On 15.03.2018 at 17:58, Carl Mehner wrote:
> On Thu, Mar 15, 2018 at 9:59 AM, Kathleen Moriarty
> <kathleen.moriarty.i...@gmail.com> wrote:
>> I think what Yoav is referring to by detecting BOTS within the
>> network, is really so-called advanced persistent threat (APT) actors
>> that are moving around the internal network leveraging existing access
>> rights of compromised accounts and privilege escalation
>> vulnerabilities. These might be detectable with 'visibility'.
>> Patterns and behavior might be used to detect the APT use case whether
>> or not encryption protects the stream, but it is more difficult.
> Yes, they might; however, the best place for malware detection is on
> the edge (which is out of scope for "in the Datacenter" type
> connections) and the endpoint, where an agent is able to run that does
> not need to 'break in' to the TLS session. Yes, the Fenter draft talks
> about how malware endpoints can be anywhere in the network, and that
> they can delete logs, as a reason to require out-of-band network
> decryption. However, if "breaking TLS" becomes an effective malware
> mitigation means, more malware makers may move to using app-level
> encryption (as some already have). Therefore, the conclusion we can
> draw is that malware is not a reasonable reason for requiring this
> enhanced "visibility".
I don't think you can make this conclusion when the fact that app-level
encryption is used can be detected and blocked. However, there might be
ways to hide, like steganography.
> -carl
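One way to check the claim above that the use of app-level encryption inside an inspected stream can itself be spotted, as an added example that is not code from this thread, any IETF draft, or any product: a byte-entropy heuristic run over decrypted application payloads, with bodies that declare a legitimately high-entropy format (compression, images) separated from opaque blobs that do not. The header list, the 7.0-bit threshold, and the sample payloads are constructed assumptions.

```python
import gzip
import math
import random
from collections import Counter

# Leading bytes of common legitimately high-entropy formats (constructed
# list, an assumption). A body without such a header that still looks
# random has no declared reason to, which is the app-level encryption signal.
KNOWN_HEADERS = {
    b"\x1f\x8b": "gzip",
    b"\x78\x9c": "zlib",
    b"\x89PNG": "png",
    b"\xff\xd8\xff": "jpeg",
    b"PK\x03\x04": "zip",
}
ENTROPY_THRESHOLD = 7.0  # bits per byte; assumed value, tune per environment


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_payload(data: bytes) -> str:
    """Label a decrypted application payload as a middlebox would see it."""
    for magic, name in KNOWN_HEADERS.items():
        if data.startswith(magic):
            return f"declared-{name}"
    if shannon_entropy(data) >= ENTROPY_THRESHOLD:
        return "opaque-high-entropy"  # candidate for app-level encryption
    return "plaintext"


# Constructed samples: a JSON body, the same body gzip-compressed, and
# pseudo-random bytes standing in for an app-level encrypted blob.
PLAINTEXT = b'{"user": "alice", "action": "list", "path": "/home/alice"}' * 4
COMPRESSED = gzip.compress(PLAINTEXT)
ENCRYPTED = random.Random(42).randbytes(4096)

if __name__ == "__main__":
    for label, body in [("json", PLAINTEXT), ("gzip", COMPRESSED), ("blob", ENCRYPTED)]:
        print(f"{label:4s} entropy={shannon_entropy(body):.2f} -> {classify_payload(body)}")
```

The heuristic only works on the decrypted stream and is defeated by exactly the hiding techniques the reply mentions, so it is a triage signal, not a control.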
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls