Setting up IP security configuration files can be a complex task, as there are many powerful features, options, and controls. However, after the security needs of the business are identified, implementing an IP security policy becomes a matter of translating the requirements to a Policy Agent configuration file.
The choice of protection model primarily depends on the network topology. Although it is perfectly permissible to follow a single model when configuring IP security policy, the z/OS® IP security function enables any number of models to be installed concurrently. Commonly, one set of rules governs internal network traffic, another protects traffic from connected networks, and a third provides security for traffic that is routed over the Internet. The following scenarios presume that you are configuring a secure server that is a multihomed host that is connected to an internal, an external, and a wide-area network that traverses the Internet. The configuration guidelines that are presented in the following subtopics are based on three business models:
- Trusted internal network (permit, deny)
In the trusted internal network model, the server is protecting traffic that originates from hosts inside a privately controlled network. IP packets on the internal network are not generally subject to the stringent restrictions that are placed on traffic that is generated from outside the business. This model is usually more tolerant, given that users inside the company need access to internal network resources and services, such as the web, FTP, and Telnet.
- Partner company (permit, deny, strong IPSec protection)
The partner company model consists of two interconnected networks, with the server protecting traffic that originates from hosts outside the internal network. Typically, two separate networks are physically connected to the z/OS server. Because the traffic is not restricted to internal hosts, security is usually somewhat tighter than in the trusted internal network model. Each partner company has no physical control over the machine of the other partner company. The services that are provided are determined by the needs of the business, but typically include many of the same services that are provided to the internal network, such as access to a web server, FTP, and Telnet. Though many services might be allowed between partner companies, the need for confidentiality and authentication of data is more stringent than in the trusted internal network model, because there is little to no control over the other network. IPSec is often specified to authenticate and optionally encrypt data that flows between the two networks.
- Branch office (permit, deny, strong tunnel-mode IPSec protection)
The branch office model consists of two networks whose IP connectivity relies on the Internet. The server is protecting traffic that originates from hosts outside the internal network, which at some point is routed over the Internet. Because there is no control over any data that traverses the Internet, the need for security is greatest in this model. The services that are provided are based on business need, but typically include a subset of what is available internally. All traffic that traverses the Internet carrying vital information should be secured using some form of authentication and encryption.
Figure 1 shows a sample network for all three security models.
The following subtopics describe how to configure these models using the steps described in Steps for configuring IP security policy. The policy examples assume that a default-deny policy is in place. Any traffic not explicitly permitted is blocked.