0

I was wondering how "IPS" systems process and react to AES-encrypted data compared to DES-encrypted data.

1 Answer

2

I assume that by IPS, you mean "Intrusion Prevention System", that is, a system that monitors traffic and looks for 'suspicious traffic', that is, traffic that would appear to be an attack.

Well, such an IPS system would react to AES encrypted data just like it does to any other encrypted data (including DES), usually one of the following:

  • Try to man-in-the-middle it; that is, try to negotiate with both sides, and so be able to inspect the encrypted traffic. This can be expensive (especially if the keys on both sides have to be different, which means that all traffic has to be decrypted and then reencrypted), and requires cooperation with at least one of the two sides - however, this certainly is done. It does assume that the IPS system knows the protocol the two sides use (usually TLS).

  • Inspect the unencrypted metadata that precedes the encrypted traffic, and make a determination based on that. This option is less viable in TLS 1.3 (there's not that much usable unencrypted traffic, but there is some); it can be an option in earlier versions of TLS.

  • Let the traffic through unencrypted.

  • Block all encrypted data; that's rude, but that may be an option if you have to be safe.

One option that is never considered (even for DES) is doing a brute-force search for the encryption keys; even for DES, that is far too much work to perform for every traffic stream...

poncho
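The second option in the answer, deciding from the unencrypted metadata that precedes the encrypted traffic, can be illustrated with a TLS ClientHello. This is an added example, not part of the original answer: the function names, the hostname `example.test` and the blocklist are assumptions, and the hello bytes are constructed inline. The decision comes out the same whether the client offers AES or DES suites, because only cleartext fields are read.

```python
import struct

# Cipher suite ids from the IANA TLS registry (small subset for the demo).
SUITES = {0x1301: "TLS_AES_128_GCM_SHA256",
          0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
          0x0009: "TLS_RSA_WITH_DES_CBC_SHA"}

def build_client_hello(host, suites):
    """Construct a minimal sample ClientHello record (constructed test input)."""
    name = host.encode()
    names = b"\x00" + struct.pack("!H", len(name)) + name
    sni = struct.pack("!H", len(names)) + names
    ext = struct.pack("!HH", 0, len(sni)) + sni
    ids = b"".join(struct.pack("!H", s) for s in suites)
    body = (b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", len(ids)) + ids
            + b"\x01\x00" + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def inspect_client_hello(record):
    """Return (sni, offered suite names) read from the cleartext, else None."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        return None                      # not a handshake record with a ClientHello
    try:
        p = 5 + 4 + 2 + 32               # record hdr, handshake hdr, version, random
        p += 1 + record[p]               # skip session id
        n = struct.unpack_from("!H", record, p)[0]
        suites = [struct.unpack_from("!H", record, p + 2 + i)[0] for i in range(0, n, 2)]
        p += 2 + n
        p += 1 + record[p]               # skip compression methods
        end = p + 2 + struct.unpack_from("!H", record, p)[0]
        p += 2
        sni = None
        while p + 4 <= end:
            etype, elen = struct.unpack_from("!HH", record, p)
            if etype == 0:               # server_name: list len, type, name len, name
                nlen = struct.unpack_from("!H", record, p + 7)[0]
                sni = record[p + 9:p + 9 + nlen].decode("ascii", "replace")
            p += 4 + elen
    except (IndexError, struct.error):
        return None                      # truncated or malformed hello
    return sni, [SUITES.get(s, hex(s)) for s in suites]

def verdict(record, blocked_hosts):
    """Policy decision made without decrypting anything (hypothetical policy)."""
    seen = inspect_client_hello(record)
    if seen is None:
        return "unparsed"
    return "block" if seen[0] in blocked_hosts else "allow"
```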