Intrusion Detection Services (IDS) Networking on z/OS
In z/OS, the Intrusion Detection Services (IDS) capabilities are built into the TCP/IP stack itself. There are two fundamental varieties of IDS: a host IDS that functions within the domain of an individual host, and a network IDS whose scope covers the entire network to which it is attached. On z/OS, IDS is the former kind only: it functions within the z/OS host and makes no attempt to monitor traffic outside that host. Specialized platforms exist for network IDS, and it does not make sense to use z/OS in that role. Many IDS capabilities are handled automatically by z/OS; for example, malformed packets are discarded regardless of any setting the system administrator controls. The IDS capabilities can, however, be expanded to cover the following types of incidents:
Intrusion detection is not a precise science. Scans can arrive slowly or quickly, depending on the scanning tool in use. Likewise, a flood of connection requests may simply be a large group of users logging back on to the host: if an intermediate router went down briefly and 5 000 users were disconnected, then when the router came back up a flood of new connection requests could reach the z/OS host. It is therefore up to each organization to decide which sequences of events are to be treated as an attack and which are benign. The IDS rules are implemented through the policy agent.
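To make that policy decision concrete, here is an added example (not from the z/OS documentation and not how the policy agent is configured) that runs two constructed event streams through threshold rules: a slow port scan that a short window misses but a long window catches, and a post-outage reconnection burst that a rate-based flood rule flags even though it may be benign. The window and threshold values are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed sample connection-request events (t_seconds, src_ip, dst_port).
# They are made up for this example, not captured z/OS IDS output.
SLOW_SCAN = [(60 * i, "10.0.0.5", 1000 + i) for i in range(20)]  # one new port per minute
RECONNECT_BURST = [(5000 + i % 5, f"10.1.{i // 250}.{i % 250}", 23)
                   for i in range(600)]  # 600 distinct clients reconnect within 5 s
EVENTS = SLOW_SCAN + RECONNECT_BURST


def scanners(events, window, min_ports):
    """Sources that touch at least min_ports distinct ports inside any window of `window` seconds."""
    by_src = defaultdict(list)
    for t, src, port in sorted(events):
        by_src[src].append((t, port))
    flagged = set()
    for src, hits in by_src.items():
        start = 0
        for end in range(len(hits)):          # sliding window over this source's hits
            while hits[end][0] - hits[start][0] > window:
                start += 1
            if len({p for _, p in hits[start:end + 1]}) >= min_ports:
                flagged.add(src)
                break
    return flagged


def flooded_ports(events, window, min_requests):
    """Ports that receive at least min_requests connection requests inside any window."""
    by_port = defaultdict(list)
    for t, _, port in sorted(events):
        by_port[port].append(t)
    flagged = set()
    for port, times in by_port.items():
        start = 0
        for end in range(len(times)):         # sliding window over requests to this port
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= min_requests:
                flagged.add(port)
                break
    return flagged


if __name__ == "__main__":
    print("scan, 60 s window:  ", scanners(EVENTS, 60, 10))     # slow scan slips through
    print("scan, 1 h window:   ", scanners(EVENTS, 3600, 10))   # same stream, now flagged
    print("flood, 10 s window: ", flooded_ports(EVENTS, 10, 500))  # reconnect burst trips rule
```

The same stream is an attack or not depending only on the chosen window and threshold, which is exactly the judgement the organization has to encode in its policy.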