"visibility into encrypted traffic" > A marketing gag?

Unanswered Question
Nov 5th, 2008

Dear Cisco Community,

As I know, an IPS/IDS can't inspect encrypted traffic by default. Am I able to configure the keys and the IPS/IDS can decrypt the traffic and encrypt it again after the traffic was inspected?

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 3.5 (2 ratings)
Loading.
rhermes Thu, 11/06/2008 - 08:42

No, that isn't a feature on Cisco's sensors.

It would take a pretty hefty performance hit if it was.

adosedla Mon, 11/10/2008 - 07:22

Hello Rhermes,

Agree, it's important to closely monitor performance. I assume, inspect SSL traffic on the host is another way to implement inspection of SSL.

Best regards,

Alex

Farrukh Haroon Mon, 11/10/2008 - 05:39

The Cisco IPS does not support this AFAIK. I think it can be done on the McAfee IPS. It can be useful if you host your own SSL servers etc. (because you have their keys available to you).

Blue Coat also does it at the proxy level I think.

Regards

Farrukh

adosedla Mon, 11/10/2008 - 07:18

Hello Farrukh,

Thank you for your response, I really appreciate it. I believe, there are several ways how I could inspect SSL. Either with another vendor NIPS or on the host with HIPS.

Have a nice day.

Cheers Alex

Farrukh Haroon Mon, 11/10/2008 - 22:38

Yes there are several workarounds for this. For example on a Cisco IPS you could keep the sensor inline for all traffic and additionally setup a SPAN port on the switch for this SSL based server so that the IPS can monitor the traffic when its unencrypted.

Please rate if helpful.

Regards

Farrukh

adosedla Mon, 11/10/2008 - 23:34

Hello Farrukh,

Thank you for your response. I've planned to inspect all traffic (as you propose, as well) after it enters the FW on the outside interface and again as it exits the FW, just after the FW outside interface. If I understood you right, you propose to inspect the traffic before the traffic exits the FW outside interface. Indeed, that has some advantages over my idea. What I don't understand is your idea about the SPAN port on the Switch. Would you mind and explain your idea a little further?

Thank you in advance.

Farrukh Haroon Tue, 11/11/2008 - 00:00

On most networks placing the sensor 'outside' the firewall is not a good idea due to throughput limitations.

You can also use Host-based IPS sensors on the respected servers to look for intrusions before the traffic is encrypted.

After giving it a second though, the SPAN workaround would not work because the traffic would already be encrypted from the server itself.

Regards

Farrukh

adosedla Tue, 11/11/2008 - 00:08

Hi Farrukh,

Fully Agree. By the way, we do not plan to inspect traffic before it enters the FW but after but just after the FW and again after the traffic left the FW towards inside. To be honest, I would realy like to see, we would add HIPS to our solution.

Thank you, you helped me a lot with this kind of conversation.

Have a nice day.

Cheers Alex

Actions

This Discussion