Troubleshooting
Problem
This document describes the use of the Intrusion Detection System (IDS) and how to configure TCP/IP address ranges so that specific hosts do not trigger IDS events.
Resolving The Problem
The Intrusion Detection and Prevention System (IDS) notifies you of attempts to hack into, disrupt, or deny service to the system. IDS also monitors for potential extrusions, where your system might be used as the source of the attack. These potential intrusions and extrusions are logged as intrusion monitor audit records in the security audit journal and displayed as intrusion events in the Intrusion Detection System graphical user interface (GUI). You can configure IDS to prevent intrusions and extrusions from occurring.
Some administrators choose to exclude particular hosts from triggering IDS events (for example, a port scanner). By default, any TCP/IP address will trigger an event. However, IDS policies do not allow you to simply exclude a single TCP/IP address. Instead, TCP/IP ranges define which hosts trigger an event. These ranges are based on the Class A, Class B, and Class C design of TCP/IP addressing:
Class A: 1.0.0.1 - 126.255.255.255
Class B: 128.0.0.1 - 191.255.255.255
Class C: 192.0.0.1 - 223.255.255.255
In this document, we assume the client has a network scanner with the TCP/IP address 10.10.10.10. To configure IDS so that this particular host is excluded, four (4) separate policies are needed:
Policy1 - includes a range of 1.0.0.1 - 10.10.10.9
Policy2 - includes a range of 10.10.10.11 - 126.255.255.255
Policy3 - includes a range of 128.0.0.1 - 191.255.255.255
Policy4 - includes a range of 192.0.0.1 - 223.255.255.255
A screen shot of Policy1 being configured with the Remote IP Address range follows:

After the New IP Address Range has been defined, select the range to be used in the new policy:

Create a policy for each range, and IDS is then configured to report scan events from every address except 10.10.10.10.
An example of what the policies would look like from the IDS Policies screen in Navigator follows:

Notice that the only address left out of the ranges is 10.10.10.10, apart from the 127.x.x.x network (which encompasses *LOOPBACK) and the 224.x.x.x range (which is multicast).
With these policies in place, a scan from any TCP/IP address other than 10.10.10.10 flags an IDS scan event.
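The following is an added example, not part of the IBM technote and not IBM i code: it computes the Remote IP Address ranges the four policies need by carving the excluded host out of the three class ranges, and checks which policy (if any) a given address falls under. It generalizes the technote's single-host case to any list of excluded hosts; the function names and the check for 127.x.x.x and 224.x.x.x addresses are this example's own.

```python
from ipaddress import IPv4Address

# Class-based ranges the IDS policies are built from, as listed in the technote.
CLASS_RANGES = [
    ("Class A", IPv4Address("1.0.0.1"), IPv4Address("126.255.255.255")),
    ("Class B", IPv4Address("128.0.0.1"), IPv4Address("191.255.255.255")),
    ("Class C", IPv4Address("192.0.0.1"), IPv4Address("223.255.255.255")),
]


def split_ranges(excluded_hosts):
    """Return (start, end) pairs covering the class ranges minus the excluded hosts.

    Each pair is one IDS policy's Remote IP Address range. Adjacent excluded
    hosts collapse into a single gap, so the policy count stays minimal.
    """
    excluded = sorted({IPv4Address(h) for h in excluded_hosts})
    policies = []
    for _, start, end in CLASS_RANGES:
        cursor = start
        for host in excluded:
            if host < cursor or host > end:
                continue  # host lies outside this class range (or is already past)
            if host > cursor:
                policies.append((cursor, host - 1))  # range up to the host
            cursor = host + 1  # resume just after the excluded host
        if cursor <= end:
            policies.append((cursor, end))  # remainder of the class range
    return policies


def policy_for(address, policies):
    """Return the 1-based policy number whose range contains address, or None.

    None means the address is covered by no policy and will not raise a scan
    event: the excluded host, *LOOPBACK (127.x.x.x) and multicast (224.x.x.x).
    """
    addr = IPv4Address(address)
    for number, (start, end) in enumerate(policies, 1):
        if start <= addr <= end:
            return number
    return None


def describe(policies):
    """Render the ranges in the technote's 'PolicyN - includes a range of' form."""
    return [f"Policy{n} - includes a range of {s} - {e}"
            for n, (s, e) in enumerate(policies, 1)]


if __name__ == "__main__":
    for line in describe(split_ranges(["10.10.10.10"])):
        print(line)
```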
For further information on IDS, you should refer to the following URL: https://www.ibm.com/support/knowledgecenter/ssw_ibm_i_73/rzaub/rzaubkickoff.htm
Historical Number
612946357
Document Information
Modified date:
18 December 2019
UID
nas8N1011323