Re: Bittorrent - utorrent

There's more here then just marketroid-speak, but less here then perfect
transparent visibility into your SSL traffic.

2 ways and 2 different market segments.

For outbound traffic inspection they MITM all connections, terminate your
SSL connection at the border and proxy your data within another SSL
conversation (which would send a browser warning to the client, which can
be addressed via Microsoft Active Directory GPO's to turn off all
certificate warnings).

For incoming traffic, you load the SSL Key (not the certificate, THE KEY)
of all the webservers you want to inspect on your network into the
de-SSLerizer, which can then send plain-text HTTP streams to your IDS.

Nothing can "on the fly" brute force SSL at this time. And when it can, we
will user bigger keys. How do you tell if your web servers are being
hacked if the hacker just has to use SSL to circumvent your IPS/IDS? With
the ones that you load your web server keys into, you can then use an IDS
with confidence that all HTTP headers and data are being deeply inspected.
So there's a durn fine story here for network security regarding incoming
SSL traffic, however for outbound traffic, the cost of inspection is that
your end-user's blindly click "accept" at every certificate warning they
see. IMHO that tradeoff isn't justifiable under any risk assessment
framework I've found useful.



Disclaimer: These opinions are my own and no one else's. My opinions are
neither a tacit nor an overt endorsement from my employer on any subject .
No warranty is expressed or implied.




Hari Sekhon
<hpsekhon@googlem
ail.com> To
Sent by: focus-ids@xxxxxxxxxxxxxxxxx
listbounce@securi cc
tyfocus.com
Subject
Re: Bittorrent - utorrent
03/13/2007 10:20
AM








does anyone understand how these products can inspect SSL?

Perhaps I could understand if it was just the bitorrent encypted
traffic... but surely SSL is designed to be encrypted end to end?

You'd have to intercept the certificate and replace it, prompting a
warning to the user.

The only other way I can think of would be something like a
cryptographic weakness in SSL or brute forcing it somehow, but this
seems like it would take a ridiculous amount of computing power and just
doesn't seem possible...

If SSL is truely decryptable on the fly in real-time in this way (or
even just from packet captures after some effort) it would effectively
render all e-business too dangerous to ever do again. I'd never buy
another book from Amazon ever again!

Anyone care to explain how these products are supposed to work and if
they really can decrypt SSL or if this is marketing speech for noticing
encrypted patterns which isn't the same thing?

-h


Hari Sekhon



Kevin Overcash wrote:
Breach Security has a product called BreachView SSL that passively
decrypts SSL traffic for an IDS without terminating the SSL session. The
product comes as either a software plug-in or an appliance.

http://www.breach.com/products_breachviewssl.aspI can't (although
personally I haven't encrypted bitorrent so

ko

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of Panayiotis Psihoyios
Sent: Thursday, March 08, 2007 10:01 AM
To: 'Ove Dalgård Hansen'; focus-ids@xxxxxxxxxxxxxxxxx
Subject: RE: Bittorrent - utorrent

Since it is going through SSL (and no IDS can look into SSL), you have
two
options:

Plan A: Deny SSL traffic, but that usually this is not possible,

Plan B: Let your users out through a proxy server, which will identify
non-browser traffic using http/s header inspection. Configure your
firewall
to permit HTTP/S out only from your proxy and not your clients.

Regards,
Panayiotis

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On
Behalf Of Ove Dalgard Hansen
Sent: Wednesday, March 07, 2007 9:38 PM
To: focus-ids@xxxxxxxxxxxxxxxxx
Subject: Bittorrent - utorrent

Hello Everyone,

I am in a bit of trouble,

On a network where i am configuring IDS - using ASA5510 + SSM module, we
try
to deny access to Bittorrent downloads - it consumes quite a bit of
bandwith
and is not allowed by the company's policy.
We try to filter bittorrent which succedes - but the utorrent changes
protocol and goes by the SSL port 443 and thereby circumvent the IDS,
since
its not possible to see the encrypted traffic.

Does anyone out there have a good idea of how i am to solve the issue?


Best Regards

Ove Hansen
IT-Quality A/S
Banemarksvej 50F
Denmark - 2605




------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to

http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=in

tro_sfw
to learn more.
------------------------------------------------------------------------



------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to
http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw

to learn more.
------------------------------------------------------------------------


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to
http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw

to learn more.
------------------------------------------------------------------------




------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to
http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw

to learn more.
------------------------------------------------------------------------




------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------

Relevant Pages

  • Re: Bittorrent - utorrent
    ... (bi-directional cap - no rx / tx control) ... The only other way I can think of would be something like a cryptographic weakness in SSL or brute forcing it somehow, but this seems like it would take a ridiculous amount of computing power and just doesn't seem possible... ... Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. ...
    (Focus-IDS)
  • Re: Bittorrent - utorrent
    ... The users machine automatically trusts that re- signed certificate because of these previous steps, and allows you to inspect the SSL traffic. ... Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. ...
    (Focus-IDS)
  • Re: SSL - Man-in-the-Middle filtering
    ... Typically where SSL is being intercepted and re-signed by the appliance, a GPO push is down of the new CA to ensure users aren't constantly getting certificate warnings. ... with real-world attacks from CORE IMPACT. ...
    (Focus-IDS)
  • RE: Firewall or IDS
    ... Yes they can detect certain SSL exploits and weaknesses but they nor anyone ... Subject: Firewall or IDS ... Most if not all IDS's cannot really look at SSL streams for attacks ...
    (Focus-Microsoft)
  • Fwd: Bittorrent - utorrent
    ... BreachView SSL is highly effective at ... Subject: Bittorrent - utorrent ... with real-world attacks from CORE IMPACT. ...
    (Focus-IDS)