<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic SSL decryption is useful for in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/ssl-encrytion-decryption-5555-x/m-p/3096887#M1014977</link>
    <description>&lt;P&gt;SSL decryption is useful for incoming traffic where you have the server certificate and key.&lt;/P&gt;
&lt;P&gt;It is not so useful for outgoing traffic as it requires a PKI and all clients must trust the issuing CA. Also, many modern applications and an increasing number of websites have technologies like certificate pinning in place to block man-in-the-middle interception as is done by SSL decryption. That's in addition to the significant (up to 75-80%) performance hit you get when doing SSL decryption.&lt;/P&gt;
&lt;P&gt;A better solution for this latter use case is to use endpoint-based tools like Cisco AMP for Endpoints and/or Cisco Umbrella that provide superior protection after the data comes out of the SSL tunnel.&lt;/P&gt;</description>
    <pubDate>Sat, 29 Jul 2017 14:01:34 GMT</pubDate>
    <dc:creator>Marvin Rhoads</dc:creator>
    <dc:date>2017-07-29T14:01:34Z</dc:date>
    <item>
      <title>SSL Encryption/decryption 5555-X</title>
      <link>https://community.cisco.com/t5/network-security/ssl-encrytion-decryption-5555-x/m-p/3096886#M1014956</link>
      <description>&lt;P&gt;Hi all.&lt;/P&gt;
&lt;P&gt;Kindly please advise. We are doing a firewall project where we are bringing in a 5555-X with the Firepower module. We wanted SSL encryption/decryption, but our supplier advises this is not a good idea. Better to leave this, as it will degrade the performance. However, if we do SSL encryption with selected categories, it should not make a difference.&lt;/P&gt;
&lt;P&gt;Kindly please advise whether it's a good idea to drop SSL on the 5555-X. If so, then why is Cisco giving the technology that should not be implemented in a production network?&lt;/P&gt;</description>
      <pubDate>Tue, 12 Mar 2019 13:28:26 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ssl-encrytion-decryption-5555-x/m-p/3096886#M1014956</guid>
      <dc:creator>Sheraz.Salim</dc:creator>
      <dc:date>2019-03-12T13:28:26Z</dc:date>
    </item>
    <item>
      <title>SSL decryption is useful for</title>
      <link>https://community.cisco.com/t5/network-security/ssl-encrytion-decryption-5555-x/m-p/3096887#M1014977</link>
      <description>&lt;P&gt;SSL decryption is useful for incoming traffic where you have the server certificate and key.&lt;/P&gt;
&lt;P&gt;It is not so useful for outgoing traffic as it requires a PKI and all clients must trust the issuing CA. Also, many modern applications and an increasing number of websites have technologies like certificate pinning in place to block man-in-the-middle interception as is done by SSL decryption. That's in addition to the significant (up to 75-80%) performance hit you get when doing SSL decryption.&lt;/P&gt;
&lt;P&gt;A better solution for this latter use case is to use endpoint-based tools like Cisco AMP for Endpoints and/or Cisco Umbrella that provide superior protection after the data comes out of the SSL tunnel.&lt;/P&gt;</description>
      <pubDate>Sat, 29 Jul 2017 14:01:34 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ssl-encrytion-decryption-5555-x/m-p/3096887#M1014977</guid>
      <dc:creator>Marvin Rhoads</dc:creator>
      <dc:date>2017-07-29T14:01:34Z</dc:date>
    </item>
  </channel>
</rss>

