"visibility into encrypted traffic" > A marketing gag?

Nov 5th, 2008

Dear Cisco Community,


As far as I know, an IPS/IDS can't inspect encrypted traffic by default. Am I able to configure the keys so that the IPS/IDS can decrypt the traffic and encrypt it again after the traffic has been inspected?

rhermes Thu, 11/06/2008 - 08:42

No, that isn't a feature on Cisco's sensors.

It would take a pretty hefty performance hit if it was.

adosedla Mon, 11/10/2008 - 07:22

Hello Rhermes,


Agreed, it's important to closely monitor performance. I assume inspecting SSL traffic on the host is another way to implement inspection of SSL.


Best regards,

Alex



Farrukh Haroon Mon, 11/10/2008 - 05:39

The Cisco IPS does not support this AFAIK. I think it can be done on the McAfee IPS. It can be useful if you host your own SSL servers etc. (because you have their keys available to you).


Blue Coat also does it at the proxy level I think.


Regards


Farrukh

adosedla Mon, 11/10/2008 - 07:18

Hello Farrukh,


Thank you for your response, I really appreciate it. I believe there are several ways I could inspect SSL: either with another vendor's NIPS or on the host with HIPS.


Have a nice day.


Cheers Alex

Farrukh Haroon Mon, 11/10/2008 - 22:38

Yes, there are several workarounds for this. For example, on a Cisco IPS you could keep the sensor inline for all traffic and additionally set up a SPAN port on the switch for this SSL-based server so that the IPS can monitor the traffic when it's unencrypted.


Please rate if helpful.


Regards


Farrukh

adosedla Mon, 11/10/2008 - 23:34

Hello Farrukh,


Thank you for your response. I've planned to inspect all traffic (as you propose, as well) after it enters the FW on the outside interface and again as it exits the FW, just after the FW outside interface. If I understood you right, you propose to inspect the traffic before the traffic exits the FW outside interface. Indeed, that has some advantages over my idea. What I don't understand is your idea about the SPAN port on the switch. Would you mind explaining your idea a little further?


Thank you in advance.

Farrukh Haroon Tue, 11/11/2008 - 00:00

On most networks, placing the sensor 'outside' the firewall is not a good idea due to throughput limitations.


You can also use host-based IPS sensors on the respective servers to look for intrusions before the traffic is encrypted.


After giving it a second thought, the SPAN workaround would not work because the traffic would already be encrypted from the server itself.


Regards


Farrukh

adosedla Tue, 11/11/2008 - 00:08

Hi Farrukh,


Fully agree. By the way, we do not plan to inspect traffic before it enters the FW, but just after the FW and again after the traffic has left the FW towards the inside. To be honest, I would really like to see us add HIPS to our solution.


Thank you, you helped me a lot with this kind of conversation.


Have a nice day.


Cheers Alex
