RE: How to monitor encrypted connections...

["Leonardo Cavallari Militelli" <leonardo () lsi usp br>]

Jean,

On my Msc thesis I finished last year, I proposed an IDS/IPS architecture
and developed what I call Application-based sensor.
In this sense, I debugged Apache behavior and catch the requests after they
were decrypted and before they were processed by the app server.

BTW, Did you check about WAF - Web Application firewall??

Regards,

Leonardo Cavallari Militelli, MSc. / GIAC-GAWN 
Universidade de São Paulo - USP
www.lsi.usp.br/~nsrav
----------------------------------------------------------------------------
-------------------------------------------
Esta mensagem e seu conteúdo é dedicada exclusivamente para seu(s)
destinatário(s), podendo conter material confidencial. Qualquer modificação,
retransmissão, disseminação ou outro uso, assim como a tomada de qualquer
ação baseada nessas informações por pessoas não autorizadas, é estritamente
proibida. Se você recebeu esta mensagem por engano, por favor informe o
remetente e imediatamente destrua todo o material e suas cópias.




-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Ofer Shezaf
Sent: domingo, 23 de setembro de 2007 10:51
To: Jean-Pierre FORCIOLI; focus-ids () securityfocus com
Subject: RE: How to monitor encrypted connections...


There are basically three ways to monitor SSL traffic:

+ Terminate at the edge of the network and connect your IDS to the
cleartext segment. While trivial, this is the most common solution. The
disadvantages are of course:
        (a) Decrypting early, requiring your data to flow through part
of your network unencrypted.
        (b) Need for an additional device to decrypt SSL at the edge.

+ SSL Bridge - terminate and then re-encrypt. Works only for an in-line
device and might validate non-repudiation.

+ Passively decrypt - decrypt a copy of the traffic, without actually
being part of the conversation. This one is the best add on for existing
IDS systems (*SAMELESS PLUG* we sell such an add on)

~ Ofer


Ofer Shezaf
ofers () breach com, Phone:+972-9-9560036 #212, Cell: +972-54-4431119

CTO, Breach Security; 
Chair, OWASP Israel; 
Leader, ModSecurity Core Rule Set Project

> -----Original Message-----
> From: listbounce () securityfocus com
> [mailto:listbounce () securityfocus com] On Behalf Of Jean-Pierre
FORCIOLI
> Sent: Wednesday, September 19, 2007 7:23 PM
> To: focus-ids () securityfocus com
> Subject: How to monitor encrypted connections...
>
> Hi,
>
> Still working on my IDS/IPS project...
> When browsing some IDS/IPS vendors' datasheets, I noticed that some of
> them
> claimed being able to monitor encrypted traffic.
> Could someone provide me with some insight on what is currently
> possible (and already
> implemented) and what are the eventual limitations?
>
> Best regards.
-----------------------------------------------------------------------
> -
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it
> with real-world attacks from CORE IMPACT.
> Go to
http://www.coresecurity.com/index.php5?module=Form&action=impact&campai
> gn=intro_sfw
> to learn more.
-----------------------------------------------------------------------
> -


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to
http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=in
tro_sfw 
to learn more.
------------------------------------------------------------------------


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------