Networking on z/OS


Intrusion Detection Services (IDS)


In z/OS, the Intrusion Detection Services (IDS) capabilities are built into the TCP/IP stack itself (z/OS Communications Server) rather than delivered as a separate product, so the stack can examine traffic at the point where it is received or sent.

There are two fundamental varieties of Intrusion Detection Services (IDS). A host IDS functions within the domain of an individual host and sees only the traffic that host sends and receives; a network IDS has a scope that includes the entire network segment to which it is attached. On z/OS, the scope is the former kind only: IDS functions within the z/OS host and makes no attempt to monitor traffic between other hosts. Specialized platforms exist to perform network IDS, and it does not make sense to use z/OS in such a role.

Some IDS protections are always active and are handled automatically by z/OS. For example, malformed packets are discarded by the stack independent of any settings controllable by the system administrator.

The capabilities of IDS can be expanded, through policy, to include the following types of incidents:
Scanning
A scan is a systematic probing of network resources (such as the ports of a host) over a period of time from a single IP address. A scan is not in itself damaging to the host. However, it is an indication that another host on the network is trying to determine which ports are open for business on the target host. Detection and reporting of scans are important because the host doing the scan may later be the same host that launches a more damaging attack.
Attacks
An attack on a host can take many forms. It is impossible to list all of them here, but a few examples are flood attacks, redirection attacks, and restricted protocol attacks. IDS can be configured to detect and report a number of well-known attack types and, for many of them, to prevent the attack by discarding the offending packets.

Intrusion detection is not a precise science. Scans can come in slowly or quickly, depending on the tool in use, so a threshold tuned to catch a fast scan will miss a slow one. Also, a flood of connection requests may just be a large group of users logging back on to the host. For example, if an intermediate router goes down briefly and 5 000 users are disconnected, the z/OS host receives a flood of new connection requests when the router comes back up; counted alone, that burst is indistinguishable from an attack.

Therefore, it is up to each organization to determine which sequences of events are to be treated as an attack and which are benign, and to encode that decision as IDS policy. The IDS rules are defined as policy statements and are installed in the TCP/IP stack by the policy agent.
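The following Python example is added here as an illustration and is not from the z/OS publication or from z/OS Communications Server. It implements, over constructed connection-attempt records, simplified versions of the two heuristics described above: a per-source scan detector (distinct destination ports within a sliding time window) and a per-port connection-flood counter. It is not the z/OS IDS algorithm and does not use z/OS policy syntax; the Attempt record, the function names, the window and threshold values, and all addresses are assumptions chosen to show why the fast-versus-slow scan window and the flood threshold are decisions the organization has to make.

```python
"""Toy host-IDS heuristics: scan detection per source and connection-flood
detection per port, run over constructed records. Illustrative only; this
is not the z/OS IDS implementation or its policy language."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Attempt:
    t: float      # seconds, relative to the start of the sample
    src: str      # source IP address (constructed)
    dport: int    # destination TCP port


def detect_scans(attempts, window=120.0, min_ports=8):
    """Return {src: distinct_ports} for every source that touched at least
    `min_ports` distinct destination ports within some `window`-second span.
    Uses a sliding window per source: a short window catches a fast scan,
    a window of hours is needed to catch a slow one."""
    by_src = defaultdict(list)
    for a in attempts:
        by_src[a.src].append(a)
    flagged = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda a: a.t)
        start, best = 0, 0
        for end in range(len(evs)):
            while evs[end].t - evs[start].t > window:
                start += 1          # drop events that fell out of the window
            best = max(best, len({e.dport for e in evs[start:end + 1]}))
        if best >= min_ports:
            flagged[src] = best
    return flagged


def detect_floods(attempts, window=10.0, max_conns=1000):
    """Return {dport: (peak_attempts, distinct_sources_in_peak_window)} for
    every destination port that received more than `max_conns` connection
    attempts within some `window`-second span."""
    by_port = defaultdict(list)
    for a in attempts:
        by_port[a.dport].append(a)
    report = {}
    for dport, evs in by_port.items():
        evs.sort(key=lambda a: a.t)
        start, peak, peak_span = 0, 0, (0, 0)
        for end in range(len(evs)):
            while evs[end].t - evs[start].t > window:
                start += 1
            if end - start + 1 > peak:
                peak, peak_span = end - start + 1, (start, end)
        if peak > max_conns:
            srcs = {e.src for e in evs[peak_span[0]:peak_span[1] + 1]}
            report[dport] = (peak, len(srcs))
    return report


SCANNED_PORTS = [21, 22, 23, 25, 80, 110, 143, 443, 3389, 8080]


def build_sample():
    """Constructed traffic, not captured data:
    - 10.0.0.5 probes ten ports in ten seconds (fast scan);
    - 10.0.0.6 probes the same ten ports, one every ten minutes (slow scan);
    - 10.0.0.7 is an ordinary user opening two sessions;
    - 5 000 distinct clients reconnect to port 23 within ten seconds after a
      router outage, as in the example in the text."""
    sample = [Attempt(float(i), "10.0.0.5", p) for i, p in enumerate(SCANNED_PORTS)]
    sample += [Attempt(600.0 * i, "10.0.0.6", p) for i, p in enumerate(SCANNED_PORTS)]
    sample += [Attempt(50.0, "10.0.0.7", 80), Attempt(55.0, "10.0.0.7", 443)]
    sample += [Attempt(100.0 + i / 500.0, f"10.{1 + i // 256}.{i % 256}.1", 23)
               for i in range(5000)]
    return sample


if __name__ == "__main__":
    sample = build_sample()
    print("fast scans (2 min window): ", detect_scans(sample))
    print("slow scans (6 h window):   ", detect_scans(sample, window=6 * 3600))
    print("floods, threshold 1 000:   ", detect_floods(sample))
    print("floods, threshold 10 000:  ", detect_floods(sample, max_conns=10000))
```

With the two-minute window only the fast scanner is reported; the slow scanner is invisible until the window is widened to hours. The reconnect storm on port 23 exceeds a threshold of 1 000 attempts and is reported as a flood, but with a threshold of 10 000 it is not; the distinct-source count is informational only, because a flood using spoofed source addresses also shows many sources. Which threshold is right is exactly the organizational decision the text describes.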





Copyright IBM Corporation 1990, 2010