February 2, 2017 | IBM i

Intrusion Detection & Prevention on an IBM i


Take two seconds and tell me what you think of when I say “Intrusion Detection.” Did you think hacking, viruses, Microsoft? You probably didn’t say IBM i, because an IBM i is…well, an IBM i. It’s widely regarded as one of the most secure systems on the planet, and many people assume it has too much security built in to worry about outside attacks.


That perception is wrong. Even if your IBM i system sits comfortably inside an internal network behind multiple Cisco firewalls, it can still be attacked by bad actors who want to hack into, disrupt, or deny service to the system.

Who’s attacking my IBM i?

Here are six ways someone can get to an IBM i system, even if you’ve implemented as many security recommendations as you can find.

  • Your outward facing firewall fails or is misconfigured
  • You poked a hole in your firewall for FTP to an outside site, and that site is virus-infected
  • A user with *ALLOBJ authority accidentally deletes files
  • IBM i Integrated File System (IFS) folders get infected by ransomware, encrypting and renaming critical documents
  • Your IFS gets infected with a virus and becomes an infection point for PCs that are connected through a Windows mapped drive
  • Someone executes a destructive command on your system

What can you do about potential intrusions?

As of IBM i 6.1, IBM added an intrusion detection and prevention system (IDS) to the IBM i operating system. The IDS can notify you of attempts to hack into, disrupt, or deny service to the system (intrusion events). The IDS also monitors for potential extrusion events, where a compromised IBM i is used to launch attacks on other machines. It also has a prevention element: responses can be triggered automatically when an intrusion is detected.


The IBM i IDS is configured via GUI. It uses a Navigator for i wizard to build policies that detect system intrusions and to perform any of the following actions when an intrusion event is detected.

  • Write an intrusion monitoring record to the audit journal (QAUDJRN) for later review or export to a syslog server running Security Information and Event Management (SIEM) software
  • Send notifications to a message queue or email an on-call responder
  • Automatically execute preventative actions to counteract the intrusion, functioning as an intrusion prevention system (IPS) that wards off the attacks it detects

Activating the IDS on your IBM i is a good strategy for adding another layer of defense around your production data, even if you already have other IDS/IPS devices protecting your network. Running multiple layers of intrusion detection creates a defense-in-depth strategy, where the separate IDS systems provide redundancy in case any single one fails or is bypassed.
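As an added example of reviewing the IM records described above (not code from the original article), the following Db2 for i query summarizes intrusion monitor entries from QAUDJRN by hour so a responder can spot bursts worth investigating. It assumes the QSYS2.DISPLAY_JOURNAL service is available (IBM i 7.1 or later); the 7-day window and the 100-events-per-hour threshold are constructed values to tune for your system.

```sql
-- Added example, not from the original article.
-- Pull Intrusion Monitor (IM) audit entries written by the IBM i IDS to QAUDJRN.
-- Assumes the QSYS2.DISPLAY_JOURNAL table function exists (IBM i 7.1+).
WITH im_events AS (
    SELECT ENTRY_TIMESTAMP
    FROM TABLE(
        QSYS2.DISPLAY_JOURNAL(
            JOURNAL_LIBRARY     => 'QSYS',
            JOURNAL_NAME        => 'QAUDJRN',
            STARTING_TIMESTAMP  => CURRENT TIMESTAMP - 7 DAYS,  -- constructed window
            JOURNAL_CODES       => 'T',   -- 'T' = security audit entries
            JOURNAL_ENTRY_TYPES => 'IM'   -- intrusion monitor records only
        )
    )
),
per_hour AS (
    -- Bucket the IM entries by calendar date and hour of day
    SELECT DATE(ENTRY_TIMESTAMP) AS event_date,
           HOUR(ENTRY_TIMESTAMP) AS event_hour,
           COUNT(*)              AS im_count
    FROM im_events
    GROUP BY DATE(ENTRY_TIMESTAMP), HOUR(ENTRY_TIMESTAMP)
)
-- Flag hours whose IM volume exceeds a locally chosen baseline (100 is constructed)
SELECT event_date,
       event_hour,
       im_count,
       CASE WHEN im_count > 100 THEN 'INVESTIGATE' ELSE 'normal' END AS triage
FROM per_hour
ORDER BY im_count DESC, event_date, event_hour;
```

The per-entry detail (probe type, addresses and ports) lives in the ENTRY_DATA column of the same table function, so the flagged hours can be drilled into with a second query filtered on ENTRY_TIMESTAMP.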

What the IBM i IDS doesn’t do

There are some things that the IBM i IDS doesn’t do. It doesn’t monitor for IFS viruses, and it can’t detect Trojan horse programs, where a program is allegedly written for one function (e.g., virus detection) but is really there for another (virus infection). It also can’t detect viruses in malicious email attachments.


It’s wise to look at third-party packages that fill in the gaps the IBM i IDS doesn’t cover and provide detection capabilities beyond IBM i IDS. Some of these packages may include:

  • An IBM i-based firewall product such as iSecurity Firewall, which controls access for local and external users and precisely controls what users can and cannot do on the system. System firewalls also protect IBM i objects, regulate user limits, protect exit programs and servers from malicious code, and provide reporting, scheduling, and logging.
  • An IBM i-based anti-virus product such as iSecurity Anti-Virus, which protects against IFS viruses, Trojan horses, and malicious code. Anti-virus software can also help you comply with regulatory requirements such as the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA), and Sarbanes-Oxley (SOX).
  • An IBM i command monitoring and filtering solution such as iSecurity Command, which checks commands before they run to ensure they match your organization’s usage policy. Command filtering also evaluates the context in which a command is run (and allows or rejects it accordingly), and it can generate alerts, log command results, and provide command usage reports.

Intrusion detection and prevention covers a lot of ground on the IBM i system. While it’s valuable to have an IDS/IPS solution for the network outside of your IBM i, you’ll get better coverage by setting up a complete end-to-end IDS/IPS solution based on the IBM i IDS combined with third-party IBM i products.