Chapter 14: IP defensive filtering

14.1 Overview of defensive filtering

For a better understanding of defensive filtering, we first contrast IP defensive filtering with IP security filtering.

Filters are rules that are defined to either deny or permit packets. IP filtering matches a filter rule to data traffic based on any combination of IP source or destination address (or masked address), protocol, source or destination port, direction of flow, and time. Thus, IP filtering enables a z/OS system to classify any IP packet from a network interface and to take a specific action according to a predefined set of rules. An administrator can configure IP filtering to permit or deny any given network packet into or out of a z/OS system with an IP filtering rule.

Two types of IP filtering rules exist:

- IP security filtering, where an administrator defines a long-term and usually permanent policy that is then loaded into a TCP/IP stack by the policy agent procedure
- IP defensive filtering, where an administrator executes an ipsec command to install a temporary defensive filter into a TCP/IP stack

Both types of IP filtering provide packet filtering and logging.

Figure 14-1 illustrates the basics of the IP security filtering architecture that we discuss in Chapter 7, "IP filtering" on page 215 and Chapter 8, "IP Security" on page 243.

[Figure 14-1: IP security filtering architecture (diagram not reproduced; only its "z/OS" label survived extraction)]
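To make the matching criteria listed above concrete, the following Python model is an added example (not code from this Redbook and not how the z/OS TCP/IP stack implements filtering): it evaluates a packet against rules keyed on masked source and destination address, protocol, source and destination port, direction of flow, and time, logs each decision, and shows a temporary defensive filter overriding a permanent security filter until the defensive filter expires. The rule names, addresses, the default-deny policy, and the choice to consult defensive filters before security filters are all assumptions of the example.

```python
"""Toy first-match IP filter evaluator (added example, not IBM/z/OS code).

Models the match criteria from section 14.1: masked source/destination
address, protocol, source/destination port, direction of flow, and time.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    proto: str               # "tcp", "udp", "icmp", ...
    sport: Optional[int]
    dport: Optional[int]
    direction: str           # "inbound" or "outbound"
    time: datetime           # time the packet is seen by the stack


@dataclass
class FilterRule:
    name: str
    action: str                          # "permit" or "deny"
    kind: str = "security"               # "security" (policy agent) or "defensive" (ipsec command)
    src: str = "0.0.0.0/0"               # masked address in CIDR form, default = any
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None          # None = any protocol
    sport: Optional[int] = None          # None = any source port
    dport: Optional[int] = None          # None = any destination port
    direction: Optional[str] = None      # None = either direction
    active_from: Optional[datetime] = None   # time condition: rule applies only in
    active_until: Optional[datetime] = None  # [active_from, active_until)

    def matches(self, pkt: Packet) -> bool:
        """Every configured criterion must match; unset criteria match anything."""
        if ip_address(pkt.src) not in ip_network(self.src, strict=False):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst, strict=False):
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.sport is not None and self.sport != pkt.sport:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.direction is not None and self.direction != pkt.direction:
            return False
        if self.active_from is not None and pkt.time < self.active_from:
            return False
        if self.active_until is not None and pkt.time >= self.active_until:
            return False
        return True


def evaluate(pkt: Packet, defensive: List[FilterRule], security: List[FilterRule],
             default: str = "deny") -> Tuple[str, str]:
    """First matching rule wins. Assumption of this example: the temporary
    defensive filters are consulted before the long-term security filters,
    then the default action applies. Returns (action, rule name)."""
    for rule in list(defensive) + list(security):
        if rule.matches(pkt):
            return rule.action, rule.name
    return default, "default"


def log_line(pkt: Packet, action: str, rule: str) -> str:
    """Both filter types log decisions; this is a constructed log format."""
    return (f"{pkt.time.isoformat()} {action} {pkt.direction} {pkt.proto} "
            f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} rule={rule}")


# Constructed sample policy. T0 is the moment the defensive filter is installed.
T0 = datetime(2024, 1, 1, 12, 0, 0)
SECURITY = [
    FilterRule("sec-https", "permit", proto="tcp", dport=443, direction="inbound"),
    FilterRule("sec-out", "permit", direction="outbound"),
]
DEFENSIVE = [
    # Temporary block of a source range, active for one hour after install.
    FilterRule("def-block", "deny", kind="defensive", src="203.0.113.0/24",
               direction="inbound", active_from=T0, active_until=T0 + timedelta(hours=1)),
]


def demo() -> List[Tuple[str, str]]:
    """Run four constructed packets through the policy; returns the decisions."""
    packets = [
        Packet("198.51.100.7", "192.0.2.10", "tcp", 51000, 443, "inbound", T0),
        Packet("203.0.113.5", "192.0.2.10", "tcp", 4444, 443, "inbound", T0 + timedelta(minutes=10)),
        Packet("203.0.113.5", "192.0.2.10", "tcp", 4444, 443, "inbound", T0 + timedelta(hours=2)),
        Packet("198.51.100.7", "192.0.2.10", "udp", 53, 53, "inbound", T0),
    ]
    decisions = []
    for pkt in packets:
        action, rule = evaluate(pkt, DEFENSIVE, SECURITY)
        print(log_line(pkt, action, rule))
        decisions.append((action, rule))
    return decisions


if __name__ == "__main__":
    demo()
```

The second and third packets are identical except for their timestamps: while the defensive filter is within its active window it denies the traffic ahead of the permanent `sec-https` permit, and once it has expired the security policy alone decides again, which is the "temporary" property the text attributes to defensive filters.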