ACE end to end encryption with IDSM

jesrobbie
Level 1

We want to provide an end-to-end encryption service using an ACE20 in a CAT 6509E. This is covered in the ACE config guide so should be OK.

The issue is that we want to include traffic inspection using an IDSM2, so we need to separate the decrypt and encryption stages and send cleartext traffic to the IDSM2.

The Security and Virtualization in the Data Center pdf page 18/19 suggests that it might be possible. The design depicted there though is only doing SSL termination, then sending the clear text onto a WAF, and onto IPS but it does say end-to-end encryption is also possible.

So in essence what we want to do is have traffic from clients destined for the server farm decrypted by the ACE and sent to the IDS. We then want the traffic to return from the IDS to the ACE to be encrypted and sent onto the server farm.

I'm sure that others have come across this as it must be a pretty common requirement so I'm really looking for some firm guidance or documentation that might cover this.

Any ideas or thoughts would be very much appreciated.

Accepted Solution

mwinnett
Level 3

I don't think this is a common requirement. I've not seen it in almost 2 years of TAC. I don't think that you can get it to work using a single context, but I see no reason why it shouldn't work using 2 contexts. Terminate SSL on the frontend context, send it out to a rserver (which will be a VIP on the backend context) via the IDSM (bridging 2 VLANs together). The backend context will encrypt and send to the real rservers. I haven't tested it, but I don't see what would prevent it from working. You can do the load balancing and/or cookie insert etc. on either context.

Matthew

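The two-context design in the accepted answer, sketched as an added configuration example. This is not configuration from the original thread or from Cisco; it is an illustration of the shape of the design, and every name, VLAN number and IP address in it (FRONTEND/BACKEND contexts, VLANs 10/20/21/30, 192.0.2.10, the 10.10.x.x addresses, the IDSM slot number) is a placeholder to be replaced. The IDSM inline-VLAN-pair commands are shown from memory of the IDSM-2 inline mode and should be checked against the IDSM documentation for the software version in use.

```cisco
! ===== Supervisor: hand VLANs to the ACE and trunk the IDSM bridge pair =====
! (assumed placeholder slot numbers: ACE in slot 4, IDSM-2 in slot 5)
svclc vlan-group 1 10,20,21,30
svclc module 4 vlan-group 1
! IDSM-2 inline: the sensor bridges VLAN 20 <-> VLAN 21 and sees cleartext
intrusion-detection module 5 data-port 1 trunk allowed-vlan 20,21

! ===== IDSM-2 sensor side (placeholder; verify against your IPS release) =====
! service interface
!   physical-interfaces GigabitEthernet0/7
!     subinterface-type inline-vlan-pair
!       subinterface 1
!         vlan1 20
!         vlan2 21

! ===== ACE context FRONTEND: terminates client TLS, forwards cleartext =====
parameter-map type ssl SSL-TERM-PARAMS
  cipher RSA_WITH_AES_256_CBC_SHA
  version TLS1

ssl-proxy service SSL-TERM
  key frontend.key           ! placeholder key/cert names imported into this context
  cert frontend.pem
  ssl advanced-options SSL-TERM-PARAMS

! The "server" for this context is the VIP owned by the BACKEND context,
! reached only through the IDSM bridge (VLAN 20 -> IDSM -> VLAN 21).
rserver host BACKEND-VIP
  ip address 10.10.20.10
  inservice

serverfarm host SF-TO-BACKEND
  rserver BACKEND-VIP 80
    inservice

class-map match-all VIP-HTTPS
  2 match virtual-address 192.0.2.10 tcp eq https

policy-map type loadbalance first-match LB-TO-BACKEND
  class class-default
    serverfarm SF-TO-BACKEND

policy-map multi-match FRONTEND-POLICY
  class VIP-HTTPS
    loadbalance vip inservice
    loadbalance policy LB-TO-BACKEND
    ssl-proxy server SSL-TERM

interface vlan 10            ! client-facing VLAN
  ip address 192.0.2.1 255.255.255.0
  service-policy input FRONTEND-POLICY
  no shutdown
interface vlan 20            ! towards the IDSM, cleartext
  ip address 10.10.20.1 255.255.255.0
  no shutdown

! ===== ACE context BACKEND: receives cleartext from the IDSM, re-encrypts =====
parameter-map type ssl SSL-INIT-PARAMS
  cipher RSA_WITH_AES_256_CBC_SHA
  version TLS1

ssl-proxy service SSL-INIT   ! client-side (initiation) service: no cert/key needed
  ssl advanced-options SSL-INIT-PARAMS
  ! consider adding an authgroup here so the real servers' certificates are verified

rserver host WEB1
  ip address 10.10.30.11
  inservice

serverfarm host SF-WEB
  rserver WEB1 443
    inservice

class-map match-all VIP-CLEARTEXT
  2 match virtual-address 10.10.20.10 tcp eq www

policy-map type loadbalance first-match LB-WEB
  class class-default
    serverfarm SF-WEB
    ssl-proxy client SSL-INIT

policy-map multi-match BACKEND-POLICY
  class VIP-CLEARTEXT
    loadbalance vip inservice
    loadbalance policy LB-WEB

interface vlan 21            ! from the IDSM, cleartext
  ip address 10.10.21.1 255.255.255.0
  service-policy input BACKEND-POLICY
  no shutdown
interface vlan 30            ! server farm, re-encrypted
  ip address 10.10.30.1 255.255.255.0
  no shutdown
```

The point of the split is that cleartext exists only on the two VLANs bridged by the IDSM (20 and 21 here), so those VLANs should carry nothing else and should not be trunked anywhere except the ACE and the IDSM data port. A quick check that the design is behaving as intended is to confirm on the IDSM that the inline pair shows traffic in both directions, and on each ACE context that `show conn` shows the frontend context's connections landing on the backend VIP rather than on the real servers directly.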
