Snort mailing list archives

Re: [Openvpn-users] Anyone know how to detect OpenVPN traffic?


From: Jason Haar <Jason.Haar () trimble co nz>
Date: Sat, 20 Nov 2004 12:42:18 +1300

Michael Scheidell wrote:

> > Seriously - I think this sort of thing is happening more and more. We don't allow P2P - and our IDS could always pick it. Then along came Skype - changes port numbers at random, and encrypts traffic. But we managed to come up with a Snort rule for that too. Now it appears we have met the "perfect" implementation that can't be detected. Now I expect to see more and more of them.
>
> I think there might be any number of us who would do it for a price...
>
> It's all ones and zeros. There has to be a way.
>
> Just not an easy (e.g. free) way.

I don't think any product - commercial or otherwise - could detect such things - if they are implemented correctly.

Most commercial "VPN" products available either don't work on our network (firewalled), or generate alerts from our IDS network. OpenVPN is the first thing I've tried that worked out-of-the-box and got under the radar (well done :-).

Only policy stands between it and open access. And if you have a policy, you at least need to be able to monitor to prove your policy is enforced. And I can't even detect OpenVPN.

The only way I can think of to detect something specifically written to remain hidden would be by traffic analysis techniques - looking for long-term HTTPS sessions/etc. Trouble is, 99% of sites cannot justify (money, time, administration, personnel) changing their network usage patterns in order to make such techniques actually practical. (i.e. if your network allows almost any type of traffic internally [like ours - we write network services amongst other things], then how can you define what is "known" traffic and therefore what isn't?). We certainly run our proxies as "allow all sites except those we don't" - compared with firewall "block everything except that we allow". To flip the proxy security principle would be impossible: we have 2500 employees in a variety of roles - how do you define what sites they're allowed to go to? Who decides? And how to manage the allowed sites list - it'd change on a minutely basis?!?!? Gah. Maybe sites (i.e. those not in the software dev industry) can define their Internet access totally via whitelists - I know we can't.

Fun, fun, fun. That's why I like this work :-)

This discussion isn't leading anywhere - but I'm enjoying it. That's why I keep CC'ing the Snort IDS list. Like myself, they are interested in knowing about everything on their networks (we're twisted like that) - and OpenVPN appears "unknowable".

Jason
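The traffic-analysis approach Jason sketches above (flagging long-term HTTPS-looking sessions rather than matching packet content) can be tried on flow data. The script below is an added illustration written for this archive page; it is not code from the original thread, from Jason, or from the Snort or OpenVPN projects. It assumes a constructed, space-separated flow record format (`src_ip dst_ip dst_port duration_seconds bytes_out bytes_in`), and the thresholds, sample addresses and record contents are all made up for the example. It flags a source/destination pair on port 443 either when a single session runs unusually long or when the pair keeps reconnecting and accumulates a lot of session time and bytes, which is how a tunnel that re-establishes itself tends to look; an allowlist of known long-session destinations (mail, chat, update servers) is the knob that keeps the false-positive rate workable on a permissive network like the one described.

```python
"""Flag long-lived or persistently reconnecting HTTPS-port sessions as
candidate covert tunnels.

Added example, not from the original mailing-list post.  Assumes a
constructed flow record format (one flow per line):
    src_ip dst_ip dst_port duration_seconds bytes_out bytes_in
All thresholds below are example values, not recommendations.
"""
from collections import defaultdict

# Constructed sample records (not real traffic).  The .77 host holds one
# two-hour session; the .31 host reconnects repeatedly to the same peer.
SAMPLE_FLOWS = """\
10.1.2.10 203.0.113.5 443 12 8200 140000
10.1.2.10 203.0.113.6 443 45 20000 900000
10.1.2.77 198.51.100.9 443 7300 48000000 51000000
10.1.2.77 198.51.100.9 443 3610 20500000 19900000
10.1.2.31 192.0.2.20 443 1500 2100000 2300000
10.1.2.31 192.0.2.20 443 1700 2000000 2200000
10.1.2.31 192.0.2.20 443 1600 1900000 2100000
10.1.2.50 203.0.113.5 80 30 3000 60000
"""


def parse_flows(text):
    """Parse the constructed record format into a list of dicts."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dport, dur, out_b, in_b = line.split()
        flows.append({
            "src": src, "dst": dst, "dport": int(dport),
            "duration": int(dur),
            "bytes_out": int(out_b), "bytes_in": int(in_b),
        })
    return flows


def find_tunnel_candidates(flows, ports=(443,), min_session_s=3600,
                           min_total_s=4000, min_bytes=1_000_000,
                           allowlist=()):
    """Return (src, dst, dport, reason) tuples for pairs that look like
    tunnels: one session longer than min_session_s, or two or more
    sessions whose combined duration exceeds min_total_s.  Either way the
    pair must also have moved at least min_bytes in total.  Destinations
    in allowlist (known long-session services) are skipped."""
    per_pair = defaultdict(lambda: {"sessions": 0, "total_s": 0,
                                    "bytes": 0, "longest_s": 0})
    for f in flows:
        if f["dport"] not in ports or f["dst"] in allowlist:
            continue
        agg = per_pair[(f["src"], f["dst"], f["dport"])]
        agg["sessions"] += 1
        agg["total_s"] += f["duration"]
        agg["bytes"] += f["bytes_out"] + f["bytes_in"]
        agg["longest_s"] = max(agg["longest_s"], f["duration"])

    hits = []
    for key, agg in sorted(per_pair.items()):
        long_single = agg["longest_s"] >= min_session_s
        persistent = agg["sessions"] >= 2 and agg["total_s"] >= min_total_s
        if (long_single or persistent) and agg["bytes"] >= min_bytes:
            reason = "long-lived session" if long_single else "persistent reconnects"
            hits.append((*key, reason))
    return hits


if __name__ == "__main__":
    for src, dst, dport, reason in find_tunnel_candidates(parse_flows(SAMPLE_FLOWS)):
        print(f"{src} -> {dst}:{dport}  {reason}")
```

Run against the sample records it reports the .77 host for its two-hour session and the .31 host for its chain of reconnects, while the short browsing flows from .10 and the port-80 flow are ignored. The caveat Jason raises still applies: this only separates "unusual" from "usual" if the site can say what usual looks like, so the thresholds and allowlist have to be tuned per network, and a tunnel that keeps sessions short and low-volume will pass under them.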



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users