GRE Tunnels and intrusion detection/prevention

liven · April 2008

By default GRE is not encrypted correct?

Even so it is encapsulated correct?

So how does this effect Gre tunnels passing through an IDS/IPS sensor?

liven · May 2008

anyone anyone?

Sie · May 2008

liven wrote:

By default GRE is not encrypted correct?

Correct

liven wrote:

Even so it is encapsulated correct?

Correct

liven wrote:

So how does this effect GRE tunnels passing through an IDS/IPS sensor?

I believe it really depends on the IDS/IPS ability to decode the GRE packet to access the encapsulated data.

darkuser · May 2008

that shouldnt be a problem

ssl / ipsec is though ....

liven · May 2008

THANKS FELLAS!!!

I don't have time to lab this up and try it for my self.

But some folks where I work are arguing about it big time....

Just wanted to see if anyone has done it and can attest that it will work.

Ahriakin · May 2008

Sie wrote:

I believe it really depends on the IDS/IPS ability to decode the GRE packet to access the encapsulated data.

Yup, encrypted or not the data still needs to be either deep-analysed in place by something that understand GRE encapsulation or completely decapsulated as it entersm processed and then re-encapsulated as it leaves. I haven't checked other vendors but Sourcefire claim they can handle it http://investor.sourcefire.com/phoenix.zhtml?c=204582&p=irol-newsArticle&ID=1132604&highlight= about midway down.

GRE Tunnels and intrusion detection/prevention

Comments