Vulnerability Development mailing list archives

Re: IDS and SSL


From: Gabriel Lawrence <gabe () butterflysecurity com>
Date: 20 Mar 2002 09:29:43 -0800

Well, I've only used the SSL terminators myself. I think the one we used
was an Intel one. But there appear to be lots of companies in the
market. Here's an old review from Network Computing that might be a good
place to start: <http://www.networkcomputing.com/1212/1212f4.html>

As far as IDS's specifically, well... I may have been mis-informed (or
operating on non-public info.) When we were talking to VC's about what
Butterfly does the technically savvy VC's seemed to always bring up the
idea of putting the SSL cert into the NIDS. I heard it so often I
figured it was true. But from looking around to answer your question for
specific vendors, I'm seeing most folks have taken the HIDS route. I
wonder if the VC's are seeing some products that are yet to hit the
market? Thinking a little about it, I imagine dealing with keeping all
the certificates in sync and ready to go may be a lot more trouble than
it's worth. Especially when HIDS solutions are so simple...

ISS has an agent you can install on a machine to deal with SSL. I
haven't used their products so all I really know is what I gleaned from
their web site. I imagine most other IDS do too. I'm not really an IDS
guy so...

ssldump allows you to decrypt SSL sessions in line. I know this isn't an
IDS, but if you are just looking for some information on how to do it
this could be a good place to start. <http://www.rtfm.com/ssldump/>

I would be surprised if there isn't an open source project to merge
ssldump and snort out there somewhere. I did try and look for a couple
of minutes but didn't find one. Sounds like it would be a fun project,
if nobody else is already doing it I might have to take a look.

-gabe


On Wed, 2002-03-20 at 07:02, zeno wrote:

Can you name some brands?

- zeno



