AppNote: NBM Filter Management for BorderManager 3.8 SP3
Novell Cool Solutions: AppNote
By Chitra Atul Gurjar, Rashmi Sahu
Digg This -
Posted: 2 Jun 2005
This AppNote discusses the implementation scenarios and different usage perspectives of a new feature provided with the latest support pack (SP3) of BorderManager 3.8 - the Filter Management Wizard, also referred to as the Firewall Wizard. This feature helps you configure filters and exceptions for services easily. The AppNote details the configuration of filters using the wizard, by using several deployment scenarios, a number of screen shots, and some simple troubleshooting information.
BorderManager includes packet-filtering capability, which secures all the traffic through the BorderManager server. This feature helps system administrators to allow only desired traffic to and from the firewall by configuring service exceptions and at the same time restrict undesired traffic by configuring appropriate filters.
In the previous versions of BorderManager (NBM 3.7 and prior), packet filtering was configured on the server using filtcfg. Remote management and configuration of filters and exceptions through iManager was introduced with NBM 3.7. Known as NBM Access Management, it allowed users to add packet filters and exceptions through iManager. However, this utility remained similar to filter configuration using filtcfg; the main difference being that filter management was GUI-driven. A user using the NBM Access Management utility still needs to go through the entire list of services available on the server while selecting the appropriate exception. That user is also expected to have a thorough knowledge of how each service type works.
With the release of NBM 3.8 SP3, users now have the Firewall Wizard, which solves this shortcoming and adds many more features. The Firewall Wizard is an iManager-based wizard that enables users to implement packet filtering on a BorderManager server in a more comprehensive and organized manner.
The default filters block all the traffic from the Internet or any interface of the BorderManager server to the public interface of the BorderManager server, and vice versa. Service exceptions can then be created to allow specific services through the BorderManager server. The Firewall Wizard provides the facility to create exceptions in one shot to allow access to the required services.
Note: Filters are still stored only in the Directory Services.
New Features of the Firewall Wizard
Figure 1 and Figure 2 demonstrate the differences in NBM Access Management between the versions available prior to NBM 3.8SP3 and the new Firewall Wizard.
Figure 1 - NBM Access Management available with versions prior to NBM 3.8SP3
Figure 2 - Firewall Wizard or NBM Filter Management
The major difference between the Firewall Wizard and NBM Access Management and filtcfg, for the end user, is how the filters have been grouped. In the Firewall Wizard, the logical separation of services and exceptions enables you to set up packet filtering according to the requirements of the network. This makes it easier to configure filters depending on the service exceptions required to pass through the network and block others.
The Easy Filter Configuration option in the Firewall Wizard adds exceptions for the required services through the firewall in a few clicks. Under this task, services are logically grouped together under three tabs: NBM service exceptions, On-Server service exceptions, and Off-Server service exceptions.
The Filter Maintenance option of the wizard allows the user to restore all default filters and exceptions as well as delete all existing filters and exceptions. The older way of filter management is also retained in the wizard as the Legacy Filter Configuration task.
Lastly, the List All Firewall Policies task in the wizard displays all the configured filters and exceptions so you can add or delete filters and exceptions.
Advantages of the Firewall Wizard
Here are the main advantages of this tool, over using the existing filtcfg and NBM Access Management:
Advantage 1: The logical grouping of services. BorderManager servers are deployed in networks where there are different services and a number of servers hosting them. The Firewall Wizard enables you to set up filter configurations for these services in an organized way. Service exceptions can be set up based on BorderManager services (such as proxy or VPN), on other Netware based services (such as Groupwise, iFolder, iPrint, ZENWorks, etc.), or on services running on servers other than the ones running BorderManager (proxy and VPN services).
Earlier versions involved selecting exceptions from a large list. This required you to know the specific exceptions required to access each service. Now the wizard makes it easier because you only need to select the services through the wizard, and the related exceptions and filters for the selected service are added.
Advantage 2: Additional services. To access services such as Mail, Web, DNS etc. running on a different server other than the BorderManager server, the exceptions and filters can be easily configured. This is done through the Off-Server Service exceptions option of the wizard.
Advantage 3: Consolidation of options. When you add exceptions and filters to access the services, the wizard helps you navigate to these actions from a single point. The options for Easy Filter Configuration, Filter Maintenance (delete and restore defaults), Legacy Filter Configuration (for users familiar with NBM Access Management) and List All Firewall Policies (for a list of what exceptions have been configured) are all under a single heading. That makes it easier to configure and control than the previous filter configuration utilities.
