IDS mailing list archives

Re: SSL - Man-in-the-Middle filtering


From: carlh2007 () gmail com
Date: 10 Dec 2007 18:15:21 -0000

I am aware of such devices but have no experience with them.  Included within the issues you have raised may be serious 
privacy issues depending on where you are and what your corporate policies state.  If nothing else, consider the added 
potential risk to your company -- for example, perhaps you are deciphering someone's online banking; what if you are 
compromised and thieves are able to get your staff's banking details along with everything else?  Can they suggest that 
through SSL they had a reasonable expectation of privacy?  As should always be the case with potential privacy issues:  
clear it with legal and clear it with HR first.  Obviously, some enterprises will have a strict usage policy that will 
make this a non-issue and this could be a good fit for them.  Otherwise, I would encourage people to tread carefully 
here. 

I have heard of some less intrusive monitoring options that may include monitoring SSL connection duration.  You may 
want to look for SSL connections longer than a couple of minutes (i.e. most banking is done quickly), and filter out IP 
addresses that you expect to see longer SSL connections with.  If you are seeing much longer than usual SSL connections 
you may want to look more closely at traffic to/from that host. 

Carl
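
The connection-duration check suggested in the message above, sketched as an added example that is not part of the original post. The CSV flow layout, the 120-second threshold, port 443 as the SSL port, and the expected-long-session range are all assumptions; the sample records are constructed.

```python
import csv
import io
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample flow records (not real traffic); duration is in seconds
SAMPLE_FLOWS = """\
src,dst,dport,duration
10.0.0.5,203.0.113.10,443,45
10.0.0.5,198.51.100.7,443,3600
10.0.0.8,192.0.2.20,443,7200
10.0.0.9,198.51.100.7,443,900
10.0.0.9,198.51.100.7,80,5000
10.0.0.9,203.0.113.50,443,not-a-number
"""

THRESHOLD_S = 120  # assumed reading of "a couple of minutes"
# Assumed destinations where long SSL sessions are expected (e.g. a VPN gateway)
EXPECTED_LONG = [ip_network("192.0.2.0/24")]


def long_ssl_sessions(flow_csv, threshold=THRESHOLD_S, expected=EXPECTED_LONG, port=443):
    """Return {src: [(dst, duration), ...]} for long SSL flows to unexpected hosts."""
    flagged = defaultdict(list)
    for row in csv.DictReader(io.StringIO(flow_csv)):
        try:
            dst = ip_address(row["dst"])
            dport = int(row["dport"])
            duration = float(row["duration"])
        except (ValueError, KeyError, TypeError):
            continue  # skip malformed records rather than abort the run
        if dport != port or duration <= threshold:
            continue  # not SSL, or short enough to be ordinary browsing
        if any(dst in net for net in expected):
            continue  # long sessions to this destination are expected
        flagged[row["src"]].append((str(dst), duration))
    return dict(flagged)


def hosts_to_review(flagged):
    """Rank internal hosts by their longest flagged session, longest first."""
    return sorted(flagged, key=lambda src: max(d for _, d in flagged[src]), reverse=True)


if __name__ == "__main__":
    result = long_ssl_sessions(SAMPLE_FLOWS)
    for host in hosts_to_review(result):
        print(host, result[host])
```

This works from connection metadata only, so no SSL traffic is decrypted.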
