RE: How to monitor encrypted connections...



Jean,

On my Msc thesis I finished last year, I proposed an IDS/IPS architecture
and developed what I call Application-based sensor.
In this sense, I debugged Apache behavior and catch the requests after they
were decrypted and before they were processed by the app server.

BTW, Did you check about WAF - Web Application firewall??

Regards,

Leonardo Cavallari Militelli, MSc. / GIAC-GAWN 
Universidade de São Paulo - USP
www.lsi.usp.br/~nsrav
----------------------------------------------------------------------------
-------------------------------------------
Esta mensagem e seu conteúdo é dedicada exclusivamente para seu(s)
destinatário(s), podendo conter material confidencial. Qualquer modificação,
retransmissão, disseminação ou outro uso, assim como a tomada de qualquer
ação baseada nessas informações por pessoas não autorizadas, é estritamente
proibida. Se você recebeu esta mensagem por engano, por favor informe o
remetente e imediatamente destrua todo o material e suas cópias.




-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On
Behalf Of Ofer Shezaf
Sent: domingo, 23 de setembro de 2007 10:51
To: Jean-Pierre FORCIOLI; focus-ids@xxxxxxxxxxxxxxxxx
Subject: RE: How to monitor encrypted connections...


There are basically three ways to monitor SSL traffic:

+ Terminate at the edge of the network and connect your IDS to the
cleartext segment. While trivial, this is the most common solution. The
disadvantages are of course:
(a) Decrypting early, requiring your data to flow through part
of your network unencrypted.
(b) Need for an additional device to decrypt SSL at the edge.

+ SSL Bridge - terminate and then re-encrypt. Works only for an in-line
device and might validate non-repudiation.

+ Passively decrypt - decrypt a copy of the traffic, without actually
being part of the conversation. This one is the best add on for existing
IDS systems (*SAMELESS PLUG* we sell such an add on)

~ Ofer


Ofer Shezaf
ofers@xxxxxxxxxx, Phone:+972-9-9560036 #212, Cell: +972-54-4431119

CTO, Breach Security;
Chair, OWASP Israel;
Leader, ModSecurity Core Rule Set Project

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx
[mailto:listbounce@xxxxxxxxxxxxxxxxx] On Behalf Of Jean-Pierre
FORCIOLI
Sent: Wednesday, September 19, 2007 7:23 PM
To: focus-ids@xxxxxxxxxxxxxxxxx
Subject: How to monitor encrypted connections...

Hi,

Still working on my IDS/IPS project...
When browsing some IDS/IPS vendors' datasheets, I noticed that some of
them
claimed being able to monitor encrypted traffic.
Could someone provide me with some insight on what is currently
possible (and already
implemented) and what are the eventual limitations?

Best regards.


-----------------------------------------------------------------------
-
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to

http://www.coresecurity.com/index.php5?module=Form&action=impact&campai
gn=intro_sfw
to learn more.

-----------------------------------------------------------------------
-


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to
http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=in
tro_sfw
to learn more.
------------------------------------------------------------------------


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------