[Snort-users] Re: [Openvpn-users] Anyone know how to detect OpenVPN traffic?
Jason.Haar at ...294...
Fri Nov 19 15:43:01 EST 2004
Michael Scheidell wrote:
>>Seriously - I think this sort of thing is happening more and more. We
>>don't allow P2P - and our IDS could always pick it. Then along came
>>Skype - changes port numbers at random, and encrypts traffic. But we
>>managed to come up with a Snort rule for that too. Now it appears we
>>have met the "perfect" implementation that can't be detected. Now I
>>expect to see more and more of them.
>I think there might be any number of us who would do it for a price...
>It's all ones and zeros. There has to be a way.
>Just not an easy (eg: free) way.
I don't think any product - commercial or otherwise - could detect such
things - if they are implemented correctly.
Most commercial "VPN" products available either don't work on our
network (firewalled), or generate alerts from our IDS network. OpenVPN
is the first thing I've tried that worked out-of-the-box and got under
the radar (well done :-).
Only policy stands between it and open access. And if you have a policy,
you at least need to be able to monitor to prove your policy is
enforced. And I can't even detect OpenVPN.
The only way I can think of to detect something specifically written to
remain hidden would be by traffic analysis techniques - looking for
long-term HTTPS sessions/etc. Trouble is, 99% of sites cannot justify
(money, time, administration, personnel) changing their network usage
patterns in order to make such techniques actually practical. (i.e. if
your network allows almost any type of traffic internally [like ours -
we write network services amongst other things], then how can you define
what is "known" traffic and therefore what isn't?). We certainly run our
proxies as "allow all sites except those we don't" - compared with
firewall "block everything except that we allow". To flip the proxy
security principle would be impossible: we have 2500 employees in a
variety of roles - how do you define what sites they're allowed to go
to? Who decides? And how to manage the allowed sites list - it'd change
on a minutely basis?!?!? Gah. Maybe sites (i.e. those not in the
software dev industry) can define their Internet access totally via
whitelists - I know we can't.
Fun, fun, fun. That's why I like this work :-)
This discussion isn't leading anywhere - but I'm enjoying it. That's
why I keep CC'ing the Snort IDS list. Like myself, they are interested
in knowing about everything on their networks (we're twisted like that)
- and OpenVPN appears "unknowable".
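The long-lived HTTPS traffic-analysis idea above, as an added example that is not part of the original thread: a small flow-record heuristic over constructed NetFlow-style records (the field names are assumptions) that flags sessions to port 443 which stay up for hours and carry comparable volume in both directions, a shape plain browsing rarely has.

```python
"""Flag long-lived, bidirectional TCP/443 flows as candidate tunnels.

Added example, not from the original thread. Assumes simple
NetFlow-style flow records; the sample data below is constructed.
"""
from collections import namedtuple

Flow = namedtuple("Flow", "src dst dport duration_s bytes_out bytes_in")

# Constructed sample flows: a short web fetch, a long one-way download,
# a long chatty bidirectional session on 443 (tunnel-like), and plain HTTP.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 443, 4, 2_000, 90_000),
    Flow("10.0.0.7", "203.0.113.20", 443, 7200, 5_000, 700_000_000),
    Flow("10.0.0.9", "203.0.113.30", 443, 7200, 40_000_000, 38_000_000),
    Flow("10.0.0.9", "203.0.113.40", 80, 3, 1_000, 20_000),
]


def looks_like_tunnel(flow, min_duration_s=3600, min_bytes=10_000_000,
                      max_ratio=4.0):
    """Heuristic: sessions that stay up for hours and move a lot of data
    in BOTH directions. Browsing is short and download-heavy
    (bytes_in >> bytes_out); a VPN carries traffic both ways."""
    if flow.dport != 443 or flow.duration_s < min_duration_s:
        return False
    if flow.bytes_in + flow.bytes_out < min_bytes:
        return False
    hi = max(flow.bytes_in, flow.bytes_out)
    lo = min(flow.bytes_in, flow.bytes_out)
    # A long one-way download has a huge in/out ratio; exclude it.
    return lo > 0 and hi / lo <= max_ratio


def suspicious_flows(flows):
    """Return the flows worth an analyst's review."""
    return [f for f in flows if looks_like_tunnel(f)]


if __name__ == "__main__":
    for f in suspicious_flows(SAMPLE_FLOWS):
        print(f"review: {f.src} -> {f.dst}:{f.dport} "
              f"{f.duration_s}s out={f.bytes_out} in={f.bytes_in}")
```

The thresholds are starting points to tune against your own baseline; on a network like the one described, expect hits that need whitelisting (backup jobs, long-lived API clients) before the rule is useful.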