets from the 192.168.36.0 network to the
firewall. In the firewall we will have a static route for return packets to the
192.168.36.0 network.
192.168.36 9.24.104.27 UG 3 1033 tr0
212 Protect and Survive Using IBM Firewall 3.1 for AIX
The return of NAT packets from the Internet to the IBM Firewall 3.1 must be
enabled. We have only two addresses in our reserved address pool and one
mapped address. They are within the address and mask of the non-secure
adapter, so we have to use the ARP protocol for the NAT return packets. We will
have the following ARP entries at the end of our /etc/rc.net file:
arp -s ether 9.24.105.60 08:00:5a:fc:3d:ca pub
arp -s ether 9.24.105.61 08:00:5a:fc:3d:ca pub
arp -s ether 9.24.105.62 08:00:5a:fc:3d:ca pub
Here is a small sample of iptrace taken from the firewall's non-secure adapter.
It shows the handshaking between client and server. Notice that NAT has
changed the 192.168.36.10 address to 9.24.105.60.
====( 60 bytes transmitted on interface en0 )==== 11:57:59.126834684
ETHERNET packet : [ 08:00:5a:fc:3d:ca -> 08:00:5a:4d:0f:5c ] type 800(IP)
IP header breakdown:
< SRC = 9.24.105.60 >
< DST = 9.24.105.249 > (rs60004e.ral.ibm.com)
ip_v=4, ip_hl=20, ip_tos=0, ip_len=44, ip_id=64000, ip_off=0DF
ip_ttl=126, ip_sum=1d66, ip_p = 6 (TCP)
TCP header breakdown:
<source port=1043, destination port=23(telnet) >
th_seq=86ffa, th_ack=0
th_off=6, flags<SYN>
th_win=8192, th_sum=149f, th_urp=0
0000000 02040faa ].... ]
===( 60 bytes received on interface en0 )==== 11:57:59.128700209
THERNET packet : [ 08:00:5a:4d:0f:5c -> 08:00:5a:fc:3d:ca ] type 800
P header breakdown:
< SRC = 9.24.105.249 > (rs60004e.ral.ibm.com)
< DST = 9.24.105.60 >
ip_v=4, ip_hl=20, ip_tos=0, ip_len=44, ip_id=53139, ip_off=0
ip_ttl=60, ip_sum=c9d3, ip_p = 6 (TCP)
CP header breakdown:
<source port=23(telnet), destination port=1043 >
th_seq=6dd97201, th_ack=86ffb
th_off=6, flags<SYN ] ACK>
th_win=16060, th_sum=1fed, th_urp=0
00000000 020405b4 ].... ]
====( 60 bytes transmitted on interface en0 )==== 11:57:59.131802457
ETHERNET packet : [ 08:00:5a:fc:3d:ca -> 08:00:5a:4d:0f:5c type 800 (IP)
IP header breakdown:
< SRC = 9.24.105.60 >
< DST = 9.24.105.249 > (rs60004e.ral.ibm.com)
ip_v=4, ip_hl=20, ip_tos=0, ip_len=40, ip_id=64256, ip_off=0DF
ip_ttl=126, ip_sum=1c6a, ip_p = 6 (TCP)
TCP header breakdown:
<source port=1043, destination port=23(telnet) >
th_seq=86ffb, th_ack=6dd97202
th_off=5, flags<ACK>
th_win=8760, th_sum=542e, th_urp=0
In general, the standard IBM Firewall 3.1 configuration process will set up the
name server successfully for the firewall itself. However, for a working system
you will also need to configure DNS inside the secure network and, possibly, in
the DMZ.
Initial configuring is simple, you just have to select the Domain Name Services
option inside System Administration. Figure 185 shows the GUI screen. After
selecting OK, the name server configuration files are created and the named
daemon is started automatically.
You also have to provide the domain name of the secure side of the firewall.
How do you know what name to use? You may not be able to freely choose the
domain name. Assuming that you are connecting an existing IP network to the
Internet, the secure network domain name will probably already exist. You don't
have to specify the nonsecure domain name here, but you need to consider the
following: the nonsecure name must be authorized by the Internet Assigned
Numbers Authority and will follow the national and international conventions for
IP domain names. This is the name that you will be known by to the rest of the
world. If your firewall configuration includes a DMZ, the servers within the DMZ
will be in this domain.
The best practice is to strictly follow the hierarchical domain naming standards,
which is the way that DNS was designed to work. DNS will work even if you use
a non-hierarchical scheme, but we do not recommend it. One thing you should
strive for is to have internal and external domain names that are easily
differentiated from each other. This means that you can instantly identify
whether a resource is inside or outside the firewall, and it makes it much easier
to create DNS configurations and mail routing rules.
216 Protect and Survive Using IBM Firewall 3.1 for AIX
11.3 DNS Configuration Examples
The best way to understand the possible DNS configurations is to look at some
examples. We will consider the following two cases:
1. With a name server located in the DMZ providing resolution for externally
visible names
2. A similar configuration, except with the external resolution performed by the
IBM Firewall 3.1 machine
The /etc/resolv.conf file points to the internal name server, which is where name
requests originating on the firewall are resolved. In our case this is address
9.24.104.108, so /etc/resolv.conf will contain the following:
domain itso.ral.ibm.com
nameserver 9.24.104.108
Note that this means that when the firewall machine tries to resolve an IP name,
it behaves exactly like a host in the secure network.
The /etc/fwnamed.boot file is the base file from which the DNS configuration is
defined. In this case it just specifies the root server hints file /etc/fwnamed.ca,
and the loopback/localhost reverse address file.
The /etc/fwnamed.loc file just contains the mapping for the loopback/local host
address (127.0.0.1).
/etc/fwnamed.ca, the cache hints file, specifies the name server(s) used to
request the list of root name servers; in this case the external name server. The
Merge DNS on the firewall will ask that name server for the current list of root
name servers, and will cache it in memory. It will repeat this process when the
cached list time-to-live expires. In our case this is the DNS system inside the
DMZ, 150.53.104.12.
Take care if you manually stop and start the firewall DNS server: stop src -s
named will stop the service, but to restart you must specify the configuration file,
startsrc -s named -a "-b /etc/fwnamed.boot" , otherwise it will attemp to use the
default file /etc/named.boot.
218 Protect and Survive Using IBM Firewall 3.1 for AIX
; Created by IBM Firewall 1997080180
. IN NS externaldns.150.53.104.12.
externaldns.150.53.104.12. 3600000 IN A 150.53.104.12
Unlike the firewall system, name resolution requests on this machine go to the
name server on the same system, so /etc/resolv.conf is conventional.
domain ral.ibm.com
nameserver 150.53.104.12
The DNS name space for the DMZ is called ral.ibm.com , so named.boot defines
us as the primary server for that domain.
directory /etc
domain ral.ibm.com
primary ral.ibm.com named.zone
primary 104.53.150.in-addr.arpa named.rev
primary 0.0.127.in-addr.arpa named.loc
cache . named.ca
The named.zone file defines all the servers and aliases that are hosted in the
DMZ. It also contains the MX record that allows a remote mail server to look up
the address where the mail is to be sent. In our case, we want the external mail
address for a user inside our secure network to be [email protected], instead of
[email protected]. Therefore the MX record directs this mail ID to the
nonsecure interface of the IBM Firewall 3.1 system. In addition to MX record
there is an address entry for domain ral.ibm.com. This is for the mailers that do
not use MX records.
The /etc/named.loc file just contains the mapping for the loopback/local host
address (127.0.0.1).
The named.ca file contains information on the name servers which are asked for
the current list of root name servers. This allows DNS to work even if the
named.ca file contains out-of-date information, providing it contains at least one
working address. You should periodically obtain the latest version of this file.
220 Protect and Survive Using IBM Firewall 3.1 for AIX
; This file holds the information on root name servers needed to
; initialize cache of Internet domain name servers
; (e.g. reference this file in the "cache . <file>"
; configuration file of BIND domain name servers).
; This file is made available by InterNIC registration services
; under anonymous FTP as
; file /domain/named.root
; on server FTP.RS.INTERNIC.NET
; -OR- under Gopher at RS.INTERNIC.NET
; under menu InterNIC Registration Services (NSI)
; submenu InterNIC Registration Archives
; file named.root
;
; last update: Aug 22, 1997
; related version of root zone: 1997082200
;
; This file is made available by DOD NIC registration services
; under anonymous FTP as
; file /domain/named.root
; on server NIC.DDN.MIL
;
; last update: Nov 8, 1995
; related version of root zone: 199511080
;
; formerly NS.INTERNIC.NET
;
. 3600000 IN NS A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4
;
; formerly NS1.ISI.EDU
;
. 3600000 NS B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET. 3600000 A 128.9.0.107
;
; formerly C.PSI.NET
;
. 3600000 NS C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET. 3600000 A 192.33.4.12
;
; formerly TERP.UMD.EDU
;
. 3600000 NS D.ROOT-SERVERS.NET.
D.ROOT-SERVERS.NET. 3600000 A 128.8.10.90
;
; formerly NS.NASA.GOV
;
. 3600000 NS E.ROOT-SERVERS.NET.
E.ROOT-SERVERS.NET. 3600000 A 192.203.230.10
;
; formerly NS.ISC.ORG
;
. 3600000 NS F.ROOT-SERVERS.NET.
F.ROOT-SERVERS.NET. 3600000 A 192.5.5.241
;
; formerly NS.NIC.DDN.MIL
;
. 3600000 NS G.ROOT-SERVERS.NET.
G.ROOT-SERVERS.NET. 3600000 A 192.112.36.4
;
; formerly AOS.ARL.ARMY.MIL
;
. 3600000 NS H.ROOT-SERVERS.NET.
H.ROOT-SERVERS.NET. 3600000 A 128.63.2.53
;
; formerly NIC.NORDU.NET
;
. 3600000 NS I.ROOT-SERVERS.NET.
