Vulnerability Development mailing list archives
IDS&SSL - some thoughs perhaps
From: Roelof Temmingh <roelof () SENSEPOST COM>
Date: Mon, 4 Sep 2000 11:53:24 +0200
All,

Some days ago I wrote to ask your opinion on SSL and IDS. I do understand that encryption and IDS do not fit together well - I was looking at understanding just to solve the web problem - exploiting CGI scripts and the like.

One solution put forward was to use an SSL front-end that strips off the SSL and lets the IDS "sniff" on the clear requests behind the SSL proxy. In some cases this might work. Some companies do not like traffic in the clear at all - esp. in banking environments (non-repudiation etc.). So this is not a solution for everyone.

Others suggested looking at the logfiles, and letting the pattern recognition loose on them. Might work, but it seems a bit clumsy - some daemons only log AFTER the request has been processed. There might be other ways to bypass this method - even exploiting this method - it would prolly work for some, but it's really not elegant.

Another thought was that HIDS should solve the problem - does it? Does anyone know of such a product?

How about sharing the encryption keys with the IDS - hmmm...dunno, first of all the company would not like to have the keys on an IDS that might not be so secure. It would also introduce a lot of overhead - in heavy traffic situations the IDS might fail unless it is a beast of a machine.

One way that *might* work is to test for the patterns in the daemon itself - let's say like a CVP-ish implementation. The server thus gets the request and sends it to the IDS-machine before the request is really served. The IDS then replies either YES or NO. Could be implemented for IIS via the ISAPI, and should not be that difficult with Apache.

Any thoughts?

Regards,
Roelof.

PS: I know that this does not solve the whole encryption/IDS issue.

------------------------------------------------------
Roelof W Temmingh
SensePost IT security
roelof () sensepost com
+27 83 448 6996
http://www.sensepost.com
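The verdict-before-serving idea from the post above, as an added example that is not part of the original message: a Python WSGI middleware stands in for the ISAPI/Apache hook, `ids_verdict` is a hypothetical local stand-in for the remote IDS machine, the signatures are constructed samples, and failing closed when the IDS cannot answer is an assumption.

```python
import re
from urllib.parse import unquote

# Constructed sample signatures (illustrative only, not a real IDS rule set).
SIGNATURES = [re.compile(p, re.I) for p in (r"\.\./", r"/etc/passwd", r"\x00")]

def ids_verdict(method, path, query):
    """Hypothetical stand-in for the IDS machine: 'YES' = serve, 'NO' = block."""
    target = f"{path}?{query}"
    # Undo percent-encoding (up to 3 layers) so encoded patterns still match.
    for _ in range(3):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return "NO" if any(s.search(target) for s in SIGNATURES) else "YES"

class VerdictGate:
    """WSGI middleware: runs after SSL is stripped, before the app serves."""
    def __init__(self, app, verdict=ids_verdict):
        self.app, self.verdict = app, verdict

    def __call__(self, environ, start_response):
        try:
            answer = self.verdict(environ.get("REQUEST_METHOD", ""),
                                  environ.get("PATH_INFO", ""),
                                  environ.get("QUERY_STRING", ""))
        except Exception:
            answer = "NO"  # assumption: fail closed if the IDS cannot answer
        if answer != "YES":
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"blocked\n"]
        return self.app(environ, start_response)

def demo_app(environ, start_response):
    """Constructed application that the gate protects."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"served\n"]

def run(path, query="", verdict=ids_verdict):
    """Drive the gate with a constructed request; return (status, body)."""
    seen = {}
    def start_response(status, headers):
        seen["status"] = status
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "QUERY_STRING": query}
    body = b"".join(VerdictGate(demo_app, verdict)(environ, start_response))
    return seen["status"], body
```

Because the check sits inside the server process, the keys never leave the web server, but every request now waits on the verdict, so the timeout and failure policy of that call decides availability.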