72 lines
4.6 KiB
HTML
72 lines
4.6 KiB
HTML
|
<?xml version="1.0" encoding="UTF-8"?>
|
|||
|
<!DOCTYPE html
|
|||
|
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|
|||
|
<html lang="en-us" xml:lang="en-us">
|
|||
|
<head>
|
|||
|
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
|
|||
|
<meta name="security" content="public" />
|
|||
|
<meta name="Robots" content="index,follow" />
|
|||
|
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
|
|||
|
<meta name="DC.Type" content="concept" />
|
|||
|
<meta name="DC.Title" content="Concepts" />
|
|||
|
<meta name="abstract" content="This topic describes how the intrusion detection system works." />
|
|||
|
<meta name="description" content="This topic describes how the intrusion detection system works." />
|
|||
|
<meta name="DC.Relation" scheme="URI" content="rzaubkickoff.htm" />
|
|||
|
<meta name="copyright" content="(C) Copyright IBM Corporation 2006" />
|
|||
|
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2006" />
|
|||
|
<meta name="DC.Format" content="XHTML" />
|
|||
|
<meta name="DC.Identifier" content="rzaubconcepts" />
|
|||
|
<meta name="DC.Language" content="en-us" />
|
|||
|
<!-- All rights reserved. Licensed Materials Property of IBM -->
|
|||
|
<!-- US Government Users Restricted Rights -->
|
|||
|
<!-- Use, duplication or disclosure restricted by -->
|
|||
|
<!-- GSA ADP Schedule Contract with IBM Corp. -->
|
|||
|
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
|
|||
|
<link rel="stylesheet" type="text/css" href="./ic.css" />
|
|||
|
<title>Concepts</title>
|
|||
|
</head>
|
|||
|
<body id="rzaubconcepts"><a name="rzaubconcepts"><!-- --></a>
|
|||
|
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
|
|||
|
<h1 class="topictitle1">Concepts</h1>
|
|||
|
<div><p>This topic describes how the intrusion detection system works.</p>
|
|||
|
<p><span>Intrusion detection uses the <span class="filepath">idspolicy.conf</span> file
|
|||
|
that contains a set of policies for intrusion events. Each policy has an associated
|
|||
|
condition and action, but there might be more than one condition associated
|
|||
|
with the same action.</span> The TCP/IP stack reports the most common potential
|
|||
|
intrusion events and audits them, so that you can write an application to
|
|||
|
analyze the data and report to the security administrator if intrusions are
|
|||
|
likely to be underway. The following diagram shows how the intrusion detection
|
|||
|
function works. </p>
|
|||
|
<div class="p"><br /><a name="rzaubconcepts__ids"><!-- --></a><img id="rzaubconcepts__ids" src="rzaub500.gif" alt="Intrusion detection system" /><br /><ol><li>You edit the <span class="filepath">idspolicy.conf</span> file to detect specific
|
|||
|
types of intrusions, and <span>then you</span> start the QoS server.</li>
|
|||
|
<li>The QoS policy agent reads the intrusion detection policy in the <span class="filepath">idspolicy.conf</span> file.</li>
|
|||
|
<li>The QoS policy agent sends a message with machine instructions to the
|
|||
|
QoS manager.</li>
|
|||
|
<li>The QoS manager interprets the machine instructions and sends them to
|
|||
|
the intrusion detection system inside the TCP/IP stack. The TCP/IP stack manages
|
|||
|
outbound traffic and inbound traffic in the network, and routes requests to
|
|||
|
other computers in the network.</li>
|
|||
|
<li>The intrusion detection system creates the policies in the port table.
|
|||
|
The port table entries represent ports 0 through port 65 535.
|
|||
|
For example, port 0, <span>which contains conditions that apply
|
|||
|
to all ports</span>, points to intrusion condition 1 which points to action
|
|||
|
1. Similarly, port 1 points to condition 2 which points to action 2. Port
|
|||
|
1 also points to condition 3 which points to action 1, and so on.</li>
|
|||
|
<li>When the TCP/IP stack detects an intrusion, it looks for matching conditions
|
|||
|
in the port table and executes the specific action, for example, creating
|
|||
|
an IM auditing record or system statistics.</li>
|
|||
|
<li>The system creates an IM audit record which describes the type of intrusion
|
|||
|
event.</li>
|
|||
|
<li>The system administrator analyzes the IM audit record to determine which
|
|||
|
security actions to take, such as closing off the port from where the intrusion
|
|||
|
originated.</li>
|
|||
|
</ol>
|
|||
|
</div>
|
|||
|
</div>
|
|||
|
<div>
|
|||
|
<div class="familylinks">
|
|||
|
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzaubkickoff.htm" title="Intrusion detection involves gathering information about unauthorized access attempts and attacks coming in over the TCP/IP network. Security administrators can analyze the auditing records that intrusion detection provides to secure the iSeries network from these types of attacks.">Intrusion detection</a></div>
|
|||
|
</div>
|
|||
|
</div>
|
|||
|
</body>
|
|||
|
</html>
|