Description: z/OS® V2R1
Communications Server includes the following enhancements for security:
- Enhanced IDS IP fragment attack detection - The Intrusion
Detection Services (IDS) IP fragment attack type is enhanced to detect
fragment overlays that change the data in the packet. In addition,
the IP fragment attack detection is extended to IPv6 traffic.
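The following added illustration (not z/OS Communications Server code) shows the kind of check this enhancement performs: fragments are modelled as (offset, payload) pairs so the same logic applies to IPv4 and IPv6, and only an overlap that changes bytes already received is flagged, not a plain retransmitted duplicate. The sample fragments are constructed.

```python
from dataclasses import dataclass, field

# IPv4 Fragment Offset and the IPv6 Fragment header both count offsets in 8-byte units.
FRAG_UNIT = 8


@dataclass
class Reassembly:
    """Bytes received so far for one datagram (one IPv4 id / IPv6 fragment id)."""
    seen: dict = field(default_factory=dict)  # absolute byte offset -> byte value

    def add_fragment(self, offset_units: int, payload: bytes) -> list:
        """Record a fragment and return (offset, earlier_byte, new_byte) for every
        byte that overlaps an earlier fragment with a *different* value."""
        conflicts = []
        base = offset_units * FRAG_UNIT
        for i, b in enumerate(payload):
            pos = base + i
            if pos in self.seen and self.seen[pos] != b:
                conflicts.append((pos, self.seen[pos], b))
            # Keep the first-seen byte; a later overlay must not silently win.
            self.seen.setdefault(pos, b)
        return conflicts


def detect_overlay(fragments) -> tuple:
    """Feed fragments in arrival order; return (is_overlay_attack, conflicts).
    Exact duplicates (same bytes at the same offset) are not flagged."""
    r = Reassembly()
    conflicts = []
    for units, data in fragments:
        conflicts.extend(r.add_fragment(units, data))
    return bool(conflicts), conflicts


# Constructed samples (fragment offsets in 8-byte units, payloads as bytes):
# a retransmitted duplicate fragment, and an overlay that rewrites bytes 11-14.
BENIGN_DUPLICATE = [(0, b"GET /ind"), (1, b"ex.html "), (1, b"ex.html ")]
DATA_CHANGING_OVERLAY = [(0, b"GET /ind"), (1, b"ex.html "), (1, b"ex.HTML ")]

if __name__ == "__main__":
    print(detect_overlay(BENIGN_DUPLICATE))        # (False, [])
    print(detect_overlay(DATA_CHANGING_OVERLAY))   # (True, [(11, 104, 72), ...])
```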
- Improve auditing of NetAccess rules - Control over the
level of caching that is used for network access control checks is
introduced. You can reduce the level of caching to pass more network
access control checks to the System Authorization Facility (SAF).
Passing more network access control checks to SAF allows the security
server product to provide more meaningful auditing of access control
checks.
An additional enhancement entails including the IP address
that the user is attempting to access in the log string that is provided
to the security server product on each network access control check.
- AT-TLS support for TLS v1.2 and related features - Application
Transparent TLS (AT-TLS) currency with z/OS System
SSL is supported. Support is added for the following functions that
are provided by System SSL:
  - Renegotiation (RFC 5746) in z/OS V1R12
  - Elliptic Curve Cryptography (RFC 4492 and RFC 5480) in z/OS V1R13
  - TLSv1.2 (RFC 5246) in z/OS V2R1
  - AES GCM Cipher Suites (RFC 5288) in z/OS V2R1
  - Suite B Profile (RFC 5430) in z/OS V2R1
  - ECC and AES GCM with SHA-256/384 (RFC 5289) in z/OS V2R1
- Improved FIPS 140 diagnostics - Enhanced diagnostics for
the IKE and NSS daemons and the AT-TLS function are provided when
FIPS 140 processing is required.
Integrated Cryptographic Services
Facility (ICSF) is required when FIPS 140 is configured for the IKE
or NSS daemons or for an AT-TLS group. Starting in V2R1, these daemons
and the AT-TLS groups will fail to initialize if ICSF is not active.
- Limit defensive filter logging - The existing defensive
filtering function provides a mechanism to install temporary filters
to either deny attack packets or log when a packet would have been
denied if blocking mode was used. You can now limit the number of
defensive filter messages that are written to syslogd for a blocking
or simulate mode filter. You can configure a default limit to be used
for all defensive filters that are added to a TCP/IP stack. You can
also specify a limit when adding an individual defensive filter with
the z/OS UNIX ipsec command.
- QDIO Outbound flood prevention - CSM storage constraints
are relieved when processing ICMP Timestamp requests.
Because the z/OS TCP/IP stack replies to these
requests, a flood of such requests can cause problems under the right
conditions. Such a flood causes the TCP/IP stack to back up because
it cannot get the responses out quickly enough, which results in a
constrained CSM condition.
If the constrained CSM condition
is not relieved, it might cause a stack outage. This behavior might
happen with:
  - Other ICMP requests that always generate a response (for example,
  echo requests)
  - UDP requests to an application that behaves in a similar manner
QDIO outbound packets will be dropped when CSM storage
is constrained and the outbound queues are congested. This support
alleviates these problems.
- TN3270 client-bound data queueing limit - MAXTCPSENDQ,
a new parameter in the Telnet profile, is introduced to prevent large
amounts of storage from being held for data that is destined for an
unresponsive Telnet client.
- AT-TLS enablement for DCAS - With APAR PM96898
installed, the Digital Certificate Access Server (DCAS) is enhanced
to use Application Transparent Transport Layer Security (AT-TLS).
To use TLSv1.2 to secure the connection, you must define AT-TLS policies
for the DCAS.
Migrate to AT-TLS to allow the DCAS to use the latest
support for SSL/TLS. Configuring TLS/SSL by using the DCAS configuration
file is supported, but such support is deprecated and will no longer
be enhanced.
- Network security enhancements for SNMP - With
APAR PM96901 installed, the SNMP Agent, the z/OS UNIX snmp command,
and the SNMP manager API are enhanced to support the Advanced Encryption
Standard (AES) 128-bit cipher algorithm as an SNMPv3 privacy protocol
for encryption. The AES 128-bit cipher algorithm is a stronger encryption
algorithm than the existing Data Encryption Standard (DES) 56-bit algorithm.
AES is a symmetric cipher algorithm that the National Institute of
Standards and Technology (NIST) selected to replace DES. RFC 3826, The Advanced
Encryption Standard (AES) Cipher Algorithm in the SNMP User-based
Security Model (USM), specifies that Cipher Feedback (CFB) mode
is to be used with AES encryption.
- TLS security enhancements for sendmail - With
APAR PM96896 installed, z/OS UNIX sendmail is enabled to support
TLSv1.1 and TLSv1.2 with a new set of 2-byte cipher specifications that are specific to TLSv1.2.
- TLS security enhancements for Policy Agent -
With APAR PM96891 installed, centralized Policy Agent is enabled to
support TLSv1.1 and TLSv1.2 with a new set of 2-byte cipher specifications
that are specific to TLSv1.2. In addition, the import services between the Policy Agent
and IBM® Configuration Assistant
for z/OS Communications Server
allow user-defined AT-TLS policies to create a secure SSL connection.
When change was introduced: z/OS V2R1