Vulnerability Development mailing list archives

Re: Covert Channels


From: Michal Zalewski <lcamtuf () dione ids pl>
Date: Wed, 23 Oct 2002 17:45:17 -0400 (EDT)

On Wed, 23 Oct 2002, Roland Postle wrote:

> I disagree. How do you detect an attack (involving a low level buffer
> overflow etc.) that rides inside an encrypted session?

The whole issue of IDSes (and virus scanners) dealing with encrypted
sessions (SSL, SSH, PGP mail, etc) is a mess in all aspects - no matter
whether you talk about attack detection, covert channel detection, policy
enforcement, etc, and it's a tough call - either a matter of host-based
analysis on the endpoint; complex key management and transparent
decryption; using centralized encryption mechanisms, or such. My statement
applied only to sessions that can be viewed, either on the wire or on the
endpoint. Yes, saying this may be too much, yet I still stand by the
opinion this is the case in general, to which there may be some fairly
specific exceptions.

> Once again privacy and protection come head to head. Using encryption
> compromises your network,

Compromises the infrastructure, protects the information. You can't have
privacy with compromised infrastructure, you can't have privacy if your
sessions are being watched or tampered with... Don't we all love that?;)

-- 
------------------------- bash$ :(){ :|:&};: --
 Michal Zalewski * [http://lcamtuf.coredump.cx]
    Did you know that clones never use mirrors?
--------------------------- 2002-10-23 17:36 --


