MIDRANGE dot COM Mailing List Archive



Home » MIDRANGE-L » December 2013

Re: Intrusion Detection System at V7R1



fixed

On 08-Nov-2013 12:06 -0800, ALopez@xxxxxxxxxx wrote:
I've just used the Navigator wizard to configure this on a new
system. It seems that at V7R1 I do not need to have the QOS TCP/IP
server running (and I have IPQOSENB set to *NO in CHGTCPA). What I
can't figure out is how you tell INS that you want it to start
automatically.

Presumably that meant to suggest Intrusion Detection System (IDS), not INS.?

All of the TCP/IP servers have this option under their properties in
the Navigator, but Intrusion Detection has options just for
Notifications and ICMP. All of the descriptions of starting/stopping
it that I can find online refer to manually doing so in Navigator.
That doesn't help much unless it automatically restarts after an IPL,
as I also can't find a command line interface for starting it.

The documentation suggests that the function of the IDS feature does not run in\as a separate TCP/IP server, but as part of the TCP/IP stack itself [the TCP/IP code itself], activated by policies. Thus there is not a configurable AUTOSTART setting as there would be with a TCP server. Seems the feature starts functioning as part of the stack, automatically after IPL, per those same docs:

<http://pic.dhe.ibm.com/infocenter/iseries/v7r1m0/topic/rzaub/rzaub.pdf>
_i IBM i Security Intrusion detection 7.1 i_
"...
When you create an intrusion detection policy, the IDS GUI builds the IDS policy file and activates IDS using the Control Intrusion Detection and Prevention (QTOQIDSC, QtoqIDSControl) API.
Note: After you create a new policy, IDS is automatically stopped and restarted for the policy to take effect. In V5R4, the QoS server is automatically stopped and restarted.
...
The /production stack/ consists of the TCP/IP modules involved in most of the network operations on the System i® platform.
The /service stack/ consists of the TCP/IP modules involved in service and support of the System i platform.

The service stack comes up first and remains until the next IPL. The production stack comes up after the service stack and remains until TCP/IP is ended. After an IPL, the service stack checks to see if IDS was active before the IPL. If so, IDS is reactivated. ...
..."

The above docs are in the IBM i 7.1 InfoCenter as well, under the same parent topic:
<http://pic.dhe.ibm.com/infocenter/iseries/v7r1m0/topic/rzaub/rzaubidsoverview.htm>
IBM i 7.1 Information Center -> Security -> Intrusion detection -> Intrusion detection concepts
_Intrusion detection system initialization_

<http://pic.dhe.ibm.com/infocenter/iseries/v7r1m0/topic/rzaub/rzaubidsoperation.htm>
_Intrusion detection system operation_






Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2014 by MIDRANGE dot COM and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available here. If you have questions about this, please contact