Hitachi

JP1 Version 12 JP1/Integrated Management 2 - Manager Configuration Guide


9.3.1 Basic information about firewalls

Before describing the operation in a firewall environment, this subsection provides basic information about firewalls.

If you run JP1 in a network environment that includes a firewall, you must evaluate support of two of the firewall functions:

  • Packet filtering

  • NAT (address translation)

To evaluate support of these functions and to set up an environment, you must understand the method used by the firewall to control communications.

Important

The information provided here constitutes a simple overview intended to acquaint you with the basics of firewalls and does not provide sufficient detail for you to evaluate and set up an actual firewall. When you install a firewall, consult the firewall documentation as well as appropriate security documentation to evaluate and set up an environment.

Organization of this subsection

  (1) Packet filtering

  (2) NAT (address translation)

  (3) Communication settings for a JP1 that is run in a firewall environment

(1) Packet filtering

The packet filtering function restricts which applications can communicate through the firewall. It checks each packet that attempts to pass through the firewall and discards packets that do not satisfy the specified passage conditions, thereby blocking unauthorized communications. Only applications whose communications are specified in the passage conditions can be used across the firewall.

JP1/IM supports packet filtering.

(a) Setting packet filtering

To set packet filtering:

  1. Check the communication method, such as the port numbers used by applications.

    Check the port numbers, IP addresses, and passage directions that are set as the firewall passage conditions.

    In the case of JP1/IM, check the communication method by referencing the information provided in this chapter and in Appendix C. Port Numbers in the JP1/Integrated Management 2 - Manager Overview and System Design Guide.

  2. Set the passage conditions for the firewall.

    Initially, you should prohibit all passage, then set passage conditions so that only specific applications can communicate through the firewall.

    In the case of JP1/IM, set the JP1/IM communications checked in step 1 to pass the firewall.

(b) Example of settings for JP1/IM

This subsection describes the settings for packet filtering using an example of an environment in which there is a firewall between JP1/IM - View and JP1/IM - Manager.

Example: Connecting JP1/IM - View to JP1/IM - Manager via a firewall

  • The IP address of the JP1/IM - View machine is 192.168.19.37.

  • The IP address of the JP1/IM - Manager machine is 172.16.100.24.

  • The port numbers are JP1's default port numbers.

    Figure 9‒5: Example of setting packet filtering

    [Figure]

  1. Check JP1's communication method.

    First, check JP1's communication method, which is required for setting packet filtering. According to the information provided in Appendix C.2 Direction of communication through a firewall in the JP1/Integrated Management 2 - Manager Overview and System Design Guide, the port numbers used by JP1/IM are described as shown in the following table.

    Table 9‒9: Firewall passage directions

    Service name    Port number                       Firewall passage direction
    jp1imevtcon     20115/tcp                         JP1/IM - View → JP1/IM - Manager (Central Console)
    jp1imcmda       20238/tcp                         JP1/IM - View → JP1/Base#1
                                                      JP1/IM - Manager (Central Console) → JP1/Base#1
    jp1imcss        20305/tcp                         JP1/IM - View → JP1/IM - Manager (Central Scope)
    jp1rmregistry   20380/tcp                         JP1/IM - View → JP1/IM - Rule Operation
    jp1rmobject     20381/tcp                         JP1/IM - View → JP1/IM - Rule Operation
    jp1imegs        20383/tcp                         Firewall setup is unnecessary because all communication takes place on the machine on which JP1/IM - Manager is installed.
    jddmain         20703/tcp#6                       Web browser → JP1/IM - Manager (Intelligent Integrated Management Base)
    None#2          Port number of the IM database#3  JP1/IM - Manager (physical host) → JP1/IM - Manager (IM database (physical host))
    None#2          Port number of the IM database#4  JP1/IM - Manager (logical host) → JP1/IM - Manager (IM database (logical host))
    jp1imcf         20702/tcp                         JP1/IM - View → JP1/IM - Manager (IM Configuration Management)
    jp1imfcs        20701/tcp                         Firewall setup is unnecessary because all communication takes place on the machine on which JP1/IM - Manager is installed.
    jimmail         25/tcp#5                          JP1/IM - Manager → mail server (SMTP) (without authentication)
                    587/tcp#5                         JP1/IM - Manager → mail server (SMTP) (with SMTP-AUTH authentication)
                    110/tcp#5                         JP1/IM - Manager → mail server (POP3) (with POP-before-SMTP authentication)

    Legend:

    →: Direction of the connection when established

    #1: Refers to JP1/Base on the manager.

    #2: Not registered in the services file.

    #3: This is the port number for the IM database (physical host) that was set in the setup information file when the IM database was set up on the physical host.

    #4: This is the port number for the IM database (logical host) that was set in the cluster setup information file when the IM database was set up on the logical host.

    #5: The destination port number might differ depending on which port is used on the destination server.

    #6: The port number might differ depending on the HTTP server settings.

    This table assumes the following communication method:

    • Service name and Port number columns

      These are the service names and port numbers used by JP1 for communication. According to this table, the communication between JP1/IM - View and JP1/IM - Manager in this example uses port number 20115 (service name jp1imevtcon), port number 20238 (service name jp1imcmda), and port number 20305 (service name jp1imcss), with TCP as the communication protocol.

    • Firewall passage direction column

      This column shows the direction of communication when the connection begins (at the time the connection is established). The direction in which the connection is established is what you need in order to limit the firewall passage direction. For example, for jp1imevtcon (20115/tcp) in this table, the connection is established from JP1/IM - View to JP1/IM - Manager (Central Console), so the firewall must permit connections in that direction.

    • Other

      Although it is not specified in the table, the following follows from the information in the table and the TCP communication specifications:

      Because TCP is a bi-directional communications protocol, each connection carries packets in both directions (JP1/IM - View to JP1/IM - Manager and JP1/IM - Manager to JP1/IM - View). In the reply packets of a TCP connection, the source and destination IP addresses are swapped, and so are the source and destination port numbers. A firewall that inspects each packet on its own therefore needs passage conditions for the reply direction as well, not only for the direction in which the connection is established.

  2. Set packet filtering.

    Based on the direction of communication between JP1/IM - View and JP1/IM - Manager, set packet filtering in such a manner that only communications in the correct direction can pass through the firewall.

    The passage conditions for packet filtering are as follows:

    Example: Filtering condition: For JP1/IM - View and JP1/IM - Manager

    Table 9‒10: Passage conditions for packet filtering

    No.  Source IP address  Destination IP address  Protocol  Source port  Destination port  Control
    1    192.168.19.37      172.16.100.24           TCP       (ANY)        20115             accept
    2    192.168.19.37      172.16.100.24           TCP       (ANY)        20238             accept
    3    192.168.19.37      172.16.100.24           TCP       (ANY)        20305             accept
    4    172.16.100.24      192.168.19.37           TCP       20115        (ANY)             accept
    5    172.16.100.24      192.168.19.37           TCP       20238        (ANY)             accept
    6    172.16.100.24      192.168.19.37           TCP       20305        (ANY)             accept
    7    (ANY)              (ANY)                   (ANY)     (ANY)        (ANY)             reject

    This table shows the conditions for checking packets and the control to be applied when the conditions are satisfied. Conditions are evaluated in the order of the No. column, and the first matching condition decides the control; condition No. 7 is the default that rejects everything not explicitly permitted.

    The Control column specifies whether the firewall permits (accept) or blocks (reject) the passage of packets. In the port columns of conditions 1 to 6, (ANY) stands for the ephemeral port number that the OS on the JP1/IM - View machine assigns to the connection, which cannot be known in advance. In condition 7, (ANY) matches any value in that column.

    Conditions 1 to 3 permit the connections to be established from JP1/IM - View; conditions 4 to 6 permit the reply packets that JP1/IM - Manager sends back on the same connections. If your firewall tracks connection state (a stateful firewall), the reply direction is usually permitted automatically once the connection is accepted, and conditions 4 to 6 are not needed. If your firewall inspects each packet on its own (stateless packet filtering), note that conditions 4 to 6 as written also accept a packet from port 20115, 20238, or 20305 of the JP1/IM - Manager machine to any port of the JP1/IM - View machine, so where the firewall supports it, restrict these conditions to packets that belong to an established connection (for example, packets with the TCP ACK flag set).

    Set packet filtering for a firewall according to the filtering conditions shown in this table.

    Note that the detailed setting method depends on the firewall. See your firewall documentation.
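The following is an added example, not code from the Hitachi manual or from JP1: a small first-match packet filter in Python that encodes Table 9‒10 and evaluates sample packets against it, so the rule order and the meaning of (ANY) can be checked before touching a real firewall. The addresses and port numbers are the manual's example values; the Packet and Rule classes, the sample packets, and the stricter variant STRICT_9_10 (which requires the TCP ACK flag on conditions 4 to 6, as a stateless firewall might allow you to configure) are assumptions made for this example.

```python
# Added example (not from the Hitachi manual): a first-match, stateless
# packet filter that evaluates Table 9-10, plus a stricter variant that
# only admits reply packets (ACK set) on the manager -> view conditions.
# Addresses/ports are the manual's example values; the classes are assumed.
from dataclasses import dataclass, replace
from typing import Optional

ANY = None  # wildcard in any column of the rule table


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str
    src_port: int
    dst_port: int
    ack: bool = False  # TCP ACK flag; False on a bare SYN (new connection)


@dataclass(frozen=True)
class Rule:
    no: int
    src_ip: Optional[str]
    dst_ip: Optional[str]
    proto: Optional[str]
    src_port: Optional[int]
    dst_port: Optional[int]
    control: str                # "accept" or "reject"
    ack_required: bool = False  # strict variant: packet must belong to a connection

    def matches(self, p: Packet) -> bool:
        if self.ack_required and not p.ack:
            return False
        return all(
            want is ANY or want == have
            for want, have in (
                (self.src_ip, p.src_ip),
                (self.dst_ip, p.dst_ip),
                (self.proto, p.proto),
                (self.src_port, p.src_port),
                (self.dst_port, p.dst_port),
            )
        )


VIEW = "192.168.19.37"             # JP1/IM - View machine
MANAGER = "172.16.100.24"          # JP1/IM - Manager machine
JP1_PORTS = (20115, 20238, 20305)  # jp1imevtcon, jp1imcmda, jp1imcss

# Table 9-10 in order: first match wins, No. 7 is the default reject.
TABLE_9_10 = (
    [Rule(n, VIEW, MANAGER, "TCP", ANY, port, "accept")
     for n, port in enumerate(JP1_PORTS, start=1)]
    + [Rule(n, MANAGER, VIEW, "TCP", port, ANY, "accept")
       for n, port in enumerate(JP1_PORTS, start=4)]
    + [Rule(7, ANY, ANY, ANY, ANY, ANY, "reject")]
)

# Same table, but conditions 4-6 only accept packets carrying ACK, so the
# manager side cannot open new connections to the view from its service ports.
STRICT_9_10 = [replace(r, ack_required=(r.src_ip == MANAGER)) for r in TABLE_9_10]


def filter_packet(p: Packet, rules=TABLE_9_10) -> tuple[str, int]:
    """Return (control, rule number) of the first rule that matches p."""
    for r in rules:
        if r.matches(p):
            return r.control, r.no
    raise ValueError("rule table has no catch-all rule")


if __name__ == "__main__":
    # Constructed sample packets: a SYN from the view, its SYN-ACK reply,
    # an unrelated service, and a manager-initiated connection to port 22.
    samples = [
        Packet(VIEW, MANAGER, "TCP", 51234, 20115),
        Packet(MANAGER, VIEW, "TCP", 20115, 51234, ack=True),
        Packet(VIEW, MANAGER, "TCP", 51234, 20703),
        Packet(MANAGER, VIEW, "TCP", 20115, 22),
    ]
    for p in samples:
        print(p, "table:", filter_packet(p), "strict:", filter_packet(p, STRICT_9_10))
```

The last sample packet is the case to watch: under Table 9‒10 as written it is accepted by condition 4 even though it is a new connection from the manager to port 22 of the view, whereas the strict variant rejects it and still accepts the genuine SYN-ACK reply.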

(2) NAT (address translation)

NAT (Network Address Translation) is a function for translating between private IP addresses and global IP addresses. By translating addresses, you can hide the private addresses from the outside, which makes internal machines harder to address directly. NAT is not a substitute for packet filtering: the passage conditions described above are still required. NAT might be provided as a router function as well as a firewall function.

JP1 supports only static-mode NAT (method for translating addresses according to predefined rules).

(a) Setting NAT

To set NAT:

  1. Check the IP addresses to be used.

    First, check the IP addresses used by the applications. It is simple if a machine uses only one IP address. If there are multiple network adapters (using multiple IP addresses), or a logical IP address is used in a cluster system, the IP addresses to be used depend on the application.

    In the case of JP1/IM, the IP addresses to be used depend on the settings, such as when communication settings are specified in JP1/Base, or a logical IP address is used for cluster operation.

  2. Evaluate and set the address translation rules.

    After you have checked the IP addresses used by the applications, determine the IP addresses obtained after translation.

    Once you have determined rules for address change, set them in NAT.

(b) Example of settings for JP1/IM

This subsection describes the NAT settings based on an example of an environment in which there is a firewall between JP1/IM - View and JP1/IM - Manager.

Example: Connecting from JP1/IM - View to JP1/IM - Manager whose address has been translated

  • The IP address of the JP1/IM - View machine is 192.168.19.37.

  • The IP address of the JP1/IM - Manager machine is 172.16.100.24.

    The IP address of this JP1/IM - Manager is translated to 192.168.100.24.

    JP1/IM - View connects to 192.168.100.24 that is obtained after address translation.

    Figure 9‒6: Example of NAT settings

    [Figure]

Note: This is an example of address translation by NAT. Other translation methods are also available.

To set NAT:

  1. Check the IP address to be used.

    First, check the IP addresses used by JP1, which is required in order to set NAT.

    This example uses the IP address that corresponds to the host name (host name displayed by executing the hostname command).

  2. Evaluate and set the address translation rule.

    Define the translation rule in such a manner that the IP address of the JP1/IM - Manager machine is translated from 172.16.100.24 to 192.168.100.24 by NAT.

    Example: Address translation rule: Translating from 172.16.100.24 to 192.168.100.24

    Table 9‒11: Address translation rule

    No.  Source IP address  Destination IP address  Source IP address (translated)  Destination IP address (translated)
    1    (ANY)              192.168.100.24          (ANY)                           172.16.100.24
    2    172.16.100.24      (ANY)                   192.168.100.24                  (ANY)

    This table shows the correspondence between the source packet and the (translated) packet obtained after address translation.

    Define this address translation rule in the NAT settings for the firewall.

    Note that the detailed setting method depends on the firewall and router. See your product documentation.

JP1/IM - View accesses the address obtained after address translation (192.168.100.24), not the actual address of the JP1/IM - Manager machine (172.16.100.24).

Therefore, to JP1/IM - View, it appears that access is to the JP1/IM - Manager host whose address is 192.168.100.24.
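The following is an added example, not code from the Hitachi manual or from JP1: a Python model of the static translation in Table 9‒11, applied to a connection request from JP1/IM - View and to the manager's reply, so you can confirm which address each side observes. The addresses and port numbers are the manual's example values; the Packet and NatRule classes, the round_trip() helper, and the ephemeral port 51234 are assumptions made for this example.

```python
# Added example (not from the Hitachi manual): static NAT applying Table 9-11
# in both directions, with a simulated JP1/IM - View -> Manager round trip.
# Addresses are the manual's example values; the classes are assumed.
from dataclasses import dataclass, replace
from typing import Optional

ANY = None  # wildcard in a match column


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class NatRule:
    no: int
    src_ip: Optional[str]      # match conditions (None = any)
    dst_ip: Optional[str]
    new_src_ip: Optional[str]  # rewrite targets (None = leave unchanged)
    new_dst_ip: Optional[str]

    def matches(self, p: Packet) -> bool:
        return ((self.src_ip is ANY or self.src_ip == p.src_ip)
                and (self.dst_ip is ANY or self.dst_ip == p.dst_ip))


VIEW = "192.168.19.37"          # JP1/IM - View machine
MANAGER_REAL = "172.16.100.24"  # address configured on the JP1/IM - Manager host
MANAGER_NAT = "192.168.100.24"  # translated address that JP1/IM - View connects to

# Table 9-11: No. 1 rewrites requests toward the manager, No. 2 rewrites its replies.
TABLE_9_11 = [
    NatRule(1, ANY, MANAGER_NAT, ANY, MANAGER_REAL),
    NatRule(2, MANAGER_REAL, ANY, MANAGER_NAT, ANY),
]


def translate(p: Packet, rules=TABLE_9_11) -> tuple[Packet, Optional[int]]:
    """Apply the first matching static rule; unmatched packets pass unchanged."""
    for r in rules:
        if r.matches(p):
            translated = replace(p, src_ip=r.new_src_ip or p.src_ip,
                                 dst_ip=r.new_dst_ip or p.dst_ip)
            return translated, r.no
    return p, None


def round_trip(service_port: int = 20115, ephemeral_port: int = 51234) -> dict:
    """SYN from JP1/IM - View through NAT and the SYN-ACK back; what each side sees."""
    syn = Packet(VIEW, MANAGER_NAT, ephemeral_port, service_port)
    syn_at_manager, rule_in = translate(syn)
    # The manager replies to the addresses it observed, with ports swapped.
    syn_ack = Packet(syn_at_manager.dst_ip, syn_at_manager.src_ip,
                     syn_at_manager.dst_port, syn_at_manager.src_port)
    syn_ack_at_view, rule_out = translate(syn_ack)
    return {
        "manager_sees_request_from": syn_at_manager.src_ip,
        "manager_sees_request_to": syn_at_manager.dst_ip,
        "view_sees_reply_from": syn_ack_at_view.src_ip,
        "rules_applied": (rule_in, rule_out),
    }


if __name__ == "__main__":
    for key, value in round_trip().items():
        print(f"{key}: {value}")
```

One check worth making when NAT and packet filtering run on the same device: find out from the firewall documentation whether filtering is applied before or after translation, because the destination address that Table 9‒10 must name (192.168.100.24 or 172.16.100.24) is whichever one is present at the point where the filter inspects the packet.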

(3) Communication settings for a JP1 that is run in a firewall environment

If you run JP1 in a network environment that includes a firewall, consider setting the JP1 communication method to the IP binding method, and consider the effects of multi-LAN connection settings.

To run JP1 in a firewall environment, you must set IP address and port number conditions in packet filtering and NAT as discussed above.

The IP addresses used by JP1 must therefore be known in advance and must not change. The IP binding method, which determines JP1's IP addresses from the JP1 settings rather than leaving the choice to the OS, is suitable for this.

For example, in a configuration in which the server that executes JP1 is connected to multiple LANs, or in a cluster system configuration, the IP address used for communication might be chosen by the OS, resulting in an unintended IP address that does not match the firewall's passage conditions. In such a case, if you set JP1's communication method to the IP binding method, the IP address specified in the JP1 environment settings is always used for communication.