Re: Snort with IPSec

["Josh Berry" <josh.berry () netschematics com>]

Yes, we would be implementing IPSec all the way down to ALL desktops and
servers.  All network communication would be through IPSec.

> Josh,
>
> Will you be implementing IPSec VPN all the way down to the desktop/server
> level or will you be using a  concentrator/router/firewall device? If you
> are using one of these devices, you will have unencrypted traffic on the
> LAN side where you will be able to place a Snort sensor. I suspect that
> only the WAN side will be encrypted. Depending on the device, you could,
> in
> theory, place a sensor in-line, but... (see Chris' comment)
>
> Regards,
> Mark
>
>
>
>                       "Josh Berry"
>                       <josh.berry () netschematics co        To:
> snort-users () lists sourceforge net
>                       m>                                  cc:       "Josh
> Berry" <josh.berry () netschematics com>,
>                       Sent by:
> snort-users () lists sourceforge net
>                       snort-users-admin () lists sour        Subject:  Re:
> [Snort-users] Snort with IPSec
>                       ceforge.net
>
>
>                       11/04/2003 01:02 PM
>
>
>
>
>
>
> I understand the overhead and difficulty.  I just want to know if it is
> technically feasible.  The reason I am asking is that one of the directors
> where I work is considering implementing site wide IPSec encryption for
> every connection on the internal network.  This will make internal attacks
> impossible to see, therefore I cannot just sit the IDS behind the VPN
> because essentially the whole network will be one big VPN.
>
>
> > "Josh Berry" <josh.berry () netschematics com> writes:
> >
> > > Are there any plugins for Snort, or is there any way with Snort, to
> > > decrypt IPSec traffic and then analyze for malicious traffic (given
> > > that
> > > snort has the key to decrypt with)?  Is there any reason this would be
> > > impossible?
> >
> > Packet loss, processing time, and implementation time are the biggies :)
> >
> > --
> > Chris Green <cmg () sourcefire com>
> >  "Not everyone holds these truths to be self-evident, so we've worked
> >                   up a proof of them as Appendix A." --  Paul Prescod
> >
> >
> > -------------------------------------------------------
> > This SF.net email is sponsored by: SF.net Giveback Program.
> > Does SourceForge.net help you be more productive?  Does it
> > help you create better code?   SHARE THE LOVE, and help us help
> > YOU!  Click Here: http://sourceforge.net/donate/
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
>
>
>
> -------------------------------------------------------
> This SF.net email is sponsored by: SF.net Giveback Program.
> Does SourceForge.net help you be more productive?  Does it
> help you create better code?   SHARE THE LOVE, and help us help
> YOU!  Click Here: http://sourceforge.net/donate/
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users







-------------------------------------------------------
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive?  Does it
help you create better code?   SHARE THE LOVE, and help us help
YOU!  Click Here: http://sourceforge.net/donate/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users