IDS mailing list archives
RE: ssh and ids
From: "Runion Mark A FGA DOIM WEBMASTER(ctr)" <mark.runion () us army mil>
Date: Tue, 22 Jun 2004 18:32:33 -0000
Great feedback, thanks! Let me extend the question a bit. Are there any solutions that exist that allow a network which already supports an SSH keyed and escrowed infrastructure to allow the IDS platforms access to the relative keys? This might allow the IDS to know and read all authorized traffic on a network while at the same time, leaving the litmus test of "if I can't read it, something is wrong". Does this raise any additional issues?

- Mark Runion

-----Original Message-----
From: Runion Mark A FGA DOIM WEBMASTER(ctr) [mailto:mark.runion () us army mil]
Sent: Friday, June 18, 2004 10:19 AM
To: focus-ids () securityfocus com
Subject: ssh and ids

Let's suppose the attacker is mildly sophisticated, and after making the initial assault roots the box and installs a secure backdoor or two. Is there any IDS capable of isolating data it cannot read, except to monitor authorized port usage of a system or group of systems? Not to complicate the question, but when the attacker is using portal gates and all communications traffic is encrypted in normal channels how can an IDS participate? Monitoring normal traffic patterns seems a bit slow for detection.

- Mark Runion
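
The litmus test proposed in the message above ("if I can't read it, something is wrong"), as an added example that is not part of the original post: a Python sketch that flags flows whose payload looks opaque (high Shannon entropy) unless the destination is in an inventory of endpoints with escrowed SSH keys. The inventory, the addresses, the 7.0 bits/byte threshold and the flow tuple format are all assumptions made for illustration.

```python
import hashlib
import math
from collections import Counter

# Assumed inventory: (server_ip, port) pairs whose SSH keys are escrowed and
# known to the IDS. Addresses are constructed (RFC 5737 documentation range).
ESCROWED_ENDPOINTS = {("192.0.2.10", 22), ("192.0.2.11", 22)}
ENTROPY_THRESHOLD = 7.0  # bits per byte; assumed cut-off for "cannot read it"
MIN_SAMPLE = 256         # fewer bytes give an unreliable entropy estimate

def shannon_entropy(data: bytes) -> float:
    """Return the Shannon entropy of data in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())

def classify_flow(dst_ip: str, dst_port: int, payload: bytes) -> str:
    """Apply the litmus test to one flow's reassembled payload."""
    if (dst_ip, dst_port) in ESCROWED_ENDPOINTS:
        return "authorized-encrypted"  # covered by the escrowed-key inventory
    if len(payload) < MIN_SAMPLE:
        return "insufficient-data"
    if shannon_entropy(payload) >= ENTROPY_THRESHOLD:
        return "alert-unreadable"      # opaque traffic outside the inventory
    return "readable"                  # plaintext: normal signature inspection

def sample_flows():
    """Constructed flows: escrowed SSH, plaintext HTTP, opaque data, short flow."""
    # Deterministic pseudo-random bytes stand in for ciphertext (2048 bytes).
    opaque = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))
    http = b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n" * 8
    return [
        ("192.0.2.10", 22, opaque),
        ("192.0.2.20", 80, http),
        ("192.0.2.30", 40022, opaque),
        ("192.0.2.30", 40022, opaque[:64]),
    ]

if __name__ == "__main__":
    for ip, port, payload in sample_flows():
        print(f"{ip}:{port:<5} {classify_flow(ip, port, payload)}")
```

Compressed content also scores near 8 bits per byte, so an "alert-unreadable" result is a triage signal to investigate rather than proof of an encrypted backdoor.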