Hi Panos,
In fact, the statement that no IDS can "look" into SSL is not completely
accurate.
Here is a number of indicative solutions:
- Change from Cisco to either McAfee Intrushield or ISS Proventia. Under certain
conditions, they can decrypt and encrypt the SSL stream. Of course, this would
not be easy in money terms as I may understand.
- Use a Web/Application firewall (or a reverse proxy) to eliminate Applications
(not connections) that behave like *torrent
- Deploy personal firewalls with a centralized policy that can assist you in
controlling the applications on user's desktops.
- Deploy a gateway content filtering solution (e.g. BlueCoat) that is capable of
monitoring incoming/outgoing SSL traffic.
Hope these help.
Dimitrios G. Patsos
Quoting Panayiotis Psihoyios <ppsih@hol.gr>:
Since it is going through SSL (and no IDS can look into SSL), you have two
options:
Plan A: Deny SSL traffic, but that usually this is not possible,
Plan B: Let your users out through a proxy server, which will identify
non-browser traffic using http/s header inspection. Configure your firewall
to permit HTTP/S out only from your proxy and not your clients.
Regards,
Panayiotis
-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] On
Behalf Of Ove Dalgard Hansen
Sent: Wednesday, March 07, 2007 9:38 PM
To: focus-ids@securityfocus.com
Subject: Bittorrent - utorrent
Hello Everyone,
I am in a bit of trouble,
On a network where i am configuring IDS - using ASA5510 + SSM module, we try
to deny access to Bittorrent downloads - it consumes quite a bit of bandwith
and is not allowed by the company's policy.
We try to filter bittorrent which succedes - but the utorrent changes
protocol and goes by the SSL port 443 and thereby circumvent the IDS, since
its not possible to see the encrypted traffic.
Does anyone out there have a good idea of how i am to solve the issue?
Best Regards
Ove Hansen
IT-Quality A/S
Banemarksvej 50F
Denmark - 2605
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to
http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=in
tro_sfw
to learn more.
------------------------------------------------------------------------
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to
http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to
http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------
