
AS400 Firewall Manager Network Segmentation

Brand: AS400 Software
Model Number: AS400-Firewall

The AS400 Firewall Manager is a native, software-based firewall for IBM i. Administrators define incoming and outgoing access policies by port, IP address and logical groups of addresses, so that AS400 Network Segmentation policies can be applied to the types of traffic allowed to flow in and out of the IBM i. The AS400 Firewall Manager monitors and controls network traffic with AS400 exit programs and gives administrators a simple point-and-click GUI for defining policies. An exit program registered at the QIBM_QSO_ACCEPT exit point monitors and controls incoming connections, and an exit program at the QIBM_QSO_CONNECT exit point monitors and controls outgoing connections.

AS400 exit programs used for typical network access controls, such as those that monitor and control user access to the Database Server (ODBC and JDBC), the File Server (IFS), the Signon Server and FTP, often provide enough auditing and security control to satisfy the requirements of most IBM i environments. Some AS400 environments, however, carry additional exposure that calls for a further layer of control of the kind only the AS400 Firewall Manager offers. An organization's AS400 hosted in another company's data center, such as a cloud environment, is a good candidate for these added controls. Organizations implementing Network Segmentation policies that want to bring the AS400 into the segmentation scheme are another. A more common scenario is an AS400 that accepts secure connections from external sources that cannot be monitored or controlled as easily, such as sFTP over SSH; these systems are more likely to be exposed to the Internet, as are AS400s that expose web services for access to the system.

Although the AS400 Firewall is a good solution for monitoring and controlling the kinds of connection that common AS400 exit programs cannot, IBM i Multi-Factor Authentication (MFA) is also recommended for connections like sFTP (SSH). MFA not only provides a log tied to the authenticated user, it also adds the extra control needed to address common compliance requirements. As with any logon or initial connection to the AS400, MFA should be deployed wherever feasible. Other logon and connection types that support AS400 MFA include the Signon Server, Database Server, File Server and FTP Server; each of these has an associated exit program that can initiate the Multi-Factor Authentication process.

The AS400 Firewall Manager also lets system administrators define Port Listening policies so that compliance is maintained consistently, for instance by ensuring that a non-secure port such as Telnet's port 23 is never listening. AS400 Port Listening rules use an exit program for the QIBM_QSO_LISTEN exit point, which controls whether a socket may listen on a port. The Port Listening exit program is the simplest of the three: it simply allows or denies the socket's ability to listen for new connections.

The three exit programs used by the AS400 Firewall Manager are categorized as socket exit programs, a term that goes back to IP Packet Filtering, the IBM facility that preceded this kind of firewall many OS versions ago. Like traditional exit programs, socket exit programs add a layer of IBM i security that hardware firewalls and routers cannot provide: they run on the IBM i itself, know the user profile behind an outgoing connection, and are enforced before any application access control layer is reached. Together these socket exit programs serve on the front lines, giving administrators powerful features for defining complex network access control rules that protect the AS400 and reduce its exposure.

Setting up Incoming Rules in the AS400 Firewall Manager
The AS400 Firewall Manager can monitor and control all IBM i inbound TCP traffic, with the exception of port 23 and of UDP ports such as TFTP and SNMP. The AS400 Firewall's incoming policies use rules that select which source IP address, IP address range, or group of addresses and ranges can or cannot connect to the IBM i. Each incoming rule must define a destination port or port range that the source(s) may reach on the AS400. The administrator also decides whether to log all events or only violations. An incoming rule either Allows or Denies a connection and is subject to a second setting, 'On Unauthorized Access', which is either Warning or Reject. It is recommended to first run any Deny rule in Warning mode for a period of time, which we call simulation mode, to confirm that the results are as expected: a matching connection is logged as a violation but still permitted, so access control policies can be introduced without fear of blocking unintended connections. After reviewing the reports or logs to confirm the desired results, change 'On Unauthorized Access' to Reject to enforce the policy.

AS400 Firewall Incoming Rule Deny Warning

Incoming rules will often overlap, and the Sequence number determines which one takes priority. For instance, a policy might deny file transfers from all sources except administrators: the Allow rule for administrators gets the lower sequence number so that those connections are permitted, while the Deny-all rule with a higher sequence number catches every other connection.

AS400 Firewall Incoming Rules Sequence

Setting up Outgoing Rules in the AS400 Firewall Manager
Outgoing rules work like incoming rules, with the additional ability to define policies based on User and User Group. Since a connection from a source is established before the user presents logon credentials, incoming rules cannot use user-based policies, whereas an outgoing connection is initiated by a job already running under a known user profile. IBM imposes no limitations on outgoing firewall rules, unlike incoming rules and Port Listening.

AS400 Firewall Port Listening Rules

Setting up Port Listening Rules in the AS400 Firewall Manager
AS400 Port Listening rules simply determine whether a port or port range may be in listening mode, with an Authorization setting of Allow or Deny. As with incoming and outgoing rules, the 'On Unauthorized Access' setting determines whether the policy is enforced with a Reject or the listen is allowed with a Warning. A Reject enforces a Deny policy by preventing the port or port range from entering listening mode. Port Listening rules also have a Log option of All or Violation only.

Note that IBM does not allow Port Listening rules for UDP ports such as TFTP and SNMP; such rules are ignored if created. In addition, port 445 (SMBSERVERMAIN) cannot be enforced.
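The rule semantics described in the Incoming, Outgoing and Port Listening sections above can be modelled in a few lines: rules are tried in Sequence order and the first match decides; a Deny rule in Warning mode only logs (simulation mode); Reject enforces; Log is All or Violation; outgoing rules may also match on user profile; UDP rules are dropped because the socket exit points do not cover UDP. The following Python is an added illustration of those semantics, not the AS400 Firewall Manager's own code and not an IBM i exit program for QIBM_QSO_ACCEPT, QIBM_QSO_CONNECT or QIBM_QSO_LISTEN. The field names, the "low-high" address range syntax, the sample addresses and rule sets, and the choice that a connection matching no rule is permitted without a log entry are all assumptions of the example, not taken from the page.

```python
"""Model of first-match socket rule evaluation for incoming, outgoing and listen rules.

Added example, not product code and not an IBM i exit program. Field names, the
"a-b" range syntax and the default-permit for unmatched connections are assumptions.
"""
from dataclasses import dataclass, field, replace
import ipaddress


@dataclass
class Rule:
    seq: int                  # lower Sequence number is evaluated first
    action: str               # "ALLOW" or "DENY"
    ports: tuple              # inclusive (low, high) destination port range
    sources: list = field(default_factory=list)  # addresses, CIDRs, "a-b" ranges or group names; empty = any
    users: list = field(default_factory=list)    # user profiles (outgoing rules only); empty = any
    on_unauthorized: str = "WARNING"             # "WARNING" = simulate, "REJECT" = enforce
    log: str = "VIOLATION"                       # "ALL" or "VIOLATION"
    protocol: str = "TCP"


def ip_matches(spec: str, ip: str) -> bool:
    """True if ip is the single address, lies inside the CIDR network, or falls in the a-b range."""
    addr = ipaddress.ip_address(ip)
    if "-" in spec:
        low, high = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        return low <= addr <= high
    if "/" in spec:
        return addr in ipaddress.ip_network(spec, strict=False)
    return addr == ipaddress.ip_address(spec)


def load_rules(rules, groups=None):
    """Expand address groups, drop UDP rules (IBM i ignores them), sort by Sequence."""
    groups = groups or {}
    loaded = []
    for r in rules:
        if r.protocol.upper() != "TCP":
            continue  # UDP services such as TFTP and SNMP cannot be controlled by these exit points
        members = [m for s in r.sources for m in groups.get(s, [s])]
        loaded.append(replace(r, sources=members))
    return sorted(loaded, key=lambda r: r.seq)


def evaluate(rules, port, ip=None, user=None):
    """Return (decision, log_line). decision is ALLOW, WARN (permitted but logged) or REJECT.
    ip is None for a port-listening check; user is None for an incoming check."""
    who = f"{user or '-'}@{ip or 'local'}:{port}"
    for r in rules:
        if not r.ports[0] <= port <= r.ports[1]:
            continue
        if ip is not None and r.sources and not any(ip_matches(s, ip) for s in r.sources):
            continue
        if r.users and (user is None or user.upper() not in [u.upper() for u in r.users]):
            continue
        if r.action.upper() == "ALLOW":
            return "ALLOW", (f"seq {r.seq} ALLOW {who}" if r.log.upper() == "ALL" else None)
        # A Deny match is always a violation entry; only Reject mode actually blocks it.
        if r.on_unauthorized.upper() == "REJECT":
            return "REJECT", f"seq {r.seq} VIOLATION rejected {who}"
        return "WARN", f"seq {r.seq} VIOLATION warning only {who}"
    return "ALLOW", None  # assumption: no matching rule means no policy applies


def enforce(rules, seq):
    """Switch a Deny rule from Warning (simulation) to Reject once its log looks right."""
    for r in rules:
        if r.seq == seq:
            r.on_unauthorized = "REJECT"
    return rules


def demo():
    """Constructed rule sets and sample connections covering the three rule types."""
    groups = {"ADMINS": ["10.1.1.0/24", "10.2.0.5-10.2.0.9"]}
    incoming = load_rules([
        Rule(seq=20, action="DENY", ports=(20, 21)),  # deny FTP from everyone, simulate first
        Rule(seq=10, action="ALLOW", ports=(20, 21), sources=["ADMINS"], log="ALL"),
    ], groups)
    outgoing = load_rules([
        Rule(seq=10, action="ALLOW", ports=(22, 22), sources=["203.0.113.0/24"], users=["BATCHUSR"]),
        Rule(seq=20, action="DENY", ports=(22, 22), on_unauthorized="REJECT"),  # no other outbound SSH
    ])
    listen = load_rules([
        Rule(seq=10, action="DENY", ports=(23, 23), on_unauthorized="REJECT"),  # Telnet never listens
        Rule(seq=20, action="DENY", ports=(69, 69), on_unauthorized="REJECT", protocol="UDP"),  # dropped
    ])
    results = {
        "admin_ftp": evaluate(incoming, 21, ip="10.2.0.7")[0],
        "other_ftp_simulated": evaluate(incoming, 21, ip="192.0.2.44")[0],
        "batch_ssh_out": evaluate(outgoing, 22, ip="203.0.113.9", user="BATCHUSR")[0],
        "web_ssh_out": evaluate(outgoing, 22, ip="203.0.113.9", user="WEBUSR")[0],
        "telnet_listen": evaluate(listen, 23)[0],
        "tftp_listen": evaluate(listen, 69)[0],
        "listen_rules_kept": len(listen),
    }
    enforce(incoming, 20)  # after reviewing the simulation log, enforce the Deny rule
    results["other_ftp_enforced"] = evaluate(incoming, 21, ip="192.0.2.44")[0]
    return results


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:20} {decision}")
```

The point to take from the model is the ordering: the administrator Allow rule must carry the lower Sequence number or the Deny-all rule swallows it, and a Deny rule left in Warning mode produces violation log entries without blocking anything, which is exactly what makes the simulation period safe.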

The AS400 Firewall Manager is supported on IBM i (OS/400) version V7R1 and higher.

Summary of benefits:
- Quick and easy to set up and maintain. Simple point-and-click administration means no special training is required.
- Implement safely and with confidence. Simulation mode lets traffic be monitored through logs or reports before deciding to reject it.
- Real-time intrusion detection alerts for policy violations and suspicious activity.
- Adopt network segmentation policies that align with corporate policy and enforce compliance requirements.
- Fully integrated into the Enforcive Enterprise Security suite for User and User Group policies and reporting.
- Predefined reports with detailed auditing, distributed by email and archived on the IFS in the desired format.
- Complete visibility of all network traffic in and out of the IBM i.
- Flexible controls for incoming and outgoing network traffic.
- Simple port listening policies that keep non-compliant ports from ever listening.
- Monitor and control network traffic that bypasses the common 'traditional' exit points, such as IBM i Navigator, sFTP (Secure Shell, SSH), FTPS (SSL/TLS), and newer or lesser-known protocols.
- Extends the functions of the existing hardware firewall.
- Dedicated control for IBM i traffic.
- Enhanced user profile based policies.
- Blocks network traffic that avoids exit points.
- Provides function/command information.
