RE: Firewall or IDS

From: Rocky Stefano (rstefano@echelonsystems.com)
Date: 03/19/02


From: "Rocky Stefano" <rstefano@echelonsystems.com>
To: "Michael Vallejo" <mvallejo@innovativemerchant.com>, "Tony Deacon" <td@workzone.co.uk>, <jonathan@stdnet.com>
Date: Tue, 19 Mar 2002 14:02:34 -0500

I DOUBT IT. How can a vendor state that they can break an SSL encrypted
channel in order to detect if an attack is being propagated through it or
not. If that was the case then ecommerce would be dead right now.

Yes they can detect certain SSL exploits and weaknesses but they nor anyone
else can READ an already established and encrypted channel.

At that point you need a good host based intrusion agent on your web server
or host in question.

-----Original Message-----
From: Michael Vallejo [mailto:mvallejo@innovativemerchant.com]
Sent: Tuesday, March 19, 2002 1:39 PM
To: 'Rocky Stefano'; Tony Deacon; jonathan@stdnet.com
Cc: focus-ms@securityfocus.com
Subject: RE: Firewall or IDS

Hello

        I just had a meeting with Cisco and they say that they do read the
SSL traffic with their IDS systems Also they say that their IDS system
closes ports when the problem comes up.

Is this true

Thanks

-----Original Message-----
From: Rocky Stefano [mailto:rstefano@echelonsystems.com]
Sent: Tuesday, March 19, 2002 8:45 AM
To: Tony Deacon; jonathan@stdnet.com
Cc: focus-ms@securityfocus.com
Subject: RE: Firewall or IDS

Tony,

Most if not all IDS's cannot really look at SSL streams for attacks
propagated through them because the channel is encrypted.

-----Original Message-----
From: Tony Deacon [mailto:td@workzone.co.uk]
Sent: Tuesday, March 19, 2002 4:15 AM
To: jonathan@stdnet.com
Cc: focus-ms@securityfocus.com
Subject: Firewall or IDS

Jonathan,
Your comment:

(As part of my "day job" I've successfully hacked several networks
running
a firewall which restricted traffic to HTTP and ran IDS
software...secure
port 443 is usually more than enough to get in, and the IDS systems
rarely
flag me...all tests performed with permission of course!)

makes me nervous as I admin a firewall at a third party to protect our
servers.
Where these attacks recognised ones, special or a port 443
vulnerability?
Is there anything I need to read up on here?

--
Tony Deacon

********************************************************************** This email and any files transmitted with it are confidential and intended solely for the person or entity to whom they are addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon this information by persons or entities other than the intended recipient is prohibited. If you have received this email in error please contact the sender and delete the material from any computer.

Innovative Merchant Solutions <www.InnovativeMerchant.com> IMSLD Tag **********************************************************************



Relevant Pages

  • Re: Changes in IDS Companies?
    ... >> There's also the option of using a non-inline style IDS, ... >> firewall rules anyways, ... > 3) Many attacks are internal. ... come from the internet. ...
    (Focus-IDS)
  • Re: IDS on Switched Networks
    ... connecting a network IDS to it would be fine. ... Higher state of alert you know what attacks you are ... If your firewall has NAT turned on, ...
    (Focus-IDS)
  • Re: Firewall or IDS
    ... You can actually use IPSec on Win2K to do the same thing - plus you can ... PIX firewall will not be ... >> able to defend against application layer attacks like Code Red. ... A network IDS won't be able to defend against Code-Red-like attacks as soon ...
    (Focus-Microsoft)
  • RE: amount of alarms generated by IDS
    ... Obviously to manage, control, and mitigate these types of attacks it is ... "They used to read the 3000ppm water monitor with a magnifying glass." ... amount of alarms generated by IDS ... The comparison is more appropriately made as a firewall with the ability ...
    (Focus-IDS)
  • Re: Any personal Intrusion Detection Systems
    ... BlackIce is actually an IDS that happens to be able to block using ... it's own IP filter (some people would call this a firewall). ... carriers of such attacks like UNicode and double decode style attacks. ...
    (comp.security.firewalls)