Vulnerability Development mailing list archives
RE: IDS and SSL
From: "Oliver Petruzel" <opetruzel () cox rr com>
Date: Tue, 19 Mar 2002 19:54:33 -0500
Nothing short of a big road-block could monitor encrypted traffic prior to a host; it's just not logically possible to examine the encrypted traffic without a big roadblock and certificate-sharing nightmare... that is, on the wire at least... with the exception of placing an IDS -ON- a VPN... and that still won't help with SSL specifically, and that would require SICK amounts of RAM/power to be anything close to efficient... SSL PROXY/IDS system? No way... same speed/RAM/bandwidth limitations...

Sooo... what to do? Here's what: at the host, HIDS (hybrid/host-based) solutions can "hook" into the OS and/or apps (such as the web server app), and monitor the SSL traffic AFTER it's passed the decryption phase during processing, and PRIOR to it hitting the OS or app... (and, with just a little foresight: perhaps the next generation HIDS will monitor encrypted .NET app traffic AFTER decryption? Down the road, who knows...)

Put it this way: if there were such a thing as a system that only did two functions as its basis for all programs, "read" or "write", and you could monitor those 2 functions DIRECTLY and PRIOR to their execution, wouldn't you think THAT is the best spot to place a tool that monitors destructive behavior? ...read on...

Product Examples:

Entercept (http://www.entercept.com) = mature HIDS/Cybervaulting/Intrusion Prevention product with some good support... they are almost up to version 3.0, which I understand will be very nice, a web-based console and such... As it stands, they have some neat patented code that prevents even unknown stuff from hitting your box (Okena does too)... Both Solaris and Windows versions are available... even a rumored Linux port!

OKENA Stormwatch (http://www.okena.com) = up-and-comer with the same concept as Entercept, just different patents and not as mature... but still looks like a great nextgen-HIDS-to-be. Windows version available now, and Solaris scheduled for Q2.

I have been a VERY big advocate of HIDS replacing NIDS for some time now... When I pitch a new security architecture, I place HIDS at -every- server, and perhaps one or two Snort nodes in front of critical segments (or Dragon/NFR if bandwidth is an issue AND they have big money to spend). Bottom line is this though: if it were my network, I would use those NIDS nodes ONLY as 1) forensics tools to analyze actual events on the HIDS reports, or 2) to monitor workstation traffic... ignore the rest. (Ahem! Folks at Entercept, Okena, roll out those workstation versions ASAP please, then I will shun NIDS altogether! lol)

IMNSHO, encryption mechanisms will ultimately replace ALL traffic on a wire (see my reference to the encrypted .NET traffic as an example...) so NIDS will go away and be renamed (back to basics) "Traffic Analysis/Anomaly-detection Software" appropriately... Also, I feel you will never get to the .001 false-positive factor with a NIDS, never... but at the host, it's a real possibility! NOTHING compares to looking at ALL incoming traffic decrypted!

To answer your question, Zeno, about web-hosting firms: I've seen Entercept rolled out in a gigantic MSP environment, and as far as I'm concerned, ALL MSPs should offer it as part of their server standard build...

-oliver p.
-Sr. Network Security Engineer
-Near DC...

PS: I added the focus-ids list to your destinations... it's most appropriate there.

-----Original Message-----
From: zeno [mailto:bugtraq () cgisecurity net]
Sent: Tuesday, March 19, 2002 1:09 PM
To: vuln-dev () securityfocus com; bugtraq () securityfocus com; webappsec () securityfocus com
Subject: IDS and SSL

Hello,

Currently IDS products monitor for webserver or web application attacks over http. Do any monitor attacks over https? If so, can people name a few products that do this? Also, if any info is available, how can they handle themselves on web hosting companies? (That's tons of math to compute)

Thanks
- zeno () cgisecurity com

-----end snippit-----
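As an added illustration of the "inspect after decryption, before the app" placement the post argues for (example code written for this archive page, not from the post, Entercept or Okena): a small WSGI middleware that runs detection rules on each request after the web server has already terminated TLS, in detect-only (IDS) or blocking (IPS) mode. The `HostInspector` class, the rule set and the two sample requests are all constructed for the demo.

```python
"""Inspect an HTTPS request at the host, after the server has stripped TLS."""
import logging
import re
log = logging.getLogger("host-inspector")
# Constructed rule set for the demo; a real HIDS ships a far larger, tuned one.
RULES = [
    ("path-traversal", re.compile(r"(\.\./|%2e%2e%2f)", re.I)),
    ("sqli-probe", re.compile(r"('|%27)\s*(or|and)\s+\d+\s*=\s*\d+", re.I)),
]

def find_matches(text):
    """Return the names of every rule that fires on the decrypted text."""
    return [name for name, rx in RULES if rx.search(text)]

class HostInspector:
    """WSGI middleware: inspect each request before the wrapped app sees it."""
    def __init__(self, app, block=False):
        self.app = app
        self.block = block  # False = detect only (IDS), True = prevent (IPS)
        self.alerts = []    # (client, scheme, rule names) per hit

    def __call__(self, environ, start_response):
        # By the time WSGI runs, the server (or a TLS terminator in front of it)
        # has decrypted the connection, so path and query are plaintext here
        # even though wsgi.url_scheme is "https"; a wire sniffer saw only TLS.
        target = environ.get("PATH_INFO", "") + "?" + environ.get("QUERY_STRING", "")
        hits = find_matches(target)
        if hits:
            client = environ.get("REMOTE_ADDR", "?")
            self.alerts.append((client, environ.get("wsgi.url_scheme", "http"), hits))
            log.warning("%s %s matched %s", client, target, hits)
            if self.block:
                start_response("403 Forbidden", [("Content-Type", "text/plain")])
                return [b"blocked\n"]
        return self.app(environ, start_response)

def demo_app(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello\n"]

def run_demo(block=True):
    """Push two constructed HTTPS requests through; return (statuses, alerts)."""
    inspector = HostInspector(demo_app, block=block)
    statuses = []
    for path, query in [("/index.html", "page=1"), ("/download", "file=../../etc/passwd")]:
        environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "QUERY_STRING": query,
                   "wsgi.url_scheme": "https", "REMOTE_ADDR": "203.0.113.7"}
        b"".join(inspector(environ, lambda status, headers: statuses.append(status)))
    return statuses, inspector.alerts
```

The same rules run over the TLS records on the wire would match nothing, which is the whole point of the host-side placement.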
Current thread:
- Re: IDS and SSL Gabriel Lawrence (Mar 20)
- RE: IDS and SSL Oliver Petruzel (Mar 20)
- Re: IDS and SSL pgiacomi (Mar 21)
- Re: IDS and SSL Thor (Mar 21)
- <Possible follow-ups>
- RE: IDS and SSL Oliver Petruzel (Mar 20)
- RE: IDS and SSL Jason Lewis (Mar 21)
- RE: IDS and SSL Dom De Vitto (Mar 22)
- Re: IDS and SSL Jon (Mar 23)
- RE: IDS and SSL Bojan Zdrnja (Mar 24)
- RE: IDS and SSL Dom De Vitto (Mar 24)
- RE: IDS and SSL Jason Lewis (Mar 24)
- RE: IDS and SSL Jason Lewis (Mar 21)
- Re: IDS and SSL Florian Weimer (Mar 25)