IDS mailing list archives
RE: ssh and ids
From: "Wozny, Scott (US - New York)" <swozny () deloitte com>
Date: Mon, 21 Jun 2004 10:47:41 -0400
This has long been a conundrum within the IDS world. How can you inspect the contents of encrypted traffic? If you can, then your encryption algorithm is broken and you may as well not be using encryption. If you can't, then there are potential attacks that you're missing hiding within.

When I was selling IDS, the stock answer we gave was, "that's what host-based IDS is for". Not an all-encompassing answer, but it does lend itself to the "defense in depth" principle.

I would suggest installing HIDS on nodes based upon likelihood of compromise. It's not cost effective to do them all, but if you know the systems on your network you should be able to figure out which are the most interesting to hackers. Basically the two factors to consider are how easy the box is to get to (i.e. how close to the Internet) and how valuable the information contained on the box is (i.e. does it contain payroll data or trade secrets).

When choosing a HIDS solution you should keep in mind both the power of the HIDS itself in what it can detect AND its ability to integrate with the data produced by your NIDS. If you've not already purchased / developed a correlation tool then seriously consider adding one to your SOC, unless your existing NIDS vendor has both a powerful HIDS and good correlation tools built in. If you don't then you're likely to go bug-eyed bouncing from console to console.

Hope this helps...

Scott

-----Original Message-----
From: Runion Mark A FGA DOIM WEBMASTER(ctr) [mailto:mark.runion () us army mil]
Sent: Friday, June 18, 2004 2:19 PM
To: focus-ids () securityfocus com
Subject: ssh and ids

Let's suppose the attacker is mildly sophisticated, and after making the initial assault roots the box and installs a secure backdoor or two. Is there any IDS capable of isolating data it cannot read, except to monitor authorized port usage of a system or group of systems?
Not to complicate the question, but when the attacker is using portal gates and all communications traffic is encrypted in normal channels how can an IDS participate? Monitoring normal traffic patterns seems a bit slow for detection.

- Mark Runion
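The exchange above turns on two points: a NIDS cannot read inside SSH, so what it can still do is check which hosts and ports are speaking which protocols, and a HIDS on the valuable, exposed hosts plus a correlation step is what ties the two views together. The script below is an added example (not code from this thread or from any vendor mentioned in it) of that approach in miniature. The flow records, the per-host baseline of authorised listening ports, the HIDS listening-port reports and the IP addresses are all constructed for the example. The one protocol fact it relies on is real: an SSH server sends its identification string (`SSH-2.0-...`) in cleartext before any key exchange, and a TLS server's first bytes are a handshake record (`0x16 0x03 ...`), so the protocol on a port can be classified without decrypting anything.

```python
from dataclasses import dataclass


# Constructed NIDS flow record (hypothetical). "banner" is the first bytes the
# server sent back; for SSH that is the cleartext identification string.
@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    banner: bytes


# Hypothetical inventory: which ports each host is authorised to expose,
# and which protocol is expected on them.
BASELINE = {
    "10.0.0.5": {22: "ssh", 443: "tls"},
    "10.0.0.9": {80: "http", 443: "tls"},
}


def classify_banner(banner: bytes) -> str:
    """Guess the protocol from the server's first bytes, without decrypting."""
    if banner.startswith(b"SSH-"):
        return "ssh"                      # SSH identification string (cleartext)
    if len(banner) >= 3 and banner[0] == 0x16 and banner[1] == 0x03:
        return "tls"                      # TLS record: handshake (22), version 3.x
    if banner.startswith(b"HTTP/"):
        return "http"
    return "unknown"


def nids_alerts(flows):
    """Network-side checks that need no plaintext: encrypted services on ports
    the host is not supposed to expose, and protocol/port mismatches."""
    alerts = []
    for f in flows:
        proto = classify_banner(f.banner)
        expected = BASELINE.get(f.dst, {})
        if f.dport not in expected:
            alerts.append((f.dst, f.dport, "nids", f"{proto} service on unauthorised port"))
        elif proto != "unknown" and expected[f.dport] != proto:
            alerts.append((f.dst, f.dport, "nids", f"expected {expected[f.dport]}, saw {proto}"))
    return alerts


def hids_alerts(listening):
    """Host-side check: listening sockets reported by the HIDS vs. the baseline."""
    alerts = []
    for host, ports in listening.items():
        for p in sorted(ports - set(BASELINE.get(host, {}))):
            alerts.append((host, p, "hids", "unauthorised listening port"))
    return alerts


def correlate(nids, hids):
    """Join NIDS and HIDS findings on (host, port) so one console shows both."""
    merged = {}
    for host, port, sensor, msg in nids + hids:
        merged.setdefault((host, port), []).append(f"{sensor}: {msg}")
    return merged


# Constructed sample data: one normal admin SSH session, one normal TLS
# session, an sshd moved onto 443 on 10.0.0.9, and a second backdoor on 31337.
FLOWS = [
    Flow("10.0.0.50", "10.0.0.5", 22, b"SSH-2.0-OpenSSH_3.8p1\r\n"),
    Flow("10.0.0.50", "10.0.0.5", 443, b"\x16\x03\x01\x00\x4a\x02"),
    Flow("203.0.113.7", "10.0.0.9", 443, b"SSH-2.0-OpenSSH_3.8p1\r\n"),
    Flow("203.0.113.7", "10.0.0.9", 31337, b"SSH-2.0-dropbear_0.43\r\n"),
]

# Constructed HIDS reports of listening TCP ports per host.
LISTENING = {
    "10.0.0.5": {22, 443},
    "10.0.0.9": {80, 443, 31337},
}


def run():
    return correlate(nids_alerts(FLOWS), hids_alerts(LISTENING))


if __name__ == "__main__":
    for (host, port), findings in sorted(run().items()):
        print(f"{host}:{port}")
        for line in findings:
            print("   ", line)
```

Two things are worth noticing in the output. The backdoor on 31337 is seen by both sensors and the correlation step puts the two findings side by side, which is the "bouncing from console to console" problem the reply describes. The sshd parked on 443 is caught only by the NIDS banner check, because from the HIDS's point of view port 443 is authorised; the reverse also holds for a backdoor that speaks a protocol the network sensor cannot classify. And if the attacker tunnels inside a genuine TLS session on an authorised port, as the original question's "encrypted in normal channels" case describes, neither check fires, which is exactly the gap the reply says host-based detection has to cover.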
Current thread:
- Re: ssh and ids, (continued)
- Re: ssh and ids Tony Carter (Jun 22)
- Re: ssh and ids Jason (Jun 22)
- Re: ssh and ids Adam Powers (Jun 22)
- Re: ssh and ids Martin Roesch (Jun 23)
- Re: ssh and ids Christian Kreibich (Jun 24)
- Re: ssh and ids Gary Flynn (Jun 21)
- Re: ssh and ids Frank Knobbe (Jun 22)
- Re: ssh and ids Bamm Visscher (Jun 23)
- Re: ssh and ids Frank Knobbe (Jun 23)
- Re: ssh and ids Frank Knobbe (Jun 22)
- RE: ssh and ids Frank Knobbe (Jun 22)
- Re: ssh and ids Adam Powers (Jun 22)
- Re: ssh and ids David W. Goodrum (Jun 22)
- RE: ssh and ids Thierry Evangelista (Jun 23)
- Re: ssh and ids David W. Goodrum (Jun 23)
- Re: ssh and ids Tony Carter (Jun 24)