Dealing with Encrypted Traffic and IPv6
The last-but-not-least important problem of traffic capture is the spread of various traffic encryption mechanisms. Use of virtual private networks (VPNs), either IPSec-based or otherwise, HTTPS Web servers, and Secure Shell (SSH) has become a common issue. From the point of view of the parties that participate in the encrypted exchange, traffic sniffing is exactly what they try to avoid by using encryption. And most of the encryption protocols in use are very good at achieving data confidentiality, so the IDS is not able to look inside the encrypted exchange.
On the other hand, consider the following situation: you have a Web server that is used for e-commerce. Web clients talk to the server over HTTPS connections, so customer data is not exposed. But when an attacker connects to your server over SSL (using an HTTPS connection), he is able to do whatever he likes without any IDS noticing it, because all information exchanged between a Web browser on the attacker's computer and the Web server (an Apache process, for example) is encrypted. The IDS therefore becomes useless in a case like this.
A similar situation arises when SSH is used for logging into hosts on the network. SSH does what it is meant to do: it protects traffic, including passwords, from sniffing, which prevents the IDS from detecting any wrongdoing. The same goes for VPNs, where all encapsulated traffic is usually encrypted between the client and a gateway or destination host.
Unfortunately, the situation cannot be helped much. There are two workarounds for this, though.
SSH Nothing can be done to capture the contents of an SSH session. You can have signatures that will be triggered by SSH-specific attacks (those that use SSH vulnerabilities, not the local interactive exploits), but you cannot see, for example, somebody running a su command in an interactive session.
Site-to-site VPN This case is a little easier to handle. All you need to do is capture traffic behind your VPN gateway, after it has been received and decrypted. Figure 9.12 illustrates this idea. If the VPN is of the host-to-host type, where encryption and decryption occur only on the connection endpoints, then we find ourselves in the same situation as with SSH, and sniffing is not possible.
Figure 9.12: Capturing Unencrypted Traffic Behind a VPN Gateway
SSL connections also cannot be sniffed directly. You can put an SSL accelerator device in front of the Web server, terminate all incoming SSL connections on this device, and let it talk to the server over plain HTTP. The traffic passing over this unencrypted segment can then be redirected to the IDS. This setup is shown in Figure 9.13.
Figure 9.13: Capturing HTTPS Traffic
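As an added example (not part of the original text), the SSL termination setup of Figure 9.13 can be built with an nginx reverse proxy standing in for the SSL accelerator; the hostname, certificate paths and the 10.0.0.10 backend address are assumptions:

```nginx
# Added example: nginx as the TLS terminator in front of the Web server.
# Assumed names: shop.example.com, /etc/nginx/certs/*, backend 10.0.0.10.
# Clients reach nginx on port 443; nginx forwards plain HTTP to the server
# on the internal segment, and that segment (not the public one) is what
# the IDS sensor watches through a SPAN port or tap.

upstream web_backend {
    # Web server on the internal, unencrypted segment (assumed address)
    server 10.0.0.10:80;
}

server {
    listen 443 ssl;
    server_name shop.example.com;

    # Certificate and key live only on the terminator (assumed paths)
    ssl_certificate     /etc/nginx/certs/shop.example.com.crt;
    ssl_certificate_key /etc/nginx/certs/shop.example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        # Forward decrypted requests as plain HTTP over the internal link
        proxy_pass http://web_backend;

        # Preserve the real client address so that IDS alerts and server
        # logs identify the external peer rather than the proxy itself
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

The IDS sees only the decrypted HTTP between nginx and 10.0.0.10, so the sensor belongs on that internal interface, which must not be reachable from outside.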
Finally, the increasing use of IP version 6 poses even more problems for IDS. In their current state, almost no IDS can look inside an IPv6 packet passing through, and only a few of them can detect basic information such as source and destination IP addresses. One hopes, though, that once the use of IPv6 becomes really widespread, its detection and monitoring will be built into the Cisco IDS solution.