Intrusion detection


Intrusion detection involves gathering information about unauthorized access attempts and attacks coming in over the TCP/IP network. Security administrators can analyze the audit records that intrusion detection provides to secure the System i™ network from these types of attacks.

"Intrusions" encompass many undesirable activities such as information theft and denial of service attacks. The objective of an intrusion might be to acquire information that a person is not authorized to have (information theft). The objective might be to cause a business harm by rendering a network, system, or application unusable (denial of service), or it might be to gain unauthorized use of a system as a means for further intrusions elsewhere. Most intrusions follow a pattern of information gathering, attempted access, and then destructive attacks. Some attacks can be detected and neutralized by the target system. Other attacks cannot be effectively neutralized by the target system. Most attacks also make use of spoofed packets, which are not easily traceable to their true origin. Many attacks make use of unwitting accomplices, which are machines or networks that are used without authorization to hide the identity of the attacker. For these reasons, a vital part of intrusion detection is gathering information and detecting both access attempts and system attacks.

You can create an intrusion detection policy that audits suspicious intrusion events that come in through the TCP/IP network. (See the Details: Intrusion detection policy directives.) Examples of problems that the intrusion detection function looks for include:

  • Denial of service attacks

  • Port scans

  • Malformed packets

  • Internet Protocol (IP) fragments

  • Restricted IP options and protocols

  • Internet Control Message Protocol (ICMP) redirect messages

  • Perpetual echo attacks on User Datagram Protocol (UDP) port 7 (the echo port)

You can also write an application to analyze the auditing data and report to the security administrator if TCP/IP intrusions are likely to be underway.
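As an added illustration of such an analysis application (example code, not part of the i5/OS documentation or product), the following script classifies events for three of the problem types listed above: port scans, ICMP redirect messages, and perpetual echo traffic on UDP port 7. The event tuples, their simplified field layout, and the port-scan thresholds are constructed assumptions; the real IM audit record fields are described in the "Analyzing the auditing data" topic.

```python
from collections import defaultdict

# Constructed sample events in a hypothetical simplified layout (not the real
# IM audit record format): (time_s, src_ip, dst_ip, proto, src_port, dst_port, icmp_type).
SAMPLE_EVENTS = [(t, "10.0.0.5", "10.0.0.20", "tcp", 40000 + t, 1000 + t, None)
                 for t in range(12)]                          # 12 ports in 12 s: a scan
SAMPLE_EVENTS += [
    (30, "10.0.0.9", "10.0.0.20", "udp", 7, 7, None),         # echo port to echo port
    (31, "10.0.0.9", "10.0.0.20", "icmp", None, None, 5),     # ICMP redirect (type 5)
    (32, "10.0.0.11", "10.0.0.20", "tcp", 51000, 443, None),  # ordinary HTTPS connection
]

PORT_SCAN_MIN_PORTS = 10   # assumed threshold: distinct destination ports from one source
PORT_SCAN_WINDOW_S = 60    # ...seen within this many seconds
ICMP_REDIRECT = 5          # ICMP message type for redirect


def analyze(events):
    """Return (source_ip, finding) tuples for events that look like intrusions."""
    findings = []
    ports_by_src = defaultdict(list)   # src_ip -> [(time_s, dst_port)]
    for time_s, src, dst, proto, sport, dport, icmp_type in events:
        if proto == "udp" and sport == 7 and dport == 7:
            # Echo-to-echo UDP traffic can loop forever between two hosts
            findings.append((src, "perpetual echo: UDP echo port to echo port"))
        elif proto == "icmp" and icmp_type == ICMP_REDIRECT:
            findings.append((src, "ICMP redirect message"))
        elif dport is not None:
            ports_by_src[src].append((time_s, dport))
    for src, hits in ports_by_src.items():
        hits.sort()
        # Sliding window: distinct destination ports within PORT_SCAN_WINDOW_S of each hit
        for i, (t0, _) in enumerate(hits):
            window_ports = {p for t, p in hits[i:] if t - t0 <= PORT_SCAN_WINDOW_S}
            if len(window_ports) >= PORT_SCAN_MIN_PORTS:
                findings.append((src, f"port scan: {len(window_ports)} ports in {PORT_SCAN_WINDOW_S}s"))
                break
    return findings


def report(findings):
    """Format findings as lines an alerting program could send to the administrator."""
    return [f"ALERT source={src}: {what}" for src, what in findings]


if __name__ == "__main__":
    for line in report(analyze(SAMPLE_EVENTS)):
        print(line)
```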

The term intrusion detection is used two ways in i5/OS® documentation. In the first sense, intrusion detection refers to the prevention and detection of security exposures. For example, a hacker might be trying to break into the system using an invalid user ID, or an inexperienced user with too much authority might be altering important objects in system libraries. In the second sense, intrusion detection refers to the intrusion detection function that uses policies to monitor suspicious traffic on the system.

  • What's new for V5R4
    The entire intrusion detection topic is new in V5R4.

  • Printable PDF
    Use this to view and print a PDF of the intrusion detection information.

  • Intrusion detection concepts
    This topic describes how the intrusion detection system works.

  • Intrusion detection terminology
    Definitions and descriptions of commonly used intrusion detection terms are included here.

  • Setting up an intrusion detection policy
    Intrusion detection allows you to set up policies to notify you of any network intrusions that are detected on your system.

  • Writing intrusion detection programs
    You can create an intrusion detection program to send e-mail to alert system administrators to suspicious events and provide suggested responses.

  • Auditing intrusion detection activities
    It is important to audit intrusion detection activities. If the intrusion detection system flags a suspicious event, it writes an Intrusion Monitor (IM) audit record.

  • Analyzing the auditing data
    You can analyze the auditing data for intrusion detection activities, and obtain reference information about the fields in the IM audit record.

  • Related information
    Listed here are the product manuals and IBM® Redbooks™ (in PDF format), Web sites, and information center topics that relate to the Intrusion detection topic. You can view or print any of the PDFs.