
SANS Internet Storm Center (ISC) diary

In a world of encrypted traffic, where is the NIDS ?

Last Sunday, I read a fascinating paper by Charles Wright on how to deduce the language spoken in a phone conversation of which only the encrypted VoIP (Voice-over-IP) traffic can be observed.  The paper presents a couple of funny conclusions, like the result that "Hungarian has false positives on speakers of Arabic, Czech, Spanish, Swahili, Tamil, and Vietnamese" - languages which do not even share a common root but apparently "look similar" in an encrypted stream.  But what really made me think is whether this form of analysis is all that will be left for a NIDS (network IDS) to do once everything on the network is wrapped in SSL or encrypted otherwise.  It sounds as if we'll soon be back to reading the application and security logs on the various servers themselves, because that's where the "observable" portion of an attack is.  Of course "reading logs" nowadays is called "host based intrusion detection with event correlation", but basically it still is: checking the logs.  Another area of the security profession that just seems destined to circle back to its early years...


ISC Handler, Mar 18th 2008
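As an added example (not code from the diary, nor from Wright and co-authors), the following Python script shows the kind of traffic analysis the paper relies on: a variable-bit-rate voice codec emits frames of different sizes depending on the sound, a length-preserving cipher such as SRTP keeps those sizes, and so a passive observer who never sees a byte of plaintext can still build a packet-length profile and match it against known ones. Everything here is constructed for illustration: the frame sizes, the fixed per-packet overhead, and the two "language" Markov models are assumptions, and the chi-square distance over length bigrams is a simplification of the paper's actual classifier, kept only to show the principle that encryption hides content but not size and timing.

```python
import random
from collections import Counter

# Constructed payload sizes for a variable-bit-rate voice codec. The values
# are assumed for illustration; a real codec emits its own size set.
FRAME_SIZES = [20, 28, 38, 50]

# Constructed "language" models: each is a Markov chain over FRAME_SIZES.
# Row i holds the probability of moving from FRAME_SIZES[i] to each size.
# Neither row set is taken from the paper; they only need to differ.
LANGUAGE_MODELS = {
    "lang_a": [[0.6, 0.3, 0.1, 0.0],
               [0.3, 0.5, 0.2, 0.0],
               [0.1, 0.3, 0.5, 0.1],
               [0.0, 0.1, 0.4, 0.5]],
    "lang_b": [[0.2, 0.1, 0.2, 0.5],
               [0.1, 0.2, 0.2, 0.5],
               [0.1, 0.1, 0.3, 0.5],
               [0.3, 0.1, 0.1, 0.5]],
}

SRTP_OVERHEAD = 22  # assumed fixed per-packet header plus auth tag length


def synth_call(language, n_packets, seed):
    """Emit constructed 'encrypted' packets for one call.

    Each packet is the codec frame length plus a fixed overhead, filled with
    random bytes standing in for ciphertext: a length-preserving cipher leaks
    exactly this size sequence to anyone watching the wire.
    """
    rng = random.Random(seed)
    model = LANGUAGE_MODELS[language]
    state = 0
    packets = []
    for _ in range(n_packets):
        size = FRAME_SIZES[state] + SRTP_OVERHEAD
        packets.append(bytes(rng.getrandbits(8) for _ in range(size)))
        state = rng.choices(range(len(FRAME_SIZES)), weights=model[state])[0]
    return packets


def observe_lengths(packets):
    """What a passive observer sees: packet sizes only, never plaintext."""
    return [len(p) for p in packets]


def length_profile(lengths, n=2):
    """Normalised n-gram distribution over consecutive packet lengths."""
    grams = Counter(tuple(lengths[i:i + n]) for i in range(len(lengths) - n + 1))
    total = sum(grams.values())
    return {g: c / total for g, c in grams.items()}


def chi_square_distance(p, q):
    """Symmetric chi-square distance between two sparse distributions."""
    dist = 0.0
    for key in set(p) | set(q):
        a, b = p.get(key, 0.0), q.get(key, 0.0)
        if a + b > 0.0:
            dist += (a - b) ** 2 / (a + b)
    return dist


def train_profiles(n_packets=4000, n=2):
    """Build one reference profile per language from constructed training calls."""
    profiles = {}
    for idx, language in enumerate(sorted(LANGUAGE_MODELS)):
        lengths = observe_lengths(synth_call(language, n_packets, seed=100 + idx))
        profiles[language] = length_profile(lengths, n)
    return profiles


def classify(packets, profiles, n=2):
    """Return (best_language, distances) for an unseen encrypted call."""
    observed = length_profile(observe_lengths(packets), n)
    distances = {lang: chi_square_distance(observed, prof)
                 for lang, prof in profiles.items()}
    return min(distances, key=distances.get), distances


if __name__ == "__main__":
    profiles = train_profiles()
    for language, seed in (("lang_a", 7), ("lang_b", 8)):
        guess, distances = classify(synth_call(language, 1500, seed), profiles)
        print(f"true={language} guessed={guess} distances={distances}")
```

The classifier touches only `len(packet)`, which is the point: the defence against this class of inference is not a stronger cipher but padding or constant-bit-rate encoding that removes the size signal, and the same reasoning applies to a NIDS looking at TLS, which still sees record sizes, timing, and handshake metadata even when it can see nothing else.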
