ACE end to end encryption with IDSM

jesrobbie — Wed, 17 Aug 2011 16:10:26 GMT

We want to provide an end to encryption service using an ACE02 in a CAT 6509E. This is covered in the ACE config guide so should be OK.

The issue is that we want to include traffic inspection using an IDSM2 so we need to seperate the decrypt and encryption stages and send cleartext traffic to the IDMS2.

The Security and Virtualization in the Data Center pdf page 18/19 suggests that it might be possible. The design depicted there though is only doing SSL termination, then sending the clear text onto a WAF, and onto IPS but it does say end-to-end encryption is also possible.

So in essence what we want to do is have traffic from clients destined for the server farm decrypted by the ACE and sent to the IDS. We then want the traffic to return from the IDS to the ACE to be encrypted and sent onto the server farm.

I'm sure that others have come across this as it must be a pretty common requirement so I'm really looking for some firm guidance or documentation that might cover this.

Any ideas or thoughts would be very much appreciated.

ACE end to end encryption with IDSM

mwinnett — Fri, 26 Aug 2011 11:11:42 GMT

I don't think this is a common requiremement. I've not seen it in almost 2 years of TAC. I don't think that you can get it to work using a single context, but I see no reason why it shouldn't work using 2 contexts. Terminate ssl on the frontend context, send it out to a rserver (which will be a vip on the backend context) via the IDSM (bridging 2 vlans together). The backend context will encrypt and send to the real rservers. I haven't tested it, but I don't see what would prevent it from working. You can do the load balancing and/or cookie insert etc on either context.

Matthew

topic ACE end to end encryption with IDSM in Application Networking

ACE end to end encryption with IDSM

ACE end to end encryption with IDSM