The partner company model consists of two interconnected networks, with the server protecting traffic that originates from hosts outside the internal network.
The following statements and concepts are covered in the discussion of this model:
Figure 1 shows the partner company portion of the security model network.
The partner company model is similar to that of the internal network, but an increased need for security means that a greater number of connections rely on data authentication and encryption. Although some services are allowed in the clear, sensitive data needs IPSec protection. To apply IPSec to a connection, the traffic that flows over that connection must match an IP filter rule that has an ipsec action.
For this example, assume you must meet the following requirements to allow network communications from a partner company in an untrusted zone B over a connected network (9.4.0.0/16) to a public IP address (9.2.2.2) on this host:
Secure FTP has its own security mechanism. Although IPSec can be used together with TLS/SSL, using both adds processing expense. For this example, secure FTP is allowed without IPSec protection.
Because there is no encryption mechanism used in this example for EE, IPSec provides the secure service.
Perform the following steps to meet these requirements and configure the partner company model.
IpService IKE-local
{
SourcePortRange 500
DestinationPortRange 500
Protocol UDP
Direction bidirectional
Routing local
SecurityClass 0
}
IpService FTPServer-Control
{
SourcePortRange 21
DestinationPortRange 1024 65535
Protocol tcp
Direction bidirectional InboundConnect
Routing local
SecurityClass 0
}
IpService FTPServer-Data
{
SourcePortRange 20
DestinationPortRange 1024 65535
Protocol tcp
Direction bidirectional OutboundConnect
Routing local
SecurityClass 0
}
IpService SecureFTPServer-Control
{
SourcePortRange 990
DestinationPortRange 1024 65535
Protocol tcp
Direction bidirectional InboundConnect
Routing local
SecurityClass 0
}
IpService SecureFTPServer-Data
{
SourcePortRange 989
DestinationPortRange 1024 65535
Protocol tcp
Direction bidirectional OutboundConnect
Routing local
SecurityClass 0
}
IpService Enterprise-Extender
{
SourcePortRange 12000 12004
DestinationPortRange 12000 12004
Protocol UDP
Direction bidirectional
Routing local
SecurityClass 0
}
IP services can be grouped together for convenience, flexibility, and reuse of configuration. Any IP filter rule that includes an IP service group will be expanded to include all of the services from that group. The following IP service groups include the IP services that define the FTPServer and the SecureFTPServer:
IpServiceGroup FTPServer
{
IpServiceRef FTPServer-Control
IpServiceRef FTPServer-Data
}
IpServiceGroup SecureFTPServer
{
IpServiceRef Secure-FTPServer-Control
IpServiceRef Secure-FTPServer-Data
}
Local public IP address: 9.2.2.2
Remote subnet: 9.4.0.0/16
IKE traffic - permit
Secure FTP traffic - permit
EE traffic - IPSec encryption and authentication
FTP traffic - IPSec authentication
IpGenericFilterAction permit-nolog
{
IpFilterAction permit
IpFilterLogging no
}
IpGenericFilterAction ipsec-nolog
{
IpFilterAction ipsec
IpFilterLogging no
}
Authentication, SHA1 algorithm
Encryption, 3DES algorithm
DHGroup, Diffie-Hellman Group2
RSA signature
Because the remote data endpoint represents multiple hosts in this example, RSA signature is used. RSA signature authentication provides greater flexibility, scalability, and security than pre-shared key authentication. Because there are potentially multiple remote peers in the partner company's subnet, RSA signature is a reasonable choice.
The use of RSA signature requires setup of RACF® certificates and certificate authority information. Both IKE peers need access to a key ring with at least one X.509 digital certificate to identify itself. To set up the IKE daemon for certificates, see Steps for preparing to run IP security. The site should decide what certificate authorities are recognized. A certificate authority can be an outside commercial entity, or it can be defined locally in RACF. For information about installing certificate authorities in RACF, see z/OS Security Server RACF Security Administrator's Guide.
