IPS 4200 Encrypted traffic inspection

Unanswered Question
Mar 15th, 2007

hi,

I read an interesting statement on http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_data_sheet0900aecd801e6a45.html:

• Unique network collaboration-Enhances scalability and resiliency through network collaboration, including efficient traffic capture techniques, load-balancing capabilities, and visibility into encrypted traffic.

McAfee does SSL inspection [http://www.mcafee.com/us/local_content/white_papers/wp_encr_th_prot.pdf] by pushing a copy of the HTTPS server's private key to the sensor & decrypting incoming SSL traffic. I don't see any such procedure for the 4200 devices. Am I missing something? No Cisco SEs seem to respond.

->

anurag

mhellman Fri, 03/16/2007 - 06:14

I'm not aware of any such functionality, even with V6. I also don't think it can do "load balancing".

AnuragKhare Fri, 03/16/2007 - 07:57

Thanks for your input - I'm pretty much on the sure side that no such thing exists at the mo, but I'd like an official word from the Cisco folks.

Most likely we're talking about inspecting ESP packets' outer IP header [not the encrypted payload] - either that's it & the clarification should be posted in the docs, or a retraction is due.

And forget true load balancing; you can simply chain multiple IDSM-2 modules into a 6500/7600 but still remain with a single point of failure.

->

anurag

zubair-shaikh Tue, 03/24/2009 - 05:17

Hi Anurag

IPS doesn't support inspection of encrypted traffic; it is only for headers... Thanks

Please see below...

"Encrypted traffic cannot be inspected. Inspection must occur before encryption or after decryption. This rule applies to both IPsec and Secure Sockets Layer (SSL) VPN encryption. You can apply both Cisco IPS AIM and encryption simultaneously on one router and in one data flow in cases where branch-office devices are granted direct Internet access and do not cross a corporate WAN where IPS is applied."

http://www.cisco.com/en/US/prod/collateral/modules/ps2641/solution_overview_cisco_ips_aim.html

mhellman Tue, 03/24/2009 - 06:01

You probably missed this, but the original post is 2 years old and is a discussion about the 4200 series appliances. Inspection is possible on a device that does both IDS/IPS and is an encryption endpoint (think ASA with IPS module). This is not the case with the 4200 series IPS appliances.

zubair-shaikh Tue, 04/14/2009 - 02:24

Hi Buddy

You are correct, buddy.. it was a pretty old post..

I am fresh on the Cisco forum and just started replying to various posts... anyway, thanks for that info; I will take care of it next time :-)

It is good to see that you have collected a good number of points..

fsebera Wed, 05/12/2010 - 07:24

I have searched through the many posts on Cisco's site and Google searches as well. The Google search led me to this post! Yes, I know this post is old, but Cisco fails to date their documents, so it makes it hard to determine what is new and what is old. (thanks for the cheese ;)........

Just for clarification purposes:

Please someone correct me if I am incorrect.

It appears the Cisco IPS module can inspect SSL and IPSec traffic ONLY *****IF****** the encrypted session terminates on the Cisco ASA or a Cisco router configured for SSL/IPSec sessions. The ASA or router will decrypt the encrypted packet(s) and pass these unencrypted packets to the IPS for inspection. I would think the IPS could be an internal module on the ASA/Cisco router or an external appliance.

If the SSL/IPSec session is between a client and server, where the encrypted traffic passes through an ASA and/or router to reach one another (client/server), and the ASA or router does not play a role in the encryption session but merely acts as a traffic validation and routing point, then NO SSL or IPSec traffic can be inspected by the ASA or router. I see this as pretty simple to understand, as intermediary devices do not have the "KEY" to unlock the encryption. If the ASA or Cisco router could decrypt the session, the Internet would be completely useless; we would have to go back to point-to-point links everywhere.

In the above scenario, if the ASA/router terminated both client and server sessions

(Clients <-----encryption-----> ASA/Router--IPS---ASA/Router <----encryption--> Server)

the end-to-end session could be encrypted and inspected real-time.

Tks

Frank
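To make the "headers only" point above concrete, here is an added example (not from the original thread or from Cisco) showing what a passive, keyless sensor can actually read from a raw IPv4 packet: for ESP it gets the outer IP header, SPI and sequence number and nothing else, while a cleartext TCP packet exposes ports and payload. The packets are constructed in the script, not captured traffic, and the checksum is left at zero because they are never sent.

```python
import socket
import struct

ESP = 50  # IP protocol number for IPsec ESP
TCP = 6


def parse_outer(packet: bytes) -> dict:
    """Return what a passive inline sensor can read without any keys."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    body = packet[ihl:total_len]
    info = {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "ttl": ttl, "proto": proto}
    if proto == ESP:
        # Only SPI and sequence number are in the clear; the inner headers,
        # data, padding, next-header byte and ICV are opaque without the SA.
        spi, seq = struct.unpack("!II", body[:8])
        info.update(inspectable="headers_only", spi=spi, seq=seq,
                    opaque_bytes=len(body) - 8)
    elif proto == TCP:
        # Cleartext transport: ports and application payload are visible,
        # so signature inspection can run here (before encryption/after decryption).
        sport, dport = struct.unpack("!HH", body[:4])
        data_off = (body[12] >> 4) * 4
        info.update(inspectable="full", sport=sport, dport=dport,
                    payload=body[data_off:])
    else:
        info.update(inspectable="unknown", opaque_bytes=len(body))
    return info


def build_ipv4(proto: int, src: str, dst: str, body: bytes) -> bytes:
    """Constructed sample packet (checksum 0, never put on the wire)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0x1234, 0x4000,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + body


# Constructed samples: an ESP packet (SPI 0xC0FFEE, seq 42, 48 opaque bytes)
# and a cleartext HTTP request on port 80.
ESP_SAMPLE = build_ipv4(ESP, "10.0.0.1", "10.0.0.2",
                        struct.pack("!II", 0xC0FFEE, 42) + bytes(range(48)))
TCP_SAMPLE = build_ipv4(TCP, "10.0.0.1", "10.0.0.2",
                        struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x18, 8192, 0, 0)
                        + b"GET /index.html HTTP/1.1\r\n")
```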
