• Subject: RE: IP Forwarding and Filtering
  • From: "Christopher A. Libby" <clibby@xxxxxxxxxxxxxxxxxxxxxx>
  • Date: Wed, 18 Jul 2001 08:29:45 -0400
  • Importance: Normal

Well, Evan, IMHO your AS/400 is better suited to being an AS/400 than a
router.  Honestly I am not sure what kind of threshold you would have to hit
before the CPU would start maxing out.  However, I do know there will be
more drain on your processor, decreased bandwidth, and other problems that a
separate firewall could overcome quite easily.

Let me explain our setup -

We have a dedicated internet connection via wireless to our ISP.  This
connection comes into the WAN port of our firewall.  Our 1 internet server
lives in the DMZ of the firewall, protected from transport layer attacks but
otherwise open to the free world.  The LAN is connected to the LAN port of
the firewall - invisible from the outside, but the LAN has any access to the
Internet granted by the administrators.  Also, our firewall has built-in
IPSec VPN software - allowing me remote access to the LAN from home or the
road.

When we investigated our best option for building security for our new
internet connection, we investigated a lot of solutions.  When it came to
the AS/400, it was just too complicated - between my time and my manager's,
we would have spent more than the Sonicwall solution.

For me, administering the OS/400 solution would have consumed a lot of time.
Every new attack, exploit, etc. would need to be researched and/or prevented.
With Sonicwall (as well as many other firewall devices), I simply plug it in
and update the firmware when it tells me to.  Setting up LAN->Internet
access rights was a simple IP-based ruleset.  I can filter 'unacceptable'
usage using the built-in CyberNot filter.  Basically, it was an all-in-one
solution.

Okay, now that I've gotten off track, let me get back on.  From your
descriptions, it sounds to me like the telco operates a firewall ahead of
your connection.  From the telco, you have a connection to your AS/400
directly?  Then from the AS/400, you have both a connection to the server
room and to the WAN?  Do you have any routers between the AS/400 and the
telco?  As far as the telco-run firewall, maybe I'm just anal-retentive but
I would put up the best damn firewall I could find to protect myself.  If
there was a security breach into your network, it's your company's
responsibility & liability, not the telco's.

-Chris

---------------------------------------------------------
Christopher A. Libby, Programmer/Analyst
Maine Public Service Company (www.mainepublicservice.com)
clibby@mainepublicservice.com (207) 768-5811 ext. 2210


> -----Original Message-----
> From: owner-web400@midrange.com [mailto:owner-web400@midrange.com]On
> Behalf Of Evan Harris
> Sent: Tuesday, July 17, 2001 2:59 PM
> To: WEB400@midrange.com
> Subject: RE:IP Forwarding and Filtering
>
>
> Chris
>
> There is a firewall in front of the machine, however I have been asked to
> configure IP Filtering rules so that the addresses that can be reached
> using the AS/400 as a router - as an effect of IP forwarding - are limited.
> Presumably the traffic is already filtered by the Telco-operated firewall
> that protects the perimeter of the enterprise and therefore supposedly the
> internal traffic.
>
> There is a dedicated interface to the outside world, a dedicated interface
> to the machines behind the AS/400 and another dedicated interface to the
> rest of the WAN.
>
> Hope this explains the set-up some more.
>
> These servers WILL have a lot of traffic. At what level do you believe this
> will choke the AS/400 - are you saying that it will not handle the IP
> filtering tasks or that the NIC will be overwhelmed? Where do you see the
> bottleneck occurring?
>
> Having said that, do you have any specifics for how to set up IP
> filtering? Or the effects of IP Forwarding being on.
>
> Thanks for the suggestion anyway
>
> Regards
> Evan Harris
>
>
>
> >I would strongly recommend getting a firewall device and placing all these
> >machines in the DMZ.  Otherwise, there is the potential to choke your AS/400
> >if one of these other servers has a lot of traffic.
> >
> >-Chris
> >
> >---------------------------------------------------------
> >Christopher A. Libby, Programmer/Analyst
> >Maine Public Service Company (www.mainepublicservice.com)
> >clibby@mainepublicservice.com (207) 768-5811 ext. 2210
> >
> >
> > > -----Original Message-----
> > > From: owner-web400@midrange.com [mailto:owner-web400@midrange.com]On
> > > Behalf Of Evan Harris
> > > Sent: Tuesday, July 17, 2001 5:50 AM
> > > To: web400@midrange.com
> > > Subject:
> > >
> > >
> > > Hi guys
> > >
> > > we have a customer that wants to provide access to some boxes behind the
> > > AS/400 directly, but still maintain security. A suggestion that has come up
> > > is to set IP forwarding on on the AS/400 and use IP filtering to control
> > > the traffic that gets past the AS/400 (apologies if I haven't phrased this
> > > right)
> > >
> > > I have had a peek at the IP Filtering screens under Ops navigator but it is
> > > not as helpful as I would like, particularly not for getting started. Does
> > > anyone have any suggestions or samples to get this underway. I have
> > > configured the hideous AS/400 firewall in the past (it wasn't a complex
> > > configuration) so I have had some exposure to configuring firewall rules,
> > > but the IP Filtering screens and the firewall screens are light years apart.
> > >
> > > Any comments on the strategy our customer has adopted or how to get started
> > > and especially any perceived pitfalls are welcome.
> > >
> > > And of course feel free to ask me to make myself clear or provide more
> > > information :)
> > >
> > > regards
> > > Evan Harris
> > >
> > >
> >
> >
>
>


+---
| This is the WEB400 Mailing List!
| To submit a new message, send your mail to WEB400@midrange.com.
| To subscribe to this list send email to WEB400-SUB@midrange.com.
| To unsubscribe from this list send email to WEB400-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: david@midrange.com
+---