In this example, the IKEv1 protocol is used and the IKE daemon is using the native certificate service. A certificate authority with label CA4PartnerCompany is used, which is presumed to have been defined as a certificate authority in the RACF database. The label CA4PartnerCompany should be added to the iked.conf file as a recognized certificate authority as follows:
SupportedCertAuth CA4PartnerCompany
KeyExchangeOffer RSA-SHA1-3DES-DH2
{
HowToEncrypt 3DES
HowToAuthMsgs SHA1
HowToAuthPeers RsaSignature
DHGroup Group2
RefreshLifetimeProposed 480
RefreshLifetimeAccepted 240 1440
RefreshLifesizeProposed none
RefreshLifesizeAccepted none
}
In this example, the following parameter is used:
AllowNat No
KeyExchangeAction Main-RSA-SHA1-3DES-DH2
{
HowToInitiate main
HowToRespondIKEv1 main
KeyExchangeOfferRef RSA-SHA1-3DES-DH2
}
LocalSecurityEndpoint Public_IKED
{
Identity IpAddr 9.2.2.2
Location 9.2.2.2
}
Similarly, the same information is needed for remote hosts. Notice that in the RemoteSecurityEndpoint statement, an IP address range is specified for both identity and location. Although it is possible to configure a RemoteSecurityEndpoint statement for every host in the remote subnetwork, unless they have unique key exchange requirements, it is not necessary. Wildcards can be used for the Identity and Location parameters. Any of the identity types can potentially contain wildcards to include a group of remote hosts with similar identities.
RemoteSecurityEndpoint ZoneB_IKED
{
Identity IpAddr 9.4.0.0/16
Location 9.4.0.0/16
CaLabel CA4PartnerCompany
}
The use of an IPv4 address on the Identity parameter for the Local_IKED security endpoint requires that the X.509 digital certificate for the local IKE daemon include the IPv4 address in the Subject Alternative Name field of the certificate. The use of an IPv4 subnet on the Identity parameter for the ZoneB_IKED security endpoint requires that an IPv4 address within that subnet (9.4.0.0/16) appear in the Subject Alternative Name field of the X.509 digital certificate for the remote IKE daemon.
The inclusion of the CaLabel parameter in the ZoneB_IKED security endpoint emphasizes the fact that the local host requests that the remote host use only certificates that are signed by the certificate authority that is identified by the label CA4PartnerCompany.
For detailed specifications on the use of wildcards in the RemoteSecurityEndpoint statement, see z/OS Communications Server: IP Configuration Reference.
KeyExchangeRule ZoneB_KeyExRule1
{
LocalSecurityEndpointRef Public_IKED
RemoteSecurityEndpointRef ZoneB_IKED
KeyExchangeActionRef Main-RSA-SHA1-3DES-DH2
}
KeyExchangePolicy
{
KeyExchangeRuleRef ZoneB_KeyExRule1
}
In this example, there is a unique requirement for each traffic type. Therefore, there are two types of IPSec protection for each type of traffic as follows:
EE traffic - strong encryption: ESP, 3DES
strong ESP authentication: Hmac SHA1
Normal FTP traffic - strong AH authentication, Hmac SHA1
This information eventually translates into two IpDataOffer statements.
Tunnel mode is required only if either endpoint of the Security Association is a secure gateway. The choice is optional in a host-to-host configuration, but transport mode is typically used.
IpDataOffer TRAN-AHSHA-NOENCR
{
HowToEncap Transport
HowToEncrypt DoNot
HowToAuth AH HMAC_SHA1
RefreshLifetimeProposed 240
RefreshLifetimeAccepted 120 480
RefreshLifesizeProposed none
RefreshLifesizeAccepted none
}
IpDataOffer TRAN-ESPSHA-3DES
{
HowToEncap Transport
HowToEncrypt 3DES
HowToAuth ESP HMAC_SHA1
RefreshLifetimeProposed 240
RefreshLifetimeAccepted 120 480
RefreshLifesizeProposed none
RefreshLifesizeAccepted none
}
Because the EE VPN activates when outbound EE traffic is detected, you need to be able to start the negotiation locally. The remote host initiates the negotiation of the Security Association for the FTP control connection, so local initiation is not required. The FTP data connection is initiated from the local host, so to activate the Security Association, local initiation is required.
