Re: SSL - Man-in-the-Middle filtering

["David Williams" <dwilliamsd () gmail com>]

I know this is a bit late, but I recently saw a webcast on this
specific subject from a new player called Netronome Systems.  They
claim to work with any IDS/IPS on the market, and to do it
transparently (not sure what that means).  More interestingly, they're
claiming performance speeds at over a gigabit per second, doing it on
the x86 architecture still (I've seen BlueCoat's and Palo Alto's
pricing.  I haven't gotten pricing from Netronome, but I'm hoping it's
cheaper than theres).  I'd rather not have a two box solution, but
when I looked at some of the IPS players who claim to be able to do
the SSL decryption in a single box, they all say that it takes their
performance to their knees.   The sales engineer I talked to mentioned
that I could bundle snort onto their appliance if I really wanted a
single box solution, but I'm not using snort for IPS.  Might be
interested in it for IDS though.

If they ever send me an eval unit, I'll post my results here.

-dave

On Wed, Dec 12, 2007 at 2:42 PM, Joseph Jenkins
<maillist () breathe-underwater com> wrote:
> You could also look into the Palo Alto appliance.  They allow you to
>  decrypt the traffic and then look inside to see what is going on.
>  After that you can then based on policy allow or disallow the traffic
>  to go on.
>
>
> On Dec 11, 2007, at 3:45 PM, Tremaine Lea wrote:
>
>  > More accurately, it will warn the user if their *browser* doesn't
>  > trust the CA.  SSL solutions like Bluecoat are used pretty widely to
>  > allow network administrators/security groups/compliance groups
>  > visibility into that traffic.  Typically where SSL is being
>  > intercepted and re-signed by the appliance, a GPO push is down of
>  > the new CA to ensure users aren't constantly getting certificate
>  > warnings.
>  >
>  > On the policy side of things, clearly users need to be advised of
>  > the company policy and sign off on it - which should be true for all
>  > monitoring regardless of whether it's encrypted or not.
>  >
>  > As a side note, once you've decrypted the SSL like this it's pretty
>  > trivial to check the type of traffic and deny someone who's trying
>  > to tunnel ;)
>  >
>  > Cheers,
>  >
>  > ---
>  > Tremaine Lea
>  > Network Security Consultant
>  > Intrepid ACL
>  > "Paranoia for hire"
>  >
>  >
>  >
>  > On 11-Dec-07, at 10:28 AM, Scalcione.David wrote:
>  >
>  >>> is there any standard mechanism (in SSL standard or in HTTP
>  >>> standard)
>  >>> to send actual CA certificate to the browser by forward proxies?
>  >>
>  >> I think that would defeat the whole purpose of SSL. The whole point
>  >> of SSL is to warn the user if they don't trust the CA. Users would
>  >> need to manually install that CA cert before that kind of IPS
>  >> system would work. Otherwise they'd get a security warning every
>  >> time they access an SSL connection. If it WERE possible to make the
>  >> browser display a prompt to install the CA cert, the IPS device
>  >> would not know if the user ever installed it and would prompt them
>  >> to install it every time they opened an SSL connection. Also,
>  >> remember, any protocol can travel through SSL. It's not always a
>  >> browser as the SSL client, could be email, VPN, etc.
>  >>
>  >>
>  >> Dave
>  >>
>  >> -----Original Message-----
>  >> From: listbounce () securityfocus com [mailto:listbounce () securityfocus com
>  >> ] On
>  >> Behalf Of Ravi Chunduru
>  >> Sent: 08 December 2007 18:33
>  >> To: focus-ids () securityfocus com
>  >> Subject: SSL - Man-in-the-Middle filtering
>  >>
>  >> it seems that some network IPS devices and application firewalls are
>  >> not only providing SSL based HTTP inspection on server side, but also
>  >> on client side (i know  of one IPS device which is in beta testing).
>  >> i understand that it is required as attacks can be sent in SSL to
>  >> avoid blocking.
>  >>
>  >> when deployed on client side, these devices resign certificates (of
>  >> public servers) with local CA certificate. i see two aspects to it -
>  >> users need to trust local authority (enterprise administrators) and
>  >> second is users will have  false sense of security (that is users are
>  >> no longer see the actual CA of server certificate).
>  >>
>  >> any comments on acceptance of this functionality in enterprise
>  >> deployments?
>  >>
>  >> is there any standard mechanism (in SSL standard or in HTTP standard)
>  >> to send actual CA certificate to the browser by forward proxies?
>  >>
>  >> thanks
>  >> Ravi
>  >>
>  >> ------------------------------------------------------------------------
>  >> Test Your IDS
>  >>
>  >> Is your IDS deployed correctly?
>  >> Find out quickly and easily by testing it
>  >> with real-world attacks from CORE IMPACT.
>  >> Go to
>  >> http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=in
>  >> tro_sfw
>  >> to learn more.
>  >> ------------------------------------------------------------------------
>  >>
>  >>
>  >>
>  >> ------------------------------------------------------------------------
>  >> Test Your IDS
>  >>
>  >> Is your IDS deployed correctly?
>  >> Find out quickly and easily by testing it
>  >> with real-world attacks from CORE IMPACT.
>  >> Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
>  >> to learn more.
>  >> ------------------------------------------------------------------------
>  >>
>  >> The information contained in this communication is confidential and
>  >> privileged information intended only for the use of the individual
>  >> or entity to which it is addressed. If you are not the addressee
>  >> indicated in this message (or an agent responsible for delivery of
>  >> the message to such person), you are hereby notified that you have
>  >> received this communication in error and that any review,
>  >> dissemination, copying, or any action or omission taken by you in
>  >> reliance on it, is strictly prohibited. Please destroy this message
>  >> and notify the sender immediately if you have received it in error.
>  >> Please also advise immediately if you or your employer do not
>  >> consent to e-mail communications. Opinions, conclusions and other
>  >> information in this message that do not relate to the official
>  >> business of Yardville National Bank shall be understood as neither
>  >> given nor endorsed by it.
>  >>
>  >> ------------------------------------------------------------------------
>  >> Test Your IDS
>  >>
>  >> Is your IDS deployed correctly?
>  >> Find out quickly and easily by testing it
>  >> with real-world attacks from CORE IMPACT.
>  >> Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
>  >> to learn more.
>  >> ------------------------------------------------------------------------
>  >>
>  >
>  >
>  > ------------------------------------------------------------------------
>  > Test Your IDS
>  >
>  > Is your IDS deployed correctly?
>  > Find out quickly and easily by testing itwith real-world attacks
>
>
> > from CORE IMPACT.
>  > Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfwto
>  >  learn more.
>  > ------------------------------------------------------------------------
>  >
>
>
>  ------------------------------------------------------------------------
>  Test Your IDS
>
>  Is your IDS deployed correctly?
>  Find out quickly and easily by testing it
>  with real-world attacks from CORE IMPACT.
>  Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
>  to learn more.
>  ------------------------------------------------------------------------

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw 
to learn more.
------------------------------------------------------------------------