Thursday, February 01, 2007

To Encrypt or Not to Encrypt

Most computer folks would agree that encryption is a good thing, and for the most part, so would I. However, the point where it becomes harder to justify is when there is an IDS in the mix. There are things that you can do to "get around" the problem, but no matter how you look at it, encryption makes IDS harder to do.

As I mentioned in a previous post, one of the things I use my IDS for is to monitor software that reports its version number over the network in some fashion. All I do is look for a particular combination of destination port and a string within that packet, and I can pick out what version of software a machine is reporting. Very effective in catching out-of-date software that was missed in the last round of upgrades.

Once you add encryption to this, it becomes significantly more difficult to do this type of monitoring, along with numerous others. What happens when a Trojan bot connects to IRC using SSL? I can no longer see the commands that were issued to the bot, but seeing encrypted IRC traffic still tells me something. The same goes for HTTPS; however, HTTPS traffic isn't likely to be considered unusual.
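The two observations above (port-plus-string version matching, and an SSL handshake on an IRC port still being a signal) as an added example, not code from the original post. The product name ExampleAgent, the version baseline, the port choices and all sample payloads are assumptions constructed for illustration.

```python
import re

# Assumed rules: (destination port, product name, pattern capturing the version).
VERSION_RULES = [
    (80, "ExampleAgent", re.compile(rb"User-Agent: ExampleAgent/(\d+(?:\.\d+)*)")),
]
BASELINE = {"ExampleAgent": (2, 4)}   # assumed minimum acceptable version
IRC_PORTS = {6667}                    # assumed plaintext IRC port on this network


def is_tls_client_hello(payload):
    """True if payload starts with an SSLv3/TLS handshake record carrying a ClientHello."""
    return (len(payload) >= 6 and payload[0] == 0x16   # record type: handshake
            and payload[1] == 0x03                     # protocol major version
            and payload[5] == 0x01)                    # handshake type: ClientHello


def inspect(dst_port, payload):
    """Return a list of (finding, detail) tuples for one packet payload."""
    findings = []
    for port, product, pattern in VERSION_RULES:
        match = pattern.search(payload) if dst_port == port else None
        if match:
            text = match.group(1).decode()
            if tuple(int(p) for p in text.split(".")) < BASELINE[product]:
                findings.append(("outdated-version", f"{product} {text}"))
    # Encrypted payload: the content rule above cannot match, but the
    # handshake on an IRC port is still worth an alert by itself.
    if dst_port in IRC_PORTS and is_tls_client_hello(payload):
        findings.append(("tls-on-irc-port", str(dst_port)))
    return findings


# Constructed sample packets (destination port, payload); not captured traffic.
TLS_HELLO = bytes.fromhex("160301002f0100002b0301") + bytes(38)
SAMPLES = [
    (80, b"GET /check HTTP/1.1\r\nUser-Agent: ExampleAgent/2.3.1\r\n\r\n"),
    (80, b"GET /check HTTP/1.1\r\nUser-Agent: ExampleAgent/2.4.0\r\n\r\n"),
    (6667, b"NICK host01\r\nUSER host01 0 * :x\r\n"),
    (6667, TLS_HELLO),
    (443, TLS_HELLO),
]

if __name__ == "__main__":
    for port, data in SAMPLES:
        print(port, inspect(port, data))
```

The same handshake bytes produce an alert on port 6667 and nothing on port 443, which is the asymmetry the paragraph describes.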

Food for thought.

Enjoy.
