IP Packet Filtering: Your iSeries Gatekeeper

Each day brings new stories about denial of service attacks, stolen data, e-mail spam relayed through open gateways and so forth, any of which could substantially damage your company's business. Even with increasing awareness of such threats, many companies still believe that it won't happen to them.

In most IT environments, a single firewall is still considered the only protection needed against attacks launched from the Internet. The truth is that most attacks, whether unintentional or malicious, originate from the intranet. A perimeter firewall alone leaves your servers open to any kind of attack from the intranet, and to anyone who gets past an incorrectly configured firewall or bug-ridden firewall code.

Wouldn't it be nice to have a function that allows you to block unwanted IP data traffic right at the communications interface into your iSeries server? There is a service that offers a way of defining what type of IP traffic can enter or leave your server through one or more physical interfaces.

IP Packet Rules
In OS/400*, this service, called IP packet rules, allows you to establish a gatekeeper for your intranet traffic as well as a second line of defense for traffic to and from the Internet. IP packet rules were introduced with V4R3, and then greatly enhanced with V5R2. IP packet filtering is inserted at a low level in the IP protocol stack (the network layer) to examine the first few bytes of each packet, the packet header. Using the information from the IP packet header, the packet filter determines whether it should allow the packet through or discard it. Most packet filters let you filter on:

  • Source and destination IP address
  • Protocol (TCP, UDP, ICMP, etc.)
  • Source and destination ports
  • Whether the packet is inbound or outbound

With V5R2, you can filter on any LAN interface, virtual LAN (LPAR and Windows* integration) and Point-to-Point (PPP) or Layer 2 Tunneling Protocol (L2TP) interfaces. For PPP and L2TP interfaces, you can apply different sets of filters based on authenticated users. Successfully setting up IP packet rules requires a good understanding of IP networking. A typical implementation involves planning, configuration and activation.

Planning
Packet rules can permit or deny IP packets, or protect packets using a VPN. If using a VPN, set up the IPSec rule before the VPN tunnel is established. Once the tunnel is up, packets that match the IPSec rule are encrypted and flow through it. A more detailed explanation of VPN and IPSec is outside the scope of this article.

Once IP packet rules are activated for a specific interface, all traffic that isn't explicitly permitted to enter or leave the system through that interface is automatically denied by an implicit deny rule. In practice this means every service you need (including the management session you are using) must be covered by a permit rule before you activate the rules, or you will lock yourself out.
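The following is an added example, not code from the article or from OS/400, that shows what a header-only packet filter of the kind described above actually does: it decodes the IPv4 header (and the port fields of TCP/UDP) and matches on source/destination address, protocol, ports and direction, with first match winning and the implicit deny applying when nothing matches. The rule-builder functions, the policy for a hypothetical server at 10.1.1.10 and the sample packets are all constructed for this example and are not the OS/400 rule syntax. It also shows one caveat of stateless header filtering: a non-first fragment carries no transport header, so a port-based permit rule cannot match it and it falls through to the implicit deny.

```python
"""Minimal header-based IP packet filter, in the spirit of the OS/400 packet
rules the article describes: it inspects only the IPv4 header (plus TCP/UDP
ports), matches on address, protocol, port and direction, and denies anything
no rule explicitly permits. Added example; not the OS/400 implementation."""
import ipaddress
import struct

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def parse_ipv4(packet: bytes) -> dict:
    """Decode the fields a packet filter needs from the first bytes of an IPv4 packet."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _total_len, _ident, flags_frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4          # header length in bytes, options included
    frag_offset = flags_frag & 0x1FFF   # non-zero means this is not the first fragment
    info = {
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "proto": PROTO_NAMES.get(proto, str(proto)),
        "sport": None,
        "dport": None,
        "fragment": frag_offset != 0,
    }
    # Ports live in the transport header; a non-first fragment carries none,
    # which is why a stateless filter cannot apply port rules to it.
    if info["proto"] in ("TCP", "UDP") and not info["fragment"] and len(packet) >= ihl + 4:
        info["sport"], info["dport"] = struct.unpack("!HH", packet[ihl:ihl + 4])
    return info


def rule(action, direction, src="*", dst="*", proto="*", sport="*", dport="*"):
    """Build one filter rule; '*' is a wildcard, addresses are CIDR strings (hypothetical syntax)."""
    return {
        "action": action, "direction": direction,
        "src": None if src == "*" else ipaddress.ip_network(src),
        "dst": None if dst == "*" else ipaddress.ip_network(dst),
        "proto": proto, "sport": sport, "dport": dport,
    }


def _matches(r, info, direction):
    if r["direction"] not in ("*", direction):
        return False
    if r["src"] is not None and info["src"] not in r["src"]:
        return False
    if r["dst"] is not None and info["dst"] not in r["dst"]:
        return False
    if r["proto"] != "*" and r["proto"] != info["proto"]:
        return False
    for key in ("sport", "dport"):
        if r[key] != "*" and info[key] != r[key]:
            return False
    return True


def filter_packet(rules, packet, direction):
    """First matching rule wins; no match means the implicit deny applies."""
    info = parse_ipv4(packet)
    for r in rules:
        if _matches(r, info, direction):
            return r["action"]
    return "DENY"   # implicit deny: nothing explicitly permitted gets through


def build_packet(src, dst, proto, sport=0, dport=0, frag_offset=0):
    """Constructed sample packet (IPv4 header plus the first 4 transport bytes)."""
    proto_num = {"ICMP": 1, "TCP": 6, "UDP": 17}[proto]
    payload = struct.pack("!HH", sport, dport) if proto in ("TCP", "UDP") else b"\x08\x00\x00\x00"
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, frag_offset & 0x1FFF,
                         64, proto_num, 0,
                         ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return header + payload


# Assumed policy for a server at 10.1.1.10: web from anywhere, Telnet only from the
# management subnet, an explicit deny for other Telnet, outbound from the server
# allowed; everything else (including ICMP) is caught by the implicit deny.
SERVER_RULES = [
    rule("PERMIT", "INBOUND", dst="10.1.1.10/32", proto="TCP", dport=80),
    rule("PERMIT", "INBOUND", src="10.1.5.0/24", dst="10.1.1.10/32", proto="TCP", dport=23),
    rule("DENY", "INBOUND", proto="TCP", dport=23),
    rule("PERMIT", "OUTBOUND", src="10.1.1.10/32"),
]


def demo():
    """Run constructed packets through the policy; returns the verdict per case."""
    cases = {
        "web_from_internet": (build_packet("203.0.113.7", "10.1.1.10", "TCP", 40000, 80), "INBOUND"),
        "telnet_from_mgmt": (build_packet("10.1.5.20", "10.1.1.10", "TCP", 40001, 23), "INBOUND"),
        "telnet_from_lan": (build_packet("10.1.7.20", "10.1.1.10", "TCP", 40002, 23), "INBOUND"),
        "ping": (build_packet("10.1.7.20", "10.1.1.10", "ICMP"), "INBOUND"),
        "reply_out": (build_packet("10.1.1.10", "203.0.113.7", "TCP", 80, 40000), "OUTBOUND"),
        "web_fragment": (build_packet("203.0.113.7", "10.1.1.10", "TCP", 40000, 80, frag_offset=185), "INBOUND"),
    }
    return {name: filter_packet(SERVER_RULES, pkt, d) for name, (pkt, d) in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18} -> {verdict}")
```

The explicit Telnet deny in the policy is redundant with the implicit deny for blocking purposes; it is there because an explicit deny is what you would journal or alert on, whereas traffic dropped by the implicit deny is indistinguishable from any other unmatched packet. The `web_fragment` case is the one to study: it is part of a permitted connection, yet without a fragment-handling rule it is dropped, which is the trade-off a header-only filter makes.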

Page 1 of 4

Thomas Barlen is an IBM Certified Consulting IT Specialist for System i hardware. Thomas can be reached at barlen@de.ibm.com.
