iCan Blog Archive

Another day, another security vulnerability. System administrators everywhere battle daily to keep their systems secure. When security algorithms are deemed vulnerable or another network attack is disclosed, how do you know if you’re impacted? How many issues could be caused by turning a weak security algorithm off? Tracing network traffic and analyzing the data is a tedious task and isn’t always straightforward.

In IBM i 7.3, security auditing has been enhanced to audit a wide variety of network connections and traffic with sockets connection (SK) journal entries. While security auditing has included the ability to audit TCP sockets connections for years, the new network audit function now lets you audit UDP and secure traffic using new audit levels.

Network auditing gives you the ability to identify network traffic flowing into and out of your IBM i 7.3 partitions. As security requirements continue to increase, auditing is a useful tool to analyze potential exposures and determine what security is being used to protect network traffic.

TCP and UDP Auditing

TCP connections and UDP traffic in and out of the system are audited by enabling audit levels *NETSCK, *NETUDP, and *NETTELSVR. You can combine these audit levels to audit both TCP and UDP traffic simultaneously.

Previously, the Telnet server was specifically not audited with TCP sockets connections because the quick reconnect rates of some Telnet clients could result in a high number of audit records on a system. The special Telnet audit level *NETTELSVR has been added so you can audit the Telnet server separately from other TCP connections.

Audit records for TCP and UDP traffic contain the following information (for more details, see IBM i Knowledge Center topic TCP and UDP auditing):

• Address family (IPv4 or IPv6)
• Local IP address
• Local port
• Remote IP address
• Remote port


Secure Socket Connection Auditing

You can now audit secure traffic with the new secure network audit level *NETSECURE. System SSL/TLS connections can be audited to determine what protocols and cipher suites are being used on the system. With that information, you can identify exposure to known vulnerabilities and ensure the desired levels of security are being used on the system to protect network traffic. You can also audit secure and non-secure TCP connections at the same time to determine which connections are secure and which aren’t by analyzing the IP addresses and ports in the audit records generated.

The new secure audit function also includes auditing successful VPN Internet Key Exchange (IKE) negotiations, successful IP Security (IPsec) connections, and secure UDP traffic. Secure Telnet server connections can also be audited when both audit levels *NETTELSVR and *NETSECURE are enabled.

Audit records for secure TCP and UDP traffic contain the following information (for more details, see IBM i Knowledge Center topic Secure socket connection auditing):

• Address family (IPv4 or IPv6)
• Local IP address
• Local port
• Remote IP address
• Remote port
• Secure version
• Secure properties
• Secure information


Enabling Network Auditing

Network auditing can be defined for a system at two different levels: system-wide network auditing that occurs for all users and network auditing that occurs for specific users. System values and user profile parameters are used to enable network security auditing.

You can audit specific traffic on the system based on the auditing levels enabled. The following table describes the different network audit level values and how they are used. See IBM i Knowledge Center topic Enable socket connection auditing to learn more about enabling network auditing on your system.


Analyzing Network Auditing Records

The security audit journal (QAUDJRN in library QSYS) is the primary source of auditing information on your system. When a network event is audited, the system writes a sockets journal entry (type SK) in the current journal receiver for QAUDJRN. Each sockets journal entry has a detailed entry type that indicates what kind of network event was audited. See IBM i Knowledge Center topic Analyze socket connection auditing records to learn more about the sockets journal entry format and the different methods available to analyze the journal entries that are logged.

Network connection auditing allows you to better understand the network traffic and security on your systems. For more information about network connection auditing, visit Socket connection auditing in the IBM Knowledge Center.

This blog post was originally published on IBMSystemsMag.com and is reproduced here by permission of IBM Systems Media.