RE: IDS & encryption

From: Brito, Nelson (ISS Brazil) (
Date: 10/30/03

  • Next message: X-Force: "ISS Security Alert Summary AS03-44"
    To: "Aaron Cheek" <aaron_cheek@YAHOO.COM>, <>
    Date: Wed, 29 Oct 2003 21:05:30 -0200

    Warning: My ideas represent only my own opinions, neither my Employer's
    opinions nor the company's opinions.

    > AFAIK, so far some common approaches have been:
    > * Using HIDS to complement NIDS in encrypted traffic
    > situations.

    This is the most used in the market.

    > * Placing the encryption keys in the IDS (any known
    > products that do that??).

    I don't know if any IDS company does that thing, especially because it'll consume
    average resources that could be used by analysis instead of the decryption process. The
    HIDS solution works, almost all the time, with the data that was already decrypted
    by the OS (layer 3) or the application (layer 5).

    > * Using a "clear-text DMZ" between 2 VPN firewalls for
    > VPN traffic.

    That's used for non-critical cases. It's a 1:1 case.

    > Any other approaches that I must know of? Can any of
    > you point to interesting references in this direction?

    Yes. The use of an all-in-one solution, where you have FW, VPN Concentrator and
    IPM (Intrusion Prevention Module) in one box.
