New Member

HTTPS through IPS

Hi,

Have a question regarding HTTPS traffic going through IPS (AIP-SSM). I understand that Cisco IPS cannot monitor encrypted traffic except monitoring the headers and trailers. So,

- Does it mean there's no use of sending HTTPS traffic to AIP-SSM (unless the purpose is to monitor HTTPS headers and trailers)?

- What kind of protection can be expected by just looking at headers and trailers?

Is there any recommendation whether HTTPS traffic should be sent to AIP-SSM or not?

3 REPLIES
New Member

HTTPS through IPS

We had a similar problem - we solved it by using an F5 as reverse proxy and terminating the HTTPS/SSL session on the F5 and running un-encrypted from there - and pass the traffic through their ASM module, which is similar to the IPS module - and in fact afterwards we also pass the traffic through an ASA and IPS module - but now un-encrypted...

New Member

HTTPS through IPS

Thank you tiwang but it's not a problem for me to not send HTTPS traffic through AIP-SSM. I am fine with not sending HTTPS traffic to AIP-SSM if there's no real use of it as it will be encrypted. So, as I had asked earlier, I just want to know:

- Does it mean there's no use of sending HTTPS traffic to AIP-SSM (unless the purpose is to monitor HTTPS headers and trailers)?

- What kind of protection can be expected by just looking at headers and trailers of HTTPS?

Is there any recommendation whether HTTPS traffic should be sent to AIP-SSM or not?

VIP Purple

HTTPS through IPS

To evaluate what you get by inspecting the encrypted traffic, you can look at the signatures. These Signatures have "HTTPS" in the name. Of course there are even more signatures that work in general on TCP and so on:

But at least the "Malformed Handshake" Signature caused lots of false positives in my environment.

I don't really have any general recommendations for that. With limited time to work on the sensor I wouldn't care about HTTPS, but if you have some time to implement it, it won't hurt and will give you a little bit better protection.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
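
Added illustration, not part of the thread and not Cisco's signature logic: without decryption, what a sensor can check on HTTPS is the cleartext TLS framing. The Python below parses one record header and handshake header and lists structural anomalies; the function name, the checks chosen and the sample bytes are constructed assumptions.

```python
import struct

# Cleartext TLS framing values (RFC 5246 / RFC 8446).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello", 11: "certificate",
                   12: "server_key_exchange", 14: "server_hello_done",
                   16: "client_key_exchange", 20: "finished"}
MAX_RECORD_LEN = 2**14 + 2048  # upper bound for a TLS 1.2 ciphertext record

# Constructed sample records (not captured traffic).
SAMPLE_CLIENT_HELLO = bytes.fromhex("160301002f" "0100002b") + bytes(43)
SAMPLE_BAD_LENGTH = bytes.fromhex("1603010010" "01ffffff") + bytes(12)


def inspect_record(data: bytes) -> dict:
    """Parse one TLS record using only its cleartext framing; no decryption."""
    result = {"type": None, "version": None, "handshake": None, "anomalies": []}
    if len(data) < 5:
        result["anomalies"].append("truncated record header")
        return result
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    result["type"] = CONTENT_TYPES.get(ctype)
    result["version"] = (major, minor)
    if result["type"] is None:
        result["anomalies"].append(f"unknown content type {ctype}")
    if major != 3:
        result["anomalies"].append(f"unexpected protocol version {major}.{minor}")
    if length == 0 or length > MAX_RECORD_LEN:
        result["anomalies"].append(f"implausible record length {length}")
    body = data[5:5 + length]
    if len(body) < length:
        result["anomalies"].append("record shorter than its declared length")
    # Early handshake messages are sent in the clear, so their 4-byte header
    # (type + 24-bit length) can be checked too. Handshake records sent after
    # change_cipher_spec are encrypted and look random here, and a message may
    # legally span several records, so a stateless check like this can misfire.
    if ctype == 22 and len(body) >= 4:
        hs_type = body[0]
        hs_len = int.from_bytes(body[1:4], "big")
        result["handshake"] = HANDSHAKE_TYPES.get(hs_type)
        if result["handshake"] is None:
            result["anomalies"].append(f"unknown handshake type {hs_type}")
        elif hs_len + 4 > length:
            result["anomalies"].append("handshake length exceeds record (fragmented or malformed)")
    return result
```

Everything inside `application_data` records stays opaque to this kind of check, which is why the reverse-proxy approach in the first reply is needed for payload inspection.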
