RE: ssh and ids

From: Omar Herrera (oherrera_at_prodigy.net.mx)
Date: 06/19/04

Date: Sat, 19 Jun 2004 15:31:12 -0600
To: focus-ids@securityfocus.com

    > -----Original Message-----
    > From: Runion Mark A FGA DOIM WEBMASTER(ctr)

    > Let's suppose the attacker is mildly sophisticated, and after making the
    > initial assault roots the box and installs a secure backdoor or two. Is
    > there any IDS capable of isolating data it cannot read, except to monitor
    > authorized port usage of a system or group of systems? Not to complicate
    > the question, but when the attacker is using portal gates and all
    > communications traffic is encrypted in normal channels how can an IDS
    > participate?

    I haven't seen a product, but I suppose there are some. It wouldn't be too
    difficult for most applications. You would need something like a
    gateway+inline+NIDS. What this thing should do is a kind of man-in-the-
    middle attack: connections to the outside would be redirected through
    and trapped by this device; then this device would answer, spoofing the
    real destination, and forward all traffic through a new encrypted
    connection to the original destination.

    So, for someone connecting from your internal network to the outside,
    this client will actually connect to the IDS box; there the IDS will act
    as the SSH server, extract the data, analyze it and encrypt it again
    with another SSH connection until reaching the final destination.

    From outside to inside would be more or less the same, although some
    protocols might need some adjustments to work appropriately, for
    example, for SSL you might need to put the digital certificate on this
    box, rather than on your web server.

    > Monitoring normal traffic patterns seems a bit slow for
    > detection.

    What makes this slow is the memory needed to keep all traffic and
    statistics and search through it all. However, the search process should
    be faster, for there would be fewer patterns to look at and the query
    would be less complicated than looking for certain strings within
    packets.

    The approach that I mention would probably be much slower. Actually, it
    would be no good having all this in place if, after all, the signatures
    you look for while traffic is decrypted do not match any predefined
    signature. You see, merely verifying authorized port usage has some
    important advantages after all (if you know exactly which ports are
    allowed to be used and which are not).

    Regards,

    Omar Herrera
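As an added example (not code from the original thread or its authors), a check for the "authorized port usage" approach the reply ends on: observed flows are compared against a per-host list of authorized destination ports in each direction, which is what remains checkable when payloads are encrypted. The internal address range, the policy table and the sample flow records are assumed and constructed for the illustration.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")  # assumed internal address space
Flow = namedtuple("Flow", "src dst dport")  # one observed connection

# Policy table (constructed): per host group, the destination ports that are
# authorized in each direction. The first entry matching the host wins.
POLICY = [
    (ip_network("10.0.5.10/32"), "inbound", {22, 443}),    # assumed bastion/web host
    (ip_network("10.0.0.0/8"), "inbound", set()),           # no other inbound service
    (ip_network("10.0.0.0/8"), "outbound", {22, 80, 443}),  # ssh and web out only
]

def direction(flow):
    # Which side of the perimeter each endpoint sits on decides the direction.
    s, d = ip_address(flow.src) in INTERNAL, ip_address(flow.dst) in INTERNAL
    if s != d:
        return "outbound" if s else "inbound"
    return "internal" if s else "transit"

def allowed_ports(host, dirn):
    # Authorized destination ports for host in that direction; None if no policy.
    h = ip_address(host)
    return next((p for net, d, p in POLICY if d == dirn and h in net), None)

def audit(flows):
    """Return (flow, reason) pairs for flows that use a non-authorized port."""
    findings = []
    for f in flows:
        dirn = direction(f)
        if dirn not in ("inbound", "outbound"):
            continue  # this policy only covers traffic crossing the perimeter
        host = f.dst if dirn == "inbound" else f.src  # the internal endpoint
        ports = allowed_ports(host, dirn)
        if ports is None:
            findings.append((f, f"no {dirn} policy for {host}"))
        elif f.dport not in ports:
            findings.append((f, f"{dirn} port {f.dport} not authorized for {host}"))
    return findings

SAMPLE_FLOWS = [  # constructed sample records, not real traffic
    Flow("10.0.5.10", "203.0.113.7", 443),    # web host fetching updates: ok
    Flow("203.0.113.7", "10.0.5.10", 22),     # ssh into the bastion: ok
    Flow("203.0.113.7", "10.0.5.10", 2222),   # inbound to an unlisted port
    Flow("10.0.9.3", "198.51.100.4", 31337),  # outbound to an unusual port
    Flow("203.0.113.7", "10.0.9.3", 22),      # ssh into a host with no inbound service
]
```

Running `audit(SAMPLE_FLOWS)` flags the last three records, without needing to read any payload; the two expected connections pass.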
