IBM Firewall for AS/400 minicomputers
This article reviews the IBM Firewall for AS/400 minicomputers: its features, pricing and other details.
IBM has been developing its firewall technology for more than 15 years, and IBM Firewall is built on that technology. IBM Firewalls are available for AIX/6000 on RS/6000 systems, for Windows NT on Intel systems and for OS/390 on 390-series mainframes. The latest version is available for OS/400 on AS/400 minicomputers. The firewall has not been ported to OS/2, IBM's own PC operating system. Applications running on the AS/400 itself cannot be reached even if the firewall is compromised, because the AS/400 firewall runs on the Integrated PC Server embedded in the AS/400 and is a separate system from the host. Once installed, the firewall cannot be modified, as it runs from a read-only hard disk drive.
The firewall supports almost all major technologies, but the integration is poor: it relies on multiple third-party utilities for security functions such as scan detection and alerting. The effort put into developing security proxies for TCP/IP protocols is commendable.
Minimum system requirements
Stateless packet filter
The stateless packet filter in the firewall is very simple and offers nothing beyond Windows NT's built-in packet filtering. It uses the TCP ACK bit to deny inbound connection attempts: a segment without ACK set is a new connection request, while a segment carrying ACK is assumed to belong to a connection already opened from the inside. Services can be blocked on the basis of their TCP port numbers. The filter is suitable primarily for protecting the system from denial-of-service attacks.
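To make the ACK-bit rule concrete, the following is an added example (not code from the article or from IBM) that implements the stateless check described above alongside a minimal stateful version, so the difference is visible on constructed packets. The `Packet` model, the `INBOUND_ALLOWED_PORTS` policy and all addresses are assumptions for illustration.

```python
from dataclasses import dataclass


# Constructed packet model: only the header fields a packet filter looks at.
@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (from the Internet) or "out" (from the protected network)
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    syn: bool
    ack: bool


# Hypothetical policy: only HTTP and SMTP may be opened from outside.
INBOUND_ALLOWED_PORTS = {80, 25}


def stateless_decision(pkt: Packet) -> str:
    """ACK-bit rule in the style the article describes.

    SYN without ACK is a new connection attempt, so inbound attempts are
    allowed only to explicitly permitted ports.  Any inbound segment that
    carries ACK is assumed to be reply traffic for a connection an inside
    host started; nothing verifies that assumption.
    """
    if pkt.direction == "out":
        return "allow"
    if pkt.ack:
        return "allow"          # assumed reply traffic
    if pkt.syn and pkt.dst_port in INBOUND_ALLOWED_PORTS:
        return "allow"
    return "deny"


class StatefulFilter:
    """Same policy, but inbound ACK segments must match a recorded outbound connection."""

    def __init__(self) -> None:
        # (inside_ip, inside_port, outside_ip, outside_port) of connections opened from inside
        self.table: set = set()

    def decide(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            if pkt.syn and not pkt.ack:
                self.table.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return "allow"
        if pkt.ack:
            key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
            return "allow" if key in self.table else "deny"
        if pkt.syn and pkt.dst_port in INBOUND_ALLOWED_PORTS:
            return "allow"
        return "deny"


def evaluate_sample() -> dict:
    """Run both filters over constructed traffic; returns {name: (stateless, stateful)}."""
    inside, outside, stranger = "10.0.0.5", "203.0.113.10", "198.51.100.7"
    packets = [
        ("inbound telnet attempt", Packet("in", stranger, inside, 40123, 23, syn=True, ack=False)),
        ("inbound HTTP attempt", Packet("in", stranger, inside, 40124, 80, syn=True, ack=False)),
        ("outbound web request", Packet("out", inside, outside, 40000, 80, syn=True, ack=False)),
        ("reply to web request", Packet("in", outside, inside, 80, 40000, syn=True, ack=True)),
        ("unsolicited ACK to telnet", Packet("in", stranger, inside, 40125, 23, syn=False, ack=True)),
    ]
    stateful = StatefulFilter()
    # Evaluated in order, so the outbound request is recorded before its reply arrives.
    return {name: (stateless_decision(p), stateful.decide(p)) for name, p in packets}


if __name__ == "__main__":
    for name, (sl, sf) in evaluate_sample().items():
        print(f"{name:28s} stateless={sl:5s} stateful={sf}")
```

The last sample packet is the point of the comparison: the stateless rule passes any inbound segment with ACK set, because it has no connection table to check it against, whereas the stateful filter drops it. That is why a filter of this kind is best regarded as protection against connection-flooding rather than as a complete access control.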
The AS/400 firewall provides proxies for HTTP and SMTP. It is not configured to forward IP packets, yet packet forwarding is necessary for real-time streaming of multimedia protocols such as H.323 and RealAudio. The firewall does allow outbound connections through its SOCKS proxy, a circuit-level gateway that runs above TCP at the application layer, so every TCP service must be SOCKS-compatible to work through the firewall. Because client software that is not SOCKS-compatible simply cannot connect, this restriction limits many other features of the AS/400 firewall.
Network Address Translation (NAT)
NAT is provided through the SOCKS mechanism described above: packets leave carrying only the firewall's legal IP address. If any tampering is detected, the AS/400 processor can disable the firewall.
Deny all services policy
The firewall uses an implicit 'deny all services' policy: every service that is to be available must be explicitly enabled. Unwanted services are therefore easy to spot and disable.
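The three sections above (SOCKS as the only outbound path, NAT behind the firewall's legal address, and the deny-all-unless-enabled policy) come together at the SOCKS proxy. The following added example (not code from the article or from IBM) walks through a SOCKS5 CONNECT exchange in the RFC 1928 message format, with both the client's and the firewall's messages built and parsed in memory. The `ENABLED_SERVICES` table, the `PUBLIC_ADDR` value and the hostnames are assumptions for illustration.

```python
import ipaddress
import struct

SOCKS_VERSION = 5
NO_AUTH = 0x00
NO_ACCEPTABLE = 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4 = 0x01
ATYP_DOMAIN = 0x03
REP_SUCCESS = 0x00
REP_NOT_ALLOWED = 0x02   # "connection not allowed by ruleset" (RFC 1928)

# Hypothetical firewall-side configuration (assumed values, not IBM's defaults).
PUBLIC_ADDR = "203.0.113.1"                 # the firewall's legal address; all the outside sees
ENABLED_SERVICES = {80: "HTTP", 25: "SMTP"}  # explicitly enabled; everything else implicitly denied


def client_greeting() -> bytes:
    """Client -> proxy: version 5, one offered auth method, 'no authentication'."""
    return struct.pack("!BBB", SOCKS_VERSION, 1, NO_AUTH)


def server_select_method(greeting: bytes) -> bytes:
    """Proxy -> client: chosen method, or 0xFF if none of the offered ones is acceptable."""
    ver, nmethods = greeting[0], greeting[1]
    methods = greeting[2:2 + nmethods]
    if ver != SOCKS_VERSION or NO_AUTH not in methods:
        return struct.pack("!BB", SOCKS_VERSION, NO_ACCEPTABLE)
    return struct.pack("!BB", SOCKS_VERSION, NO_AUTH)


def client_connect_request(host: str, port: int) -> bytes:
    """Client -> proxy: VER CMD RSV ATYP DST.ADDR DST.PORT (IPv4 literal or domain name)."""
    try:
        addr_part = struct.pack("!B", ATYP_IPV4) + ipaddress.IPv4Address(host).packed
    except ipaddress.AddressValueError:
        name = host.encode("idna")
        addr_part = struct.pack("!BB", ATYP_DOMAIN, len(name)) + name
    return struct.pack("!BBB", SOCKS_VERSION, CMD_CONNECT, 0) + addr_part + struct.pack("!H", port)


def parse_connect_request(req: bytes):
    ver, cmd, _rsv, atyp = struct.unpack("!BBBB", req[:4])
    if ver != SOCKS_VERSION or cmd != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT request")
    if atyp == ATYP_IPV4:
        host, rest = str(ipaddress.IPv4Address(req[4:8])), req[8:]
    elif atyp == ATYP_DOMAIN:
        n = req[4]
        host, rest = req[5:5 + n].decode("idna"), req[5 + n:]
    else:
        raise ValueError("unsupported address type")
    (port,) = struct.unpack("!H", rest[:2])
    return host, port


def server_handle_connect(req: bytes) -> bytes:
    """Proxy -> client: apply the default-deny service table, then answer.

    On success the bound address reported back is the firewall's public
    address, which is the NAT effect the article describes: the remote
    host only ever talks to the firewall's legal IP.
    """
    _host, port = parse_connect_request(req)
    if port in ENABLED_SERVICES:
        rep, bnd, bnd_port = REP_SUCCESS, PUBLIC_ADDR, port
    else:
        rep, bnd, bnd_port = REP_NOT_ALLOWED, "0.0.0.0", 0
    return (struct.pack("!BBBB", SOCKS_VERSION, rep, 0, ATYP_IPV4)
            + ipaddress.IPv4Address(bnd).packed + struct.pack("!H", bnd_port))


def parse_reply(reply: bytes):
    _ver, rep, _rsv, _atyp = struct.unpack("!BBBB", reply[:4])
    bnd = str(ipaddress.IPv4Address(reply[4:8]))
    (port,) = struct.unpack("!H", reply[8:10])
    return rep, bnd, port


def socks_exchange(host: str, port: int):
    """Run the whole exchange in memory; returns (allowed, reply_code, bound_addr)."""
    selection = server_select_method(client_greeting())
    if selection[1] != NO_AUTH:
        return False, NO_ACCEPTABLE, None
    rep, bnd, _ = parse_reply(server_handle_connect(client_connect_request(host, port)))
    return rep == REP_SUCCESS, rep, bnd


if __name__ == "__main__":
    print(socks_exchange("www.example.com", 80))    # enabled service
    print(socks_exchange("198.51.100.20", 23))      # not in the table: denied by ruleset
```

A client that does not speak this handshake never gets past the greeting, which is the practical meaning of "every TCP service must be SOCKS-compatible"; and because the service table is consulted on every CONNECT, a port that nobody has explicitly enabled is refused with reply code 0x02 rather than silently forwarded.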
Installation & interface
The IBM Firewall for AS/400 is installed like a normal AS/400 application, so AS/400 operators find it easy to work with. The interface runs in a web browser and can be accessed remotely by the administrator from anywhere. The HTML-based administration tool is simple, but there is little policy abstraction, so a strong knowledge of TCP/IP is necessary to operate the system. In the configuration option the administrator can select or deselect WAIS, IRC, RealAudio, Lotus Notes, LDAP, Secure LDAP, Server Mapper (CA/400), DRDA, POP3 Mail, NNTP and Secure NNTP. If you select any NAT service, you are asked to specify the translation of private to public IP addresses, and you have the option to mask the IP addresses of the private and public NATs.
Pricing & support
The AIX version of the firewall costs $2499 for 25 users, $4499 for 50 users, $9499 for 250 users and $16500 for an unlimited number of users. Pricing for the OS/400 version is not provided online. For support, users can use IBM's direct consulting services, and IBM consulting resellers can also help. The documentation provided with the package is task-oriented and easy to understand but lacks real implementation detail.
The best thing about the IBM Firewall for AS/400 is that it supports most of the major technologies. It runs on a separate embedded PC processor and proprietary IBM platforms, performs OS hardening and has effective security features in place, but it is very expensive. Moreover, it is poorly integrated and lacks true content filters, strong security proxies and DMZ support. Using a non-integrated firewall will help users achieve greater security at lower cost.