04-24-2017 06:13 AM - edited 03-12-2019 02:15 AM
Hi
I want to know if a firewall can decrypt encrypted traffic.
If so, which firewall can do so?
04-24-2017 06:28 AM
Hi kyisoethin,
No, Cisco ASAs have the ability to decrypt encrypted traffic, but the Cisco ASA 5500-X series firewall with FirePOWER modules has the ability to decrypt and inspect SSL traffic. Follow the link for more information.
https://www.a10networks.com/blog/ssl-inspection-decryption-cisco-asa-firepower
But other vendors' firewalls, like Palo Alto, can do so. Follow the link for more information.
https://www.paloaltonetworks.com/features/decryption
If this is helpful, please give it a thumbs up.
04-24-2017 06:35 AM
Hi,
Ordinary firewalls which perform firewalling functions only, such as the ASA, can decrypt only IPsec traffic that is encrypted. SSL can't be decrypted with ordinary firewalls.
Next-gen firewalls can decrypt SSL traffic and intercept it. This needs a lot of processing power, which isn't present in ordinary firewalls.
04-24-2017 08:02 PM
Thank you for your answer.
I have more questions about it.
If a firewall can decrypt IPsec or SSL, how can this be?
How do they get the decryption/encryption key?
04-24-2017 09:56 PM
For IPsec, the common deployment uses a pre-shared key, which needs to be configured at both firewall ends. Conceptually, this is the key used to encrypt/decrypt. You can look up the exact way encryption/decryption works, as IPsec IKEv1 goes through phase 1 and phase 2. During this negotiation, it will extract the actual encryption key, authentication key and nonce.
For SSL, it is based on cryptography. The user will authenticate the firewall certificate using its trusted root CA. After successful verification, they will use the public key/private key to exchange a session key, which will be used during the session lifetime for encryption/decryption. This is the case for both client and clientless.
You can look up more online to get the details about how this happens, as it's a lengthy process.
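As an added worked example (not part of the original thread or of any vendor's code), here is the IKEv1 phase 1 pre-shared-key derivation the reply above refers to, written out with the formulas from RFC 2409 (section 5 and section 5.4). The PSK, nonces, cookies and the tiny Diffie-Hellman group are constructed toy inputs; the g^xy encoding is simplified (not padded to the group size) and the PRF is HMAC-SHA1, i.e. the SHA-1 hash attribute. The point it shows is that only the PSK and the DH private values are secret: the nonces and cookies travel in cleartext, yet both ends still arrive at identical SKEYID_d / SKEYID_a / SKEYID_e, while a mismatched PSK yields different keys on each side.

```python
"""IKEv1 main-mode key derivation with pre-shared-key authentication.

Added illustration, not code from the original thread. Formulas follow
RFC 2409; all inputs are constructed toy values.
"""
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman parameters so the arithmetic is readable. Real IKE uses
# groups such as MODP-2048 (RFC 3526); never use these numbers for anything real.
TOY_P = 2**127 - 1  # Mersenne prime M127, fine as an illustrative modulus
TOY_G = 5


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 PRF for the SHA-1 hash attribute: HMAC-SHA1 (RFC 2409 sec. 3.2)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def int_to_bytes(n: int) -> bytes:
    """Minimal big-endian encoding (real IKE pads g^xy to the group size)."""
    return n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")


class IkePeer:
    """State one IKE endpoint (e.g. one firewall) holds during phase 1."""

    def __init__(self, psk: bytes):
        self.psk = psk
        self.cookie = secrets.token_bytes(8)   # CKY-I / CKY-R: 8 octets, sent in clear
        self.nonce = secrets.token_bytes(16)   # Ni_b / Nr_b: sent in clear
        self.dh_priv = secrets.randbelow(TOY_P - 2) + 1  # never leaves this peer
        self.dh_pub = pow(TOY_G, self.dh_priv, TOY_P)    # g^xi / g^xr, sent in clear


def derive_phase1_keys(psk, ni, nr, gxy, cky_i, cky_r):
    """RFC 2409 sec. 5.4 (pre-shared keys) and sec. 5:
       SKEYID   = prf(pre-shared-key, Ni_b | Nr_b)
       SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0)   -> seeds phase 2 keys
       SKEYID_a = prf(SKEYID, SKEYID_d | g^xy | CKY-I | CKY-R | 1) -> authentication
       SKEYID_e = prf(SKEYID, SKEYID_a | g^xy | CKY-I | CKY-R | 2) -> encryption
    """
    skeyid = prf(psk, ni + nr)
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")
    return {"SKEYID": skeyid, "SKEYID_d": skeyid_d,
            "SKEYID_a": skeyid_a, "SKEYID_e": skeyid_e}


def run_exchange(psk_initiator: bytes, psk_responder: bytes):
    """Simulate what each end computes after main-mode messages 1-4
    (SA proposal, KE payloads, nonces). Returns (initiator_keys, responder_keys)."""
    i = IkePeer(psk_initiator)
    r = IkePeer(psk_responder)
    # Each side combines the peer's public value with its own private exponent.
    gxy_i = int_to_bytes(pow(r.dh_pub, i.dh_priv, TOY_P))
    gxy_r = int_to_bytes(pow(i.dh_pub, r.dh_priv, TOY_P))
    keys_i = derive_phase1_keys(i.psk, i.nonce, r.nonce, gxy_i, i.cookie, r.cookie)
    keys_r = derive_phase1_keys(r.psk, i.nonce, r.nonce, gxy_r, i.cookie, r.cookie)
    return keys_i, keys_r


def keys_match(psk_initiator: bytes, psk_responder: bytes) -> bool:
    """True only when both ends hold the same PSK (in real IKE a mismatch
    surfaces as a failed HASH_I / HASH_R check rather than a key comparison)."""
    keys_i, keys_r = run_exchange(psk_initiator, psk_responder)
    return keys_i == keys_r


if __name__ == "__main__":
    print("same PSK ->", keys_match(b"correct-psk", b"correct-psk"))
    print("different PSK ->", keys_match(b"correct-psk", b"wrong-psk"))
```

Note that SKEYID in PSK mode depends only on the pre-shared key and the two public nonces, which is why a weak PSK is a real weakness for IKEv1: anyone who captures the exchange has everything except the PSK itself.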
04-25-2017 07:22 AM
Thanks.
I get it.
For SSL, I think the firewall proxies the communication. It sends the client its own certificate and the client verifies it. After that, the firewall creates an SSL connection to the other client. So there are two SSL connections.
Am I right?
04-25-2017 07:23 AM
Correct.