Creating the IETF IDWG Intrusion Detection Protocols IDMEF & IDXP

Transcription

1 Creating the IETF IDWG Intrusion Detection Protocols IDMEF & IDXP Ground System Architectures Workshop GSAW 2002 March 12-15, 2002 Joe Betser Andy Walther The Aerospace Corp Mike Erlinger, Tim Buchheim Ben Feinstein, Greg Matthews Harvey Mudd College

2 Motivation Intrusion detection is becoming widespread Many Proprietary systems Volume of data reported increasing Automation and interoperability are needed Collect information in central repository Collate and filter data Automate response Betser, Erlinger, et al GSAW

3 Motivation Ground Stations are vulnerable COTS Systems (known security vulnerabilities) COTS Networking (known security vulnerabilities Separation not always physical CA power network Need common intrusion message format and common transport protocol Goal --Tool Interoperability Betser, Erlinger, et al GSAW

4 Impact Create global Internet IDS protocols and data structures to enable IDS component communication in global enterprises Ubiquitous global dissemination of usage & interoperability -- a condition for advancement in standards track Rough Consensus and Running Code Betser, Erlinger, et al GSAW

5 The IDS Process IP infrastructure under attack IDS sensors/mgrs communicate using IDWG Protocols IDMEF for Message, IDXP for transport IDS information correlated by managers Detection drives response Betser, Erlinger, et al GSAW

6 Technical Approach Develop widely used IDS Internet protocols IETF IDWG (Intrusion Detection W/G) Message structures and communication protocol Participation of Cisco, NAI, HP, Boeing, IBM, ISS, MITRE, MSFT, etc. 3 IETF meetings per year and interim IDWG meetings, much work done over Betser, Erlinger, et al GSAW

7 The IETF Standards body for the Internet Divided into Working Groups driven by Charter and Milestones Rough Consensus and Running Code Betser, Erlinger, et al GSAW

8 The IDWG Intrusion Detection Working Group Develop a common way to communicate Message Format (XML) IDMEF (Intrusion Detection Message Exchange Format) Transport protocol IAP (Intrusion Alert Protocol) IDXP (Intrusion Detection exchange Protocol) Betser, Erlinger, et al GSAW

9 Requirements Reliable Delivery Mutual Authentication & Assurance of Identity Confidentiality and Integrity Work without compromising Firewalls Proxy-able Betser, Erlinger, et al GSAW

10 Architectures Manager Manager Initial connection Flow of intrusion alerts Manager Betser, Erlinger, et al F I R E W A L L Proxy Active Analyzer Active Analyzer Manager Manager Passive Analyzer GSAW

11 IAP The Basics Similar to HTTP Runs over TCP Uses TLS for security Differences Direction of communication does not depend on who initiated the connect Betser, Erlinger, et al GSAW

12 IDXP Motivation IAP predated BEEP (Blocks Extensible Exchange Protocol - RFC 3080) Generalized application level protocol framework Computers connect through a BEEP session Different protocols implemented as profiles, run over BEEP channels IDXP developed as a BEEP profile Betser, Erlinger, et al GSAW

13 IDXP What It Looks Like IDXP syslog Other profile BEEP TCP IP Ethernet, ATM, etc. Betser, Erlinger, et al GSAW

14 IDXP Advantages Flexibility Other BEEP profiles used to satisfy security and firewall operation requirements Simplicity Using other profiles for security and firewall operation reduces the complexity of IDXP Scalability Many BEEP channels running IDXP Cost of security incurred once for each BEEP session Betser, Erlinger, et al GSAW

15 Achievements IDWG Requirements Internet Draft (ID) IDMEF Message Format ID IDXP Message Transport ID Tunnel Proxy ID Skeleton IDMEF Implementation Skeleton IDXP Implementation Betser, Erlinger, et al GSAW

16 Current Status Feb 2002 IDWG Requirements submitted for Informational RFC status IDMEF Message Format submitted for Proposed RFC Status IDXP Message Transport submitted for Proposed RFC Status TUNNEL Transport Proxy submitted for Proposed RFC Status Betser, Erlinger, et al GSAW

17 Future Work Interoperability testing, standards progress Incident reporting, configurations, vulnerabilities possible standard message formats Correlation and Response protocols Community input continually received! Betser, Erlinger, et al GSAW

18 Lessons Learned Tough to build global consensus Wide spectrum of agendas among participants Strong collaboration with forward momentum Researchers and vendors participate Extraordinary leverage and tech transfer Ground systems are vulnerable and need such tools Betser, Erlinger, et al GSAW

19 Acronyms IETF Internet Engineering Task Force IDWG Intrusion Detection Working Group IAP Intrusion Alert Protocol BEEP Blocks Extensible Exchange Protocol IDXP Intrusion Detection exchange Protocol TLS Transport Layer Security Betser, Erlinger, et al GSAW

20 Questions/Comments?

21 Acknowledgements Aerospace Alan Foonberg Dave Evans Ranwa Haddad IETF members Stuart Staniford Darren New Marshall Rose John C. C. White Paul Osterwald Betser, Erlinger, et al GSAW