156 IBM Enterprise Workload Manager
In today’s e-business environment most companies are extremely proactive in defending
against internal and external attacks on their corporate networks. e-business infrastructures
may span multiple security zones, which can be protected with a mix of routers, firewalls, and
virtual private networks. The most common security zones for Internet-initiated transactions
are Web, application, data and enterprise, and systems management. While our configuration
did not include all of these security zones, the configurations provided should be general
enough to apply to different security architectures.
This section provides a general overview of firewall technology and of EWLM support for
firewalls, and then describes the two firewall configurations we used: stateful inspection
and proxy.
6.1.1 General firewall overview
This section briefly describes different firewall technologies and introduces the StoneGate
firewall, which was used in our configuration.
Packet filter firewall
Packet filter firewalls are the oldest kind of firewall. Modern routers can support this kind of
firewall, which is based on network-level access lists that describe what kind of traffic can
traverse the firewall. A packet filter firewall has the following advantages:
Application independence: It operates at IP-address level and does not care about the
It is transparent to the application for the same reason. You can compare this type of
firewall to a router with an access list.
High performance: The firewall only checks network layer properties (addresses, protocol,
ports) and does not have to inspect application layer traffic.
A packet filter firewall has the following disadvantages:
Low security: There are no application layer checks, so anything that matches a permitted
address, protocol and port combination passes, whatever the payload contains.
Difficult to maintain: The rule base grows fast if you want the rules to be very granular. The
number of rules also affects performance, because a packet that matches no rule is compared
against the whole rule base before it is discarded.
Proxy firewall
Proxy firewalls are the next generation of firewall technology. In the early days, firewalls and
proxies were separate entities; later they were merged to make a proxy firewall. A proxy
firewall has the following advantage:
High security: The proxy terminates the connection and can examine the application layer
data before forwarding it.
A proxy firewall has the following disadvantages:
Low performance: The proxy firewall will examine the application layer data, which is
Limited application support: Each application has to have a proxy for it. Firewalls have
support for most common applications and protocols, such as HTTP (www) and SMTP (e-mail),
but not for more exotic or less frequently used protocols.
Lack of high availability: To make a proxy firewall highly available, the state of each proxy
session must be maintained across the firewall nodes, which is a complex task and is normally
not done well.
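The two firewall types described above (the packet filter's first-match access list and the proxy firewall's application layer check) can be contrasted in a few lines of code. The following is an added example and is not code from this Redbook or from the StoneGate product; the rule base, addresses and packets are constructed for illustration, and the HTTP check is a deliberately minimal request-line parse standing in for what a real HTTP proxy does. It shows, first, that a stateless filter decides on addresses, protocol and port only and walks the whole rule base before the implicit deny applies, and second, that bytes which are not HTTP at all are permitted on port 80 by the filter but rejected by the proxy because the proxy understands that one application protocol.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed example: a stateless packet filter beside an HTTP application proxy.
# All addresses, rules and payloads are hypothetical sample data.


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str             # "tcp" or "udp"
    dport: int
    payload: bytes = b""   # the packet filter never looks at this field


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp" or "any"
    src: str                     # CIDR; "0.0.0.0/0" means any source
    dst: str                     # CIDR
    dport: Optional[int] = None  # None means any destination port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst))


def packet_filter(rules: List[Rule], pkt: Packet) -> Tuple[str, int]:
    """First-match evaluation with an implicit deny at the end of the list.

    Returns (decision, number of rules examined).  A packet that matches
    nothing is compared against every rule before it is discarded, which is
    why a large, granular rule base costs performance on rejected traffic.
    """
    for examined, rule in enumerate(rules, start=1):
        if rule.matches(pkt):
            return rule.action, examined
    return "deny", len(rules)


ALLOWED_METHODS = {b"GET", b"HEAD", b"POST"}


def http_proxy_check(payload: bytes) -> str:
    """The kind of check only an application proxy can make: parse the HTTP
    request line before forwarding anything.  Requires one proxy per protocol;
    a non-HTTP protocol on this port is simply rejected."""
    request_line, sep, _ = payload.partition(b"\r\n")
    if not sep:
        return "deny"                       # no complete request line
    parts = request_line.split(b" ")
    if len(parts) != 3:
        return "deny"
    method, target, version = parts
    if (method not in ALLOWED_METHODS or not target.startswith(b"/")
            or version not in (b"HTTP/1.0", b"HTTP/1.1")):
        return "deny"
    return "permit"


# Hypothetical rule base: a web server at 10.1.1.10 and an internal mail relay.
RULES = [
    Rule("permit", "tcp", "0.0.0.0/0", "10.1.1.10/32", 80),
    Rule("permit", "tcp", "0.0.0.0/0", "10.1.1.10/32", 443),
    Rule("permit", "tcp", "10.1.0.0/16", "10.1.2.20/32", 25),
]

# Constructed packets.
WEB_REQUEST = Packet("192.0.2.5", "10.1.1.10", "tcp", 80,
                     b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n")
NOT_HTTP_ON_80 = Packet("192.0.2.5", "10.1.1.10", "tcp", 80,
                        b"\x16\x03\x01\x00\x2a\x01\x00\x00")   # arbitrary non-HTTP bytes
DNS_PROBE = Packet("192.0.2.5", "10.1.1.10", "udp", 53, b"\x12\x34\x01\x00")


def compare(pkt: Packet) -> Tuple[str, int, str]:
    """Run the packet filter, then the HTTP proxy for traffic the filter let
    through to port 80.  Returns (filter decision, rules examined, proxy decision)."""
    decision, examined = packet_filter(RULES, pkt)
    if decision == "permit" and pkt.dport == 80:
        proxy = http_proxy_check(pkt.payload)
    else:
        proxy = "n/a"
    return decision, examined, proxy


if __name__ == "__main__":
    for name, pkt in (("web request", WEB_REQUEST),
                      ("non-HTTP on port 80", NOT_HTTP_ON_80),
                      ("udp/53 probe", DNS_PROBE)):
        print(f"{name:22s} filter={compare(pkt)[0]:6s} "
              f"rules examined={compare(pkt)[1]} proxy={compare(pkt)[2]}")
```

The non-HTTP packet is the interesting case: the packet filter permits it after examining a single rule, because port 80 on the web server is open, while the proxy rejects it because it cannot parse a request line. The UDP probe matches no rule and is only dropped after all three rules have been examined.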