How to host 300+ secure websites using a couple of public IP's on an ASA5520 with AIP SSM-20 and with as few certificates as possible?
How can we host 300+ secure (https) websites using a couple of public IP's on an ASA5520 with AIP SSM-20 and with as few certificates as possible?
Summary of set-up:
We currently host a number of websites using an ASA5520 and use host headers, so have 6 servers with around 40 hosted URL's.
The number of websites is due to double very soon and we will need to use more of our public IP's. We can see that we will will run out of public IP's very soon especially as there is a project in the pipeline that has a likely requirement to host an additional 200+ websites.
Each of these websites are required to use https and therefore each must have a certificate which will be very expensive. PCI DSS (payment card industry data security standard) is causing us issues because we had hoped to post the certificates on the firewall (one for each physical server) and then run the data un-encrypted from the firewall to the relevant web servers, so that we could use one certificate for lots of websites and therefore reduce our certificate costs, however is not best practice to do this due to the data being unencrypted within the firewall and on the DMZ network and therefore potentially open to compromise. I doubt that we could install 200+ certificates on a 5520 and then re-encrypt the data to the web servers especially seeing as we also have an IPS card that is already running at around 70-80% util due to the performance overhead.
BTW - We also have an in-line Breach WAF which will be required to inspect the packets (certificates to be installed on the WAF to allow this).
How to host 300+ secure websites using a couple of public IP's o
CIsco ASA does not support SSL termination for such purposes. You will require a Cisco ACE appliance or a module to perform SSL termination for client's HTTPS requests. Such HTTPS requests can terminate on the ACE, and you can then forward HTTP requests to the backend servers.
You will still require the same number of SSL certificates though, depending on the number of websites you're hosting.
Hi There,Is there a relationship between the hardware of the Cisco ASA 5505 FWs (V02) and the 9.x software version? Multiple ASA have been successfully updated with the same software. The ASAs that have been updated without any problems are V06 versi...
Dear Cisco Customers and Partners,
We know that the Cisco Identity Services Engine (ISE) is a critical element of your network security and so stability is of paramount importance. As a result, many of you asked us for a suggested release given sev...
Over 100-year-old Yokogawa Engineering Asia deploys Cisco Advanced Malware Protection (AMP) to shield itself against cyber attacks. With Cisco Talos threat intelligence, it stays ahead of the latest malicious behavior on the Internet. Learn more at http:/...
Learn how Cisco’s new approach to cybersecurity will simplify your experience, accelerate your success, and secure your future.
Why Cisco Firewalls?
Cisco Security Virtual Summit
Get the BIG picture
I am hoping the attached spreadsheet can help folks create their own simple custom profiles in bulk. For anyone who has to create dozens of profiles at once, it can get pretty time consuming doing it through the GUI. Shout out to Craig Hyps who created th...