cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Welcome to Cisco Firewalls Community


481
Views
0
Helpful
1
Replies
Highlighted
Beginner

How to host 300+ secure websites using a couple of public IP's on an ASA5520 with AIP SSM-20 and with as few certificates as possible?

How can we host 300+ secure (https) websites using a couple of public IP's on an ASA5520 with AIP SSM-20 and with as few certificates as possible?

Summary of set-up:

We currently host a number of websites using an ASA5520 and use host headers, so have 6 servers with around 40 hosted URL's.

The number of websites is due to double very soon and we will need to use more of our public IP's. We can see that we will will run out of public IP's very soon especially as there is a project in the pipeline that has a likely requirement to host an additional 200+ websites.

Each of these websites are required to use https and therefore each must have a certificate which will be very expensive. PCI DSS (payment card industry data security standard) is causing us issues because we had hoped to post the certificates on the firewall (one for each physical server) and then run the data un-encrypted from the firewall to the relevant web servers, so that we could use one certificate for lots of websites and therefore reduce our certificate costs, however is not best practice to do this due to the data being unencrypted within the firewall and on the DMZ network and therefore potentially open to compromise. I doubt that we could install 200+ certificates on a 5520 and then re-encrypt the data to the web servers especially seeing as we also have an IPS card that is already running at around 70-80% util due to the performance overhead.

BTW - We also have an in-line Breach WAF which will be required to inspect the packets (certificates to be installed on the WAF to allow this).

Thanks.

1 REPLY 1
Beginner

How to host 300+ secure websites using a couple of public IP's o

CIsco ASA does not support SSL termination for such purposes. You will require a Cisco ACE appliance or a module to perform SSL termination for client's HTTPS requests. Such HTTPS requests can terminate on the ACE, and you can then forward HTTP requests to the backend servers.

You will still require the same number of SSL certificates though, depending on the number of websites you're hosting.