I.ROOT-SERVERS.NET. 3600000 A 192.36.148.17
;
Figure 196. Case 1, /etc/named.ca File on the External DNS (DMZ) Part 1 of 2
Figure 197. Case 1, /etc/named.ca File on the External DNS (DMZ) Part 2 of 2
domain itso.ral.ibm.com
name server 9.24.104.108
directory /etc
forwarders 9.24.104.27 9.24.104.27 9.24.104.27
domain itso.ral.ibm.com
cache . named.ca
primary itso.ral.ibm.com named.zone
primary 104.24.9.in-addr.arpa named.rev
primary 0.0.127.in-addr.arpa named.local
slave
The slave directive specifies that the nameserver completely relies on the
forwarders servers. Without the slave directive, the internal DNS server will try
to directly contact the root name servers, if the request from the forwarders
servers times out for any reason. These direct requests will always fail, as the
firewall filter rules will block them, and in the meantime the internal DNS will
appear to "hang". You may use the directive options forwarders-only instead of
slave.
The named.ca file specifies the nameserver used to request the list of root name
servers. It must contain the secure interface address of the firewall itself, as
only the nameserver running on the firewall has direct access to the root name
222 Protect and Survive Using IBM Firewall 3.1 for AIX
servers and the external DNS, as the filter rules block any other DNS attempts
through the firewall.
The remaining configuration files for the internal DNS (named.zone, named.rev
and named.ca) are conventional, but we have listed them here for completeness.
. IN NS rs60004.itso.ral.ibm.com.
rs60004.itso.ral.ibm.com. IN A 9.24.104.27
Figure 204. Case 1, Name Resolution from Secure Network with nslookup
224 Protect and Survive Using IBM Firewall 3.1 for AIX
C:\mptn\bin>nslookup
Default Server: warp.overnet.com
Address: 192.168.253.222
> ns1.ral.ibm.com.
Server: warp.overnet.com
Address: 192.168.253.222
Non-authoritative answer:
Name: ns1.ral.ibm.com
Address: 150.53.104.12
> aix1.ral.ibm.com.
Server: warp.overnet.com
Address: 192.168.253.222
Name: aix1.ral.ibm.com
Address: 150.53.104.27
> rs60004.itso.ral.ibm.com.
Server: warp.overnet.com
Address: 192.168.253.222
*** warp.overnet.com can't find rs60004.itso.ral.ibm.com.: Server failed
Figure 205. Case 1, Resolve Names from Nonsecure Network with nslookup
domain itso.ral.ibm.com
nameserver 9.24.104.108
The named.boot, named.zone and named.ca files are exactly like the equivalents
on the external DNS machine from case 1, except with the external address of
the firewall (150.53.104.27, aix1.ral.ibm.com) substituted.
226 Protect and Survive Using IBM Firewall 3.1 for AIX
directory /etc
domain ral.ibm.com
cache . /etc/named.ca
primary ral.ibm.com /etc/named.zone
primary 104.53.150.in-addr.arpa /etc/named.rev
primary 0.0.127.in-addr.arpa /etc/named.loc
228 Protect and Survive Using IBM Firewall 3.1 for AIX
; temporarily housed at NSI (InterNIC)
;
. 3600000 NS J.ROOT-SERVERS.NET.
J.ROOT-SERVERS.NET. 3600000 A 198.41.0.10
;
; housed in LINX, operated by RIPE NCC
;
. 3600000 NS K.ROOT-SERVERS.NET.
K.ROOT-SERVERS.NET. 3600000 A 193.0.14.129
;
; temporarily housed at ISI (IANA)
;
. 3600000 NS L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET. 3600000 A 198.32.64.12
;
; housed in Japan, operated by WIDE
;
. 3600000 NS M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33
; End of File
Figure 214. Case 2, Resolve Names from Secure Network with nslookup
C:\mptn\etc\namedb>nslookup
Default Server: warp.overnet.com
Address: 192.168.253.222
> aix1.ral.ibm.com.
Server: warp.overnet.com
Address: 192.168.253.222
Non-authoritative answer:
Name: aix1.ral.ibm.com
Address: 150.53.104.27
> www.ral.ibm.com.
Server: warp.overnet.com
Address: 192.168.253.222
Non-authoritative answer:
Name: www.ral.ibm.com
Address: 150.53.104.31
> rs60004.itso.ral.ibm.com.
Server: warp.overnet.com
Address: 192.168.253.222
*** warp.overnet.com can't find rs60004.itso.ral.ibm.com.: Server failed
> mcgregor.itso.ral.ibm.com.
Server: warp.overnet.com
Address: 192.168.253.222
*** warp.overnet.com can't find mcgregor.itso.ral.ibm.com.: Server failed
Figure 215. Case 2, Resolve Names from Nonsecure Network with nslookup
230 Protect and Survive Using IBM Firewall 3.1 for AIX
Chapter 12. Mail Handling
IBM Firewall 3.1 provides a secure SMTP mail relay capability, as we briefly
described in 2.1.5, “Secure Mail Handling” on page 19. This allows you to
present a single interface for mail coming into your secure network and to hide
the details of the secure network from the outside.
The configuration provided by IBM Firewall 3.1 can be used with no further
modification. However, you will have to make changes to adjacent mail servers
to let them behave in a more secure way. In this chapter we will first describe
the standard setup, and then show examples that address some of the most
common additional requirements.
The secure domain is the name of your secure network. SafeMail will hide the
sender address of mail originating from this domain. The public domain name is
the name by which you are known to the non-secure network, and for which you
receive mail.
SafeMail acts like a mail exchanger, but it does not queue any inbound or
outbound mail nor does it store and forward mail. If a destination server accepts
the mail, the mail packets are transferred to the destination server like a
bidirectional "pipe". If a destination server is not available or does not accept
the mail, the mail is rejected.
If you have multiple secure-side domains, the mail servers of these domains are
required to be able to route mail amongst themselves. This is needed because
232 Protect and Survive Using IBM Firewall 3.1 for AIX
SafeMail will route inbound mail to only one of them, so the SMTP server who
receives a note to multiple domains must accept all the recipients and resend
the note to the other domains as needed.
SafeMail does not rewrite inbound addressses. It did in IBM Firewall 3.1.0.0, but
not in the following updates (3.1.1.1 and later). The secure-side mail domains
must be configured so as to accept the public domain name as an alias for their
private domain names.
We will describe each of them in turn. The examples in this chapter will meet
many typical requirements, but there are sure to be some subtleties in your
particular environment that we have not covered. Unfortunately, it seems that
whoever devised the format of the sendmail configuration file had a warped
sense of humor. It is not a simple thing to modify. If you are going to do any
serious work with /etc/sendmail.cf, we recommend sendmail by Bryan Costales
(published by O'Reilly, ISBN: 15620562).
In many mail implementations, such as the one in OS/2 TCP/IP, support for MX
is enabled by default. The sendmail in AIX 4.2 and above is MX enabled by
default. Other systems require a sendmail configuration update to enable MX
support. The following excerpt shows the entry in /etc/sendmail.cf on an AIX
system 4.1 that allows the sender to use this support:
234 Protect and Survive Using IBM Firewall 3.1 for AIX
Figure 219. Tracking Incoming Mail to an SMTP Client
ral.ibm.com. IN MX 10 aix1.ral.ibm.com.
Figure 220. The /etc/named.zone File on the External Name Server
rob:[email protected]
Figure 221. The /etc/aliases File on the Internal Mail Server
236 Protect and Survive Using IBM Firewall 3.1 for AIX
Figure 222. Incoming Mail via SMTP
This is the reverse of the previous case. We will send mail from
[email protected] to [email protected]. As before, the first
step is for the originating host to resolve the IP address of the destination. In
this case there is no mail exchanger involved, so all that is necessary is a
simple IP name lookup. It will first try to solve by looking at the HOST file, and if
this fails it will use DNS. At the time of testing we noticed that the target
machine or domain of the outgoing mail has to have an MX record. It will not
look for an A record. Otherwise the SafeMail will reset the connection.
Figure 11 on page 18 describes the process by which an internal node resolves
external addresses.
Once the target address has been determined, the following process takes place:
238 Protect and Survive Using IBM Firewall 3.1 for AIX
Step 1 The Ultimail/2 client on mcgregor.itso.ral.ibm.com sends mail to the
local mail server (rs600020.itso.ral.ibm.com). This is defined by the
DV macro in the %ETC%\sendmail.uml file.
# DVYour.External.Gateway
DVrs600020
Figure 224. DV Macro in the Sendmail.uml File on the Mail Client
AIX Users
If your client is an AIX 4.1 machine, you would specify the DR macro in
/etc/sendmail.cf instead of the DV macro shown above. You would specify:
DRrs600020
in this case.
If your client is an AIX 4.2 machine, you would specify the DS macro in
/etc/sendmail.cf instead of the DV macro shown above. You would specify:
DSrs600020
in this case.
Step 2 The sendmail daemon on the internal mail server receives the mail
message and then reroutes it to the firewall
(rs60004.itso.ral.ibm.com). This is controlled by the DR macro in the
/etc/sendmail.cf file.
This is very similar to the first case we dealt with, except that, in this case, we
use Post Office Protocol 3 (POP3) to receive the mail. POP3 is defined by
RFC1225 and it specifies a mail client that requires fewer resources from the
host machine than a full-fledged SMTP client. In fact, we used the same product
as before, Ultimail/2, configured as a POP client instead of an SMTP client.
Figure 227 on page 241 shows how a POP client accesses mail messages
through a POP server. Incoming mail to POP client users is spooled in the
mailbox on the server. The users access the POP server indirectly to obtain
their incoming mail. The protocol used between client and server is POP3.
However, when users send mail, they are sending it using SMTP directly. In fact,
it is not necessary to send mail to the mail server. It could be sent directly to
the destination host. The principal advantage of the POP approach is that only
240 Protect and Survive Using IBM Firewall 3.1 for AIX
one machine, the mail server, has to be permanently available to process mail
messages. It also places the disk space to store mail messages on the server
instead of distributed among the mail clients. This is a more controlled and
economical use of hardware resources.
13.1 Introduction
Let's face it. Sooner or later somebody will test your configuration. It might be
someone from your organization checking up on you, or a cracker from the outer
reaches of the Internet. You should test the configuration yourself before
somebody else does it for you.
Network Security Auditor scans TCP, UDP and RPC services, for which you can
select a predefined scan configuration or define your own scan configuration.
