[ISN] IETF working group seeks to improve security alerting

From: mea culpa (jerichoat_private)
Date: Wed Mar 17 1999 - 23:33:31 PST

  • Next message: mea culpa: "[ISN] BBB Web Site Privacy Program Finally Arrives"

      This message is in MIME format.  The first part should be readable text,
      while the remaining parts are likely unreadable without MIME-aware tools.
      Send mail to mimeat_private for more info.
    
    --------------43E9710D4395006671135984
    Content-Type: TEXT/PLAIN; CHARSET=us-ascii
    Content-ID: <Pine.SUN.3.96.990318003236.8313mat_private>
    
    
    Forwarded From: darek milewski <darekmat_private>
    
    http://www2.nwfusion.com:8001/cgi-bin/print.cgi?article=http://www.nwfusion.com/news/1999/0316security.html
    
    Sound the alarm!
    IETF working group seeks to improve security alerting.
    By Sandra Gittlen
    Network World Fusion, 03/16/99
    
     MINNEAPOLIS - An IETF working group has stepped up work on a protocol for
    broadcasting alerts of network breaches across proprietary security
    applications. 
    
     The Intrusion Detection Message Exchange Protocol (IDMEP) would let
    applications - and system managers - quickly share information about
    attacks, according to IDMEP working group members.  They are meeting here
    as part of an overall IETF conference. 
    
     "[IDMEP] will be useful for attacks launched from one domain to another," 
    says working group attendee Brian Tung, a computer scientist at the
    University of Southern California's Information Sciences Institute. "If a
    source domain notices an attack, it can notify the destination network. 
    Right now, that's done by a human." 
    
     The group had met last year at the IETF meeting in Orlando, but was
    unsuccessful in gaining consensus and had to revamp its plans. This time,
    meeting attendees seemed encouraged by the group's efforts. 
    
     With the protocol, which could be based on SNMP Version 3, an alert
    detailing the type of attack in progress will be automatically sent across
    the network, along with a reference, such as a URL or a system file, where
    the network manager can find further information.  That information could
    be the threshold setting of the alerter's system letting the recipient
    know what the alerter considers an attack or what the alerter suggests as
    a response for such an attack. 
    
     Mark Wood, product line manager at Internet Security Systems in Atlanta,
    says IDMEP could dramatically improve responses to attacks because
    networks will be sharing information, not duplicating efforts. 
    
     In fact, Tung says that hooking the IDMEP to policy networks could let
    users set up automatic responses to alerts and, therefore, ward them off. 
    
     "There are a number of dollars to be had in [the intrusion detection
    tools] market," says Stuart Staniford-Chen, co-chair of the working group.
    In fact, the projected market for intrusion detection tools is expected to
    be $200 million, according to analysts at the Aberdeen Group, a Boston
    consultancy. "Therefore, we need to get moving on this [protocol]." 
    
     Wood says he expects the protocol to be completed by the middle of next
    year, but products based on a proposed standard could be released as early
    as the first quarter of next year. Cisco and Axent are also working on the
    protocol. 
    
    
    --------------43E9710D4395006671135984--
    -o-
    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: Internet Security Institute [www.isi-sec.com]
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:21:10 PDT