Hi Hari,
Looking at the whitepaper for the suggested product:
"
It should be noted, however, that sniffing outbound connections is not
the intended purpose. Rather, BreachView SSL is intended to provide
visibility into traffic destined for an SSL-secured host that is under
the user's control, and for which the certificate and private key are
available. In this way, BreachView SSL is highly effective at
detecting attacks on the internal intranet servers.
"
So this does no magic 'breaking' of SSL it requires the keys used and
so is just encrypting and decrypting traffic you actually have the
keys for, thus providing protection for your any of your servers that
host SSL pages by allowing the ids to detect attacks that have been
hidden in the SSL stream.
Cheers
Kevin
-----Original Message-----
From: listbounce@securityfocus.com
[mailto:listbounce@securityfocus.com] On Behalf Of Hari Sekhon
Sent: 13 March 2007 15:20
To: focus-ids@securityfocus.com
Subject: Re: Bittorrent - utorrent
does anyone understand how these products can inspect SSL?
Perhaps I could understand if it was just the bitorrent encypted
traffic... but surely SSL is designed to be encrypted end to end?
You'd have to intercept the certificate and replace it, prompting a
warning to the user.
The only other way I can think of would be something like a
cryptographic weakness in SSL or brute forcing it somehow, but this
seems like it would take a ridiculous amount of computing power and just
doesn't seem possible...
If SSL is truely decryptable on the fly in real-time in this way (or
even just from packet captures after some effort) it would effectively
render all e-business too dangerous to ever do again. I'd never buy
another book from Amazon ever again!
Anyone care to explain how these products are supposed to work and if
they really can decrypt SSL or if this is marketing speech for noticing
encrypted patterns which isn't the same thing?
-h
Hari Sekhon
Kevin Overcash wrote:
Breach Security has a product called BreachView SSL that passively decrypts SSL
traffic for an IDS without terminating the SSL session. The product comes as
either a software plug-in or an appliance.
http://www.breach.com/products_breachviewssl.aspI can't (although personally I
haven't encrypted bitorrent so
ko
-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] On
Behalf Of Panayiotis Psihoyios
Sent: Thursday, March 08, 2007 10:01 AM
To: 'Ove Dalgård Hansen'; focus-ids@securityfocus.com
Subject: RE: Bittorrent - utorrent
Since it is going through SSL (and no IDS can look into SSL), you have two
options:
Plan A: Deny SSL traffic, but that usually this is not possible,
Plan B: Let your users out through a proxy server, which will identify
non-browser traffic using http/s header inspection. Configure your firewall
to permit HTTP/S out only from your proxy and not your clients.
Regards,
Panayiotis
-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] On
Behalf Of Ove Dalgard Hansen
Sent: Wednesday, March 07, 2007 9:38 PM
To: focus-ids@securityfocus.com
Subject: Bittorrent - utorrent
Hello Everyone,
I am in a bit of trouble,
On a network where i am configuring IDS - using ASA5510 + SSM module, we try
to deny access to Bittorrent downloads - it consumes quite a bit of bandwith
and is not allowed by the company's policy.
We try to filter bittorrent which succedes - but the utorrent changes
protocol and goes by the SSL port 443 and thereby circumvent the IDS, since
its not possible to see the encrypted traffic.
Does anyone out there have a good idea of how i am to solve the issue?
Best Regards
Ove Hansen
IT-Quality A/S
Banemarksvej 50F
Denmark - 2605
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to
http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=in
tro_sfw
to learn more.
------------------------------------------------------------------------
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to
http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to
http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to
http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------