Some examples of predefined scan configurations are:
Default
− tcp ports: 21,23,25,111,139,512-514,6000
− udp ports: 69,111,137,161
− rpc service: nfsmount
Fulltcp
− tcp ports: 1-65535
− udp ports: 69,111,137,161
− rpc services: nfs,nfsmount,ypserv
− options: tcp-seq-num ftp-walk-tree
Firewall
− tcp ports: 1-65535
− udp ports: 1-65535
− options: ip-source-route, tcp-seq-num, ip-options, ftp-walk-tree
− rpc services: all
Other scan types are: baseline, medium, standard and complete.
When you run Network Security Auditor a Web browser is started from which you
can configure setup, start scans and generate reports, as shown in Figure 228
on page 244.
However, if you want, you can run Network Security Auditor on the command
line.
244 Protect and Survive Using IBM Firewall 3.1 for AIX
Figure 229. Set up a Scan for Nonsecure Firewall Interface
After you make a scan, you can generate different kinds of reports, such as a
standard, summary, vulnerability or policy report. The generated report can then
be printed or stored depending on the browser you are using. For example, with
Netscape you can store a report as a text, HTML or postscript file. In Figure 230
on page 246 the output of our scan is shown in HTML format. As you can see
only the Telnet, FTP and ping responded.
13.3 Strobe
Strobe is a port scanning tool written (and copyrighted) by Julian Assange. It
may be used freely and you can get it from ftp://suburbia.net:/pub/strobe.tgz.
It's an extremly fast TCP port scanner, and it allows the user to specify the
source port of the connections (in order to emulate a source porting attack). It
does not do stealth scanning (see 3.1.4.2, “Stealth Scanning” on page 35) so you
will see packets with the SYN bit on if you trace it.
246 Protect and Survive Using IBM Firewall 3.1 for AIX
# ./strobe -P 20 -t 2 9.24.104.215 9.24.104.241
strobe 1.03 (c) 1995 Julian Assange ([email protected]).
9.24.104.215 echo 7/tcp Echo [95,JBP]
9.24.104.241 echo 7/tcp Echo [95,JBP]
9.24.104.215 discard 9/tcp Discard [94,JBP]
9.24.104.241 discard 9/tcp Discard [94,JBP]
9.24.104.215 daytime 13/tcp Daytime [93,JBP]
9.24.104.215 chargen 19/tcp ttytst source Character Generator
9.24.104.215 ftp 21/tcp File Transfer [Control] [96,JBP]
9.24.104.215 telnet 23/tcp Telnet [112,JBP]
9.24.104.215 smtp 25/tcp Simple Mail Transfer [102,JBP]
9.24.104.215 time 37/tcp Time [108,JBP]
9.24.104.241 daytime 13/tcp Daytime [93,JBP]
9.24.104.241 ftp 21/tcp File Transfer [Control] [96,JBP]
9.24.104.241 telnet 23/tcp Telnet [112,JBP]
9.24.104.241 smtp 25/tcp Simple Mail Transfer [102,JBP]
9.24.104.241 time 37/tcp Time [108,JBP]
9.24.104.241 pop2 109/tcp postoffice Post Office Protocol - Version 2
9.24.104.241 pop3 110/tcp Post Office Protocol - Version 3 [122,MTR]
9.24.104.241 sunrpc 111/tcp rpcbind SUN Remote Procedure Call
9.24.104.241 loc-srv 135/tcp Location Service [JXP]
9.24.104.241 snmptrap 162/tcp SNMPTRAP [15,MTR]
9.24.104.241 cmip-man 163/tcp CMIP/TCP Manager [4,AXB1]
9.24.104.241 cmip-agent 164/tcp CMIP/TCP Agent
9.24.104.241 smux 199/tcp SMUX [MTR]
9.24.104.241 exec 512/tcp remote process execution;
.
.
.
13.3.2 Strobe
Now we activate the firewall, and we verify that the attacker cannot gain any
information, because the packets are blocked by the filters (with IBM Firewall
configured as a dual-homed firewall).
It is interesting to look at the log files, to see what marks a port scanner leaves
behind. You can see a great number of connections coming from the same IP
address (150.53.104.12) to different destinations, where a destination is fully
defined by an IP address (9.24.104.215) a protocol (tcp) and a port (1-XXXX).
Feb 11 15:35:09 rs60004 : ICA1036i: #:79 R:d i:150.53.104.27 s:150.53.104.12 d:9.24.104.215 p:tcp sp:20 dp:28
Feb 11 15:35:09 rs60004 : ICA1036i: #:79 R:d i:150.53.104.27 s:150.53.104.12 d:9.24.104.241 p:tcp sp:20 dp:28
Feb 11 15:35:09 rs60004 : ICA1036i: #:79 R:d i:150.53.104.27 s:150.53.104.12 d:9.24.104.215 p:tcp sp:20 dp:29
Feb 11 15:35:09 rs60004 : ICA1036i: #:79 R:d i:150.53.104.27 s:150.53.104.12 d:9.24.104.241 p:tcp sp:20 dp:29
Feb 11 15:35:09 rs60004 : ICA1036i: #:79 R:d i:150.53.104.27 s:150.53.104.12 d:9.24.104.215 p:tcp sp:20 dp:30
Feb 11 15:35:09 rs60004 : ICA1036i: #:79 R:d i:150.53.104.27 s:150.53.104.12 d:9.24.104.241 p:tcp sp:20 dp:30
You can see how strobe scans 60 ports in just one second (ports 1 to 30 for
machines 9.24.104.215 and 9.24.104.241).
Figure 234 shows the output from the tcpdump command for the same scan.
Here you can see the SYN bit on, so this shows that it is not stealth scanning
(that is, it is initiating the conventional TCP session handshake, instead of
emulating the server end of an existing IP connection).
15:35:08.293612032 150.53.104.12.20 > 9.24.104.215.1: S 1737212929:17372 12929(0) win 16384 <mss 512>
15:35:08.344706304 150.53.104.12.20 > 9.24.104.241.1: S 1737276929:1737276929(0) win 16384 <mss 512>
15:35:08.345345920 150.53.104.12.20 > 9.24.104.215.2: S 1737340929:1737340929(0) win 16384 <mss 512>
15:35:08.345980288 150.53.104.12.20 > 9.24.104.241.2: S 1737404929:1737404929(0) win 16384 <mss 512>
15:35:08.346621824 150.53.104.12.20 > 9.24.104.215.3: S 1737468929:1737468929(0) win 16384 <mss 512>
15:35:08.347233152 150.53.104.12.20 > 9.24.104.241.3: S 1737532929:1737532929(0) win 16384 <mss 512>
15:35:08.377754624 150.53.104.12.20 > 9.24.104.215.28: S 1740668929:1740668929(0) win 16384 <mss 512>
15:35:08.378351232 150.53.104.12.20 > 9.24.104.241.28: S 1740732929:1740732929(0) win 16384 <mss 512>
15:35:08.378944768 150.53.104.12.20 > 9.24.104.215.29: S 1740796929:1740796929(0) win 16384 <mss 512>
15:35:08.379545856 150.53.104.12.20 > 9.24.104.241.29: S 1740860929:1740860929(0) win 16384 <mss 512>
15:35:08.380142208 150.53.104.12.20 > 9.24.104.215.30: S 1740924929:1740924929(0) win 16384 <mss 512>
15:35:08.380741248 150.53.104.12.20 > 9.24.104.241.30: S 1740988929:1740988929(0) win 16384 <mss 512>
13.4 SATAN
SATAN is a tool designed by Dan Farmer and Wietse Venema to scan networks
and pinpoint security problems. SATAN has been the subject of some criticism,
because it is freely available. Some people feel that it is dangerous to make
such a tool so widely available. The authors contend, however, that the
dangerous crackers know all of SATAN's tricks already, so it is better to give the
knowledge to network administrators, thereby letting them test their own
defenses. Unlike other tools, it probes for security holes from outside and
searches for a number of different security exposures, in addition to basic port
scanning.
SATAN uses a Web browser for its graphical user interface and it generates the
reports in HTML form so they can be viewed online within the Web browser. In
order to run it you need PERL Version 5 or later.
248 Protect and Survive Using IBM Firewall 3.1 for AIX
13.4.1 SATAN Using Plain IP Routing
Once again, we first ran SATAN with the firewall filters disabled, so it acted as a
normal IP router. As you can see from Figure 235, it was able to discover
several security holes.
13.4.2 SATAN
Next we turned on the firewall filtering. Once again it was configured as a
dual-homed gateway, with no IP routing allowed, so SATAN was not able to
reach the secure network hosts.
We are not providing any service to the outside network, when we tried to scan
the firewall, it was not able to gain any information from the firewall itself.
250 Protect and Survive Using IBM Firewall 3.1 for AIX
Chapter 14. Logging
Logging is essential to the day-to-day operation of IBM Firewall 3.1. Unless you
log the activity on your firewall and generate alerts for suspicious activity, you
could be under attack without even realizing it. Worse, in the event of an attack,
you would be seriously hampered in your attempts to determine the origin and
target of the attack.
For more information about logging, see "Chapter 16, Managing Log and Archive
Files" IBM Firewall For AIX Version 3.1.1 User's Guide GC31-8419-00.
From the main IBM Firewall 3.1 Netscape panel (see Figure 24 on page 45)
select System Administration and then System Logs, now select Log Facilities.
First we will create a log facility to monitor all activity on the firewall, select
< N E W > in Figure 237.
We decided to use All Facilities debug logging for the following reasons:
We have plenty of disk space
We will archive regularly to efficiently use the space available
We need to capture everything we can while we test the firewall
See Figure 238 for the settings we chose for All Facilities debug logging.
Where possible we advise you to log as much as you can or risk missing vital
information.
Note: You may not be able to use * debug logging if you are using one or more
Windows 95 IPSec Client tunnels, as the output from their dynamic filter rules
can be enormous. It's also worth mentioning that the debug output from these
dynamic filter rules goes to Local2.
We repeated the above steps and created several log facilities detailed in
Figure 239 on page 253.
252 Protect and Survive Using IBM Firewall 3.1 for AIX
Figure 239. Completed Log Facilities
The All Facilities log will capture all activity, making the Local4 and Local1
logging seem redundant. However the firewall generates alerts to Local1, an
essential service. Local4 logging is used by the reporting utilities in combination
with the su log.
