RE: Firewall or IDS

From: Rocky Stefano (rstefano@echelonsystems.com)
Date: 03/19/02


From: "Rocky Stefano" <rstefano@echelonsystems.com>
To: "Michael Vallejo" <mvallejo@innovativemerchant.com>, "Tony Deacon" <td@workzone.co.uk>, <jonathan@stdnet.com>
Date: Tue, 19 Mar 2002 14:02:34 -0500

I DOUBT IT. How can a vendor state that they can break an SSL-encrypted
channel in order to detect whether an attack is being propagated through it or
not? If that were the case then ecommerce would be dead right now.

Yes, they can detect certain SSL exploits and weaknesses, but neither they nor anyone
else can READ an already established and encrypted channel.

At that point you need a good host-based intrusion agent on your web server
or host in question.

-----Original Message-----
From: Michael Vallejo [mailto:mvallejo@innovativemerchant.com]
Sent: Tuesday, March 19, 2002 1:39 PM
To: 'Rocky Stefano'; Tony Deacon; jonathan@stdnet.com
Cc: focus-ms@securityfocus.com
Subject: RE: Firewall or IDS

Hello

        I just had a meeting with Cisco and they say that they do read the
SSL traffic with their IDS systems. Also they say that their IDS system
closes ports when the problem comes up.

Is this true?

Thanks

-----Original Message-----
From: Rocky Stefano [mailto:rstefano@echelonsystems.com]
Sent: Tuesday, March 19, 2002 8:45 AM
To: Tony Deacon; jonathan@stdnet.com
Cc: focus-ms@securityfocus.com
Subject: RE: Firewall or IDS

Tony,

Most if not all IDSs cannot really look at SSL streams for attacks
propagated through them because the channel is encrypted.

-----Original Message-----
From: Tony Deacon [mailto:td@workzone.co.uk]
Sent: Tuesday, March 19, 2002 4:15 AM
To: jonathan@stdnet.com
Cc: focus-ms@securityfocus.com
Subject: Firewall or IDS

Jonathan,
Your comment:

(As part of my "day job" I've successfully hacked several networks running
a firewall which restricted traffic to HTTP and ran IDS software...secure
port 443 is usually more than enough to get in, and the IDS systems rarely
flag me...all tests performed with permission of course!)

makes me nervous as I admin a firewall at a third party to protect our
servers.
Were these attacks recognised ones, special, or a port 443 vulnerability?
Is there anything I need to read up on here?

--
Tony Deacon
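The two points Rocky makes above, that a network IDS sitting in front of the web server sees only ciphertext on port 443 and that detection therefore has to happen on the host after the web server has decrypted the request, can be shown with a small script. This is an added example, not code from anyone on the thread and not any vendor's product. It assumes a simple signature list and constructed web-server access log lines; the XOR keystream "cipher" is only a labelled stand-in for TLS record encryption, used so the script runs offline and shows why signature matching on the wire finds nothing.

```python
"""Network IDS view versus host-based view of the same HTTPS request.

Added illustration for the focus-ms thread; all data below is constructed.
"""
import hashlib
import re
from typing import Iterable

# Signatures a signature-based sensor might carry for HTTP request lines.
# Constructed for this example; a real sensor has far more and is tuned per site.
SIGNATURES = {
    "directory_traversal": re.compile(rb"\.\./|%2e%2e%2f", re.IGNORECASE),
    "shell_interpreter": re.compile(rb"cmd\.exe|/bin/sh", re.IGNORECASE),
}

# Constructed request. It is the plaintext the web server will see after TLS.
REQUEST = b"GET /cgi-bin/../../../../etc/passwd HTTP/1.0\r\nHost: shop.example\r\n\r\n"

# Constructed access log lines as the web server writes them after decryption.
ACCESS_LOG = [
    '10.0.0.5 - - [19/Mar/2002:14:01:10 -0500] "GET /index.html HTTP/1.0" 200 1043',
    '10.0.0.5 - - [19/Mar/2002:14:02:34 -0500] "GET /cgi-bin/../../../../etc/passwd HTTP/1.0" 404 279',
    '10.0.0.7 - - [19/Mar/2002:14:03:01 -0500] "POST /checkout HTTP/1.0" 302 0',
]


def toy_stream_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """Stand-in for TLS record encryption (NOT TLS, NOT a secure cipher).

    XORs the plaintext with a SHA-256 keystream so that the bytes on the wire
    carry no recognisable structure, which is all the example needs to model.
    """
    keystream = bytearray()
    counter = 0
    while len(keystream) < len(plaintext):
        keystream.extend(hashlib.sha256(key + counter.to_bytes(4, "big")).digest())
        counter += 1
    return bytes(p ^ k for p, k in zip(plaintext, keystream))


def network_sensor(wire_bytes: bytes) -> list[str]:
    """What a network IDS can do: match signatures over the bytes it captures."""
    return [name for name, pat in SIGNATURES.items() if pat.search(wire_bytes)]


def host_agent(log_lines: Iterable[str]) -> list[tuple[int, str]]:
    """What a host-based agent can do: match the same signatures over the
    decrypted request URLs the web server has already logged.
    Returns (line number, signature name) pairs."""
    hits = []
    for lineno, line in enumerate(log_lines, start=1):
        for name, pat in SIGNATURES.items():
            if pat.search(line.encode()):
                hits.append((lineno, name))
    return hits


def compare_views() -> dict:
    """Run both views over the same request and return the results."""
    session_key = b"constructed-session-key"  # stands in for the TLS session secret
    on_the_wire = toy_stream_encrypt(REQUEST, session_key)
    return {
        "plain_http_sensor": network_sensor(REQUEST),       # what the IDS sees on port 80
        "https_sensor": network_sensor(on_the_wire),        # what it sees on port 443
        "host_agent": host_agent(ACCESS_LOG),               # what the host sees after TLS
    }


if __name__ == "__main__":
    for view, result in compare_views().items():
        print(f"{view:18s} -> {result}")
```

Running it shows the sensor flagging the traversal on plain HTTP, nothing at all on the encrypted bytes, and the host agent flagging the same request from the access log. The practical consequence matches the thread: either terminate TLS somewhere the sensor can see plaintext (a reverse proxy or an IDS fed the server key, which is a separate trust decision) or put the detection on the host itself.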
