Firewall Support

A firewall is a set of programs and/or hardware, located at a network gateway server, that is used to prevent unauthorized access to a system or network. There are four types of firewalls:

  1. Network level, packet-filter, or screening router firewalls

    • A screening router firewall works by screening incoming packets by protocol attributes.

    • The protocol attributes screened may include source or destination address, type of protocol, source or destination port, or some other protocol-specific attributes.

    • You need to ensure that all the ports used by DB2 are open for incoming and outgoing packets. DB2 uses port 523 for the DB2 Administration Server (DAS), which is used by the DB2 tools.

    • Determine the ports used by all your server instances by using the services file to map the service name in the server database manager configuration file to its port number.

  2. Classic application level proxy firewalls

    • An application level proxy firewall acts as an intermediary between a Web client and a Web server.

    • A proxy firewall acts as a gateway for requests arriving from clients. When client requests are received at the firewall, the final server destination address is determined by the proxy software. The application proxy translates the address, performs additional access control checking and logging as necessary, and connects to the server on behalf of the client.

    • The DB2 Connect product on a firewall machine can act as a proxy to the destination server.

    • Also, a DB2 server on the firewall, acting as a hop server to the final destination server, acts like an application proxy.

  3. Circuit level or transparent proxy firewalls

    • A circuit level firewall is a transparent proxy firewall that does not modify the request or response beyond what is required for proxy authentication and identification. An example of a transparent proxy firewall is SOCKS.

    • DB2 supports SOCKS Version 4.

  4. Stateful multi-layer inspection (SMLI) firewalls

    • This is a sophisticated form of packet filtering that examines all seven layers of the Open Systems Interconnection (OSI) model.

    • Each packet is examined and compared against known states of friendly packets. Whereas screening router firewalls examine only the packet header, SMLI firewalls examine the entire packet, including the data.
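
The port-mapping step from the screening router item above, as an added example that is not part of the original documentation: it resolves each instance's SVCENAME through the services file and returns the TCP ports a packet filter must allow, plus the DAS port 523. The instance names, service names, port values and the sample configuration lines are constructed for illustration.

```python
import re

DAS_PORT = 523  # DB2 Administration Server port, as stated on the page

# Constructed services file sample: name port/proto [aliases] # comment
SERVICES = """\
db2c_db2inst1   50000/tcp   db2inst1   # connection port, instance db2inst1
db2c_db2inst2   50010/tcp
syslog          514/udp
"""

# Constructed SVCENAME lines per hypothetical instance, `db2 get dbm cfg` style
DBM_CFG = {
    "db2inst1": " TCP/IP Service name             (SVCENAME) = db2c_db2inst1",
    "db2inst2": " TCP/IP Service name             (SVCENAME) = db2c_db2inst2",
    "db2inst3": " TCP/IP Service name             (SVCENAME) = 50020",
    "db2inst4": " TCP/IP Service name             (SVCENAME) = db2c_missing",
}

def parse_services(text):
    """Map every TCP service name and alias to its port number."""
    ports = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2 or "/" not in fields[1]:
            continue
        port, proto = fields[1].split("/", 1)
        if proto.lower() == "tcp" and port.isdigit():
            for name in [fields[0]] + fields[2:]:
                ports.setdefault(name, int(port))
    return ports

def svcename(cfg_line):
    """Extract the SVCENAME value from a dbm cfg line, or None if unset."""
    match = re.search(r"\(SVCENAME\)\s*=\s*(\S+)", cfg_line)
    return match.group(1) if match else None

def firewall_ports(services_text, dbm_cfg):
    """Return (ports to open, instances whose SVCENAME did not resolve)."""
    table = parse_services(services_text)
    required, unresolved = {DAS_PORT}, []
    for instance, line in sorted(dbm_cfg.items()):
        value = svcename(line)
        if value and value.isdigit():  # SVCENAME may hold a port number
            required.add(int(value))
        elif value in table:
            required.add(table[value])
        else:
            unresolved.append(instance)  # do not guess a port for the rule set
    return sorted(required), unresolved
```

Instances listed as unresolved have a service name with no matching TCP entry in the services file, so the filter rules should not be finalized until that mapping is corrected.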