The parameter file for syslog is /etc/syslog.conf. You should however use the
Remote Configuration Client to configure log facilities as it will take archive
settings into account and refresh the syslogd process for you. There are eight
priority levels you can specify to reduce the amount of logging activity for a
specific service, they are:
debug
information
notice
warning
error
critical
alert
emergency
At debug level all activity for that facility will be logged. At emergency level,
very little activity would be logged at all.
IBM Firewall 3.1 only uses three of the available levels of priority, they are:
debug
To complete configuration of archiving you need to modify the AIX crontab file for
the root user. Unfortunately it won't stop this message from appearing, but you
will be able to safely ignore it.
Logon as the root user in aix. Now edit the crontab file with the command:
crontab -e
The first command will archive your logs, the second will purge entries over the
age you specified earlier. If your system is particularly busy around midnight
you may want to archive early in the morning instead.
254 Protect and Survive Using IBM Firewall 3.1 for AIX
The Log Monitor facility checks the output to the Local4 log based on user
defined thresholds. If a threshold is exceeded then an alert is generated and
reported to the Local1 log facility. You can also opt to be alerted by mail or
pager, or run an executable.
This section will activate the Alerts Display area of the Main IBM Firewall 3.1
panel (see Figure 24 on page 45).
For more information on Log Thresholds see "Chapter 17. Monitoring the
Firewall Logging", IBM Firewall 3.1 User's Guide , GC31-8419-00.
You will have to experiment with the threshold settings in your environment so
you don't get swamped with too many alerts.
You can also set up the mail or exec threshold here, which triggers if another
threshold is exceeded.
While this list may seem limited, the ability to set a message threshold gives you
a lot of options.
256 Protect and Survive Using IBM Firewall 3.1 for AIX
Firewall is unable to authenticate the indicated user name using the specified
authentication method.
It's important to put a good comment in here as it is the best way to figure out
which message threshold is which.
We attempted to log in with an invalid user name three times to trigger an alert;
see Figure 243.
258 Protect and Survive Using IBM Firewall 3.1 for AIX
Chapter 15. Building Logging Reports
In this chapter we describe how to build useful reports from firewall logging.
The reports may provide information about attack rates, type of attacks, but also
lots of information of resource usage from the secure network. For example,
information about the amount and duration of internet traffic. Or total number of
sessions per given period, regardless what session type or total number of bytes
transferred by FTP per given period and so on.
Firewall log files contain this information but it is not easily derived from them.
Here we describe a method to convert the log files into tables which can be
handled by advanced database managers.
The tables are in delimited ASCII (DEL) file format, with no character string
delimiters, and using semicolon (;) as the column delimiters.
The tables are stored in files with a .tbl extension. The Firewall Reporting
Utilities can be installed separately, and should be installed on another machine
There are two ways to generate the tables, by SMIT or via the command line.
By using SMIT, it is assumed you supply the results of the firewall log
management facility. These are archived compressed log files. The tables are
generated as follows:
Report Utilities - IBM Firewall V3R1 for AIX
Create Tabulated Message Files
Enter Log Archive File Name [logarch1.a]
After this you can select the log file and determine the directory in which you
want the tables. You can also choose to append to existing tables or overwrite
the tables. The following SMIT entries appear:
* Log File Name [ 970319syslog.Z]
Log File Type Firewall log
Append to existing files yes
Directory for Output Files [/var/data]
Log Archive File Name /tmp/arch.a
The tables can also be generated directly from a log file by the following
command:
fwlogtbl -a -d /var/data syslog
This will generate tables from the file syslog in the directory /var/data.
You need the following files to handle the tables: fwschema.ddl, fwimport.dat,
fwqrysmp.dat, these can be found in the /usr/lpp/fw/sample directory. We
assume that you have DB/2 installed on a machine and have an instance
defined.
260 Protect and Survive Using IBM Firewall 3.1 for AIX
15.2.1.2 Import the Tables into the Database
Go to the directory where you put all the tables that were generated from the log
files. Run the following command to load the data from the tables into the DB/2
database:
db2 -vf fwimport.dat > import.out
If the user of the import command is not the creator of the tables, the table
names in the fwimport.dat file may need to be prefixed with the name of the
table creator and a dot. Each import command in the fwimport.dat file produces
info in a < t a b l e n a m e > . m s g file. Furthermore, there is information on the
standard out, so in import.out.
15.2.1.3 Queries
The file fwqrysmp.dml, provided with the Report Utilities, contains some SQL
sample queries you can try on your database. The following command starts the
query:
db2 -vf fwqrysmp.dml > report.out
The results can be found in report.out.
Which queries you need depends on the kind of reports you want to make. We
suggest to study the example queries and the file fwschema.dll which contains
the structure of the tables. After that it will be relatively easy to build your own
queries.
15.3 Stalker
Stalker is a software product from Trusted Information Systems. It examines
data from the AIX auditing subsystem. Based on that audit data Stalker can
trace and browse security violations and other interesting events. Stalker has a
rich set of options to produce security violation reports. The user interface is
based on X Windows.
Stalker has basically two components: Stalker Manager and Stalker Agent. The
recommended configuration with the firewall is to install both Stalker Manager
and Agent in the firewall. There is a special version of Stalker that is suitable
for IBM Firewall 3.1. Stalker for Firewalls is modified so that Stalker Manager
and Agent can communicate locally inside the firewall. Normally they would
communicate using NFS and remote commands.
If you want to run Stalker Manager and Agent in different machines, you can
secure the connection between them with IPSec tunnel, Secure Shell (ssh) or
Kerberos. The installation process will modify AIX audit subsystem and add
more audit events to it.
Stalker Manager has to be able to get access to a number of IBM Firewall 3.1
configuration files and program binaries. It has to be able to access the data
produced by the AIX audit subsystem. Stalker does not use the syslog data
produced by IBM Firewall 3.1 at all.
262 Protect and Survive Using IBM Firewall 3.1 for AIX
Chapter 16. How to Use the IBM Firewall to Counter Security Holes
Much thought has gone into finding weaknesses in computer security and
responses to defend them. An excellent summary of 42 such potential
weaknesses may be found in Firewalls and Internet Security: Repelling the Wily
Hacker (Cheswick and Bellovin, Addison-Wesley, 1994). In this chapter,
reproduced with the permission of the authors and publisher, we list those points
(from the 42) that relate directly to firewall configurations and include notes on
how the IBM Firewall 3.1 can help you to counter them.
Of course, there are some password weaknesses for which the only solution is
user education, such as the social engineering attack: "Hi, this is Fred. Joe asked
me to check out a problem on the machine; can you give me a guest ID?".
You should also beware of crackers using secure network IP addresses from the
nonsecure side of the firewall. We discussed a filter that will block such
attempts in 6.2.1, “Rules to Block Attempts at IP Address Spoofing” on page 73.
If you are not sure that all your hosts have this kind of checking, the safest thing
to do is to prevent these applications from crossing the firewall by using filters.
If you must have them routed, you may want to manually define the
name/address mappings for trusted nodes in your secure network name server.
The net result of this kind of DNS attack is that name-based authentication is
fundamentally insecure, so you should block such services unless absolutely
necessary.
264 Protect and Survive Using IBM Firewall 3.1 for AIX
16.1.1.10 10. Return Addresses in Mail Aren't Reliable
The return address in a mail message is placed there by the mailer, and so it
can be set to anything. There is nothing you can do to stop people doing this to
you, but you should educate staff to be suspicious about unusual return
addresses. Sensitive information should not be put in a mail message without
some secondary validation that the message is going to the correct person.
This problem is at the application level, so there is nothing the firewall can
directly do about it. However, refer also to 16.1.1.24, “25. Be Careful about
Interpreting WWW Format Information” on page 267.
Chapter 16. How to Use the IBM Firewall to Counter Security Holes 265
16.1.1.15 15. Finger Discloses Too Much Information about Users
Finger is a protocol that is used to find out information about a machine and the
users logged on to it. This is a good way for a cracker to find potential targets.
The easy answer is to disable finger by blocking it with IP filters. However,
finger can be a very useful facility, so you may use the proposed modification for
giving contact information in a safe way.
16.1.1.17 17. Portmapper Can Call RPC Services for Its Caller
An RPC-based client can request portmapper to pass an RPC call directly to the
target server, instead of just returning the port number of that server. This
means that the server sees the request as having come from the local host.
Your normal response to this would be to use filters to block the application at
the firewall. However, with RPC-based services things are not so simple
because you cannot predict the port numbers that portmapper will allocate. This
means that you are led either to block all Sun RPC-based applications, or to use
address filtering (which we have already said is not 100% effective. See 16.1.1.2,
“2. Sequence Number Attacks Can Subvert Address-Based Authentication” on
page 263).
266 Protect and Survive Using IBM Firewall 3.1 for AIX
16.1.1.21 21. If Misconfigured, TFTP Will Hand Out /etc/passwd
Trivial FTP uses a configuration file to restrict the directories to which a client
has access. Frequently, however, it is installed in an unconfigured way, allowing
access to much more than you would like. You can stop it from routing through
the firewall by blocking UDP port 69. This can pose a problem for supporting
some network devices that use TFTP to load their operating code and
configuration. Some routers keep the password used for online control, in clear,
in the configuration file. So if you need to load, say, the gateway router to the
Internet using TFTP, how do you prevent a cracker stealing the configuration file,
logging in to the router, planting erroneous route definitions and then using them
for a masquerade attack? The following two courses of action are possible
answers to this:
1. Normally block TFTP and only let it through when you are loading the router
(but you must not forget to lock the door when you finish!)
2. Prohibit online update for that particular router
16.1.1.23 24. FSP Is Often Abused to Give Out Files to Those Who
Should Not Have Them
FSP is a file transfer protocol that nobody uses legitimately. You should block it
at your firewall by a deny filter for UDP port 21.
How can the SNG firewall help with this? One possibility is to use the telnet
proxy service. This may operate with a very restricted shell, so the scope for
damaging embedded commands is much reduced. Unfortunately this answer
has some serious problems. The main one is performance; running a large
number of X-windows servers will be a big drain on the firewall machine. There
is also the extra delay introduced by running the X-protocol, and anyway we
want to avoid running X on our firewall if possible. Finally there is the question
of convenience; most people prefer to run applications like this on a personal
computer. You need to assess the risk involved in order to come to a judgment
about where and to what extent you allow WWW access in your secure network.
