Setting Up a Firewall Intrusion Detection System

To set how Firewall reacts to intrusions, select 5. Intrusion Detection System, from the iSecurity (part I) Global Parameters screen (STRFW > 81).

The Firewall Intrusion Detection System screen appears:

                     Firewall Intrusion Detection System

 When intrusion is detected:                     Real Mode  | *FYI Mode
 End the offending interactive session . . .       N        |    N
 Send message to the user  . . . . . . . . .       N        |    N
 Disable user (F15 for exceptions) . . . . .       N        |    N
 Email Security Admin (Y, M=1/Min, D=6/Min).       N        |    N

 Email:
 Run Action (If Action installed)  . . . . .                |
 Write to QAUDJRN (security audit journal) .       N        |    N
 Audit journal code is U. Journal entry type is FW. Data format: SMZ8/GSCALP

 Do not send Email regarding:                 useful during penetration test
                  IP . . . . . . . . . . . .
 OR    AND, OR    User . . . . . . . . . . .

 Setting up an Intrusion Detection System:     Name        Library
 Send rejects to message queue or QSYSOPR  .  *NONE
 At the monitoring workstation, enter: CHGMSGQ DLVRY(*BREAK) SEV(0)
 This causes rejection messages to break-in with a beep.
 Send allowed messages to message queue  . .  *NONE

 F3=Exit   F12=Previous
                                                                                

The screen contains the following sections and fields:

When intrusion is detected

Each of these items has two fields, which take Y (yes) or N (no) values except where noted. The fields under the *FYI Mode label control how Firewall responds to intrusions when it is running in FYI simulation mode (as described in Running Firewall in FYI Simulation mode). The fields under the Real Mode label control how Firewall responds when it is running normally.

End the offending interactive session

End the interactive session in which the intrusion occurred.

Send a message to the user

Send a message to the user of the session in which the intrusion occurred.

Disable user (F15 for exceptions)

Disable the account of the user in whose session the intrusion occurred.

To set users whose accounts are not disabled if intrusions occur in their sessions, press the F15 (Shift+F3) key. The Auto-Disable Exceptions screen appears, as shown in Setting Users who Are Never Disabled by the Firewall Intrusion Detection System.

Email Security Admin (Y, M=1/Min, D=6/Min)

Email a message to the Security Admin. Possible values are:

  • Y: Email all messages.
  • M: Email no more than one message per minute.
  • D: Email no more than six messages per minute.

Enter the email address of the Security Admin in the Email: sub-field.

Run Action (if Action installed)

If the iSecurity Action product is installed, perform the indicated named actions.

Write to QAUDJRN (security audit journal)

Log the intrusion to QAUDJRN using the data format of the file SMZ8/GSCALP. Entries are written with audit journal code "U" and journal entry type "FW".
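Once this option is set to Y, the intrusion entries sit in the system audit journal alongside everything else the system writes there, so a reviewer needs a way to pull out just the Firewall records. The following CL commands are an added example and are not part of the iSecurity documentation; they assume a library named MYLIB exists and that the output file name FWIDS is free, both of which are placeholders chosen here.

```cl
/* Added example (not from the iSecurity documentation).             */
/* Extract the Firewall intrusion entries written to QAUDJRN          */
/* (journal code U, entry type FW) from the current receiver chain    */
/* into an outfile, then show them at the workstation.                */
/* MYLIB and FWIDS are placeholder names; substitute your own.        */

DSPJRN     JRN(QSYS/QAUDJRN) RCVRNG(*CURCHAIN) +
           JRNCDE((U)) ENTTYP(FW) +
           OUTPUT(*OUTFILE) OUTFILE(MYLIB/FWIDS) +
           OUTFILFMT(*TYPE5) ENTDTALEN(*CALC)

/* The entry-specific data (field JOESD) holds the SMZ8/GSCALP-format  */
/* record for each intrusion; the timestamp and job fields let the    */
/* reviewer correlate an entry with the offending session.            */
RUNQRY     QRYFILE((MYLIB/FWIDS))
```

Restricting the extract with both JRNCDE((U)) and ENTTYP(FW) matters: code U covers every user-generated journal entry, so filtering on the code alone would return records from other products that also write to QAUDJRN. A scheduled job running this extract is a simple way to keep an offline copy of the intrusion history for later review.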

Setting up an Intrusion Detection System

Send rejects to message queue or QSYSOPR

Enter the Name and Library of the message queue to which rejects will be sent, or enter QSYSOPR to send them to the system operator queue.

If you are sending messages to a monitoring workstation, enter the command CHGMSGQ DLVRY(*BREAK) SEV(0) at the workstation to cause the messages to break in with a beep.