Filter rules and actions

The IP security policy enables a z/OS® system to classify any IP packet that comes across a network interface and take specific action according to a predefined set of rules. The set of properties that identify a packet, together with the action to be performed on it, is known as an IP filter rule. A rule can be used to filter out unwanted packets from the network stream while allowing others. The collection of all filter rules comprises the IP filter table, which holds the IP filter rules in the order in which they were configured. IP filter rules are configured using the IpFilterRule statement in an IP security policy configuration file. For more details about the IpFilterRule statement, see z/OS Communications Server: IP Configuration Reference.

For example, a simple filter table might have the following set of rules:

  1. Allow Telnet traffic from IP address A.
  2. Allow FTP traffic from IP address B and IP address C.
  3. Allow any traffic from subnet D, but ensure that it is encrypted.
  4. Allow encrypted traffic from any location if the remote IKE identity is a corporate email address.
  5. Allow outbound connections to anywhere.
  6. Deny anything that does not match the previous rules.

This set of rules would be considered to be a filter table consisting of six rules.

The filter table that is configured for a particular installation reflects the security needs for that site. The rules can be restrictive or permissive, as the security policy allows. Normally the rules would deny anything not explicitly permitted, a configuration known as a default-deny policy, in which rules are added as necessary to allow only crucial network traffic. In a default-deny environment, the absence of any IP filter rules essentially isolates the system from the network. The alternative, a default-allow policy, allows all network traffic in the absence of any configured rules. Specific rules can be added as needed to deny unwanted or potentially malicious traffic. A default-deny policy is considered to be much more secure.

Rule: A z/OS Communications Server TCP/IP stack that is configured for IP security follows a default-deny policy by default, in the absence of any configured filter rules.

IP filter tables can grow very complex, and in many implementations are difficult to maintain. However, the configuration mechanism that is provided by IP security enables you to attach meaningful descriptors to rules, hosts, and other configured items, which makes keeping track of complex filter tables an easier task.

To protect data exchanged between hosts, the hosts must agree on what type of traffic to protect and how to protect it. These IP traffic pattern definitions are stored in the locally configured security policy and installed in the IP filter table, which is consulted for each IP packet that enters or leaves the system. When a packet matches one of the rules in the IP filter table, the policy determines what action is taken for that packet. IP filter actions are configured using the IpGenericFilterAction statement in an IP security policy configuration file. For more details about the IpGenericFilterAction statement, see z/OS Communications Server: IP Configuration Reference.

On a z/OS stack that has IPCONFIG IPSECURITY configured (and perhaps also has IPCONFIG6 IPSECURITY configured) and an active IP security policy, there are three possible actions:

If the action that is associated with the filter rule is an ipsec action, IPSec authentication and encryption are applied to the packet before it is received or sent. Any packet that matches a filter rule with an ipsec action is processed using the IPSec protocols, either Authentication Header (AH), Encapsulating Security Payload (ESP), or both, depending on the locally configured policy. z/OS IP security requires that data authentication be done if the filter rule specifies an ipsec action.
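The ordered first-match evaluation described above (the six-rule sample table, the default-deny and default-allow policies, and the permit, deny and ipsec outcomes a matching rule can produce) is shown here as an added Python example. It is not z/OS code and does not use the IpFilterRule or IpGenericFilterAction syntax; the action labels, the rule and packet fields, and all addresses (taken from the RFC 5737 documentation ranges) are assumptions constructed for the example. Rule 4 from the text is omitted because a remote IKE identity is not a property of a single packet, so this simple classifier cannot express it.

```python
# Added illustrative example (not z/OS code): a first-match IP filter table
# with permit / deny / ipsec outcomes and a default policy for packets that
# match no rule.  All addresses are constructed (RFC 5737 documentation ranges).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

PERMIT, DENY, IPSEC = "permit", "deny", "ipsec"   # action labels assumed for this example
ANY = "0.0.0.0/0"                                  # wildcard for an IPv4 address field


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str     # "tcp" or "udp"
    dst_port: int
    direction: str    # "inbound" or "outbound"


@dataclass(frozen=True)
class FilterRule:
    """One entry of the filter table; ANY / None fields match anything."""
    name: str
    action: str
    src: str = ANY
    dst: str = ANY
    protocol: Optional[str] = None
    dst_port: Optional[int] = None
    direction: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and self.protocol in (None, pkt.protocol)
                and self.dst_port in (None, pkt.dst_port)
                and self.direction in (None, pkt.direction))

    def is_catch_all(self) -> bool:
        return (self.src == ANY and self.dst == ANY and self.protocol is None
                and self.dst_port is None and self.direction is None)


def evaluate(table: List[FilterRule], pkt: Packet,
             default_action: str = DENY) -> Tuple[str, str]:
    """Walk the table in configured order; the first matching rule decides.
    default_action models the policy applied when nothing matches:
    DENY for a default-deny stack, PERMIT for a default-allow one."""
    for rule in table:
        if rule.matches(pkt):
            return rule.name, rule.action
    return "<no match>", default_action


def unreachable_rules(table: List[FilterRule]) -> List[str]:
    """Names of rules shadowed by an earlier catch-all rule (for example a
    deny-everything rule that was not placed last)."""
    for i, rule in enumerate(table):
        if rule.is_catch_all():
            return [r.name for r in table[i + 1:]]
    return []


# Constructed sample addresses standing in for A, B, C, subnet D and the local stack.
HOST_A, HOST_B, HOST_C = "192.0.2.10", "192.0.2.20", "192.0.2.30"
SUBNET_D = "198.51.100.0/24"
LOCAL = "203.0.113.1"

# The sample table from the text, minus rule 4 (IKE identity is not a packet property).
TABLE = [
    FilterRule("telnet-from-A", PERMIT, src=HOST_A, protocol="tcp", dst_port=23, direction="inbound"),
    FilterRule("ftp-from-B", PERMIT, src=HOST_B, protocol="tcp", dst_port=21, direction="inbound"),
    FilterRule("ftp-from-C", PERMIT, src=HOST_C, protocol="tcp", dst_port=21, direction="inbound"),
    FilterRule("ipsec-from-D", IPSEC, src=SUBNET_D, direction="inbound"),
    FilterRule("outbound-any", PERMIT, direction="outbound"),
    FilterRule("deny-rest", DENY),
]

if __name__ == "__main__":
    for pkt in (Packet(HOST_A, LOCAL, "tcp", 23, "inbound"),
                Packet(HOST_A, LOCAL, "tcp", 21, "inbound"),
                Packet("198.51.100.7", LOCAL, "udp", 53, "inbound"),
                Packet(LOCAL, "203.0.113.99", "tcp", 443, "outbound")):
        print(pkt, "->", evaluate(TABLE, pkt))
```

Two points the run makes concrete: with an empty table, evaluate() returns DENY under the default-deny policy and PERMIT only if default_action is changed, which is the isolation-versus-exposure difference the text describes; and unreachable_rules() flags every rule that follows a catch-all, so moving the deny-rest rule anywhere but last silently disables the rules after it.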