Scenario: Managing remote user access to resources using group policies and IP filtering

Group access policies identify distinct user groups for a connection, and allow you to apply common connection attributes and security settings to the entire group. You can use group policies, along with IP filtering, to permit and restrict access to specific IP addresses on your network.

Situation

Your network has several groups of distributed users, each of whom needs access to different resources on your corporate LAN. A group of data entry users needs access to the database and several other applications. A group of people from other companies needs dial-up access to HTTP, File Transfer Protocol (FTP), and Telnet services, but for security reasons, this group must not be allowed access to other TCP/IP services or traffic. Defining detailed connection attributes and permissions for each user duplicates your efforts, and providing network restrictions for all the users of this connection profile does not ensure enough control. You want a way to define connection settings and permissions for several distinct groups of users who routinely dial into this system.

Figure 1. Applying connection settings to dial-up connections based on group policy settings

Solution

You need to apply unique IP filtering restrictions to two different groups of users. To accomplish this, you create group access policies and IP filter rules. Group access policies reference IP filter rules, so you must create your filter rules first. In this example, you need to create a PPP filter to include IP filter rules for the IBM Business Partner Group Access Policy. These filter rules permit HTTP, FTP, and Telnet services, but restrict access to all other TCP/IP traffic and services through the system. This scenario only shows the filter rules needed for the sales group; however, you can also set up similar filters for the Data Entry group.

Finally, you need to create the group access policies (one per group) to define your group. A group access policy enables you to define common connection attributes to a group of users. By adding a group access policy to a validation list on the system, you can apply these connection settings during the authentication process. The group access policy specifies several settings for the user's session, including the ability to apply IP filtering rules that restrict the IP addresses and TCP/IP services available to a user during the session.

Sample configuration

To set up a sample configuration from IBM® Navigator for i, follow these steps:

  1. Create the Point-to-Point Protocol (PPP) filter identifier and IP packet rules filters that specify the permissions and restrictions for this group access policy.
    1. In IBM Navigator for i, expand IBM i Management > Network > All Tasks > Remote Access Services > Receiver Connection Profiles and select Group Access Policies.
    2. Right-click a predefined group listed in the right pane and select Properties.
      Note: If you want to create a new group access policy, right-click Group Access Policies and select New Group Access Policies. Complete the General tab. Then select the TCP/IP Settings tab and continue with step 5 below.
    3. Select the TCP/IP IPv4 Settings tab, and click Advanced.
    4. Select Use IP packet rules for this connection, and click Edit Rules File. This will start the IP Packet Rules Editor, and open the PPP filters packet rules file.
    5. Open the Insert menu, and select Filters to add filter sets. Use the General tab to define the filter sets, and the Services tab to define the service you are permitting, such as HTTP. The following filter set, "services_rules," permits HTTP, FTP and Telnet services. Filter rules carry an implicit default deny, so any TCP/IP service or IP traffic not specifically permitted is restricted.
      Note: The IP addresses in the following example are globally routable, and are for example purposes only.
      ### The following 2 filters will permit HTTP (Web browser) traffic in & out of the system.

      FILTER SET services_rules ACTION = PERMIT DIRECTION = INBOUND SRCADDR  %
              = * DSTADDR = 192.18.2.3 PROTOCOL = TCP DSTPORT = 80 SRCPORT  %
              = * FRAGMENTS = NONE JRN = OFF

      FILTER SET services_rules ACTION = PERMIT DIRECTION = OUTBOUND SRCADDR  %
              = 192.18.2.3 DSTADDR = * PROTOCOL = TCP DSTPORT = * SRCPORT =  %
              80 FRAGMENTS = NONE JRN = OFF

      ### The following 4 filters will permit FTP traffic in & out of the system.

      FILTER SET services_rules ACTION = PERMIT DIRECTION = INBOUND SRCADDR  %
              = * DSTADDR = 192.18.2.3 PROTOCOL = TCP DSTPORT = 21 SRCPORT  %
              = * FRAGMENTS = NONE JRN = OFF

      FILTER SET services_rules ACTION = PERMIT DIRECTION = OUTBOUND SRCADDR  %
              = 192.18.2.3 DSTADDR = * PROTOCOL = TCP DSTPORT = * SRCPORT =  %
              21 FRAGMENTS = NONE JRN = OFF

      FILTER SET services_rules ACTION = PERMIT DIRECTION = INBOUND SRCADDR  %
              = * DSTADDR = 192.18.2.3 PROTOCOL = TCP DSTPORT = 20 SRCPORT  %
              = * FRAGMENTS = NONE JRN = OFF

      FILTER SET services_rules ACTION = PERMIT DIRECTION = OUTBOUND SRCADDR  %
              = 192.18.2.3 DSTADDR = * PROTOCOL = TCP DSTPORT = * SRCPORT =  %
              20 FRAGMENTS = NONE JRN = OFF

      ### The following 2 filters will permit telnet traffic in & out of the system.

      FILTER SET services_rules ACTION = PERMIT DIRECTION = INBOUND SRCADDR  %
              = * DSTADDR = 192.18.2.3 PROTOCOL = TCP DSTPORT = 23 SRCPORT  %
              = * FRAGMENTS = NONE JRN = OFF

      FILTER SET services_rules ACTION = PERMIT DIRECTION = OUTBOUND SRCADDR  %
              = 192.18.2.3 DSTADDR = * PROTOCOL = TCP DSTPORT = * SRCPORT  %
              = 23 FRAGMENTS = NONE JRN = OFF

    6. Open the Insert menu, and select Filter Interface. Use the filter interface to create a PPP filter identifier, and include the filter sets you've defined.
      1. On the General tab, enter permitted_services for the PPP filter identifier.
      2. On the Filter sets tab, select the filter set services_rules, and click Add.
      3. Click OK. The following line will be added to the rules file:
        ### The following statement binds (associates) the 'services_rules' filter set with the
        ### PPP filter ID "permitted_services". This PPP filter ID can then be applied to the
        ### physical interface associated with a PPP connection profile or Group Access Policy.

        FILTER_INTERFACE PPP_FILTER_ID = permitted_services SET = services_rules
    7. Save your changes, and exit. If you need to undo these changes later, use the character-based interface to enter the command RMVTCPTBL *ALL. This command removes all filter rules and NAT on the system.
    8. On the Advanced TCP/IP settings dialog, leave the PPP filter identifier box blank, and click OK to exit. Later, you should apply the filter identifier you just created to a group access policy, not this connection profile.
  2. Define a new group access policy for this user group.
    1. In IBM Navigator for i, expand IBM i Management > Network > All Tasks > Remote Access Services > Receiver Connection Profiles > Group Access Policy and select Group Access Policy.
    2. On the General page, enter a name and description for the group access policy.
    3. On the TCP/IP settings page:
      • Select Use IP packet rules for this connection, and select the PPP filter identifier permitted_services.
    4. Select OK to save the group access policy.
  3. Apply the group access policy to the users associated with this group.
    1. Open the receiver connection profile controlling these dial-up connections.
    2. On the Authentication page of the receiver connection profile, select the validation list that contains the users' authentication information, and click Open.
    3. Select a user in the Sales group to which you want to apply the group access policy, and click Open.
    4. Click Apply a Group Policy to the user, and select the group access policy defined in step 2.
    5. Repeat for each Sales user.
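To make the permit-then-default-deny behaviour of the services_rules filter set concrete, the following is an added example, not IBM's code and not part of this scenario: it parses a copy of the rules file shown in step 1 (including the FILTER_INTERFACE binding) and evaluates sample packets against the set. It assumes the layout shown above (a trailing '%' continues a statement, '#' begins a comment), takes the first matching rule in the set as the decision, ignores the FRAGMENTS and JRN keywords, and uses a constructed dial-up client address 203.0.113.10. It is a simplified model for checking what a policy allows, not the IBM i packet-rules engine.

```python
# Added example (not IBM's code): parse the page's 'services_rules' packet rules and
# evaluate sample packets against them with the implicit default deny the page describes.
# Assumptions: '%' at end of line continues a statement and '#' starts a comment, as laid
# out on the page; the first matching rule in a set decides; FRAGMENTS and JRN are ignored.
# This is a simplified model for reasoning about the policy, not the IBM i rules engine.
import re

# Constructed sample: the page's rules file, copied in the same layout.
RULES_TEXT = """
### The following 2 filters permit HTTP traffic in & out of the system.
FILTER SET services_rules ACTION = PERMIT DIRECTION = INBOUND SRCADDR  %
        = * DSTADDR = 192.18.2.3 PROTOCOL = TCP DSTPORT = 80 SRCPORT  %
        = * FRAGMENTS = NONE JRN = OFF
FILTER SET services_rules ACTION = PERMIT DIRECTION = OUTBOUND SRCADDR  %
        = 192.18.2.3 DSTADDR = * PROTOCOL = TCP DSTPORT = * SRCPORT =  %
        80 FRAGMENTS = NONE JRN = OFF
### The following 4 filters permit FTP (control port 21, data port 20) traffic.
FILTER SET services_rules ACTION = PERMIT DIRECTION = INBOUND SRCADDR  %
        = * DSTADDR = 192.18.2.3 PROTOCOL = TCP DSTPORT = 21 SRCPORT  %
        = * FRAGMENTS = NONE JRN = OFF
FILTER SET services_rules ACTION = PERMIT DIRECTION = OUTBOUND SRCADDR  %
        = 192.18.2.3 DSTADDR = * PROTOCOL = TCP DSTPORT = * SRCPORT =  %
        21 FRAGMENTS = NONE JRN = OFF
FILTER SET services_rules ACTION = PERMIT DIRECTION = INBOUND SRCADDR  %
        = * DSTADDR = 192.18.2.3 PROTOCOL = TCP DSTPORT = 20 SRCPORT  %
        = * FRAGMENTS = NONE JRN = OFF
FILTER SET services_rules ACTION = PERMIT DIRECTION = OUTBOUND SRCADDR  %
        = 192.18.2.3 DSTADDR = * PROTOCOL = TCP DSTPORT = * SRCPORT =  %
        20 FRAGMENTS = NONE JRN = OFF
### The following 2 filters permit telnet traffic in & out of the system.
FILTER SET services_rules ACTION = PERMIT DIRECTION = INBOUND SRCADDR  %
        = * DSTADDR = 192.18.2.3 PROTOCOL = TCP DSTPORT = 23 SRCPORT  %
        = * FRAGMENTS = NONE JRN = OFF
FILTER SET services_rules ACTION = PERMIT DIRECTION = OUTBOUND SRCADDR  %
        = 192.18.2.3 DSTADDR = * PROTOCOL = TCP DSTPORT = * SRCPORT  %
        = 23 FRAGMENTS = NONE JRN = OFF
### Bind the filter set to the PPP filter identifier used by the group access policy.
FILTER_INTERFACE PPP_FILTER_ID = permitted_services SET = services_rules
"""

KV_RE = re.compile(r"(\w+)\s*=\s*(\S+)")


def logical_lines(text):
    """Yield statements with '#' comments removed and '%'-continued lines joined."""
    buf = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.endswith("%"):          # continuation marker: keep collecting
            buf.append(line[:-1])
            continue
        buf.append(line)
        yield " ".join(buf)
        buf = []


def parse_rules(text):
    """Return each FILTER SET statement as a dict of its keywords plus the set name."""
    rules = []
    for line in logical_lines(text):
        if line.startswith("FILTER SET"):
            name, _, kvs = line[len("FILTER SET"):].strip().partition(" ")
            rule = dict(KV_RE.findall(kvs))
            rule["SET"] = name
            rules.append(rule)
    return rules


def parse_bindings(text):
    """Map each PPP filter identifier to the filter set its FILTER_INTERFACE line names."""
    return {kv["PPP_FILTER_ID"]: kv["SET"]
            for line in logical_lines(text) if line.startswith("FILTER_INTERFACE")
            for kv in [dict(KV_RE.findall(line))]}


def _match(pattern, value):
    """'*' matches anything; otherwise the address or port must be equal."""
    return pattern == "*" or pattern == str(value)


def decide(rules, set_name, direction, proto, src, dst, sport, dport):
    """First rule of the set matching the packet decides; nothing matching is denied."""
    for r in rules:
        if r["SET"] != set_name or r["DIRECTION"] != direction or r["PROTOCOL"] != proto:
            continue
        if (_match(r["SRCADDR"], src) and _match(r["DSTADDR"], dst)
                and _match(r["SRCPORT"], sport) and _match(r["DSTPORT"], dport)):
            return r["ACTION"]
    return "DENY"   # implicit default deny, as the scenario describes


def check_session(rules, set_name="services_rules"):
    """Evaluate sample packets between a dial-up client (constructed address) and the system."""
    client, system = "203.0.113.10", "192.18.2.3"
    return {
        "http_in":      decide(rules, set_name, "INBOUND",  "TCP", client, system, 51000, 80),
        "http_reply":   decide(rules, set_name, "OUTBOUND", "TCP", system, client, 80, 51000),
        "ftp_data_out": decide(rules, set_name, "OUTBOUND", "TCP", system, client, 20, 51001),
        "ssh_in":       decide(rules, set_name, "INBOUND",  "TCP", client, system, 51002, 22),
        "dns_udp_in":   decide(rules, set_name, "INBOUND",  "UDP", client, system, 51003, 53),
    }


if __name__ == "__main__":
    parsed = parse_rules(RULES_TEXT)
    print(f"{len(parsed)} rules; permitted_services -> {parse_bindings(RULES_TEXT)['permitted_services']}")
    for name, verdict in check_session(parsed).items():
        print(f"{name:14} {verdict}")
```

Running it shows the HTTP request, the HTTP reply and the FTP data connection permitted, while an inbound SSH connection and a UDP DNS query fall through to the default deny. Evaluating both directions of each flow is the useful check here: because every rule is direction-specific, a service needs both its inbound and its outbound rule, and a permitted inbound rule with no matching outbound rule leaves the reply traffic denied.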