IDS mailing list archives

RE: How to monitor encrypted connections...


From: "Srinivasa Addepalli" <srao () intoto com>
Date: Mon, 24 Sep 2007 15:48:32 -0700


Hi,

There are many protocols to obfuscate data - SSL, SSH, IPsec VPN, OpenVPN,
proprietary protocols, etc. Many IPS vendors today support decryption of
SSL traffic.

There are two common methods used by IPS vendors:

Transparent Proxy mode:  The proxy in the IPS box terminates SSL connections coming
from clients and makes new SSL connections to the servers. Vulnerability
analysis is done on the clear traffic. In the transparent case, neither clients nor
servers know of the existence of the proxy.
In this mode, servers don't see client-side certificates. But this is not a
big problem in the majority of cases, as clients don't use certificates to
authenticate to the servers. This is also more computationally intensive, as
it does crypto operations twice.

Passive decryption:  SSL connections are not terminated. Traffic is
decrypted on the fly and vulnerability analysis is done on the clear
traffic. This method works well if all cipher suites are implemented by the IPS.
Note that the IPS does not play a role in cipher suite negotiation, unlike in proxy
mode. If there is a mismatch between the cipher suites supported by the IPS and the
negotiated suites, then some traffic might pass through without
vulnerability inspection. Many vendors using this method don't support SSL
connections using a DH shared secret. It may be due to technical limitations
of this method, but I am not completely sure.

Note that many IPS vendors support these methods for local servers only.
Administrators are expected to configure the IPS with the private keys of the local
servers.

Hope it helps.

Thanks
Srini
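As an added illustration (not part of Srini's post or any vendor's product), the following Python sketch shows how a passive decryptor could audit the coverage gap he describes: it parses the cipher suite out of a ServerHello record and classifies the connection as inspectable (RSA key exchange, where the premaster secret is sent encrypted under the server key the IPS holds) or blind (DHE/ECDHE, where that key only signs ephemeral parameters and the shared secret never crosses the wire). The cipher-suite tables are a small sample of real suite IDs, and the ServerHello records are constructed here for offline testing rather than captured.

```python
import struct

# Suites whose premaster secret travels RSA-encrypted under the server key: a passive
# decryptor holding that private key can recover the session keys.
RSA_KX_SUITES = {
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
}
# (EC)DHE suites: the server key only signs ephemeral parameters and the shared secret
# never crosses the wire, so the private key does not help a passive observer.
DH_KX_SUITES = {
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
}

def parse_server_hello(record):
    """Return (cipher_suite, session_id) from one TLS record carrying a ServerHello."""
    ctype, _ver, rlen = struct.unpack("!BHH", record[:5])
    if ctype != 0x16:                      # 0x16 = handshake content type
        raise ValueError("not a handshake record")
    body = record[5:5 + rlen]
    if body[0] != 0x02:                    # 0x02 = ServerHello handshake type
        raise ValueError("not a ServerHello")
    hs = body[4:4 + int.from_bytes(body[1:4], "big")]
    sid_len = hs[34]                       # version(2) + random(32) precede it
    pos = 35 + sid_len
    suite, = struct.unpack("!H", hs[pos:pos + 2])
    return suite, hs[35:pos]

def passive_inspection_status(record):
    """Classify a handshake as 'inspectable' or 'blind' for a passive decryptor."""
    suite, _sid = parse_server_hello(record)
    if suite in RSA_KX_SUITES:
        return "inspectable", RSA_KX_SUITES[suite]
    # Unknown suites are treated as blind too: traffic the IPS cannot decrypt
    # would otherwise pass uninspected, which is the gap Srini describes.
    return "blind", DH_KX_SUITES.get(suite, "unknown suite 0x%04x" % suite)

def build_server_hello(suite, session_id=b""):
    """Constructed sample TLS 1.0 ServerHello record (not captured traffic)."""
    hs = b"\x03\x01" + bytes(32) + bytes([len(session_id)]) + session_id
    hs += struct.pack("!H", suite) + b"\x00"          # suite + null compression
    body = b"\x02" + len(hs).to_bytes(3, "big") + hs
    return b"\x16\x03\x01" + struct.pack("!H", len(body)) + body
```

Feeding real ServerHello records from a capture into `passive_inspection_status` gives a quick count of how many sessions a key-only passive deployment would actually cover.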


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Jean-Pierre FORCIOLI
Sent: Wednesday, September 19, 2007 10:23 AM
To: focus-ids () securityfocus com
Subject: How to monitor encrypted connections...

Hi,

Still working on my IDS/IPS project...
When browsing some IDS/IPS vendors' datasheets, I noticed that some of them
claimed to be able to monitor encrypted traffic.
Could someone provide me with some insight on what is currently possible
(and already implemented) and what the eventual limitations are?

Best regards.

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to
http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------
