Comparison of IP security filters and defensive filters
Table 1 compares IP security filters and defensive filters.
Topic | IP security filters (policy) | IP security filters (default) | Defensive filters |
---|---|---|---|
Configuring | Configured in a Policy Agent flat file. | Configured in the TCP/IP profile. | Not configured. The ipsec command is used to create defensive filters, either automatically or manually. |
Installing in the TCP/IP stack | Installed by the Policy Agent. | Installed by TCP/IP profile processing. | Installed by the Defense Manager daemon (DMD). |
Filter search order | The order in the configuration file. | The order in the configuration file. | Defensive filters are searched before IP security filters. When a defensive filter is created, it is installed at the top of the search order. |
Displaying a filter | Use pasearch and ipsec -f display. The ipsec -f display -c current command displays all installed filters, both defensive filters and IP security filters. | Use ipsec -f display -c profile. | Use ipsec -F display. |
Filter display order | The order in the configuration file. The pasearch command displays IP security filters as complex filter rules, not as the split filters that exist in the stack. The ipsec -f display command displays IP security filters as split filters, as they are in the stack. IPv4 IP security filters are shown first, followed by IPv6 IP security filters. | The order in the configuration file. The ipsec -f display command displays IP security filters as split filters, as they are in the stack; a single profile filter in the configuration file is split into an inbound and an outbound filter in the stack. IPv4 IP security filters are shown first, followed by IPv6 IP security filters. | The ipsec -F display command displays defensive filters from the stack in four groups. Within each group, the filters are displayed from most recently installed to least recently installed. The ipsec -F display -G command displays global defensive filters from the DMD. The global filters are displayed from most recently installed to least recently installed. |
Deleting a filter | Remove the filter rule from the configuration file. When Policy Agent detects the configuration file change, the filter rule is removed from the stack. Policy Agent detects the change in one of the following ways: | Use a VARY TCPIP,,OBEYFILE command with a data set that contains a new IPSEC statement with the filter rule removed. | Use ipsec -F delete. Defensive filters are also deleted when their lifetime expires. |
Updating a filter | Update the filter rule in the configuration file. When the Policy Agent detects the configuration file change, the filter rule is updated in the stack. | Use a VARY TCPIP,,OBEYFILE command with a data set that contains a new IPSEC statement with the filter rule updated. | Use ipsec -F update. A defensive filter's lifetime, mode, and logging values can be updated. |
Specifying time conditions | Specify time conditions in the policy. The Policy Agent installs an IP security filter when it becomes active and deletes the filter when it becomes inactive because of a time condition. | Not supported. | Not supported. Defensive filters have a lifetime specified in minutes. A defensive filter is deleted when its lifetime expires. |
Simulation mode | Not supported. | Not supported. | Controlled by the DMD configuration file and the ipsec -F add and ipsec -F update commands. |
Global filters | IP security filters defined in a CommonIPSecConfig file are added to all eligible stacks. | Not supported. | Defensive filters added with the -G option of the ipsec command are added to all eligible stacks on the z/OS® system. |
Filter-match logging | | | |
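The search-order and lifetime rows above describe behaviour that is easier to see in a small executable model: defensive filters are searched before IP security filters, the most recently installed defensive filter sits at the top of the search order, and a defensive filter stops matching once its lifetime (in minutes) has expired. The following Python model is an added example written for this page; it is not z/OS Communications Server code and it does not call the ipsec command. The filter names, addresses and the sample policy are constructed. Two behaviours are modeled as assumptions rather than taken from the table: defensive filters only deny, and a defensive filter in simulate mode logs the match but lets the packet continue to the remaining filters; the trailing implicit deny is also an assumption of the model.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class IPFilter:
    """One filter rule (constructed model, not a z/OS data structure).
    Addresses are CIDR prefixes; protocol is "tcp", "udp", "icmp" or "any".
    installed_at, lifetime and mode are used by defensive filters only."""
    name: str
    src: str
    dst: str
    protocol: str
    action: str                       # "permit" or "deny"
    installed_at: float = 0.0         # minutes since an arbitrary epoch
    lifetime: Optional[float] = None  # minutes; None means never expires
    mode: str = "block"               # "block" or "simulate"

    def matches(self, src: str, dst: str, protocol: str) -> bool:
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and self.protocol in ("any", protocol))

    def expired(self, now: float) -> bool:
        return self.lifetime is not None and now >= self.installed_at + self.lifetime


class FilterStack:
    """Search order as the table describes it: defensive filters first, most
    recently installed at the top, then IP security filters in
    configuration-file order."""

    def __init__(self) -> None:
        self.defensive: list[IPFilter] = []
        self.policy: list[IPFilter] = []

    def install_policy(self, f: IPFilter) -> None:
        self.policy.append(f)              # configuration order is the search order

    def add_defensive(self, f: IPFilter, now: float) -> None:
        f.installed_at = now
        f.action = "deny"                  # assumption: defensive filters only deny
        self.defensive.insert(0, f)        # newest filter goes to the top

    def expire(self, now: float) -> list[str]:
        """Drop defensive filters whose lifetime has elapsed; return their names."""
        gone = [f.name for f in self.defensive if f.expired(now)]
        self.defensive = [f for f in self.defensive if not f.expired(now)]
        return gone

    def decide(self, src: str, dst: str, protocol: str,
               now: float) -> tuple[str, Optional[str], list[str]]:
        """Return (verdict, name of the deciding filter, log lines)."""
        self.expire(now)
        log: list[str] = []
        for f in self.defensive:
            if f.matches(src, dst, protocol):
                if f.mode == "simulate":
                    # assumption: simulate mode records the match and lets the
                    # packet continue through the remaining filters
                    log.append(f"simulate: {f.name} would deny {protocol} {src}->{dst}")
                    continue
                log.append(f"deny by defensive filter {f.name}")
                return "deny", f.name, log
        for f in self.policy:
            if f.matches(src, dst, protocol):
                log.append(f"{f.action} by IP security filter {f.name}")
                return f.action, f.name, log
        log.append("no filter matched; implicit deny")   # assumption of the model
        return "deny", None, log


def build_sample_stack() -> FilterStack:
    """Constructed sample policy: permit internal TCP to 192.0.2.0/24, deny the rest."""
    stack = FilterStack()
    stack.install_policy(IPFilter("allow-internal-tcp", "10.0.0.0/8", "192.0.2.0/24", "tcp", "permit"))
    stack.install_policy(IPFilter("deny-all", "0.0.0.0/0", "0.0.0.0/0", "any", "deny"))
    return stack


if __name__ == "__main__":
    s = build_sample_stack()
    # t=0: a defensive filter blocks one host for 10 minutes
    s.add_defensive(IPFilter("dfilter-1", "10.1.2.3/32", "0.0.0.0/0", "any", "deny", lifetime=10), now=0)
    print(s.decide("10.1.2.3", "192.0.2.10", "tcp", now=5))    # denied by dfilter-1
    print(s.decide("10.1.2.3", "192.0.2.10", "tcp", now=15))   # lifetime expired: policy decides again
```

Running the model shows the operational consequence of the table's rows: a defensive filter overrides a permitting IP security filter for exactly its lifetime and then silently drops out, so a host that was blocked by an automatic defensive filter is reachable again once the lifetime expires unless the policy itself is changed.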