Thread: How to monitor encrypted connections...

How to monitor encrypted connections...
2007-09-19 12:23:10
Hi,

Still working on my IDS/IPS project...
When browsing some IDS/IPS vendors' datasheets, I noticed that some of them claimed to be able to monitor encrypted traffic.
Could someone provide me with some insight on what is currently possible (and already implemented) and what the eventual limitations are?

Best regards.
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------

RE: How to monitor encrypted connections...
2007-09-23 08:50:41
There are basically three ways to monitor SSL traffic:

+ Terminate at the edge of the network and connect your IDS to the cleartext segment. While trivial, this is the most common solution. The disadvantages are of course:
  (a) Decrypting early, requiring your data to flow through part of your network unencrypted.
  (b) Need for an additional device to decrypt SSL at the edge.
+ SSL Bridge - terminate and then re-encrypt. Works only for an in-line device and might validate non-repudiation.
+ Passively decrypt - decrypt a copy of the traffic, without actually being part of the conversation. This one is the best add-on for existing IDS systems (*SHAMELESS PLUG* we sell such an add-on).

~ Ofer

Ofer Shezaf
ofers breach.com, Phone:+972-9-9560036 #212, Cell: +972-54-4431119
CTO, Breach Security;
Chair, OWASP Israel;
Leader, ModSecurity Core Rule Set Project
> -----Original Message-----
> From: listbounce securityfocus.com [mailto:listbounce securityfocus.com] On Behalf Of Jean-Pierre FORCIOLI
> Sent: Wednesday, September 19, 2007 7:23 PM
> To: focus-ids securityfocus.com
> Subject: How to monitor encrypted connections...

RE: How to monitor encrypted connections...
2007-09-24 13:27:40
Jean,

In my MSc thesis, which I finished last year, I proposed an IDS/IPS architecture and developed what I call an Application-based sensor.
In this sense, I debugged Apache behavior and caught the requests after they were decrypted and before they were processed by the app server.

BTW, did you check about WAF - Web Application Firewall?

Regards,

Leonardo Cavallari Militelli, MSc. / GIAC-GAWN
Universidade de São Paulo - USP
www.lsi.usp.br/~nsrav
-----Original Message-----
From: listbounce securityfocus.com [mailto:listbounce securityfocus.com] On Behalf Of Ofer Shezaf
Sent: Sunday, 23 September 2007 10:51
To: Jean-Pierre FORCIOLI; focus-ids securityfocus.com
Subject: RE: How to monitor encrypted connections...

RE: How to monitor encrypted connections...
2007-09-24 17:48:32
Hi,

There are many protocols to obfuscate data - SSL, SSH, IPsec VPN, OpenVPN, proprietary protocols etc. Many IPS vendors today support decryption of SSL traffic.

There are two common methods used by IPS vendors:

Transparent Proxy mode: A proxy in the IPS box terminates SSL connections coming from clients and makes new SSL connections to servers. Vulnerability analysis is done on the clear traffic. In the transparent case, both clients and servers don't know of the existence of the proxy servers.
In this mode, servers don't see client-side certificates. But this is not a big problem in the majority of cases, as clients don't use certificates to authenticate to the servers. This is also more computationally intensive, as it does crypto operations twice.

Passive decryption: SSL connections are not terminated. Traffic is decrypted on the fly and vulnerability analysis is done on the clear traffic. This method works well if all cipher suites are implemented by the IPS. Note that the IPS does not play a role in cipher-suite negotiation, unlike in proxy mode. If there is a mismatch between the cipher suites supported by the IPS and the negotiated suites, then some traffic might pass through without vulnerability inspection. Many vendors using this method don't support SSL connections using a DH shared secret. It may be due to technical limitations of this method, but I am not completely sure though.

Note that many IPS vendors support these methods for local servers only. Administrators are expected to configure the IPS with the private keys of local servers.

Hope it helps.

Thanks
Srini
-----Original Message-----
From: listbounce securityfocus.com [mailto:listbounce securityfocus.com] On Behalf Of Jean-Pierre FORCIOLI
Sent: Wednesday, September 19, 2007 10:23 AM
To: focus-ids securityfocus.com
Subject: How to monitor encrypted connections...
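Ofer's "passively decrypt" option and Srini's passive-decryption description both depend on the IDS being provisioned with the monitored server's own private key, and Srini notes that DH sessions are a problem for it. The toy model below is an added example, not code from the thread or from any vendor; the RSA key and DH group are constructed, far too small for real use, and the functions `rsa_handshake`, `dhe_handshake`, `passive_decryptor` and `inspection_report` are hypothetical names chosen here. It shows why a passive tap can recover an RSA-key-exchange session but has nothing to decrypt in an ephemeral-DH session, which is exactly the uninspected-traffic gap Srini warns about.

```python
import hashlib
import secrets

# Constructed toy RSA key pair (tiny primes, illustration only; real keys are 2048-bit+).
P, Q, E = 1000003, 1000033, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # server private exponent, provisioned to the IDS
# Constructed toy DH group (base 5 mod a Mersenne prime); not a safe group, illustration only.
DH_P, DH_G = 2 ** 61 - 1, 5

def session_key(premaster: int) -> str:
    """Stand-in for the TLS key derivation: both endpoints hash the same secret."""
    return hashlib.sha256(str(premaster).encode()).hexdigest()[:16]

def rsa_handshake():
    """RSA key exchange: the client sends the premaster encrypted to the server's
    public key. Returns (what a passive tap sees on the wire, the key both derive)."""
    premaster = secrets.randbelow(N)
    wire = {"kx": "RSA", "encrypted_premaster": pow(premaster, E, N)}
    return wire, session_key(premaster)

def dhe_handshake():
    """Ephemeral DH: each side sends only g^x mod p; the server key merely signs the
    share (signature omitted). The shared secret itself never crosses the wire."""
    a = secrets.randbelow(DH_P - 2) + 1  # server ephemeral secret
    b = secrets.randbelow(DH_P - 2) + 1  # client ephemeral secret
    server_share, client_share = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)
    wire = {"kx": "DHE", "server_share": server_share, "client_share": client_share}
    return wire, session_key(pow(server_share, b, DH_P))  # client computes g^(ab)

def passive_decryptor(wire, server_private_d=D):
    """A passive tap holding only the server's private key (Srini's deployment model).
    Returns the session key it can derive, or None when the session is not inspectable."""
    if wire["kx"] == "RSA":
        # The private key undoes the client's encryption, yielding the premaster.
        return session_key(pow(wire["encrypted_premaster"], server_private_d, N))
    # DHE: the private key only verifies the server's signature; recovering g^(ab)
    # from g^a and g^b would require solving the discrete log, so there is no key.
    return None

def inspection_report(handshakes):
    """Flag the visibility gap: sessions whose negotiated key exchange the tap cannot decrypt."""
    return ["inspected" if passive_decryptor(wire) == key else "uninspected"
            for wire, key in handshakes]

if __name__ == "__main__":
    print(inspection_report([rsa_handshake(), dhe_handshake()]))  # ['inspected', 'uninspected']
```

A real deployment would feed the "uninspected" count to monitoring so that a server quietly negotiating DHE suites does not silently fall out of coverage.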

RE: How to monitor encrypted connections...
2007-09-25 09:12:26
Leonardo wrote:
>
> Jean,
>
> In my MSc thesis, which I finished last year, I proposed an IDS/IPS architecture and developed what I call an Application-based sensor.
> In this sense, I debugged Apache behavior and caught the requests after they were decrypted and before they were processed by the app server.

How is it different from ModSecurity?

>
> BTW, did you check about WAF - Web Application Firewall?
>
> Regards,
>

~ Ofer

Ofer Shezaf
ofers breach.com, Phone:+972-9-9560036 #212, Cell: +972-54-4431119
CTO, Breach Security; Chair, OWASP Israel; Leader, ModSecurity Core Rule Set Project;
Leader, WASC Web Hacking Incidents Database Project

Re: How to monitor encrypted connections...
2007-09-28 10:07:45
Hi,

To capture the SSL there is a MITM technique. Suppose a client wants to communicate using SSL; then first the IDS/IPS will act as a server to the client and uses fake certificates. All the data comes to the IPS/IDS and then it communicates with the real server.
The thing which makes it work is that users don't check the authenticity of the certificates and blindly click on yes, so it works.

--
---------------------------------------
write your infosec blog on http://secgeeks.com
register here:- http://secgeeks.com/user/register
rss feeds :- http://secgeeks.com/node/feed
---------------------------------------
On 9/25/07, Leonardo Cavallari Militelli <leonardo lsi.usp.br> wrote:
> In line:
>
> > > In my MSc thesis, which I finished last year, I proposed an IDS/IPS architecture and developed what I call an Application-based sensor.
> > > In this sense, I debugged Apache behavior and caught the requests after they were decrypted and before they were processed by the app server.
> >
> > How is it different from ModSecurity?
> >
> At the time I developed my thesis, the WAF concept had just started to be discussed. I found some solutions like BreachView SSL and McAfee "IntruShield SSL Traffic Inspection and Prevention" only when I was about to present my thesis.
>
> When I studied ModSecurity, I felt it lacked some features, mainly the integration with traditional detection/prevention architectures and attack prevention. Apart from the last, which I know is already implemented in the new version of ModSecurity, I'm not aware of its new capabilities.
>
> As part of the project, I developed an API to enable interprocess communication and used a portion of Snort as a detection engine, so it could detect web attacks.
> Another way to detect user misuse/attacks is based on pre-defined rules that protect the application/server from unauthorized requests, like HTTP OPTIONS, TRACE, even if they are enabled in the server settings.
>
> The developed prototype proved very stable and with a little performance cost, about 100 microseconds, when operating in active mode (preventing attacks). No considerable delay was noticed for passive mode (reactive mode).
> According to the alert level, the sensor can automatically set some predefined rules in the local server to stop the attack and send alert information to a complete IDS in real time, thus permitting the activation of some protection rules at border controls (firewalls).
>
> Last, I implemented the still not-so-well-known/accepted IDMEF format and IDXP protocol to exchange messages in a proper standard.
>
> Although lots of work remains to be improved, I cannot continue it for now due to other activities (more than a year since I finished). I hope I can put some effort on it and publish it for the community.
>
> Regards,
>
> Leonardo Cavallari Militelli, MSc. / GIAC-GAWN
> Núcleo de Segurança e Redes de Alta Velocidade
> Escola Politécnica
> Universidade de São Paulo
> www.lsi.usp.br/~nsrav
>