HTTPS termination on ACE

Unanswered Question
Nov 17th, 2008

For internet applications, Cisco ACE is ideal for SSL offloading. However, one of the drawbacks is that the intermediate ASA IPS and Content Security modules do not deliver their best, as they cannot scan HTTPS traffic.

So what alternative would you suggest instead of ACE, placed before the ASA, that could offload the SSL traffic and then forward it to the ASA for scanning by the Cisco IPS and Content Security (Anti-X) modules?

Syed Iftekhar Ahmed Mon, 11/17/2008 - 11:05

If the traffic is encrypted, it's encrypted; there is no workaround. The only option is to decrypt it and send it for further analysis.

Multiple contexts in ACE give you an easy option, as you can simply dedicate one context for this purpose if needed.

Another option could be to use an IPS down the line, just before the server farm. The perimeter IPS will take care of non-encrypted traffic, and the encrypted traffic will be analyzed just before the server farm (after being offloaded by ACE).
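The arrangement described in the reply above (HTTPS terminated in a dedicated ACE context, cleartext HTTP handed to the server farm so that an IPS sitting between the ACE and the rservers can inspect it) written out as an added configuration example. This is not from the original thread or from Cisco documentation. The context, object and VLAN names, the addresses (192.0.2.0/24 on the client side, 10.1.20.0/24 on the server side, VIP 192.0.2.10) and the certificate and key file names are illustrative assumptions, and the certificate and key are assumed to have already been imported into the context with crypto import.

```cisco
! Admin context: carve out one ACE context for HTTPS offload (names assumed)
context SSL_OFFLOAD
  allocate-interface vlan 10
  allocate-interface vlan 20

! ---- inside context SSL_OFFLOAD ----
! ACE drops all through-traffic on an interface that has no access-group,
! so an explicit permit is required even on the server-side VLAN.
access-list ANYONE line 10 extended permit ip any any

! Intermediate CA chain sent to clients along with the server certificate
crypto chaingroup WEB_CHAIN
  cert intermediate-ca.pem

! Restrict the offloaded listener to TLS and AES cipher suites
parameter-map type ssl SSL_PARAMS
  version TLS1
  cipher RSA_WITH_AES_128_CBC_SHA
  cipher RSA_WITH_AES_256_CBC_SHA

! Server-side SSL proxy: this is where ACE decrypts the client session
ssl-proxy service SSL_TERM
  key web-server.key
  cert web-server.pem
  chaingroup WEB_CHAIN
  ssl advanced-options SSL_PARAMS

! Real servers listen on plain HTTP; no ssl-proxy client is applied on the
! server side, which is what keeps the ACE-to-rserver leg inspectable.
rserver host WEB1
  ip address 10.1.20.11
  inservice
rserver host WEB2
  ip address 10.1.20.12
  inservice

probe http WEB_PROBE
  interval 10
  expect status 200 200

serverfarm host WEB_FARM
  probe WEB_PROBE
  rserver WEB1 80
    inservice
  rserver WEB2 80
    inservice

! Only tcp/443 to the VIP is accepted on the client side
class-map match-all VIP_HTTPS
  2 match virtual-address 192.0.2.10 tcp eq https

policy-map type loadbalance first-match LB_HTTPS
  class class-default
    serverfarm WEB_FARM

policy-map multi-match CLIENT_VIPS
  class VIP_HTTPS
    loadbalance vip inservice
    loadbalance vip icmp-reply active
    loadbalance policy LB_HTTPS
    ssl-proxy server SSL_TERM

interface vlan 10
  description client side, facing the Internet edge
  ip address 192.0.2.2 255.255.255.0
  access-group input ANYONE
  service-policy input CLIENT_VIPS
  no shutdown

interface vlan 20
  description server side, path runs through the ASA IPS / Anti-X modules
  ip address 10.1.20.1 255.255.255.0
  access-group input ANYONE
  no shutdown

ip route 0.0.0.0 0.0.0.0 192.0.2.1
```

The property the IPS placement depends on is visible in the serverfarm: the rservers are bound on port 80 and the multi-match policy applies only `ssl-proxy server`, so everything the ACE sends towards VLAN 20 is plaintext. If backend re-encryption were added (ACE's end-to-end SSL, an `ssl-proxy client` on the server side), the modules between the ACE and the rservers would once again see only ciphertext and the benefit of offloading for inspection would be lost.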


new_networker Mon, 11/17/2008 - 11:39

In a hosting space within a data center where high-speed internet connectivity is provided, is it feasible to plug the internet line directly into the ACE 4710, i.e. traffic hits the VIP first? SSL offloading would then happen on the ACE, and on the way to the Rservers the ASA IPS and Content Security modules would be deployed for a one-stop scan of the decrypted traffic. Following the scan it hits the designated Rserver.


Internet -> ACE -> ASA with IPS -> ASA with Anti-X -> Rserver

Is this a good alternative?

Syed Iftekhar Ahmed Mon, 11/17/2008 - 18:10

With the ASA-IPS solution the maximum throughput you get is 650 Mbps (if you are using an ASA 5540 with an SSM-40 card in it). The ACE appliance's throughput (1, 2, or 4 Gbps) is much more than that.

I am not sure what your expected throughputs are, but when higher throughput is desired, ACE appliance + ASA IPS is not a scalable/valid solution.

With higher throughput you need the ACE module (options: 16 Gbps, 8 Gbps, and 4 Gbps) and IPS 42xx appliances, which give you up to 4 Gbps throughput.

Again, the problem is that if the traffic is encrypted then there is no way you can analyze the packets before they are decrypted. You need to decrypt it using some SSL offloader (like ACE), and only then will the IPS be able to analyze the data in the packets.


Syed Iftekhar Ahmed

new_networker Wed, 11/19/2008 - 11:02

So in the given topology, if the ACE becomes the internet edge device, i.e. the first device exposed to the internet, wouldn't it be a security risk? The ACE configuration would have the IPs and other details of all the Rservers, and if the ACE is hacked, all the server information would be visible to the intruder. So is it secure?

Syed Iftekhar Ahmed Wed, 11/19/2008 - 11:19

You don't need to place the ACE as the internet-facing edge device. You can use an ASA context in front of the ACE.
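The reply above in configuration form, as an added example that is not from the thread or from Cisco documentation: an ASA context sits in front of the ACE so that only the published VIP on tcp/443 is reachable from the Internet, and the ACE's own management plane is only reachable from the server-side network. The context, interface and ACL names and the addresses (public 203.0.113.10 mapped to the ACE VIP 192.0.2.10 on 192.0.2.0/24, rservers on 10.1.20.0/24) are assumptions; the NAT line uses the pre-8.3 `static` syntax that ASA ran when this thread was written.

```cisco
! ---- ASA system execution space: dedicate a context to the Internet edge ----
context EDGE
  allocate-interface GigabitEthernet0/0
  allocate-interface GigabitEthernet0/1
  config-url disk0:/EDGE.cfg

! ---- inside context EDGE ----
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
interface GigabitEthernet0/1
 nameif ace
 security-level 50
 ip address 192.0.2.1 255.255.255.0

! Publish only the VIP. The ACE's interface address (192.0.2.2) gets no translation,
! so it has no reachable public identity at all.
static (ace,outside) 203.0.113.10 192.0.2.10 netmask 255.255.255.255

! Pre-8.3 ACLs match the translated (public) address. Everything but HTTPS to the
! VIP is dropped and logged, including any probe for ssh/https on the ACE itself.
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq https
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside

route outside 0.0.0.0 0.0.0.0 203.0.113.1

! ---- ACE context behind the ASA: management access only from the server-side VLAN ----
! ACE refuses management traffic to its own addresses unless a management policy
! permits it, so nothing is bound on the client-side VLAN 10 at all.
class-map type management match-any MGMT_SSH
  2 match protocol ssh source-address 10.1.20.0 255.255.255.0
policy-map type management first-match MGMT_POLICY
  class MGMT_SSH
    permit
interface vlan 20
  service-policy input MGMT_POLICY
```

What this buys is containment of the attack surface, not secrecy of the ACE configuration: the rserver addresses are still in the ACE's running config and still visible to anyone who can log in to it, so the management policy above (and whoever holds the ACE credentials) is what actually protects that information. The ASA in front only ensures that the path from the Internet to the ACE is one TCP port on one address, with the rest of the ACE reachable from the inside only.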
