[Snort-users] Re: [Openvpn-users] Anyone know how to detect OpenVPN traffic?

Jason Haar Jason.Haar at ...294...
Fri Nov 19 15:43:01 EST 2004


Michael Scheidell wrote:

>>Seriously - I think this sort of thing is happening more and more. We 
>>don't allow P2P - and our IDS could always pick it. Then along came 
>>Skype - changes port numbers at random, and encrypts traffic. But we 
>>managed to come up with a Snort rule for that too. Now it appears we 
>>have met the "perfect" implementation that can't be detected. Now I 
>>expect to see more and more of them.
>>    
>>
>
>I think there might be any number of us who would do it for a price...
>
>Its all ones and zeros.  There has to be a way.
>
>Just not an easy (eg: free) way.
>  
>

I don't think any product - commercial or otherwise - could detect such 
things - if they are implemented correctly.

Most commercial "VPN" products available either don't work on our 
network (firewalled), or generate alerts from our IDS network. OpenVPN 
is the first thing I've tried that worked out-of-the-box and got under 
the radar (well done :-).

Only policy stands between it and open access. And if you have a policy, 
you at least need to be able to monitor to prove your policy is 
enforced. And I can't even detect OpenVPN.

The only way I can think of to detect something specifically written to 
remain hidden would be by traffic analysis techniques - looking for 
long-term HTTPS sessions/etc. Trouble is, 99% of sites cannot justify 
(money, time, administration, personnel) changing their network usage 
patterns in order to make such techniques actually practical. (i.e. if 
your network allows almost any type of traffic internally [like ours - 
we write network services amongst other things], then how can you define 
what is "known" traffic and therefore what isn't?). We certainly run our 
proxies as "allow all sites except those we don't" - compared with 
firewall "block everything except that we allow". To flip the proxy 
security principle would be impossible: we have 2500 employees in a 
variety of roles - how do you define what sites they're allowed to go 
to? Who decides? And how to manage the allowed sites list - it'd change 
on a minutely basis?!?!? Gah. Maybe sites (i.e. those not in the 
software dev industry) can define their Internet access totally via 
whitelists - I know we can't.

Fun, fun, fun. That's why I like this work :-)

This discussion isn't leading anywhere - but I'm enjoying it.  That's 
why I'm keep CC'ing the Snort IDS list. Like myself, they are interested 
in knowing about everything on their networks (we're twisted like that) 
- and OpenVPN appears "unknowable".

Jason





More information about the Snort-users mailing list