Getting Started on the IBM Firewall
The task of the IBM Firewall is network security. It serves as a blockade
between a secure, internal private network
and another (nonsecure) network or the Internet. The purpose of a Firewall is
to prevent unwanted or unauthorized communication into or out of the secure
network. The Firewall has two jobs:
- The Firewall lets users in your own network use authorized resources from
the outside network without compromising your network's data and other
resources.
- The Firewall keeps unauthorized users outside of your network.
The IBM Firewall is like a tool box you use to implement the functions
of different firewall architectures.
Once you choose your architecture and your security strategy, you select the
necessary IBM Firewall tools. You configure these tools with the
IBM Firewall Configuration Client.
Basic Configuration Steps
This section describes the general sequence of configuration steps
for a basic IBM Firewall setup.
- Plan for your IBM Firewall setup. Decide in advance, as far as you can,
which functions of the Firewall you want to use and how you want to use
them. The following sections in the User's Guide
are particularly helpful for this:
- Tell the Firewall which of its interfaces are connected to
secure networks. The Firewall needs both a secure interface and a
non-secure interface to work properly.
From the navigation tree, open the System
Administration folder and click on "Interfaces". You should see a listing
of the network interfaces on your Firewall. To change the
security status of an interface, select an interface and click "Change".
For further information on Firewall interfaces, see:
- Set up your general security policy.
An easy way to do this is to open the Security Policy dialog,
available inside the System Administration folder.
For typical Firewall configurations, it is recommended
(at a minimum) that you enable the following policies:
  - Permit DNS queries
  - Deny broadcast message to non-secure interface
  - Deny Socks to non-secure adapters
See the following section
for more information on the Security Policy function:
- Set up your domain name service and mail service. These functions
can be accessed from inside the System Administration folder in the navigation
tree. Before doing this, however, it would be a good idea to read over
the following section in the User's Guide:
- Define key elements of your network(s) to the Firewall. This is
accomplished via the Network Objects function in the navigation tree.
Network objects are especially important for
controlling traffic through the Firewall. Key elements that
should be defined as network objects include:
  - Secure Interface of the Firewall
  - NonSecure Interface of the Firewall
  - Secure Network
For further information on network objects, see:
- Enable services on the Firewall.
These are the methods by which users in the secure network can
access the non-secure network (such as Socks or proxy).
Which services you implement depends
on decisions you made at the planning stage. Remember that
implementing a service often requires setting up
connection configurations to allow certain types of traffic. For example,
if you want to allow your secure users to browse the web on the Internet via
HTTP Proxy, you need to configure the HTTP Proxy daemon on the Firewall
and also set up connections to allow HTTP traffic. A good
discussion of how to set up connections that support certain services
can be found in the following chapter:
- Set up Firewall users. If you are going to allow
users to use services such as Proxy Telnet
or Proxy FTP, you need to define these users to the Firewall. See the
following chapter for more information:
Following these steps should help you get a basic Firewall
configuration up and running. The IBM Firewall provides other functions,
such as system logs, to help you ensure the security of your network.
See the User's Guide for more information.