Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3322
Views
4
Helpful
1
Replies

ASA capable of SSL offloading?

bsisco
Level 1
Level 1

‎12-12-2007 09:51 AM - edited ‎03-12-2019 05:49 PM

It was suggested to me that the ASA (5510 v.7.2(2)) was capable of offloading SSL encryption (like a proxy might do).

The intention is to take port 443 SSL traffic and decrypt using a certificate on the ASA then pass the unencrypted port 80 traffic back to the webserver.

Thanks!

Labels:
0 Helpful
1 Reply 1

richf
Level 1
Level 1

‎12-12-2007 10:52 AM

I have not heard of the ASA doing that type of SSL offloading. I think that the person was thinking about SSL VPN where the traffic past the ASA would be unencrypted. My recommendation for SSL offloading for web servers would be a CSS. the 11501 is cheap, robust, and offers SSL offloading. You can also configure it to use a weaker cipher strength on the backend so it is still encrypted but only at 40 or 56 bit.

For the scanning of SSL traffic I have not heard of the ASA being able to do it yet but I suspect if they do not do it now they eventually will. That would involve decrypting the traffic on the ASA, scanning it for malicious traffic, and then reencrypting it for the rest of the path. These methods usually involve the middle device (in this case the ASA) issuing a self signed cert to you and intercepting the public cert from the target site. The traffic will not flow past the ASA unencrypted.

If I am mistaken on the abilities of the ASA I would like to know.

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card