Chapter 16. How to Use the IBM Firewall to Counter Security Holes 267
The particular security aspects of the Web are discussed in Safe Surfing: How to
Create a Secure World Wide Web Connection , SG24-4564.
You can see from this that X-windows is a dangerous protocol to allow out
through your firewall. Blocking it is not so easy; X11 normally uses a TCP port
around 6000-6005 but it is dynamic, so there is a danger of blocking out other
services (although you may want to block them anyway).
268 Protect and Survive Using IBM Firewall 3.1 for AIX
16.1.1.30 31. Don't Believe Port Numbers Supplied by Outside
Machine
What this means is although the normal use for a port may be for a well-known
server, a cracker can easily generate messages using that port (that is, a client
using the normal server port). We have seen how in filters for TCP services we
can prohibit this by using the tcp/ack filter feature to distinguish between the
session initiator and responder (see 3.1.3, “An Introduction to TCP Packets” on
page 33).
Chapter 16. How to Use the IBM Firewall to Counter Security Holes 269
16.1.1.36 37. Be Careful about Pointing a Finger at a Subverted
Machine
If you think you are being attacked, one thing you can do is use the finger
command to try to find something out about the originator. Some crackers have
corrupted finger servers, which will flood you with data or control codes. This
can fill your file systems.
270 Protect and Survive Using IBM Firewall 3.1 for AIX
Appendix A. How to Get the Samples in This Book
There are two code packages described in this book, both of which are available
using anonymous FTP. The code packages are:
tcp_relay. This is a TCP/IP relay program that can be used to provide a proxy
service for the Network News Transfer Protocol (NNTP). It is
described in 6.7, “NNTP: Network News Transfer Protocol” on
page 101 and the source code is listed in Appendix D, “Sample NNTP
Relay Program” on page 279.
LAID Logging, Alerting and Intruder Detection is a package of installation
scripts and configuration files that:
1. Configure a logging environment, using syslog services.
2. Configure the AIX audit facility.
3. Configure Systems Monitor for AIX SLM and SIA agents to
monitor the SNG system to check for problems that may indicate
an attack or security exposure.
You will find the samples in directory /redbooks/SG242577. You will also find a
file named sg242577.README in the same directory, which includes instructions
on how to download and unpack the samples. There are further README files
within the samples giving detailed installation instructions.
You will find the samples in directory /pub/SG242577. You will also find a file
named sg242577.README in the same directory, which includes instructions on
how to download and unpack the samples. There are further README files
within the samples giving detailed installation instructions.
274 Protect and Survive Using IBM Firewall 3.1 for AIX
Table 9 (Page 3 of 3). ICMP Message Codes
Type Name Reference
17 Address Mask Request RFC950
Codes
0 No Code
18 Address Mask Reply RFC950
Codes
0 No Code
19 Reserved (for Security) Solo
20-29 Reserved (for Robustness Experiment) ZSu
30 Traceroute RFC1393
31 Datagram Conversion Error RFC1475
32 Mobile Host Redirect David Johnson
33 IPv6 Where-Are-You Bill Simpson
34 IPv6 I-Am-Here Bill Simpson
35 Mobile Registration Request Bill Simpson
36 Mobile Registration Reply Bill Simpson
37 Domain Name Request RFC1788
38 Domain Name Reply RFC1788
Codes
0 No Code
278 Protect and Survive Using IBM Firewall 3.1 for AIX
Appendix D. Sample NNTP Relay Program
This program is based on a sample in Actually Useful Internet Techniques by
Larry Hughes (published by New Riders, ISBN 1-56205-508-9).
/* ========================================================================
*
* Program: tcp_relay.c
*
* Author : Adrian Fabio Setton <[email protected]>
* IBM Argentina
*
* Tweaked By: Andreas Siegert <[email protected]>
* IBM Germany
*
* Derived from: passtru.c, with permission.
* Author : Larry J. Hughes, Jr. <[email protected]>
* "Actually Useful Internet Security Techniques"
* New Riders Publishing, ISBN 1-56205-508-9
* Thanks Larry !!!
*
* Purpose :
* Relays a connection thru the SNG avoiding IP forwarding
* It uses a configuration file in order to define which connections to
* relay.
* The format of the /etc/tcp_relay.cfg file is:
* inAddress inPort outAddress outPort.
* inAddress is the IP address that establishes the connection
* inPort in the Port that receives the connection on the SNG.
* Lines starting with a # and empty lines are ignored
*
* Example of the Config File for News
* 150.53.104.12 119 9.24.104.241 119
* 9.24.104.241 119 150.53.104.12 119
* Usage : configure the following line in /etc/inetd.conf for NNTP (news):
* nntp stream tcp nowait nobody /usr/local/bin/tcp_relay tcp_relay
*
* Compile with
* make tcp_relay
* ======================================================================== */
/* ========================================================================
* Includes
* ======================================================================== */
#include <sys/types.h>
#include <sys/time.h>
#include <stdio.h>
#include <stdlib.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <sys/socket.h>
#include <sys/select.h>
#include <sys/syslog.h>
/* ========================================================================
* Global Variables (My apologies ...)
* ======================================================================== */
int nTableEntrys;
TABLE Table[MAX_ENTRYS];
int serverSocket=0;
/* ========================================================================
* Prototypes
* ======================================================================== */
int main(int argc, char *argv[]);
int RelayConnection(int client, int server);
int NetWrite(int socket, char *buffer, int length);
void ReadTable(char *szFileName);
void FatalError(int n, char *s);
/* ========================================================================
* Main
* ======================================================================== */
main(int argc, char *argv[])
{
struct sockaddr_in clientAddress;
struct sockaddr_in firewallPort;
struct sockaddr_in serverAddress;
int clientLength=sizeof(clientAddress);
int firewallLength=sizeof(firewallPort);
int i, nIndex;
int one = 1;
int Found=FALSE;
char connbuff[1024], errbuff[1024];
char a1[24],a2[24];
/* set up syslog */
openlog ("tcp_relay",LOG_PID | LOG_ODELAY | LOG_CONS,LOG_AUTH);
ReadTable(CFGFILE);
strcpy(a1,inet_ntoa(clientAddress.sin_addr.s_addr));
if (!Found) {
sprintf (errbuff,"%s:%i not authorized",
a1,firewallPort.sin_port);
FatalError(4, errbuff);
}
280 Protect and Survive Using IBM Firewall 3.1 for AIX
/* Create socket for connection to remote server */
if ((serverSocket = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
FatalError(5, "socket error");
}
/* ========================================================================
* Relay Connection
* ======================================================================== */
int RelayConnection(int client, int server)
{
int numSelected;
int rBytes, wBytes;
char buffer[1024];
fd_set ibits;
numSelected =
select(16, &ibits, (fd_set *)0, (fd_set *)0, (struct timeval *)0);
if (numSelected == -1)
{
FatalError(9, "select error");
break;
}
/* client -> server */
else if (FD_ISSET(client, &ibits))
{
rBytes = read(client, buffer, sizeof(buffer));
if (rBytes <= 0) break;
wBytes = NetWrite(server, buffer, rBytes);
if (wBytes != rBytes) break;
}
}
}
/* ========================================================================
* Network Write
* ======================================================================== */
int NetWrite(int socket, char *buffer, int length)
{
int numToWrite, numWritten;
/*
* Write the entire buffer or die trying. Might take several attempts.
*/
numToWrite = length;
do
{
numWritten = write(socket, buffer, numToWrite);
if (numWritten == -1)
{
FatalError(10, "write error");
}
buffer += numWritten;
numToWrite -= numWritten;
} while (numToWrite > 0);
return(length);
}
282 Protect and Survive Using IBM Firewall 3.1 for AIX
/* ========================================================================
* Fatal Error
* ======================================================================== */
void FatalError(int n, char *s)
{
syslog(LOG_ERR, "[%d] %s", n, s);
close(0);
if (serverSocket!=0) {
close(serverSocket);
}
closelog();
exit(n);
}
/* ========================================================================
* Read Table
* ======================================================================== */
void ReadTable(char *szFileName)
{
FILE *fp;
char szBuffer[255];
char szInAddress[255], szInPort[255];
char szOutAddress[255], szOutPort[255];
char errbuff[1024];
int i, nRet, lineno;
fp=fopen(szFileName, "r");
if (!fp) {
sprintf(errbuff,"Error opening %s",szFileName);
FatalError(11, errbuff);
}
i=0;
lineno=0;
while (fgets((szBuffer), sizeof(szBuffer)-1, fp) && i<MAX_ENTRYS) {
lineno++;
if ((szBuffer[0]=='#') || (strlen(szBuffer)<=1)) {
/* empty or comment line */
continue ;
}
nRet=sscanf(szBuffer, "%s%s%s%s", szInAddress, szInPort,
szOutAddress, szOutPort);
if (nRet!=4) {
fclose(fp);
sprintf(errbuff,"Error reading line %i of %s",lineno,szFileName);
FatalError(12, errbuff);
}
Table[i].inaddress=inet_addr(szInAddress);
Table[i].inport=atoi(szInPort);
Table[i].outaddress=inet_addr(szOutAddress);
Table[i].outport=atoi(szOutPort);
if (Table[i].inaddress==-1 || Table[i].outaddress==-1) {
fclose(fp);
sprintf (errbuff,"Config file format error at line %i: %s",lineno,szBuffer);
FatalError(13, errbuff);
}
i++;
}
nTableEntrys=i;
fclose(fp);
}
For a current list of IBM Firewall related products, you should check:
http://www.software.ibm.com/enetwork/firewall/
. Click on Products.
We will briefly describe the main features of the products. Most of the
information has been taken from the vendors' Web sites. The following is the list
of IBM Firewall related products:
1. MIMEsweeper from Integralis (www.integralis.com )
MIMEsweeper does content security checks of mail and Web access. It has
two main components: MAILsweeper and WEBsweeper. It can:
Manage junk e-mail
Block URLs
Protect confidential information
Block Java applets and JavaScript
Sanitize cookies
Add legal disclaimers to mail
Quarantine dubious files
MIMEsweeper runs under Windows NT.
2. S/KEY from Bellcore (www.bellcore.com/security/skey.html )
S/KEY is a software authentication package that you can use with the IBM
Firewall user-supplied authentication API.
