Damn, damn, damn.
Sent this back to Ilker privately, when I meant to post to the list so
that any errors on my part could be corrected, flamed, recorrected and
archived by the denizens of the list.
Apologies for the formatting, it's a cut'n'paste thing.
Cheers,
- Drew.
ilker kavas wrote:
>
> Hi all,
Hi, Ilker!
> Can someone give me an address or some answers about IBM Firewall.
> Anyone see its advantages or/and disadvantages?
> Where can I find tricks or experiences about IBM fw in enterprise networks?
> PS: I have already visited IBM.
Ok - I did a small firewall using IBM Firewall 3.1 a while back. If
it's your first firewall, I'd suggest you look elsewhere; this thing is
a real pain to configure!
IBM Firewall works on a layer above the rules, creating rules, objects,
services, and policies (if I've got my naming correct). Rules are the
actual, down-to-the-packet rules - a rule would be "Allow INBOUND TCP
packets from <subnet> to <subnet> to ARRIVE at en0". In order to allow
telnet access out of your firewall, you'd need four rules, making a
service.
Primarily, you'd create objects - two of them. An object is any host
or group of hosts, to the most basic. We'd create an object called
"World" (actually, it's created for you by default, 0.0.0.0), and an
internal network object, "SecureNet", 192.168.0.0/255.255.255.0.
(assuming en0 is the insecure outside, and en1 is the trusted inside)
Allow OUTBOUND TCP packets from <internal subnet> to <external subnet>
to ARRIVE at en0
Allow OUTBOUND TCP packets from <internal subnet> to <external subnet>
to LEAVE at en1
Allow INBOUND TCP-ACK packets from <external subnet> to <internal> to
ARRIVE at en1
Allow INBOUND TCP-ACK packets from <external subnet> to <internal> to
LEAVE at en0
(ports left out for simplicity)
Going deeper, IBM has created several layers of obfuscation.
You now have to create a "service", which is basically a wrapper for
these four rules, allowing them to be used by the higher-level
controls. You'd call this service "Telnet Outbound from Secure" or
something, and some power will slowly become evident - we can define
which DIRECTION these rules apply to. Your rules are also reusable, so
once you've written TCP-ACK-incoming once, you shouldn't have to again.
Then, of course, you have to apply the service to something - I forget
what IBM calls it; a policy, perhaps? In this you'd state that the
service applies to "World" and "SecureNet". Activate this, and poof,
you can telnet out. Telnet/web/etc are a joke - FTP is a real
brain-drain in this system.
For a true enterprise-class firewall, this is really powerful - but for
something less than, say, 250 systems, it's really overkill. You REALLY
have to know TCP/IP; it's not in the slightest bit forgiving and/or
helpful.
Of course, this is also Firewall 3.1 under AIX - it's possibly much
easier now.
For reading material, check out the IBM "Redbooks" selection - there's
one called "Here there be Dragons" or something similar, that'll walk
you through a lot of it. NOTE!!: Do NOT completely depend on the
redbook - ALSO get the MANUAL, or you'll really have problems!
This was only my third or fourth firewall, but it was by far and away
the biggest learning experience for me - I don't regret it, but I
wouldn't want to do it again. I seriously hope all my facts are
straight, it's been about six months since I've seen it.
Good luck with it,
Cheers,
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
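A small Python model of the layering Drew describes (objects, the four telnet rules, a service wrapping them, a policy binding them to "World" and "SecureNet"), added here as an illustration; it is neither code from the post nor anything from IBM. It keeps the post's assumption that en0 is the outside and en1 the inside (so an outbound packet arrives on en1 and leaves on en0), uses constructed addresses, and shows why the inbound rules say TCP-ACK: a reply ACK gets through, a fresh inbound SYN does not.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Simplified, hypothetical model of the object/rule/service/policy layering
# in the post above. It is not IBM's code or configuration syntax.
INSIDE, OUTSIDE = "en1", "en0"  # post's assumption: en0 outside, en1 inside
OBJECTS = {"World": ip_network("0.0.0.0/0"),          # created by default
           "SecureNet": ip_network("192.168.0.0/24")}  # the internal network

@dataclass(frozen=True)
class Rule:
    direction: str  # "OUTBOUND" (inside to outside) or "INBOUND"
    proto: str      # "TCP" (any flags) or "TCP-ACK" (ACK bit must be set)
    src: str        # placeholder object names, bound by the policy below
    dst: str
    stage: str      # "ARRIVE" or "LEAVE"
    iface: str      # interface the packet arrives on / leaves from

# A service wraps the four rules from the post so they can be reused.
SERVICES = {"Telnet Outbound from Secure": [
    Rule("OUTBOUND", "TCP", "internal", "external", "ARRIVE", INSIDE),
    Rule("OUTBOUND", "TCP", "internal", "external", "LEAVE", OUTSIDE),
    Rule("INBOUND", "TCP-ACK", "external", "internal", "ARRIVE", OUTSIDE),
    Rule("INBOUND", "TCP-ACK", "external", "internal", "LEAVE", INSIDE),
]}

# A policy applies a service to concrete objects (ports omitted, as in the post).
POLICY = [("Telnet Outbound from Secure",
           {"internal": "SecureNet", "external": "World"})]

def rule_matches(rule, binding, pkt):
    return (rule.direction == pkt["direction"] and rule.stage == pkt["stage"]
            and rule.iface == pkt["iface"]
            and ip_address(pkt["src"]) in OBJECTS[binding[rule.src]]
            and ip_address(pkt["dst"]) in OBJECTS[binding[rule.dst]]
            and (rule.proto == "TCP" or pkt["ack"]))

def stage_allowed(pkt):
    """Default deny: some policy-bound rule must match the packet at this stage."""
    return any(rule_matches(r, binding, pkt)
               for svc, binding in POLICY for r in SERVICES[svc])

def packet_allowed(src, dst, ack, arrived_on):
    """Run a packet through both stages: ARRIVE on one interface, LEAVE on the other."""
    direction = "OUTBOUND" if arrived_on == INSIDE else "INBOUND"
    leaves_on = OUTSIDE if arrived_on == INSIDE else INSIDE
    base = dict(direction=direction, src=src, dst=dst, ack=ack)
    return (stage_allowed({**base, "stage": "ARRIVE", "iface": arrived_on})
            and stage_allowed({**base, "stage": "LEAVE", "iface": leaves_on}))
```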