Planning your multilevel secure network

Separate your network into security zones. Each subnetwork of physically managed systems should be defined as a single security zone. Several subnetworks with identical security labels and discretionary access control policy requirements can be assigned the same security zone name. Each trusted subnetwork of self-managed multilevel secure systems likely requires several security zones. The trusted subnetwork can also contain physically managed resources, such as routers and network administrator workstations. The trusted subnetwork security zone is likely to require a SYSHIGH security label. Multilevel secure stacks within the trusted subnetwork must have their interface addresses in security zones with the security label of the stack. VIPAs are usually placed in separate subnetworks dedicated to VIPAs and containing no real interface addresses. Multicast addresses, loopback addresses, and unspecified addresses (IPv4 INADDR_ANY and IPv6 in6addr_any) require security zones as well.

The security administrator takes the following actions:

• Defines security labels in the z/OS® security server.
• Creates user IDs in the security server with appropriate security labels.
• Defines common discretionary access control policies.
• Defines the security zone name for each required combination of security label and discretionary access control policy.
• Identifies groups of managed machines that belong in each security zone.
• Provides physical security for each group of machines to ensure only users with appropriate security clearance can use them.
• Configures managed machines so that only the network administrator can set IP addresses.

The network administrator takes the following actions:

• Isolates each group of machines into a subnetwork.
• Configures IP addresses on the machines.
• Configures a firewall to limit each group to communicate only with other subnetworks that have the same security label.
• Assigns network security zone names to subnetworks.
• Defines a NETACCESS statement that maps subnetworks and systems into network security zones. This can be placed in a shared data set that can be included in the PROFILE.TCPIP of all z/OS CS stacks in the network.