S/KEY uses a client/server model of authentication. The server generates a
challenge response to the client's logical request. The client then generates
the appropriate one-time password. The client calculates this password by
using the server's challenge and the user's secret pass phrase as inputs to
the S/Key system's one-time password algorithm. The client sends the
generated one-time password back to the server, which verifies it and logs
the user into the system.
This system has the advantage over similar ones that does not require any
special hardware.
IBM Firewall provides a sample of user-supplied authentication code. It is
supplied as three files (makefile.ex, fwuserpt.c, fwuserau.c) in the
/usr/llp/FW/sample directory. See Firewall for AIX Reference, SC31-8418 for
details.
3. SecureID card from Security Dynamics (http://www.securitydynamics.com/ )
The SecurID token provides a one step process to positively identify network
and system users and prevent unauthorized access. It can be used, for
example, to allow/deny access to the proxy server.
When the user wants to access the system, he/she logs in, and then is
prompted to enter the one-time password read off the SecureID token. This
286 Protect and Survive Using IBM Firewall 3.1 for AIX
Telemate is a reporting tool. It will read the IBM Firewall log and produce
reports. It runs in Windows 95 or NT.
Telemate can answer questions as:
How is my bandwidth being used?
Who is hitting questionable sites?
What sites are individual users hitting?
Who is generating the most traffic?
How much should I bill for use?
We should also mention two IBM products that also complement the IBM
Firewall functions:
HACMP (High-Availability Cluster Multi-Processing)
(http://www.rs6000.ibm.com/software/Apps/hacmp/ )
HACMP for AIX is a control application that can link up to eight RS/6000
servers or SP nodes into highly available clusters. With the enhanced
scalability feature, up to 16 SP nodes can be linked. Clustering servers or
nodes enables parallel access to their data, which can help provide the
redundancy and fault resilience required for business critical applications.
Using HACMP with two or more IBM Firewalls will enhance the reliability of
the systems.
IBMers will find more information on this subject in this intranet Web Site:
http://hawww.ak.munich.ibm.com/HACMP/HA-FW/HA-FW-2.html
Interactive Network Dispatcher (http://www.ics.raleigh.ibm.com/netdispatch/ )
Interactive Network Dispatcher (IND) is a software product that performs
load-balancing and IP traffic management across multiple IBM Firewalls.
It enables multiple IBM Firewalls to efficiently function as a single system,
allowing customers to distribute traffic to servers located anywhere in the
world, greatly increasing system availability and responsiveness.
IND can co-exist in the same machine with IBM Firewall.
In order to be used with IBM Firewall 3.1, the Network Dispatcher needs
access to port 10003 on the firewall. To set up the firewall correctly, do the
following:
1. Define two network objects on the firewall with the same IP address. The
names must be different. This will allow the firewall to talk to itself, which
would not be allowed if the network object names were the same.
2. Define a connection with the two network objects just created. Use one
as the source and the other as the destination.
3. Within the connection, define a service with the following rules:
4. Rule 1 is a permit rule:
source port = 10003, Destination port >1024, route = local, direction = both, interface = non-secure.
With the connection defined, the two rules will be built, which will allow
Network Dispatcher to talk to itself on port 10003.
288 Protect and Survive Using IBM Firewall 3.1 for AIX
E.1.1 Major Features
The following is a list of AutoSOCKS features provided by the vendor:
Supports all Windows platforms
− Windows 3.x, Windows for Workgroups 3.11, Windows 95 and Windows NT
Supports multiple authentication and encryption standards
− Simple username/password
− Challenge-Handshake Authentication Protocol (CHAP)
− Kerberos and SSL (optional)
End-user transparency
− Integrates with existing desktop applications and TCP/IP stacks
− Seamlessly routes connections from Windows applications to external
networks through a SOCKS server
− Transparently negotiates authentication and encryption with SOCKS V5
server
− Support for multiple SOCKS servers
− No modification to Windows system components and environment
Standards support
− Interoperable with 16- and 32-bit WinSock 1.1 applications
− Supports all Windows, Windows 95 and Windows NT TCP/IP stacks
− Supports publicly available SOCKS V4 and V5 standards
Network administration
− User interface provides a single configuration point for all WinSock client
applications
− Online documentation and help
− Logging tool for troubleshooting
− Ping and traceroute for monitoring network connections
There is an Installation Wizard that comes with the product, which guides you
during the product setup. There is also a configuration tool. We had to only
specify a few parameters, for example, the firewall IP address (or name) and the
version of socks.
Next we had to specify the IP address of our subnet; we were in the secure
network 9.24.104.0.
We also had to specify the domain name of our secure network. AutoSOCKS will
redirect any traffic that is not intended for the network to the SOCKS server in
the firewall.
290 Protect and Survive Using IBM Firewall 3.1 for AIX
Figure 247. Defining the Subnet to Aventail AutoSOCKS
AutoSOCKS keeps a log of all the applications that use its service. A sample log
is shown in Figure 248.
11/11/97 10:23:26: (32 bit) Info: Cannot provide DNS proxying. One or more servers is version 4 (9.24.104.159)
11/11/97 10:24:46: (32 bit) Info: Socket 38: Matched against a redirection rule, destination (everything else)
11/11/97 10:24:46: (32 bit) Info: Socket 38: Redirecting to SOCKS server 9.24.104.159
11/11/97 10:24:46: (32 bit) Info: Socket 38: Redirecting connection!
11/11/97 10:25:10: (32 bit) Info: Socket 43: Matched against a redirection rule, destination (everything else)
11/11/97 10:25:11: (32 bit) Info: Socket 43: Redirecting to SOCKS server 9.24.104.159
11/11/97 10:25:11: (32 bit) Info: Socket 43: Redirecting connection!
11/11/97 10:25:11: (32 bit) Info: Socket 44: Matched against a redirection rule, destination (everything else)
11/11/97 10:25:11: (32 bit) Info: Socket 44: Redirecting to SOCKS server 9.24.104.159
11/11/97 10:25:11: (32 bit) Info: Socket 44: Redirecting connection!
292 Protect and Survive Using IBM Firewall 3.1 for AIX
Appendix F. Listing the IBM Firewall Rules
The following awk program was developed to list the rules defined in a IBM
Firewall:
# Prints out Services lines
awk -F \] '
BEGIN { rulefile="/etc/security/fwrules.cfg";}
{printf "%-32s %-s\n",$2,$3; # $3 up to 69 chars
nr=split($8,rr," ");
for (i=1; i<=nr; i++)
{
split(rr[i],rn,";");
do
{
getline < rulefile;
}
while ($1 != rn[1]);
printf " >%c<\t%-40s %-s\n", rn[2] , $2, $3; # $3 up to 53 chars
if ($6 == "any") {sp=$6 " " $7}
if ($6 == "eq") {sp="=" $7}
if ($6 == "gt") {sp=">" $7}
if ($8 == "any") {dp=$8 " " $9}
if ($8 == "eq") {dp="=" $9}
if ($8 == "gt") {dp=">" $9}
printf "\t%-7s%-8s%-6s%-6s%-11s%-6s%-9s%-4s%-3s\n",$4,$5,sp,dp,$10,$11,$12,$13,$14;
close(rulefile);
}
print "";
}
' /etc/security/fwservices.cfg
294 Protect and Survive Using IBM Firewall 3.1 for AIX
>o< FTP Control Ack 2/2 TCP/ACK out port 21 secure
permit tcp/ack =21 >1023 secure route outbound l=n f=y
>o< FTP Data in 20 TCP in port 20 non-secure
permit tcp =20 >1023 non-secure route inbound l=n f=y
>o< FTP Data out 20 TCP out port 20 secure
permit tcp =20 >1023 secure route outbound l=n f=y
>i< FTP Data Ack in 20 TCP/ACK in port 20 secure
permit tcp/ack >1023 =20 secure route inbound l=n f=y
>i< FTP Data Ack out 20 TCP/ACK out port 20 non-secure
permit tcp/ack >1023 =20 non-secure route outbound l=n f=y
>i< FTP Data in 1023+ TCP in port 1023+ secure
permit tcp >1023 >1023 secure route inbound l=n f=y
>i< FTP Data out 1023+ TCP out port 1023+ non-secure
permit tcp >1023 >1023 non-secure route outbound l=n f=y
>o< Proxy FTP Data Ack in non-secure TCP/ACK port 1023+
permit tcp/ack >1023 >1023 non-secure route inbound l=n f=y
>o< FTP Data Ack out 1023+ TCP/ACK out port 1023+ secure
permit tcp/ack >1023 >1023 secure route outbound l=n f=y
FTP proxy in 1/2 Permit FTP inbound from non-secure network to firewall
>i< Proxy FTP Control in non-secure 1/2 TCP in port 21 non-secure
permit tcp >1023 =21 non-secure local inbound l=n f=y
>o< Proxy FTP Control Ack out non-secure 1/2 TCP/ACK port 21
permit tcp/ack =21 >1023 non-secure local outbound l=n f=y
>o< Proxy FTP Data out non-secure 1/2 TCP port 20
permit tcp =20 >1023 non-secure local outbound l=n f=y
>i< Proxy FTP Data Ack in non-secure 1/2 TCP/ACK port 20
permit tcp/ack >1023 =20 non-secure local inbound l=n f=y
>i< Proxy FTP Data in non-secure 1/2 TCP port 1023+
permit tcp >1023 >1023 non-secure local inbound l=n f=y
>o< Proxy FTP Data Ack out non-secure 1/2 TCP/ACK port 1023+
permit tcp/ack >1023 >1023 non-secure local outbound l=n f=y
FTP proxy in 2/2 Permit FTP inbound from firewall to secure network
>i< Proxy FTP Control out secure 1/2 TCP port 21
permit tcp >1023 =21 secure local outbound l=n f=y
>o< Proxy FTP Control Ack in secure 2/2 TCP/ACK port 21
permit tcp/ack =21 >1023 secure local inbound l=n f=y
>o< Proxy FTP Data in secure 2/2 TCP port 20
permit tcp =20 >1023 secure local inbound l=n f=y
>i< Proxy FTP Data Ack out secure 2/2 TCP/ACK port 20
permit tcp/ack >1023 =20 secure local outbound l=n f=y
FTP proxy out 1/2 Permit FTP outbound from secure network to firewall
