OK, you guys are now in Smoking Crack Land. ;)

You could include the NIDS in the loop just by making it an IPSec gateway and having each end negotiate separate IPSec tunnels with the NIDS and look at the traffic as it got routed between tunnel interfaces. Snort and S/Wan should do fine. That would be crazy, though, because the correct way to do it is just to put the NIDS somewhere before the encryption boundary.

You could also use a separately negotiated SSH (or something) link between the IPSec gateway and the NIDS to feed the NIDS all the IPSec session keys once they were negotiated. Sort of like real-time escrow. That would be INSANE, though, because it puts hooks into the protocol that really _really_ shouldn't be there.

You can't just MitM an IPSec connection with dsniff and arpspoof, if that's what you're thinking.

Cheers,

--
Ben Nagy
Network Security Specialist
Marconi Services Australia Pty Ltd
Mb: +61 414 411 520
PGP Key ID: 0x1A86E304

> -----Original Message-----
> From: Michael Jinks [mailto:mjinks@saecos.com]
> Sent: Thursday, June 07, 2001 7:33 AM
> To: Jose Nazario
> Cc: firewalls@lists.gnac.net
> Subject: Re: Encryption vs. inspection.
>
>
> Jose Nazario wrote:
> >
> > alternatively, and i haven't seen this done, include the NIDS in the
> > crypto negotiation via some secure key passing mechanism
>
> might dsniff or one of its components fit well here?
>
> -
> [To unsubscribe, send mail to majordomo@lists.gnac.net with
> "unsubscribe firewalls" in the body of the message.]
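The first arrangement Ben describes (the NIDS as an IPSec gateway in the middle, with each end holding a tunnel to the NIDS rather than to each other) is easy to model. The following is an added example written for this page, not code from the thread, from Snort or from FreeS/WAN. It stands in a toy encrypt-then-MAC cipher (SHA-256 counter-mode keystream plus HMAC) for ESP, two random keys for what IKE would negotiate, and a constructed Snort-style "content" signature (`EVIL_TEST_PAYLOAD`) for the ruleset; the function and key names are all assumptions. What it shows is the property the post turns on: inspection needs plaintext, and the gateway has it only because it is a tunnel endpoint on both sides, so host B never learns host A's key and a packet lifted straight off tunnel A is opaque to it.

```python
import hashlib
import hmac
import os
import struct

NONCE_LEN = 12
TAG_LEN = 32


def _subkeys(key: bytes):
    """Derive independent encryption and MAC keys from one tunnel key."""
    return (hashlib.sha256(b"enc" + key).digest(),
            hashlib.sha256(b"mac" + key).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 counter-mode keystream: a constructed stand-in for the ESP cipher."""
    blocks = bytearray()
    counter = 0
    while len(blocks) < length:
        blocks += hashlib.sha256(enc_key + nonce + struct.pack(">Q", counter)).digest()
        counter += 1
    return bytes(blocks[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC one packet as nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, packet: bytes) -> bytes:
    """Verify the tag, then decrypt. Raises ValueError on a wrong key or tampering."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = packet[:NONCE_LEN], packet[NONCE_LEN:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


# Constructed signature set, in the spirit of a Snort "content:" match.
SIGNATURES = {
    "constructed-test-rule": b"EVIL_TEST_PAYLOAD",
}


def inspect(plaintext: bytes):
    """Return the name of the first matching signature, or None."""
    for name, pattern in SIGNATURES.items():
        if pattern in plaintext:
            return name
    return None


def gateway_forward(packet_in: bytes, key_in: bytes, key_out: bytes, alerts: list):
    """The NIDS-as-gateway hop: decrypt off tunnel A, inspect, re-encrypt onto tunnel B.

    Returns the packet for tunnel B, or None if the packet was dropped."""
    plaintext = unseal(key_in, packet_in)
    hit = inspect(plaintext)
    if hit is not None:
        alerts.append(hit)
        return None
    return seal(key_out, plaintext)


def run_demo():
    """Push a benign and a signature-matching packet through A -> gateway -> B."""
    key_a = os.urandom(32)   # constructed: what IKE would negotiate between host A and the gateway
    key_b = os.urandom(32)   # constructed: what IKE would negotiate between the gateway and host B
    alerts = []

    benign = seal(key_a, b"GET /index.html HTTP/1.0\r\n\r\n")
    delivered = gateway_forward(benign, key_a, key_b, alerts)
    seen_by_b = unseal(key_b, delivered)

    hostile = seal(key_a, b"POST /upload EVIL_TEST_PAYLOAD")
    dropped = gateway_forward(hostile, key_a, key_b, alerts) is None

    # Host B holds only key_b, so a packet taken straight from tunnel A is opaque to it.
    try:
        unseal(key_b, benign)
        b_can_read_tunnel_a = True
    except ValueError:
        b_can_read_tunnel_a = False

    return {
        "seen_by_b": seen_by_b,
        "dropped": dropped,
        "alerts": alerts,
        "b_can_read_tunnel_a": b_can_read_tunnel_a,
    }


if __name__ == "__main__":
    print(run_demo())
```

The same plaintext visibility is exactly what the post's second option (shipping IKE session keys to the NIDS over a side channel) would buy, without the re-encryption hop; the point the post makes is that both are detours around simply placing the sensor on the cleartext side of the gateway.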