How to terminate SSL encryption on ACE following IPS scan

cisco_realm
Level 1

hi,

Query on SSL termination. Following is the logical path,

The encrypted traffic hits the router -> hits the ASA IPS -> and then hits the VIP for load balancing via ACE.

The SSL encrypted traffic should terminate on the ACE load balancer. However, the IPS scan can only be performed on a decrypted traffic.

How can we re-encrypt the traffic to terminate on the load balancer? Or is it a bad idea due to performance issues?

Regards.


9 Replies

hadbou
Level 5

SSL termination occurs when the ACE, acting as an SSL proxy server, terminates an SSL connection from a client and then establishes a TCP connection to an HTTP server. When the ACE terminates the SSL connection, it decrypts the ciphertext from the client and transmits the data as clear text to an HTTP server.

Ok. But if the Cisco ASA IPS module is placed before the ACE, how will the SSL be handled? Will the ciphertext be decrypted for IPS checking and then re-encrypted for termination at the ACE? Is it possible, and is it the right way to go about it?

No, SSL decryption is not supported on the Cisco IPS. McAfee claim to support such a feature, AFAIR (however, you still need to load some keys on the IPS to make this happen, which is usually not possible for servers out of your control).

Regards

Farrukh

So in other words it means that the traffic should be decrypted before Cisco IPS is hit.

The relevant design is: the incoming traffic hits

1) ASA with CSC-SSM, then it hits

2) ASA with AIP (IPS), then it hits

3) Cisco ACE

So, if the decryption should take place before IPS, then it can only be on Cisco ASA (CSC-SSM). Please confirm.

Regards

Even if there is no second ASA (with CSC), the first ASA (with IPS) can decrypt the traffic and send it to the IPS module installed on it.

Regards

Farrukh

Farrukh, if I am not mistaken, then the CSC module also requires decrypted traffic for virus checking. So in this design, the traffic will have to be decrypted at the internet edge device, i.e. the Cisco ASA with CSC module. Right?

Regards.

Yes your understanding is spot on. Both IPS/CSC need decrypted traffic to do anything meaningful.

Regards

Farrukh

You had mentioned in an earlier post that the Cisco ASA IPS module doesn't have the ability to re-encrypt the traffic. Is the same applicable to the Cisco ASA CSC module as well?

Regards.

This does not apply to your design. The VPN will be encr/decr on the edge ASA device. For inbound traffic (from the outside) it will be decrypted by the edge ASA, processed by the CSC, then by the second ASA+IPS, and then it will reach the LAN host/server. In the opposite direction, it will be processed by ASA+IPS, then ASA+CSC, then encrypted by the ASA 'outside' interface, and finally go out.

Regards

Farrukh
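The point the thread settles on (an IPS or CSC engine can only match on plaintext, so decryption has to happen at the edge before inspection, and the terminator then hands clear text to the server, as hadbou's description of the ACE acting as an SSL proxy says) can be shown end to end with a small Go program. This is an added example written for this page, not Cisco's code and not something posted in the thread. The VIP name `vip.example.test`, the signature string `X-Constructed-Test: malicious` and the two HTTP requests are constructed for the demo, the self-signed certificate stands in for the CA-issued key pair an ACE or ASA would hold, and `inspect` is a deliberately minimal stand-in for a real IPS engine. The program taps the raw wire so it can show what an inspection point placed in front of the terminator would see: the signature never matches the TLS bytes, only the decrypted request.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// Constructed IPS-style signature (hypothetical, not a real Cisco signature):
// the inspection engine flags any request whose plaintext contains it.
var signature = []byte("X-Constructed-Test: malicious")

// inspect stands in for the IPS/CSC engine. It can only match bytes it can
// read, which is why it has to sit after the point where TLS is decrypted.
func inspect(payload []byte) bool { return bytes.Contains(payload, signature) }

// teeConn copies everything read from the wire so the demo can show what an
// IPS placed in front of the SSL terminator would actually see.
type teeConn struct {
	net.Conn
	wire *bytes.Buffer
}

func (t *teeConn) Read(b []byte) (int, error) {
	n, err := t.Conn.Read(b)
	t.wire.Write(b[:n])
	return n, err
}

// Result records what the terminator observed for one client connection.
type Result struct {
	CiphertextMatched bool   // signature found in the raw TLS bytes (before termination)
	PlaintextMatched  bool   // signature found after termination
	Forwarded         []byte // clear text handed to the backend; nil when blocked
}

// selfSignedCert makes a throwaway certificate for the VIP plus a pool the
// client trusts. A production ACE/ASA holds a CA-issued key pair instead.
func selfSignedCert(host string) (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// terminateAndInspect plays the edge/ACE role for one connection: it taps the
// raw wire, terminates TLS, runs inspection on the plaintext and, when clean,
// forwards the clear-text request toward the HTTP server (here: returns it).
func terminateAndInspect(raw net.Conn, cert tls.Certificate) (Result, error) {
	var wire bytes.Buffer
	srv := tls.Server(&teeConn{Conn: raw, wire: &wire}, &tls.Config{Certificates: []tls.Certificate{cert}})
	defer srv.Close()
	buf := make([]byte, 4096)
	n, err := srv.Read(buf) // completes the handshake, then yields the decrypted request
	if err != nil && err != io.EOF {
		return Result{}, err
	}
	plain := append([]byte(nil), buf[:n]...)
	res := Result{CiphertextMatched: inspect(wire.Bytes()), PlaintextMatched: inspect(plain)}
	if res.PlaintextMatched {
		return res, nil // blocked at the inspection point; nothing reaches the backend
	}
	res.Forwarded = plain // in the real design this is the clear-text TCP leg to the server
	return res, nil
}

// Simulate sends one request from a TLS client to the terminator over loopback
// and returns what the terminator observed.
func Simulate(req []byte) (Result, error) {
	const host = "vip.example.test" // constructed VIP name
	cert, pool, err := selfSignedCert(host)
	if err != nil {
		return Result{}, err
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return Result{}, err
	}
	defer ln.Close()
	type outcome struct {
		res Result
		err error
	}
	done := make(chan outcome, 1)
	go func() {
		c, err := ln.Accept()
		if err != nil {
			done <- outcome{err: err}
			return
		}
		defer c.Close()
		res, err := terminateAndInspect(c, cert)
		done <- outcome{res, err}
	}()
	cli, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: pool, ServerName: host})
	if err != nil {
		return Result{}, err
	}
	if _, err := cli.Write(req); err != nil {
		return Result{}, err
	}
	cli.Close()
	o := <-done
	return o.res, o.err
}

func main() {
	// Constructed requests: one clean, one carrying the demo signature.
	for _, req := range []string{
		"GET / HTTP/1.1\r\nHost: vip.example.test\r\n\r\n",
		"GET / HTTP/1.1\r\nHost: vip.example.test\r\nX-Constructed-Test: malicious\r\n\r\n",
	} {
		r, err := Simulate([]byte(req))
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("ciphertext matched=%v plaintext matched=%v forwarded=%d bytes\n",
			r.CiphertextMatched, r.PlaintextMatched, len(r.Forwarded))
	}
}
```

Run it with `go run .`; the clean request is forwarded in clear text and the flagged one is dropped, and in both cases the tap on the raw wire (the position an IPS would have in front of the terminator) never matches. That is the whole argument of the thread in running form: whatever box does the decryption has to sit ahead of the IPS and CSC modules, and everything behind the terminator sees HTTP, not TLS.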
