Manage Learn to apply best practices and optimize your operations.

Enhancements in the intrusion detection system for i5/OS V6R1

The newest i5/OS release, V6R1 offers an Intrusion Detection System that logs information to your security audit journal about intrusion and extrusion activity. It can also be configured to notify you about violations of your established policies. Within the policies that you set, you can use a new feature called Dynamic Throttling that ramps up when an event reaches a threshold level, and begins discarding packets to halt the use of system resources for that event.

Rich Loeber
In my first two articles on what's new in V6 security, I talked about new system values and new exit points. Here, I'll examine enhancements in the OS for IBM's Intrusion Detection System.

Intrusion protection is needed to prevent hackers from gaining access to your system. With V6, IBM has also added extrusion protection, where your system is used as the source of an attack on someone else's system. Both events can be configured and controlled in V6 using IBM's Intrusion Detection System (IDS). Within the IDS, the OS will add log information to your security audit journal about intrusion and extrusion activity. With V6, you can also configure notification about violations of your established policies. IDS policies are implemented and controlled through a GUI interface provided by IBM. IDS does not include things like scanning for viruses or Trojan horse programs.

With V6, IDS has come of age and operates as its own function within the OS. Earlier implementations required the use of the QoS (quality of service) server function. This is no longer the case in V6.

IDS works by examining message packets that arrive at the system looking for malformed packets and spoof packets. You administer the IDS by establishing intrusion and extrusion policies for things like:

  • Default intrusion policies
  • Attack policies
  • Scan policies
  • Traffic regulation policies

When IDS is active on your system and policy rules have been implemented, the IDS within the OS examines traffic through the system against the established rules. When events occur that do not conform to your policies, actions are taken. You can simply log the activity, or you can optionally configure the system to deny the activity and issue a warning notification message. These messages can be delivered by email, so you can route messages to your beeper or your cell phone as needed.

Using available V6 documentation at the IBM Information Center website. You can identify a variety of intrusion types that can be monitored and controlled. The list is quite comprehensive and too much for this article; however, you should take a look when you have a few minutes. It includes things like "Address poisoning", "Fraggle attack", "IP fragment", "Ping-of-death attack" and much more. (I'd like to meet the folks that come up with some of these names, very creative.)

Within the policies that you set up, you can use a new feature called Dynamic Throttling. When an event reaches a threshold level that you establish, the IDS will then begin to discard packets so that the suspected attack will be denied further access to your system resources.

This brief article just scratches the surface of the IDS feature. For more information, go to the IBM Information Center and download the PDF manual that IBM has available. Or, if you find it easier, just ask me and I'll send you a copy of the PDF file directly.

If you have any questions about anything included in this tip, you can reach me at (, All email messages will be answered as quickly as possible.

ABOUT THE AUTHOR: Rich Loeber is president of Kisco Information Systems Inc. in Saranac Lake, N.Y. The company is a provider of various security products for the iSeries market.

Dig Deeper on iSeries system and application security

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.