HTTPS termination on ACE

new_networker
Level 1

For internet applications, Cisco ACE is ideal for SSL offloading, e.g. for https://www.ebay.com. However, one of the drawbacks is that the intermediate ASA IPS and Content Security modules do not deliver their best, as they cannot scan HTTPS traffic.

So what alternative would you suggest instead of ACE to be placed before the ASA, which could offload the SSL traffic and then forward the traffic to the ASA for the scan performed by the Cisco IPS and Content Security (Anti-X) modules?

5 Replies

If traffic is encrypted, it's encrypted; there is no workaround. The only option is to decrypt it and send it for further analysis.

Multiple contexts in ACE give you an easy option, as you can simply dedicate one context for this purpose if needed.

Another option could be to use an IPS down the line, just before the server farm. The perimeter IPS will take care of non-encrypted traffic, and the encrypted traffic will be analyzed just before the serverfarm (after being offloaded by ACE).

Syed

In a hosting space within a data center where high-speed internet connectivity is provided, is it feasible to plug the internet line directly into the ACE 4710, i.e. traffic hits the VIP first? So SSL offloading happens on the ACE, and on the way to the Rservers, ASA IPS and Content Security are deployed for a one-stop decrypted traffic scan. Following the scan it hits the designated Rserver.

Topology

Internet -> ACE -> ASA with IPS -> ASA with Anti-X -> Rserver

Is this a good alternative?

With the ASA-IPS solution the maximum throughput you get is 650 Mbps (if you are using an ASA 5540 with an SSM-40 card in it). The ACE Appliance's throughput (1, 2, or 4 Gbps) is much more than that.

I am not sure what your expected throughputs are, but when higher throughput is desired, then ACE Appliance + ASA IPS is not a scalable/valid solution.

With higher throughput you need the ACE Module (options: 16 Gbps, 8 Gbps, and 4 Gbps) and IPS 42xx appliances, which give you up to 4 Gbps throughput.

Again, the problem is that if the traffic is encrypted, then there is no way you can analyze packets before they are decrypted. You need to decrypt it using some SSL offloader (like ACE), and only then will the IPS be able to analyze the data in the packets.

HTH

Syed Iftekhar Ahmed
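The two constraints raised in the replies above (an inspection point only sees what has already been decrypted, and the chain runs no faster than its slowest inspection element) are easy to check mechanically. The following is an added example, not code from the original thread or from Cisco; it walks an ordered device chain, flags any IPS/Anti-X placed before the SSL offloader, and reports the throughput ceiling. The device names and the Mbps figures are constructed from the numbers quoted in the thread (650 Mbps for the ASA 5540 with SSM-40, 4 Gbps for the ACE appliance top model, 16 Gbps for the ACE module, 4 Gbps for the IPS 42xx); devices with no figure in the thread are given `None` and are not treated as a bottleneck.

```python
"""Model of the inline inspection chain discussed in the thread.

Added example (not from the original post). Each device has a role:
  offload  - terminates SSL/TLS, so everything after it is plaintext
  inspect  - IPS or Anti-X; only useful if it sees plaintext
  forward  - firewall or other hop that neither decrypts nor inspects
  server   - the real server (Rserver)
Throughput figures are constructed from the numbers quoted in the
thread; None means the thread gave no figure for that device.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Device:
    name: str
    role: str
    throughput_mbps: Optional[float] = None


@dataclass
class ChainReport:
    blind_inspectors: List[str]   # inspectors that only ever see ciphertext
    bottleneck: Optional[str]     # device that sets the ceiling
    ceiling_mbps: float           # lowest stated throughput in the chain


def evaluate_chain(chain: List[Device]) -> ChainReport:
    """Walk the chain in order and check visibility and throughput."""
    plaintext = False          # becomes True once an offloader is passed
    blind: List[str] = []
    bottleneck: Optional[str] = None
    ceiling = float("inf")
    for dev in chain:
        if dev.role == "offload":
            plaintext = True   # from here on, inspectors see decrypted data
        elif dev.role == "inspect" and not plaintext:
            blind.append(dev.name)
        if dev.throughput_mbps is not None and dev.throughput_mbps < ceiling:
            ceiling = dev.throughput_mbps
            bottleneck = dev.name
    return ChainReport(blind, bottleneck, ceiling)


# Constructed sample chains (figures from the thread, Rserver assumed unbounded).
# Original placement: IPS and Anti-X sit in front of the offloader.
CHAIN_BEFORE = [
    Device("ASA IPS", "inspect", 650),
    Device("ASA Anti-X", "inspect"),
    Device("ACE 4710", "offload", 4000),
    Device("Rserver", "server"),
]
# Topology proposed in the thread: Internet -> ACE -> ASA IPS -> ASA Anti-X -> Rserver.
CHAIN_PROPOSED = [
    Device("ACE 4710", "offload", 4000),
    Device("ASA 5540 IPS (SSM-40)", "inspect", 650),
    Device("ASA Anti-X", "inspect"),
    Device("Rserver", "server"),
]
# Higher-throughput variant from the reply: ACE Module + IPS 42xx, ASA context in front.
CHAIN_MODULE = [
    Device("ASA context", "forward"),
    Device("ACE Module", "offload", 16000),
    Device("IPS 42xx", "inspect", 4000),
    Device("Rserver", "server"),
]


def summarize(name: str, chain: List[Device]) -> str:
    r = evaluate_chain(chain)
    blind = ", ".join(r.blind_inspectors) or "none"
    return (f"{name}: blind inspectors = {blind}; "
            f"ceiling = {r.ceiling_mbps:g} Mbps set by {r.bottleneck}")


if __name__ == "__main__":
    for label, chain in [("before", CHAIN_BEFORE),
                         ("proposed", CHAIN_PROPOSED),
                         ("module", CHAIN_MODULE)]:
        print(summarize(label, chain))
```

Running it shows the point of the replies: with the inspectors ahead of the ACE both are blind, with the ACE first they see plaintext but the chain is capped at 650 Mbps by the ASA IPS, and the module-plus-IPS-42xx chain lifts the ceiling to 4 Gbps.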

So in the given topology, if the ACE becomes the internet edge device, i.e. the first device exposed to the internet, wouldn't it be a security risk? Because the ACE configuration would have the IPs and other details of all the Rservers, and if the ACE is hacked, all server information would be visible to the intruder. So is it secure?

You don't need to place the ACE as the internet-facing edge device. You can use an ASA context in front of the ACE.

Syed
