[Snort-users] Snort with IPSec
ravivsn at ...9637...
Wed Nov 5 21:10:13 EST 2003
You can't decrypt the packets unless you know the keys IPSec is currently
using. With IKE, the security gateways exchange keys periodically, as
well as on the number of bytes transferred. As the keys change every now
and then, you can't decrypt the packets.
Moreover, IPSec/IKE uses encryption algorithms like 3DES and AES, which
have no history of being broken.
The solutions could be:
- your VPN box and Snort should work in touch with each other about the keys
- OR you run Snort in the LAN behind the security gateway VPN box
- If you are using VPN client on machines then better run HIDS on the
If you can make Snort decrypt the packets, then it is going to be a
big security threat!!
Rendezvous On Chip (i) Pvt Ltd,
iSecure -A complete security gateway device.
On Wed, 2003-11-05 at 11:51, Frank Knobbe wrote:
> On Tue, 2003-11-04 at 13:02, Josh Berry wrote:
> > I understand the overhead and difficulty. I just want to know if it is
> > technically feasible. The reason I am asking is that one of the directors
> > where I work is considering implementing site wide IPSec encryption for
> > every connection on the internal network. This will make internal attacks
> > impossible to see, therefore I cannot just sit the IDS behind the VPN
> > because essentially the whole network will be one big VPN.
> What is the reason/business case behind this? Do the benefits you gain
> really outweigh the drawbacks?