IDS mailing list archives

Re: ssh and ids


From: Jason <security () brvenik com>
Date: Mon, 21 Jun 2004 22:54:21 -0400



Martin Roesch wrote:

> [...]
>
> I know the NAI guys just released a mod to their sensors that allow them to do real-time SSL decryption if you're willing to escrow the private crypto keys on the box (shudder). There's been talk of implementing the same sort of thing in Snort (a la ssldump) for a while, but it's never come together...


This is an interesting area I think deserves more conversation. I want to toss out a few questions and hopefully someone will have first hand experience and can elaborate.

Simply doing the escrow of the private key allows the capture of the symmetric key but...

How many simultaneous SSL sessions can be tracked?

What are the DoS potentials to detection by forcing a constant rekey?

How is spoofing handled? If you walk the possible session id space and attempt a connection, you force every existing session to rekey and the tracking of each possible session for a period of time; this is expensive to track.

When passive what happens if a rekey is missed?

When inline, what performance impact can be imposed on the network with a $300 SSL accelerator card and a perl script?

What ciphers are supported?

How are new ciphers handled?

What if an unsupported cipher is used?

Does it validate the trust chains? Anything in the SSL session? Time...

How does it handle client certs? It cannot possibly know the private key for client certs too. IIRC, some servers allow client/server key negotiation without requiring authentication.

I understand that the intent is to detect attacks over known SSL channels but these are issues I would like to explore deeper. I do not think it is possible to properly handle the SSL case without terminating and watching behind the termination point, and even then it does not gracefully handle the client cert issue when authentication is involved.
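
Added example, not code from this thread or from any of the products mentioned: a stdlib-only Python model of the escrow approach being discussed. The PRF and key-block layout are the real TLS 1.2 ones (RFC 5246, AES-128-GCM sizes from RFC 5288); the handshake values are constructed, and the RSA decryption of the premaster with the escrowed key is assumed to have already happened, so the sensor is simply handed the premaster. It shows why a missed renegotiation ("When passive what happens if a rekey is missed?") leaves the sensor with stale keys: every handshake derives fresh keys from fresh randoms and a fresh premaster, so the sensor has to track the per-session state for every one of them.

```python
import hashlib
import hmac
import secrets

def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 from RFC 5246 section 5: HMAC chain expanded to `length` bytes."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()           # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]

def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF: P_SHA256(secret, label + seed)."""
    return p_sha256(secret, label + seed, length)

def session_keys(premaster: bytes, client_random: bytes, server_random: bytes) -> dict:
    """Master secret and AES-128-GCM key block (RFC 5246 6.3, RFC 5288) for one handshake.
    Both endpoints, and a sensor that knows the premaster, compute exactly these bytes."""
    master = tls12_prf(premaster, b"master secret", client_random + server_random, 48)
    # key_block is seeded with server_random + client_random (reversed order, per RFC 5246)
    kb = tls12_prf(master, b"key expansion", server_random + client_random, 40)
    return {"master": master, "client_key": kb[:16], "server_key": kb[16:32],
            "client_iv": kb[32:36], "server_iv": kb[36:40]}

def endpoint_handshake() -> tuple:
    """Constructed RSA-key-exchange handshake: wire-visible randoms plus the premaster the
    client sent encrypted to the server's public key. Returns (captured, endpoint_keys)."""
    cr, sr = secrets.token_bytes(32), secrets.token_bytes(32)
    pms = b"\x03\x03" + secrets.token_bytes(46)  # RFC 5246 7.4.7.1 premaster layout
    captured = {"client_random": cr, "server_random": sr, "premaster": pms}
    return captured, session_keys(pms, cr, sr)

def sensor_keys(captured: dict) -> dict:
    """Passive sensor holding the escrowed private key: the RSA decryption of the premaster
    is assumed done (simulated), so it derives keys from the captured handshake values."""
    return session_keys(captured["premaster"], captured["client_random"], captured["server_random"])

def missed_rekey_demo() -> tuple:
    """Sensor captures handshake 1, then misses a renegotiation (handshake 2).
    Returns (matches_before_rekey, matches_after_rekey): (True, False)."""
    cap1, keys1 = endpoint_handshake()
    _cap2, keys2 = endpoint_handshake()  # renegotiation: fresh randoms and fresh premaster
    sensor = sensor_keys(cap1)
    return sensor == keys1, sensor == keys2

if __name__ == "__main__":
    print("keys match before rekey, after rekey:", missed_rekey_demo())
```

The 48-byte master secret plus the two randoms is the minimum a passive sensor must keep per session (and per resumed session id) to stay in sync, which is where the tracking cost in the questions above comes from.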

