The branch office model part 2 is similar to the branch
office model part 1. Here, there are multiple data endpoints on both
the local side and the remote side, but only one pair of security
endpoints, one local and one remote.
Before you begin
It is not likely that the z/OS® system
will function strictly as a router or a firewall at the network perimeter,
but it is possible to configure the z/OS system
to provide the IPSec functionality that many secure gateway devices
provide. This topic includes instructions on how to configure a scenario
in which the z/OS system is
routing network traffic from inside the internal network. This functionality
is similar to the functionality that is provided by the branch office
gateway in Steps for configuring the branch office model: Part 1 (host-to-gateway with IPSec).
In this example, assume that the local z/OS system is acting as a secure
gateway for hosts on an internal network A, and tunneling the IPSec-protected
traffic to a remote secure gateway for subnetwork C. The following
list summarizes the requirements for this example:
- Permit IKE negotiations between the two security gateways, the
secure local host and the secure remote gateway for subnetwork C.
- Permit traffic from the internal network to the internal interface
on the secure local host.
- Add IPSec protection to any traffic that flows between the two
secure gateways.
In this scenario, the z/OS system
is a secure forwarding agent for the internal hosts, rather than a
data endpoint. Traffic from the internal hosts that is destined for
the remote network first comes to the secure local gateway in the
clear. Before it is sent out to the remote network, it is IPSec encapsulated.
The process is reversed for traffic that comes from the remote network.
Traffic that comes from the remote network to the local secure gateway
is IPSec decapsulated on the local secure host and forwarded to the
internal host in the clear.
Procedure
Perform the following steps to meet the above requirements
and configure part 2 of the branch office model.
- Permit IKE negotiations between the two secure gateways. UDP port 500 traffic must be allowed for IKE negotiations.
IpFilterRule Rule1AtoC
{
    IpSourceAddrRef             PublicServerAddressA1
    IpDestAddrRef               BranchOfficeGateway
    IpServiceRef                IKE
    IpGenericFilterActionRef    permit
}
- Permit traffic from the internal network to the internal
interface on the secure host.
IpFilterRule Rule2AtoC
{
    IpSourceAddrSetRef          SubnetC
    IpDestAddrSetRef            InternalNetworkA
    IpServiceGroupRef           All-traffic-routed
    IpGenericFilterActionRef    permit
}
The bidirectional keyword on the IpService statement
creates two filter rules, one inbound and one outbound. Expansion
of this IpFilterRule statement is shown in Table 1.
Table 1. Expanded filter rule for internal traffic

| Source | Destination | Routing | Direction | Action |
|---|---|---|---|---|
| SubnetC | InternalNetworkA | Routed | Outbound | permit |
| InternalNetworkA | SubnetC | Routed | Inbound | permit |
As required, traffic that enters the secure server from
InternalNetworkA that is destined for SubnetC is permitted by the
secure host as an inbound routed packet. Traffic that leaves the secure
server from SubnetC destined for InternalNetworkA is permitted by
the secure host as an outbound routed packet.
- Add IPSec protection to any traffic that flows between
the two secure gateways.
IpFilterRule Rule3AtoC
{
    IpSourceAddrSetRef          InternalNetworkA
    IpDestAddrSetRef            SubnetC
    IpServiceGroupRef           All-traffic-routed
    IpGenericFilterActionRef    ipsec-log
}
Expansion of this rule is shown in Table 2.
Table 2. Expanded filter rule for remote traffic

| Source | Destination | Routing | Direction | Action |
|---|---|---|---|---|
| InternalNetworkA | SubnetC | Routed | Outbound | ipsec |
| SubnetC | InternalNetworkA | Routed | Inbound | ipsec |
Traffic that leaves the secure server from InternalNetworkA
that is destined for SubnetC is permitted with ipsec. Traffic that
enters the secure server from SubnetC that is destined for InternalNetworkA
is permitted with ipsec.
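The following Python model is an added example, not z/OS Policy Agent code. It shows the expansion that Table 1 and Table 2 describe (the bidirectional rule as written becomes the outbound row, and its mirror image with source and destination swapped becomes the inbound row), and then runs a packet that the gateway forwards through both filter passes: inbound on the interface it arrives on, then outbound on the interface it leaves by. That is why a packet from InternalNetworkA to SubnetC is permitted in the clear by Rule2AtoC on the way in and given IPSec protection by Rule3AtoC on the way out, while the reverse flow is decapsulated on the way in and permitted on the way out. The IP addresses, the Local routing on the IKE rule, and the first-match search order are assumptions labelled in the code; the page names the address sets but gives no addresses.

```python
"""Expand bidirectional IpFilterRule definitions into direction-specific rows
(as in Table 1 and Table 2) and run a forwarded packet through the gateway's
two filter passes. Added illustration, not the z/OS Policy Agent's own parser
or filter engine. All IP addresses below are constructed placeholders."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed address sets; the page names them but gives no addresses.
ADDR_SETS = {
    "PublicServerAddressA1": [ip_network("192.0.2.10/32")],
    "BranchOfficeGateway": [ip_network("198.51.100.20/32")],
    "InternalNetworkA": [ip_network("10.1.0.0/16")],
    "SubnetC": [ip_network("10.3.0.0/16")],
}

Service = Optional[Tuple[int, int]]  # (IP protocol, port) or None for all traffic
IKE = (17, 500)                      # IKE: UDP port 500 at both ends


@dataclass(frozen=True)
class Rule:
    name: str
    src: str      # address set name
    dst: str
    routing: str  # "Routed": stack forwards the packet; "Local": stack is an endpoint
    action: str   # permit / ipsec / deny
    service: Service = None


@dataclass(frozen=True)
class Row:
    rule: str
    src: str
    dst: str
    routing: str
    direction: str  # "Outbound" or "Inbound"
    action: str
    service: Service = None


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int = 6  # TCP unless stated
    port: int = 0


# The three rules from the page. Routing "Local" on the IKE rule is an
# assumption (the gateway itself terminates IKE); the page does not state it.
RULES = [
    Rule("Rule1AtoC", "PublicServerAddressA1", "BranchOfficeGateway", "Local", "permit", IKE),
    Rule("Rule2AtoC", "SubnetC", "InternalNetworkA", "Routed", "permit"),
    Rule("Rule3AtoC", "InternalNetworkA", "SubnetC", "Routed", "ipsec"),
]


def expand(rule: Rule) -> List[Row]:
    """Bidirectional expansion: the rule as written is the outbound row; its
    mirror image (source and destination swapped) is the inbound row."""
    return [
        Row(rule.name, rule.src, rule.dst, rule.routing, "Outbound", rule.action, rule.service),
        Row(rule.name, rule.dst, rule.src, rule.routing, "Inbound", rule.action, rule.service),
    ]


def expand_policy(rules: List[Rule] = RULES) -> List[Row]:
    return [row for rule in rules for row in expand(rule)]


def in_set(addr: str, set_name: str) -> bool:
    return any(ip_address(addr) in net for net in ADDR_SETS[set_name])


def lookup(rows: List[Row], pkt: Packet, direction: str, routing: str) -> Optional[str]:
    """First matching row wins (assumed search order); None means no rule
    matched, which a deny-by-default filter would drop."""
    for row in rows:
        if row.direction != direction or row.routing != routing:
            continue
        if not (in_set(pkt.src, row.src) and in_set(pkt.dst, row.dst)):
            continue
        if row.service is not None and (pkt.proto, pkt.port) != row.service:
            continue
        return row.action
    return None


def forward(pkt: Packet, rows: Optional[List[Row]] = None) -> Tuple[Optional[str], Optional[str]]:
    """A packet the gateway forwards is filtered twice: inbound on arrival and
    outbound on departure. Returns (inbound action, outbound action)."""
    rows = expand_policy() if rows is None else rows
    return lookup(rows, pkt, "Inbound", "Routed"), lookup(rows, pkt, "Outbound", "Routed")


if __name__ == "__main__":
    for row in expand_policy():
        print(f"{row.rule:10} {row.src:22} -> {row.dst:22} {row.routing:7} {row.direction:9} {row.action}")
    print(forward(Packet("10.1.5.7", "10.3.9.2")))  # internal host -> remote subnet
    print(forward(Packet("10.3.9.2", "10.1.5.7")))  # remote subnet -> internal host
```

Running the module prints the six expanded rows and then the two action pairs for a forwarded packet in each direction; the IKE rule is only consulted for traffic the gateway itself originates or terminates (routing Local), so it never matches forwarded packets.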