RE: Encrypted packet friendly IDS ?
From: Tom Sevy (tsevy@epx.com)
Date: 09/01/01
Message-ID: <B25211753929D411902A00508B8B066E0124CF1F@NT310PRD>
From: Tom Sevy <tsevy@epx.com>
To: focus-ids@securityfocus.com
Subject: RE: Encrypted packet friendly IDS ?
Date: Sat, 1 Sep 2001 08:55:04 -0400

Also, depending on the amount of encrypted traffic, your IDS system may
start to drop packets & miss events since it will be spending a lot of CPU
resource on the decryption process.
-----Original Message-----
From: Kurt Seifried [mailto:bugtraq@seifried.org]
Sent: Friday, August 31, 2001 9:00 PM
To: focus-ids@securityfocus.com
Subject: Re: Encrypted packet friendly IDS ?
You can either use something like an Intel or F5 load balancer, also capable
of doing the SSL/TLS encryption, thus clear text is passed to the server
(which you can merrily sniff away at). Another alternative is to install the
certificate on the sniffer and somehow have the web server pass session
info, never heard of this being done though. You could also just have it do
man in the middle, but the server would be SSL (de)encrypting traffic it
doesn't need to. Since (de)encryption happens at the app layer not at the
network layer you'd need some sort of application level IDS to monitor
things (like a host IDS almost =). I know a few people kicking around ideas
on "traditional" NIDS to handle encrypted traffic, but nothing concrete yet
(i.e. shipping product).
Kurt