
Re: [OPSAWG] Review and contribution requested: draft-boesch-idxp-idpef-01 (Bjoern-C. Boesch)

2015-05-02 07:33:43
Hi Randy,

thanks for your feedback and the start of a discussion about IDPEF and its management features / options.

IDXP already provides an interface for configuration exchange. Therefore IDPEF was developed close to IDMEF and IDXP. An important argument was that only one transport protocol is needed for configuration and signalling. That reduces the probability of vulnerabilities in the implementation (one implementation instead of two).

The key point for IDPEF is that the parametrization of the Analyzer will be harmonized and the Manager becomes independent. Based on this you are able to combine different (vendor and analyzing technique) IDS Analyzers under one independent central Manager. With YANG and NETCONF the configuration will still be vendor-specific, and vendor-specific adjustments are still needed on the side of the central Manager. That is why I preferred a specialized format.

Maybe there are some other good points which plead for YANG as IDS configuration format that we should put focus on.

Kind regards

Bjoern-C.

On 01.05.2015 at 00:45, Randy Presuhn wrote:
Hi -

Has there been some discussion of the reasons why this work
doesn't employ one of the established management information
data modeling languages, such as Yang or SNMP SMI?

Randy

-----Original Message-----
From: "B.-C. Boesch" <bjoernboesch(_at_)gmx(_dot_)net>
Sent: Apr 29, 2015 7:41 AM
To: saag(_at_)ietf(_dot_)org, sacm(_at_)ietf(_dot_)org, ietf(_at_)ietf(_dot_)org, 
OPSAWG(_at_)ietf(_dot_)org, Kathleen Moriarty 
<kathleen(_dot_)moriarty(_dot_)ietf(_at_)gmail(_dot_)com>
Cc: Stephen Farrell <stephen(_dot_)farrell(_at_)cs(_dot_)tcd(_dot_)ie>
Subject: [OPSAWG] Review and contribution requested: draft-boesch-idxp-idpef-01 
(Bjoern-C. Boesch)

Dear community,

I have posted the attached draft and am looking for feedback from people with
security management and / or security (IDS) operations expertise
(including IDS developer). I am particularly interested in your opinions
on the communication proceedings, the parametrization methodology and
the provided attributes (and such I did not think of). If the text needs
updating by your point of view, please let me know that as well. Here is
the link to the new draft:

http://www.ietf.org/id/draft-boesch-idxp-idpef-01.txt

At first view the draft looks very long, but after page 44 a lot of
examples and definitions are included for better understanding. So the
first 43 pages are primarily in scope for feedback, but feedback for the
other pages is welcome, too.

Abstract

The Intrusion Detection Parametrization Exchange Format (IDPEF) defines
data formats and exchange procedures to standardize parametrization
information exchange into intrusion detection and response systems from
an independent central Manager to any Analyzer. The IDPEF enables a
combination of different (vendor and analyzing technique) IDS Analyzers
under one independent central Manager. Separate operation of each IDS is
no longer needed. The basis is a new parametrization methodology where IDS
operating parameters (configurations) are separated into an environmental
parametrization part and a vendor-specific analyzing part.

This Internet-Draft describes a data model to represent parametrization
information of intrusion detection system entities, and explains the
rationale for using this model. An implementation of the data model in
the Extensible Markup Language (XML) is presented, an XML Document Type
Definition is developed, and parametrization examples are provided.



I am looking forward to your suggestions, feedback, notations, hints,
recommendations, etc. to improve the Internet Draft. Also native speaker
feedback with scope on wording and typos is welcome.

Kind regards,

Bjoern-C.


_______________________________________________
OPSAWG mailing list
OPSAWG(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/opsawg