Setting Up the Firewall Wizard
The new packet filtering configuration tasks are automatically plugged into iManager when NBM 3.8 SP3 is installed. To bring up iManager for filter configuration,
- Go to this URL: https://<IP Address or DNS of the server>/nps/iManager.html
- Log in to iManager.
The Firewall Wizard options appear as an NBM Filter Management role on the left pane of iManager.
Configuring Exceptions for Services using the Firewall Wizard
Easy Filter Configuration
Easy Filter Configuration has three main tabs (see the figure below): NBM Service Exceptions, On-Server Service Exceptions, and Off-Server Service Exceptions. Each of these tabs contain a list of services that have been grouped based on their implementation and usage. These are explained in detail with some typical scenarios below.
Figure 3 - Easy Filter configuration
NBM Service Exceptions Tab
This tab allows creation of service exceptions for Novell BorderManager Proxy and VPN services. You select the proxy and VPN services for which filters and exceptions need to be configured on the NBM server by the checking enable filter button next to the required service. Then, the related service exceptions get created on the server.
The Enable Log option enables logging for the selected services. However, this logging option slows down server performance. Consider disabling logging after you have tested your filters and exceptions.
The Stateful option is selected by default for all the service exceptions; it can be unchecked if not required. Stateful filters can be enabled on less secure applications that have no application gateways and therefore require security at the packet filtering level. Secure apps like iFolder, iManager, iPrint etc. would not require the stateful filtering to be enabled, which would reduce the overhead at the IP stack level. For more details on this option, see the Stateful IP Filters section of the following AppNote:
Below is a scenario where users in the internal LAN require access to the public web and FTP server. Exceptions need to be created for HTTP, FTP and DNS proxy services to allow the users in the protected network to access these public resources located outside the firewall.
Figure 4 - Sample setup/scenario for NBM service exceptions
One interface of the BorderManager server is connected to the public internet router and the other connects to the internal LAN for which forward proxy is enabled on the NBM server.
To create the exceptions,
- Select HTTP, FTP and DNS services from the list of proxy services as shown in Figure 4.
- Click Add to create exceptions for these services to be allowed through the BorderManager server.
Figure 5 - Details of NBM service exceptions
Service exceptions are added for the outgoing requests as seen in Figure 6 below. Filters denying all other traffic to and from the public interface of the NBM server are also added, along with the required service exceptions if not already present. However, if these filters are already configured then they will not be added again.
Figure 6 - List of exception created after selecting required services from NBM service exceptions
Clicking OK directs you back to the main page (see Figure 5) instead of displaying the list of policies configured above. To verify the list of policies created, you only need to select the List All Firewall Policies option of the wizard. This option displays the list of added filters and exceptions as shown in Figure 7.
Figure 7 - List of the Firewall policies
On-Server Service Exceptions
On-Server Service Exceptions are a way to create exceptions for the selected NetWare based services running on the BorderManager server.
These services include:
- File and print
- Mail and messaging
- Network management
Figure 8 - Details of On-Server Service exceptions
Below is a sample setup that configures exceptions that allow iFolder access on a BorderManager server, for clients located in the public network.
Figure 9 - Sample scenario for iFolder access on the NBM server
One interface of the NBM server is connected to the public Internet router. This assumes, per the figure above, that users in the public network who have iFolder client installed on their machine require access to the iFolder service. That service is hosted on the NBM server.
To add service exceptions in this scenario,
- Select iFolder under File Services.
- Click Add to add the required exceptions for allowing the iFolder service as shown in Figure 10.
Figure 10 - Exceptions setup for iFolder access
Note: Selecting services such as iFolder, iPrint, Web Server and iManager require only a single exception allowing port 443.
Off-Server Service Exceptions
This option adds service exceptions for services running on a non-BorderManager server. This "other" server is identified by its IP address, which needs to be provided under this option shown in the figure below.
This section lists all the Proxy and VPN services along with few other services like Mail, Web, DNS etc. Here the proxy services can either be present behind the firewall or outside the firewall. The related check boxes for both the scenarios can be selected while configuring packet filters. This option is not available for services such as Mail, Web, FTP, DNS and VPN. The figure below shows all the available services with the options.
Figure 11 - Details of Off-Server Service exceptions
Below is a sample scenario to set up using Off-Server service exceptions.
Figure 12 - Sample setup scenario for C2S VPN service running in the private network
One interface of the NBM server is connected to public router, and the other connects to the internal LAN that hosts the VPN server. Static NAT is enabled on the NBM server to allow the clients in the public network to connect to the private VPN server. The secondary IP address (220.127.116.11) of the NBM server is statically mapped to the Private VPN server's IP address (172.16.10.1). This allows the public client to connect to the private server using the statically mapped public IP address (18.104.22.168).
