Re: SSL & IDS

[Ed Padin <epadin () WAGWEB COM>]

I don't know of any IDS systems that can decode SSL traffic on the fly. An
IDS just a smarter network sniffer. SSL and other encrypted protocols are
used to prevent network sniffers from gleaning any information from network
traffic. If there was an IDS that could read SSL traffic then SSL would be a
joke.

Then only way I could think of using an IDS to monitor SSL connections is to
use a dedicated SSL wrapper that would establish the SSL session and then
forward the plain text protocol to another server. The IDS can then monitor
the traffic as it leaves the SSL wrapper. This can all take place inside a
physically and logically secured DMZ (well, as secure as you can make it,
anyway.)



> -----Original Message-----
> From: Roelof Temmingh [mailto:roelof () SENSEPOST COM]
> Sent: Thursday, August 31, 2000 12:24 PM
> To: VULN-DEV () SECURITYFOCUS COM
> Subject: SSL & IDS
>
>
> All,
>
> I am working on an article-thingy, and while writing I stumbled across
> this: IDS & SSL does not work together well...wow! (this was a joke).
> Even if you put an IDS on the same platform as the webserver
> it would not
> work. How should this be addressed? Is it addressed in some
> way by the ppl on
> the IDS mailling list? I did a -=very=- quick search for SSL
> and IDS and didnt
> really get anything.
>
> I have some ideas of how one can try to solve it, but I dont
> want to barge
> into other ppl's territory.
>
> Yeah, I know .. its prolly not the best list for the discussion.
>
> Regards,
> Roelof.
>
> ------------------------------------------------------
> Roelof W Temmingh              SensePost IT security
> roelof () sensepost com                +27 83 448 6996
>               http://www.sensepost.com