[Oisf-users] IDS policy in the network

Christophe Vandeplas christophe at vandeplas.com
Thu Apr 25 07:40:20 UTC 2013


Hello All,

I was wondering how you and your organisation worked with the
challenge of encrypted network traffic. (non https)

Let's say you do have an IDS in your DMZ that has rules specific to
email traffic (email addresses, for example).
Email communication between your mailrelays and your LAN often happens
over an unencrypted SMTP connection; however, it could also happen over
TLS-encrypted SMTP connections.

How do you manage this with your IDS deployment?
I do see multiple options, and I'd like to know your approach and ideas:

1/ force the DMZ devices to talk unencrypted (which is less secure)

2/ make a policy that obliges the private keys of mailservers/relays
to be given to you, so that you can configure your IDS to decrypt the
traffic

3/ rely _only_ on other detection techniques like email logs to do
your email-related detection.

Thanks for sharing your experiences.

Regards
Christophe
