[Snort-users] Snort with IPSec

Mark.Schutzmann at ...10438...
Tue Nov 4 12:20:21 EST 2003


Josh,

Will you be implementing IPSec VPN all the way down to the desktop/server
level or will you be using a concentrator/router/firewall device? If you
are using one of these devices, you will have unencrypted traffic on the
LAN side where you will be able to place a Snort sensor. I suspect that
only the WAN side will be encrypted. Depending on the device, you could, in
theory, place a sensor in-line, but... (see Chris' comment)

Regards,
Mark


From:     "Josh Berry" <josh.berry at ...10472...m>
Sent by:  snort-users-admin at ...4626...ceforge.net
Date:     11/04/2003 01:02 PM
To:       snort-users at lists.sourceforge.net
cc:       "Josh Berry" <josh.berry at ...10221...>, snort-users at lists.sourceforge.net
Subject:  Re: [Snort-users] Snort with IPSec




I understand the overhead and difficulty.  I just want to know if it is
technically feasible.  The reason I am asking is that one of the directors
where I work is considering implementing site wide IPSec encryption for
every connection on the internal network.  This will make internal attacks
impossible to see; therefore, I cannot just sit the IDS behind the VPN
because essentially the whole network will be one big VPN.


> "Josh Berry" <josh.berry at ...10221...> writes:
>
>> Are there any plugins for Snort, or is there any way with Snort, to
>> decrypt IPSec traffic and then analyze for malicious traffic (given that
>> snort has the key to decrypt with)?  Is there any reason this would be
>> impossible?
>
> Packet loss, processing time, and implementation time are the biggies :)
>
> --
> Chris Green <cmg at ...1935...>
>  "Not everyone holds these truths to be self-evident, so we've worked
>                   up a proof of them as Appendix A." --  Paul Prescod
>
>
> -------------------------------------------------------
> This SF.net email is sponsored by: SF.net Giveback Program.
> Does SourceForge.net help you be more productive?  Does it
> help you create better code?   SHARE THE LOVE, and help us help
> YOU!  Click Here: http://sourceforge.net/donate/
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>