The IpDynVpnAction statement can control which host is allowed to initiate the negotiation. You must allow the IPSec VPN for the FTP control connection to be initiated by the remote peer, and the data connection by the local host. EE should be allowed to initiate an IKE negotiation locally.
IpDynVpnAction FTP-vpnaction
{
Initiation either
InitiateWithPfs group2
AcceptablePfs group2
VpnLife 1440
IpDataOfferRef TRAN-AHSHA-NOENCR
}
IpDynVpnAction EE-vpnaction
{
Initiation localonly
InitiateWithPfs group2
AcceptablePfs group2
VpnLife 1440
IpDataOfferRef TRAN-ESPSHA-3DES
}
Neither the EE nor FTP VPNs require a LocalDynVpnPolicy statement, because neither is command-line activated or autoactivated.
Before a phase 2 negotiation can initiate, the IKE daemon needs to know the IP addresses, ports, and protocols that the Security Association covers. In most cases, these can be inferred from the filter rule, or from the packet that started the on-demand activation. An IpLocalStartAction statement explicitly defines where these parameters are obtained. The granularity setting determines whether the information comes from the matching filter rule, or from the packet. By explicitly specifying packet, you can guarantee that a new Security Association is created for each connection request.
IpLocalStartAction ZoneB-Start-Action
{
AllowOnDemand yes
LocalPortGranularity packet
RemotePortGranularity packet
ProtocolGranularity packet
LocalIpGranularity packet
RemoteIpGranularity packet
LocalSecurityEndpointRef Public_IKED
RemoteSecurityEndpointRef ZoneB_IKED
}
In this example, specifying packet is not required. IKE detects that the filter rule has a range of ports specified and resorts to packet granularity instead of the default of rule. Specifying packet is required, however, if the EE and FTP rules had all ports specified. In that case, one Security Association is negotiated for all ports, not a single port. To avoid confusion, it is better to specify your intention.
When the system begins to process encapsulated traffic, the encapsulated packets are subject to filtering. The encrypted and authenticated packets are denied unless they are explicitly allowed. There are two options to configure this that are subtly different. The first is less restrictive, allowing AH and ESP packets from anywhere and not subjecting them to filtering until after the packets have had their IPSec headers removed. The second method is to add an IpFilterRule statement that explicitly permits the IPSec-encapsulated traffic. This option adds an additional layer of security, in that you can control exactly who is allowed to send encrypted traffic. This protects system resources by preventing the processing of IPSec packets unnecessarily, such as might happen in the case of a malicious attack of IPSec packets. Although more secure, this solution is less efficient because it requires additional processing resources to filter all IPSec-encapsulated traffic.
For the first option, in the main IpFilterPolicy block, code PreDecap off as follows:
IpFilterPolicy
{
PreDecap off
⋮
}
For the second option, configure a filter rule in the IpFilterPolicy block that explicitly allows AH and ESP traffic as follows:
IpFilterRule Allow-IPSec-traffic
{
IpSourceAddr 9.2.2.2
IpDestAddrSet 9.4.0.0/16
IpService AH-traffic
{
Protocol AH
Direction bidirectional
Routing local
SecurityClass 0
}
IpService ESP-traffic
{
Protocol ESP
Direction bidirectional
Routing local
SecurityClass 0
}
IpGenericFilterRef permit-nolog
}
IpFilterRule ZoneB-Permitted-traffic
{
IpSourceAddrRef PublicServerAddress
IpDestAddrSetRef ZoneB-subnet
IpServiceRef IKE-local
IpServiceGroupRef SecureFTPServer
IpGenericFilterActionRef permit-nolog
}
IpFilterRule FTPServer-ZoneB
{
IpSourceAddr 9.2.2.2
IpDestAddrSet 9.4.0.0/16
IpServiceGroupRef FTPServer
IpGenericFilterActionRef ipsec-nolog
IpDynVpnAction FTP-vpnaction
IpLocalStartActionRef ZoneB-Start-Action
}
IpFilterRule EE-ZoneB
{
IpSourceAddr 9.2.2.2
IpDestAddrSet 9.4.0.0/16
IpService
{
SourcePortRange 12000 12004
DestinationPortRange 12000 12004
Protocol udp
Direction bidirectional
Routing local
SecurityClass 0
}
IpGenericFilterActionRef ipsec-nolog
IpDynVpnAction EE-vpnaction
IpLocalStartActionRef ZoneB-Start-Action
}
Because both IKE and Secure FTP need to be permitted without IPSec protection, an IpFilterRule statement for both is not needed. The two services can be combined into one rule.
