IDS mailing list archives
RE: How to monitor encrypted connections...
From: "Ofer Shezaf" <OferS () Breach com>
Date: Sun, 23 Sep 2007 09:50:41 -0400
There are basically three ways to monitor SSL traffic:

+ Terminate at the edge of the network and connect your IDS to the cleartext segment. While trivial, this is the most common solution. The disadvantages are of course:
  (a) Decrypting early, requiring your data to flow through part of your network unencrypted.
  (b) Need for an additional device to decrypt SSL at the edge.
+ SSL Bridge - terminate and then re-encrypt. Works only for an in-line device and might validate non-repudiation.
+ Passively decrypt - decrypt a copy of the traffic, without actually being part of the conversation. This one is the best add on for existing IDS systems (*SHAMELESS PLUG* we sell such an add on)

~ Ofer

Ofer Shezaf
ofers () breach com, Phone:+972-9-9560036 #212, Cell: +972-54-4431119
CTO, Breach Security; Chair, OWASP Israel; Leader, ModSecurity Core Rule Set Project

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Jean-Pierre FORCIOLI
Sent: Wednesday, September 19, 2007 7:23 PM
To: focus-ids () securityfocus com
Subject: How to monitor encrypted connections...

Hi,

Still working on my IDS/IPS project...

When browsing some IDS/IPS vendors' datasheets, I noticed that some of them claimed being able to monitor encrypted traffic.

Could someone provide me with some insight on what is currently possible (and already implemented) and what are the eventual limitations?

Best regards.

------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more.
------------------------------------------------------------------------