iSeries™ packet rules is an integrated feature of i5/OS™ available from the iSeries Navigator interface.
The packet rules feature allows you to configure two core network security technologies to control the flow of TCP/IP traffic to protect your iSeries system:
- Network address translation (NAT)
- IP packet filtering
Because NAT and IP filtering are integrated parts of your i5/OS, they provide
an economical way for you to secure your system. In some cases, these security
technologies may provide everything you need without any additional purchases.
These technologies, however, do not create a true, functional firewall. You
can use IP packet security alone, or in conjunction with a firewall, depending
on your security needs and objectives.
Note: You should not attempt to take advantage of the cost savings if you are planning to secure an iSeries production
system. For situations such as this, the security of your system should take
precedence over cost. To ensure that you provide maximum protection for your
production system, you should consider using a firewall.
What are NAT and IP packet filtering and how do they work together?
Network address translation (NAT) changes the source or the destination
IP addresses of packets that flow through the system. NAT provides a more
transparent alternative to the proxy and SOCKS servers of a firewall.
NAT can also simplify network configuration by enabling networks with incompatible
addressing structures to connect to each other. Consequently, you can use
NAT rules so that an iSeries system can function as a gateway between
two networks that have conflicting or incompatible addressing schemes. You
can also use NAT to hide the real IP addresses of one network by dynamically
substituting one or more addresses for the real ones. Because IP packet filtering
and NAT complement each other, you will often use them together to enhance network security.
Using NAT can also make it easier to operate a public web server behind a firewall. Public IP addresses
for the web server translate to private internal IP addresses. This reduces
the number of registered IP addresses that are required and minimizes impacts
to the existing network. It also provides a mechanism for internal users to
access the Internet while hiding the private internal IP addresses.
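The two NAT uses just described, a public address that translates to a private web server and a hidden internal network that shares one public address, are modelled below in a small Python example. This is added illustration, not i5/OS code or the packet rules file syntax; the addresses, the port range starting at 40000 and the `Nat` class are constructed assumptions.

```python
"""Toy model of static NAT (public server address -> private address) and
hide NAT (many private hosts behind one public address). Constructed
example for illustration; not the i5/OS packet rules implementation."""
from dataclasses import dataclass, replace
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str            # source IP address
    dst: str            # destination IP address
    proto: str          # "tcp", "udp" or "icmp"
    sport: int = 0      # source port (0 for protocols without ports)
    dport: int = 0      # destination port


class Nat:
    def __init__(self, public_ip, static_map, private_net, port_base=40000):
        # Address the internal network is hidden behind (assumed value).
        self.public_ip = public_ip
        # Static rules: one registered public address per internal server.
        self.static_in = dict(static_map)                      # public -> private
        self.static_out = {v: k for k, v in static_map.items()}  # private -> public
        self.private_net = ipaddress.ip_network(private_net)
        self.next_port = port_base                             # assumed port range
        self.hide_out = {}   # (private ip, private port) -> public port
        self.hide_in = {}    # public port -> (private ip, private port)

    def outbound(self, pkt):
        """Translate a packet leaving the internal network."""
        # Reply from a statically mapped server: restore its public address.
        if pkt.src in self.static_out:
            return replace(pkt, src=self.static_out[pkt.src])
        # Internal client: substitute the shared public address and a
        # public port that lets the reply be mapped back.
        if ipaddress.ip_address(pkt.src) in self.private_net:
            key = (pkt.src, pkt.sport)
            if key not in self.hide_out:
                self.hide_out[key] = self.next_port
                self.hide_in[self.next_port] = key
                self.next_port += 1
            return replace(pkt, src=self.public_ip, sport=self.hide_out[key])
        return pkt  # not from the private network: pass through untouched

    def inbound(self, pkt):
        """Translate a packet arriving from outside; None means no mapping."""
        if pkt.dst in self.static_in:
            return replace(pkt, dst=self.static_in[pkt.dst])
        if pkt.dst == self.public_ip and pkt.dport in self.hide_in:
            priv_ip, priv_port = self.hide_in[pkt.dport]
            return replace(pkt, dst=priv_ip, dport=priv_port)
        # Unsolicited traffic to the hidden network has no entry, so the
        # real internal addresses are never reachable from outside.
        return None


def demo():
    """Run the constructed scenario and return the translated packets."""
    nat = Nat("203.0.113.1", {"203.0.113.10": "192.168.1.10"}, "192.168.1.0/24")
    web_in = nat.inbound(Packet("198.51.100.7", "203.0.113.10", "tcp", 33000, 80))
    web_out = nat.outbound(Packet("192.168.1.10", "198.51.100.7", "tcp", 80, 33000))
    client_out = nat.outbound(Packet("192.168.1.50", "198.51.100.5", "tcp", 51000, 443))
    client_reply = nat.inbound(Packet("198.51.100.5", "203.0.113.1", "tcp", 443, 40000))
    unsolicited = nat.inbound(Packet("198.51.100.9", "203.0.113.1", "tcp", 4444, 22))
    return web_in, web_out, client_out, client_reply, unsolicited


if __name__ == "__main__":
    for p in demo():
        print(p)
```

The static map needs one registered address per exposed server, while the hide map lets any number of internal clients share a single registered address, which is the saving in registered addresses the text refers to.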
IP packet filtering provides the ability to selectively
block or protect IP traffic based on information in the packet headers. You
can use the Internet Setup Wizard in iSeries Navigator to quickly and easily
configure basic filtering rules to block unwanted network traffic.
You can use IP packet filtering to do the following:
- Create a set of filter rules to specify which IP packets to permit into
your network and which to deny access into your network. When you create filter
rules, you apply them to a physical interface (for example, a Token ring or
Ethernet line). You can apply the rules to multiple physical interfaces, or
you can apply different rules to each interface.
- Create rules to either permit or deny specific packets that are based
on the following header information:
- Destination IP address
- Source IP address
- Protocol (for example, TCP, UDP, and so forth)
- Destination port (for example, port 80 for HTTP)
- Source port
- IP datagram direction (inbound or outbound)
- Forwarded or Local
- Prevent undesirable or unnecessary traffic from reaching applications
on the system. Also, you can prevent traffic from forwarding to other systems.
This includes low-level ICMP packets (for example, PING packets) for which
no specific application server is required.
- Specify whether a filter rule creates a log entry in a system journal with information about
packets that match the rule. Once the information is written
to a system journal, you cannot change the log entry. Consequently, the log
is an ideal tool for auditing network activity.
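The filtering behaviour listed above, matching packets against rules on interface, direction, addresses, protocol, ports and the forwarded/local distinction, with an append-only journal for rules that ask for logging, is illustrated by the following Python model. It is an added example, not i5/OS code and not the packet rules file syntax; the rule fields, the first-match-wins order, the default deny when no rule matches, and the sample addresses are all constructed assumptions.

```python
"""Toy packet filter: first matching rule decides, no match means deny.
Constructed illustration of the header fields the text lists; not the
i5/OS implementation or its rule file format."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    interface: str      # physical line the packet uses (assumed names)
    direction: str      # "inbound" or "outbound"
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    forwarded: bool = False   # True if destined for another system


@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    interface: str = "*"            # "*" matches any value
    direction: str = "*"
    src: str = "*"                  # CIDR prefix or "*"
    dst: str = "*"
    proto: str = "*"
    sport: Optional[int] = None     # None matches any port
    dport: Optional[int] = None
    forwarded: Optional[bool] = None
    journal: bool = False           # write a journal entry on match

    def matches(self, p: Packet) -> bool:
        for want, have in ((self.interface, p.interface),
                           (self.direction, p.direction),
                           (self.proto, p.proto)):
            if want != "*" and want != have:
                return False
        for want, have in ((self.src, p.src), (self.dst, p.dst)):
            if want != "*" and ip_address(have) not in ip_network(want):
                return False
        for want, have in ((self.sport, p.sport), (self.dport, p.dport),
                           (self.forwarded, p.forwarded)):
            if want is not None and want != have:
                return False
        return True


class PacketFilter:
    def __init__(self, rules):
        self.rules = list(rules)
        self.journal = []   # append-only record standing in for the system journal

    def evaluate(self, p: Packet):
        """Return (action, index of deciding rule or None for default deny)."""
        for i, rule in enumerate(self.rules):
            if rule.matches(p):
                if rule.journal:
                    self.journal.append((rule.action, i, p))
                return rule.action, i
        return "deny", None   # assumed default once filters are active


def build_filter():
    """Constructed rule set for a web server exposed on one Ethernet line."""
    return PacketFilter([
        Rule("permit", interface="ETHLINE", direction="inbound", proto="tcp",
             dst="203.0.113.10/32", dport=80),
        Rule("deny", direction="inbound", proto="icmp", journal=True),
        Rule("deny", forwarded=True, journal=True),
        Rule("permit", direction="outbound"),
    ])


def demo():
    """Evaluate a few constructed packets and return the decisions."""
    f = build_filter()
    packets = [
        Packet("ETHLINE", "inbound", "198.51.100.7", "203.0.113.10", "tcp", 33000, 80),
        Packet("ETHLINE", "inbound", "198.51.100.7", "203.0.113.10", "icmp"),
        Packet("ETHLINE", "inbound", "198.51.100.7", "203.0.113.10", "tcp", 33001, 23),
        Packet("ETHLINE", "inbound", "198.51.100.7", "192.168.1.20", "tcp", 33002, 445,
               forwarded=True),
        Packet("ETHLINE", "outbound", "203.0.113.10", "198.51.100.7", "tcp", 80, 33000),
    ]
    decisions = [f.evaluate(p) for p in packets]
    return decisions, f.journal


if __name__ == "__main__":
    decisions, journal = demo()
    for d in decisions:
        print(d)
    print(len(journal), "journal entries")
```

Only rules that set `journal` produce entries, so the rule set decides what the audit trail records; the telnet attempt in the sample falls through to the default deny and leaves no entry, which is the kind of gap a practitioner checks for when deciding which deny rules should log.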