RE: ssh and ids

["Runion Mark A FGA DOIM WEBMASTER(ctr)" <mark.runion () us army mil>]

Great feedback, thanks!   

Let me extend the question a bit.  

Are there any solutions that exist that allow a network which already
supports an SSH keyed and escrowed infrastructure to allow the IDS platforms
access to the relative keys?  This might allow the IDS to know and read all
authorized traffic on a network while at the same time, leaving the litmus
test of "if I can't read it, something is wrong".  Does this raise any
additional issues?

-
Mark Runion


-----Original Message-----
From: Runion Mark A FGA DOIM WEBMASTER(ctr) [mailto:mark.runion () us army mil]

Sent: Friday, June 18, 2004 10:19 AM
To: focus-ids () securityfocus com
Subject: ssh and ids

Lets suppose the attacker is mildly sophisticated, and after making the
initial assault roots the box and installs a secure backdoor or two.  Is
there any IDS capable of isolating data it cannot read, except to monitor
authorized port usage of a system or group of systems?  Not to complicate
the question, but when the attacker is using portal gates and all
communications traffic is encrypted in normal channels how can an IDS
participate?  Monitoring normal traffic patterns seems a bit slow for
detection.

-
Mark Runion 


---------------------------------------------------------------------------

---------------------------------------------------------------------------

---------------------------------------------------------------------------

---------------------------------------------------------------------------