RE: ssh and ids

From: Runion Mark A FGA DOIM WEBMASTER(ctr) (mark.runion_at_us.army.mil)
Date: 06/22/04

    To: focus-ids@securityfocus.com
    Date: Tue, 22 Jun 2004 18:32:33 -0000
    
    

    Great feedback, thanks!

    Let me extend the question a bit.

    Are there any solutions that exist that allow a network which already
    supports an SSH keyed and escrowed infrastructure to allow the IDS platforms
    access to the relative keys? This might allow the IDS to know and read all
    authorized traffic on a network while at the same time, leaving the litmus
    test of "if I can't read it, something is wrong". Does this raise any
    additional issues?

    -
    Mark Runion

    -----Original Message-----
    From: Runion Mark A FGA DOIM WEBMASTER(ctr) [mailto:mark.runion@us.army.mil]

    Sent: Friday, June 18, 2004 10:19 AM
    To: focus-ids@securityfocus.com
    Subject: ssh and ids

    Let's suppose the attacker is mildly sophisticated, and after making the
    initial assault roots the box and installs a secure backdoor or two. Is
    there any IDS capable of isolating data it cannot read, except to monitor
    authorized port usage of a system or group of systems? Not to complicate
    the question, but when the attacker is using portal gates and all
    communications traffic is encrypted in normal channels, how can an IDS
    participate? Monitoring normal traffic patterns seems a bit slow for
    detection.

    -
    Mark Runion
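    One way to turn the "if I can't read it, something is wrong" test into a concrete check, as an added example that is not part of this thread: because SSH derives each session key from a Diffie-Hellman exchange, escrowed host or user keys do not let a passive sensor decrypt the stream, so the example instead treats the escrow as an allow-list and flags SSH-looking flows that land on unregistered endpoints, present a host key other than the escrowed one, or carry opaque payload on a port the escrow knows nothing about. The escrow register, fingerprints, addresses and flow summaries are all constructed for this example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical escrow register (constructed): authorized (host, port) -> escrowed host-key fingerprint.
ESCROW = {("10.0.1.10", 22): "SHA256:hostkey-A",
          ("10.0.1.11", 22): "SHA256:hostkey-B"}

@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    banner: str      # server identification string seen at stream start, "" if none
    hostkey_fp: str  # fingerprint of the host key offered in key exchange, "" if none
    entropy: float   # mean payload entropy in bits/byte; near 8.0 reads as encrypted

def classify(flow: Flow) -> Optional[str]:
    """Return an alert name for a flow the IDS cannot account for, else None."""
    endpoint = (flow.dst, flow.dport)
    if flow.banner.startswith(("SSH-2.0", "SSH-1.99")):
        if endpoint not in ESCROW:  # SSH service nobody registered: candidate backdoor
            return f"ssh-unregistered-endpoint {flow.dst}:{flow.dport}"
        if flow.hostkey_fp != ESCROW[endpoint]:  # known endpoint, non-escrowed host key
            return f"ssh-hostkey-mismatch {flow.dst}:{flow.dport}"
        return None
    if flow.entropy >= 7.5 and endpoint not in ESCROW:
        # No SSH banner, yet the payload is opaque on a port the escrow does not cover:
        # this is the "data it cannot read" case from the question.
        return f"opaque-unregistered {flow.dst}:{flow.dport}"
    return None

def parse_flows(text: str) -> List[Flow]:
    """Parse 'src dst dport banner fp entropy' lines; '-' marks an absent field."""
    flows = []
    for line in text.strip().splitlines():
        src, dst, dport, banner, fp, ent = line.split()
        flows.append(Flow(src, dst, int(dport), "" if banner == "-" else banner,
                          "" if fp == "-" else fp, float(ent)))
    return flows

# Constructed flow summaries standing in for what a sensor would log.
SAMPLE_FLOWS = """
10.0.5.7 10.0.1.10 22   SSH-2.0-OpenSSH_3.8 SHA256:hostkey-A 7.9
10.0.5.7 10.0.1.11 22   SSH-2.0-OpenSSH_3.8 SHA256:rogue-key 7.9
10.0.5.7 10.0.1.12 2222 SSH-2.0-dropbear    SHA256:hostkey-C 7.9
10.0.5.7 10.0.1.10 80   -                   -                 3.1
10.0.5.7 10.0.1.10 4444 -                   -                 7.8
"""

def alerts(text: str = SAMPLE_FLOWS) -> List[str]:
    return [a for a in (classify(f) for f in parse_flows(text)) if a]
```

    Only the first SSH flow and the plaintext port-80 flow pass; the other three surface as alerts, which is the whole of what the allow-list can say about traffic it cannot decrypt.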

