SecureMyi.com Security and Systems Management Newsletter for the IBM i             February 11, 2015 - Vol 5, Issue 2
Security Training from SecureMyi.com


Security software from Powertech



Security? See how SKYVIEW PARTNERS can help!



Training from The 400 School

Feature Article

Using the Intrusion Detection System for IBM i

By Dan Riehl - SecureMyi.com

How do you know if someone is scanning your IP ports for vulnerabilities? Or how do you know if you're being attacked by denial of service attacks like a SYN Flood or Smurf attack?

The IBM i Intrusion Detection System (IDS) alerts you when an attack against the system is in progress. In most cases, you have no other way to monitor for these intrusion events. With IBM i version 6.1 and 7.1, you can have the IDS up and running in a few minutes. IBM i Navigator for Windows provides an IDS Setup Wizard, which makes setting up the IDS a very simple process. On my system, I had it up and running in about 30 minutes25 of those were spent reading the documentation and the On-Line help text.

Why do I need an Intrusion Detection System?

An IBM i connected to any network should be running the IDS. Some may say they're protected behind a corporate firewall and therefore are immune to these types of attacks. But attacks also come from inside your network, and as far as outside attacks, do you want to bet the security and availability of your System that the firewalls can reject ALL unwanted traffic?

Each host system needs to be the final arbiter of who and what has access to the system resources. You cannot disregard the security of the IBM i simply because you have a firewall. In most cases, it's the IBM i in your data center that manages and protects the critical company jewels. It's the system that stores the very sensitive data that you must protect. Setting up the IDS on your IBM i just makes sense.

When an attack occurs, instant notification of the attack can be sent to a message queue as well as via email to several email addresses you stipulate. When you see an incoming attack, you can then take preventative actions to stop the attack or prevent the attacker from getting to you again. As prevention, you can set packet filtering rules within IBM i Navigator and adjust firewall rules as needed. The IDS is a detection system; it, alone, cannot prevent an attack.

In addition to monitoring for attacks, the IDS also detects if the IBM i is being used as the attacker of another system. You would certainly want to know if someone is launching an attack from within your system.

IBM i 6.1 and 7.1 Differences from 5.4

Since OS/400 V5R4M0, IBM i has included the IDS that monitors network activity for numerous types of attacks. Under V5R4M0, setting up the IDS is a difficult and frustrating exercise. But as of IBM i 6.1, and the introduction of the IDS Setup Wizard, configuring the IDS has become a very simple process. The dependency on the Quality of Service (QoS) Server in V5R4M0 has been removed. The QoS server integration was my biggest stumbling block in that older implementation. I just could not get it to work.

The remainder of this article will focus on the IDS in IBM i 6.1 and 7.1. If you're still at 5.4, you can configure the IDS using the instructions in the IBM Redbook IBM i5/OS Intrusion Detection System at http://www.redbooks.ibm.com/redpapers/pdfs/redp4226.pdf

Configuring the IDS for IBM i 6.1 and 7.1

Running the IDS requires that you set up the System Security Audit Journal QAUDJRN and that the system value QAUDCTL contains the value *AUDLVL. When you start the IDS through the IBM i Navigator option, the value *ATNEVT is automatically added to the system value QAUDLVL, or QAUDLVL2. This specifies that the system is to audit the Intrusion Events, referred to as Attention Events.

Read More

In This Issue


Featured Article - Using IDS

Carsten's Code - Control the IDS

Industry News and Calendar

Security Resources

Quick Links


Search Security Site for IBM i and i5/OS

SecureMyi Website

Security Training from The 400 School

SecureMyi Newsletter Home/Archives


Our Newsletter Sponsors


Platinum Sponsor

    The 400 School, Inc


Gold Sponsor

    PowerTech

    Skyview Partners, Inc

Silver Sponsor

    Cilasoft Security Solutions

IBM i Security Resources

IBM i Security Videos - SecureMyi

SecureMyi Newsletter Archives

Search Security for IBM i

IBM i Security Ref - 6.1

IBM i Security Ref - 7.1

QAUDJRN Entries By AUDLVL

QAUDJRN Entry Layouts

RedBook - Security Guide IBM i


Open Security Foundation - DataLoss DB

National Vulnerability Database - NIST

PCI Data Security Standard

COBIT - ISACA

HIPAA Resources

HITECH Enforcement

CISSP - Certification


Follow SecureMyi on Twitter
Follow SecureMyi on LinkedIn=
Follow SecureMyi on YouTube


Software from Cilasoft


Security software from Powertech
Security Training from SecureMyi.com
Security news and Events