To set up Off-Server exceptions in this scenario,
- Select VPN client-to-site from the VPN Services tab for IKE mode.
- Provide the IP address of the private VPN server.
Note: SKIP mode has also been provided for setting up exceptions for NBM servers running versions below NBM 3.8.
Figure 13 - VPN "Off-Server" services selected (running on a server other than the NBM server which is configured for packet filtering)
The following service exceptions and filters will be added:Figure 14 - List of exceptions created between the NBM server and any other server
This option restores any or all of the default filters. This works just like the option of brdcfg that is available on NBM servers from NBM 3.7 SP3 onwards. You can also clear all existing filters on the NBM server using this option.
Figure 15 - Option for Filter maintenance
The Restore Default Filters sets up the list of filters shown below. This list is similar to the list set up by running brdcfg on the public interface of the NBM server.
Figure 16 - List of default filters (same as running brdcfg)
- Select Clear All Filters to clear all existing filters as shown in the figure below.
- Click OK if you want to clear all the filter configurations.
Figure 17 - Restoring or clearing filter configurations
Legacy Filter Configuration
This option has been present since NBM 3.7 as NBM Access Management. This allows the user to create filters and exceptions by selecting the services from the list of all available services.
List All Firewall Policies
This section lists all the configured service exceptions and filters as selected under Easy Filter Configuration. You can add, delete or modify service exceptions and filters here. Clicking Add here redirects you to the Legacy filter configuration option to add service exceptions and filters. The checkbox for Confirm before Deletion offers the option of prompting before deletion of each filter or exception. If you want to delete an entire list of filters or exceptions and don't want to be prompted several times, this option can be unchecked.
Figure 18 - List of all firewall policies
Problem: The Firewall wizard does not appear in iManager after upgrading to NBM 3.8 SP3, or after an OS upgrade to a server that is already running NBM 3.8 SP3.
Solution: Install bm.npm manually through iManager. This can be done through the configure option of iManager as shown in the figure below:
Figure 19 - Installing bm.npm manually through iManager
See the following link for a detailed understanding of installing, using, and uninstalling Novell plug-in modules:
Also make sure that the latest filtsrv.nlm is installed on the NBM server.
Problem: The Public interface is not visible in iManager.
Solution: Mark the corresponding interface that connects to the public Internet router as Public through filtcfg. That will cause these interfaces to appear in the Firewall Wizard.
Problem: Cannot add service exceptions for multiple public interfaces.
Solution: To add filters and exceptions through multiple public interfaces on the NBM server mark them all as public through filtcfg. Then select them from the public interfaces drop down list present on the top left hand side of the wizard before selecting the relevant services that need to be allowed through each of these interfaces.
Problem: Cannot access the Private VPN server behind the firewall from outside after configuring the exceptions.
Solution: Check the server IP address you provided on the Off-Server Service Exceptions option. Provide the Private VPN servers IP address here and not the translated IP address. (Translated IP refers to the secondary IP address on the public interface of the NBM server that has been statically mapped to the Private VPN server's IP address.) Refer to the sample scenario described in the Off-Server Service Exceptions section above to understand the setup for this.
- Naming and storing of filters: The names of the exceptions as displayed under the List All Firewall Policies option is still in the "PF_xxxx" format previously available with NBM Access Management.
- Interface assignment: The interfaces on the BorderManager need to be explicitly assigned as Public and Private through the filtcfg utility.
- Only Public interfaces are displayed: The tool displays only the public interfaces, which need to be previously marked as Public through filtcfg. Hence, exceptions cannot be added for any other than the public interface.
- Backup option for filters: This needs to be done using the filtsrv_backup utility from the command line on the NetWare (BorderManager) server.
AppNotes regarding packet filtering using BorderManager are available on the support website. Both experienced and new users can gain added understanding of packet filtering through these AppNotes, available at the following locations:
See also the Novell BorderManager product documentation:
This AppNote describes implementation of packet filtering through iManager, using the new Firewall Wizard provided with NBM 3.8 SP3 release. This wizard is helpful to users who want to allow basic services through the firewall without getting into the details of the protocols and ports that need to be selected for allowing those services. This wizard makes filters/exceptions configuration much easier.
The information in this AppNote is derived strictly from test scenarios. In real user scenarios, you may experience deviations from these results. Novell does not recommend deploying directly in a production network. You should always verify on a simulated test network before you deploy anything in a production environment.
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com