Intrusion detection

Intrusion detection involves gathering information about unauthorized access attempts and attacks coming in over the TCP/IP network. Security administrators can analyze the auditing records that intrusion detection provides to secure the iSeries™ network from these types of attacks.

Intrusion encompasses many undesirable activities, such as information theft and denial of service attacks. The objective of an intrusion may be to acquire information that a person is not authorized to have (information theft). The objective may be to cause a business harm by rendering a network, system, or application unusable (denial of service), or it may be to gain unauthorized use of a system as a means for further intrusions elsewhere. Most intrusions follow a pattern of information gathering, attempted access, and then destructive attacks. Some attacks can be detected and neutralized by the target system. Other attacks cannot be effectively neutralized by the target system. Most attacks also make use of spoofed packets, which are not easily traceable to their true origin. Many attacks make use of unwitting accomplices, which are machines or networks that are used without authorization to hide the identity of the attacker. For these reasons, a vital part of intrusion detection is gathering information and detecting both access attempts and attack behaviors.

You can create an intrusion detection policy that audits suspicious intrusion events that come in through the TCP/IP network. Examples of problems that the intrusion detection function looks for include:

You also can write an application to analyze the auditing data and report to the security administrator if TCP/IP intrusions are likely to be underway.
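As an added illustration (not code from the iSeries documentation), the following analyzer reads constructed audit-style records and rates each source by how far it has progressed through the pattern described above: information gathering, attempted access, then destructive attack. The record layout, event names, thresholds and addresses are all assumptions for this example, not the layout of the iSeries audit journal.

```python
"""Constructed example: rate audit records by intrusion stage per source."""
from collections import defaultdict

# Assumed record format (constructed for this example, not the real audit
# journal layout): "<time> <source_ip> <event_type> <detail>"
# SCAN        = information gathering (probing ports)
# ACCESS_FAIL = attempted access (failed sign-on)
# DOS         = destructive attack (denial of service flood)
STAGE_NAMES = {0: "none", 1: "gathering", 2: "access attempts", 3: "attack"}

# Constructed sample records using documentation (RFC 5737) addresses.
SAMPLE_RECORDS = """\
10:00:01 192.0.2.10 SCAN port=21
10:00:02 192.0.2.10 SCAN port=23
10:00:03 192.0.2.10 SCAN port=25
10:00:09 192.0.2.10 ACCESS_FAIL user=operator
10:00:10 192.0.2.10 ACCESS_FAIL user=operator
10:00:30 192.0.2.10 DOS syn_flood
10:01:00 198.51.100.7 ACCESS_FAIL user=alice
10:02:00 203.0.113.5 SCAN port=80
""".splitlines()


def parse(line):
    """Split one constructed record into its four fields."""
    ts, src, event, detail = line.split(" ", 3)
    return {"ts": ts, "src": src, "event": event, "detail": detail}


def analyze(lines, scan_threshold=3, fail_threshold=2):
    """Return {source_ip: highest stage reached} over all records.

    A single probe or a single failed sign-on is normal noise, so the
    gathering and access stages require repeated events; any DOS event
    counts immediately because it is itself the destructive attack.
    """
    counts = defaultdict(lambda: defaultdict(int))
    for rec in map(parse, lines):
        counts[rec["src"]][rec["event"]] += 1
    report = {}
    for src, c in counts.items():
        stage = 0
        if c["SCAN"] >= scan_threshold:
            stage = 1
        if c["ACCESS_FAIL"] >= fail_threshold:
            stage = max(stage, 2)
        if c["DOS"] >= 1:
            stage = max(stage, 3)
        report[src] = stage
    return report


def likely_intrusions(report, min_stage=2):
    """Sources the security administrator should be told about."""
    return sorted(src for src, st in report.items() if st >= min_stage)
```

Only the source that escalates past information gathering is reported; the lone failed sign-on and the single probe stay below the reporting threshold.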

Important: The term intrusion detection is used two ways in the iSeries documentation. In the first sense, intrusion detection refers to the prevention and detection of security exposures. For example, a hacker might be trying to break into the system using an invalid user ID, or an inexperienced user with too much authority might be altering important objects in system libraries. In the second sense, intrusion detection refers to the new intrusion detection function that uses policies to monitor suspicious traffic on the system.