Virtual Private Network (VPN) is a general term used to describe a secure tunnel (data stream) between two endpoints. The term does not describe a protocol. The industry standard protocol for a VPN is an architecture called IPSec. The IPSec architecture is outlined in RFC 2401, and its implementation encompasses RFCs 2402, 2406, and 2407 (there are various others, but those are the big three).

There are some similarities between IPSec and TLS. They both provide encryption of data on the network between two endpoints. They both can provide authentication of those endpoints. An important difference is that IPSec is implemented at the network layer; this is illustrated in Figure 1.

Figure 1. IPSec in the IP layer model

Because IPSec is at the network layer, the endpoints of a VPN occur at the TCP/IP stack. The endpoints of TLS occur only at an application (like the FTP server). This implies that the endpoint of a VPN may exist on the same host as the application is running on, or the endpoint could be at an adjacent firewall on the network. It all depends upon the organization's needs.

The other implication of being at the network layer is that all IP traffic can be directed through a VPN. "All traffic" implies not just traffic from different applications, but also traffic from different applications using other protocols like UDP or ICMP. With TLS, only the traffic between the two implementing applications is protected.

A VPN can be further divided into two different types: a manual VPN and a dynamic VPN. Although z/OS supports manual VPNs, they are not very commonly used. Consequently, this information only discusses dynamic VPNs.

A dynamic VPN requires a separate server to support the exchange of the keys that will be used to encrypt data at each end point. In z/OS, the key exchange is supported by the IKE daemon. IKE stands for Internet Key Exchange, which is the standard (RFC 2409) protocol used to exchange keys for a VPN.

How is this all accomplished on z/OS? The characteristics of the dynamic VPN are controlled by the TCP/IP stack using information from the policy agent. The policy agent is a daemon that runs with the purpose of reading policy definitions from a Lightweight Directory Access Protocol (LDAP) server. The policy definitions are in turn read by the TCP/IP stack.

Here's where you can breath a sigh of relief: the policy definitions themselves are created using a graphical user interface application running on a workstation. The application is called the z/OS IP Security Configuration Assistant. It makes the creation of the rules surrounding a VPN a relatively simple task.