How to Apply IDS/IPS to IBM i
IBM i security expert Robin Tatam is here to discuss one of the most important aspects of cybersecurity: intrusion prevention and detection. IPS/IDS are the terms many of us use, but how do they pertain to the IBM i environment?
The good news is we have a lot of different layers of security we can apply to the IBM i operating system and to the data that it houses. From a server perspective, we have object-level security controls and we absolutely recommend that be the foundation of the house.
We understand that not everybody is going to do that. You may have the application control that you need, or you may simply not have the bandwidth or the understanding to do that. That’s not to say we can’t help you! But, it’s not always going to be the optimal solution.
So, we want to make sure we have good application control, we have exit programs in place (which we’ve talked about in a previous video) to make sure we’re monitoring the connections coming in from PCs. We have a lot of people concerned about ODBC and FTP who don’t really know how to manage that. The good news is, thanks to IBM’s addition of exit points into the operating system 20 years ago, we have that capability through our Powertech Exit Point Manager for IBM i tool. The problem is a lot of people still aren’t protecting that aspect, so that’s a critical component of the prevention side of the house.
Now, assuming you’re logging those events and you have those exit programs in place and you’re looking for those types of activities, how do we know when things are happening that are perhaps unexpected or unauthorized? Well, the events are feeding into the server, and unfortunately for a lot of us we find that we have tens of thousands—maybe even hundreds of thousands—of entries being logged even in a single day.
So, it’s very important to have some aspect of automation to be able to stream through all those entries and determine the ones you need to be apprised of. We have a solution called Interact that allows us to communicate with any number of enterprise-level SIEM solutions. Sometimes the syslog servers are designed to receive log components from virtually any platform, but now we can also include IBM i in that infrastructure.
So, Powertech SIEM Agent for IBM i is going to be able to see the event as it happens in real time, format it, and get it sent out to that SIEM solution. If you haven’t invested in one of these tools, you can still feed it into an environment where perhaps a Robot tool will be able to pick that up. Message management can take that notification and send it through to email.
We also have Powertech Compliance Monitor for IBM i, which allows you to generate reports over the audit journal and look for the necessary events, so that you can receive a report in PDF or Excel format that lets you review and extract the necessary events from the log.
There are two sides to this. We want to make sure we have the best controls in place to ensure the database is protected, but we still need to be monitoring and looking for those exceptions. HelpSystems can address all of that with you. If you want more information, check out the resources on our website. We’d be happy to help you.
To learn more about securing IBM i—including using the platform's built-in intrusion detection features—download our guide to maximizing intrusion detection and prevention on IBM i.
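The talk above describes the core detection problem without showing it: the audit journal produces tens of thousands of entries a day, and something has to sift them into the handful worth a person's attention. The following is an added example written for this page, not code from the video, from HelpSystems, or from any Powertech product. It runs a small triage pass over a batch of constructed audit events. The two-letter entry type codes (AF, PW, CP, SV, DO, ZC, CA, OW, ZR) are real QAUDJRN entry types and carry IBM's meanings; the pipe-delimited field layout, the sample lines, the sensitive library names, the sign-on-failure threshold and the ten-minute window are all assumptions made for the example. In practice the entries would come from the QAUDJRN journal (for instance via DSPJRN or the QSYS2.DISPLAY_JOURNAL table function) or from the syslog feed an agent sends to a SIEM, and the real record layouts differ per entry type.

```python
"""Triage constructed IBM i audit-journal style events into alerts and a summary.

Added example for this page. The field layout below (timestamp|type|user|job|object)
is invented; real QAUDJRN record layouts are documented by IBM and differ per entry type.
"""
from collections import Counter, defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Real QAUDJRN entry type codes (subset) with IBM's meanings.
ENTRY_TYPES = {
    "AF": "Authority failure",
    "PW": "Invalid password or user ID",
    "CP": "User profile created, changed or restored",
    "SV": "System value changed",
    "DO": "Object deleted",
    "ZC": "Object changed",
    "CA": "Authority changed",
    "OW": "Object ownership changed",
    "ZR": "Object read",
}

# Assumptions for the example: which events matter regardless of volume,
# which libraries are sensitive, and what counts as a sign-on attack.
ALWAYS_ALERT = {"CP", "SV", "CA", "OW"}          # security configuration changes
OBJECT_ALERT_TYPES = {"AF", "DO", "ZC"}          # only alert when aimed at a sensitive library
SENSITIVE_LIBS = {"PRODDATA", "PAYROLL"}         # hypothetical production libraries
PW_THRESHOLD = 5                                 # failed sign-ons per user ...
PW_WINDOW = timedelta(minutes=10)                # ... within this sliding window


@dataclass
class Event:
    ts: datetime
    etype: str
    user: str
    job: str
    obj: str  # LIBRARY/OBJECT, or '-' when the entry has no object

    @property
    def library(self) -> str:
        return self.obj.split("/", 1)[0] if "/" in self.obj else ""


def parse_line(line: str) -> Event:
    """Parse one constructed event line; raises ValueError on a malformed line."""
    ts, etype, user, job, obj = line.strip().split("|")
    return Event(datetime.fromisoformat(ts), etype, user, job, obj)


def triage(lines):
    """Return (alerts, summary): alerts as (etype, user, detail) tuples, summary as a
    Counter of entry types seen. Read-only noise such as ZR is counted, not alerted."""
    alerts = []
    summary = Counter()
    pw_attempts = defaultdict(deque)  # user -> timestamps of recent PW entries
    pw_alerted = set()                # users already escalated once for sign-on failures

    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        summary[ev.etype] += 1
        desc = ENTRY_TYPES.get(ev.etype, "Unknown entry type")

        if ev.etype in ALWAYS_ALERT:
            alerts.append((ev.etype, ev.user,
                           f"{ev.ts:%H:%M:%S} {desc} by {ev.user} (job {ev.job}) -> {ev.obj}"))
        elif ev.etype in OBJECT_ALERT_TYPES and ev.library in SENSITIVE_LIBS:
            alerts.append((ev.etype, ev.user,
                           f"{ev.ts:%H:%M:%S} {desc} on {ev.obj} by {ev.user} (job {ev.job})"))
        elif ev.etype == "PW":
            window = pw_attempts[ev.user]
            window.append(ev.ts)
            while window and ev.ts - window[0] > PW_WINDOW:
                window.popleft()  # drop attempts that fell out of the window
            if len(window) >= PW_THRESHOLD and ev.user not in pw_alerted:
                pw_alerted.add(ev.user)
                alerts.append(("PW", ev.user,
                               f"{ev.ts:%H:%M:%S} {len(window)} failed sign-ons for {ev.user} "
                               f"within {PW_WINDOW} (last job {ev.job})"))
    return alerts, summary


# Constructed sample batch (not real journal data): ODBC reads, an FTP password-guessing
# burst, an authority failure against payroll, and two configuration changes by QSECOFR.
SAMPLE = """\
2024-05-01T08:00:01|ZR|JSMITH|QZDASOINIT|PRODDATA/CUSTMAST
2024-05-01T08:00:02|ZR|JSMITH|QZDASOINIT|PRODDATA/ORDERS
2024-05-01T08:00:05|PW|GUEST|QTFTP00123|-
2024-05-01T08:00:07|PW|GUEST|QTFTP00124|-
2024-05-01T08:00:09|PW|GUEST|QTFTP00125|-
2024-05-01T08:00:11|PW|GUEST|QTFTP00126|-
2024-05-01T08:00:13|PW|GUEST|QTFTP00127|-
2024-05-01T08:01:00|PW|MJONES|QPADEV0001|-
2024-05-01T08:02:30|AF|JSMITH|QZDASOINIT|PAYROLL/EMPSAL
2024-05-01T08:03:00|AF|JSMITH|QZDASOINIT|TESTLIB/SCRATCH
2024-05-01T08:05:00|CP|QSECOFR|QPADEV0002|QSYS/NEWADMIN
2024-05-01T08:06:00|SV|QSECOFR|QPADEV0002|QAUDLVL
2024-05-01T08:07:00|ZC|JSMITH|QZDASOINIT|PRODDATA/CUSTMAST
"""

if __name__ == "__main__":
    found, seen = triage(SAMPLE.splitlines())
    print(f"{sum(seen.values())} entries, {len(found)} alerts; by type: {dict(seen)}")
    for _, _, detail in found:
        print("ALERT", detail)
```

Thirteen entries go in and five alerts come out: one for the burst of failed sign-ons by GUEST, one for the authority failure against PAYROLL, one each for the user profile and system value changes, and one for the change to a production file over the database server job. The single failed sign-on by MJONES, the authority failure against a test library and the two reads of production files are only counted, which is the point the talk makes: the rules, not a person, decide which of the many entries are surfaced, and the summary still shows what was filtered.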