RE: IDS->Encrypted->IPv6

From: Chad Harrington (
Date: 03/05/02

Date: Tue, 5 Mar 2002 13:51:11 -0800
From: "Chad Harrington" <>
To: "Kohlenberg, Toby" <>, "Dario N. Ciccarone" <>, <>, <>

To continue the thread of HIDS and encryption:

It is possible, but not common, for HIDS to view / analyze HTTPS.
As Toby mentions below, SSL (which HTTPS uses) is an application-layer
encryption protocol, so the traffic is encrypted and decrypted in the
web server application itself, not in the TCP/IP stack. Thus, most
HIDS that are doing traffic analysis are blind to HTTPS traffic. It
is possible, however, to solve the problem by plugging the HIDS into
the web server application directly. Using ISAPI plug-ins w/ IIS and
modules w/ Apache and iPlanet, a properly constructed HIDS can analyze
HTTPS traffic after it has been decrypted. This is the technique
Entercept uses, and it has proven to work very well. However, most HIDS
products that do traffic analysis are blind to HTTPS traffic, so buyers
must beware.

Chad Harrington
Entercept Security Technologies
2460 Zanker Road
San Jose, CA 95131
Voice: 408-576-5932
Fax: 408-576-5901
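
The point made above, that a sensor below layer 7 sees only ciphertext while a hook inside the web server sees the decrypted request, as an added Go example that is not from this thread or from any product named in it. It stands up an HTTPS server with Go's httptest package (which supplies its own self-signed certificate); the tapConn/tapListener wrapper, the in-application inspect hook and the traversal-style signature string are all constructed for the illustration.

```go
package main

import (
	"bytes"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
)
// signature is a constructed pattern the in-application hook flags in a decrypted request.
var signature = []byte("../../etc/passwd")
// sensor records both vantage points: wire is what a sensor below layer 7 reads from
// the TCP socket on this host; hits counts matches made by the in-application hook.
type sensor struct{ wire bytes.Buffer; hits int }
// tapConn and tapListener copy every byte the server reads from the socket into
// sensor.wire; TLS decryption happens above them, inside the web server process.
type tapConn struct{ net.Conn; s *sensor }
type tapListener struct{ net.Listener; s *sensor }
func (c tapConn) Read(p []byte) (int, error) {
	n, err := c.Conn.Read(p)
	c.s.wire.Write(p[:n])
	return n, err
}
func (l tapListener) Accept() (net.Conn, error) {
	c, err := l.Listener.Accept()
	return tapConn{c, l.s}, err // http.Server ignores the conn when err != nil
}
// inspect is the in-application hook: it runs after TLS decryption, where an ISAPI
// plug-in or Apache module would hand the decrypted request to a HIDS.
func (s *sensor) inspect(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if bytes.Contains([]byte(r.URL.RequestURI()), signature) { s.hits++ }
		next.ServeHTTP(w, r)
	})
}
// Run sends one HTTPS request carrying the signature and reports what each vantage point
// saw: wireTLS (socket bytes begin with a TLS record header, 0x16 0x03), wireMatch
// (signature visible in the socket bytes) and appHits (matches made by the hook).
func Run() (wireTLS, wireMatch bool, appHits int, err error) {
	s := &sensor{}
	srv := httptest.NewUnstartedServer(s.inspect(http.NotFoundHandler()))
	srv.Listener = tapListener{srv.Listener, s}
	srv.StartTLS() // httptest supplies its own self-signed certificate
	resp, err := srv.Client().Get(srv.URL + "/cgi-bin/../../etc/passwd")
	if err == nil { resp.Body.Close() }
	srv.Close() // waits for the connection goroutine to exit, so s is safe to read
	w := s.wire.Bytes()
	return len(w) > 2 && w[0] == 0x16 && w[1] == 0x03, bytes.Contains(w, signature), s.hits, err
}
func main() { fmt.Println(Run()) }
```

Running it prints true for the TLS record header and false for the wire match, with one hit from the hook: the same request is opaque to the socket-level view and readable only inside the server.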

-----Original Message-----
From: Kohlenberg, Toby []
Sent: Friday, March 01, 2002 1:05 PM
To: 'Dario N. Ciccarone';;
Subject: RE: IDS->Encrypted->IPv6

This is something I've been thinking a lot about - depending on which
you use, you won't necessarily get anything more from it than you would
from a NIDS. This gets into definition but for instance if you are using
a HIDS that monitors network traffic, but does so below layer 7, you may
very well miss any attacks since things like HTTPS get decrypted by the
application, not the stack.

Of course traffic analysis is still a powerful form of IDS that has its
(perhaps a growing one now?).

All opinions are my own and in no way represent the views of my


Toby Kohlenberg, CISSP, GCIA
Intel Corporate Information Security
Security Technology and Testing Team
Senior Information Security Specialist
503-264-9783 Office & Voicemail
877-497-1696 Pager
"Just because you're paranoid, doesn't mean they're not after you."

PGP Fingerprint:
92E2 E2FC BB8B 98CD 88FA 01A1 6E09 B5BA 9E84 9E70

> -----Original Message-----
> From: Dario N. Ciccarone []
> Sent: Friday, March 01, 2002 11:13 AM
> To:;
> Subject: Re: IDS->Encrypted->IPv6
> for encrypted data, use HIDS instead of NIDS (not every HIDS
> would work - check with the vendor & test it by yourself). on
> an HTTPS environment, deploy an SSL accelerator in front of
> the web farm and NIDS the traffic that comes out of the
> accelerator - security issue here, of course.
> At 12:56 3/1/2002 -0300, wrote:
> >Hi,
> >
> >The IDSs can not analyze encrypted traffic.
> >What it works on VPNs?
> >What can you say about IDS and IPv6? Have you done any tests?
> >
> >Regards,
> >Rodrigo Ramos
> =================================================================================================
> Cisco SAFE - A Security Blueprint for Enterprise Networks
> SAFE for Enterprise, SAFE for SMB and SAFE for VPNs
> =================================================================================================
> Disclaimer:
> These are my own personal opinions and not necessarily those
> of Cisco Systems.
> Sed quis custodiet ipsos custodes?
> Dario N. Ciccarone
> Cisco Systems
> Argentina, Paraguay, Uruguay y Bolivia
> Ing. Enrique Butty 240 Piso 19
> C1001ABF, Buenos Aires , Argentina
> Phone/Vmail: 54-11-4341-0203
> Fax: 54-11-4341-0149
