Overview of Defense Manager Daemon (DMD)

An external security information and event manager (SIEM) that analyzes and correlates messages from multiple sources and systems in the network can respond to an attack by installing defensive filters in your TCP/IP stack. A defensive filter is an IP filter rule that discards packets. It is separate from the IP security filters and is typically installed for a short duration (for example, 30 minutes) to block a specific attack or a pattern of attacks. If traffic that a defensive filter is blocking should be blocked on a long-term basis, update your configured IP security policy to add an IP security deny rule rather than relying on repeatedly installed defensive filters.

A defensive filter uses a combination of the following characteristics to target traffic to be discarded:

Defensive filters are given higher priority than IP security filters. That is, IP filter processing first checks any installed defensive filters for a match against a packet, before checking the IP security filters. When a defensive filter is added to a TCP/IP stack, it is placed at the top of the filter search order. As a result, a defensive filter discards matching traffic even when the IP security policy would otherwise permit it, and the traffic is again subject only to the IP security filters once the defensive filter expires or is deleted.
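The following model illustrates the two points above: a defensive filter's lifetime (for example, 30 minutes) and its position ahead of the IP security filters in the search order. It is an added example, not IBM code and not the z/OS filter implementation; the rule fields, the first-match evaluation, the implicit deny-all at the end of the policy, and the sample addresses are constructed assumptions for the model.

```python
# Added illustration (not IBM code): a minimal model of how a TCP/IP stack
# evaluates defensive filters ahead of IP security filters, and how a
# defensive filter's lifetime limits its effect. Rule fields, first-match
# evaluation and the trailing deny-all are assumptions for the model,
# not z/OS syntax or semantics.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    direction: str  # "inbound" or "outbound"


@dataclass
class Rule:
    """An IP security filter: the first matching rule decides (permit/deny)."""
    name: str
    action: str                       # "permit" or "deny"
    src: str = "0.0.0.0/0"            # CIDR; the default matches any address
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None       # None matches any protocol
    dport: Optional[int] = None       # None matches any destination port
    direction: Optional[str] = None   # None matches both directions

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport)
                and (self.direction is None or self.direction == pkt.direction))


@dataclass
class DefensiveFilter(Rule):
    """A short-lived discard rule installed on top of the IP security policy."""
    action: str = "discard"           # defensive filters only ever discard
    installed_at: float = 0.0         # seconds; set by the stack when added
    lifetime_sec: int = 30 * 60       # 30 minutes, the example duration in the text

    def active(self, now: float) -> bool:
        return now < self.installed_at + self.lifetime_sec


class FilterStack:
    """Models the search order: defensive filters first, then IP security rules."""

    def __init__(self, security_rules: List[Rule]):
        self.security_rules = list(security_rules)
        self.defensive: List[DefensiveFilter] = []

    def add_defensive(self, f: DefensiveFilter, now: float) -> None:
        f.installed_at = now
        self.defensive.insert(0, f)   # a newly added defensive filter goes to the top

    def expire(self, now: float) -> List[str]:
        """Drop defensive filters whose lifetime has passed; return their names."""
        gone = [f.name for f in self.defensive if not f.active(now)]
        self.defensive = [f for f in self.defensive if f.active(now)]
        return gone

    def promote_to_deny(self, name: str) -> Rule:
        """Turn a defensive filter into a long-term IP security deny rule.
        Assumption for the model: the deny rule is placed ahead of the permit
        rules so that first-match evaluation keeps the traffic blocked."""
        f = next(x for x in self.defensive if x.name == name)
        deny = Rule("deny-" + name, "deny", f.src, f.dst, f.proto, f.dport, f.direction)
        self.security_rules.insert(0, deny)
        self.defensive.remove(f)
        return deny

    def evaluate(self, pkt: Packet, now: float) -> Tuple[str, str]:
        for f in self.defensive:                  # defensive filters are checked first
            if f.active(now) and f.matches(pkt):
                return f.action, f.name
        for r in self.security_rules:             # then the IP security filters
            if r.matches(pkt):
                return r.action, r.name
        return "deny", "implicit-default"         # assumption: policy ends with deny-all


def demo() -> dict:
    # Constructed sample policy: permit inbound telnet from 10.1.0.0/16 only.
    stack = FilterStack([
        Rule("allow-telnet", "permit", src="10.1.0.0/16", proto="tcp",
             dport=23, direction="inbound"),
    ])
    attacker = Packet("10.1.5.7", "10.1.2.1", "tcp", 23, "inbound")   # constructed
    colleague = Packet("10.1.9.9", "10.1.2.1", "tcp", 23, "inbound")  # constructed

    # A SIEM correlation flags 10.1.5.7 and installs a 30-minute discard filter.
    stack.add_defensive(DefensiveFilter("block-10.1.5.7", src="10.1.5.7/32",
                                        proto="tcp", dport=23), now=0)
    results = {
        "attacker_t0": stack.evaluate(attacker, now=0),          # discarded by the defensive filter
        "colleague_t0": stack.evaluate(colleague, now=0),        # still permitted by policy
        "attacker_t31m": stack.evaluate(attacker, now=31 * 60),  # filter expired: policy permits again
    }
    results["expired"] = stack.expire(now=31 * 60)

    # Long-term blocking belongs in the IP security policy, not in defensive filters.
    stack.add_defensive(DefensiveFilter("block-10.1.5.7", src="10.1.5.7/32",
                                        proto="tcp", dport=23), now=31 * 60)
    stack.promote_to_deny("block-10.1.5.7")
    results["attacker_after_promote"] = stack.evaluate(attacker, now=10 ** 9)
    results["colleague_after_promote"] = stack.evaluate(colleague, now=10 ** 9)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The model makes the operational caveat concrete: once the defensive filter's lifetime passes, the attacker's packets are evaluated against the IP security policy alone and are permitted again, which is why the text directs you to add an IP security deny rule for anything that must stay blocked.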

Defensive filters are added and managed using the z/OS UNIX ipsec command with the -F primary option. These requests are processed by the Defense Manager daemon (DMD), which installs, updates, and removes the defensive filters in the TCP/IP stacks it manages.

Defensive filters are typically added as an automated action resulting from an external security information and event manager's analysis. The manager issues the set of ipsec commands that install the required defensive filters. You can also add a defensive filter by manually issuing the ipsec command.

After a defensive filter is created, you can use the ipsec command to update some attributes of the filter, such as its lifetime, and also to display and delete defensive filters.

For more information about the ipsec command, see z/OS Communications Server: IP System Administrator's Commands.

For more information about the DMD, see z/OS Communications Server: IP Configuration Guide.