Re: ssh and ids

From: Adam Powers (apowers_at_lancope.com)
Date: 06/19/04

    Date: Sat, 19 Jun 2004 00:29:09 -0400
    To: <focus-ids@securityfocus.com>
    
    

    There is really no one fool-proof answer to this question (that I'm aware
    of). Encryption remains the bane of network-based intrusion detection
    technologies.

    At the risk of speaking on behalf of such flow-based vendors as Arbor, Mazu,
    Q1, and (yes, my personal favorite) Lancope, I think some of the new
    behavioral traffic analysis technologies go a long way toward solving some
    of the problems presented by encryption technologies.

    <light details>
    By observing the duration of a "flow" (read: a TCP socket or series of
    related sockets) and the manner in which packets are exchanged over a "long
    duration" flow, a behavior-based system can pinpoint those connections that
    seem to be "out of the norm". During the baselining period, a behavior
    driven system observes connection attributes such as "duration" and
    "relative connectedness" to gain an understanding of the nature of the flows
    being created by a given network node. The flow-based, behavior-driven
    system should have the ability to discern between an AES gotomypc.com
    connection over TCP 443 and an automatic refresh connection to
    www.weather.com. The determination that "covert communications" are underway
    is done not through string matching or protocol anomaly but rather through
    the analysis of the flow attributes themselves (duration, packets sent/rcvd,
    pkt size, etc). Bottom line: the magic is in the algorithms used to examine
    header traffic. Header traffic is not encrypted.
    </light details>

    The #1 defining attribute of flow-analysis techniques is that they typically
    DO NOT require use of payload data to determine the presence of an attack.

    As previously mentioned, there is no fool-proof plan... Flow-based
    technologies can be tricked... It just requires a much different science
    than that used by snot, sidestep, or encrypted shell shoveling.

    - AP

    On 6/18/04 2:18 PM, "Runion Mark A FGA DOIM WEBMASTER(ctr)"
    <mark.runion@us.army.mil> wrote:

    > Let's suppose the attacker is mildly sophisticated, and after making the
    > initial assault roots the box and installs a secure backdoor or two. Is
    > there any IDS capable of isolating data it cannot read, except to monitor
    > authorized port usage of a system or group of systems? Not to complicate
    > the question, but when the attacker is using portal gates and all
    > communications traffic is encrypted in normal channels how can an IDS
    > participate? Monitoring normal traffic patterns seems a bit slow for
    > detection.
    >
    > -
    > Mark Runion
    >
    >
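The post above describes the flow-attribute approach only in outline (baseline per host, then flag flows whose duration, packet counts or packet sizes fall "out of the norm"). The following script is an added illustration of that idea, not code from the post or from any of the vendors it names: it builds a per-host baseline from header-only flow records and scores new flows by z-score. All flow records, hosts and thresholds are constructed for the example; the 10% deviation floor and the 4-sigma cut-off are arbitrary choices, not anything the post specifies.

```python
"""Toy flow-based baselining, in the spirit of the post above: every feature
comes from packet headers, so it works the same on an encrypted flow.
Constructed example; not any vendor's algorithm."""
import math
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    """One TCP flow summarised from headers only (no payload needed)."""
    src: str          # internal host that opened the connection
    dst: str          # remote peer
    dport: int        # destination port
    duration_s: float
    pkts_out: int
    pkts_in: int
    bytes_out: int
    bytes_in: int


def flow_features(f: Flow) -> dict:
    """The attribute kinds the post lists: duration, packets exchanged, packet size."""
    return {
        "duration_s": f.duration_s,
        "log_pkts": math.log1p(f.pkts_out + f.pkts_in),
        "out_in_ratio": f.pkts_out / max(1, f.pkts_in),
        "avg_pkt_out": f.bytes_out / max(1, f.pkts_out),
    }


def build_baseline(flows):
    """Per-source-host mean and standard deviation of each feature over the
    baselining period.  Returns {src: {feature: (mean, stdev)}}."""
    by_host = defaultdict(lambda: defaultdict(list))
    for f in flows:
        for name, value in flow_features(f).items():
            by_host[f.src][name].append(value)
    baseline = {}
    for host, cols in by_host.items():
        baseline[host] = {}
        for name, values in cols.items():
            m = mean(values)
            # Floor the deviation (assumed 10% of the mean) so a near-constant
            # feature does not turn every small wobble into a 10-sigma event.
            s = max(pstdev(values), 0.1 * abs(m), 1e-9)
            baseline[host][name] = (m, s)
    return baseline


def score_flow(f: Flow, baseline):
    """Largest absolute z-score of the flow's features against its host's
    baseline, with the feature that produced it.  None if the host has no baseline."""
    if f.src not in baseline:
        return None
    worst_name, worst_z = None, 0.0
    for name, value in flow_features(f).items():
        m, s = baseline[f.src][name]
        z = abs(value - m) / s
        if z > worst_z:
            worst_name, worst_z = name, z
    return worst_name, worst_z


def out_of_norm(f: Flow, baseline, threshold: float = 4.0) -> bool:
    """True when some header feature sits more than `threshold` sigma from the norm."""
    scored = score_flow(f, baseline)
    return scored is not None and scored[1] >= threshold


# Constructed baselining period: twenty short HTTPS fetches from one host.
BASELINE_FLOWS = [
    Flow("10.0.0.5", f"203.0.113.{i}", 443, 2.0 + 0.2 * i,
         12 + i, 25 + 2 * i, 1500 + 100 * i, 18000 + 500 * i)
    for i in range(20)
]
BASELINE = build_baseline(BASELINE_FLOWS)

# Constructed candidates: a periodic page refresh versus a two-hour, chatty,
# small-packet session to the same port.  Both are opaque on the wire.
REFRESH = Flow("10.0.0.5", "198.51.100.7", 443, 3.1, 18, 40, 2100, 21000)
LONG_LIVED = Flow("10.0.0.5", "192.0.2.44", 443, 7200.0, 900, 850, 72000, 68000)

if __name__ == "__main__":
    for label, f in (("refresh", REFRESH), ("long-lived", LONG_LIVED)):
        print(label, score_flow(f, BASELINE), "flagged" if out_of_norm(f, BASELINE) else "normal")
```

Both candidate flows use TCP 443, so a port-based or payload-based check sees nothing to separate them; the difference shows up only in the header-derived features, which is the point the post makes. A host with no baselining history scores as `None` rather than as normal, since "unknown" and "within the norm" are different answers.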

