topic Re: HTTPS inspection in Network Security

HTTPS inspection

harisapkota123 — Tue, 26 Mar 2019 00:45:51 GMT

Dear all,

I want to block some social networking sites using ASA 5510-CSC-SSM, As I searched and come to know that ASA 5510 can't inspect and intercept for https traffic because it is encrypted while traversing throught the ASA. I want the ASA to make functioning for https too, not only http. Can i perform this task by updating any software on existing device?? Any response will be appreciated.

Thanks in Advance

Hari,

Re: HTTPS inspection

Jennifer Halim — Fri, 25 Feb 2011 06:29:39 GMT

No, there is no software update on CSC module that will allow that because to be able to unencrypt the HTTPS traffic and inspect it, you will be required to perform man-in-the-middle as the packet is encrypted, and CSC-module is not capable of doing that.

Re: HTTPS inspection

Pavel Pokorny — Fri, 25 Feb 2011 13:55:22 GMT

HI,

I am afraid the only one thing you can do, is http inspection with uri orl url regex and then appropriate action.

Nice document to this : https://supportforums.cisco.com/docs/DOC-1268

HTH

Pavel

Hellohttp inspection working;

DAVID THORNTON — Wed, 20 Aug 2014 14:36:12 GMT

Hello

http inspection working; but https gets me to the page i am trying to hide..

i can block

http://xxx.whatever.com/somewhere_i_want_to_hide/page.html

using the documents referenced above

owever; if i prepend the url with https:// this bypasses the http inspection on the ASA (V9)

now i understand "deep packet" inspection is not possible due to encryption under SSL but why cant the ASA block the access to the page seeing as the top level url is not actually anything but clear text?

this is my code snippet that works ok to block the http with "webservices" in it

i need to do the same for https:// {blah-webservices-blah}

regex blockex1 ".*webservices.*\.svc"

class-map inspection_default

match default-inspection-traffic

class-map type inspect http match-any block-url-class

match request uri regex blockex1

policy-map type inspect http block-url-policy

parameters

class block-url-class

drop-connection log

policy-map global_policy

description inspect and block specific http URI requests

class inspection_default

inspect http block-url-policy

service-policy global_policy global

thanks

dave

Hi,I'm afraid, when used

Pavel Pokorny — Wed, 20 Aug 2014 18:42:09 GMT

Hi,

I'm afraid, when used protocol is https (and not http), so http inspection won't work.

You can try this:

http://www.tunnelsup.com/using-just-a-cisco-asa-to-block-specific-websites

HTH,

Pavel