On 7-Mar-07, at 12:38 PM, Ove Dalgård Hansen wrote:
Hello Everyone,
I am in a bit of trouble,
On a network where i am configuring IDS - using ASA5510 + SSM
module, we try to deny access to Bittorrent downloads - it consumes
quite a bit of bandwith and is not allowed by the company's policy.
We try to filter bittorrent which succedes - but the utorrent
changes protocol and goes by the SSL port 443 and thereby
circumvent the IDS, since its not possible to see the encrypted
traffic.
Does anyone out there have a good idea of how i am to solve the issue?
Best Regards
Ove Hansen
IT-Quality A/S
Banemarksvej 50F
Denmark - 2605
I'd recommend looking at something like Bluecoat which allows you to
examine the SSL traffic. The caveat being you'll want to exclude
banking and financial institutions from inspection to avoid capturing/
compromising private user data.
Alternately, block all outbound 443 traffic after examining a months
worth of logs to determine which is legit and which is questionable.,
then explicitly allow 443 to those sites. The better a job you do at
identifying which are legit, the fewer follow up tickets you get to
create further access.
Create a list of all destination IP's on 443 for $now -30days. At
this point you can then use the linux sort utility to both organize
the list and eliminate duplicates. From there you should be able to
identify which are legitimate destinations.
Cheers,
Tremaine Lea
Network Security Consultant
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------
