Snort mailing list archives
RE: Encrypted sessions
From: "Bob Walder" <bwalder () nss co uk>
Date: Wed, 28 Nov 2001 08:53:55 -0000
In order for any device to perform decryption it needs the private key of the end-point. If an organisation uses end-to-end (i.e. user to user) encryption, Snort would require access to EVERY private key of EVERY user in the organisation. The whole point of a PRIVATE key is hinted at by its name..... it's PRIVATE. Once a user loses control of his private key, even to a supposedly "trusted" third party, then there is no longer a case for non-repudiation - only by keeping private keys private does the PKI model work. No private key - no in-line decrypt. Sorry - you cannot have your cake and eat it in this case. The only way around this is to employ perimeter tunnel termination devices to that data is decrypted at the edge of the network and travels in clear text over the private LAN. Then Snort can have at it. Regards, Bob
-----Original Message----- From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net]On Behalf Of Erek Adams Sent: 28 November 2001 06:57 To: Abe L. Getchell Cc: 'Ronneil Camara'; snort-users () lists sourceforge net; snort-devel () lists sourceforge net Subject: RE: [Snort-users] Encrypted sessions On Wed, 28 Nov 2001, Abe L. Getchell wrote: [...snip...]What I would love to see is a crypto feature built intoSnort much likehas been built into tcpdump (compiled using './configure--with-crypto'and used at run-time using 'tcpdump -E <stuff>'), with a little more flexibility (more algorithm options, better support for theESP RFC's,etc). If the correct key or passphrase is known, it couldbe providedto Snort at run-time, traffic could be decrypted on the fly by a preprocessor, and the clear text data checked against therule set beingused.That would indeed be a kick ass pre/post processor to have!The one major drawback I see to this approach is the possibility of processor saturation. A Snort box in a high-trafficenvironment alreadyhas it's hands full checking packets against the largenumber of sigscommon in networks such as these. Chances are, it wouldn'thave manyfree proc cycles to perform such a processor intensive task as decrypting data. This feature would thus only be useful in a low-traffic environment without introducing a packet loss problem.Hrm... This brings to mind something--Sun and IBM are both sporting Crypto Accelerator cards. Intel (and 3com?) now have a crypto chip built into some ethernet cards... With the benefit of those two bits of hardware, I wonder how much saturation you would get? If the key/algorithm is known, and can have a decoder built for it, it should scream! And no, I'm not a Crypto Monkey, nor do I play one on T.V. :) ----- Erek Adams Nifty-Type-Guy TheAdamsFamily.Net _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- RE: Encrypted sessions, (continued)
- RE: Encrypted sessions Abe L. Getchell (Nov 27)
- RE: Encrypted sessions Erek Adams (Nov 27)
- RE: Encrypted sessions Abe L. Getchell (Nov 28)
- RE: Encrypted sessions Erek Adams (Nov 27)
- Re: Encrypted sessions Ralf Hildebrandt (Nov 27)
- Re: Encrypted sessions Ralf Hildebrandt (Nov 28)
- Re: Encrypted sessions Mike Shaw (Nov 27)
- RE: Encrypted sessions Michael Aylor (Nov 27)
- Re: Encrypted sessions Fyodor (Nov 27)
- Encrypted sessions Michael Scheidell (Nov 27)
- RE: Encrypted sessions Ronneil Camara (Nov 27)
- RE: Encrypted sessions Bob Walder (Nov 28)
- RE: Encrypted sessions Abe L. Getchell (Nov 28)
- RE: Encrypted sessions Tom Sevy (Nov 28)
- RE: Encrypted sessions Chris Eidem (Nov 28)
- RE: Encrypted sessions Ju Kong Fui (Nov 28)
- RE: Encrypted sessions Abe L. Getchell (Dec 03)
- RE: Encrypted sessions Ju Kong Fui (Nov 28)
- Re: Encrypted sessions Fyodor (Nov 28)
- RE: Encrypted sessions Abe L. Getchell (Nov 27)