11-17-2008 10:26 AM
For internet applications, Cisco ACE is ideal for SSL offloading, e.g. for https://www.ebay.com. However, one of the drawbacks is that the intermediate ASA IPS and Content Security do not deliver their best, as they cannot scan HTTPS traffic.
So what alternative would you suggest instead of ACE, to be placed before the ASA, which could offload the SSL traffic and then forward the traffic to the ASA for the scan performed by the Cisco IPS and Content Security (Anti-X) modules?
11-17-2008 11:05 AM
If traffic is encrypted, it's encrypted; there is no workaround. The only option is to decrypt it and send it for further analysis.
Multiple contexts in ACE give you an easy option, as you can simply dedicate one context for this purpose if needed.
Another option could be to use an IPS down the line, just before the server farm. The perimeter IPS will take care of the non-encrypted traffic, and the encrypted traffic will be analyzed just before the server farm (after being offloaded by ACE).
Syed
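As an added illustration of the dedicated-context approach described in the answer above (this is example configuration, not from the original post or from Cisco documentation; the context name, VLANs, addresses 203.0.113.10 and 10.1.1.0/24, and the certificate and key file names are all assumed), here is the minimal ACE configuration for one context that terminates TLS on a VIP and forwards cleartext HTTP towards the real servers, so that any IPS sitting between the ACE and the server farm sees decrypted traffic:

```cisco
! --- Admin context: carve out a context dedicated to SSL offload ---
! (assumed names: SSL_OFFLOAD, VLAN 100 client side, VLAN 200 server side)
context SSL_OFFLOAD
  allocate-interface vlan 100
  allocate-interface vlan 200

! --- Inside context SSL_OFFLOAD ---
! Certificate and key previously imported with "crypto import" (assumed file names)
parameter-map type ssl SSL_PARAMS
  ! example: restrict to TLS only, no SSLv2/SSLv3
  version TLS1

ssl-proxy service SSL_TERMINATE
  key    example-com.key
  cert   example-com.pem
  ssl advanced-options SSL_PARAMS

! Real servers are reached on port 80: the decrypted stream crosses
! VLAN 200 (where the IPS / Anti-X path sits) in the clear
rserver host WEB1
  ip address 10.1.1.11
  inservice
rserver host WEB2
  ip address 10.1.1.12
  inservice

serverfarm host WEB_FARM
  rserver WEB1 80
    inservice
  rserver WEB2 80
    inservice

! Only the VIP on tcp/443 is matched; nothing else is exposed by this context
class-map match-all VIP_HTTPS
  2 match virtual-address 203.0.113.10 tcp eq https

policy-map type loadbalance first-match LB_HTTPS
  class class-default
    serverfarm WEB_FARM

policy-map multi-match VIPS
  class VIP_HTTPS
    loadbalance vip inservice
    loadbalance policy LB_HTTPS
    loadbalance vip icmp-reply
    ssl-proxy server SSL_TERMINATE

interface vlan 100
  description client-facing (towards ASA / Internet)
  ip address 203.0.113.5 255.255.255.0
  service-policy input VIPS
  no shutdown
interface vlan 200
  description server-facing (towards IPS and Rservers)
  ip address 10.1.1.1 255.255.255.0
  no shutdown
```

The point to check after applying something like this is `show service-policy VIPS detail` and `show serverfarm WEB_FARM`: connections should arrive on the VIP as HTTPS and leave towards the rservers on port 80. Because the server-side leg is cleartext, the VLAN between the ACE and the server farm is exactly where the IPS and Anti-X inspection should be placed, and it should not be reachable from anywhere else.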
11-17-2008 11:39 AM
In a hosting space within a data center where high-speed internet connectivity is provided, is it feasible to plug the internet line directly into the ACE 4710, i.e. the traffic hits the VIP first? So SSL offloading happens on the ACE, and on the way to the Rservers the ASA IPS and Content Security are deployed for a one-stop decrypted-traffic scan. Following the scan, it hits the designated Rserver.
Topology
Internet -> ACE -> ASA with IPS -> ASA with Anti-X -> Rserver
Is this a good alternative?
11-17-2008 06:10 PM
With the ASA-IPS solution, the maximum throughput you get is 650 Mbps (if you are using an ASA 5540 with an SSM-40 card in it). The ACE Appliance's throughput (1, 2, or 4 Gbps) is much more than that.
I am not sure what your expected throughputs are, but when higher throughput is desired, ACE Appliance + ASA IPS is not a scalable/valid solution.
For higher throughput you need the ACE Module (options: 16 Gbps, 8 Gbps, and 4 Gbps) and IPS 42xx appliances, which give you up to 4 Gbps throughput.
Again, the problem is that if the traffic is encrypted, there is no way you can analyze the packets before they are decrypted. You need to decrypt it using some SSL offloader (like ACE), and only then will the IPS be able to analyze the data in the packets.
HTH
Syed Iftekhar Ahmed
11-19-2008 11:02 AM
So in the given topology, if ACE becomes the internet edge device, i.e. the first device exposed to the internet, wouldn't it be a security risk? Because the ACE configuration would have the IPs and other details of all the Rservers, and if the ACE is hacked, all the server information would be visible to the intruder. So is it secure?
11-19-2008 11:19 AM
You don't need to place ACE as the internet-facing edge device. You can use an ASA context in front of ACE.
Syed
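As an added example of the arrangement suggested in the answer above (example configuration, not from the original post or from Cisco documentation; the context name EDGE, the interfaces, and the addresses 203.0.113.0/24 and 203.0.113.10 for the ACE VIP are assumed), this is how an ASA running in multiple-context mode can be given one context that sits between the Internet and the ACE and exposes nothing but the VIP on tcp/443, so the ACE and its rserver definitions are never the first hop from the Internet:

```cisco
! --- System execution space: enable multiple contexts and define EDGE ---
mode multiple
admin-context admin
context admin
  config-url disk0:/admin.cfg

context EDGE
  description Internet edge in front of the ACE (assumed name)
  allocate-interface GigabitEthernet0/0 outside_if
  allocate-interface GigabitEthernet0/1 inside_if
  config-url disk0:/EDGE.cfg

! --- Configuration of context EDGE (entered after "changeto context EDGE") ---
interface outside_if
  nameif outside
  security-level 0
  ip address 203.0.113.2 255.255.255.0
  no shutdown
interface inside_if
  nameif inside
  security-level 100
  ip address 203.0.113.1 255.255.255.0
  no shutdown

! Only HTTPS to the ACE VIP is allowed in from the Internet.
! The ACE management plane and the rserver subnet are never reachable here.
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 443
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside

! Inspection of the still-encrypted stream is limited to TCP normalization here;
! the IPS / Anti-X modules must be placed on the ACE's server-side (cleartext) leg.
policy-map global_policy
  class inspection_default
    inspect dns
    inspect icmp
service-policy global_policy global
```

Two checks are worth running once this is in place: `show access-list OUTSIDE_IN` should show hits only on the tcp/443 line, and `packet-tracer input outside tcp 198.51.100.7 40000 203.0.113.10 22` should end in a DROP, confirming that nothing but the VIP service is exposed. The dedicated context also means that a compromise of the EDGE context's configuration does not disclose the ACE or rserver configuration, which lives on the other side.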