Description: z/OS® V2R1
Communications Server includes the following enhancements for security:
- Enhanced IDS IP fragment attack detection - The Intrusion Detection Services (IDS) IP fragment attack type is enhanced to detect fragment overlays that change the data in the packet. In addition, the IP fragment attack detection is extended to IPv6 traffic.
- Improve auditing of NetAccess rules - Control over the
level of caching that is used for network access control checks is
introduced. You can reduce the level of caching to pass more network
access control checks to the System Authorization Facility (SAF).
Passing more network access control checks to SAF allows the security
server product to provide more meaningful auditing of access control
checks.
An additional enhancement entails including the IP address that the user is attempting to access in the log string that is provided to the security server product on each network access control check.
- AT-TLS support for TLS v1.2 and related features - Application
Transparent TLS (AT-TLS) currency with z/OS System
SSL is supported. Support is added for the following functions that
are provided by System SSL:
- Renegotiation (RFC 5746) in z/OS V1R12
- Elliptic Curve Cryptography (RFC 4492 and RFC 5480) in z/OS V1R13
- TLSv1.2 (RFC 5246) in z/OS V2R1
- AES GCM Cipher Suites (RFC 5288) in z/OS V2R1
- Suite B Profile (RFC 5430) in z/OS V2R1
- ECC and AES GCM with SHA-256/384 (RFC 5289) in z/OS V2R1
- Improved FIPS 140 diagnostics - Enhanced diagnostics for
the IKE and NSS daemons and the AT-TLS function are provided when
FIPS 140 processing is required.
Integrated Cryptographic Services Facility (ICSF) is required when FIPS 140 is configured for the IKE or NSS daemons or for an AT-TLS group. Starting in V2R1, these daemons and the AT-TLS groups will fail to initialize if ICSF is not active.
- Limit defensive filter logging - The existing defensive filtering function provides a mechanism to install temporary filters to either deny attack packets or log when a packet would have been denied if blocking mode was used. You can now limit the number of defensive filter messages that are written to syslogd for a blocking or simulate mode filter. You can configure a default limit to be used for all defensive filters that are added to a TCP/IP stack. You can also specify a limit when adding an individual defensive filter with the z/OS UNIX ipsec command.
- QDIO Outbound flood prevention - CSM storage constraints
are relieved when processing ICMP Timestamp requests.
Because the z/OS TCP/IP stack replies to these requests, a flood of such requests can cause problems under the right conditions. Such a flood causes the TCP/IP stack to back up because it cannot get the responses out quickly enough, which results in a constrained CSM condition.
If the constrained CSM condition is not relieved, it might cause a stack outage. This behavior might happen with:- Other ICMP requests that always generate a response (for example, echo requests)
- UDP requests to an application that behaves in a similar manner
QDIO outbound packets will be dropped when CSM storage is constrained and the outbound queues are congested. This support alleviates these problems.
- TN3270 client-bound data queueing limit - MAXTCPSENDQ, a new parameter in the Telnet profile, is introduced to prevent large amounts of storage from being held for data that is destined for an unresponsive Telnet client.
AT-TLS enablement for DCAS - With APAR PM96898
installed, the Digital Certificate Access Server (DCAS) is enhanced
to use Application Transparent Transport Layer Security (AT-TLS).
To use TLSv1.2 to secure the connection, you must define AT-TLS policies
for the DCAS. Migrate to AT-TLS to allow the DCAS to use the latest support for SSL/TLS. Configuring TLS/SSL by using the DCAS configuration file is supported, but such support is deprecated and will no longer be enhanced.
- Network security enhancements for SNMP - With
APAR PM96901 installed, the SNMP Agent, the z/OS UNIX snmp command,
and the SNMP manager API are enhanced to support the Advanced Encryption
Standard (AES) 128-bit cipher algorithm as an SNMPv3 privacy protocol
for encryption. The AES 128-bit cipher algorithm is a stronger encryption
protocol than the current Data Encryption Standard (DES) 56-bit algorithm.
AES is a symmetric cipher algorithm that the National Institute of
Standards (NIST) selects to replace DES. RFC 3826, The Advanced
Encryption Standard (AES) Cipher Algorithm in the SNMP User-based
Security Model (USM), specifies that Cipher Feedback Mode (CFB)
mode is to be used with AES encryption.
- TLS security enhancements for sendmail - With
APAR PM96896 installed, z/OS UNIX sendmail is enabled to support
TLSv1.1 and TLSv1.2 with a new set of TLSv1.2 2-byte specific ciphers.
- TLS security enhancements for Policy Agent -
With APAR PM96891 installed, centralized Policy Agent is enabled to
support TLSv1.1 and TLSv1.2 with a new set of TLSv1.2 2-byte specific
ciphers. In addition, the import services between the Policy Agent
and IBM® Configuration Assistant
for z/OS Communications Server
allow user-defined AT-TLS policies to create a secure SSL connection.
When change was introduced: z/OS V2R1
Reference information: See the following topics in z/OS V2R1.0 Communications Server: New Function Summary for
detailed descriptions that include any applicable restrictions, dependencies,
and steps on using the functions:
- Enhanced IDS IP fragment attack detection
- Improve auditing of NetAccess rules
- AT-TLS support for TLS v1.2 and related features
- Improved FIPS 140 diagnostics
- Limit defensive filter logging
- QDIO Outbound flood prevention
- TN3270 client-bound data queueing limit
- AT-TLS enablement for DCAS
- Network security enhancements for SNMP
- TLS security enhancements for sendmail
- TLS security enhancements for Policy Agent