Using the IBM® Firewall with a VPN

The IBM Firewall enables safe, secure e-business by controlling all communications to and from the Internet. This firewall technology was developed by IBM research in 1985 and has been protecting IBM and thousands of global corporations' assets for more than 15 years. The IBM Firewall is ICSA certified. The IBM firewall provides customers the ability to optimize between performance and security by choosing between packet filtering or application proxy technology. In addition to ftp, telnet, http, WAIS, gopher, and DNS proxies, it includes a high performance secure mail proxy for SMTP or MIME mail that protects private domain names from the nonsecure network. It includes a network security auditor that proactively scans the firewall and other hosts for potential security exposures, a setup wizard that simplies firewall installs, and a management facility for the management and configuration of multiple firewalls. The IBM Firewall provides alerts and comprehensive logging of all significant events and runs on either AIX or NT operating systems.

The VPN and the IBM Firewall can operate together in a variety of configurations, each optimized for different design criteria. Typically, VPNs are added to an existing perimeter network. In each of the designs presented, it is assumed that the VSU-1100 is being installed into a network that will also be protected by an IBM Firewall.

The addition of a VPN to a network is usually the first time traffic must pass through a firewall from the Internet into the internal, secure network. Since the originator of this traffic is authenticated, and the packets themselves are protected from eavesdropping and tampering while traversing the Internet, the security administrator can apply a different policy from that applied to generic Internet traffic.

VPN traffic may greatly increase the volume of packets which must be processed by a firewall . Depending on the capacity and performance characteristics of the underlying system which hosts the IBM Firewall application, if may make sense to process VPN and non-VPN traffic via separate paths through the perimeter network if security policy allows.

Two design scenarios are presented:

• VSU in Front of Firewall
• VSU "Parallel Into" the Firewall

VSU In Front of Firewall

Design Overview

The IBM Firewall provides both standard packet filtering as well as more sophisticated application proxy and content filtering capabilities. For security applications requiring the strictest processing of both incoming and outgoing network traffic, placing the VSU between the IBM Firewall and the Internet access router forces both VPN and non-VPN traffic to pass through the firewall.

The VSU processes inbound and outbound VPN traffic by intercepting it as it passes through, and transparently bridges non-VPN traffic otherwise (see Figure 1.)

The VSU and Firewall work together to deliver optimal performance for high speed connections by allocating the functions that each performs best. However, in the event that connection line speeds exceed T-3 or that the firewall is configured to support application proxies or perform content filtering, VPN traffic performance may be affected by firewall performance. It is important to select an underlying platform with the capacity to forward traffic at the highest anticipated rates of VPN traffic.

Figure 1. Perimeter network design placing VSU outside the IBM Firewall

This configuration is subject to the following issues:

• The VSU becomes a single point of failure for non-VPN traffic; that is, a mis-configuration of the VSU could impact all traffic to and from the Internet.

• Changes to VPN membership or placement of VPN accessible resources on the secure network will require corresponding changes to firewall filter rules. While not in and of itself a great concern, this introduces additional management complexity and opportunity for error.

VSU "Parallel Into" the Firewall

Design Overview

To avoid placing the VSU in the path of non-VPN traffic, it is possible to place the VSU between the the non-secure interface of the IBM Firewall and a third, "semi-trusted" interface. Such designs are common when the perimeter network includes a "demilitarized zone", or DMZ. (See Figure 2.)

Non-VPN traffic passes directly from the Internet access router to the non-secure interface of the IBM Firewall. VPN traffic arrives at the VSU separately, is processed, and is finally passed to the DMZ interface of the firewall.

This design offers the following advantages:

• Flexibility. It provides the ability to segregate filter rules specifically for VPN traffic since it is arriving on a different interface that the firewall.

• It eliminates the VSU as a single point of failure through the network.

Figure 2. Perimeter network design placing VSU private port onto DMZ network

However, additional issues are raised:

• A third interface on the firewall may not be available or may be costly to implement.

• The addition of VPN traffic to a DMZ network already containing resources such as Web servers, FTP servers, etc., may complicate security analysis.

• The additional complexity of a third firewall interface may increase chances for administrative error.

When To Use the IBM Firewall and the VPNware System

The VPN VSU provides for many remote client VPN sessions as well as providing wire-speed VPN throughput for 100BaseT networks. This capacity is achieved through dedicated hardware, ASIC technology for encryption and compression, as well as a ground up design specifically for high-speed VPN processing.

The IBM Firewall provides a high degree of network protection through a combination of packet filtering and proxies and includes a sophisticated mail gateway which is capable of processing multiple mail addresses and provides anti-spamming and spoofing. The IBM Firewall also provides outbound authentication and hides internal mail addresses from the non-secure network. It provides logging, reporting and alerts for all inbound and outbound traffic.

Together, these products provide the robust security and unmatched performance required for even the most demanding e-business connectivity needs of the large enterprise customer or ISP.