Does AIX firewall socks configuration support DHCP and SOCKS5?
RALEIGH NETWORKING SUPPORT CENTER (RALY - NA/ATS)
IBM eNetwork Firewall V3.2 for AIX
Customer is in the process of upgrading to AIX FW 3.2.2. They currently
have many clients using socks thru the firewall to get out to the
internet. All these clients have static IP address. They want to convert
these clients to DHCP and configure FW for socks. Can this be done with
FW 3.2.2? If so how is it done?
DHCP is not supported on the IBM eNetwork Firewall. In fact, the
DHCP function on the client machine is disabled during installation
of the Firewall client code. This happens for two reasons. From
the client perspective - audit trails can be collected at the Firewall
that tracks IP traffic out to the Internet. If someone within a
company sends Email outside of the trusted network that could be
damaging to the company, say a 'confidential' document, and the dynamic
address is then assigned to a different user, there would be no way
to track the incident back to a specific PC or end user. Obviously,
this becomes a possibility for a security breach from the secure
network outbound. From an inbound perspective, it would not be wise
to allow dynamic addresses to flow into the secure network from the
Internet because there is no easy way to identify who the traffic
is really coming from. And once again, since the IP address would
change, if any damage was done to any information or servers in the
secure network from letting this dynamic IP address into the trusted
network, there would be no solid audit trail of the offender.
Thanks for using ASKQ.
What is the client code you install on each machine? And is this
code available for WIN95 and NT?
I understand your recommendation, however is there a way to do this
if the customer really wants to? One of the system programmers is
pushing a Cisco firewall and by using a Cisco secure server using
something called TACACS supports the use of DHCP and allows tracking
via this secure server. Does our FW support TACACS?
Also, one last point our IBM internal network supports DHCP and
I assume we use our FW. How do we handle the logging internally?
Thanks for your help....
The "client code" is only installed on one machine - the machine
in the internal network that the Firewall Administrator will use.
The client code is shipped with the IBM Firewall product, therefore,
the operating systems are AIX & Windows NT.
Yes, the customer can use DHCP if they really want to. If they know
that specific areas of the network are going to be using DHCP, they
can create subnet masks, and then set up filter rules by subnet mask
that the firewall can accept. The NIC cards on the Firewall machine
*must* be static (never change) IP addresses. Another suggestion if
using DHCP is to force 'strong authentication' at the Firewall, meaning
have the user key in a Userid/Password each time they attempt to exit
the secure network out to the Internet, therefore there is some kind
of audit trail for each user.
TACACS looks like it's an authentication server. Check out the Cisco
website at http://www.cisco.com/warp/public/480/4.html for
more info on TACACS. Currently our Firewall does not support TACACS
or Radius servers, but we are looking at adding that to our product
in the future.
We are beginning to use DHCP within IBM, and yes, IBM does use its own
Firewall - the AIX version. Unless we are forced to authenticate
at the Firewall, other than Email that would have our Email address
to identify us, there is probably no way to associate a specific user
function they are performing going through the Firewall. If someone
wanted to use SOCKS5, they could force 'strong authentication' at
the Firewall to get out to the network. Also, if the user was in a
specific subnet, the audit trail at the Firewall would show that
IP address associated with the specific subnet, so that could be
narrowed down that way. I believe the Firewall that IBM uses is
primarily to keep our secure network secure from outside of IBM, and
allowing users within IBM to get out to the Internet easily. The
administration tasks associated with 'authenticating' at the Firewall
to allow users to get outside of the trusted network could get pretty
large in a huge company like IBM if they wanted that granular of
security. But I wouldn't be surprised if specific subnets weren't
required to authenticate.
Thanks for using ASKQ.
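The audit-trail problem described above (a dynamic address reused by a second user later the same day) and the suggestion to narrow events down by subnet, as an added example that is not part of the original ASKQ item or of the IBM Firewall product. It assumes the DHCP server's lease records can be exported alongside the firewall audit trail; every log line, address, MAC and subnet label below is constructed sample data.

```python
"""Attribute firewall audit records to hosts when clients use DHCP.
Added example (not from the ASKQ item or the IBM Firewall); all data is
constructed, and DHCP lease records are assumed to be exportable."""
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed firewall audit trail: (time, source address, destination).
FIREWALL_AUDIT = [
    ("1999-01-04 09:05:00", "10.1.20.57", "mail.example.invalid:25"),
    ("1999-01-04 13:40:00", "10.1.20.57", "ftp.example.invalid:21"),
    ("1999-01-04 14:10:00", "10.1.30.9", "www.example.invalid:80"),
]

# Constructed DHCP leases: (address, MAC, hostname, lease start, lease end).
# The same address is handed to two different PCs on the same day.
DHCP_LEASES = [
    ("10.1.20.57", "00:60:94:aa:bb:01", "pc-finance-12",
     "1999-01-04 08:00:00", "1999-01-04 12:00:00"),
    ("10.1.20.57", "00:60:94:aa:bb:02", "pc-eng-04",
     "1999-01-04 12:00:00", "1999-01-04 16:00:00"),
]

# Constructed site plan: DHCP scopes confined to known subnets.
SUBNETS = {
    ip_network("10.1.20.0/24"): "finance floor",
    ip_network("10.1.30.0/24"): "engineering lab",
}

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def attribute(event, leases=DHCP_LEASES, subnets=SUBNETS):
    """Return (how, who): 'lease' with host and MAC when a lease covers the
    address at that instant, 'subnet' with the area when only the subnet is
    known, otherwise 'unknown' with the bare address."""
    when, src, _dst = event
    t, addr = _ts(when), ip_address(src)
    for ip, mac, host, start, end in leases:
        # Half-open window: a lease ending at 12:00 does not cover 12:00.
        if ip_address(ip) == addr and _ts(start) <= t < _ts(end):
            return ("lease", f"{host} ({mac})")
    for net, label in subnets.items():
        if addr in net:
            return ("subnet", label)
    return ("unknown", src)

def attribute_all(events=FIREWALL_AUDIT):
    return [attribute(e) for e in events]
```

Without the lease records, both 10.1.20.57 events would point at whichever PC holds the address when the investigator looks, which is the gap the answer above describes.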
When will the IBM firewall support SOCKS5 Clients? Also, is this more
an AIX issue or a firewall issue or both?
Happy New Year! Hope you had good holidays.
The plan for IBM's AIX Firewall to support SOCKS5 is for version 4.0
which currently looks like it will go G.A. in the late 3rd or early
4th quarter of this year.
I'm told by the lead SOCKS developer on the Firewall team that this
is really both an AIX and a Firewall issue. From an AIX perspective,
the SOCKS5 protocol needs to be incorporated into the AIX operating
system (I'm not sure if that is done yet, that would be a question
for someone that supports AIX operating system) in order for SOCKS5
to work on AIX. From a Firewall perspective, we need to incorporate
the SOCKS5 code we licensed from Aventail into our Firewall product,
and that's a time/resource issue.
Thanks for using ASKQ.
WWQA: ITEM: RTA000154130
Dated: 01/1999 Category: FIREWAIX
This HTML file was generated 99/06/24~12:43:42