[Oisf-users] IDS policy in the network

[Christophe Vandeplas]

Hello All,

I was wondering how you and your organisation worked with the
challenge of encrypted network traffic. (non https)

Let's say you do have an IDS in your DMZ that has rules specific to
email traffic. (email addresses for example).
Email communication between your mailrelays and your LAN happens often
over an unencrypted smtp connection, however it could also happen over
TLS encrypted smtp connections.

How do you manage this with your IDS deployment?
I do see multiple options, and I'd like to know your approach and ideas:

1/ force the DMZ devices to talk unencryptedly (which is less secure)

2/ make a policy that obliges the private keys of mailservers/relays
to be given to you, so that you can configure your IDS to decrypt the
traffic

3/ rely _only_ on other detection techniques like email logs to do
your email-related detection.

Thanks for sharing your experiences.

Regards
Christophe