The old question...

From: Matt Collins (matt@clues.com)
Date: 09/26/01


Date: Wed, 26 Sep 2001 12:04:37 +0100
From: Matt Collins <matt@clues.com>
To: focus-ids@securityfocus.com
Subject: The old question...
Message-ID: <20010926120437.A34635@sherlock.clues.com>

I know this one bugs a lot of people, but I'm going to ask it again
anyway.... It's sort of a hybrid audit/analysis/IDS/enforcement
issue...

I work in security for some fairly major companies and recently
we've been seeing more and more concern over the web; it's becoming
business critical to those who generate revenue, and as a result
what have previously been carefully controlled border networks are
moving towards policies that permit any outbound web traffic. This
in itself has many issues with increasing attack vectors via the
actual HTML content delivered itself, but even more unmanageable
than that risk is the use of tunneled protocols.

We're seeing more and more "freeware" or even commercial applications
delivered that tunnel application streams over HTTP POST and SSL
(CONNECT) proxy connections, amongst other mechanisms, and that's
not counting the truly covert stuff that pretends to be FTP data
and so forth.

We've got some ideas on how to address this - traffic analysis at
the firewalls and proxies, session time, data flow patterns, etc.
- but I'd like to know if anybody has already set up forums for
discussing this sort of thing and developing solutions, or perhaps
even already created the wheel (in commercial form or otherwise).

It's a real issue; very liberal multi-usage protocols such as the
HTTP specification that we pretty much have to permit through the
border at some points (whereas we can just deny most other stuff) on a
wide basis.

Any ideas? Any solutions? Any discussions or development
efforts we can contribute to?

Matt
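The traffic-analysis ideas the post lists (session time, data flow patterns at the proxy) can be tried against ordinary proxy logs before buying anything. The script below is an added example, not code from the post or from any product it mentions. It assumes Squid's native access.log layout (unix timestamp, elapsed milliseconds, client, status, bytes, method, URL) and runs three simple heuristics over a handful of constructed log lines: CONNECT to a port other than 443, a CONNECT session open far longer than a normal SSL page fetch, and a client POSTing to the same host on a near-fixed interval (the "beacon" shape of an application polling through HTTP). Thresholds and the sample lines are assumptions for illustration.

```python
"""Heuristics for spotting application streams tunnelled through a web proxy.

Added example (not from the original post). Assumes Squid native log format:
  <unix_ts> <elapsed_ms> <client> <status> <bytes> <method> <url> ...
All log lines below are constructed for illustration, not real traffic.
"""
from collections import defaultdict
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Constructed sample log: normal browsing from 10.0.0.5, a two-hour CONNECT
# from 10.0.0.7, a CONNECT to port 22 from 10.0.0.8, and 10.0.0.9 POSTing
# small blobs to the same URL every 60 seconds.
SAMPLE_LOG = """\
1001500000.000 1200 10.0.0.5 TCP_MISS/200 48211 GET http://www.example.com/index.html - DIRECT/192.0.2.10 text/html
1001500010.000 3400 10.0.0.5 TCP_MISS/200 131072 GET http://www.example.com/logo.gif - DIRECT/192.0.2.10 image/gif
1001500020.000 7200000 10.0.0.7 TCP_MISS/200 9912345 CONNECT relay.example.net:443 - DIRECT/198.51.100.7 -
1001500025.000 45000 10.0.0.8 TCP_MISS/200 80211 CONNECT shell.example.net:22 - DIRECT/198.51.100.8 -
1001500030.000 900 10.0.0.9 TCP_MISS/200 523 POST http://tunnel.example.org/cgi-bin/poll - DIRECT/203.0.113.4 application/octet-stream
1001500090.000 850 10.0.0.9 TCP_MISS/200 517 POST http://tunnel.example.org/cgi-bin/poll - DIRECT/203.0.113.4 application/octet-stream
1001500150.000 910 10.0.0.9 TCP_MISS/200 530 POST http://tunnel.example.org/cgi-bin/poll - DIRECT/203.0.113.4 application/octet-stream
1001500210.000 880 10.0.0.9 TCP_MISS/200 519 POST http://tunnel.example.org/cgi-bin/poll - DIRECT/203.0.113.4 application/octet-stream
1001500270.000 905 10.0.0.9 TCP_MISS/200 522 POST http://tunnel.example.org/cgi-bin/poll - DIRECT/203.0.113.4 application/octet-stream
1001500040.000 2100 10.0.0.5 TCP_MISS/200 1200 POST http://www.example.com/login - DIRECT/192.0.2.10 text/html
1001500400.000 1900 10.0.0.5 TCP_MISS/200 1300 POST http://www.example.com/search - DIRECT/192.0.2.10 text/html
"""


def parse_log(text):
    """Parse Squid native log lines into dicts; skip lines that are too short."""
    records = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 7:
            continue
        records.append({
            "ts": float(f[0]),
            "elapsed_s": int(f[1]) / 1000.0,   # Squid logs elapsed time in ms
            "client": f[2],
            "status": f[3],
            "bytes": int(f[4]),
            "method": f[5],
            "url": f[6],
        })
    return records


def host_port(method, url):
    """Return (host, port). CONNECT targets are 'host:port', others are full URLs."""
    if method == "CONNECT":
        host, sep, port = url.rpartition(":")
        if not sep:                        # no explicit port: assume 443
            return url, 443
        return host, int(port)
    parts = urlsplit(url)
    default = 443 if parts.scheme == "https" else 80
    return parts.hostname or "", parts.port or default


def analyse(records, max_connect_s=3600, allowed_connect_ports=(443,),
            min_beacons=4, max_jitter=0.2):
    """Apply the three heuristics; thresholds are illustrative assumptions."""
    findings = []
    posts = defaultdict(list)              # (client, host) -> POST timestamps
    for r in records:
        host, port = host_port(r["method"], r["url"])
        if r["method"] == "CONNECT":
            # CONNECT is meant for SSL; anything else is a raw TCP tunnel.
            if port not in allowed_connect_ports:
                findings.append(("connect-nonstandard-port", r["client"], host, port))
            # Session time: a page fetch lasts seconds, a tunnel lasts hours.
            if r["elapsed_s"] > max_connect_s:
                findings.append(("long-connect", r["client"], host, round(r["elapsed_s"])))
        elif r["method"] == "POST":
            posts[(r["client"], host)].append(r["ts"])
    # Data flow pattern: repeated POSTs at a near-constant interval.
    for (client, host), stamps in posts.items():
        if len(stamps) < min_beacons:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            findings.append(("post-beacon", client, host, round(avg)))
    return findings


if __name__ == "__main__":
    for finding in analyse(parse_log(SAMPLE_LOG)):
        print(*finding)
```

Each heuristic is a starting point, not a verdict: a long CONNECT can be a legitimate webmail session, and a fixed-interval POST can be a stock ticker. The value is in producing a short review list per client/host pair from logs the proxy already writes, which is the cheapest first step before looking at payload-level analysis.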