11-05-2008 11:54 PM - edited 03-10-2019 04:22 AM
Dear Cisco Community,
As far as I know, an IPS/IDS can't inspect encrypted traffic by default. Am I able to configure the keys so that the IPS/IDS can decrypt the traffic and encrypt it again after the traffic has been inspected?
11-06-2008 08:42 AM
No, that isn't a feature on Cisco's sensors.
It would take a pretty hefty performance hit if it was.
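To make concrete what "can't inspect encrypted traffic" means for a sensor sitting in the path, here is an added example (written for this page, not code from the thread or from Cisco). It parses two hand-built TLS records the way a passive sensor would: the ClientHello, whose server name (SNI) and cipher-suite list are sent in the clear and can be matched on, and an ApplicationData record, whose payload is ciphertext the sensor cannot interpret without the session keys. The sample bytes, the host name www.example.com and the cipher-suite values are constructed for the example.

```python
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}


def _build_client_hello(server_name, cipher_suites):
    """Hand-build a minimal TLS 1.2 ClientHello record with an SNI extension.

    Constructed sample input for this example, not captured from a real host.
    """
    sni_name = b"\x00" + struct.pack("!H", len(server_name)) + server_name
    sni_list = struct.pack("!H", len(sni_name)) + sni_name
    sni_ext = struct.pack("!HH", 0, len(sni_list)) + sni_list       # type 0 = server_name
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"                   # version, random, empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                                          # one compression method: null
            + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def _parse_client_hello(body):
    """Extract the cleartext fields a sensor can match on from a ClientHello body."""
    pos = 2 + 32                                   # skip client_version and random
    sid_len = body[pos]
    pos += 1 + sid_len
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    comp_len = body[pos]
    pos += 1 + comp_len
    sni = None
    if pos + 2 <= len(body):                       # extensions are optional
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            edata = body[pos:pos + elen]
            pos += elen
            if etype == 0 and len(edata) >= 5:     # server_name: list_len(2) type(1) name_len(2) name
                name_len = struct.unpack("!H", edata[3:5])[0]
                sni = edata[5:5 + name_len].decode("ascii", "replace")
    return {"inspectable": True, "sni": sni, "cipher_suites": suites}


def parse_record(record):
    """Return what a passive sensor without keys can learn from one TLS record."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, vmaj, vmin, length = struct.unpack("!BBBH", record[:5])
    payload = record[5:5 + length]
    if len(payload) != length:
        raise ValueError("truncated record body")
    info = {"type": CONTENT_TYPES.get(ctype, ctype),
            "version": (vmaj, vmin), "length": length}
    if ctype == 22 and payload and payload[0] == 1:
        info.update(_parse_client_hello(payload[4:]))   # 4-byte handshake header
    else:
        # Everything after ChangeCipherSpec, and all ApplicationData, is ciphertext:
        # only type, version and length are visible, so no signature can match the payload.
        info["inspectable"] = False
    return info


# Constructed sample records (not real captures).
CLIENT_HELLO = _build_client_hello(b"www.example.com", [0xC02F, 0x002F])
APP_DATA = b"\x17\x03\x03\x00\x08" + bytes.fromhex("9f3a7c0012b4e6d1")

if __name__ == "__main__":
    for rec in (CLIENT_HELLO, APP_DATA):
        print(parse_record(rec))
```

The ClientHello yields the SNI and the offered cipher suites, which is why an inline sensor can still enforce policy on destinations and cipher choices; the ApplicationData record yields only its length, which is all a sensor without the keys ever sees of the request or response body.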
11-10-2008 07:22 AM
Hello Rhermes,
Agreed, it's important to closely monitor performance. I assume inspecting SSL traffic on the host is another way to implement SSL inspection.
Best regards,
Alex
11-10-2008 05:39 AM
The Cisco IPS does not support this AFAIK. I think it can be done on the McAfee IPS. It can be useful if you host your own SSL servers etc. (because you have their keys available to you).
Blue Coat also does it at the proxy level I think.
Regards
Farrukh
11-10-2008 07:18 AM
Hello Farrukh,
Thank you for your response, I really appreciate it. I believe there are several ways I could inspect SSL: either with another vendor's NIPS or on the host with HIPS.
Have a nice day.
Cheers Alex
11-10-2008 10:38 PM
Yes, there are several workarounds for this. For example, on a Cisco IPS you could keep the sensor inline for all traffic and additionally set up a SPAN port on the switch for this SSL-based server so that the IPS can monitor the traffic when it's unencrypted.
Please rate if helpful.
Regards
Farrukh
11-10-2008 11:34 PM
Hello Farrukh,
Thank you for your response. I've planned to inspect all traffic (as you propose as well) after it enters the FW on the outside interface and again as it exits the FW, just after the FW outside interface. If I understood you right, you propose to inspect the traffic before it exits the FW outside interface. Indeed, that has some advantages over my idea. What I don't understand is your idea about the SPAN port on the switch. Would you mind explaining your idea a little further?
Thank you in advance.
11-11-2008 12:00 AM
On most networks placing the sensor 'outside' the firewall is not a good idea due to throughput limitations.
You can also use host-based IPS sensors on the respective servers to look for intrusions before the traffic is encrypted.
After giving it a second thought, the SPAN workaround would not work because the traffic would already be encrypted from the server itself.
Regards
Farrukh
11-11-2008 12:08 AM
Hi Farrukh,
Fully agree. By the way, we do not plan to inspect traffic before it enters the FW, but just after the FW and again after the traffic has left the FW towards the inside. To be honest, I would really like to see us add HIPS to our solution.
Thank you, you helped me a lot with this kind of conversation.
Have a nice day.
Cheers Alex