Live Security Related Webcasts and Training for IBM i

February Events

Live Hands-On - IBM i, iSeries System Administration and Control Workshop
with Dan Riehl

Training Workshop - February 23-27 - Presented by The 400 School, Inc.
Dan Riehl presents this 5-Day Live Online Hands-on Workshop.
More Information and Register to Attend

March Events

Live Hands-On - Expanded Security Workshop for IBM i, iSeries & AS/400
with Dan Riehl

Training Workshop - March 17-20 - Presented by The 400 School, Inc.
Dan Riehl presents this 4-Day Live Online Hands-on Workshop.
More Information and Register to Attend

Live Hands-On - QAUDJRN Auditing and Forensic Analysis Workshop
with Dan Riehl

Training Workshop - March 24-25 - Presented by The 400 School, Inc.
Dan Riehl presents this 2-Day Live Online Hands-on Workshop.
More Information and Register to Attend

Live Hands-On - Expanded Control Language Programming Workshop
with Dan Riehl

Training Workshop - March 30-April 3 - Presented by The 400 School, Inc.
Dan Riehl presents this 5-Day Live Online Hands-on Workshop.
More Information and Register to Attend

April Events

Live Hands-On - IBM i, iSeries System Administration and Control Workshop
with Dan Riehl

Training Workshop - April 20-24 - Presented by The 400 School, Inc.
Dan Riehl presents this 5-Day Live Online Hands-on Workshop.
More Information and Register to Attend

2015 COMMON Conference and Expo - Anahein, CA
COnference and Expo - April 26-29
More Information and Register to Attend





Security? See how SKYVIEW PARTNERS can help!




Training from The 400 School

Carsten's Security Code for IBM i

CL Command to Manage the IBM i Intrusion Detection System

Downloadable Source code included!

By Carsten Flensburg

In this current issue of the SecureMyi Security Newsletter, Dan Riehl presents an article on the Intrusion Detection System for IBM i.

As I was doing additional research on the IDS(Intrusion Detection System) topic, I came across the "Control Intrusion Detection and Prevention API". This API(Application Programming Interface) is provided by IBM to allow you to perform some vital IDS management routines.

I've wrapped the API up in a new CL command CTLIDS(Control Intrusion Detection System), giving me direct, green-screen access to the IDS functions supported by the API.

Here is the command prompt display.


                                   Control IDS(CTLIDS)                             
                                                                               
 Type choices, press Enter.                                                    
                                                                               
 Option . . . . . . . . . . . . .   *STATUS           *ACTIVATE, *DEACTIVATE...    



By pressing F1=Help during the prompt display, the Help Text explains the use of the command, the restrictions and additional information on the IDS. Listed here are selected snippets of the online Help Text.

The Control Intrusion Detection and Prevention (CTLIDS) command is used to control the Intrusion Detection System (IDS).

It can be used to activate, deactivate, recycle (deactivate and reactivate) the IDS or retrieve the status (active or inactive) of the IDS, and it is provided as an interface to the code that processes the IDS policy file.

Note: TCP/IP Connectivity Utilities for i5/OS must be installed in order to use this command.

Restrictions:

You must have *IOSYSCFG special authority to run the command.

The Option (OPTION) Parameter

Specifies the requested function.

*ACTIVATE                                                                           
             Activate the Intrusion Detection System (IDS).
*DEACTIVATE
             Deactivate the Intrusion Detection System (IDS).
*RECYCLE                                                                                
             Recycle the Intrusion Detection System (IDS).
*STATUS                                                                                 
             Retrieve the status of the Intrusion Detection System (IDS).                        
             The current status is returned in an informational message sent                     
             to the job running the CTLIDS command.

In addition to controlling IDS, the CTLIDS command also verifies that TCP/IP is active and operational.

The Source code that comprises the CTLIDS command is listed here.

SEC101      RPGLE       Control Intrusion Detection Services - CPP      
SEC101H     PNLGRP      Control Intrusion Detection Services - Help     
SEC101M     CLP         Control Intrusion Detection Services - Build cmd
SEC101X     CMD         Control Intrusion Detection Services            

Download the source code as text files

Download SEC101.
Download SEC101H.
Download SEC101M.
Download SEC101X.

Additional Resources:

Control Intrusion Detection and Prevention (QTOQIDSC, QtoqIDSControl) API for IBM I 6.1

IBM Info Center - Complete coverage of IDS for IBM I 7.1


Security Training from The 400 School

Send your IBM i Security and Systems Management News and Events!           Send your Questions, Comments, Tips and Stories

Copyright 2015 - SecureMyi.com, all rights reserved

SecureMyi.com | St Louis MO 63017