Where to put a firewall when using partitions

The advantages and disadvantages of several firewall scenarios.

Symantec Enterprise Firewall (SEF) for iSeries running Linux V7.0.3 will be available in the near future. You can install this product in a Linux LPAR partition within an iSeries server. This way, you can have a Web server, Web application server, database server and firewall all together in a single iSeries server. To get you thinking about how you would deploy a firewall product within an iSeries partition, this tip suggests some scenarios and compares the pros and cons of each option.

Topology 1: The firewall on Linux for iSeries with an intranet
The first topology shown in Figure 1 is designed to protect an iSeries server from an intranet. The firewall has one iSeries Ethernet adapter assigned to it, and the Ethernet adapter connects to an intranet. The firewall also has two virtual Ethernet LAN adapters to access each OS/400 logical partition. All traffic from the intranet must pass through the firewall partition before reaching any OS/400 logical partition. This topology allows firewall administrators to control access to the iSeries from an intranet.

Figure 1: The firewall on Linux for iSeries with an intranet.

Advantages of Topology 1:

  • Simple configuration
  • Protects iSeries server from unauthorized access from intranet
  • Controls iSeries access to intranet and Internet
  • Controls access between OS/400 partitions
  • Uses high-speed virtual LAN

Disadvantages of Topology 1:

  • No direct access to iSeries partition if intranet is trusted
  • No control of intranet access to Internet
  • Cannot protect intranet from Internet attacks

Topology 2: The firewall with an intranet and with a virtual LAN perimeter network
The topology shown in Figure 2 protects the iSeries server from both the Internet and the intranet, and it provides a virtual LAN perimeter network. A perimeter network separates the front-end application from the back-end database, which adds a layer of security. For example, the perimeter network may contain an Apache HTTP server on Linux, IBM HTTP Server for iSeries, or WebSphere Application Server that communicates with a database on the LPAR1 partition. This topology does not trust the intranet, so it can control access from the intranet to the iSeries server.

Figure 2: The firewall with an intranet and with a virtual LAN perimeter network.

Advantages of Topology 2:

  • Provides perimeter network for increased security
  • Protects iSeries server and the intranet from Internet attacks
  • Controls access from the intranet to the perimeter network and to the Internet
  • Uses high-speed virtual LAN

Disadvantages of Topology 2:

  • No physical perimeter network for hosts that are not on the virtual LAN
  • Complex configuration
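As an added example (not from the original tip and not SEF configuration), the Topology 2 access policy above can be written down as a zone-to-zone allowlist on the Linux firewall partition and rendered as a Linux netfilter/iptables ruleset. The interface names, the web ports 80/443 and the DB2 DRDA port 446 for LPAR1 are assumptions, since the figure is not reproduced here.

```python
"""Topology 2 policy: one physical adapter to the intranet, one to the Internet,
and virtual LAN adapters to the perimeter web tier and to the LPAR1 database."""
from typing import NamedTuple, Tuple

# Interface-to-zone mapping is an assumption for this example.
IFACES = {"intranet": "eth0", "internet": "eth1", "perimeter": "veth0", "lpar1": "veth1"}


class Rule(NamedTuple):
    src: str
    dst: str
    dports: Tuple[int, ...]  # TCP destination ports; () means any port


# Allowed flows only; anything not listed is dropped (default deny).
# Ports are assumptions: HTTP/HTTPS to the web tier, DRDA (446) to the database.
RULES = (
    Rule("internet", "perimeter", (80, 443)),   # Internet may reach the web tier only
    Rule("intranet", "perimeter", (80, 443)),   # intranet is untrusted: web tier only
    Rule("perimeter", "lpar1", (446,)),         # web tier talks to the LPAR1 database
    Rule("intranet", "internet", ()),           # intranet may browse the Internet
)


def decide(src_zone: str, dst_zone: str, dport: int) -> str:
    """First-match evaluation of a new TCP connection; no match means DROP."""
    for r in RULES:
        if r.src == src_zone and r.dst == dst_zone and (not r.dports or dport in r.dports):
            return "ACCEPT"
    return "DROP"


def render_iptables() -> str:
    """Emit the same policy in iptables-restore format for the FORWARD chain."""
    lines = ["*filter", ":INPUT DROP [0:0]", ":FORWARD DROP [0:0]", ":OUTPUT ACCEPT [0:0]",
             "-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"]  # return traffic
    for r in RULES:
        rule = f"-A FORWARD -i {IFACES[r.src]} -o {IFACES[r.dst]}"
        if r.dports:
            rule += " -p tcp -m multiport --dports " + ",".join(str(p) for p in r.dports)
        lines.append(rule + " -m state --state NEW -j ACCEPT")
    lines.append("COMMIT")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_iptables())
```

Note that the intranet never reaches LPAR1 directly: the only path to the database is through the perimeter web tier, which is the point of the perimeter network.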

Topology 3: The firewall with an intranet and a perimeter network
The topology shown in Figure 3 protects the iSeries server from the Internet and the intranet, and it provides a real perimeter network. This topology is important if the hosts in the perimeter network are not OS/400 logical partitions and cannot be a part of the virtual LAN perimeter network. This topology does not trust the intranet and can control access from the intranet to the iSeries server.

Figure 3: The firewall with an intranet and with a perimeter network.

Advantages of Topology 3:

  • Provides perimeter network for increased security
  • Provides real perimeter network for hosts not on the virtual LAN
  • Protects iSeries server, the intranet and the perimeter network from Internet attacks
  • Controls access from the intranet to the iSeries server, the perimeter network and the Internet

Disadvantages of Topology 3:

  • Complex configuration
  • Does not use high-speed virtual LAN for external hosts in the perimeter network

----------------------------
About the author: Yessong Johng is an IBM Certified IT Specialist at the IBM International Technical Support Organization, Rochester Center. His major responsibilities are WebSphere and Domino implementation on iSeries focusing on their integration. His new responsibilities include Linux and its solutions on iSeries. Yessong can be contacted by e-mail at yessong@us.ibm.com.


This was first published in November 2002