>i< Proxy FTP Control in secure 1/2 TCP port 21
permit tcp >1023 =21 secure local inbound l=n f=y
>o< Proxy FTP Control Ack out secure 1/2 TCP/ACK port 21
permit tcp/ack =21 >1023 secure local outbound l=n f=y
>o< Proxy FTP Data out secure 1/2 TCP port 20
permit tcp =20 >1023 secure local outbound l=n f=y
>i< Proxy FTP Data Ack in secure 1/2 TCP/ACK port 20
permit tcp/ack >1023 =20 secure local inbound l=n f=y
>i< Proxy FTP Data in secure 1/2 TCP in port 1023+
permit tcp >1023 >1023 secure local inbound l=n f=y
>o< Proxy FTP Data Ack out secure 1/2 TCP/ACK port 1023+
permit tcp/ack >1023 >1023 secure local outbound l=n f=y
FTP proxy out 2/2 Permit FTP outbound from firewall to non-secure network
>i< Proxy FTP Control out secure 2/2 TCP port 21
permit tcp >1023 =21 non-secure local outbound l=n f=y
>o< Proxy FTP Control Ack in non-secure 2/2 TCP/ACK port 21
permit tcp/ack =21 >1023 non-secure local inbound l=n f=y
>o< Proxy FTP Data in non-secure 2/2 TCP port 20
permit tcp =20 >1023 non-secure local inbound l=n f=y
>i< Proxy FTP Data Ack out non-secure 2/2 TCP/ACK port 20
permit tcp/ack >1023 =20 non-secure local outbound l=n f=y
>i< Proxy FTP Data out non-secure 2/2 TCP port 1023+
permit tcp >1023 >1023 non-secure local outbound l=n f=y
>o< Proxy FTP Data Ack in non-secure 2/2 TCP/ACK port 1023+
permit tcp/ack >1023 >1023 non-secure local inbound l=n f=y
Gopher proxy out 2/2 Permit gopher from firewall to non-secure network
>i< Proxy gopher out 2/2 TCP out port 70 non-secure
permit tcp >1023 =70 non-secure local outbound l=n f=y
>o< Proxy gopher Ack out 2/2 TCP/ACK in port 70 non-secure
296 Protect and Survive Using IBM Firewall 3.1 for AIX
>o< EFM config ACK out non-secure TCP/ACK out port 1024 non-secure
permit tcp/ack =1024 >1025 non-secure local outbound l=n f=y
Permit ALL with Logging Permit all (for debugging purposes only)
>i< All - permit permit All
permit all any 0 any 0 both both both l=y f=y
>o< All - permit permit All
permit all any 0 any 0 both both both l=y f=y
Permit FTP outbound from firewall to secure Permit FTP outbound from firewall to secure
>o< FTP Client 2/2 TCP/ACK in >1023 from 21
permit tcp/ack =21 >1023 secure local inbound l=n f=y
>o< FTP Client Data 1/2 TCP in port 20 secure
permit tcp =20 >1023 secure local inbound l=n f=y
>i< FTP Client Data 2/2 TCP/ACK out port >1023 to 20 secure
permit tcp/ack >1023 =20 secure local outbound l=n f=y
>o< FTP Client 1/2 TCP in port >1023 from 21 secure
permit tcp =21 >1023 secure local inbound l=n f=y
>i< FTP Client 3/2 TCP from >1023 to 21 secure out
permit all >1023 =21 secure local outbound l=n f=y
Ping Permit Ping outbound secure network to anywhere
>i< Ping ICMP port 8
permit icmp =8 =0 both both both l=n f=y
>o< Ping Response ICMP port 0
permit icmp =0 =0 both both both l=n f=y
Real Audio proxy (1/2) Real Audio from secure to fw
>i< Real Audio proxy (1/2) in secure TCP in port 1090 secure
permit tcp >1023 =1090 secure local inbound l=y f=y
>o< Real Audio proxy ACK (1/2) secure TCP/ACK out port 1090 secure
permit tcp/ack =1090 >1023 secure local outbound l=y f=y
Real Audio proxy (2/2) Real Audio from firewall to world
>i< Real Audio proxy (2/2) TCP out port 7070 non-secure
permit tcp >1023 =7070 non-secure local outbound l=y f=y
>o< Real Audio proxy ACK (2/2) TCP/ACK in port 7070 non-secure
permit tcp/ack =7070 >1023 non-secure local inbound l=y f=y
Real audio route 7070 log on Real Audio route 7070
>i< Real Audio in secure 7070 log on TCP in port 7070 secure
permit tcp >1023 =7070 secure route inbound l=y f=y
>i< Real Audio out 7070 non-secure log on TCP out port 7070 non-secure
permit tcp >1023 =7070 non-secure route outbound l=y f=y
>o< Real Audio ACK 7070 in non-secure log on TCP/ACK in port 7070 non-secure
permit tcp/ack =7070 >1023 non-secure route inbound l=y f=y
>o< Real Audio ACK 7070 out secure log on TCP/ACK out port 7070 secure
permit tcp/ack =7070 >1023 secure route outbound l=y f=y
Real Audio route 80 Real Audio route 80
>i< Real Audio 80 non-secure TCP out port 80 non-secure
permit tcp >1023 =80 non-secure route outbound l=n f=y
>i< Real Audio 80 secure TCP in port 80 secure
permit tcp >1023 =80 secure route inbound l=y f=y
>o< Real Audio ACK 80 non-secure TCP/ACK in port 80 non-secure
permit tcp/ack =80 >1023 non-secure route inbound l=y f=y
>o< Real Audio ACK 80 secure TCP/ACK out port 80 secure
permit tcp/ack =80 >1023 secure route outbound l=n f=y
Real Audio udp >1023 Real Audio udp >1023
>i< Real audio udp >1023 Real Audio udp >1023
permit udp =80 >1023 both route both l=y f=y
>o< Real audio udp >1023 Real Audio udp >1023
permit udp =80 >1023 both route both l=y f=y
RealAudio Permit RealAudio connection from secure network to non-secure network
>i< RealAudio in secure TCP in port 7070 secure
permit tcp >1023 =7070 secure route inbound l=n f=y
>i< RealAudio out non-secure TCP out port 7070 non-secure
permit tcp >1023 =7070 non-secure route outbound l=n f=y
>o< RealAudio Ack in non-secure TCP/ACK in port 7070 non-secure
permit tcp/ack =7070 >1023 non-secure route inbound l=n f=y
>o< RealAudio out secure TCP/ACK out port 7070 secure
permit tcp/ack =7070 >1023 secure route outbound l=n f=y
298 Protect and Survive Using IBM Firewall 3.1 for AIX
>i< Proxy Telnet in non-secure 1/2 TCP port 23
permit tcp >1023 =23 non-secure local inbound l=n f=y
>o< Proxy Telnet Ack out non-secure 1/2 TCP/ACK port 23
permit tcp/ack =23 >1023 non-secure local outbound l=n f=y
Telnet proxy in 2/2 Permit telnet in from firewall to secure network
>i< Proxy Telnet out secure 2/2 TCP port 23
permit tcp >1023 =23 secure local outbound l=n f=y
>o< Proxy Telnet Ack in secure 2/2 TCP/ACK port 23
permit tcp/ack =23 >1023 secure local inbound l=n f=y
Telnet proxy out 1/2 Permit Telnet out from secure network to firewall
>i< Proxy Telnet in secure 1/2 TCP port 23
permit tcp >1023 =23 secure local inbound l=n f=y
>o< Proxy Telnet Ack out secure 1/2 TCP/ACK port 23
permit tcp/ack =23 >1023 secure local outbound l=n f=y
Telnet proxy out 2/2 Permit telnet out from firewall to non-secure network
>i< Proxy Telnet out non-secure 2/2 TCP port 23
permit tcp >1023 =23 non-secure local outbound l=n f=y
>o< Proxy Telnet Ack in non-secure 2/2 TCP/ACK port 23
permit tcp/ack =23 >1023 non-secure local inbound l=n f=y
Telnet routed from Internet Telnet routed from Internet
>i< Telnet route in non-secure telnet from Internet
permit tcp =23 =23 non-secure route inbound l=n f=y
>i< Telnet route out secure telnet from Internet
permit tcp =23 =23 secure route outbound l=n f=y
>o< Telnet route ACK in secure Telnet from Internet
permit tcp/ack =23 =23 secure route inbound l=n f=y
>o< Telnet route ACK out non-secure Telnet from Internet
permit tcp/ack =23 =23 non-secure route outbound l=n f=y
Tunnel (307) / inbound / telnet 0
>o< Proxy Telnet Ack out secure 1/2 TCP/ACK port 23
permit tcp/ack =23 >1023 secure local outbound l=n f=y
>i< Proxy Telnet in secure 1/2 TCP port 23
permit tcp >1023 =23 secure local inbound l=n f=y
Tunnel 309 all
>i< permit icmp all
permit icmp any 0 any 0 secure local both l=y f=y
tunnel 309 telnet
>i< Proxy Telnet Ack in secure 2/2 TCP/ACK port 23
permit tcp/ack =23 >1023 secure local inbound l=n f=y
>o< Proxy Telnet out secure 2/2 TCP port 23
permit tcp >1023 =23 secure local outbound l=n f=y
VDOLIVE Direct In Permit non-secure client to secure server
>i< VDOLIVE TCP in non-secure VDOLIVE TCP Session from any port ( > 1023) to 7000
permit tcp >1023 =7000 non-secure route inbound l=n f=y
>i< VDOLIVE TCP out secure VDOLIVE TCP Session from any port ( > 1023) to 7000
permit tcp >1023 =7000 secure route outbound l=n f=y
>o< VDOLIVE TCP/ACK in secure VDOLIVE TCP/ACK Session from 7000 to any port (>1023)
permit tcp/ack =7000 >1023 secure route inbound l=n f=y
>o< VDOLIVE TCP/ACK out non-secure VDOLIVE TCP/ACK Session from 7000 to any port (>1023)
permit tcp/ack =7000 >1023 non-secure route outbound l=n f=y
>i< VDOLIVE UDP Forward in non-secure VDOLIVE UDP Session from any port (>1023) to 7001
permit udp >1023 =7001 non-secure route inbound l=n f=y
>i< VDOLIVE UDP Forward out secure VDOLIVE UDP Session from any port (>1023) to 7001
permit udp >1023 =7001 secure route outbound l=n f=y
>o< VDOLIVE UDP Backward in secure VDOLIVE UDP Session from 7001 to any port (>1023)
permit udp =7001 >1023 secure route inbound l=n f=y
>o< VDOLIVE UDP Backward out non-secure VDOLIVE UDP Session from 7001 to any port (>1023)
permit udp =7001 >1023 non-secure route outbound l=n f=y
VDOLIVE Direct Out Permit secure client to non-secure server
>i< VDOLIVE TCP in secure VDOLIVE TCP Session from any port ( > 1023) to 7000
permit tcp >1023 =7000 secure route inbound l=n f=y
>i< VDOLIVE TCP out non-secure VDOLIVE TCP Session from any port ( > 1023) to 7000
permit tcp >1023 =7000 non-secure route outbound l=n f=y
>o< VDOLIVE TCP/ACK in non-secure VDOLIVE TCP/ACK Session from 7000 to any port (>1023)
permit tcp/ack =7000 >1023 non-secure route inbound l=n f=y
>o< VDOLIVE TCP/ACK out secure VDOLIVE TCP/ACK Session from 7000 to any port (>1023)
300 Protect and Survive Using IBM Firewall 3.1 for AIX
Appendix G. Special Notices
This document was written for planners and implementers of firewalls, to help in
designing and configuring solutions using the IBM Firewall for AIX. Some
knowledge of TCP/IP protocols is assumed. The information in this publication is
not intended as the specification of any programming interfaces that are
provided by the IBM Firewall for AIX. See the PUBLICATIONS section of the IBM
Programming Announcement for IBM Firewall for AIX for more information about
what publications are considered to be product documentation.
