Symantec Network Security does not detect encrypted or compressed attacks

Article: TECH112566 | Created: 2004-01-21 | Updated: 2005-01-05 | Article URL http://www.symantec.com/docs/TECH112566
Article Type: Technical Solution

Issue

This document explains why Symantec Network Security 7100 Series and Symantec Network Security 4.0 do not detect attacks when those attacks are compressed or are encrypted with protocols like IPSEC, SSL, or SSH.

Solution

Security products that inspect network traffic and packet payload data do not analyze encrypted or compressed traffic. To detect attacks in encrypted or compressed traffic, security products must have the ability to access the data in a non-encrypted and non-compressed form. This function requires access to the encryption key or to the compression algorithm.

Risk mitigation
To mitigate risks from encrypted and compressed traffic, deploy a host based intrusion detection system (HIDS) on the network. A HIDS product operates at the level of the client computers and server computers, rather than at the level of the network. In many cases, a HIDS product can detect attacks after the packet payload has been decrypted or decompressed and before an application processes the payload.

For SSL Web servers, some intrusion detection products are designed specifically to perform this function on the Web server itself.

In addition, protect all computers on the network by installing a real-time antivirus product and keeping it maintained with the latest definitions.

Technical Information

Analysis of encrypted traffic

Most encryption happens at the transport layer and above, such as at the IPsec, SSH, and SSL layers. In this situation, the packet payload (data) is encrypted and is not accessible. Though the security product may be able to confirm whether the connection follows the protocol, the security product cannot examine the data.

Network intrusion detection products can detect and analyze other types of attacks on an SSL or an SSH server. For instance, they may detect and analyze attacks that involve a specific exchange of packets, specific packet flags, known detectable exploits, and similar threats.

Access to encrypted data
Security products generally do not have access to encryption keys. Providing that access could require placing the private key of every server on your network onto the same computer that runs the security product. Concentrating all the keys in one location makes that computer an inviting target for attackers.

Other methods of accessing encrypted data require the keys to be distributed to other locations. After the keys are distributed, traffic must be passed to those locations for decryption and detection and then forwarded on. These methods may consume a lot of bandwidth and may slow network performance.

Access to compressed data
Some security products, such as some antivirus programs, uncompress the data, reassemble it, inspect it, and then forward it. These products operate at the upper layers of the OSI model.

Network intrusion detection products tend to operate at the lower layers of the OSI model, below the layer at which decompression takes place, so they rely on other products for this function.
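As an added illustration (not code from the Symantec article or from the product), the following Python models the point made in the Risk mitigation and Technical Information sections: a network sensor that can only pattern-match the bytes on the wire misses a constructed marker once the payload is compressed or encrypted, while a host-side check that runs after decryption and decompression still sees it. The signature, the HTTP request, the session key and the toy XOR stream cipher standing in for IPsec/SSL/SSH are all constructed assumptions for the demonstration.

```python
import hashlib
import zlib
from typing import Optional

# Constructed byte pattern standing in for a NIDS attack signature.
SIGNATURE = b"CONSTRUCTED-ATTACK-MARKER"


def network_inspect(wire_bytes: bytes) -> bool:
    """Emulates a network sensor: it can only pattern-match the bytes on the wire."""
    return SIGNATURE in wire_bytes


def stream_cipher(key: bytes, data: bytes) -> bytes:
    """Toy XOR stream cipher with a SHA-256 counter keystream. It stands in for
    IPsec/SSL/SSH only in that it hides the payload on the wire; it is not a
    real protocol. XOR is symmetric, so the same call also decrypts."""
    out = bytearray()
    for block_no, offset in enumerate(range(0, len(data), 32)):
        keystream = hashlib.sha256(key + block_no.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], keystream))
    return bytes(out)


def host_inspect(wire_bytes: bytes, key: Optional[bytes], compressed: bool) -> bool:
    """Emulates a HIDS hook on the endpoint: it sees the payload after the host
    has decrypted and decompressed it, just before the application consumes it."""
    data = wire_bytes
    if key is not None:
        data = stream_cipher(key, data)  # undo the transport encryption
    if compressed:
        data = zlib.decompress(data)     # undo the compression
    return SIGNATURE in data


def scenario(compress: bool, encrypt: bool) -> dict:
    """Builds one constructed request carrying the marker, applies the requested
    transforms as a client would, and reports whether each sensor detects it."""
    key = b"constructed-session-key" if encrypt else None
    wire_bytes = (b"GET /index.html?q=" + SIGNATURE + b" HTTP/1.0\r\n"
                  b"Host: example\r\nUser-Agent: constructed-client/1.0\r\n\r\n")
    if compress:
        wire_bytes = zlib.compress(wire_bytes)       # compression first ...
    if encrypt:
        wire_bytes = stream_cipher(key, wire_bytes)  # ... then encryption, as on a real link
    return {"network": network_inspect(wire_bytes),
            "host": host_inspect(wire_bytes, key, compress)}
```

Running `scenario(compress, encrypt)` for the four combinations shows the network check succeeding only on plain traffic while the host check succeeds in every case.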

Types of security products
Security products include intrusion detection products, firewall products, antivirus products, and content filtering products.

Symantec Network Security 7100 Series and Symantec Network Security 4.0 are network intrusion detection products. Intrusion detection products operate either at the computer level (host based) or at the network level. Each type provides some protections that are unavailable with the other type. A good security system deploys both host based and network based intrusion detection products.

Legacy ID: 2004092109181853