
Monitoring Encrypted traffic

tgboy (n00b; joined Aug 30, 2011; 20 messages)
Hey all,

Just wanted some help with my project. Intrusion attempts and malicious attacks within encrypted packets go undetected through IPS mainly due to their inability to inspect the content of the encrypted packets. So what are the different solutions to identify intrusion attempts and malicious attacks made through encrypted packets like
VPN
SFTP, SCP, FTPS
SSL/TLS

Thanks for the help.
 
SSL/TLS could be done through a reverse proxy. Or, give your IDS the web server SSL keys for decryption purposes. VPN endpoint isolated and all traffic forced through an IDS.
 
Is there a way like when the encrypted packets reach their destinations on specific servers, a software or hardware that monitors the packets which are decrypted at their destination identifies if the packet has a threat and then notifies a central management system which in turn notifies the IPS or Firewall to block packets from that IP and also keep a log of it in a server. Just some random thoughts ...

Can VPN packets be monitored to see if they contain anything harmful? I didn't get what you meant by the "VPN endpoint isolated".
 

Yes, VPN packets can be inspected. It depends on your VPN hardware. Higher end VPN hardware can decapsulate the packets to allow its IDS to do its thing.
 
Can I have an example of such hardware if possible.

What about SFTP packets? Can their contents be inspected?

For SSL, the thing is I wish to avoid offloading.
 
Nothing can inspect the encrypted packets inline. That would negate the whole point of encryption. Typically you would place an IPS behind whatever edge device is terminating the tunnel so it can look into the decrypted packets. In the case of SSH (and other end host to end host protocols like SSL/TLS) the IPS would simply pass these packets and it is up to your host level IPS/IDS and anti-virus to protect itself.

Some devices like Cisco ISR routers and ASAs have the ability to act as an IPSEC tunnel end-point and have IPS features available to them. In this case the IPSEC packets are first decrypted according to the interface order of operations and then passed to the inspection engine which then decides what to do with the packet (I'm simplifying this of course).

More complicated scenarios like web server farms for instance would entail using a load-balancer to off-load SSL/TLS from the server to the LB. The LB then forwards straight HTTP (which can be inspected by an IPS or IDS) to the application servers.

The best way to see all those protocols in action is with a packet sniffer. If you look at the packets all you see is cipher text, which is all the IPS sees, which is just a bunch of garbage unless you have the decryption key (which you won't have unless you were part of the key exchange process, i.e. one of the end-points).
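The point made above (an inline sensor without the session key sees only ciphertext, plus whatever the handshake exposes in the clear) can be shown with a small TLS record inspector. This is an added example, not code from the thread: it builds a constructed ClientHello, extracts the fields a passive IDS can still read (SNI, offered versions, cipher suites) and reports an application-data record as ciphertext only. The function names and the sample bytes are my own.

```python
import struct

TLS_HANDSHAKE = 0x16
TLS_APPLICATION_DATA = 0x17
EXT_SERVER_NAME = 0x0000
EXT_SUPPORTED_VERSIONS = 0x002B


def build_client_hello(sni: str, versions=(0x0304, 0x0303)) -> bytes:
    """Constructed sample ClientHello record (not a real capture)."""
    name = sni.encode("ascii")
    sni_list = b"\x00" + struct.pack("!H", len(name)) + name          # host_name entry
    sni_ext = (struct.pack("!HH", EXT_SERVER_NAME, len(sni_list) + 2)
               + struct.pack("!H", len(sni_list)) + sni_list)
    vers = b"".join(struct.pack("!H", v) for v in versions)
    sv_ext = (struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(vers) + 1)
              + bytes([len(vers)]) + vers)
    exts = sni_ext + sv_ext
    body = (struct.pack("!H", 0x0303) + bytes(32)       # legacy version + zeroed random (sample)
            + b"\x00"                                     # empty session id
            + struct.pack("!H", 4) + b"\x13\x01\x13\x02"  # two TLS 1.3 cipher suites
            + b"\x01\x00"                                 # compression: null only
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + struct.pack("!HH", 0x0301, len(handshake)) + handshake


def parse_client_hello(record: bytes) -> dict:
    """Pull the plaintext metadata out of a ClientHello handshake record."""
    ctype, _rver, rlen = struct.unpack("!BHH", record[:5])
    if ctype != TLS_HANDSHAKE:
        raise ValueError("not a handshake record")
    hs = record[5:5 + rlen]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 0
    legacy_version = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    pos += 32                                   # client random
    pos += 1 + body[pos]                        # session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    suites = [struct.unpack("!H", body[pos + i:pos + i + 2])[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                        # compression methods
    info = {"legacy_version": legacy_version, "cipher_suites": suites,
            "sni": None, "supported_versions": []}
    if pos + 2 > len(body):
        return info                             # no extensions present
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
        data = body[pos:pos + elen]; pos += elen
        if etype == EXT_SERVER_NAME:
            list_len = struct.unpack("!H", data[:2])[0]
            q = 2
            while q + 3 <= 2 + list_len:
                ntype, nlen = data[q], struct.unpack("!H", data[q + 1:q + 3])[0]
                q += 3
                if ntype == 0:                  # host_name
                    info["sni"] = data[q:q + nlen].decode("ascii", "replace")
                q += nlen
        elif etype == EXT_SUPPORTED_VERSIONS:
            n = data[0]
            info["supported_versions"] = [struct.unpack("!H", data[1 + i:3 + i])[0]
                                          for i in range(0, n, 2)]
    return info


def inspect_record(record: bytes) -> dict:
    """What an inline sensor can log about one TLS record without the session key."""
    ctype, rver, rlen = struct.unpack("!BHH", record[:5])
    if ctype == TLS_HANDSHAKE and len(record) > 5 and record[5] == 0x01:
        info = parse_client_hello(record)
        info["visible"] = "handshake metadata"
        return info
    # Anything after the handshake (0x17 application data) is opaque to the sensor.
    return {"content_type": ctype, "record_version": rver, "length": rlen,
            "visible": "ciphertext only"}


if __name__ == "__main__":
    print(inspect_record(build_client_hello("www.example.com")))
    app_data = bytes([TLS_APPLICATION_DATA]) + struct.pack("!HH", 0x0303, 5) + b"\xde\xad\xbe\xef\x00"
    print(inspect_record(app_data))
```

Running it shows the two halves of the argument in the post: the handshake leaks the server name and the protocol versions offered (enough for allow/deny policy and logging), while the application-data record yields nothing but a type and a length, which is exactly what an IPS that is not one of the endpoints is left with.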
 
How do you think it would be best to implement this on a network containing an SFTP server, a web server farm and VPN access?
 
There really isn't enough information here to design a complete solution but a basic DMZ deployment will probably work best. Place external facing servers in an isolated DMZ where their access to other internal servers and hosts, that are not reachable from the outside, can be restricted. In the event a server in the DMZ is compromised only other DMZ servers would be at risk. Place an IPS in inline mode between your VPN end point and the next hop router which leads to the DMZ. If you have a nice UTM type device you could accomplish it all on one piece of hardware potentially.

This is where defense-in-depth comes into play though. You can't rely solely on IPS to "secure" your network. You will need to employ a variety of security measures to mitigate as much of the risk as possible from internal and external threats. What types and how much you choose depends largely on your budget and what you are trying to protect, e.g. you aren't going to spend umpteen thousands of dollars on HIPS/NIPS/firewalls/anti-x/etc to protect a simple print server or some blogs.
 

Take a look at Palo Alto Networks. They do boxes that do application identification and reverse SSL inspection. Stick one in at the edge of your network and it acts as the VPN endpoint so does IPS/IDS on the traffic as it arrives, and it'll also do inspection of the sftp/web traffic inline.
 
So basically SSL traffic can be monitored by using a man-in-the-middle method where SSL is decrypted, inspected by the IPS/IDS, then re-encrypted and sent to its destination, with the required keys present in the IPS/IDS for encryption and decryption.
SSH can also utilize the same technique when a SSH tunnel is terminated at a proxy and then inspected for malicious content, forwarding and brute force attempts etc.
VPN inspection also can be accomplished by placing the IPS/IDS after VPN endpoint.
In this way the encrypted traffic stays encrypted while travelling through the network while getting inspected. Placing host based IPS/IDS can place a load on the said system, I guess.
 
Pretty much. It's an overhead for the firewall which is why you'll usually see throughput quoted with and without all the IPS/IDS features.
 
I think your best bet would be to offload your SSL to a third party device. I've done it with F5 BigIPs, but there are other (less expensive) options out there. We needed the load balancing anyway, and since we had some beefy boxes, they had no problem doing our encryption along with load balancing in the cluster.

client > router > firewall > load balancers > ids/ips > cores > server
 
Just one more thing about the SSH proxy: I came across FileGate SFP and Shell Control Box.
Do they block malicious traffic or prevent brute force attacks?
Or is it more advisable to have a host based IPS/IDS on the SFTP?
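Whether an SSH proxy or a host-based sensor catches the brute-force attempts mentioned here, the detection itself comes down to the same thing: counting authentication failures per source address inside a time window. This added example (not part of the thread, and not the logic of any product named in it) runs that check over a few constructed sshd log lines; the log text, the thresholds and the function names are my own choices.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd lines in syslog format (not a real capture).
SAMPLE_LOG = """\
Sep 12 10:00:01 sftp01 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Sep 12 10:00:03 sftp01 sshd[2102]: Failed password for root from 203.0.113.7 port 51240 ssh2
Sep 12 10:00:05 sftp01 sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 51244 ssh2
Sep 12 10:00:08 sftp01 sshd[2104]: Failed password for invalid user test from 203.0.113.7 port 51250 ssh2
Sep 12 10:00:11 sftp01 sshd[2105]: Failed password for root from 203.0.113.7 port 51255 ssh2
Sep 12 10:00:14 sftp01 sshd[2106]: Failed password for invalid user oracle from 203.0.113.7 port 51260 ssh2
Sep 12 10:00:20 sftp01 sshd[2107]: Failed password for deploy from 198.51.100.9 port 50001 ssh2
Sep 12 10:00:21 sftp01 sshd[2107]: Connection closed by 198.51.100.9 port 50001 [preauth]
Sep 12 10:01:02 sftp01 sshd[2110]: Accepted password for deploy from 192.0.2.4 port 40010 ssh2
Sep 12 10:03:40 sftp01 sshd[2115]: Failed password for deploy from 198.51.100.9 port 50020 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def parse_failed_logins(text: str) -> list:
    """Return (timestamp, user, source_ip) for every failed-password line."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue                        # accepted logins and other noise are ignored
        # syslog carries no year; strptime fills in 1900, which is fine for deltas
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        events.append((ts, m.group("user"), m.group("ip")))
    return events


def detect_bruteforce(events: list, threshold: int = 5, window_s: int = 60) -> dict:
    """Flag any source IP with >= threshold failures inside a sliding window of window_s seconds."""
    by_ip = defaultdict(list)
    for ts, user, ip in events:
        by_ip[ip].append((ts, user))
    alerts = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # shrink the window from the left until it spans at most window_s seconds
            while (attempts[end][0] - attempts[start][0]).total_seconds() > window_s:
                start += 1
            count = end - start + 1
            if count >= threshold and count > alerts.get(ip, {}).get("failures", 0):
                alerts[ip] = {
                    "failures": count,
                    "users": sorted({u for _, u in attempts[start:end + 1]}),
                    "first": attempts[start][0].strftime("%H:%M:%S"),
                    "last": attempts[end][0].strftime("%H:%M:%S"),
                }
    return alerts


if __name__ == "__main__":
    for ip, detail in detect_bruteforce(parse_failed_logins(SAMPLE_LOG)).items():
        print(f"ALERT {ip}: {detail['failures']} failures {detail['first']}-{detail['last']} "
              f"against {', '.join(detail['users'])}")
```

Only 203.0.113.7 trips the rule: six failures in thirteen seconds spread across several usernames, which is the pattern worth forwarding to a central system for blocking and logging. The second address fails twice more than three minutes apart and stays below the threshold, so the window is what keeps an ordinary mistyped password from raising an alert. The same logic applies unchanged whether the log comes from the SFTP host itself or from a proxy that terminates the SSH sessions in front of it.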
 