Thursday, December 3, 2009

Sniffing SSL Traffic with your IDS

As far as evading IDS/IPS/network forensic analysis goes, the techniques outlined in the 1998 Ptacek and Newsham paper aren't exactly dead, but Snort addresses them in its Frag3 and Stream5 preprocessors. These days, however, the easiest way to evade any network-based IDS or IPS is to fire up an SSL tunnel and enjoy the wonderful shield of data encryption. That is, unless your security team is packing some serious gear that can handle the decryption on the fly at line speed. At a Snort Conference I checked out the Netronome SSL Inspector™ Transparent SSL Proxy, and wow, does it do the job.

You have two options with the Transparent SSL Proxy:

  1. Run off of a tap – copy your servers' certificates and private keys over to the Transparent Proxy so that it can decrypt your SSL traffic. *NOTE* You will only be able to decrypt traffic for servers whose private keys you hold, and only for sessions negotiated with RSA key exchange; with an ephemeral Diffie-Hellman (DHE/ECDHE) key exchange the server key never encrypts the session secret, so a passive tap cannot recover it no matter which keys you load.
  2. Run in-line – The Transparent Proxy terminates the SSL session and re-signs with its own certificate. Distribute that certificate to all of your corporate machines as a trusted CA and the proxy remains transparent to the user community. Any smart policy violators who are using SSL to bypass your IDS will probably notice that they have been man-in-the-middled, but by that point you already have all of the relevant data. Additionally, in-line mode lets you analyze SSL-encrypted traffic from bots on your network, and any other malicious traffic, with your existing security devices, since you hold no keys for those far ends that you could copy to a tap.
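To make the difference between the two modes concrete, here is an added example (not Netronome's code and not part of the original post): a stdlib-only Python script that parses a ClientHello and ServerHello as a tap would see them and reports whether a tap-based decryptor holding your servers' private keys could recover the session, or whether only the in-line proxy would ever see plaintext. The handshake records, the hostnames intranet.example and mail.example, and the set of loaded keys are constructed for the demonstration; the cipher suite IDs are the real registry values.

```python
"""Decide from a captured TLS handshake whether a tap holding server private
keys can decrypt the session, or whether only an in-line proxy would see it.
Added illustration; handshake bytes below are constructed, not captured."""
import struct

# IANA cipher suite IDs with their key-exchange method. Only RSA key exchange
# sends the premaster secret encrypted to the server key, which is the one
# thing a tap-based decryptor can use.
CIPHER_SUITES = {
    0x000A: ("TLS_RSA_WITH_3DES_EDE_CBC_SHA", "RSA"),
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", "RSA"),
    0x0035: ("TLS_RSA_WITH_AES_256_CBC_SHA", "RSA"),
    0x0033: ("TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "DHE"),
    0x0039: ("TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "DHE"),
    0xC013: ("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "ECDHE"),
    0xC014: ("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "ECDHE"),
}
HANDSHAKE, CLIENT_HELLO, SERVER_HELLO, EXT_SERVER_NAME = 0x16, 0x01, 0x02, 0x00


def _handshake_body(record):
    """Strip the 5-byte record header and 4-byte handshake header."""
    ctype, _version, rlen = struct.unpack("!BHH", record[:5])
    if ctype != HANDSHAKE or len(record) < 5 + rlen:
        raise ValueError("not a complete TLS handshake record")
    hs = record[5:5 + rlen]
    return hs[0], hs[4:4 + int.from_bytes(hs[1:4], "big")]


def parse_client_hello(record):
    """Return the offered cipher suites and the SNI hostname (or None)."""
    htype, b = _handshake_body(record)
    if htype != CLIENT_HELLO:
        raise ValueError("expected ClientHello")
    pos = 2 + 32                                   # version + client random
    pos += 1 + b[pos]                              # session id
    cs_len = struct.unpack("!H", b[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", b[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + b[pos]                              # compression methods
    sni = None
    if pos + 2 <= len(b):                          # extensions are optional
        ext_len = struct.unpack("!H", b[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", b[pos:pos + 4])
            pos += 4
            if etype == EXT_SERVER_NAME:
                # list length(2) | name type(1) | name length(2) | host name
                name_len = struct.unpack("!H", b[pos + 3:pos + 5])[0]
                sni = b[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += elen
    return {"sni": sni, "suites": suites}


def parse_server_hello(record):
    """Return the cipher suite the server selected."""
    htype, b = _handshake_body(record)
    if htype != SERVER_HELLO:
        raise ValueError("expected ServerHello")
    pos = 2 + 32 + 1 + b[34]                       # version, random, session id
    return struct.unpack("!H", b[pos:pos + 2])[0]


def can_decrypt_on_tap(client_hello, server_hello, keys_loaded):
    """keys_loaded: hostnames whose private keys were copied to the tap box."""
    ch = parse_client_hello(client_hello)
    suite = parse_server_hello(server_hello)
    name, kx = CIPHER_SUITES.get(suite, (f"unknown 0x{suite:04X}", "unknown"))
    if kx != "RSA":
        return False, f"{name}: {kx} key exchange, server key never sees the session secret; needs in-line proxy"
    if ch["sni"] not in keys_loaded:
        return False, f"{name}: no private key loaded for {ch['sni']}"
    return True, f"{name}: decryptable with the key for {ch['sni']}"


# Constructed handshake records for the demonstration (not real captures).
def _wrap(htype, body):
    hs = bytes([htype]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, 0x0301, len(hs)) + hs


def build_client_hello(sni, suites):
    host = sni.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(host)) + host
    ext = struct.pack("!HH", EXT_SERVER_NAME, len(entry) + 2) + struct.pack("!H", len(entry)) + entry
    body = (b"\x03\x01" + b"\x11" * 32 + b"\x00"
            + struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
            + b"\x01\x00"
            + struct.pack("!H", len(ext)) + ext)
    return _wrap(CLIENT_HELLO, body)


def build_server_hello(suite):
    body = b"\x03\x01" + b"\x22" * 32 + b"\x00" + struct.pack("!H", suite) + b"\x00"
    return _wrap(SERVER_HELLO, body)


if __name__ == "__main__":
    keys = {"intranet.example"}
    ch = build_client_hello("intranet.example", [0xC013, 0x002F])
    for chosen in (0x002F, 0xC013):
        print(can_decrypt_on_tap(ch, build_server_hello(chosen), keys))
    print(can_decrypt_on_tap(build_client_hello("mail.example", [0x002F]), build_server_hello(0x002F), keys))
```

The same client offering the same suites ends up decryptable or not depending purely on which suite the server picks, which is why a tap deployment is only as good as your servers' cipher configuration, while the in-line proxy owns both legs of the session and is indifferent to it.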

Excellent, I have been looking for this for a long time, but how well does it perform, I asked? The accelerator card has four 1 Gbps Ethernet interfaces it can sniff on, and it can handle a sustained 1 Gbps of SSL traffic with a latency of under 40 ns. Pretty impressive. Sign me up!

On a side note, when I asked what else their accelerator cards can do, they said that thanks to direct user-space memory access and six cores on the NIC, they have been able to hit 10 Gbps of throughput. Nice.
