Chapter 6. Using a firewall and securing EWLM 157
Stateful inspection firewall
A stateful inspection firewall is the most recent of the firewall technologies. It combines the
packet inspection firewall and the proxy firewall with state tables. State tables make the
firewall aware of related connections. For example, a simple FTP session has two parts: the
command (control) connection and the data connection. Packet filter firewalls had problems
with FTP because they had to treat those two connections as separate, unrelated
connections. A stateful inspection firewall uses its state table to keep track of open
connections and their relationship to other connections. Because it knows that it has an open
FTP command connection, it can allow the related data connection to come back from the
server without any additional rule in the firewall. To do this, the firewall must read the PORT
(or PASV) exchange on the command connection to learn which address and port the data
connection will use; this connection-tracking logic is commonly called an FTP helper.
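The following is an added example, written for this page and not taken from the Redbook or from any vendor product. It implements the state table and FTP helper described above in a toy form: a static rule allows only the outbound control connection, the helper reads PORT (active mode) and the 227 reply (passive mode) to record an expected related connection, and the data connection is then accepted without a rule. All hosts, ports and packets are constructed sample data; the helper also refuses a PORT command that names a host other than the client, which is the check a real helper needs against FTP bounce attacks.

```python
# Added example (not from the Redbook or from StoneGate): a toy stateful
# inspection engine that keeps a state table and learns FTP data connections
# from the control channel. All hosts, ports and packets are constructed.
import re
from dataclasses import dataclass, field

ALLOW, DROP = "ALLOW", "DROP"
# h1,h2,h3,h4,p1,p2 as used by the PORT command and the "227" PASV reply
_HOSTPORT = re.compile(rb"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def parse_ftp_hostport(payload: bytes):
    """Return (ip, port) announced in an FTP PORT command or 227 reply, or None."""
    m = _HOSTPORT.search(payload)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False          # first packet of a new TCP connection
    payload: bytes = b""


@dataclass
class StatefulFirewall:
    allowed_outbound: set = field(default_factory=set)  # static rules: (dst, dport)
    state: set = field(default_factory=set)             # open connections: (src, sport, dst, dport)
    expected: set = field(default_factory=set)          # related connections to accept: (src, dst, dport)

    @staticmethod
    def _forward(p):
        return (p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(p):
        return (p.dst, p.dport, p.src, p.sport)

    def _ftp_helper(self, p):
        """Learn the data connection announced on an open FTP control channel."""
        if p.dport == 21 and p.payload.upper().startswith(b"PORT "):
            hp = parse_ftp_hostport(p.payload)
            # Active mode: the server will connect back to the client. Only honour an
            # address that belongs to the client itself (defeats FTP bounce tricks).
            if hp and hp[0] == p.src:
                self.expected.add((p.dst, hp[0], hp[1]))
        elif p.sport == 21 and p.payload.startswith(b"227"):
            hp = parse_ftp_hostport(p.payload)
            # Passive mode: the client will connect to the server at the given port.
            if hp and hp[0] == p.src:
                self.expected.add((p.dst, hp[0], hp[1]))

    def process(self, p):
        if self._forward(p) in self.state or self._reverse(p) in self.state:
            self._ftp_helper(p)                # part of an open connection: inspect, allow
            return ALLOW
        if p.syn and (p.dst, p.dport) in self.allowed_outbound:
            self.state.add(self._forward(p))   # new connection matching a static rule
            return ALLOW
        key = (p.src, p.dst, p.dport)
        if p.syn and key in self.expected:
            self.expected.discard(key)         # expectation is one-shot
            self.state.add(self._forward(p))   # related connection: no rule needed
            return ALLOW
        return DROP


def active_ftp_demo():
    """Walk a constructed active-mode FTP session through the firewall."""
    client, server = "192.0.2.5", "203.0.113.10"
    fw = StatefulFirewall(allowed_outbound={(server, 21)})  # only the control port is in the rules
    steps = [
        # 1. client opens the control connection (matches the static rule)
        Packet(client, 40001, server, 21, syn=True),
        # 2. client announces its data port: 192.0.2.5, port 4*256+1 = 1025
        Packet(client, 40001, server, 21, payload=b"PORT 192,0,2,5,4,1\r\n"),
        # 3. server connects back to that port: no rule, but the state table expects it
        Packet(server, 20, client, 1025, syn=True),
        # 4. an unrelated inbound connection is still dropped
        Packet(server, 20, client, 1026, syn=True),
        # 5. the expectation was consumed, so another unrelated SYN to 1025 is dropped too
        Packet(server, 20001, client, 1025, syn=True),
    ]
    return [fw.process(p) for p in steps]


if __name__ == "__main__":
    print(active_ftp_demo())   # ['ALLOW', 'ALLOW', 'ALLOW', 'DROP', 'DROP']
```

The point of steps 3 and 4 is the one the text makes: the firewall's rule set contains only the control port, yet the server's connection to port 1025 is accepted because the state table relates it to the open command connection, while an otherwise identical connection to port 1026 is dropped.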
A stateful inspection firewall has the following advantages:
Transparency: The application does not have to be aware that the firewall exists.
High security: State tables give the firewall connection awareness.
Performance: Throughput is close to that of a packet filter firewall.
A stateful inspection firewall has the following disadvantage:
Limited application layer awareness: It does not have proxy-level capabilities.
The StoneGate firewall is a stateful inspection firewall that has some application layer
awareness. One of the StoneGate features is the Protocol Agent, which lets the firewall see the
application layer data stream and take action based on it. For example, the Protocol Agent can
check that traffic on the HTTP port actually is HTTP traffic and not something else, such as an
attacker tunneling another protocol through that port. In such a case, the Protocol Agent can disconnect the
We chose StoneGate as our example firewall because it does not require any additional
configuration on the EWLM side. Most firewalls in use today are stateful inspection firewalls.
Because many proxy firewalls are still deployed, we also explain how to configure EWLM to
work with a proxy firewall.
StoneGate is also the only commercial firewall available that can be used across IBM
xSeries, iSeries, and zSeries machines. If the WebSphere environment or other parts of the
environment are consolidated inside an iSeries or zSeries machine, you can run the StoneGate
firewall on those machines too. You do not need an external firewall, because the StoneGate
firewall operates as a virtual firewall inside the iSeries or zSeries machine.
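As an added illustration of the Protocol Agent idea described above (this is example code written for this page, not StoneGate's implementation, and the sample byte streams are constructed), the following check looks at the first bytes a client sends on a port-80 connection and decides whether they form an HTTP/1.x request line and well-formed header names. It returns NEED_MORE while the request line is still incomplete, so that a legitimate client is not cut off for sending a short first segment, and DROP as soon as the stream contains bytes that cannot occur in an HTTP request line, such as a TLS record or an SSH banner piped through the HTTP port.

```python
# Added example (not StoneGate code): a toy "protocol agent" that checks whether
# the first bytes a client sends on a port-80 connection really look like an
# HTTP/1.x request. The sample streams at the bottom are constructed.
import re

ALLOW, DROP, NEED_MORE = "ALLOW", "DROP", "NEED_MORE"
MAX_REQUEST_LINE = 8192     # stop waiting for a CRLF beyond this many bytes

_REQUEST_LINE = re.compile(
    rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS|TRACE|CONNECT|PATCH) "  # method
    rb"[!-~]+ "                                                  # request-target: printable, no spaces
    rb"HTTP/1\.[01]$")                                           # version
_HEADER_LINE = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+:")    # RFC 7230 token followed by ':'


def inspect_http_client_stream(data: bytes) -> str:
    """Verdict on the client-to-server bytes buffered so far on a port-80 connection."""
    head, sep, rest = data.partition(b"\r\n")
    # A request line is printable ASCII; anything else (TLS record, binary tunnel) is not HTTP.
    if any(b < 0x20 or b > 0x7E for b in head):
        return DROP
    if not sep:
        # No complete request line yet: keep buffering, up to a sane limit.
        return NEED_MORE if len(data) < MAX_REQUEST_LINE else DROP
    if not _REQUEST_LINE.match(head):
        return DROP
    # Validate the header lines that are already complete; the last fragment may be partial.
    lines = rest.split(b"\r\n")
    for line in lines[:-1]:
        if line == b"":
            break                      # empty line ends the header block
        if not _HEADER_LINE.match(line):
            return DROP
    return ALLOW


# Constructed sample streams, as a firewall would see them on port 80.
SAMPLES = {
    "http": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "ssh_on_80": b"SSH-2.0-OpenSSH_8.9\r\n",
    "tls_on_80": b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03",
    "partial": b"GET /index.ht",
    "bad_header": b"GET / HTTP/1.1\r\nHost www.example.com\r\n\r\n",
}


def inspect_samples():
    """Run every sample through the check; returns {name: verdict}."""
    return {name: inspect_http_client_stream(data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in inspect_samples().items():
        print(f"{name:12} {verdict}")
```

A check of this kind is the part a stateful inspection firewall lacks on its own: the state table only knows that a connection to port 80 is open, while the agent confirms that what flows inside it is the protocol the rule was written for. A production agent would go further (request bodies, server responses, header values, size limits), but the decision structure is the same.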
6.1.2 EWLM firewall support
EWLM supports stateful inspection firewalls, HTTP proxies, and SOCKS servers. HTTP tunneling is
not supported. For stateful inspection firewalls, no additional configuration is required at the
domain manager or the managed server. An HTTP proxy requires a configuration change on the
managed server. A SOCKS server requires a configuration change on the managed server, and
an additional EWLM component called the Firewall Broker needs to be installed and
We focus here on stateful inspection firewalls and HTTP proxies because these are the firewall
types you are most likely to encounter, and we also discuss the SOCKS server because it
requires modifications to the EWLM configuration. In all cases, it is important to understand
what you need to consider when placing EWLM into an existing or new firewall environment. In
“EWLM configuration in our ITSO environment” on page 32, we described how to configure the
domain manager.
There are three sets of parameters that are important to know when setting up the firewall for
Domain manager address: -ma