[ISN] IETF working group seeks to improve security alerting

From: mea culpa <jericho_at_dimensional.com>
Date: Thu 18 Mar 1999 - 01:33:31 CST
Forwarded From: darek milewski <darekm@cmeasures.com>

http://www2.nwfusion.com:8001/cgi-bin/print.cgi?article=http://www.nwfusion.com/news/1999/0316security.html

Sound the alarm!
IETF working group seeks to improve security alerting.
By Sandra Gittlen
Network World Fusion, 03/16/99

 MINNEAPOLIS - An IETF working group has stepped up work on a protocol for
broadcasting alerts of network breaches across proprietary security
applications. 

 The Intrusion Detection Message Exchange Protocol (IDMEP) would let
applications - and system managers - quickly share information about
attacks, according to IDMEP working group members.  They are meeting here
as part of an overall IETF conference. 

 "[IDMEP] will be useful for attacks launched from one domain to another," 
says working group attendee Brian Tung, a computer scientist at the
University of Southern California's Information Sciences Institute. "If a
source domain notices an attack, it can notify the destination network. 
Right now, that's done by a human." 

 The group had met last year at the IETF meeting in Orlando, but was
unsuccessful in gaining consensus and had to revamp its plans. This time,
meeting attendees seemed encouraged by the group's efforts. 

 With the protocol, which could be based on SNMP Version 3, an alert
detailing the type of attack in progress will be automatically sent across
the network, along with a reference, such as a URL or a system file, where
the network manager can find further information.  That information could
be the threshold setting of the alerter's system letting the recipient
know what the alerter considers an attack or what the alerter suggests as
a response for such an attack. 

 Mark Wood, product line manager at Internet Security Systems in Atlanta,
says IDMEP could dramatically improve responses to attacks because
networks will be sharing information, not duplicating efforts. 

 In fact, Tung says that hooking the IDMEP to policy networks could let
users set up automatic responses to alerts and, therefore, ward them off. 

 "There are a number of dollars to be had in [the intrusion detection
tools] market," says Stuart Staniford-Chen, co-chair of the working group.
In fact, the projected market for intrusion detection tools is expected to
be $200 million, according to analysts at the Aberdeen Group, a Boston
consultancy. "Therefore, we need to get moving on this [protocol]." 

 Wood says he expects the protocol to be completed by the middle of next
year, but products based on a proposed standard could be released as early
as the first quarter of next year. Cisco and Axent are also working on the
protocol. 


-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: Internet Security Institute [www.isi-sec.com]
Received on Thu Mar 18 09:03:34 1999