
Sound the alarm!

IETF working group seeks to improve security alerting.



MINNEAPOLIS - An IETF working group has stepped up work on a protocol for broadcasting alerts of network breaches across proprietary security applications.

The Intrusion Detection Message Exchange Protocol (IDMEP) would let applications - and system managers - quickly share information about attacks, according to IDMEP working group members. They are meeting here as part of an overall IETF conference.

"[IDMEP] will be useful for attacks launched from one domain to another," says working group attendee Brian Tung, a computer scientist at the University of Southern California's Information Sciences Institute. "If a source domain notices an attack, it can notify the destination network. Right now, that's done by a human."

The group had met last year at the IETF meeting in Orlando, but was unsuccessful in gaining consensus and had to revamp its plans. This time, meeting attendees seemed encouraged by the group's efforts.

With the protocol, which could be based on SNMP Version 3, an alert detailing the type of attack in progress will be sent automatically across the network, along with a reference, such as a URL or a system file, where the network manager can find further information. That information could be the threshold setting of the alerter's system, which tells the recipient what the alerter considers an attack, or the response the alerter suggests for such an attack.

Mark Wood, product line manager at Internet Security Systems in Atlanta, says IDMEP could dramatically improve responses to attacks because networks will be sharing information, not duplicating efforts.

In fact, Tung says that hooking IDMEP to policy networks could let users set up automatic responses to alerts and, therefore, ward off attacks.

"There are a number of dollars to be had in [the intrusion detection tools] market," says Stuart Staniford-Chen, co-chair of the working group. In fact, the market for intrusion detection tools is projected to be $200 million, according to analysts at the Aberdeen Group, a Boston consultancy. "Therefore, we need to get moving on this [protocol]."

Wood says he expects the protocol to be completed by the middle of next year, but products based on a proposed standard could be released as early as the first quarter of next year. Cisco and Axent are also working on the protocol.

RELATED LINKS

Contact Senior Online Reporter Sandra Gittlen

Intrusion-Detection Working Group
The IETF working group. Site has background info and a mailing-list archive.

Securing your IP network future
Network World, 2/23/98.

Common Intrusion Detection Framework
An earlier effort to develop an intrusion alert protocol.

Intrusion Detection Systems
Links to research projects and commercial apps.

