Re: ssh and ids
From: Jason (security_at_brvenik.com)
Date: 06/22/04
- Previous message: Shafi, Shahid: "RE: Anomaly Based Network IDS"
- In reply to: Martin Roesch: "Re: ssh and ids"
- Next in thread: Peter_Schawacker_at_NAI.com: "RE: ssh and ids"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 21 Jun 2004 22:54:21 -0400 To: focus-ids@securityfocus.com
Martin Roesch wrote:
[...]
>
> I know the NAI guys just released a mod to their sensors that allow
> them to do real-time SSL decryption if you're willing to escrow the
> private crypto keys on the box (shudder). There's been talk of
> implementing the same sort of thing in Snort (ala ssldump) for a while,
> but it's never come together...
>
This is an interesting area I think deserves more conversation. I want
to toss out a few questions and hopefully someone will have first hand
experience and can elaborate.
Simply doing the escrow of the private key allows the capture of the
symmetric key but...
How many simultaneous SSL sessions can be tracked?
What are the DoS potentials to detection by forcing a constant rekey?
How is spoofing handled? If you walk the possible session id space and
attempt a connection you force every existing session to rekey and
tracking of each possible session for a period of time; this is
expensive to track.
When passive what happens if a rekey is missed?
When inline what performance impact can be imposed on the network with a
$300 SSL accelerator card and a perl script?
What ciphers are supported?
How are new ciphers handled?
What if an unsupported cipher is used?
Does it validate the trust chains? Anything in the SSL session? Time...
How does it handle client certs? It cannot possibly know the private key
for client certs too. IIRC, some servers allow client/server key
negotiation without requiring authentication.
I understand that the intent is to detect attacks over known SSL
channels but these are issues I would like to explore deeper. I do not
think it is possible to properly handle the SSL case without terminating
and watching behind the termination point and even then it does not
gracefully handle the client cert issue when authentication
is involved.
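The questions above about what an escrowed server key actually buys a passive sensor, and what happens when a rekey or resumption is missed, can be made concrete with the TLS 1.0 key schedule. The following is an added example written for this page, not code from the original post or from any of the products mentioned. It implements the RFC 2246 PRF (P_MD5 XOR P_SHA1), derives the master secret and key block the way a passive decryptor must, and models the sensor's session cache: with an RSA key exchange the escrowed private key yields the premaster secret (the RSA decryption step itself is stood in for by passing the premaster directly, since that is the only thing the key contributes); with an ephemeral Diffie-Hellman suite the premaster is never on the wire, so nothing is derived; and a resumed session whose original full handshake the sensor never saw cannot be decrypted at all. Names like PassiveTlsObserver and the sample randoms are constructed for illustration.

```python
import hmm_placeholder
```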
---------------------------------------------------------------------------
---------------------------------------------------------------------------
- Previous message: Shafi, Shahid: "RE: Anomaly Based Network IDS"
- In reply to: Martin Roesch: "Re: ssh and ids"
- Next in thread: Peter_Schawacker_at_NAI.com: "RE: ssh and ids"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|