"visibility into encrypted traffic" > A marketing gag?

adosedla
Level 1

Dear Cisco Community,

As I know, an IPS/IDS can't inspect encrypted traffic by default. Am I able to configure the keys and the IPS/IDS can decrypt the traffic and encrypt it again after the traffic was inspected?

8 Replies

rhermes
Level 7

No, that isn't a feature on Cisco's sensors.

It would take a pretty hefty performance hit if it was.

Hello Rhermes,

Agree, it's important to closely monitor performance. I assume inspecting SSL traffic on the host is another way to implement inspection of SSL.

Best regards,

Alex

Farrukh Haroon
VIP Alumni

The Cisco IPS does not support this AFAIK. I think it can be done on the McAfee IPS. It can be useful if you host your own SSL servers etc. (because you have their keys available to you).

Blue Coat also does it at the proxy level I think.

Regards

Farrukh

Hello Farrukh,

Thank you for your response, I really appreciate it. I believe there are several ways I could inspect SSL: either with another vendor's NIPS or on the host with HIPS.

Have a nice day.

Cheers Alex

Yes, there are several workarounds for this. For example, on a Cisco IPS you could keep the sensor inline for all traffic and additionally set up a SPAN port on the switch for this SSL-based server so that the IPS can monitor the traffic when it's unencrypted.

Please rate if helpful.

Regards

Farrukh

Hello Farrukh,

Thank you for your response. I've planned to inspect all traffic (as you propose, as well) after it enters the FW on the outside interface and again as it exits the FW, just after the FW outside interface. If I understood you right, you propose to inspect the traffic before the traffic exits the FW outside interface. Indeed, that has some advantages over my idea. What I don't understand is your idea about the SPAN port on the switch. Would you mind explaining your idea a little further?

Thank you in advance.

On most networks placing the sensor 'outside' the firewall is not a good idea due to throughput limitations.

You can also use host-based IPS sensors on the respective servers to look for intrusions before the traffic is encrypted.

After giving it a second thought, the SPAN workaround would not work because the traffic would already be encrypted from the server itself.

Regards

Farrukh

Hi Farrukh,

Fully agree. By the way, we do not plan to inspect traffic before it enters the FW, but just after the FW and again after the traffic has left the FW towards the inside. To be honest, I would really like to see us add HIPS to our solution.

Thank you, you helped me a lot with this kind of conversation.

Have a nice day.

Cheers Alex
