Steps for verifying IP security and defensive filter operation

Verify IP security and defensive filter operation.

Before you begin

Identify the characteristics of the IP traffic for which IP security operation is to be verified. The characteristics of IP traffic that are subject to IP security control are described by the IpFilterRule or IPSECRULE (for IPv4) or IPSEC6RULE (for IPv6) statement. See z/OS Communications Server: IP Configuration Reference for more information about the IpFilterRule, IPSECRULE and IPSEC6RULE statements.

About this task

Figure 1 shows the decisions involved for IP security operation.

Figure 1. Overview of verifying IP security operation [figure not reproduced; it shows the decisions involved in verifying IP security operation]

Procedure

Perform the following steps:

  1. Use the Netstat CONFIG/-f command to determine whether the TCP/IP stack is configured for IP security for IPv4, IPv6, or both. For information about the Netstat command, see z/OS Communications Server: IP System Administrator's Commands.
    Do one of the following:
    • If the stack is not configured for IP security for the IP protocol that you want, proceed to step 2.
    • If the stack is configured for IP security for the IP protocol that you want, proceed to step 3.
  2. If you want IP security enabled for IPv4, configure the stack for IPv4 IP security using the IPCONFIG IPSECURITY statement in the TCP/IP profile. If you want IP security enabled for IPv6, configure the stack for IPv6 IP security using the IPCONFIG6 IPSECURITY statement in the TCP/IP profile. See z/OS Communications Server: IP Configuration Reference for more information about the IPCONFIG IPSECURITY and IPCONFIG6 IPSECURITY statements. See z/OS Communications Server: IP Configuration Guide for general information about IP security concepts, including IP filtering.
  3. Use the MODIFY command to display the configuration values for the Defense Manager daemon (DMD). For more information about the MODIFY command, see z/OS Communications Server: IP System Administrator's Commands.
    If you want defensive filtering enabled, do one of the following:
    • If the stack name is not listed in the DMD configuration, proceed to step 4.
    • If the stack name is listed in the DMD configuration but does not have the mode that you want, proceed to step 5.
    • If the stack name is listed in the DMD configuration with the mode that you want, proceed to step 6.
    Otherwise, if you do not want defensive filtering, proceed to step 6.
  4. Update the DMD configuration file to include a DmStackConfig statement for the stack for which you want defensive filtering. Specify the defensive filtering mode, Active or Simulate, on the DmStackConfig statement with the stack name. See z/OS Communications Server: IP Configuration Reference for more information about the DMD configuration file. Proceed to step 6.
  5. Update the DMD configuration file to specify the defensive filtering mode, Active or Simulate, on the DmStackConfig statement. See z/OS Communications Server: IP Configuration Reference for more information about the DMD configuration file.
  6. Use the ipsec -t command to determine which IP filter applies to the identified IP packet. At the top of the ipsec -t command output, note whether Source indicates Stack Profile or Stack Policy.

    Limited IP filter controls can be configured using the IPSECRULE statement (for IPv4) and the IPSEC6RULE statement (for IPv6) in the TCP/IP profile. Full IP security capability, including manual and dynamic IPSec protection, requires use of the Policy Agent for IP security policy configuration.

    Locate the Type field in the ipsec -t command output to determine the type of filter. If the Type field indicates Defensive, then the filter is a defensive filter. Defensive filters are not configured but are added to the stack by the ipsec command. Typically, this is done by an external security information and event manager that detects an attack. However, the ipsec command can be issued manually by a user with the appropriate authority to add a defensive filter.

    Tip: The ipsec -t command can return multiple filter rules because the actual packet filtering compares more attributes than might be supplied as input on the ipsec -t command. To minimize this effect, supply as much information as possible on the ipsec -t command.
    If the returned filter rules include a defensive filter, take the following actions:
    • Locate the exclusion list at the top of the ipsec -t command output and determine whether there are any IP addresses listed. Traffic from IP addresses in the exclusion list will bypass defensive filters.
    • Locate the Action field in the ipsec -t command output to determine the mode of the defensive filter. If the Action field indicates Defensive Block, the filter is discarding traffic. If the Action field indicates Defensive Simulate, only filter logging is done and packets continue to be processed.
    • If the defensive filter rule is blocking traffic that should be allowed, determine the user that added the filter by inspecting the syslog messages. Locate the "EZD1723I Defensive filter added" defensive filter message that corresponds to this defensive filter. The userid of the user that added the filter is included in the message.

    If none of the filters returned by the ipsec -t command specify the action that you want for the identified IP packet, correct the IP filter configuration. See z/OS Communications Server: IP Configuration Guide for general information about configuring IP filters.

  7. Locate the Type field in the ipsec -t command output to determine whether IPSec protection is configured for the identified IP packet. If the Type field indicates Generic or Defensive, then IPSec protection is not configured for the identified IP packet. See Steps for verifying IP security policy or defensive filter enforcement to verify that the configured policy is enforced for the IP traffic characterized by the identified IP packet.
  8. Locate the Type field in the ipsec -t command output to determine whether manual or dynamic IPSec protection is configured for the identified IP packet. If the Type field indicates Manual, then see Steps for verifying manual IPSec protection. If the Type field indicates Dynamic or Dynamic Anchor, then see Steps for verifying dynamic IPSec protection.
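The decision logic of steps 3 through 8, written out as an added example (it is not z/OS code and does not parse the real ipsec -t output): it takes the Type and Action fields and the exclusion list that you read from the ipsec -t output, plus the packet's source address, and reports the effect on the packet and which follow-on procedure applies. Accepting prefixes as well as single addresses in the exclusion list is an assumption of this example.

```python
"""Decision logic of steps 3 to 8, modelled as code (added example, not z/OS code)."""
import ipaddress

DEFENSIVE_BLOCK = "Defensive Block"        # Action field values the procedure names
DEFENSIVE_SIMULATE = "Defensive Simulate"

def excluded(src_ip, exclusion_list):
    """True if the packet source is on the exclusion list (bypasses defensive
    filters). Accepting prefixes as well as addresses is an assumption here."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in ipaddress.ip_network(e, strict=False) for e in exclusion_list)

def next_step(rule_type):
    """Map the Type field to the follow-on verification procedure (steps 7 and 8)."""
    if rule_type in ("Generic", "Defensive"):
        return "verify IP security policy or defensive filter enforcement"
    if rule_type == "Manual":
        return "verify manual IPSec protection"
    if rule_type in ("Dynamic", "Dynamic Anchor"):
        return "verify dynamic IPSec protection"
    raise ValueError(f"unexpected Type field: {rule_type!r}")

def triage(rules, src_ip, exclusion_list=()):
    """Evaluate every rule returned for one packet (ipsec -t can return several).
    Each rule is a dict with the Type and Action fields read from the output."""
    findings = []
    for rule in rules:
        r = {"type": rule["Type"], "action": rule["Action"], "next": next_step(rule["Type"])}
        if rule["Type"] != "Defensive":
            r["effect"] = rule["Action"]  # configured filter: its action applies as shown
        elif excluded(src_ip, exclusion_list):
            r["effect"] = "bypassed: source is on the exclusion list"
        elif rule["Action"] == DEFENSIVE_BLOCK:
            r["effect"] = "discarded: find the EZD1723I message for the adding userid"
        elif rule["Action"] == DEFENSIVE_SIMULATE:
            r["effect"] = "logged only: packet continues to be processed"
        else:
            raise ValueError(f"unexpected defensive Action: {rule['Action']!r}")
        findings.append(r)
    return findings

if __name__ == "__main__":
    # Constructed sample: one defensive block filter and one dynamic rule (Action made up).
    sample = [{"Type": "Defensive", "Action": "Defensive Block"},
              {"Type": "Dynamic", "Action": "Permit (constructed)"}]
    for finding in triage(sample, "192.0.2.10", ["198.51.100.0/24"]):
        print(finding)
```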

Results