Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
668
Views
0
Helpful
1
Replies

How to host 300+ secure websites using a couple of public IP's on an ASA5520 with AIP SSM-20 and with as few certificates as possible?

mbookham
Level 1
Level 1

‎06-23-2011 01:44 PM - edited ‎03-11-2019 01:49 PM

How can we host 300+ secure (https) websites using a couple of public IP's on an ASA5520 with AIP SSM-20 and with as few certificates as possible?

Summary of set-up:

We currently host a number of websites using an ASA5520 and use host headers, so have 6 servers with around 40 hosted URL's.

The number of websites is due to double very soon and we will need to use more of our public IP's. We can see that we will will run out of public IP's very soon especially as there is a project in the pipeline that has a likely requirement to host an additional 200+ websites.

Each of these websites are required to use https and therefore each must have a certificate which will be very expensive. PCI DSS (payment card industry data security standard) is causing us issues because we had hoped to post the certificates on the firewall (one for each physical server) and then run the data un-encrypted from the firewall to the relevant web servers, so that we could use one certificate for lots of websites and therefore reduce our certificate costs, however is not best practice to do this due to the data being unencrypted within the firewall and on the DMZ network and therefore potentially open to compromise. I doubt that we could install 200+ certificates on a 5520 and then re-encrypt the data to the web servers especially seeing as we also have an IPS card that is already running at around 70-80% util due to the performance overhead.

BTW - We also have an in-line Breach WAF which will be required to inspect the packets (certificates to be installed on the WAF to allow this).

Thanks.

Labels:
0 Helpful
1 Reply 1

stojanr
Level 1
Level 1

‎06-24-2011 02:38 AM

CIsco ASA does not support SSL termination for such purposes. You will require a Cisco ACE appliance or a module to perform SSL termination for client's HTTPS requests. Such HTTPS requests can terminate on the ACE, and you can then forward HTTP requests to the backend servers.

You will still require the same number of SSL certificates though, depending on the number of websites you're hosting.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card