IDS mailing list archives
RE: ssh and ids
From: Omar Herrera <oherrera () prodigy net mx>
Date: Sat, 19 Jun 2004 15:31:12 -0600
-----Original Message-----
From: Runion Mark A FGA DOIM WEBMASTER(ctr)

Let's suppose the attacker is mildly sophisticated, and after making the initial assault roots the box and installs a secure backdoor or two. Is there any IDS capable of isolating data it cannot read, except to monitor authorized port usage of a system or group of systems? Not to complicate the question, but when the attacker is using portal gates and all communications traffic is encrypted in normal channels, how can an IDS participate?
I haven't seen a product, but I suppose there are; it wouldn't be too difficult for most applications. You would need something like a gateway+inline+NIDS. What this thing should do is a kind of man-in-the-middle attack: connections to the outside would be redirected through and trapped by this device; then this device would answer, spoofing the real destination, and forward all traffic through a new encrypted connection to the original destination. So, for someone connecting from your internal network to the outside, the client will actually connect to the IDS box; there the IDS will act as the SSH server, extract the data, analyze it and encrypt it again with another SSH connection until reaching the final destination.
From outside to inside would be more or less the same, although some protocols might need some adjustments to work appropriately; for example, for SSL you might need to put the digital certificate on this box rather than on your web server.
Monitoring normal traffic patterns seems a bit slow for detection.
What makes this slow is the memory to keep all traffic and statistics and search through it all. However, the search process should be faster, for there would be fewer patterns to look at and the query would be less complicated than looking for certain strings within packets. The approach that I mention would probably be much slower. Actually, it would be no good having all this in place if, after all, the traffic you look at while it is decrypted does not match any predefined signature. You see, merely verifying authorized port usage has some important advantages after all (if you know exactly which ports are allowed to be used and which are not).

Regards,
Omar Herrera
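The closing point of the message, that checking authorized port usage is cheap and still useful against encrypted channels an IDS cannot read, is shown below as an added example; it is not code from the original post or from any product the thread mentions. The hosts, the allowed-port policy and the flow records are all constructed for illustration, and the check assumes, as Omar's caveat requires, that the policy is a complete statement of which ports each monitored host may accept and reach.

```python
"""Authorized-port-usage check over constructed flow records.

Added example, not from the mailing-list post. It does not look inside
packets at all: an encrypted backdoor or tunnel on a port the policy
does not list is flagged purely from the (src, dst, proto, dport) tuple.
All addresses, the policy and the flows are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")  # constructed internal range


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    dport: int


# Constructed policy: for each monitored server, the ports it may accept
# from outside (inbound) and the outside ports it may connect to (outbound).
POLICY = {
    "10.0.1.10": {  # web/ssh host
        "inbound": {("tcp", 22), ("tcp", 443)},
        "outbound": {("tcp", 443), ("udp", 53)},
    },
    "10.0.1.20": {  # mail relay
        "inbound": {("tcp", 25)},
        "outbound": {("tcp", 25), ("udp", 53)},
    },
}


def direction(flow):
    """Classify a flow relative to the internal range."""
    s_in = ip_address(flow.src) in INTERNAL
    d_in = ip_address(flow.dst) in INTERNAL
    if s_in and not d_in:
        return "outbound"
    if d_in and not s_in:
        return "inbound"
    return "other"  # purely internal or purely external; not checked here


def audit(flows, policy=POLICY):
    """Return one alert tuple (host, direction, proto, dport, reason) per
    flow that crosses the perimeter on a port the policy does not allow.
    """
    alerts = []
    for f in flows:
        d = direction(f)
        if d == "other":
            continue
        host = f.src if d == "outbound" else f.dst
        rules = policy.get(host)
        if rules is None:
            alerts.append((host, d, f.proto, f.dport, "host not covered by policy"))
        elif (f.proto, f.dport) not in rules[d]:
            alerts.append((host, d, f.proto, f.dport, f"{d} port not authorized"))
    return alerts


# Constructed sample flows; the comments state the expected verdict.
SAMPLE_FLOWS = [
    Flow("10.0.1.10", "198.51.100.5", "tcp", 443),   # allowed outbound HTTPS
    Flow("203.0.113.7", "10.0.1.10", "tcp", 22),     # allowed inbound SSH
    Flow("203.0.113.7", "10.0.1.10", "tcp", 4444),   # unknown listener -> alert
    Flow("10.0.1.10", "198.51.100.9", "tcp", 2222),  # outbound to odd port -> alert
    Flow("10.0.1.20", "198.51.100.5", "tcp", 443),   # mail relay browsing -> alert
    Flow("10.0.1.10", "198.51.100.9", "udp", 53),    # allowed outbound DNS
    Flow("10.0.1.30", "198.51.100.5", "tcp", 443),   # host missing from policy -> alert
]

if __name__ == "__main__":
    for alert in audit(SAMPLE_FLOWS):
        print(alert)
```

Run as-is it prints four alerts. The check is deliberately blind to payload, which is the point of the message: an attacker's "secure backdoor" that listens on or calls out to a port outside the policy shows up without any decryption, while one that tunnels over an allowed port does not, so the value of the method rises and falls with how tight and complete the port policy is.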