IDS mailing list archives

Re: ssh and ids

From: Martin Roesch <roesch () sourcefire com>
Date: Tue, 22 Jun 2004 18:09:30 -0400

On Jun 22, 2004, at 4:31 PM, Peter_Schawacker () NAI com wrote:

Hi Marty,

Since you were kind enough to mention us :-) I thought I would offertwo

comments about what you wrote regarding SSL "key escrow" (is it really
"key escrow" when the key isn't handed to a third party?) and IDS/IPS.
First, remember that storing your web server's private key on an
external system is something that's done routinely with SSL
accelerators.  Hardware SSL accelerators are commonplace these days.

SSL accelerators typically provide algorithmic (cryptographic)acceleration only, they don't have any service ports to get into norare they performing highly complex stateful analysis of the traffic andsimulating an entire network stack. The opportunities areprobabilistically higher (significantly!) for something goingdisastrously wrong in an IDS engine are a lot higher than they are in ahardwired cryptographic MPU. I certainly wouldn't feel comfortableabout it, I can't speak for others...

Second, we fully understand that folks are often squeamish aboutsharing

keys, so great care was taken to protect the private keys on the
IntruShield appliance.  We believe we have found the best possible
strategy for mitigating private key theft risk while eliminating the
SSL/NIDS "blind spot".  Through the use of public key cryptography, we
persist the key in such a way that one would need information that is
resident only in the sensor, along with information that is resident

only in the IntruShield Manager in order to recover the key. Havingjust

one or the other will not suffice.  I won't bore the list with the
details, but our implementation is described here:

http://www.nai.com/us/_tier2/products/_media/sniffer/wp_encr_th_prot.pdf

Looks like the security of the server's private keys is dependent onthe attacker never getting access to the unencrypted copy you keep inyour sensor's RAM. Can you assure people that that scenario can neverhappen with 100% certainty? I guess it depends on what people areusing SSL for ultimately, if they want truly secure communications orif they just want to have some level of sessionintegrity/privacy/nonrepudiation for whatever purpose.

Should an attacker root your web server, how safe will your privatekeys

be?  If your IDS/IPS can't handle TCP/443 to your production web
servers, you have a blind spot where attackers can operate unseen and
unhindered.  Which is worse, copying your web servers' private keys to
your IPS to prevent a web server compromise, or being blind to attacks
against those same servers?

How about just using a host-based IPS? Seems to me that a HIPS wouldgive you better coverage in all scenarios against compromise withoutsharing your secret key off the system. After all, a shared secretisn't really a secret...

 Frankly, I can't think of a single IDS/IPS
product that is less secure than a typical web server.

Oh man, that's a blanket statement if I ever saw one. How manycommercial IDS/IPS systems have been through real 3rd party code auditswhere the results are available for inspection by 3rd parties? We'vedone analysis of some 3rd party commercial IPSes here that have beenconsiderably less secure than the a well configured web server. What'sthe track record of security for a product that's been on the marketfor ~18 months that costs so much that maybe a thousand units are outin the field?

To quote Schneier's Law: Anyone can come up with a security system soclever that he can't see its flaws. The only way to find the flaws insecurity is to disclose the system's workings and invite publicfeedback.

Security is all about trade-offs.  This is not a difficult one.

Depends on how serious you are about your crypto. I personally think aHIPS addresses the scenario you outline more appropriately than a NIPS,but that's just me.

You also alluded to the problem of covert channels.  I believe that the
best protection against covert channels is to stop the attacker before
the back door is installed.  Failing that, a host based IPS/firewall is
the last, strongest line of defense.

Sure, if your deterministic detection engine has been tuned to detectand prevent it. If your engine can't recognize things that it hasn'tbeen told to look for (or worse yet, isn't deployed in a position whereit can see the covert channel because it only has visibility into thetraffic traversing it) then you're not going to be able to do anythingabout it. The best defense for covert channels is to be able torecognize and remediate them whether or not they are the result of anattack or of an authorized insider acting contrary to site policy,regardless of how they route their traffic to the internet.


     -Marty

--
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Intelligent Security Monitoring
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org


---------------------------------------------------------------------------

---------------------------------------------------------------------------

Current thread:

Re: ssh and ids, (continued)
- - Re: ssh and ids Adam Powers (Jun 22)
  - Re: ssh and ids David W. Goodrum (Jun 22)
    - RE: ssh and ids Thierry Evangelista (Jun 23)
    - Re: ssh and ids David W. Goodrum (Jun 23)
    - Re: ssh and ids Tony Carter (Jun 24)
- RE: ssh and ids Koç.net (Jun 22)
- RE: ssh and ids Murtland, Jerry (Jun 22)
- RE: ssh and ids Runion Mark A FGA DOIM WEBMASTER(ctr) (Jun 22)
- RE: ssh and ids Peter_Schawacker (Jun 22)
  - now SSL and ids ( was Re: ssh and ids ) Jason (Jun 23)
  - Re: ssh and ids Martin Roesch (Jun 25)
- RE: ssh and ids Drew Copley (Jun 22)