RE: IDS and SSL

["Oliver Petruzel" <opetruzel () cox rr com>]

But as I stated previously, a SSL terminator or any IDS with
key-sharing, is just a big chokepoint/buttplug on a network... today's
bandwidth nearly makes these obsolete... 

./oliver


-----Original Message-----
From: Gabriel Lawrence [mailto:gabe () butterflysecurity com] 
Sent: Tuesday, March 19, 2002 11:06 PM
To: zeno
Cc: vuln-dev () securityfocus com; bugtraq () securityfocus com;
webappsec () securityfocus com
Subject: Re: IDS and SSL

There are a couple of solutions to this problem that I've seen. I don't
recall all the vendors and all the products so forgive me. But I'll give
you a dump of what I know.

First, some IDS's (and this is where I forget the vendors) allow you to
specify the private key that is used to encrypt the https data. With
this in hand, the IDS is able to eavesdrop on the communication flowing
by. Thats why its so important to keep those private keys private :-) If
other people know what they are then they can snoop in on the
communication.

Second, you can use an SSL terminator. There are many vendors who have
products that do this, some of them are simply SSL terminators and some
of them include other features such as load balancing as part of the
package. If you place the IDS on the non encrypted side of the SSL
terminator you are free to look at the HTTP traffic as it flows by as it
is all unencrypted.

-gabe


On Tue, 2002-03-19 at 10:09, zeno wrote:
> Hello,
>
> Currently IDS products monitor for webserver or web application
attacks over http.
> Do any monitor attacks over https? If so can people name a few
products that do this?
> Also if any info is availble how can they handle themselves on web
hosting companies?
> (Thats tons of math to compute)
>
>
> Thanks
>
> - zeno () cgisecurity com
>