Vulnerability Development mailing list archives

RE: IDS and SSL


From: "Oliver Petruzel" <opetruzel () cox rr com>
Date: Tue, 19 Mar 2002 19:54:33 -0500

Nothing short of a big road-block could monitor encrypted traffic prior
to a host;  it's just not logically possible to examine the encrypted
traffic without a big roadblock and certificate-sharing nightmare.. that
is, on the wire at least... with the exception of placing an IDS -ON- a
VPN...and that still won't help with SSL specifically, and that would
require SICK amounts of RAM/power to be anything close to efficient...
SSL PROXY/IDS system? No way... same speed/RAM/bandwidth limitations...

Sooo... what to do?

Here's what:
at the host, HIDS (hybrid/host-based) solutions can "hook" into the OS
and/or apps (such as web server app), and monitor the SSL traffic AFTER
it's passed the decryption phase during processing, and PRIOR to it
hitting the OS or app... (and, with just a little foresight: perhaps the
next generation HIDS will monitor encrypted .NET app traffic AFTER
decryption? Down the road, who knows...)  

Put it this way, if there were such a thing as a system that only did
two functions as its basis for all programs, "read" or "write", and you
could monitor those 2 functions DIRECTLY and PRIOR to their execution,
wouldn't you think THAT is the best spot to place a tool that monitors
destructive behavior?...read on...

Product Examples:
Entercept (http://www.entercept.com) = mature
HIDS/Cybervaulting/Intrusion Prevention product with some good
support... they are almost up to version 3.0, which I understand will be
very nice, a web-based console and such... As it stands, they have some
neat patented code that prevents even unknown stuff from hitting your
box (Okena does too)... Both Solaris and Windows versions are
available...even a rumored Linux port!
  
OKENA Stormwatch (http://www.okena.com) = up and comer with same concept
as Entercept, just different patents and not as mature...but still looks
like a great nextgen-HIDS-to-be.  Windows version available now, and
Solaris scheduled for Q2.

I have been a VERY big advocate of HIDS replacing NIDS for some time
now... When I pitch a new security architecture, I place HIDS at -every-
server, and perhaps one or two Snort nodes in front of critical segments
(or Dragon/NFR if bandwidth is an issue AND they have big money to
spend). Bottom line is this though:  If it were my network, I would use
those NIDS nodes ONLY as 1) forensics tools to analyze actual events on
the HIDS reports, or 2) to monitor workstation traffic... ignore the
rest.

(Ahem! folks at Entercept, Okena, roll out those workstation versions
asap please, then I will shun NIDS altogether! lol)

IMNSHO, encryption mechanisms will ultimately replace ALL traffic on a
wire (see my reference to the encrypted .NET traffic as an example...)
so NIDS will go away and be renamed (back to basics) "Traffic
Analysis/Anomaly-detection Software" appropriately... Also, I feel you
will never get to the .001 false-positive factor with a NIDS, never...
but at the host, it's a real possibility!  NOTHING compares to looking
at ALL incoming traffic decrypted!

To answer your question Zeno about Web-hosting firms:  I've seen the
Entercept rolled out in a gigantic MSP environment, and as far as I'm
concerned, ALL MSPs should offer it as part of their server standard
build...

-oliver p.
-Sr. Network Security Engineer
-Near DC...

Ps: I added focus-ids list to your destinations... it's most appropriate
there.

-----Original Message-----
From: zeno [mailto:bugtraq () cgisecurity net] 
Sent: Tuesday, March 19, 2002 1:09 PM
To: vuln-dev () securityfocus com; bugtraq () securityfocus com;
webappsec () securityfocus com
Subject: IDS and SSL

Hello,

Currently IDS products monitor for webserver or web application attacks
over http.
Do any monitor attacks over https? If so can people name a few products
that do this?
Also if any info is available how can they handle themselves on web
hosting companies?
(That's tons of math to compute)


Thanks

- zeno () cgisecurity com
-----end snippet-----
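The host-side hook Oliver describes (inspect the request after the server has decrypted it, before the application code runs), as an added example that is not from the original post or from any product named in it. It is a WSGI middleware, so it sees only plaintext handed over after TLS termination and can refuse the request before the application sees it; the rule names, the length limit and the sample requests are constructed for this illustration.

```python
import re
from typing import Callable, Iterable, List, Tuple

# Detection rules applied to the decrypted request line (constructed for illustration).
RULES = [
    ("path-traversal", re.compile(r"(^|/)\.\.(/|$)")),
    ("null-byte", re.compile(r"\x00|%00", re.IGNORECASE)),
]
MAX_TARGET_LEN = 2048  # assumed limit on path + query length

def inspect_request(environ: dict) -> List[str]:
    """Return the names of rules the plaintext request trips (empty list = clean)."""
    target = environ.get("PATH_INFO", "") + "?" + environ.get("QUERY_STRING", "")
    findings = [name for name, pat in RULES if pat.search(target)]
    if len(target) > MAX_TARGET_LEN:
        findings.append("oversized-target")
    return findings

def hids_middleware(app: Callable, alert: Callable[[str, List[str]], None]) -> Callable:
    """Wrap a WSGI app: report findings and stop the request before the app sees it."""
    def wrapped(environ: dict, start_response: Callable) -> Iterable[bytes]:
        findings = inspect_request(environ)
        if findings:
            alert(environ.get("REMOTE_ADDR", "?"), findings)
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"blocked\n"]
        return app(environ, start_response)
    return wrapped

# Constructed requests, shaped as a WSGI server hands them over after TLS termination.
SAMPLE_REQUESTS = [
    {"REMOTE_ADDR": "10.0.0.5", "PATH_INFO": "/index.html", "QUERY_STRING": "q=1"},
    {"REMOTE_ADDR": "10.0.0.6", "PATH_INFO": "/static/../../config", "QUERY_STRING": ""},
    {"REMOTE_ADDR": "10.0.0.7", "PATH_INFO": "/download", "QUERY_STRING": "file=a%00.txt"},
]

def run_demo() -> Tuple[List[str], List[Tuple[str, List[str]]]]:
    """Push the samples through the hook; return (statuses, alerts) for inspection."""
    alerts: List[Tuple[str, List[str]]] = []
    statuses: List[str] = []

    def app(environ, start_response):  # stand-in for the protected application
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"hello\n"]

    guarded = hids_middleware(app, lambda src, found: alerts.append((src, found)))
    for req in SAMPLE_REQUESTS:
        list(guarded(req, lambda status, headers: statuses.append(status)))
    return statuses, alerts
```

Because the check runs inside the server process, it pays no extra decryption cost, which is the point of the host-based placement over an SSL proxy.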