Information in this book was developed in conjunction with use of the equipment
specified, and is limited in application to those specific hardware and software
products and levels.
IBM may have patents or pending patent applications covering subject matter in
this document. The furnishing of this document does not give you any license to
these patents. You can send license inquiries, in writing, to the IBM Director of
Licensing, IBM Corporation, 500 Columbus Avenue, Thornwood, NY 10594 USA.
Licensees of this program who wish to have information about it for the purpose
of enabling: (i) the exchange of information between independently created
programs and other programs (including this one) and (ii) the mutual use of the
information which has been exchanged, should contact IBM Corporation, Dept.
600A, Mail Drop 1329, Somers, NY 10589 USA.
The information contained in this document has not been submitted to any
formal IBM test and is distributed AS IS. The information about non-IBM
("vendor") products in this manual has been supplied by the vendor and IBM
assumes no responsibility for its accuracy or completeness. The use of this
information or the implementation of any of these techniques is a customer
responsibility and depends on the customer's ability to evaluate and integrate
them into the customer's operational environment. While each item may have
been reviewed by IBM for accuracy in a specific situation, there is no guarantee
that the same or similar results will be obtained elsewhere. Customers
attempting to adapt these techniques to their own environments do so at their
own risk.
Reference to PTF numbers that have not been released through the normal
distribution process does not imply general availability. The purpose of
AIX Current
DB2 IBM
NetView OS/2
RISC System/6000 RS/6000
SP SystemView
Microsoft, Windows, Windows NT, and the Windows 95 logo are trademarks
or registered trademarks of Microsoft Corporation.
302 Protect and Survive Using IBM Firewall 3.1 for AIX
Appendix H. Related Publications
The publications listed in this section are considered particularly suitable for a
more detailed discussion of the topics covered in this redbook.
This information was current at the time of publication, but is continually subject to change. The latest
information may be found at http://www.redbooks.ibm.com.
Redpieces
For information so current it is still in the process of being written, look at "Redpieces" on the Redbooks Web
Site (http://www.redbooks.ibm.com/redpieces.htm). Redpieces are redbooks in progress; not all redbooks
become redpieces, and sometimes just a few chapters will be published this way. The intent is to get the
information out much quicker than the formal publishing process allows.
IBMMAIL Internet
In United States: usib6fpl at ibmmail [email protected]
In Canada: caibmbkz at ibmmail [email protected]
Outside North America: dkibmbsh at ibmmail [email protected]
Telephone orders
Redpieces
For information so current it is still in the process of being written, look at "Redpieces" on the Redbooks Web
Site (http://www.redbooks.ibm.com/redpieces.htm). Redpieces are redbooks in progress; not all redbooks
become redpieces, and sometimes just a few chapters will be published this way. The intent is to get the
information out much quicker than the formal publishing process allows.
306 Protect and Survive Using IBM Firewall 3.1 for AIX
IBM Redbook Order Form
Please send me the following:
Company
Address
We accept American Express, Diners, Eurocard, Master Card, and Visa. Payment by credit card not
available in all countries. Signature mandatory for credit card payment.
A E
AH 137, 147 Encapsulating Security Payload (ESP) 137
AIX Encrypted Session Manager (ESM) 134
fixes 38 ESM 134
IPSec client 137 ESP 137, 146
operating system 37
skulker 39
alerts 254 F
Archie 124 Finger 128
ARP 210 firewall administrator 44
Authentication Header (AH) 137 fragmentation indicator 24
AutoSOCKS 286, 288 FTP 86
Axent PORT command 206
Defender 286 FTP proxy 15, 171, 178
SecureNet 286 fwidleout 187
fwlogtxt 259
fwuser 50
B
bastion 6
bibliography 303 G
broadcast 80 Gopher 113
C H
caching capability 17 HACMP 9, 287
CERT Advisory CA-95:18 81 hardening 41
command line 50 High Availability Cluster Multi-Processing (HACMP) 9
configuration replication 50 HTTP proxy 15, 110, 181
connections 61 HyperText Transfer Protocol (HTTP) 107
D I
DB/2 259 IANA 205
DB2/6000 259 address translation 205
Defender 286 NAT
demilitarized zone (DMZ) 8 IBM Firewall 3.1 21
denial of service attack 24 hardening 41
DES 134 installation 37
destination address 24 requirements for 37
destination unreachable 26 tier pricing 21
Dial-Up networking 168 IbmIsdn 164, 168
DMZ 8, 217, 219, 225 ICMP 24, 75, 119, 130, 206
DNS 97, 215, 235 IDEA 134
configurations 217 ident 116
forwarders 17, 216 idle proxy connections 185
MX record 219, 233 IKMP 138
server 17 installation of IBM Firewall 3.1 37
Domain Name Service 215 Interactive Network Dispatcher 10, 287
Domino 114 Internet Assigned Numbers Authority (IANA) 205
dual homed firewall 81 Internet Key Management Protocol (IKMP) 138
dynamic tunnel 137 Internet Security Association and Key Management
Protocol (ISAKMP) 138
IP address spoofing 13, 73
M
MAC 139 S
Maximum Transmission Unit (MTU) 210 S-HTTP 112
message authentication code (MAC) 139 S/KEY 133, 174, 285
Microsoft ISDN Accelerator Pack 1.1 160 S/WAN 138
MIME 107 SafeMail 19, 231
MIMESweeper 285 SATAN 129, 243, 248
MTU 210 screening filter 6
Multi-Purpose Internet Mail Extensions (MIME) 107 secure domain name 231
multicast packets 80 Secure Electronic Transactions (SET) 2
secure IP tunnel 20, 137
Secure Shell (SSH) 134
N Secure Sockets Layer (SSL) 2
NAT 198, 205 Secure Telnet (STEL) 134
address mappings 209 SecureID 133, 174, 285
addresses to be excluded 209 SecureNet 133, 174, 286
reserved address range 208 Security Parameters Index (SPI) 138
timeout 211 sendmail 233
Netscape Navigator 41 services 55, 71
Network Address Translation 198, 205 session key lifetime 142
Network Dispatcher 10, 287 SET 2
Network Domain Name Server 216 Simple Mail Transfer Protocol (SMTP) 93
Network News Transfer Protocol 101 Simple Network Management Protocol (SNMP) 122
Network Security Auditor 243 SMTP 93, 231
NNTP 101 commands 232
nslookup 224, 229 headers 233
SNMP 123
SOCKS 190
O server 6, 16, 77, 194
OAKLEY Key Determination protocol 138 templates 192
objects 53 socksified client 110, 195
overlapping fragment attack 24 source address 23
SPI 141
P SSH 134
SSL 2, 112, 163
password 47, 161, 174
key 43
310 Protect and Survive Using IBM Firewall 3.1 for AIX
Stalker 261, 286
STEL 134
strobe 243, 247
Structured Query Language (SQL) 259
Syslog 78, 117, 253
system resource controller 79
T
target SPI 141
TCP header 33
tcp_relay 103
Telemate.net 286
Telnet 81
proxy 15
proxy session 178
traceroute 32, 118
transparent proxy 171, 176
Triple DES 134
TTL 118
tunnel ID 143
tunnel type 141
U
UDP 118
header 35
UltiMail/2 234
Users 45
V
virtual private network (VPN) 137
VPN 137
W
WAIS 126
Web browsers 107
Wide Area Information Servers 126
Windows 95 IPSec Client 160
World Wide Web (WWW) 107
X
X-Windows 39
Index 311
312 Protect and Survive Using IBM Firewall 3.1 for AIX
ITSO Redbook Evaluation
Protect and Survive Using IBM Firewall 3.1 for AIX
SG24-2577-02
Your feedback is very important to help us maintain the quality of ITSO redbooks. Please complete this
questionnaire and return it using one of the following methods:
Use the online evaluation form found at http://www.redbooks.ibm.com
Fax this form to: USA International Access Code + 1 914 432 8264
Send your comments in an Internet note to [email protected]
Please rate your overall satisfaction with this book using the scale:
(1 = very good, 2 = good, 3 = average, 4 = poor, 5 = very poor)
Was this redbook published in time for your needs? Yes____ No____
If no, please explain:
_____________________________________________________________________________________________________
_____________________________________________________________________________________________________
_____________________________________________________________________________________________________
_____________________________________________________________________________________________________
_____________________________________________________________________________________________________
_____________________________________________________________________________________________________
_____________________________________________________________________________________________________
_____________________________________________________________________________________________________
_____________________________________________________________________________________________________
_____________________________________________________________________________________________________