Hitachi

JP1 Version 12 JP1/Automatic Job Management System 3 System Design (Configuration) Guide


2.3.2 Firewall and communication basics

When you use JP1 in a network environment that includes a firewall, you must consider the following two firewall functionalities:

  • Packet filtering

  • NAT (Network Address Translator)

To set an environment with these considerations, you must understand the method by which the firewall controls communications.

This subsection covers basic knowledge related to firewalls and communications, including packet filtering and NAT. For details about communication settings required for using JP1/AJS3 in an environment with a firewall, see 2.3.4 Communications in firewall environments.

Supplementary note

The explanation given here is an overview to help you understand the basics of firewalls. You must read and properly understand the firewall documentation and reference works on security before attempting to plan and make the security settings for a firewall.

(1) Packet filtering

Packet filtering restricts the communications that are allowed to pass through a firewall. The firewall checks each packet that passes through it one by one and discards any packet that does not match the predetermined data-passing conditions, so unauthorized communications are prevented from passing through the firewall. This means that only the packets specified in the data-passing conditions reach the network behind the firewall.

JP1/AJS3 supports packet filtering.

(a) Setting packet filtering

To set packet filtering:

  1. Investigate the method of communications (the port number that the application uses and so on).

    Check the port number, IP address and data-passing direction to be set as firewall data-passing conditions.

    Check the communications conditions for JP1/AJS3 by referring to the explanation in this subsection and the explanation in A. List of Port Numbers.

  2. Set data-passing conditions for the firewall.

    First block all data packets, and then set passing conditions to allow only specific packets to pass through the firewall.

    In JP1/AJS3, specify settings that will allow JP1 communications checked using the procedure described above to pass through the firewall.

(b) Example of Settings for JP1/AJS3

This example shows how to set packet filtering in an environment in which a firewall is placed between JP1/AJS3 - View and JP1/AJS3 - Manager.

Example: Connect JP1/AJS3 - View to JP1/AJS3 - Manager through the firewall.
  • JP1/AJS3 - Manager is operating in a non-cluster system.

  • 100.100.100.10 is set as the IP address of the computer running JP1/AJS3 - View.

  • 200.200.200.20 is set as the IP address of the computer running JP1/AJS3 - Manager.

  • The default port number for JP1 is used.

    Figure 2‒15: Example of setting packet filtering with JP1/AJS3

    [Figure]

  1. Investigate the method of communications for JP1

    First, find out the method of communications of JP1; this is required information for setting packet filtering. If you look at 2.3.4(2) JP1/AJS3 communications below, you will see that the port numbers that JP1/AJS3 - View uses are explained in tables like the one below.

    Table 2‒5: Communications between JP1/AJS3 - View and JP1/AJS3 - Manager

    JP1/AJS3 - View | Direction | JP1/AJS3 - Manager
    ANY             | >>        | 20244/tcp (jp1ajs2monitor)

    This table indicates the following methods of communication:

    • JP1/AJS3 - Manager accepts connections from JP1/AJS3 - View using port number 20244. In other words, JP1/AJS3 - View is connected to port number 20244 on the JP1/AJS3 - Manager side.

    • Port number 20244 is defined with the service name jp1ajs2monitor. You can change the port number to a number other than 20244 in the environment settings.

    • The port number at the JP1/AJS3 - View side is automatically assigned by the OS as any port number that is available at the time (ANY).

    • The direction of the connection is from JP1/AJS3 - View to JP1/AJS3 - Manager. This direction setting is used when you want to restrict the direction in which data passes through the firewall, for example only permitting connections from network A to network B.

    • The protocol is TCP.

    • TCP involves bi-directional communication, and there are outward (JP1/AJS3 - View >> JP1/AJS3 - Manager) and return (JP1/AJS3 - View << JP1/AJS3 - Manager) communications. In each packet, the sending side is the Source and the receiving side is the Destination, so the Source and Destination of the outward and return packets are swapped.

    The available IP addresses depend on the communication settings in JP1/Base. For details, see the JP1/Base User's Guide.

  2. Set packet filtering.

    Based on the checked method of communications between JP1/AJS3 - View and JP1/AJS3 - Manager, configure the system so that only these communications can pass through the firewall.

    The following table shows the data-passing conditions for packet filtering.

    Table 2‒6: Example filtering conditions (for JP1/AJS3 - View and JP1/AJS3 - Manager)

    No. | SourceAddress  | DestinationAddress | Protocol | SourcePort | DestinationPort | Control
    1   | 100.100.100.10 | 200.200.200.20     | TCP      | (ANY)      | 20244           | Accept
    2   | 200.200.200.20 | 100.100.100.10     | TCP      | 20244      | (ANY)           | Accept
    3   | (ANY)          | (ANY)              | (ANY)    | (ANY)      | (ANY)           | Reject

    This table shows the conditions for checking packets and the control if there is a match with the conditions. The Control column indicates whether passage through the firewall is accepted or rejected.

    Set the packet filtering of the firewall in accordance with the filtering conditions in this table.

The details of the setting method differ for individual firewalls. See the documentation for your firewall.
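The following is an added example, not code from the JP1 manual or from Hitachi: a small first-match packet filter that encodes the three rules of Table 2‒6 and runs constructed sample packets through them. The addresses and the jp1ajs2monitor port are the manual's example values; the ephemeral port 51234 on the View side and the sample packets are constructed for illustration.

```python
# Added example (not from the JP1 manual): a first-match packet filter that
# applies the three rules of Table 2-6 to constructed sample packets.
from dataclasses import dataclass
from typing import Union

ANY = "ANY"  # wildcard, written (ANY) in the manual's tables


@dataclass(frozen=True)
class Packet:
    src_addr: str
    dst_addr: str
    proto: str
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class Rule:
    no: int
    src_addr: str
    dst_addr: str
    proto: str
    src_port: Union[int, str]
    dst_port: Union[int, str]
    control: str  # "Accept" or "Reject"

    def matches(self, pkt: Packet) -> bool:
        """A field matches when the rule holds ANY or exactly the packet's value."""
        checks = (
            (self.src_addr, pkt.src_addr),
            (self.dst_addr, pkt.dst_addr),
            (self.proto, pkt.proto),
            (self.src_port, pkt.src_port),
            (self.dst_port, pkt.dst_port),
        )
        return all(cond == ANY or cond == value for cond, value in checks)


VIEW_ADDR = "100.100.100.10"     # JP1/AJS3 - View host (manual's example value)
MANAGER_ADDR = "200.200.200.20"  # JP1/AJS3 - Manager host (manual's example value)
JP1AJS2MONITOR = 20244           # default jp1ajs2monitor port

# Table 2-6 in order: allow outward, allow return, reject everything else.
TABLE_2_6 = [
    Rule(1, VIEW_ADDR, MANAGER_ADDR, "TCP", ANY, JP1AJS2MONITOR, "Accept"),
    Rule(2, MANAGER_ADDR, VIEW_ADDR, "TCP", JP1AJS2MONITOR, ANY, "Accept"),
    Rule(3, ANY, ANY, ANY, ANY, ANY, "Reject"),
]


def filter_packet(pkt: Packet, rules=TABLE_2_6):
    """Return (matching rule number, control) using first-match semantics.

    If no rule matches, the packet is rejected, so the filter stays
    default-deny even when the final catch-all rule has been left out.
    """
    for rule in rules:
        if rule.matches(pkt):
            return rule.no, rule.control
    return None, "Reject"


# Constructed sample traffic. 51234 stands in for the ephemeral port the OS
# assigns on the View side (the ANY in Table 2-5).
SAMPLES = {
    "view_connects": Packet(VIEW_ADDR, MANAGER_ADDR, "TCP", 51234, JP1AJS2MONITOR),
    "manager_replies": Packet(MANAGER_ADDR, VIEW_ADDR, "TCP", JP1AJS2MONITOR, 51234),
    "other_host_to_manager": Packet("100.100.100.99", MANAGER_ADDR, "TCP", 40000, JP1AJS2MONITOR),
    "view_to_other_port": Packet(VIEW_ADDR, MANAGER_ADDR, "TCP", 51235, 22),
    "udp_to_monitor_port": Packet(VIEW_ADDR, MANAGER_ADDR, "UDP", 51236, JP1AJS2MONITOR),
}


def evaluate_samples():
    """Run every sample through the filter; returns {name: (rule_no, control)}."""
    return {name: filter_packet(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, (no, control) in evaluate_samples().items():
        print(f"{name:24s} -> rule {no}: {control}")
```

Only the View-to-Manager connection and its return traffic are accepted; a different source host, a different destination port, or UDP all fall through to rule 3. One caveat the table does not show: rule 2 is stateless, so it accepts any TCP packet from 200.200.200.20 with source port 20244 to any port on the View host. A firewall that tracks connection state can restrict the return direction to packets belonging to a connection that rule 1 already admitted, which is the tighter setting when the product offers it.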

(2) NAT (Network Address Translator)

NAT translates private IP addresses to global IP addresses and vice versa. Because the private addresses are hidden from outsiders, address translation improves the security of the computers on the internal network.

In addition to its use in firewalls, the NAT functionality is also used with routers.

JP1/Base and JP1/AJS3 support NAT in static mode (addresses are translated according to predetermined rules). The following description applies to address translation in static mode only.

Note that JP1/Base and JP1/AJS3 can be used only in an environment in which a unique host name or IP address can be resolved from the host name used for communication. Therefore, JP1/Base and JP1/AJS3 do not support NAT in dynamic mode (an available address is assigned dynamically, so the translation rules are created or changed automatically) or NAPT (IP Masquerade, NAT+), which also translates port numbers.

(a) Setting NAT

To set NAT:

  1. Check the IP address to be used.

    First, check the IP address that the application uses. This is simple when dealing with a computer that only uses one IP address, but if multiple network adaptors are used (meaning that there is more than one IP address), or if a logical IP address is used in a cluster system, the IP address used differs depending on the application.

    In the case of JP1/AJS3, the IP address used in a non-cluster system will be different from that in a cluster system with a logical host setting. For details, see the JP1/Base User's Guide.

  2. Determine and set the address translation rules.

    Once you have checked the IP address that the application uses, decide the IP address after translation.

    When you have decided the address translation rules, set them for NAT.

(b) Example setting with JP1/AJS3

The following explains NAT setting for JP1 in a configuration with a firewall between JP1/AJS3 - View and JP1/AJS3 - Manager.

Example: Connecting from JP1/AJS3 - View to a JP1/AJS3 - Manager host with a translated address
  • JP1/AJS3 - Manager operates in a non-cluster system.

  • 100.100.100.10 is set as the IP address of the JP1/AJS3 - View computer.

  • 150.150.150.15 is set as the IP address of the JP1/AJS3 - Manager computer.

    The IP address of this JP1/AJS3 - Manager is translated to 200.200.200.20.

    After translation, JP1/AJS3 - View connects to 200.200.200.20.

Figure 2‒16: Example of setting NAT with JP1/AJS3

[Figure]

  1. Check the IP address to be used.

    Check the IP address used by JP1. This information is required for setting NAT.

    Since the system in this example is non-cluster, communications are conducted using an IP address that corresponds to the host name (result of the hostname command).

  2. Determine and set the address translation rule.

    Decide the translation rule for translating the IP address of the JP1/AJS3 - Manager computer from 150.150.150.15 to 200.200.200.20 using NAT.

    Table 2‒7: Example of a translation rule (translating 150.150.150.15 to 200.200.200.20)

    No. | SourceAddress  | DestinationAddress | SourceAddress (Translated) | DestinationAddress (Translated)
    1   | (ANY)          | 200.200.200.20     | (ANY)                      | 150.150.150.15
    2   | 150.150.150.15 | (ANY)              | 200.200.200.20             | (ANY)

    This table shows the correspondence between the source packet and the packet after address translation.

    Define this address translation rule in the NAT setting for the firewall.

    The precise details of the setting method will differ depending on the firewall and router. See the documentation for the products you are using.

Now, JP1/AJS3 - View does not access the actual address of the computer where JP1/AJS3 - Manager is installed (150.150.150.15) but the address after translation (200.200.200.20).

From JP1/AJS3 - View, it appears as if a JP1/AJS3 - Manager host with the IP address 200.200.200.20 is being accessed.
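The following is an added example, not code from the JP1 manual or from Hitachi: a model of the static, one-to-one translation in Table 2‒7, followed through one request and reply between JP1/AJS3 - View and JP1/AJS3 - Manager. The addresses and the jp1ajs2monitor port are the manual's example values; the ephemeral View-side port 51234 and the one-to-one check are constructed for illustration. The check reflects the requirement stated above that a host name must resolve to a unique address, which is why dynamic NAT and NAPT are not usable with JP1.

```python
# Added example (not from the JP1 manual): static, one-to-one NAT as in
# Table 2-7, applied to address/port tuples on the way in and out.
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src_addr: str
    dst_addr: str
    src_port: int
    dst_port: int


MANAGER_REAL = "150.150.150.15"        # actual address of the Manager host
MANAGER_TRANSLATED = "200.200.200.20"  # address JP1/AJS3 - View connects to
VIEW_ADDR = "100.100.100.10"
JP1AJS2MONITOR = 20244

# real address -> translated address (static mode: fixed, one-to-one)
STATIC_NAT = {MANAGER_REAL: MANAGER_TRANSLATED}


def is_one_to_one(table) -> bool:
    """True when every real address maps to a distinct translated address
    and no address appears on both sides. A many-to-one table (what NAPT
    does) would break the unique name-to-address resolution JP1 needs."""
    translated = list(table.values())
    if len(set(translated)) != len(translated):
        return False
    return not (set(table) & set(translated))


def inbound(pkt: Packet, table=STATIC_NAT) -> Packet:
    """Rule 1 of Table 2-7: DestinationAddress translated -> real.
    Ports are left untouched because static NAT does not translate them."""
    reverse = {translated: real for real, translated in table.items()}
    if pkt.dst_addr in reverse:
        return replace(pkt, dst_addr=reverse[pkt.dst_addr])
    return pkt


def outbound(pkt: Packet, table=STATIC_NAT) -> Packet:
    """Rule 2 of Table 2-7: SourceAddress real -> translated."""
    if pkt.src_addr in table:
        return replace(pkt, src_addr=table[pkt.src_addr])
    return pkt


def round_trip(view_port=51234):
    """Follow one request/reply pair through the translator.

    Returns (packet as it reaches the Manager, reply as the View host sees it).
    """
    if not is_one_to_one(STATIC_NAT):
        raise ValueError("translation table is not static one-to-one NAT")
    # View connects to the translated address, as in the manual's example.
    request = Packet(VIEW_ADDR, MANAGER_TRANSLATED, view_port, JP1AJS2MONITOR)
    at_manager = inbound(request)
    # The Manager answers from its real address; the reply swaps the tuple.
    reply = Packet(at_manager.dst_addr, at_manager.src_addr,
                   at_manager.dst_port, at_manager.src_port)
    at_view = outbound(reply)
    return at_manager, at_view


if __name__ == "__main__":
    to_manager, back_to_view = round_trip()
    print("reaches Manager as:", to_manager)
    print("View sees reply from:", back_to_view.src_addr)
```

The reply arrives at the View host with source address 200.200.200.20, so the View side never learns 150.150.150.15, which is the behaviour described above. A related check when packet filtering and NAT are used together: filtering conditions must name the addresses as they appear at the point where the filter is applied, so a rule written for 200.200.200.20 on the outside of the translator will not match the same traffic once it has been rewritten to 150.150.150.15.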

(3) Communication settings for using JP1 in a firewall environment

When using a network environment that goes through a firewall, consider the effect of selecting IP bind as the JP1 communication method used for multiple LAN connections.

To use JP1 in an environment with a firewall, you must set conditions for packet filtering and NAT in accordance with the IP address and port number, as explained previously. For that reason, use the IP bind method determined by the JP1 settings to clearly establish the JP1 IP addresses.

For example, when JP1 runs in a cluster system or on a server connected to multiple LANs, because the IP address is determined by the OS, an unintended IP address might be used. You can remedy this situation by setting the IP bind method as the JP1 communications method so that communications use the IP address specified in the JP1 environment settings.