There was a good article recently on PaulDotCom related to bypassing an IDS using SSL. This is a common problem with any IPS/IDS.

Let's first understand how an Intrusion Detection System can inspect SSL traffic. There are two primary ways vendors have implemented SSL decryption.

The first way is through the use of a dedicated appliance, such as a Netronome device. In this scenario, the traffic is redirected to the offload appliance and decrypted. The decrypted traffic is then sent to the IPS/IDS for inspection.

The second method is to decrypt the traffic on the intrusion prevention appliance itself.

Both of these scenarios have their benefits and drawbacks, but they both require access to the private key of the certificate for the site being accessed. The certificate, with its private key, is loaded on the device and the traffic can then be decrypted. This presents a problem when you do not have access to the private key, which is why the example from PaulDotCom works so well. This is also why attackers will encrypt their outbound traffic and easily evade IPS/IDS devices.

To counter this threat, companies can use other solutions, such as redirecting all SSL traffic to a web gateway where a certificate is installed on the system to allow decryption of outbound traffic. Think of a “man-in-the-middle” attack, but performed by your company.
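The following is an added example, not code from the original post: a small coverage audit that labels each TLS session by which of the mechanisms above, if any, gives the IDS plaintext, and then lists the internal clients with uninspected outbound sessions. The session record fields, host names, key inventory and gateway CA name are all constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed values for this example (assumptions, not from the post):
# server names whose private keys are loaded on the IDS/offload appliance,
# and the issuer name of the web gateway's re-signing CA.
LOADED_KEYS = {"shop.example.com", "mail.example.com"}
GATEWAY_CA = "CN=Example Corp Web Gateway CA"

@dataclass(frozen=True)
class TlsSession:
    client: str        # client IP
    server_name: str   # name of the site being accessed
    direction: str     # "inbound" (to our own servers) or "outbound"
    cert_issuer: str   # issuer of the certificate the client was shown

def visibility(s: TlsSession) -> str:
    """Return how (or whether) the session's plaintext reaches the IDS."""
    if s.direction == "inbound":
        # Key-based decryption only works for sites whose private key we hold.
        return "private-key" if s.server_name in LOADED_KEYS else "blind"
    # Outbound: we never hold the remote site's key, so the only visibility
    # is a gateway that terminates SSL and re-signs with its own CA.
    return "gateway" if s.cert_issuer == GATEWAY_CA else "blind"

def blind_outbound_by_client(sessions):
    """Count uninspected outbound sessions per internal client, busiest first."""
    counts = Counter(s.client for s in sessions
                     if s.direction == "outbound" and visibility(s) == "blind")
    return counts.most_common()

# Constructed sample sessions.
SAMPLE = [
    TlsSession("203.0.113.7", "shop.example.com", "inbound", "CN=Public CA"),
    TlsSession("203.0.113.9", "dev.example.com", "inbound", "CN=Public CA"),
    TlsSession("10.0.0.21", "news.example.org", "outbound", GATEWAY_CA),
    TlsSession("10.0.0.35", "files.example.net", "outbound", "CN=Public CA"),
    TlsSession("10.0.0.35", "files.example.net", "outbound", "CN=Public CA"),
    TlsSession("10.0.0.48", "update.example.net", "outbound", "CN=Unknown CA"),
]

if __name__ == "__main__":
    for s in SAMPLE:
        print(f"{s.direction:8} {s.client:12} {s.server_name:20} {visibility(s)}")
    print("uninspected outbound:", blind_outbound_by_client(SAMPLE))
```

Outbound sessions that come back as "blind" reached the remote site without passing through the gateway, which is exactly the traffic the IDS cannot inspect.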

We will release some videos in the future showing how to do this.