What is SSL Interception?

Overview and Pitfalls: What Is SSL Interception?

Data encryption between two computers or devices is vital. What is SSL Interception? How does it work in data security?

What Is SSL Interception?

Broadly speaking, SSL is about encryption and decryption. Encrypting and decrypting data is much like a puzzle. The encryption algorithm will take some input data and output the encrypted results. Decryption will take the result of encryption and produce the original input data.

The puzzle is to have a key that can be used to encrypt and decrypt the data. The matching key must be used in both encryption and decryption processes. If the key matches, then the encrypted results can be decrypted back to the original input data.

There are two parties in an SSL transaction:

1) The client sends its plaintext, then uses the server’s public key to encrypt the plaintext into ciphertext.

2) The client uses its private key on the ciphertext to get back to plaintext.

You can find many tools that are designed for data capture, such as tshark from Wireshark.

Intrusion Detection Systems

An intrusion detection system (IDS) is a computer network security monitoring system. It inspects all traffic on a network segment to detect malicious activity. It is commonly used for perimeter defense, but it can also be used to monitor important servers such as domain controllers.

Intrusion detection systems are different from intrusion prevention systems, which are designed to stop an attack in progress, and from active response systems, which react to an attack.

Intrusion detection systems are complementary to honeypot systems. Honeypots are intended to lure attackers and then study their techniques. They are not usually applied in real time on high-volume traffic.

The IDS monitors all traffic on a network segment looking for a set of predefined attacks based on protocols, ports, or other criteria. An IDS may report anomalies detected in the traffic but it cannot interpret them by itself. It is up to a human analyst to decide whether an event is an attack or normal traffic.

The analyst must be able to understand the IDS alerts and decide whether they indicate an actual attack or just normal network activity. Anomaly detection systems are often built upon a statistical model trained on past network behavior.

Specific Packet Sequences

Several signature schemes can be used to detect known attacks. These schemes only detect an attack, which is different from preventing it. A true IDS will not block an attack, because that is not its purpose.

Known attacks can be detected by looking for specific packet sequences that are known to be part of an attack, or by looking for a specific vulnerability in the targeted system. To detect unknown attacks, a statistical model of normal network activity is used.

This statistical model is trained on past traffic behavior. It is periodically retrained as new data arrives, and the detection engine compares the new data to the model. When something happens that is significantly different from past traffic patterns, an alert is generated.

The alert may indicate that a new type of attack has been discovered, that a signature has been added to the detection engine, or that there is a network performance issue. A human analyst needs to look into it.
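The train, retrain and compare loop described above, as an added example that is not part of the original article: a sliding-window baseline that alerts when a measurement deviates strongly from past traffic. The class name, window size, z-score threshold, deviation floor and the sample counts are assumptions chosen for illustration.

```python
import statistics
from collections import deque


class BaselineDetector:
    """Alert when a traffic measurement deviates strongly from the learned baseline."""

    def __init__(self, window=30, threshold=3.0, min_samples=5):
        self.history = deque(maxlen=window)  # sliding window = periodic retraining
        self.threshold = threshold           # alert when |z-score| exceeds this
        self.min_samples = min_samples       # stay silent until a baseline exists

    def observe(self, value):
        """Score one measurement; return (alert, z_score)."""
        if len(self.history) < self.min_samples:
            self.history.append(value)       # training phase, no verdict yet
            return False, 0.0
        mean = statistics.fmean(self.history)
        # Assumed floor of 1.0 so perfectly flat traffic cannot divide by zero.
        stdev = max(statistics.pstdev(self.history), 1.0)
        z = (value - mean) / stdev
        alert = abs(z) > self.threshold
        if not alert:
            # Retrain only on traffic judged normal, so a burst does not
            # become part of the baseline and hide the next one.
            self.history.append(value)
        return alert, z


def find_anomalies(samples, **kwargs):
    """Return the indexes of the samples that raised an alert."""
    detector = BaselineDetector(**kwargs)
    return [i for i, v in enumerate(samples) if detector.observe(v)[0]]


# Constructed sample: new connections per minute on one network segment.
CONNECTIONS_PER_MINUTE = [102, 98, 105, 99, 101, 97, 103, 100, 480, 104, 96, 2, 101]

if __name__ == "__main__":
    for idx in find_anomalies(CONNECTIONS_PER_MINUTE):
        print(f"minute {idx}: {CONNECTIONS_PER_MINUTE[idx]} connections needs analyst review")
```

Both the spike and the sudden drop are flagged; the detector only reports the deviation, and deciding whether it is an attack or a performance issue remains the analyst's job.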
