topic The reverse proxy doesn't in Network Security

ASA-NG IPS Inspect Encrypted Traffic

bahmanjafari — Sun, 10 Mar 2019 13:17:07 GMT

We Are Buy ASA 5525-X with IPS for We Network . We have a number of servers that provide Web services Applications .

We have a big problem at setup ASA This is We can not use Inspect ASA and IPS features Because above 80% Traffic Through Encrypted .

Thank you tell me how can I solve this problem.

I know that a solution use HTTPS Proxy in ASA but For some reason, this solution can not be implemented.

Thanks.

If you want to protect you

Karsten Iwen — Sun, 23 Nov 2014 16:58:43 GMT

If you want to protect you own Webservers from attacks from the internet. you can't use the HTTPS-Decryption of the ASA-CX as the internet-clients don't have your CX-certificate.

The typical way to solve this is to place a reverse-proxy into a DMZ and do the SSL/TLS-handling there. The reverse-proxy sends plain HTTP through the ASA and the IPS can inspect that and protect your servers.

Thanks for your answerI Can

bahmanjafari — Mon, 24 Nov 2014 05:07:59 GMT

Thanks for your answer

I Can implement reverse proxy with ASA5525-X ?

If the answer is negative

Please help me in selecting the best practice for implement reverse proxy.

Do not use Cisco Agent Security for this Solutions ?

Best

The reverse proxy doesn't

Karsten Iwen — Mon, 24 Nov 2014 06:55:05 GMT

The reverse proxy doesn't have anything to do with the ASA:

In a DMZ you have a host acting as a reverse proxy. I prefer a Linux-box with nginx for that. This host gets the HTTPS-requests from the internet and forwards them as HTTP to the real server (inside or in another DMZ)
On the outside interface you allow HTTPS to the reverse proxy and also add a coresponding NAT for that system
On the interface where the reverse-proxy is, you allow HTTP to the real web-server. In addition to that you make sure that your MPF sends this traffic to the IPS-module.

HiThanks for your Complete

bahmanjafari — Wed, 26 Nov 2014 09:56:26 GMT

Thanks for your Complete answer.

Excuse me, I have a question. Is it possible to use ASA to Act https proxy servers Similar CSC to the previous generation ?

No, the ASA can't do that.

Karsten Iwen — Wed, 26 Nov 2014 10:47:08 GMT

No, the ASA can't do that. You need an external device for that.

Thank you Which Device Can

bahmanjafari — Wed, 03 Dec 2014 07:04:31 GMT

Thank you

Which Device Can use For This Solutions ?