Defensive filtering

An external security information and event manager, by analyzing and correlating messages from multiple sources and systems in the network, can take action to block attacks by installing defensive filters in your TCP/IP stack. A defensive filter is an IP filter rule to discard packets, separate from IP security filters, and is typically installed for a short duration (for example, 30 minutes) to block a specific attack or a pattern of attacks. If traffic being blocked by a defensive filter should be blocked on a long-term basis, update your configured IP security policy to add an IP security deny rule.

A defensive filter uses a combination of the following characteristics to target traffic to be discarded:

  • IP source or destination address
  • IP protocol
  • Source or destination port
  • ICMP type or code
  • Direction of flow
  • Type of traffic: Routed or local

For example, a defensive filter might be installed to block all TCP traffic from IP address 10.1.1.1 that is destined for the Telnet server. This filter has the following characteristics:

  • IP source address is 10.1.1.1.
  • IP protocol is TCP.
  • Destination port is 23.
  • Direction of flow is inbound.
  • Traffic is local.

Defensive filters are given higher priority than IP security filters. That is, IP filter processing first checks any installed defensive filters for a match against a packet, before checking the IP security filters. When a defensive filter is added to a TCP/IP stack, it is placed at the top of the filter search order.
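The search order and the filter characteristics described above, as a small executable model. This is an added example, not code from z/OS Communications Server: the Packet and Filter classes, the field names, the sample IP security policy and the treatment of a packet that matches nothing (discarded, as an assumed implicit default) are assumptions made for the model. It shows the Telnet filter from the text discarding a packet that the configured policy would permit, the same packet being permitted again once the 30-minute lifetime has elapsed, and packets that differ in one characteristic (source address, protocol, ICMP type) falling through to the IP security filters.

```python
"""Model of the filter search order: installed defensive filters are consulted
before IP security filters, the most recently added defensive filter sits at
the top, and a defensive filter stops matching once its lifetime expires.
Added example; classes, field names and sample policy are assumptions."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                      # "tcp", "udp" or "icmp"
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None
    direction: str = "inbound"      # "inbound" or "outbound"
    routing: str = "local"          # "local" (ends in this stack) or "routed"


@dataclass(frozen=True)
class Filter:
    """One filter rule. A field left at None matches any value, mirroring the
    characteristics the text lists (addresses, protocol, ports, ICMP type or
    code, direction, routed or local)."""
    name: str
    action: str                     # "discard" or "permit"
    src: Optional[str] = None
    dst: Optional[str] = None
    proto: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None
    direction: Optional[str] = None
    routing: Optional[str] = None
    expires_at: Optional[int] = None   # defensive filters only: epoch seconds

    def matches(self, pkt: Packet) -> bool:
        pairs = [(self.src, pkt.src), (self.dst, pkt.dst), (self.proto, pkt.proto),
                 (self.sport, pkt.sport), (self.dport, pkt.dport),
                 (self.icmp_type, pkt.icmp_type), (self.icmp_code, pkt.icmp_code),
                 (self.direction, pkt.direction), (self.routing, pkt.routing)]
        return all(want is None or want == have for want, have in pairs)


def evaluate(pkt: Packet, defensive: list, ipsec_rules: list, now: int) -> Tuple[str, str]:
    """Return (action, name of the filter that decided). Defensive filters are
    searched first, newest first, skipping expired ones; then the IP security
    filters in policy order; a packet matching nothing is discarded (the
    model's assumption for the stack's implicit default)."""
    for f in reversed(defensive):          # each add goes to the top of the search order
        if f.expires_at is not None and now >= f.expires_at:
            continue                       # lifetime elapsed: the filter no longer applies
        if f.matches(pkt):
            return f.action, f.name
    for r in ipsec_rules:
        if r.matches(pkt):
            return r.action, r.name
    return "discard", "implicit-deny"


NOW = 1_700_000_000

# Configured IP security policy (assumed): Telnet to this stack is permitted.
IPSEC_RULES = [
    Filter("permit-telnet", "permit", proto="tcp", dport=23,
           direction="inbound", routing="local"),
    Filter("deny-all", "discard"),
]

# Defensive filters installed by the SIEM, in the order they were added. The
# first is the Telnet example from the text, with a 30-minute lifetime.
DEFENSIVE = [
    Filter("blockTelnetFrom10.1.1.1", "discard", src="10.1.1.1", proto="tcp",
           dport=23, direction="inbound", routing="local",
           expires_at=NOW + 30 * 60),
    Filter("blockEchoRequest", "discard", proto="icmp", icmp_type=8,
           direction="inbound", expires_at=NOW + 10 * 60),
]


def scenario() -> dict:
    attacker = Packet("10.1.1.1", "10.1.1.2", "tcp", sport=40000, dport=23)
    return {
        # discarded by the defensive filter although policy permits Telnet
        "attacker_now": evaluate(attacker, DEFENSIVE, IPSEC_RULES, NOW),
        # after the lifetime elapses the IP security policy decides again
        "attacker_after_expiry": evaluate(attacker, DEFENSIVE, IPSEC_RULES, NOW + 31 * 60),
        # a different source address does not match the defensive filter
        "other_host": evaluate(Packet("10.1.1.9", "10.1.1.2", "tcp", sport=40001, dport=23),
                               DEFENSIVE, IPSEC_RULES, NOW),
        # same source, UDP: protocol differs, so only the policy's deny-all applies
        "attacker_udp": evaluate(Packet("10.1.1.1", "10.1.1.2", "udp", sport=40002, dport=23),
                                 DEFENSIVE, IPSEC_RULES, NOW),
        # ICMP echo request is caught by the second defensive filter; echo reply is not
        "ping": evaluate(Packet("10.1.1.9", "10.1.1.2", "icmp", icmp_type=8, icmp_code=0),
                         DEFENSIVE, IPSEC_RULES, NOW),
        "pong": evaluate(Packet("10.1.1.9", "10.1.1.2", "icmp", icmp_type=0, icmp_code=0),
                         DEFENSIVE, IPSEC_RULES, NOW),
    }


if __name__ == "__main__":
    for label, (action, by) in scenario().items():
        print(f"{label:22} {action:8} by {by}")
```

The point the model makes concrete is the last sentence of the text: the defensive filter wins only because it is searched first and only while it is alive. Once it expires, the packet is judged by the IP security policy again, which is why a block that should persist belongs in the policy as a deny rule rather than in a defensive filter with a long lifetime.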

Figure 1 provides an overview of defensive filtering.

Figure 1. Defensive filtering overview
This figure shows the interactions between the components that are involved in defensive filtering.

Defensive filters are added and managed using the z/OS® UNIX ipsec command with the -F primary option.

  • Defensive filters are typically added as an automated action resulting from an external security information and event manager's analysis. The manager issues the set of ipsec commands that install the required defensive filters.
  • You can also add a defensive filter by manually issuing the ipsec command.
  • After a defensive filter is created, you can use the ipsec command to update some attributes of the filter, such as its lifetime, and also to display and delete defensive filters.
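The automated path in the first bullet, as an added example that is not IBM code and not part of the page: a SIEM-side script that correlates constructed log lines and, for a source that crosses a failed-login threshold inside a short window, composes the ipsec -F add command for a 30-minute defensive filter, plus the update and delete commands used later in the filter's life. The stack name TCPCS, the log line format, the threshold and the filter naming are assumptions. The -F primary option with add, update and delete, and the -N name, -p stack, -c comment and -l lifetime options are used as this example's writer recalls them; the packet selection options (-d, -s, -P, -e, -r) and their values are assumptions and must be checked against the ipsec command reference cited below before anything is executed.

```python
"""SIEM-side automation for defensive filters (added example, not IBM code).
Correlates constructed log lines and composes ipsec -F commands for one stack.
The -d/-s/-P/-e/-r selection options are assumed; verify them in the command
reference before running with execute=True."""
import re
import shlex
import subprocess
from collections import defaultdict
from datetime import datetime, timedelta

STACK = "TCPCS"                 # assumed TCP/IP stack name
LIFETIME_MINUTES = 30           # short duration, as the text suggests
THRESHOLD = 5                   # failed logins from one source ...
WINDOW = timedelta(minutes=1)   # ... within this sliding window

# Constructed sample feed; the line format is invented for this example.
SAMPLE_LOG = """\
2024-05-01T10:00:01 telnetd: login failed user=ROOT from=10.1.1.1 port=23
2024-05-01T10:00:03 telnetd: login failed user=ADMIN from=10.1.1.1 port=23
2024-05-01T10:00:04 telnetd: login ok user=JSMITH from=10.1.1.9 port=23
2024-05-01T10:00:05 telnetd: login failed user=OPER from=10.1.1.1 port=23
2024-05-01T10:00:06 telnetd: login failed user=IBMUSER from=10.1.1.1 port=23
2024-05-01T10:00:07 telnetd: login failed user=SYS1 from=10.1.1.1 port=23
2024-05-01T10:00:09 telnetd: login failed user=ROOT from=10.1.1.7 port=23
2024-05-01T10:20:00 telnetd: login failed user=ROOT from=10.1.1.7 port=23
"""
FAILED = re.compile(r"^(?P<ts>\S+) telnetd: login failed user=\S+ "
                    r"from=(?P<src>[\d.]+) port=(?P<port>\d+)$")


def offenders(log: str, threshold: int = THRESHOLD, window: timedelta = WINDOW) -> dict:
    """Map each source address with at least `threshold` failed logins inside
    any sliding `window` to the destination port it was hitting."""
    events = defaultdict(list)
    for line in log.splitlines():
        m = FAILED.match(line)
        if m:
            events[m["src"]].append((datetime.fromisoformat(m["ts"]), int(m["port"])))
    hits = {}
    for src, evs in events.items():
        evs.sort()
        for i in range(len(evs)):
            j = i
            while j < len(evs) and evs[j][0] - evs[i][0] <= window:
                j += 1
            if j - i >= threshold:      # `threshold` events start within one window
                hits[src] = evs[i][1]
                break
    return hits


def filter_name(src: str, dport: int) -> str:
    return f"siem_{src.replace('.', '_')}_{dport}"   # naming rules: see the command reference


def add_cmd(src: str, dport: int) -> list:
    """ipsec -F add: discard inbound local TCP from `src` to `dport` for
    LIFETIME_MINUTES. Everything after -l is an assumed selection option."""
    return ["ipsec", "-p", STACK, "-F", "add", "-N", filter_name(src, dport),
            "-c", f"SIEM: failed logins from {src} to port {dport}",
            "-l", str(LIFETIME_MINUTES),
            "-d", "inbound", "-s", src, "-P", "tcp", "-e", str(dport), "-r", "local"]


def update_cmd(name: str, lifetime: int) -> list:
    """Change the lifetime of an installed defensive filter (one of the
    attributes the text says can be updated)."""
    return ["ipsec", "-p", STACK, "-F", "update", "-N", name, "-l", str(lifetime)]


def delete_cmd(name: str) -> list:
    return ["ipsec", "-p", STACK, "-F", "delete", "-N", name]


def plan(log: str) -> list:
    """The ipsec add commands the SIEM would issue for this log."""
    return [add_cmd(src, port) for src, port in sorted(offenders(log).items())]


def run(argv: list, execute: bool = False) -> str:
    """Print the command line; execute it only when asked, on a z/OS image where
    the DMD is active and the caller is authorized for ipsec -F."""
    line = shlex.join(argv)
    print(line)
    if execute:
        subprocess.run(argv, check=True)
    return line


if __name__ == "__main__":
    for argv in plan(SAMPLE_LOG):
        run(argv)
```

The window logic matters for the failure mode the text warns about: 10.1.1.7 in the sample fails twice but 20 minutes apart, so it never earns a filter, while a burst from 10.1.1.1 does. When the same source keeps earning filters after the 30 minutes elapse, that is the signal to add a deny rule to the IP security policy instead of extending the defensive filter indefinitely with update_cmd.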

For more information about the ipsec command, see z/OS Communications Server: IP System Administrator's Commands.

Requirements:
  • You must enable the IP security function for defensive filters to be installed in a stack. If you do not have the IP security function enabled, see Enabling the IP security function.
  • The Defense Manager daemon (DMD) plays an integral role in managing defensive filters, and must be active for defensive filters to be added, updated, or deleted. One instance of the DMD manages all eligible stacks on a z/OS image. An eligible stack is one that is enabled for IP security and that is included in the DMD configuration file with a mode of Active or Simulate. For information about configuring the DMD, see Steps for configuring the DMD. You can refresh most of the DMD configuration parameters so that options can be changed without recycling the DMD.
Guideline: The DMD can support a maximum of 10 concurrent ipsec command connections.
Restriction: Remote management of defensive filters using a network security services (NSS) server is not supported. Management of defensive filters is provided only through the local ipsec command.