Kisco Systems

IBM i Security Tips

Can NAT and IP Packet Filtering Work For You?

By Rich Loeber

In your efforts to secure your IBM i, you will come up against constraints imposed by company management. Frequently, you will find that a specific technology or software add-on would give you an extra measure of needed security, but management turns you down because of cost. Since this is a common problem, it is always nice to find security tools that are built into the operating system and that you can deploy without additional expense. This tip will introduce you to two such tools on your system, NAT and IP Packet Filtering. Both are included in the IBM i OS and are deployed through the Navigator For i.

NAT stands for "Network Address Translation". Among other things, NAT will allow you to provide public access to your system even though it sits behind a firewall. It does so by changing the source and destination IP addresses for data packets as they flow through your system. It can also be used to simplify configuration when multiple networks in your system operate on different addressing schemes. Your system can act as a go-between making the connections possible. NAT can also be used to hide real IP addresses between networks.

IP Packet Filtering lets you block specific IP addresses or filter packets based on information contained in each packet header. This gives you a lot of power to control who can and cannot access your system based on the IP address they are coming from. Using IP Packet Filtering, you can:

  • Permit or reject packets based on their destination IP address.
  • Permit or reject packets based on their source IP address.
  • Permit or reject packets based on either their source port number or their destination port number.
  • Apply these rules selectively when you have multiple network connections to your system. Different rules can apply to each network adapter.
  • Stop undesirable traffic from passing through your system to other nodes in your network.
  • Selectively log traffic based on the way your rules are set up.
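To make the list above concrete, here is a small Python model of how such a rule set is evaluated. It is an added example, not IBM i rule syntax and not code from the original tip. The adapter names, addresses and rules are constructed, and first-match ordering with a final default deny is an assumption of this model that you should confirm in the IBM manual for your release.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str                      # "PERMIT" or "DENY"
    src: str = "0.0.0.0/0"           # source network, any by default
    dst: str = "0.0.0.0/0"           # destination network, any by default
    src_port: Optional[int] = None   # None means any port
    dst_port: Optional[int] = None
    log: bool = False                # selectively log matches on this rule

    def matches(self, pkt):
        return (ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst)
                and self.src_port in (None, pkt["sport"])
                and self.dst_port in (None, pkt["dport"]))

# Constructed rule sets: a different set applies to each network adapter.
RULES = {
    "ETH_LAN": [   # hypothetical internal adapter
        Rule("DENY", src="10.1.5.66/32", log=True),           # one blocked host
        Rule("PERMIT", src="10.1.0.0/16", dst="10.1.1.10/32", dst_port=23),
    ],
    "ETH_DMZ": [   # hypothetical outward-facing adapter
        Rule("PERMIT", dst="192.0.2.10/32", dst_port=443, log=True),
    ],
}

def evaluate(interface, pkt, journal):
    """Return PERMIT or DENY for pkt arriving on interface."""
    for number, rule in enumerate(RULES[interface], start=1):
        if rule.matches(pkt):
            if rule.log:
                journal.append((interface, number, rule.action,
                                pkt["src"], pkt["dport"]))
            return rule.action       # assumption: the first matching rule decides
    return "DENY"                    # assumption: unmatched traffic is rejected

if __name__ == "__main__":
    journal = []
    blocked = {"src": "10.1.5.66", "dst": "10.1.1.10", "sport": 50000, "dport": 23}
    print(evaluate("ETH_LAN", blocked, journal), journal)
```

Note that rule order matters in this model: if the broad PERMIT for 10.1.0.0/16 came before the DENY for 10.1.5.66, the blocked host would get through.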

You can find more information about setting up and configuring NAT and IP Packet Filtering at the IBM iSeries Information Center (https://www.ibm.com/support/knowledgecenter/ssw_ibm_i). Look for a manual titled "Networking - IP Filtering and NAT" for your release level of the IBM i OS. The Navigator For i includes a setup wizard for IP Packet Filtering that may also help you to get started.

One note of caution. While these "free" tools are available for your use, they are just another tool in your security toolbag. Used together, these functions provide some of the functionality you'll find in a firewall, but full implementation of a firewall product is preferable. These tools should be used in conjunction with your overall security plan and strategy.

If you have questions about details of this tip, feel free to contact me directly by email: rich at kisco.com.