Overview of IPSec
z/OS® Communications Server provides the ability to control and monitor network traffic on one or more TCP/IP stacks on a z/OS system. With z/OS Communications Server IP security, the Communications Server provides the necessary function to support IP filtering, IPSec, and Internet Key Exchange (IKE), without requiring Integrated Security Services Firewall Technologies. Key advantages of IP security are easier configuration, greater scalability, improved performance, and enhanced serviceability over the capabilities that are provided by Firewall Technologies. Functionally, IP security provides support for NAT traversal in common server configurations, while Firewall Technologies does not. This function is critical in many environments where private addressing is used in a portion of the network's topology and IPSec protection is also required. For more information regarding the use and configuration of Firewall Technologies, refer to z/OS Integrated Security Services Firewall Technologies.
IP security policy can be used for the following:
- Protect a secure host on an internal network from unwanted network traffic.
- Provide protection for traffic between business associates over connected networks.
- Allow secure sending of data over the Internet by providing IPSec virtual private network (VPN) support.
Because these features are implemented in the IP layer on a per-packet basis, they are available to any network application without requiring any special modifications. Applications can also implement their own additional security features as necessary, on top of the underlying IP security.
IP security policy is enabled, enforced, managed, and monitored through a coordinated effort of several z/OS Communications Server components:
- Policy Agent: configures IP security on a z/OS system. It reads the configuration files that contain the IP security policy configuration statements, checks them for errors, and installs the resulting policy into the IKE daemon and the TCP/IP stack.
- Internet Key Exchange daemon (IKED): retrieves IP security policy from the Policy Agent and dynamically negotiates and manages the keys that are associated with dynamic IPSec VPNs.
- TCP/IP stack: maintains the list of currently active IP filters and IPSec security associations, filters network traffic, performs encryption and decryption of network data, and maintains the counters that are associated with an IPSec security association lifetime.
- Traffic Regulation Manager daemon (TRMD): logs the IP security events that the stack detects, including IP filter events, updates to IP security policy, and the creation, deletion, and refresh of IPSec security associations.
- System logging daemon (SYSLOGD): manages the logging of messages and events for all of the other components, including where the log messages are written.
These components provide a combination of technologies that form the basis of IP security:
- IP filtering
- IP filter logging
- Data encryption and authentication
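The following Policy Agent IP filter policy fragment shows how IP filtering and IP filter logging are expressed in practice and how they flow through the components listed above: the Policy Agent reads and checks the statements, the stack enforces the rules per packet, and matches on rules that request logging are reported to TRMD and written by SYSLOGD. This is an added, constructed example for illustration, not configuration taken from the z/OS documentation or from any IBM product sample; the host address 10.1.1.1, the rule and action names, and the choice of port 22 are assumptions. The keywords follow the general shape of the IpFilterPolicy, IpFilterRule, IpService and IpGenericFilterAction statements; confirm the exact syntax against the statement reference for your release before using it. Data encryption and authentication (the third technology) would be added by an action of type ipsec that references a VPN action, which this fragment deliberately leaves out.

```text
# Constructed example: IP filter policy fragment read by the Policy Agent
# and installed into the TCP/IP stack. Addresses and names are assumed.
IpFilterPolicy
{
   # Do not apply the filter rules to packets before IPSec decapsulation
   PreDecap            off
   # Enable filter logging; matching rule hits go to TRMD, then SYSLOGD
   FilterLogging       on

   # Rules are evaluated in order. Permit inbound SSH to the assumed
   # local host 10.1.1.1 from any IPv4 peer, and log each match.
   IpFilterRule        AllowSshIn
   {
      IpSourceAddr     all4
      IpDestAddr       10.1.1.1
      IpService
      {
         SourcePortRange   1024 65535
         DestinationPort   22
         Protocol          tcp
         Direction         bidirectional InboundConnect
         Routing           local
      }
      IpGenericFilterActionRef  PermitLog
   }

   # Everything not explicitly permitted above is denied and logged
   IpFilterRule        DenyRest
   {
      IpSourceAddr     all
      IpDestAddr       all
      IpService
      {
         Protocol       all
         Direction      bidirectional
         Routing        either
      }
      IpGenericFilterActionRef  DenyLog
   }
}

# Generic actions referenced by the rules above
IpGenericFilterAction PermitLog
{
   IpFilterAction   permit
   IpFilterLogging  yes
}

IpGenericFilterAction DenyLog
{
   IpFilterAction   deny
   IpFilterLogging  yes
}
```

Two points a practitioner should check when writing such a policy: because rules are evaluated in order, the catch-all deny rule must come last, and any rule that should produce audit evidence needs IpFilterLogging yes on its action as well as FilterLogging on at the policy level, otherwise TRMD has nothing to report. Once the Policy Agent has installed the policy, the active filters in the stack can be inspected with the ipsec command (ipsec -f display), which is the quickest way to confirm that the rules loaded as intended.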