IDS mailing list archives

RE: ssh and ids


From: "Wozny, Scott (US - New York)" <swozny () deloitte com>
Date: Mon, 21 Jun 2004 10:47:41 -0400

This has long been a conundrum within the IDS world.  How can you
inspect the contents of encrypted traffic?  If you can, then your
encryption algorithm is broken and you may as well not be using
encryption.  If you can't, then there are potential attacks that you're
missing hiding within.  When I was selling IDS the stock answer we gave
was, "that's what host-based IDS is for".  Not an all-encompassing
answer, but it does lend itself to the "defense in depth" principle.  I
would suggest installing HIDS on nodes based upon likelihood of
compromise.  It's not cost-effective to do them all, but if you know the
systems on your network you should be able to figure out which are the
most interesting to hackers.  Basically the two factors to consider are
how easy the box is to get to (i.e. how close to the Internet) and how
valuable the information contained on the box is (i.e. does it contain
payroll data or trade secrets).  When choosing a HIDS solution you
should keep in mind both the power of the HIDS itself in what it can
detect AND its ability to integrate with the data produced by your
NIDS.  If you've not already purchased / developed a correlation tool
then seriously consider adding one to your SOC unless your existing
NIDS vendor has both a powerful HIDS and good correlation tools built
in.  If you don't then you're likely to go bug-eyed bouncing from
console to console.

Hope this helps...

Scott
-----Original Message-----
From: Runion Mark A FGA DOIM WEBMASTER(ctr)
[mailto:mark.runion () us army mil] 
Sent: Friday, June 18, 2004 2:19 PM
To: focus-ids () securityfocus com
Subject: ssh and ids


Let's suppose the attacker is mildly sophisticated, and after making the
initial assault roots the box and installs a secure backdoor or two.  Is
there any IDS capable of isolating data it cannot read, except to
monitor authorized port usage of a system or group of systems?  Not to
complicate the question, but when the attacker is using portal gates and
all communications traffic is encrypted in normal channels how can an
IDS participate?  Monitoring normal traffic patterns seems a bit slow
for detection.

-
Mark Runion 
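As an added illustration, not part of either message above, of the two ideas in this thread: Mark's "monitor authorized port usage" and Scott's point that the HIDS has to integrate with what the NIDS produces. The NIDS cannot read an encrypted payload, so all it contributes is the flow (source, destination host, destination port); the HIDS on the host knows which process owns each listening port. Joining the two against a per-host baseline of authorised services flags an encrypted backdoor without decrypting anything. Every host address, port, process name and record below is constructed sample data, and the two comma-separated record formats are assumptions, not any product's export.

```python
"""Correlate NIDS flow records with a HIDS listening-socket inventory.

Added example, not code from the mailing-list thread. All hosts, ports,
process names and records are constructed; the CSV layouts are assumed.
"""
from dataclasses import dataclass

# Assumed per-host baseline of authorised services: port -> expected owner.
AUTHORIZED = {
    "10.0.1.5": {22: "sshd", 443: "httpd"},
    "10.0.1.9": {22: "sshd"},
}

# Constructed NIDS flow records, one per line: src,dst,dport,bytes
NIDS_FLOWS = """\
203.0.113.7,10.0.1.5,443,18240
203.0.113.7,10.0.1.5,22,5120
198.51.100.4,10.0.1.9,22,2048
198.51.100.4,10.0.1.9,4444,9920
203.0.113.7,10.0.1.5,2222,7350
198.51.100.4,10.0.1.9,8080,60
"""

# Constructed HIDS listening-socket inventory, one per line: host,port,process
HIDS_SOCKETS = """\
10.0.1.5,22,sshd
10.0.1.5,443,httpd
10.0.1.5,2222,sshd
10.0.1.9,22,sshd
10.0.1.9,4444,nc
"""


@dataclass(frozen=True)
class Alert:
    host: str
    port: int
    process: str  # "?" when the HIDS reports no listener on that port
    src: str
    reason: str


def parse_flows(text):
    """Return (src, dst, dport, bytes) tuples from the NIDS export."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, dport, nbytes = line.split(",")
        flows.append((src, dst, int(dport), int(nbytes)))
    return flows


def parse_sockets(text):
    """Return {(host, port): process} from the HIDS socket inventory."""
    sockets = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        host, port, proc = line.split(",")
        sockets[(host, int(port))] = proc
    return sockets


def correlate(flows, sockets, authorized):
    """Flag flows whose destination port is not an authorised service
    owned by the expected process on that host."""
    alerts = []
    seen = set()
    for src, dst, dport, _ in flows:
        baseline = authorized.get(dst, {})
        proc = sockets.get((dst, dport))
        if dport in baseline and proc == baseline[dport]:
            continue  # expected service, expected owner: nothing to see
        if proc is None:
            # The NIDS saw traffic to a port the HIDS does not list as
            # listening: a scan hit, a raw socket, or a stale inventory.
            reason = "flow to port with no HIDS listener"
        elif dport not in baseline:
            # A listener outside the baseline, whether nc or a second sshd.
            reason = f"unauthorised listener {proc}"
        else:
            reason = f"port owned by {proc}, expected {baseline[dport]}"
        key = (dst, dport, src)
        if key in seen:
            continue  # one alert per (host, port, source) triple
        seen.add(key)
        alerts.append(Alert(dst, dport, proc or "?", src, reason))
    return alerts


if __name__ == "__main__":
    for a in correlate(parse_flows(NIDS_FLOWS), parse_sockets(HIDS_SOCKETS),
                       AUTHORIZED):
        print(f"{a.host}:{a.port} ({a.process}) <- {a.src}: {a.reason}")
```

The second sshd on port 2222 is the case Mark describes: the traffic is legitimate-looking SSH that the NIDS can never read, and only the host's own socket inventory reveals that the listener is not the baseline service. The third branch (a flow to a port with no listener) is worth keeping rather than discarding, since a stale HIDS inventory is itself something a SOC wants to know about.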

