unencrypting HTTPS using the STE

darin.marais
Level 4

I am posting this question again as it appears the original posting may have been at the wrong forum.

I have to admit that I am new to the concepts of the CSM and the SSL terminating engine (STE) and I have just begun to learn what this combination of modules can and cannot do.

Is it possible to decrypt SSL/HTTPS traffic using the SSL Services Module and/or the CSM for the Cisco Catalyst 6500 Series Switch? To rephrase the question: can encrypted traffic be decrypted and sent in clear text past the interface of a 4250-SX NIDS sensor appliance for inspection before the traffic is sent to a web server?

The sensor needs to see unencrypted data in order to detect events. In the following stick diagram, the sensor is connected to a gig port on the 6509 with a SPAN session that will copy the unencrypted HTTP traffic to that gig port.

Internet/HTTPS-----CSM--STE--NIDS_Sensor--HTTP/WebServer

Can anyone confirm that this is possible and does anyone have configuration examples on how this can be achieved?

Thanks in advance

1 Reply

jfoerster
Level 4

Hi,

If you have all the information of the certificate used for the HTTPS session, the SSL-Module can terminate the HTTPS session. The keychain and so on has to be imported to the SSL-Module. Regarding the NIDS I do not know much, but if this is a kind of IDS then I think that the NIDS is either listening on a SPAN port or is accessed directly like a transparent proxy.

Regarding the setup:

The CSM detects if the servers are accessed via HTTP or HTTPS. If it is HTTPS it forwards the traffic towards the SSL-Module. This module decrypts the traffic and might either send the traffic directly to one server or again to the CSM. The CSM will then distribute the requests to the existing webservers.

If you do not need load balancing across multiple servers / SSL blades the CSM might be left out, but as there is a nice bundle available (WS-SVC-SSL-CSM-K9=) I would use both modules, as load balancing (scalability) or intelligent failover kicks in earlier than one might imagine.

Hope this answers your question.

Regards,

Joerg
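The CSM-to-SSLM-to-CSM path Joerg describes, written out as a skeleton configuration. This is an added illustration, not configuration from the original post or from Cisco; every IP address, VLAN number, slot number, interface and name is a constructed placeholder, and the exact keywords should be checked against the command reference for the CSM and SSLM release in use.

```cisco
! --- CSM (assumed slot 5): client-side VLAN 100, server-side VLAN 200
module ContentSwitchingModule 5
 vlan 100 client
  ip address 10.1.1.2 255.255.255.0
  gateway 10.1.1.1
 vlan 200 server
  ip address 10.1.2.2 255.255.255.0
 ! The SSL module is just another "real" to the CSM; no NAT so the VIP is preserved
 serverfarm SSLM
  no nat server
  real 10.1.1.50
   inservice
 ! Clear-text web servers behind the CSM on VLAN 200
 serverfarm WEB
  nat server
  real 10.1.2.10
   inservice
  real 10.1.2.11
   inservice
 ! Port 443 on the VIP goes to the SSL module for decryption
 vserver HTTPS-VIP
  virtual 10.1.1.100 tcp https
  serverfarm SSLM
  inservice
 ! Port 80 on the VIP (plain HTTP, and HTTPS after SSLM decryption) goes to the web farm
 vserver HTTP-VIP
  virtual 10.1.1.100 tcp www
  serverfarm WEB
  inservice

! --- SSL Services Module: its own VLAN interface, then the proxy service
! Server certificate and key are imported beforehand into trustpoint WEB-TP
ssl-proxy vlan 100
 ipaddr 10.1.1.50 255.255.255.0
 gateway 10.1.1.2
ssl-proxy service WEB-SSL
 ! "secondary" so the SSLM does not answer ARP for the VIP the CSM owns
 virtual ipaddr 10.1.1.100 protocol tcp port 443 secondary
 ! Decrypted requests are handed back to the CSM's port-80 vserver
 server ipaddr 10.1.1.100 protocol tcp port 80
 certificate rsa general-purpose trustpoint WEB-TP
 inservice

! --- SPAN: copy the server-side (already decrypted) VLAN to the sensor's gig port
monitor session 1 source vlan 200 both
monitor session 1 destination interface GigabitEthernet3/1
```

The SPAN source must be the server-side VLAN (200 here), not the client VLAN: on VLAN 100 the sensor would only see the still-encrypted client-to-SSLM leg.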
