IDS mailing list archives
RE: How to monitor encrypted connections...
From: "Srinivasa Addepalli" <srao () intoto com>
Date: Mon, 24 Sep 2007 15:48:32 -0700
Hi,

There are many protocols to obfuscate data: SSL, SSH, IPsec VPN, OpenVPN, proprietary protocols, etc. Many IPS vendors today support decryption of SSL traffic. There are two common methods used by IPS vendors:

Transparent proxy mode: A proxy in the IPS box terminates SSL connections coming from clients and makes new SSL connections to the servers. Vulnerability analysis is done on the clear traffic. In the transparent case, neither clients nor servers know of the existence of the proxy. In this mode, servers don't see client-side certificates, but this is not a big problem in the majority of cases, as clients don't use certificates to authenticate to servers. This is also more computationally intensive, as it does crypto operations twice.

Passive decryption: SSL connections are not terminated. Traffic is decrypted on the fly and vulnerability analysis is done on the clear traffic. This method works well if all cipher suites are implemented by the IPS. Note that the IPS does not play a role in cipher-suite negotiation, unlike in proxy mode. If there is a mismatch between the cipher suites supported by the IPS and the negotiated suites, then some traffic might pass through without vulnerability inspection. Many vendors using this method don't support SSL connections using a DH shared secret. It may be due to technical limitations of this method, but I am not completely sure.

Note that many IPS vendors support these methods for local servers only. Administrators are expected to configure the IPS with the private keys of local servers.

Hope it helps.

Thanks
Srini

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Jean-Pierre FORCIOLI
Sent: Wednesday, September 19, 2007 10:23 AM
To: focus-ids () securityfocus com
Subject: How to monitor encrypted connections...

Hi,

Still working on my IDS/IPS project... When browsing some IDS/IPS vendors' datasheets, I noticed that some of them claimed being able to monitor encrypted traffic. Could someone provide me with some insight on what is currently possible (and already implemented) and what are the eventual limitations?

Best regards.

------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more.
------------------------------------------------------------------------
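The reason passive decryption works for RSA key transport but not for DH suites, and why a transparent proxy works for both, can be shown with a toy model of the two handshakes. The following is an added example written for this archive page, not code from the message above or from any IPS vendor. It uses deliberately tiny parameters (a toy RSA key built from two small primes, a toy DH group on the Mersenne prime 2^127-1, SHA-256 in place of the TLS PRF) and the function names rsa_handshake, dhe_handshake, passive_ips and transparent_proxy are assumptions for the illustration. The passive tap holds the server's private exponent D, as an administrator would configure on the IPS, and nothing else.

```python
"""Toy model of SSL/TLS key exchange as seen by a passive IPS that holds the
server's RSA private key.  Constructed for illustration only: toy-sized RSA,
toy DH group, SHA-256 standing in for the TLS PRF.  Not real TLS."""
import hashlib
import secrets
from typing import Optional

# --- toy server RSA key: two fixed small primes (hopelessly weak, toy only) ---
P, Q = 1000000007, 998244353
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))        # this is what the IPS is configured with

# --- toy DH group: Mersenne prime 2^127-1 with generator 3 (toy only) ---
DH_P = 2 ** 127 - 1
DH_G = 3


def rsa_encrypt(m: int) -> int:
    return pow(m, E, N)


def rsa_decrypt(c: int) -> int:
    return pow(c, D, N)


def rsa_sign(data: bytes) -> int:
    h = int.from_bytes(hashlib.sha256(data).digest(), "big") % N
    return pow(h, D, N)


def rsa_verify(data: bytes, sig: int) -> bool:
    h = int.from_bytes(hashlib.sha256(data).digest(), "big") % N
    return pow(sig, E, N) == h


def session_key(premaster: int, client_random: bytes, server_random: bytes) -> bytes:
    """Stand-in for the TLS PRF: key = H(premaster || client_random || server_random)."""
    return hashlib.sha256(premaster.to_bytes(32, "big") + client_random + server_random).digest()


def rsa_handshake(premaster: int, client_random: bytes, server_random: bytes) -> dict:
    """RSA key transport: the client picks the premaster secret and sends it
    encrypted to the server's public key.  The secret itself crosses the wire."""
    encrypted = rsa_encrypt(premaster)
    wire = {"client_random": client_random, "server_random": server_random,
            "encrypted_premaster": encrypted}          # what a tap can see
    server_key = session_key(rsa_decrypt(encrypted), client_random, server_random)
    client_key = session_key(premaster, client_random, server_random)
    assert server_key == client_key
    return {"wire": wire, "key": client_key}


def dhe_handshake(x: int, y: int, client_random: bytes, server_random: bytes) -> dict:
    """DHE: the server signs an ephemeral g^x, the client answers with g^y and
    both derive g^xy.  The private key only signs; x and y never leave their hosts."""
    gx = pow(DH_G, x, DH_P)
    gy = pow(DH_G, y, DH_P)
    sig = rsa_sign(client_random + server_random + gx.to_bytes(16, "big"))
    wire = {"client_random": client_random, "server_random": server_random,
            "server_dh_public": gx, "server_signature": sig, "client_dh_public": gy}
    shared = pow(gy, x, DH_P)                  # server side
    assert shared == pow(gx, y, DH_P)          # client side agrees
    return {"wire": wire, "key": session_key(shared, client_random, server_random)}


def passive_ips(wire: dict) -> Optional[bytes]:
    """Passive decryption: the IPS has D and the captured handshake but took no
    part in the negotiation.  Returns the session key, or None if it cannot."""
    if "encrypted_premaster" in wire:
        pms = rsa_decrypt(wire["encrypted_premaster"])
        return session_key(pms, wire["client_random"], wire["server_random"])
    # DHE: D lets the tap verify the server's signature, nothing more.  The
    # premaster is g^xy and neither exponent was ever transmitted.
    signed = (wire["client_random"] + wire["server_random"]
              + wire["server_dh_public"].to_bytes(16, "big"))
    assert rsa_verify(signed, wire["server_signature"])
    return None


def transparent_proxy(client_y: int, proxy_x: int, proxy_y: int, server_x: int,
                      client_random: bytes, server_random: bytes) -> dict:
    """Transparent proxy mode: the proxy terminates the client's DHE handshake
    with its own ephemeral exponent (signing with D here for brevity; a real
    proxy signs with a key the clients have been told to trust) and opens a
    second DHE handshake to the real server.  Two handshakes, two keys, and the
    proxy holds both, whatever cipher suite either side negotiated."""
    client_leg = dhe_handshake(proxy_x, client_y, client_random, server_random)
    server_leg = dhe_handshake(server_x, proxy_y, client_random, server_random)
    return {"client_side_key": client_leg["key"], "server_side_key": server_leg["key"]}


if __name__ == "__main__":
    cr, sr = secrets.token_bytes(32), secrets.token_bytes(32)
    rsa = rsa_handshake(secrets.randbelow(N), cr, sr)
    print("RSA key transport, passive IPS recovers the key:", passive_ips(rsa["wire"]) == rsa["key"])
    dhe = dhe_handshake(secrets.randbelow(DH_P), secrets.randbelow(DH_P), cr, sr)
    print("DHE, passive IPS recovers the key:", passive_ips(dhe["wire"]) is not None)
```

The RSA case decrypts because the premaster secret is on the wire under the server's public key; the DHE case does not because only signatures and public DH values are on the wire, so the private key buys the tap nothing but authentication of the server. The proxy sidesteps this by being a party to both handshakes, which is also why it pays for the crypto twice and why its own certificate, not the server's, is what clients see.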
Current thread:
- How to monitor encrypted connections... Jean-Pierre FORCIOLI (Sep 20)
- RE: How to monitor encrypted connections... Ofer Shezaf (Sep 24)
- RE: How to monitor encrypted connections... Leonardo Cavallari Militelli (Sep 25)
- RE: How to monitor encrypted connections... Ofer Shezaf (Sep 27)
- RE: How to monitor encrypted connections... Leonardo Cavallari Militelli (Sep 27)
- RE: How to monitor encrypted connections... Leonardo Cavallari Militelli (Sep 25)
- RE: How to monitor encrypted connections... Ofer Shezaf (Sep 24)
- RE: How to monitor encrypted connections... Srinivasa Addepalli (Sep 25)
- <Possible follow-ups>
- Re: How to monitor encrypted connections... proneetb (Sep 24)
- Re: How to monitor encrypted connections... abhicc285 (Sep 24)
- Re: How to monitor encrypted connections... Stefano Zanero (Sep 25)
- RE: How to monitor encrypted connections... Kevin Overcash (Sep 25)