07-24-2008 05:33 AM - edited 03-10-2019 04:12 AM
hi,
Query on SSL termination. Following is the logical path:
The encrypted traffic hits the router -> hits the ASA IPS -> and then hits the VIP for load balancing via ACE.
The SSL encrypted traffic should terminate on the ACE load balancer. However, the IPS scan can only be performed on a decrypted traffic.
How can we re-encrypt the traffic to terminate on the load balancer? Or is it a bad idea due to performance issues?
Regards.
07-30-2008 02:32 PM
SSL termination occurs when the ACE, acting as an SSL proxy server, terminates an SSL connection from a client and then establishes a TCP connection to an HTTP server. When the ACE terminates the SSL connection, it decrypts the ciphertext from the client and transmits the data as clear text to an HTTP server.
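The termination model described above, shown as an added Cisco ACE configuration example (constructed for this thread, not taken from the original post or from Cisco documentation). All names, addresses and file names are assumptions: the VIP 192.0.2.10, the real server 10.10.10.11, the key/certificate files MYKEY.PEM and MYCERT.PEM (which must already have been imported with crypto import), and the policy/class names. The SSL parameter-map that pins the protocol version and cipher assumes an ACE software release that supports those keywords.

```text
! Restrict what the ACE will negotiate with clients (assumption: release supports these keywords)
parameter-map type ssl PARAMMAP_SSL
  version TLS1
  cipher RSA_WITH_AES_256_CBC_SHA

! SSL proxy service in server mode: ACE presents MYCERT.PEM and decrypts with MYKEY.PEM
ssl-proxy service SSL_PSERVICE_SERVER
  key MYKEY.PEM
  cert MYCERT.PEM
  ssl advanced-options PARAMMAP_SSL

! Back-end HTTP server; traffic on this segment is clear text, so it belongs on a trusted VLAN
rserver host WEB1
  ip address 10.10.10.11
  inservice

serverfarm host WEB_FARM
  rserver WEB1 80
    inservice

! Client-facing VIP on TCP 443
class-map match-all VIP_HTTPS
  2 match virtual-address 192.0.2.10 tcp eq https

policy-map type loadbalance first-match LB_HTTPS
  class class-default
    serverfarm WEB_FARM

! Tie the VIP to the load-balancing policy and the SSL proxy service
policy-map multi-match CLIENT_VIPS
  class VIP_HTTPS
    loadbalance vip inservice
    loadbalance policy LB_HTTPS
    ssl-proxy server SSL_PSERVICE_SERVER

! Apply on the client-side VLAN interface
interface vlan 100
  ip address 192.0.2.2 255.255.255.0
  service-policy input CLIENT_VIPS
  no shutdown
```

Two points worth checking in a design like the one in this thread: an IPS placed on the client side of this VLAN only ever sees the TLS ciphertext destined for 192.0.2.10 and cannot match payload signatures, and everything from the ACE to WEB1 on port 80 is clear text, so that server-side segment needs to be isolated from untrusted hosts.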
08-03-2008 05:39 AM
Ok. But if the Cisco ASA IPS module is placed before the ACE, how will the SSL be handled? Will the ciphertext be decrypted for IPS checking and then re-encrypted for termination at the ACE? Is it possible, and is it the right way to go about it?
08-03-2008 06:16 PM
No, SSL decryption is not supported on the Cisco IPS. McAfee claim to support such a feature AFAIR (however, you still need to load some keys on the IPS to make this happen; this is usually not possible for servers out of your control).
Regards
Farrukh
08-06-2008 12:24 AM
So in other words it means that the traffic should be decrypted before Cisco IPS is hit.
The relevant design is: the incoming traffic hits
1) ASA with CSC-SSM, then it hits
2) ASA with AIP (IPS), then it hits
3) Cisco ACE
So, if the decryption should take place before IPS, then it can only be on Cisco ASA (CSC-SSM). Please confirm.
Regards
08-06-2008 12:29 AM
Even if there is no second ASA (with CSC), the first ASA (with IPS) can decrypt the traffic and send it to the IPS module installed on it.
Regards
Farrukh
08-06-2008 01:44 AM
Farrukh, if I am not mistaken then the CSC module also requires decrypted traffic for virus checking. So in this design, the traffic will have to be decrypted at the internet edge device, i.e. Cisco ASA with CSC module. Right?
Regards.
08-06-2008 02:19 AM
Yes, your understanding is spot on. Both IPS/CSC need decrypted traffic to do anything meaningful.
Regards
Farrukh
08-06-2008 09:32 PM
You had mentioned in an earlier post that the Cisco ASA IPS module doesn't have the ability to re-encrypt the traffic. Is the same applicable to the Cisco ASA CSC module as well?
Regards.
08-06-2008 10:53 PM
This does not apply to your design. The VPN will be encr/decr on the edge ASA device. For inbound traffic (from the outside) it will be decrypted by the edge ASA, processed by the CSC, then by the second ASA+IPS and then it will reach the LAN host/server. In the opposite direction, it will be processed by ASA+IPS, then ASA+CSC, then encrypted by the ASA 'outside' interface and finally go out.
Regards
Farrukh