RE: IDS->Encrypted->IPv6

From: Chad Harrington (CHarrington@entercept.com)
Date: 03/05/02


Date: Tue, 5 Mar 2002 13:51:11 -0800
From: "Chad Harrington" <CHarrington@entercept.com>
To: "Kohlenberg, Toby" <toby.kohlenberg@intel.com>, "Dario N. Ciccarone" <dciccaro@cisco.com>, <ramos@ipad.com.br>, <focus-ids@securityfocus.com>

To continue the thread of HIDS and encryption:

It is possible, but not common, for HIDS to view / analyze HTTPS
traffic.
As Toby mentions below, SSL (which HTTPS uses) is an application-layer
encryption protocol, so the traffic is encrypted and decrypted in the
web server application itself, not in the TCP/IP stack. Thus, most
HIDS that are doing traffic analysis are blind to HTTPS traffic. It
is possible, however, to solve the problem by plugging the HIDS into
the web server application directly. Using ISAPI plug-ins w/ IIS and
modules w/ Apache and iPlanet, a properly constructed HIDS can analyze
HTTPS traffic after it has been decrypted. This is the technique
Entercept uses, and it has proven to work very well. However, most HIDS
products that do traffic analysis are blind to HTTPS traffic, so buyers
must beware.

Chad Harrington
Entercept Security Technologies
2460 Zanker Road
San Jose, CA 95131
Voice: 408-576-5932
Fax: 408-576-5901
charrington@entercept.com
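The point Chad makes above (and Toby makes in the quoted message below) can be shown end to end. The following Go program is an added example, not code from the original thread or from Entercept: it starts a local HTTPS test server, taps the client's TCP connection to record what actually crosses the wire (the view a HIDS sniffing below layer 7 has), and runs a small in-server hook that stands in for an ISAPI filter or Apache module. The `probe` function, the `".."` rule and the request path are constructed for illustration.

```go
package main

import (
	"bytes"
	"context"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// tapConn copies what the client writes to the socket: the bytes on the wire,
// which is all a HIDS sniffing below layer 7 (in the TCP/IP stack) can see.
type tapConn struct {
	net.Conn
	wire *bytes.Buffer
}

func (c *tapConn) Write(p []byte) (int, error) {
	c.wire.Write(p)
	return c.Conn.Write(p)
}

// probe requests path and reports whether the URI crossed the wire in the clear.
func probe(path string, useTLS bool) (wireHit, hookHit bool, err error) {
	// The hook stands in for an ISAPI filter or Apache module: it runs inside
	// the web server after TLS decryption. The ".." match is a constructed rule.
	hook := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		hookHit = hookHit || strings.Contains(r.RequestURI, "..")
		w.WriteHeader(http.StatusOK)
	})
	srv := httptest.NewUnstartedServer(hook)
	if useTLS {
		srv.StartTLS()
	} else {
		srv.Start()
	}
	var wire bytes.Buffer
	tr := srv.Client().Transport.(*http.Transport)
	tr.DialContext = func(ctx context.Context, network, addr string) (net.Conn, error) {
		c, err := (&net.Dialer{}).DialContext(ctx, network, addr)
		if err != nil {
			return nil, err
		}
		return &tapConn{Conn: c, wire: &wire}, nil
	}
	_, err = srv.Client().Head(srv.URL + path)
	srv.Close() // waits for the handler to finish, so hookHit is settled
	return bytes.Contains(wire.Bytes(), []byte(path)), hookHit, err
}
```

With useTLS=false the request line is visible both on the wire and to the hook; with useTLS=true only the in-server hook sees it, which is exactly the blind spot a below-layer-7 HIDS has.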

-----Original Message-----
From: Kohlenberg, Toby [mailto:toby.kohlenberg@intel.com]
Sent: Friday, March 01, 2002 1:05 PM
To: 'Dario N. Ciccarone'; ramos@ipad.com.br; focus-ids@securityfocus.com
Subject: RE: IDS->Encrypted->IPv6

This is something I've been thinking a lot about - depending on which HIDS
you use, you won't necessarily get anything more from it than you would
from a NIDS. This gets into definitions, but for instance, if you are using
a HIDS that monitors network traffic, but does so below layer 7, you may
very well miss any attacks since things like HTTPS get decrypted by the
application, not the stack.

Of course traffic analysis is still a powerful form of IDS that has its
place (perhaps a growing one now?).

All opinions are my own and in no way represent the views of my
employer.

Toby

Toby Kohlenberg, CISSP, GCIA
Intel Corporate Information Security
Security Technology and Testing Team
Senior Information Security Specialist
503-264-9783 Office & Voicemail
877-497-1696 Pager
"Just because you're paranoid, doesn't mean they're not after you."

PGP Fingerprint:
92E2 E2FC BB8B 98CD 88FA 01A1 6E09 B5BA 9E84 9E70

> -----Original Message-----
> From: Dario N. Ciccarone [mailto:dciccaro@cisco.com]
> Sent: Friday, March 01, 2002 11:13 AM
> To: ramos@ipad.com.br; focus-ids@securityfocus.com
> Subject: Re: IDS->Encrypted->IPv6
>
>
> For encrypted data, use HIDS instead of NIDS (not every HIDS
> would work - check with the vendor & test it yourself). In
> an HTTPS environment, deploy an SSL accelerator in front of
> the web farm and NIDS the traffic that comes out of the
> accelerator - security issue here, of course.
>
> At 12:56 3/1/2002 -0300, ramos@ipad.com.br wrote:
> >Hi,
> >
> >IDSs cannot analyze encrypted traffic.
> >How does it work with VPNs?
> >What can you say about IDS and IPv6? Have you done any tests?
> >
> >Regards,
> >Rodrigo Ramos
>
> =================================================================================================
> Cisco SAFE - A Security Blueprint for Enterprise Networks
> SAFE for Enterprise, SAFE for SMB and SAFE for VPNs
> www.cisco.com/go/safe
> =================================================================================================
> Disclaimer:
> These are my own personal opinions and not necessarily those
> of Cisco Systems.
>
> Sed quis custodiet ipsos custodes?
>
> Dario N. Ciccarone
>
> Cisco Systems
> Argentina, Paraguay, Uruguay and Bolivia
> Ing. Enrique Butty 240 Piso 19
> C1001ABF, Buenos Aires, Argentina
> Phone/Vmail: 54-11-4341-0203
> Fax: 54-11-4341-0149
> dciccaro@cisco.com