Vulnerability Development mailing list archives

IDS&SSL - some thoughts perhaps


From: Roelof Temmingh <roelof () SENSEPOST COM>
Date: Mon, 4 Sep 2000 11:53:24 +0200

All,

Some days ago I wrote to ask your opinion on SSL and IDS. I do understand that
encryption and IDS do not fit together well - I was looking at understanding
just to solve the web problem - exploiting CGI scripts and the likes.

One solution put forward was to use an SSL front-end that strips off the SSL and
lets the IDS "sniff" on the clear requests behind the SSL proxy. In some cases
this might work. Some companies do not like traffic in the clear at all -
esp. in banking environments (non-repudiation etc.). So this is not a solution
for everyone.

Others suggested looking at the logfiles, and letting the pattern recognition
loose on it. Might work, but it seems a bit clumsy - some daemons only log
AFTER the request has been processed. There might be other ways to bypass this
method - even exploiting this method - it would probably work for some, but it's
really not elegant.

Another thought was that HIDS should solve the problem - does it? Does anyone
know of such a product?

How about sharing the encryption keys with the IDS - hmmm...dunno, first of all
the company would not like to have the keys on an IDS that might not be so
secure. It would also introduce a lot of overhead - in heavy traffic situations
the IDS might fail unless it is a beast of a machine.

One way that *might* work is to test for the patterns in the daemon itself -
let's say like a CVP-ish implementation. The server thus gets the request and
sends it to the IDS machine before the request is really served. The IDS then
replies either YES or NO. Could be implemented for IIS via the ISAPI, and
should not be that difficult with Apache.

Any thoughts?
Regards,
Roelof.

PS: I know that this does not solve the whole encryption/IDS issue.

------------------------------------------------------
Roelof W Temmingh               SensePost IT security
roelof () sensepost com         +27 83 448 6996
                http://www.sensepost.com
