
New Member

"visibility into encrypted traffic" > A marketing gag?

Dear Cisco Community,

As I know, an IPS/IDS can't inspect encrypted traffic by default. Am I able to configure the keys and the IPS/IDS can decrypt the traffic and encrypt it again after the traffic was inspected?

8 REPLIES
Gold

Re: "visibility into encrypted traffic" > A marketing gag?

No, that isn't a feature on Cisco's sensors.

It would take a pretty hefty performance hit if it was.

New Member

Re: "visibility into encrypted traffic" > A marketing gag?

Hello Rhermes,

Agree, it's important to closely monitor performance. I assume inspecting SSL traffic on the host is another way to implement inspection of SSL.

Best regards,

Alex

Re: "visibility into encrypted traffic" > A marketing gag?

The Cisco IPS does not support this AFAIK. I think it can be done on the McAfee IPS. It can be useful if you host your own SSL servers etc. (because you have their keys available to you).

Blue Coat also does it at the proxy level I think.

Regards

Farrukh

New Member

Re: "visibility into encrypted traffic" > A marketing gag?

Hello Farrukh,

Thank you for your response, I really appreciate it. I believe, there are several ways how I could inspect SSL. Either with another vendor NIPS or on the host with HIPS.

Have a nice day.

Cheers Alex

Re: "visibility into encrypted traffic" > A marketing gag?

Yes, there are several workarounds for this. For example, on a Cisco IPS you could keep the sensor inline for all traffic and additionally set up a SPAN port on the switch for this SSL-based server so that the IPS can monitor the traffic when it's unencrypted.

Please rate if helpful.

Regards

Farrukh

New Member

Re: "visibility into encrypted traffic" > A marketing gag?

Hello Farrukh,

Thank you for your response. I've planned to inspect all traffic (as you propose, as well) after it enters the FW on the outside interface and again as it exits the FW, just after the FW outside interface. If I understood you right, you propose to inspect the traffic before the traffic exits the FW outside interface. Indeed, that has some advantages over my idea. What I don't understand is your idea about the SPAN port on the switch. Would you mind explaining your idea a little further?

Thank you in advance.

Re: "visibility into encrypted traffic" > A marketing gag?

On most networks placing the sensor 'outside' the firewall is not a good idea due to throughput limitations.

You can also use host-based IPS sensors on the respective servers to look for intrusions before the traffic is encrypted.

After giving it a second thought, the SPAN workaround would not work because the traffic would already be encrypted from the server itself.

Regards

Farrukh
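The point Farrukh makes above, that the server itself is the only place where the traffic is still plaintext, is what a host-based inspection hook looks like in practice. The following is an added example and not code from this thread, from Cisco, or from any IPS vendor: a minimal WSGI middleware that runs signature checks on each request after the web server has already terminated TLS, so the inspection sees exactly the plaintext a network sensor without the server's keys never sees. The signature list, the `hello_app` application, the `simulate` driver and the sample requests are all constructed for illustration.

```python
"""Host-side inspection of HTTPS requests after TLS termination (added example)."""
import io
import re
from urllib.parse import unquote_plus

# Constructed, illustrative signatures; a real HIPS would load a vendor feed.
SIGNATURES = [
    ("path-traversal", re.compile(r"(?:\.\./|\.\.\\){2,}")),
    ("script-tag", re.compile(r"<\s*script\b", re.IGNORECASE)),
    ("sql-union", re.compile(r"\bunion\b\s+(?:all\s+)?\bselect\b", re.IGNORECASE)),
]


def find_matches(text):
    """Return the names of all signatures that match the URL-decoded text."""
    decoded = unquote_plus(text)
    return [name for name, pattern in SIGNATURES if pattern.search(decoded)]


def inspect_request(environ):
    """Collect the plaintext fields a host sensor sees and run the signatures.

    Returns (matches, body); the body bytes are handed back so the wrapped
    application can still read them after inspection.
    """
    try:
        length = int(environ.get("CONTENT_LENGTH") or 0)
    except ValueError:
        length = 0
    body = environ["wsgi.input"].read(length) if length > 0 else b""
    fields = [
        environ.get("PATH_INFO", ""),
        environ.get("QUERY_STRING", ""),
        body.decode("utf-8", errors="replace"),
    ]
    matches = []
    for field in fields:
        for name in find_matches(field):
            if name not in matches:
                matches.append(name)
    return matches, body


class InspectingMiddleware:
    """Wraps a WSGI app; alerts and blocks when a signature fires."""

    def __init__(self, app, on_alert):
        self.app = app
        self.on_alert = on_alert  # e.g. forward to a SIEM; here a plain callback

    def __call__(self, environ, start_response):
        matches, body = inspect_request(environ)
        environ["wsgi.input"] = io.BytesIO(body)  # restore the consumed body
        if matches:
            self.on_alert(environ.get("REMOTE_ADDR", "?"), matches)
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"blocked by host inspection\n"]
        return self.app(environ, start_response)


def hello_app(environ, start_response):
    """Stand-in for the real application behind the TLS terminator."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello\n"]


def simulate(app, path, query="", body=b"", remote="203.0.113.10"):
    """Drive a WSGI app with a constructed request; return (status, response)."""
    environ = {
        "REQUEST_METHOD": "POST" if body else "GET",
        "PATH_INFO": path,
        "QUERY_STRING": query,
        "CONTENT_LENGTH": str(len(body)),
        "REMOTE_ADDR": remote,
        "wsgi.input": io.BytesIO(body),
    }
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    out = b"".join(app(environ, start_response))
    return captured["status"], out


ALERTS = []  # (source address, matched signature names), filled by the callback
protected = InspectingMiddleware(hello_app, lambda src, names: ALERTS.append((src, names)))

if __name__ == "__main__":
    print(simulate(protected, "/index.html"))
    print(simulate(protected, "/static/../../../etc/passwd"))
    print(simulate(protected, "/search", "q=%3Cscript%3Ealert%281%29"))
    print(simulate(protected, "/comment", body=b"text=1+UNION+SELECT+1%2C2"))
    print(ALERTS)
```

Because the middleware runs inside the server process after decryption, it works regardless of cipher suite or TLS version, which is the advantage over a network sensor; the trade-off is that it only covers this one host and must be deployed and tuned per server.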

New Member

Re: "visibility into encrypted traffic" > A marketing gag?

Hi Farrukh,

Fully agree. By the way, we do not plan to inspect traffic before it enters the FW, but just after the FW and again after the traffic has left the FW towards the inside. To be honest, I would really like to see us add HIPS to our solution.

Thank you, you helped me a lot with this kind of conversation.

Have a nice day.

Cheers Alex