A completely configured policy, including all objects and their references, is as follows:
# IpFilterPolicy for secure public server
IpFilterPolicy
{
PreDecap off
IpFilterGroupRef ZoneB
}
KeyExchangePolicy
{
KeyExchangeRuleRef ZoneB_KeyExRule1
}
###### All reusable statements follow #######
IpFilterGroup ZoneB
{
IpFilterRuleRef ZoneB-Permitted-traffic
IpFilterRuleRef FTPServer-ZoneB #IPSec-protected
IpFilterRuleRef EE-ZoneB #IPSec-protected
}
######################################
# IpFilterRules #
# defines: #
# data endpoints #
# Allowed services #
# Actions (permit, deny, ipsec) #
######################################
IpFilterRule ZoneB-Permitted-traffic
{
IpSourceAddrRef PublicServerAddress
IpDestAddrSetRef ZoneB-subnet
IpServiceRef IKE-local
IpServiceGroupRef SecureFTPServer
IpGenericFilterActionRef permit-nolog
}
IpFilterRule EE-ZoneB
{
IpSourceAddrRef PublicServerAddress
IpDestAddrSetRef ZoneB-subnet
IpServiceRef Enterprise-Extender
IpGenericFilterActionRef ipsec-nolog
IpDynVpnActionRef EE-vpnaction
IpLocalStartActionRef ZoneB-Start-Action
}
IpFilterRule FTPServer-ZoneB
{
IpSourceAddrRef PublicServerAddress
IpDestAddrSetRef ZoneB-subnet
IpServiceGroupRef FTPServer
IpGenericFilterActionRef ipsec-nolog
IpDynVpnActionRef FTP-vpnaction
IpLocalStartActionRef ZoneB-Start-Action
}
#######################
# Local Start Actions #
#######################
IpLocalStartAction ZoneB-Start-Action
{
AllowOnDemand yes
LocalPortGranularity packet
RemotePortGranularity packet
ProtocolGranularity packet
LocalIpGranularity packet
RemoteIpGranularity packet
LocalSecurityEndpointRef Public_IKED
RemoteSecurityEndpointRef ZoneB_IKED
}
####################
# IpService groups #
####################
IpServiceGroup FTPServer
{
IpServiceRef FTPServer-Control
IpServiceRef FTPServer-Data
}
IpServiceGroup SecureFTPServer
{
IpServiceRef SecureFTPServer-Control
IpServiceRef SecureFTPServer-Data
}
##################################
# Services provided by this host #
##################################
IpService IKE-local
{
SourcePortRange 500
DestinationPortRange 500
Protocol UDP
Direction bidirectional
Routing local
SecurityClass 0
}
IpService SecureFTPServer-Control
{
SourcePortRange 990
DestinationPortRange 1024 65535
Protocol tcp
Direction bidirectional InboundConnect
Routing local
SecurityClass 0
}
IpService SecureFTPServer-Data
{
SourcePortRange 989
DestinationPortRange 1024 65535
Protocol tcp
Direction bidirectional OutboundConnect
Routing local
SecurityClass 0
}
IpService Enterprise-Extender
{
SourcePortRange 12000 12004
DestinationPortRange 12000 12004
Protocol UDP
Direction bidirectional
Routing local
SecurityClass 0
}
IpService FTPServer-Control
{
SourcePortRange 21
DestinationPortRange 1024 65535
Protocol tcp
Direction bidirectional InboundConnect
Routing local
SecurityClass 0
}
IpService FTPServer-Data
{
SourcePortRange 20
DestinationPortRange 1024 65535
Protocol tcp
Direction bidirectional OutboundConnect
Routing local
SecurityClass 0
}
######################
# Security Endpoints #
######################
LocalSecurityEndpoint Public_IKED
{
Identity IpAddr 9.2.2.2
Location 9.2.2.2
}
RemoteSecurityEndpoint ZoneB_IKED
{
Identity IpAddr 9.4.0.0/16
Location 9.4.0.0/16
CaLabel CA4PartnerCompany
}
##########################
# Generic filter actions #
##########################
IpGenericFilterAction permit-nolog
{
IpFilterAction permit
IpFilterLogging no
}
IpGenericFilterAction ipsec-nolog
{
IpFilterAction ipsec
IpFilterLogging no
}
##################################
# Key Exchange offers #
# defines: #
# Authentication type #
# Encryption type #
# Peer authentication method #
# Refresh limits #
##################################
KeyExchangeOffer RSA-SHA1-3DES-DH2
{
HowToEncrypt 3DES
HowToAuthMsgs SHA1
HowToAuthPeers RsaSignature
DHGroup Group2
RefreshLifetimeProposed 480
RefreshLifetimeAccepted 240 1440
RefreshLifesizeProposed none
RefreshLifesizeAccepted none
}
##################################
# Key Exchange Actions #
# defines: #
# Negotiation mode #
# List of Key exchange offers #
##################################
KeyExchangeAction Main-RSA-SHA1-3DES-DH2
{
HowToInitiate main
HowToRespondIKEv1 main
KeyExchangeOfferRef RSA-SHA1-3DES-DH2
}
######################################
# KeyExchangeRules #
# defines: #
# A pair of security endpoints #
# permitted in IKE negotiations #
######################################
KeyExchangeRule ZoneB_KeyExRule1
{
LocalSecurityEndpointRef Public_IKED
RemoteSecurityEndpointRef ZoneB_IKED
KeyExchangeActionRef Main-RSA-SHA1-3DES-DH2
}
############################
# Data Offers #
# defines: #
# Encapsulation mode #
# Authentication type #
# Encryption type #
# Refresh limits #
############################
### Authenticated offer ###
IpDataOffer TRAN-AHSHA-NOENCR
{
HowToEncap Transport
HowToEncrypt DoNot
HowToAuth AH HMAC_SHA1
RefreshLifetimeProposed 240
RefreshLifetimeAccepted 120 480
RefreshLifesizeProposed none
RefreshLifesizeAccepted none
}
### Encrypted offer ###
IpDataOffer TRAN-ESPSHA-3DES
{
HowToEncap Transport
HowToEncrypt 3DES
HowToAuth DoNot
RefreshLifetimeProposed 240
RefreshLifetimeAccepted 120 480
RefreshLifesizeProposed none
RefreshLifesizeAccepted none
}
##############################
# Dynamic VPN Actions #
# defines: #
# Initiation role #
# Pfs group #
# Lifetime of connection #
# List of Data offers #
##############################
IpDynVpnAction FTP-vpnaction
{
Initiation either
InitiateWithPfs group2
AcceptablePfs group2
VpnLife 1440
IpDataOfferRef TRAN-AHSHA-NOENCR
}
IpDynVpnAction EE-vpnaction
{
Initiation localonly
InitiateWithPfs group2
AcceptablePfs group2
VpnLife 1440
IpDataOfferRef TRAN-ESPSHA-3DES
}
################
# IP addresses #
################
IpAddr PublicServerAddress
{
Addr 9.2.2.2
}
IpAddrSet ZoneB-subnet
{
Prefix 9.4.0.0/16
}