An external security information and event manager, by analyzing
and correlating messages from multiple sources and systems in the
network, can take action to block attacks by installing defensive
filters in your TCP/IP stack. A defensive filter is an IP filter rule
to discard packets, separate from IP security filters, and is typically
installed for a short duration (for example, 30 minutes) to block
a specific attack or a pattern of attacks. If traffic being blocked
by a defensive filter should be blocked on a long-term basis, update
your configured IP security policy to add an IP security deny rule.
A defensive filter uses a combination of the following characteristics
to target traffic to be discarded:
- IP source or destination address
- IP protocol
- Source or destination port
- ICMP type or code
- Direction of flow
- Type of traffic: Routed or local
For example, a defensive filter might be installed to block all
TCP traffic from IP address 10.1.1.1 that is destined for the Telnet
server. This filter has the following characteristics:
- IP source address is 10.1.1.1.
- IP protocol is TCP.
- Destination port is 23.
- Direction of flow is inbound.
- Traffic is local.
Defensive filters are given higher priority than IP security filters.
That is, IP filter processing first checks any installed defensive
filters for a match against a packet, before checking the IP security
filters. When a defensive filter is added to a TCP/IP stack, it is
placed at the top of the filter search order.
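The matching and search-order behavior described above, as an added example that is not part of this documentation and not the stack's own implementation: a small Python model of the filter characteristics, the Telnet example filter with a 30-minute lifetime, and the rule that defensive filters are searched before the IP security filters. Packet fields, filter names and the permit-all policy stand-in are all constructed for the illustration.

```python
from typing import Callable, Dict, List

# A packet as the filter logic sees it, keyed by the characteristics the page lists:
# src, dst, proto, sport, dport, icmp_type, icmp_code, direction, routing (constructed model).
Packet = Dict[str, object]

class DefensiveFilter:
    """A discard rule built from those characteristics; any key not given is a wildcard.
    lifetime_s is how long the filter stays installed (the page's example: 30 minutes)."""
    def __init__(self, name: str, installed_at: float, lifetime_s: float, **selectors):
        self.name = name
        self.expires = installed_at + lifetime_s
        self.selectors = selectors

    def matches(self, pkt: Packet, now: float) -> bool:
        if now >= self.expires:          # a lapsed filter no longer discards anything
            return False
        return all(pkt.get(k) == v for k, v in self.selectors.items())

def install(defensive: List[DefensiveFilter], f: DefensiveFilter) -> None:
    """A newly added defensive filter is placed at the top of the search order."""
    defensive.insert(0, f)

def filter_packet(pkt: Packet, defensive: List[DefensiveFilter],
                  ipsec_policy: Callable[[Packet], str], now: float) -> str:
    """Search order: installed defensive filters first; only when none matches do the
    configured IP security filters (modelled by a caller-supplied function) decide."""
    for f in defensive:
        if f.matches(pkt, now):
            return f"discard (defensive filter {f.name})"
    return ipsec_policy(pkt)

def telnet_demo(now: float = 0.0) -> List[str]:
    """The page's example: block inbound local TCP from 10.1.1.1 to the Telnet server
    (port 23) for 30 minutes. The IP security policy is a permit-all stand-in."""
    defensive: List[DefensiveFilter] = []
    install(defensive, DefensiveFilter("block-telnet-10.1.1.1", now, 30 * 60,
                                       src="10.1.1.1", proto="tcp", dport=23,
                                       direction="inbound", routing="local"))
    def permit_all(pkt: Packet) -> str:
        return "permit (IP security policy)"
    base = dict(dst="192.0.2.10", proto="tcp", direction="inbound", routing="local")
    pkts = [{**base, "src": "10.1.1.1", "sport": 40000, "dport": 23},   # matches the filter
            {**base, "src": "10.1.1.1", "sport": 40001, "dport": 22},   # other port: falls through
            {**base, "src": "10.1.1.2", "sport": 40002, "dport": 23},   # other source host
            {**base, "src": "10.1.1.1", "sport": 40003, "dport": 23, "routing": "routed"}]
    decisions = [filter_packet(p, defensive, permit_all, now) for p in pkts]
    # the same attack packet again after the 30-minute lifetime has lapsed
    decisions.append(filter_packet(pkts[0], defensive, permit_all, now + 31 * 60))
    return decisions
```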
Figure 1 provides an overview of defensive filtering.
Figure 1. Defensive filtering overview
Defensive filters are added and managed using the z/OS® UNIX ipsec command
with the -F primary option.
- Defensive filters are typically added as an automated action resulting
from an external security information and event manager's analysis.
The manager issues the set of ipsec commands that
install the required defensive filters.
- You can also add a defensive filter by manually issuing the ipsec command.
- After a defensive filter is created, you can use the ipsec command
to update some attributes of the filter, such as its lifetime, and
also to display and delete defensive filters.
For more information about the ipsec command, see z/OS Communications Server: IP System Administrator's
Commands.
Requirements:
- You must enable the IP security function for defensive filters
to be installed in a stack. If you do not have the IP security function
enabled, see Enabling the IP security function.
- The Defense Manager daemon (DMD) plays an integral role in managing
defensive filters, and must be active for defensive filters to be
added, updated, or deleted. One instance of the DMD manages all eligible
stacks on a z/OS image. An
eligible stack is one that is enabled for IP security and that is
included in the DMD configuration file with a mode of Active or Simulate.
For information about configuring the DMD, see Steps for configuring the DMD. You can refresh most of the DMD
configuration parameters so that options can be changed without recycling
the DMD.
Guideline: The DMD can support a maximum
of 10 concurrent ipsec command connections.
Restriction: Remote management of defensive filters using
a network security services (NSS) server is not supported. Management
of defensive filters is provided only through the local ipsec command.