Does AIX firewall socks configuration support DHCP and SOCKS5?

ITEM: RTA000154130

Topic thread:                                                                   
RALEIGH NETWORKING SUPPORT CENTER (RALY - NA/ATS)                               
 IBM COMMERCEPOINT                                                              
  IBM eNetwork Firewall V3.2 for AIX                                            
Customer is in the process of upgrading to AIX FW 3.2.2. They currently         
have many clients using socks thru the firewall to get out to the               
internet. All these clients have static IP address. They want to convert        
these clients to DHCP and configure FW for socks. Can this be done with         
FW 3.2.2? If so how is it done?                                                 
DHCP is not supported on the IBM eNetwork Firewall.  In fact, the              
DHCP function on the client machine is disabled during installation             
of the Firewall client code.  This happens for two reasons.  From               
the client perspective - audit trails can be collected at the Firewall          
that tracks IP traffic out to the Internet.  If someone within a                
company sends Email outside of the trusted network that could be                
damaging to the company, say a 'confidential' document, and the dynamic         
address is then assigned to a different user, there would be no way             
to track the incident back to a specific P.C. or end user.  Obviously,          
this becomes a possibility for a security breach from the secure                
network outbound.  From an inbound perspective, it would not be wise            
to allow dynamic addresses to flow into the secure network from the             
Internet because there is no easy way to identify who the traffic               
is really coming from.  And once again, since the IP address would              
change, if any damage was done to any information or servers in the             
secure network from letting this dynamic IP address into the trusted           
network, there would be no solid audit trail of the offender.                   
Thanks for using ASKQ.                                                          
What is the client code you install on each machine? And is this                
code available for WIN95 and NT?                                                
I understand your recommendation, however is there a way to do this             
if the customer really wants to? One of the system programmers is               
pushing a CICSCO firewall and by using a CISCO secure server using              
something called TACACS supports the use of DHCP and allows tracking            
via this secure server. Does our FW support TACACS?                             
Also, one last point our IBM internal network supports DHCP and                 
I assume we use our FW. How do we handle the logging internally?                
Thanks for your help....                                                        
The "client code" is only installed on one machine - the machine                
in the internal network that the Firewall Administrator will use.               
The client code is shipped with the IBM Firewall product, therfore,             
the operating systems are AIX & Windows NT.                                     
Yes, the customer can use DHCP if they really want to.  If they know            
that specific areas of the network are going to be using DHCP, they             
can create subnet masks, and then set up filter rules by subnet mask            
that the firewall can accept.  The NIC cards on the Firewall machine            
*must* be static (never change) IP addresses.  Another suggestion if            
using DHCP is to force 'strong authentication' at the Firewall, meaning         
have the user key in a Userid/Password each time they attempt to exit           
the secure network out to the Internet, therefore there is some kind            
of audit trail for each user.                                                   
TACACS looks like it's an authentication server.  Check out the Cisco           
website at; for                     
more info on TACACS.  Currently our Firewall does not support TACACS            
or Radius servers, but we are looking at adding that to our product             
in the future.                                                                  
We are beginning to use DHCP within IBM, and yes, IBM does use its own          
Firewall - the AIX version.  Unless we are forced to authenticate               
at the Firewall, other than Email that would have our Email address             
to identify us, there is probably no way to associate a specific user           
function they are performing going throught the Firewall.  If someone           
wanted to use SOCKS5, they could force 'strong authentication' at               
the Firewall to get out to the network.  Also, if the user was in a             
specific subnet, the audit trail at the Firewall would show that                
IP address associated with the specific subnet, so that could be               
narrowed down that way.  I believe the Firewall that IBM uses is                
primarily to keep our secure network secure from outside of IBM, and            
allowing users within IBM to get out to the Internet easily.  The               
administration tasks associated with 'authenticating' at the Firewall           
to allow users to get outside of the trusted network could get pretty           
large in a huge company like IBM if they wanted that granular of                
security. But I wouldn't be surprised if specific subnets weren't               
required to authenticate.                                                       
Thanks for using ASKQ.                                                          
When will the IBM firewall support SOCKS5 Clients? Also, is this more           
an AIX issue or a firewall issue or both?                                       
Hi Robert,                                                                      
  Happy New Year˘  Hope you had good holidays.                                  
The plan for IBMs AIX Firewall to support SOCKS5 is for version 4.0             
which currently looks like it will go G.A. in the late 3rd or early             
4th quarter of this year.                                                       
I'm told by the lead SOCKS developer on the Firewall team that this             
is really both an AIX and a Firewall issue.  From an AIX perspective,           
the SOCKS5 protocol needs to be incorporated into the AIX operating             
system (I'm not sure if that is done yet, that would be a question              
for someone that supports AIX operating system) in order for SOCKS5             
to work on AIX.  From a Firewall perspective, we need to incorporate            
the SOCKS5 code we licensed from Aventil into our Firewall product,             
and that's a time/resource issue.                                              
Thanks for using ASKQ.                                                          

WWQA: ITEM: RTA000154130 ITEM: RTA000154130
Dated: 01/1999 Category: FIREWAIX
This HTML file was generated 99/06/24~12:43:42
Comments or suggestions? Contact us