
List:       ids
Subject:    IDS: RE: Hybrid Sensors and encrypted network traffic
From:       "Ballerini, Jean Paul (ISS Zurich)" <JPBallerini () iss ! net>
Date:       2001-04-24 13:04:47
[Download RAW message or body]

Archive: http://msgs.securepoint.com/ids
FAQ IDS: http://www.sans.org/newlook/resources/IDFAQ/ID_FAQ.htm
FAQ NIDS: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems... email questions to ids-owner@uow.edu.au
NOTE: Remove this section from reply msgs otherwise the msg will bounce.
SPAM: DO NOT send unsolicted mail to this list.
UNSUBSCRIBE: email "unsubscribe ids" to majordomo@uow.edu.au
-----------------------------------------------------------------------------
Hi Michael,

I am sorry to step into the conversation a bit late, but I think I have my
bit to add.

I agree with the fact that you should never choose a product blindly. I
agree that non-vendor-centric groups can be very helpful.
I just wonder at the end which solution requires more "resourcefulness" to
get to the same level of security.

That said, I would like to support you in not trusting encrypted traffic.
Very simple scenario:
An employee goes home with his laptop and navigates on the web for long
enough for a trojan to be installed. He then connects via VPN to his
company's intranet and there you go, the trojan can ride!

I might state the obvious, but don't forget that you cannot get to the
proper level of security with only one product. That employee should have a
personal FW, he should have his machine locked down. He should close and
reopen the connection before entering the intranet. Etc., etc.

Thanks for your time,

	Jean Paul Ballerini

--------------------------------------------------------------------
ISSX Internet Security Systems AG     Tel: +41 (0)1 3083679
Jean Paul Ballerini                   Fax: +41 (0)1 3083500
System Engineer CH/A                  Mob: +41 (0)79 2547364
World Trade Center                    email: jpballerini@iss.net
Leutschenbachstrasse 95
CH-8050 Zurich                        web: http://www.iss.net/
Switzerland

      *** Internet Security Systems - The Power to Protect ***
--------------------------------------------------------------------


> -----Original Message-----
> From: Burkhart, John [mailto:john.t.burkhart@saic.com]
> Sent: Friday, 13 April 2001 22:00
> To: Becker, Pat (ISS Atlanta); 'hennecke@gmx.de'; ids@uow.edu.au
> Subject: Hybrid Sensors and encrypted network traffic
> 
> 
> Thanks for speaking up Pat.  I too am certified under ISS's product line
> and am familiar with its architecture. I also have operated/engineered
> solutions with ISS products for a few years; along with numerous others.
> 
> In regards to Pat's statement, "...apples to trash compactors...," agreed
> whole-heartedly, though I am not sure yet which one is associated with
> trash in the analogy.
> 
> Be mindful too Michael of just how much configuration you can actually do
> with this product.  And ask some of the hard questions...how often can I
> expect updates?  How long do bug reports take to fix?  Ask for statistics
> and if you do get them then post them to the group for comparison...we
> would all like to see some of that I am sure.
> 
> I think you will find that ISS does have a good product offering (largest
> market share) if maintained by trained staff with an outstanding
> methodology but ISS products do have their weaknesses that can be offset
> with other technologies.  You will, IMO, be best served by taking Pat's
> advice...check out other products and use some resourcefulness to solve
> your problem.  You may find out that you can detect problems effectively
> in the long run by doing so.  If you need more help in deciding what works
> best for your environment then please ask the non-vendor-centric
> group...they will probably be able to help you through the waters provided
> there is more information on your architecture and proposed setup.
> 
> Cheers,
> John Burkhart
> 
> 
> 
> 
> 
> -----Original Message-----
> From: Becker, Pat (ISS Atlanta) [mailto:PBecker@iss.net]
> Sent: Friday, April 13, 2001 12:04 PM
> To: 'Burkhart, John'; 'hennecke@gmx.de'; ids@uow.edu.au
> Subject: RE: RE: Hybrid Sensors and encrypted network traffic
> 
> 
> I start by saying that I'm with ISS and have been here forever, so add
> whatever grain of salt you wish.
> 
> However, comparing Snort and Tripwire to ISS Server Sensor is really
> comparing apples to trash compactors.   I believe that rather than thinking
> Server Sensor will be your magic bullet, that there are definite reasons to
> use products like ISS Server Sensor, ISS RealSecure NIDS, and System
> Scanner for scanning the local filesystem.  
> 
> There are even some good tools that you could use.  Tripwire and Snort
> don't cost anything up-front.
> 
> Snort is a NIDS, built mostly on pattern matching ala regular expressions.
> There are advantages to this, making it easy to add new signatures, but the
> methodology is prone to false positives.
> 
> The key is how much and what kinds of security do you need today?  Next
> month, next year.  
> 
> I'm cognizant and familiar with the ISS Server Sensor architecture, but
> don't claim to be an expert.  There are 2 places where it hooks into the
> network stack.  One is in the transport layer, in OSI parlance, similar to
> many networking socket apps.  The other is lower, in the network layer.
> This will allow it to very effectively squash DoS attacks, since it blocks
> at the network layer rather than as a transport protocol peer.  
> 
> Server Sensor may be a way to detect encrypted channels because it is a
> host application and may get to look at the datastream before it is
> encrypted.  It depends on the specifics of the encryption application.  
> 
> If you are really serious, get in touch with us.  In the meantime, it will
> only help if you do look at other tools that are out there.  You need
> something to compare.  We usually find the more informed you are, the
> better ISS will end up.
> 
> Hope some of this is helpful,
> 
> Pat Becker
> Sr. Researcher,
> Internet Security Systems, Inc.
> http://www.iss.net
> 
> 
> 
> 
> 
> 
> -----Original Message-----
> From: Burkhart, John [mailto:john.t.burkhart@saic.com]
> Sent: Friday, April 13, 2001 12:23 PM
> To: 'hennecke@gmx.de'; ids@uow.edu.au
> Subject: IDS: RE: Hybrid Sensors and encrypted network traffic
> 
> 
> Are you German?
> 
> Frankly why would you want to monitor encrypted traffic?  If it is
> encrypted with a VPN then place that traffic into a "secure DMZ."  Then
> monitor all unencrypted traffic leaving the cleartext side of the VPN.  If
> you must monitor encrypted traffic then you likely do not want ISS.  It
> doesn't monitor encrypted traffic per se and I am pretty sure it does not
> monitor much outside of tcp, udp, icmp and ip.  You may want to consider
> Recourse ManHunt if you want to look at traffic anomalies.  You still need
> some form of HBIDS if you want to seriously look at "key" machines.  But
> take special care to make sure that it is difficult to uncover or discover
> the IDS on the host when it is r00t3d.
> 
> "What are the capabilities of the ISS Server Sensor in particular?"  You
> would need to contact an ISS account rep to get an answer to this and then
> talk to an engineer who has been there for a while.  What do you want its
> capabilities to be?  You might find that you would be better off with
> TripWire or some other product like KSE.
> 
> What primary platform are you trying to defend?  Have you looked at snort?
> 
> John T. Burkhart
> Network Security Engineer / Intrusion Detection Lead
> Science Applications International Corporation (SAIC)
> Secure Business Solutions Group (SBSG)
> Managed Network Services Center (MNSC)
> Office: 858-826-9678
> Cell:     858-967-6346
> "Claudo Prosterno" and "Lock down"
> 
> 
> -----Original Message-----
> From: hennecke@gmx.de [mailto:hennecke@gmx.de]
> Sent: Friday, April 13, 2001 4:41 AM
> To: ids@uow.edu.au
> Subject: IDS: Hybrid Sensors and encrypted network traffic
> 
> 
> Hello,
> 
> what are your opinions regarding the use of hybrid sensors (a combination
> of host and network sensor) as the only solution for monitoring encrypted
> network traffic?
> Where does the hybrid sensor fit into the IP stack (level of the ISO/OSI
> model) in general?
> What are the capabilities of the ISS Server Sensor in particular?
> 
> Regards, Michael
> 
> -- 
> http://mh.home.pages.de/
> (pgp key available)
> 
> GMX - The communication platform on the Internet.
> http://www.gmx.net
> 
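Jean Paul's scenario above (a trojan on a laptop riding the VPN into the intranet) and John's advice in the quoted message to monitor the cleartext side of the VPN, worked through as an added example. This is not code from the original thread, from ISS or from any product named in it. It assumes a VPN gateway that hands clients addresses from a fixed pool; the gateway and laptop addresses, the pool, the intranet range, the detection threshold and window, and every flow record are constructed for the example.

```python
"""Detecting a compromised VPN client from flow records, as seen by a sensor
on the encrypted side of the VPN gateway versus one on its cleartext side.

Every address, the VPN address pool and all flow records below are constructed
for this example; nothing here is captured traffic or product behaviour.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    ts: float      # seconds since epoch (constructed)
    proto: str     # "udp", "tcp" or "esp"
    src: str
    dst: str
    dport: int     # 0 for ESP, which carries no port


# Assumed topology: VPN gateway 203.0.113.1 hands clients addresses from
# 10.200.0.0/24 and the intranet is 10.0.0.0/8.
VPN_POOL = ip_network("10.200.0.0/24")
INTERNAL = ip_network("10.0.0.0/8")

# What a sensor on the Internet side of the gateway sees: IKE, NAT-T and ESP
# between the laptop (198.51.100.23) and the gateway. No inner endpoints.
OUTSIDE_FLOWS = [
    Flow(1.0, "udp", "198.51.100.23", "203.0.113.1", 500),
    Flow(2.0, "udp", "198.51.100.23", "203.0.113.1", 4500),
] + [Flow(3.0 + i, "esp", "198.51.100.23", "203.0.113.1", 0) for i in range(40)]

# The same session on the cleartext side. The laptop is 10.200.0.17: two
# legitimate intranet connections, then the trojan sweeping 10.0.1.1-8 on 445.
# A second, clean client (10.200.0.33) is included as a control.
INSIDE_FLOWS = [
    Flow(10.0, "tcp", "10.200.0.17", "10.0.5.10", 443),   # intranet portal
    Flow(12.0, "tcp", "10.200.0.17", "10.0.5.20", 445),   # file server
    Flow(11.0, "tcp", "10.200.0.33", "10.0.5.10", 443),
    Flow(15.0, "tcp", "10.200.0.33", "10.0.5.20", 445),
] + [Flow(30.0 + i, "tcp", "10.200.0.17", f"10.0.1.{i + 1}", 445) for i in range(8)]


def fan_out_alerts(flows, pool=VPN_POOL, internal=INTERNAL, window=60.0, threshold=5):
    """Flag VPN-pool sources that reach >= `threshold` distinct internal
    destinations within any `window`-second span.

    Returns {src: most distinct destinations seen in one window} for flagged
    sources. ESP records are skipped: without decryption the sensor has no
    inner addresses or ports to reason about.
    """
    by_src = defaultdict(list)
    for f in flows:
        if f.proto not in ("tcp", "udp"):
            continue
        if ip_address(f.src) in pool and ip_address(f.dst) in internal:
            by_src[f.src].append(f)

    alerts = {}
    for src, fl in by_src.items():
        fl.sort(key=lambda f: f.ts)
        for i, start in enumerate(fl):
            # Distinct destinations in the window opening at this record.
            # O(n^2) per source is fine here; a live sensor would use a deque.
            in_window = {g.dst for g in fl[i:] if g.ts - start.ts <= window}
            if len(in_window) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(in_window))
    return alerts


if __name__ == "__main__":
    print("encrypted side:", fan_out_alerts(OUTSIDE_FLOWS))   # {}
    print("cleartext side:", fan_out_alerts(INSIDE_FLOWS))    # {'10.200.0.17': 10}
```

On the encrypted side the sensor sees only IKE and ESP to the gateway and has nothing to match on, so the employee's laptop is invisible there; the same session on the cleartext side produces a fan-out alert for the trojan's host sweep while the clean client stays quiet. The window and threshold are assumptions and have to be set against a site's normal VPN usage, otherwise a legitimate user opening a few file shares will trip the detector.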
