Overview of using IP security
z/OS® Communications Server provides the ability to control and monitor network traffic on one or more TCP/IP stacks on a z/OS system. IP security for z/OS Communications Server supports IP filtering, IPSec, and Internet Key Exchange (IKE). IP security for z/OS Communications Server supports two versions of the IKE protocol: IKEv1 and IKEv2. See Dynamic key management - IKE and IPSec negotiations for more information.
IP security policy can be used for the following protection:
- Protect a secure host on an internal network from unwanted network traffic
- Provide protection for traffic between partner companies over connected networks
- Allow secure sending of data over the Internet by providing IPSec virtual private network (VPN) support
These features are implemented in the IP layer on a per packet basis, and thus are available to any network application without requiring any special modifications. Applications can also implement their own additional security features as necessary, on top of the underlying IP security.
IP security policy is enabled, enforced, managed, and monitored through a coordinated effort of several z/OS Communications Server components:
- Policy Agent
The Policy Agent is used to configure IP security on a z/OS system. It reads the configuration files that contain the IP security policy configuration statements, checks them for errors, and installs them into the IKE daemon and the TCP/IP stack.
- Internet Key Exchange daemon (IKED)
The Internet Key Exchange daemon is responsible for retrieving IP security policy from Policy Agent, and dynamically managing keys that are associated with dynamic IPSec VPNs. This daemon also provides network management capabilities for IP security aspects of local TCP/IP stacks.
- Network Security Services daemon (NSSD)
The Network Security Services daemon provides the NSS server functionality. It provides the NSS IPSec certificate service to perform digital signature creation and verification operations on behalf of NSS IPSec clients. The NSS IPSec certificate service is used by the IKED during phase 1 negotiations when digital signature authentication is required.
- TCP/IP stack
The stack maintains a list of currently active IP filters and IPSec Security Associations, actively filters network traffic, controls encryption and decryption of network data, and maintains counters that are associated with an IPSec Security Association lifetime.
- Traffic Regulation Manager daemon (TRMD)
The Traffic Regulation Manager daemon is responsible for logging IP security events that are detected by the stack, including IP filter events, updates to IP security policy, and the creation, deletion, and refresh of IPSec Security Associations.
- System logging daemon (syslogd)
The system logging daemon manages the logging of messages and events for all of the other components, including where the log messages are written.
These components provide a combination of technologies that form the basis of IP security:
- IP filtering
- IP filter logging
- Data encryption and authentication