ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzaub_5.4.0.1/rzaubconcepts.htm

72 lines
4.6 KiB
HTML
Raw Normal View History

2024-04-02 14:02:31 +00:00
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Concepts" />
<meta name="abstract" content="This topic describes how the intrusion detection system works." />
<meta name="description" content="This topic describes how the intrusion detection system works." />
<meta name="DC.Relation" scheme="URI" content="rzaubkickoff.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzaubconcepts" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Concepts</title>
</head>
<body id="rzaubconcepts"><a name="rzaubconcepts"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Concepts</h1>
<div><p>This topic describes how the intrusion detection system works.</p>
<p><span>Intrusion detection uses the <span class="filepath">idspolicy.conf</span> file
that contains a set of policies for intrusion events. Each policy has an associated
condition and action, but there might be more than one condition associated
with the same action.</span> The TCP/IP stack reports the most common potential
intrusion events and audits them, so that you can write an application to
analyze the data and report to the security administrator if intrusions are
likely to be underway. The following diagram shows how the intrusion detection
function works. </p>
<div class="p"><br /><a name="rzaubconcepts__ids"><!-- --></a><img id="rzaubconcepts__ids" src="rzaub500.gif" alt="Intrusion detection system" /><br /><ol><li>You edit the <span class="filepath">idspolicy.conf</span> file to detect specific
types of intrusions, and <span>then you</span> start the QoS server.</li>
<li>The QoS policy agent reads the intrusion detection policy in the <span class="filepath">idspolicy.conf</span> file.</li>
<li>The QoS policy agent sends a message with machine instructions to the
QoS manager.</li>
<li>The QoS manager interprets the machine instructions and sends them to
the intrusion detection system inside the TCP/IP stack. The TCP/IP stack manages
outbound traffic and inbound traffic in the network, and routes requests to
other computers in the network.</li>
<li>The intrusion detection system creates the policies in the port table.
The port table entries represent ports 0 through port 65 535.
For example, port 0, <span>which contains conditions that apply
to all ports</span>, points to intrusion condition 1 which points to action
1. Similarly, port 1 points to condition 2 which points to action 2. Port
1 also points to condition 3 which points to action 1, and so on.</li>
<li>When the TCP/IP stack detects an intrusion, it looks for matching conditions
in the port table and executes the specific action, for example, creating
an IM auditing record or system statistics.</li>
<li>The system creates an IM audit record which describes the type of intrusion
event.</li>
<li>The system administrator analyzes the IM audit record to determine which
security actions to take, such as closing off the port from where the intrusion
originated.</li>
</ol>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzaubkickoff.htm" title="Intrusion detection involves gathering information about unauthorized access attempts and attacks coming in over the TCP/IP network. Security administrators can analyze the auditing records that intrusion detection provides to secure the iSeries network from these types of attacks.">Intrusion detection</a></div>
</div>
</div>
</body>
</html>