RE: IDS & encryption

["Brito, Nelson (ISS Brazil)" <nbrito () iss net>]

Warning: My ideas represents only my own opinions, neither my Employer's
opinions nor the company's opinions.

> AFAIK, so far some common approaches have been:
>
> * Using HIDS to complement NIDS in encrypted traffic
> situations.

This is the most used in the market.

> * Placing the encryption keys in the IDS (any known
> products that do that??).

I don't know if any IDS company do that thing, especially because it'll consume
average resources that could be used by analysis instead of decrypt process. The
HIDS solution works, almost all time, with the data that was already decrypted
by the OS (layer 3) or the application (layer 5).

> * Using a "clear-text DMZ" between 2 VPN firewalls for
> VPN traffic.

That's used for a no-critical cases. It's an 1:1 case.

> Any other approaches that I must know of? Can any of
> you point to interesting references in this direction?

Yes. The use of an all-in-one solution, where you have FW, VPN Concentrator and
IPM (Intrusion Prevention Module) in one box.


---------------------------------------------------------------------------
Network with over 10,000 of the brightest minds in information security
at the largest, most highly-anticipated industry event of the year.
Don't miss RSA Conference 2004! Choose from over 200 class sessions and
see demos from more than 250 industry vendors. If your job touches
security, you need to be here. Learn more or register at
http://www.securityfocus.com/sponsor/RSA_focus-ids_031023 
and use priority code SF4.
---------------------------------------------------------------------------