Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3011
Views
0
Helpful
6
Replies

Send HTTPS/SSL traffic to Firesight IPS sensors with no decryption?

Go to solution
Ralphy006
Level 1
Level 1

‎01-24-2017 12:26 PM - edited ‎03-12-2019 06:15 AM

Hi guys,

I'm not interested in doing SSL decryption. However, I believe if I send https traffic to the Firesight IPS sensors, the sensors can still stop certain vulnerabilities from being exploited (ie Heartbleed) WITHOUT decryption.

Am I wrong? Do most people not even send encrypted HTTPS/SSL traffic to the sensors?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Claudiu Cismaru
Cisco Employee
Cisco Employee
In response to Ralphy006

‎01-31-2017 12:42 AM

It's Claudiu, not Claudia :)

http://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/Application_Layer_Preprocessors.html#ID-2244-00000cfc

See

Stop inspecting encrypted traffic.

By default, the option is set to not inspect encrypted data.

View solution in original post

0 Helpful
6 Replies 6

Go to solution
Rahul Govindan
VIP Alumni
VIP Alumni

‎01-24-2017 01:06 PM

The common procedure is to send all traffic (https included) to the sensor. Even if you do not want to decrypt SSL, there are a bunch of other checks that it does, for example destination ip address in Global Blacklist (Security intelligence). I guess this adds some layer of protection to the traffic even if you can't see all parts of it.

0 Helpful

Go to solution
Claudiu Cismaru
Cisco Employee
Cisco Employee
In response to Rahul Govindan

‎01-25-2017 06:00 AM

Ralphy, you're correct.

Even with encrypted traffic, the base URL is extracted from the SSL flow so you'll be able to have URL based Access Control, have granularity on the HTTPS access based on users, apply SSL vulnerability rules on the SSL flows and more.

The device is smart enough to have the HTTPS portion of the traffic, which is encrypted, to not be analyzed and thus minimizing the CPU impact of this traffic.

0 Helpful

Go to solution
Ralphy006
Level 1
Level 1
In response to Claudiu Cismaru

‎01-31-2017 12:42 AM

Thanks Claudiu.

Do you have this documented anywhere? "The device is smart enough to have the HTTPS portion of the traffic, which is encrypted, to not be analyzed and thus minimizing the CPU impact of this traffic."

0 Helpful

Go to solution
Claudiu Cismaru
Cisco Employee
Cisco Employee
In response to Ralphy006

‎01-31-2017 12:42 AM

It's Claudiu, not Claudia :)

http://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/Application_Layer_Preprocessors.html#ID-2244-00000cfc

See

Stop inspecting encrypted traffic.

By default, the option is set to not inspect encrypted data.

0 Helpful

Go to solution
Ralphy006
Level 1
Level 1
In response to Claudiu Cismaru

‎01-31-2017 10:49 AM

Thanks Claudiu.

So indeed have the SSL preprocessor enabled and the "Stop inspecting encrypted traffic"/"Server side data is trusted" checked within my network analysis policy.

However, I'm confused whether or not the non-encrypted portion will be inspected for intrusions and URL filtering. ie the stuff you mentioned:

Even with encrypted traffic, the base URL is extracted from the SSL flow so you'll be able to have URL based Access Control, have granularity on the HTTPS access based on users, apply SSL vulnerability rules on the SSL flows and more.

The device is smart enough to have the HTTPS portion of the traffic, which is encrypted, to not be analyzed and thus minimizing the CPU impact of this traffic.

Also, I'm guessing it's recommended to enable the "SSL Preprocessor Rules" GID 137?

Please confirm, thanks!

0 Helpful

Go to solution
Claudiu Cismaru
Cisco Employee
Cisco Employee
In response to Ralphy006

‎02-01-2017 06:30 AM

Non-encrypted portion is not actually non-encrypted. If it's part of the SSL protocol, the SSL preprocessor will analyze it and URL filtering is performed based on the URL generated from the SNI from the Client Hello or CN of the Server Cert.

If you need those rules active, you can enable them as well. It solely depends on your use case.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card