
Re: [OPSAWG] Internet Draft: Standardized Parameterization of Intrusion Detection Entities

2015-02-02 13:14:25
Dear David,

Thanks for your hint to the SACM WG. I have also posted it within the SACM community for any comments, feedback, suggestions, notations, hints, recommendations, etc., but haven't received any response or feedback to the Internet Draft so far. I hope this will change and a lively discussion is going to come up.

Kind regards

B.-C. Boesch


On 02.02.2015 at 18:32, David Harrington wrote:
I think similar work is being addressed in the sacm wg.

David Harrington
ietfdbh(_at_)comcast(_dot_)net



On Jan 18, 2015, at 3:23 AM, B.-C. Boesch <bjoernboesch(_at_)gmx(_dot_)net> wrote:

Dear Community,

Efficiency of Intrusion Detection Systems (IDS) depends on their configuration and coverage of services. The coverage depends on the IDS used, with currently vendor-specific configurations. In case of usage of multiple systems, the operations could become complex. Individual communication between the management interface and the IDS entities results in current multi-vendor IDS architectures not interacting with each other. They are independently coexistent.

The Internet Draft defines data formats and exchange procedures to standardize parametrization information exchange into intrusion detection and response systems from a Manager to an Analyzer.

The created Intrusion Detection Parametrization Exchange Format (IDPEF) is intended to be a standard data format to parametrize IDS. The development of this open standardized format and the Intrusion Detection Message Exchange Format (IDMEF) will, in combination, enable interoperability among commercial, open source, and research systems, allowing users to mix-and-match the deployment of these systems according to their strong and weak points to obtain an optimal IDS implementation.

The most obvious place to implement IDPEF is in the data channel between a Manager and an Analyzer of an IDS, where the Manager sends the configuration parameters to the Analyzers. But there are other places where the IDPEF can be useful:

- Combination of specialized IDS like application-IDS with server-IDS, WLAN-IDS and network-IDS into one functionally interacting meta-IDS.

- Management of different IDS vendors with one central management interface.

- Interaction of different IDS by using IDPEF and IDMEF.

- Parametrization backups and restore of parametrized IDS entities.

- For communication between one Manager and another Manager in a multi-stage management architecture.

I am happy to invite you to give me feedback, suggestions, notations, hints, recommendations, etc. to improve the Internet Draft. The initial version of the Internet Draft can be found at:

http://www.ietf.org/id/draft-boesch-idxp-idpef-00.txt

Kind regards,

B.-C. Boesch

_______________________________________________
OPSAWG mailing list
OPSAWG(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/opsawg
