There are basically three ways to monitor SSL traffic:
+ Terminate at the edge of the network and connect your IDS to the
cleartext segment. While trivial, this is the most common solution. The
disadvantages are of course:
(a) Decrypting early, requiring your data to flow through part
of your network unencrypted.
(b) Need for an additional device to decrypt SSL at the edge.
+ SSL Bridge - terminate and then re-encrypt. Works only for an in-line
device and might validate non-repudiation.
+ Passively decrypt - decrypt a copy of the traffic, without actually
being part of the conversation. This one is the best add-on for existing
IDS systems (*SHAMELESS PLUG* we sell such an add-on).
~ Ofer
Ofer Shezaf
[EMAIL PROTECTED], Phone:+972-9-9560036 #212, Cell: +972-54-4431119
CTO, Breach Security;
Chair, OWASP Israel;
Leader, ModSecurity Core Rule Set Project
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Jean-Pierre FORCIOLI
> Sent: Wednesday, September 19, 2007 7:23 PM
> To: [email protected]
> Subject: How to monitor encrypted connections...
>
> Hi,
>
> Still working on my IDS/IPS project...
> When browsing some IDS/IPS vendors' datasheets, I noticed that some of
> them claimed to be able to monitor encrypted traffic.
> Could someone provide me with some insight on what is currently
> possible (and already implemented) and what are the eventual
> limitations?
>
> Best regards.