IPSec is an industry-standard protocol that provides end-to-end authentication and encryption. IPSec provides an excellent method of securing EE connections. z/OS® itself can be an IPSec endpoint or IP security can be offloaded to an attached router platform.

• By placing the IPSec endpoint on z/OS, you have end-to-end protection but your System z CPU will incur the cost of the encryption.
  • Additional assistance for IPSec protocol traffic is available with any IBM® System z® Integrated Information Processor (IBM zIIP). You might need to modify some of your Workload Manager (WLM) definitions when you use zIIPs for IPSec-enabled EE connections. See z/OS Communications Server: IP Configuration Guide for information about modifying WLM definitions for zIIPs.
• By offloading the IPSec function to a router, you offload the encryption cost but you have an unprotected segment between z/OS and the router hosting the IPSec endpoint.