Security architects and corporate security officers are often faced with a common dilemma: opening the business to new opportunities by leveraging the Web, while balancing the need to protect information assets. Outside clients, hackers and even corporate employees can wreak havoc if there are security exposures in your IT infrastructure.

More enterprises are architecting their mainframe systems for direct connections from the Internet in place of traditional point-to-point networks. The network is often configured with a protective outer boundary - a sort of demilitarized zone (DMZ). This DMZ includes firewall technologies and Intrusion Detection Services (IDS) that are a valuable line of defense. However, in the event that an intruder does gain access to your system, how can you detect suspicious activity or system misuse? How can you be alerted to denial-of-service (DoS) attacks? More importantly, how can you provide an immediate response to these events? This requires a complement of monitoring, data analysis, notification and automation. The basis of this is built into the IDS that is part of the mainframe's z/OS* operating system.

A Complementary System

z/OS IDS is built into the networking component called the TCP/IP stack. This allows evaluation as the traffic first enters the z/OS system. It can detect network attacks directed at the z/OS system by evaluating data in context at predetermined points, called attack probes.

Adding a mainframe level of IDS can help you address two trends in network traffic that are putting pressure on the outboard IDS option: the increase in encryption over the network and the increased pace of attacks.

The rapid increase of end-to-end encryption in network traffic has decreased the effectiveness of outboard network-based IDS. Network devices don't typically have access to the clear data and can't detect an intrusion based on the data content. The z/OS system, however, can evaluate the traffic and check for intrusions after the inbound traffic has been decrypted in the mainframe system. The traffic content can be analyzed against the policies defined in the z/OS IDS.

As the technologies available to attackers become more sophisticated, the challenges of intrusion detection (ID) become more difficult. ID systems must be continually enhanced to keep ahead of the attackers. Outboard ID systems typically use an "attack signature" that detects known attacks. An attack signature is a unique set of information that intrusion detection technology can use to identify an attacker's attempt to penetrate a known operating system or application vulnerability. When ID detects an attack signature, it displays a security alert.
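The following Python model, added here as an illustration and not code from IBM or from z/OS Communications Server, shows why the two evaluation points matter. It places one probe at the connection level (before any decryption, where a simple flood threshold can still be applied) and one probe at the content level (after decryption, where signature matching becomes possible). The signature strings, the source addresses, the rate threshold and the keyed XOR "cipher" standing in for TLS are all constructed for the demonstration; the XOR cipher is a stand-in only and is not secure. The same signature check run against the ciphertext, as an outboard device would see it, finds nothing.

```python
"""Model of host-side intrusion detection evaluated at fixed probe points.

Constructed example: probe positions, thresholds and signatures are assumed
values for illustration, not the policy syntax of any real IDS.
"""
import hashlib
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Constructed content signatures (stand-ins for real attack signatures).
CONTENT_RULES = {
    "demo-signature-1": b"EXAMPLE-ATTACK-PATTERN",
    "demo-signature-2": b"EXAMPLE-PROBE-STRING",
}


def keystream(key: bytes, length: int) -> bytes:
    """Derive a deterministic keystream from a key (toy stand-in for TLS)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def toy_encrypt(key: bytes, data: bytes) -> bytes:
    """XOR the payload with the keystream; decryption is the same operation."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


toy_decrypt = toy_encrypt


def match_signatures(payload: bytes, rules=CONTENT_RULES) -> list:
    """Return the names of every rule whose pattern appears in the payload."""
    return [name for name, pattern in rules.items() if pattern in payload]


def outboard_ids(ciphertext: bytes) -> list:
    """A network device only sees ciphertext, so content rules cannot fire."""
    return match_signatures(ciphertext)


@dataclass
class HostIDS:
    """IDS inside the endpoint's network stack with two probe points."""
    key: bytes                      # session key the host holds after handshake
    rate_limit: int = 5             # assumed: max connections per window per source
    window: int = 10                # assumed: window length in seconds
    events: dict = field(default_factory=lambda: defaultdict(deque))
    alerts: list = field(default_factory=list)

    def connection_probe(self, src: str, ts: int) -> bool:
        """Probe 1, before decryption: flag a source exceeding the rate limit."""
        recent = self.events[src]
        recent.append(ts)
        while recent and recent[0] <= ts - self.window:
            recent.popleft()        # drop events that fell out of the window
        if len(recent) > self.rate_limit:
            self.alerts.append(("flood", src, len(recent)))
            return True
        return False

    def content_probe(self, src: str, ciphertext: bytes) -> list:
        """Probe 2, after decryption: match the clear payload against policy."""
        plaintext = toy_decrypt(self.key, ciphertext)
        hits = match_signatures(plaintext)
        for name in hits:
            self.alerts.append(("signature", src, name))
        return hits


if __name__ == "__main__":
    key = b"constructed-session-key"
    request = b"GET /search?q=EXAMPLE-ATTACK-PATTERN HTTP/1.1"
    wire = toy_encrypt(key, request)
    ids = HostIDS(key)
    print("outboard view:", outboard_ids(wire))          # []
    print("host view:", ids.content_probe("10.0.0.1", wire))  # ['demo-signature-1']
    for second in range(6):
        ids.connection_probe("10.0.0.2", second)
    print("alerts:", ids.alerts)
```

The design point is the order of the probes: rate-based checks need only headers and timing, so they run as traffic first enters the stack, while content checks are only meaningful once the stack holds the clear data, which is exactly the vantage point an outboard device lacks.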
"We view the z/OS Intrusion Detection Services as complementary to these outboard network-based IDSs," says Linwood Overby, IBM* lead network security designer for z/OS. "It extends the overall IDS coverage that an enterprise can achieve by detecting attacks that may otherwise go undetected by outboard network-based IDS devices."