Re: Bittorrent - utorrent

[Tremaine Lea <focus-ids () ddiction com>]

You actually has it right, it intercepts and re-signs the  
certificate.  The way you prevent this generating a warning to the  
user is by creating a CA for your domain and ensuring all machines  
have this set as a trusted CA.  If you are using something like  
Bluecoat, you then intercept and re-sign the certs with that CA or a  
subsidiary of the CA.  The users machine automatically trusts that re- 
signed certificate because of these previous steps, and allows you to  
inspect the SSL traffic.

Cheers,

Tremaine Lea
Network Security Consultant


On 13-Mar-07, at 9:20 AM, Hari Sekhon wrote:

> does anyone understand how these products can inspect SSL?
>
> Perhaps I could understand if it was just the bitorrent encypted  
> traffic... but surely SSL is designed to be encrypted end to end?
>
> You'd have to intercept the certificate and replace it, prompting a  
> warning to the user.
>
> The only other way I can think of would be something like a  
> cryptographic weakness in SSL or brute forcing it somehow, but this  
> seems like it would take a ridiculous amount of computing power and  
> just doesn't seem possible...
>
> If SSL is truely decryptable on the fly in real-time in this way  
> (or even just from packet captures after some effort) it would  
> effectively render all e-business too dangerous to ever do again.  
> I'd never buy another book from Amazon ever again!
>
> Anyone care to explain how these products are supposed to work and  
> if they really can decrypt SSL or if this is marketing speech for  
> noticing encrypted patterns which isn't the same thing?
>
> -h
>
> Hari Sekhon
>
>
>
> Kevin Overcash wrote:
> > Breach Security has a product called BreachView SSL that passively  
> > decrypts SSL traffic for an IDS without terminating the SSL  
> > session.  The product comes as either a software plug-in or an  
> > appliance.
> > http://www.breach.com/products_breachviewssl.aspI can't  (although  
> > personally I haven't encrypted bitorrent so
> >
> > ko
> >
> > -----Original Message-----
> > From: listbounce () securityfocus com  
> > [mailto:listbounce () securityfocus com] On Behalf Of Panayiotis  
> > Psihoyios
> > Sent: Thursday, March 08, 2007 10:01 AM
> > To: 'Ove Dalgård Hansen'; focus-ids () securityfocus com
> > Subject: RE: Bittorrent - utorrent
> >
> > Since it is going through SSL (and no IDS can look into SSL), you  
> > have two
> > options:
> >
> > Plan A: Deny SSL traffic, but that usually this is not possible,
> > Plan B: Let your users out through a proxy server, which will  
> > identify
> > non-browser traffic using http/s header inspection. Configure your  
> > firewall
> > to permit HTTP/S out only from your proxy and not your clients.
> >
> > Regards,
> > Panayiotis
> >
> > -----Original Message-----
> > From: listbounce () securityfocus com  
> > [mailto:listbounce () securityfocus com] On
> > Behalf Of Ove Dalgard Hansen
> > Sent: Wednesday, March 07, 2007 9:38 PM
> > To: focus-ids () securityfocus com
> > Subject: Bittorrent - utorrent
> >
> > Hello Everyone,
> >
> > I am in a bit of trouble,
> >
> > On a network where i am configuring IDS - using ASA5510 + SSM  
> > module, we try
> > to deny access to Bittorrent downloads - it consumes quite a bit  
> > of bandwith
> > and is not allowed by the company's policy.
> > We try to filter bittorrent which succedes - but the utorrent changes
> > protocol and goes by the SSL port 443 and thereby circumvent the  
> > IDS, since
> > its not possible to see the encrypted traffic.
> > Does anyone out there have a good idea of how i am to solve the  
> > issue?
> >
> >
> > Best Regards
> >
> > Ove Hansen
> > IT-Quality A/S Banemarksvej 50F
> > Denmark - 2605
> >
> >
> >
> >
> > --------------------------------------------------------------------- 
> > ---
> > Test Your IDS
> >
> > Is your IDS deployed correctly?
> > Find out quickly and easily by testing it with real-world attacks  
> > from CORE IMPACT.
> > Go to
> > http://www.coresecurity.com/index.php5? 
> > module=Form&action=impact&campaign=in
> > tro_sfw to learn more.
> > --------------------------------------------------------------------- 
> > ---
> >
> >
> >
> > --------------------------------------------------------------------- 
> > ---
> > Test Your IDS
> >
> > Is your IDS deployed correctly?
> > Find out quickly and easily by testing it with real-world attacks  
> > from CORE IMPACT.
> > Go to http://www.coresecurity.com/index.php5? 
> > module=Form&action=impact&campaign=intro_sfw to learn more.
> > --------------------------------------------------------------------- 
> > ---
> >
> >
> > --------------------------------------------------------------------- 
> > ---
> > Test Your IDS
> >
> > Is your IDS deployed correctly?
> > Find out quickly and easily by testing it with real-world attacks  
> > from CORE IMPACT.
> > Go to http://www.coresecurity.com/index.php5? 
> > module=Form&action=impact&campaign=intro_sfw to learn more.
> > --------------------------------------------------------------------- 
> > ---
>
> ---------------------------------------------------------------------- 
> --
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it with real-world attacks  
> from CORE IMPACT.
> Go to http://www.coresecurity.com/index.php5? 
> module=Form&action=impact&campaign=intro_sfw to learn more.
> ---------------------------------------------------------------------- 
> --


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------