topic Re: How to terminate SSL encryption on ACE following IPS scan in Network Security

How to terminate SSL encryption on ACE following IPS scan

cisco_realm — Sun, 10 Mar 2019 11:12:47 GMT

hi,

Query on SSL termination. Following is the logical path,

The encrypted traffic hits the router -> hits the ASA IPS -> and then hits the VIP for load balancing via ACE.

The SSL encrypted traffic should terminate on the ACE load balancer. However, the IPS scan can only be performed on a decrypted traffic.

How can we re-encrypt the traffic to terminate on the load balancer. Or is it a bad idea due to performance issues ?

Regards.

Re: How to terminate SSL encryption on ACE following IPS scan

hadbou — Wed, 30 Jul 2008 21:32:36 GMT

SSL termination occurs when the ACE, acting as an SSL proxy server, terminates an SSL connection from a client and then establishes a TCP connection to an HTTP server. When the ACE terminates the SSL connection, it decrypts the ciphertext from the client and transmits the data as clear text to an HTTP server.

Re: How to terminate SSL encryption on ACE following IPS scan

cisco_realm — Sun, 03 Aug 2008 12:39:15 GMT

Ok. But if the Cisco ASA IPS module is placed before the ACE, how will the SSL be handled. Will the ciphertext be decrypted for IPS checking and then re-encrypted for termination at the ACE. Is it possible and is it the right way to go about it ?

Re: How to terminate SSL encryption on ACE following IPS scan

Farrukh Haroon — Mon, 04 Aug 2008 01:16:54 GMT

No SSL decryption is not supported on the Cisco IPS. McAfee claim to support such a feature AFAIR (however still you need to load some keys on the IPS to make this happen, this is usually not possible for servers out of your control).

Regards

Farrukh

Re: How to terminate SSL encryption on ACE following IPS scan

cisco_realm — Wed, 06 Aug 2008 07:24:49 GMT

So in other words it means that the traffic should be decrypted before Cisco IPS is hit.

The relevant design is; the incoming traffic hits

1) ASA with CSC-SSM, then it hits

2) ASA with AIP (IPS), then it hits

3) Cisco ACE

So, if the decryption should take place before IPS, then it can only be on Cisco ASA (CSC-SSM). Please confirm.

Regards

Re: How to terminate SSL encryption on ACE following IPS scan

Farrukh Haroon — Wed, 06 Aug 2008 07:29:19 GMT

Even if there is no second ASA (with CSC), the first ASA (with IPS) can decrypt the trafic and send it to the IPS module installed on it.

Regards

Farrukh

Re: How to terminate SSL encryption on ACE following IPS scan

cisco_realm — Wed, 06 Aug 2008 08:44:26 GMT

Farrukh, if I am not mistaken then the CSC module also requires decrypted traffic for virus checking. So in this design, the traffic will have to be decrypted at the internet edge device i.e Cisco ASA with CSC module. Right ?

Regards.

Re: How to terminate SSL encryption on ACE following IPS scan

Farrukh Haroon — Wed, 06 Aug 2008 09:19:32 GMT

Yes your understanding is spot on. Both IPS/CSC need decrypted traffic to do anything meaningful.

Regards

Farrukh

Re: How to terminate SSL encryption on ACE following IPS scan

cisco_realm — Thu, 07 Aug 2008 04:32:08 GMT

You had mentioned in earlier post that Cisco ASA IPS module doesn't have the ability to re-encrypt the trafffic. Is the same applicable to Cisco ASA CSC module as well.

Regards.

Re: How to terminate SSL encryption on ACE following IPS scan

Farrukh Haroon — Thu, 07 Aug 2008 05:53:42 GMT

This does not apply to your design. The VPN will be encr/decr on the edge ASA device. For inbound traffic (from the outside) it will be decrypted by the edge ASA, processed by the CSC, then by the second ASA+IPS and then it will reach the LAN host/server. In the opposite directon, it will be procesed by ASA+IPS, then ASA+CSC then encrypted by the ASA 'outside' interface and finally go out.

Regards

Farrukh