Enhancements in the intrusion detection system for i5/OS V6R1

Rich Loeber

Intrusion protection is needed to prevent hackers from gaining access to your system. With V6, IBM has also added extrusion protection, where your system is used as the source of an attack on someone else's system. Both events can be configured and controlled in V6 using IBM's Intrusion Detection System (IDS). Within the IDS, the OS will add log information to your security audit journal about intrusion and extrusion activity. With V6, you can also configure notification about violations of your established policies. IDS policies are implemented and controlled through a GUI interface provided by IBM. IDS does not include things like scanning for viruses or Trojan horse programs.

With V6, IDS has come of age and operates as its own function within the OS. Earlier implementations required the use of the QoS (quality of service) server function. This is no longer the case in V6.

IDS works by examining message packets that arrive at the system looking for malformed packets and spoof packets. You administer the IDS by establishing intrusion and extrusion policies for things like:

• Default intrusion policies
• Attack policies
• Scan policies
• Traffic regulation policies

When IDS is active on your system and policy rules have been implemented, the IDS within the OS examines traffic through the system against the established rules. When events occur that do not conform to your policies, actions are taken. You can simply log the activity, or you can optionally configure the system to deny the activity and issue a warning notification message. These messages can be delivered by email, so you can route messages to your beeper or your cell phone as needed.

Using available V6 documentation at the IBM Information Center website. You can identify a variety of intrusion types that can be monitored and controlled. The list is quite comprehensive and too much for this article; however, you should take a look when you have a few minutes. It includes things like "Address poisoning", "Fraggle attack", "IP fragment", "Ping-of-death attack" and much more. (I'd like to meet the folks that come up with some of these names, very creative.)

Within the policies that you set up, you can use a new feature called Dynamic Throttling. When an event reaches a threshold level that you establish, the IDS will then begin to discard packets so that the suspected attack will be denied further access to your system resources.

This brief article just scratches the surface of the IDS feature. For more information, go to the IBM Information Center and download the PDF manual that IBM has available. Or, if you find it easier, just ask me and I'll send you a copy of the PDF file directly.

If you have any questions about anything included in this tip, you can reach me at ( rich@kisco.com), All email messages will be answered as quickly as possible.

ABOUT THE AUTHOR: Rich Loeber is president of Kisco Information Systems Inc. in Saranac Lake, N.Y. The company is a provider of various security products for the iSeries market.

Rate this Tip To rate tips, you must be a member of Search400.com. Register now to start rating these tips. Log in if you are already a member. Submit a Tip Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT iSeries security tips Developing a security incident response system for System i Tracking remote access users on System i Setting up security for programmers on IBM i Controlling remote access on your IBM i Checking in on your IBM i authorization lists PCI data security standards and the System i Securing the integrated file system on IBM System i Contextual security on IBM i: Limit user profile access Time for a security checkup for your i Security monitoring on IBM i: Watching your super users iSeries system and application security Developing a security incident response system for System i Setting up security for programmers on IBM i Blocking AS/400 DB2 users Trouble accessing IFS path from Win2k3 server Checking in on your IBM i authorization lists Strategies for securing IBM i production files Changing password security levels and upgrading operating systems on the IBM i Determine the value of parameter UPPWEI in the DSPUSRPRF field Define journal code value "K" Modify content within a journal receiver file i5/OS Recovering from DST QSECOFR password disablement on V5R4 Checking if a local port is used by another job on AS/400 How to: Configure a backup schedule between partitions on HMC The enhanced DB2 inside i5/OS V6R1 New password-control security features for i5/OS V6R1 Is i5/OS V6R1 in your System i shop's future New i5/OS features announced as anticipation mounts Using indexes on DB2 for i5/OS to improve performance IBM previews new version of i5/OS for System i IBM System i division filing for divorce i5/OS Research RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary midrange  (Search400.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.