[Snort-users] Snort with IPSec

Josh Berry josh.berry at ...10221...
Tue Nov 4 12:27:07 EST 2003


Yes, we would be implementing IPSec all the way down to ALL desktops and
servers.  All network communication would be through IPSec.

>
> Josh,
>
> Will you be implementing IPSec VPN all the way down to the desktop/server
> level or will you be using a concentrator/router/firewall device? If you
> are using one of these devices, you will have unencrypted traffic on the
> LAN side where you will be able to place a Snort sensor. I suspect that
> only the WAN side will be encrypted. Depending on the device, you could,
> in theory, place a sensor in-line, but... (see Chris' comment)
>
> Regards,
> Mark
>
> "Josh Berry" <josh.berry at ...10472...>
> Sent by: snort-users-admin at ...4626...
> 11/04/2003 01:02 PM
>
> To: snort-users at lists.sourceforge.net
> cc: "Josh Berry" <josh.berry at ...10221...>
> Subject: Re: [Snort-users] Snort with IPSec
>
> I understand the overhead and difficulty.  I just want to know if it is
> technically feasible.  The reason I am asking is that one of the directors
> where I work is considering implementing site wide IPSec encryption for
> every connection on the internal network.  This will make internal attacks
> impossible to see, therefore I cannot just sit the IDS behind the VPN
> because essentially the whole network will be one big VPN.
>
>
>> "Josh Berry" <josh.berry at ...10221...> writes:
>>
>>> Are there any plugins for Snort, or is there any way with Snort, to
>>> decrypt IPSec traffic and then analyze for malicious traffic (given
>>> that snort has the key to decrypt with)?  Is there any reason this
>>> would be impossible?
>>
>> Packet loss, processing time, and implementation time are the biggies :)
>>
>> --
>> Chris Green <cmg at ...1935...>
>>  "Not everyone holds these truths to be self-evident, so we've worked
>>                   up a proof of them as Appendix A." --  Paul Prescod
>>
>>
>> -------------------------------------------------------
>> This SF.net email is sponsored by: SF.net Giveback Program.
>> Does SourceForge.net help you be more productive?  Does it
>> help you create better code?   SHARE THE LOVE, and help us help
>> YOU!  Click Here: http://sourceforge.net/donate/
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>