
ASA Firepower ssl decryption

Vahid Tavajjohi
Level 1

hi everyone

Does Firepower support SSL decryption, or should I have Sourcefire beside the ASA?


thanks


hi marvin,

thanks for this info! +5

i guess the cisco engineer i worked with was right.

anyways, it's just a POC and i'm just getting output data to present to management.

i'll do firepower probably next month. i hope you guys would be around if i post any questions.

You are a great help. Really, I wish there were more cooperating tech professionals like you. :) On Cisco docs it said WSA wouldn't support "server cert" on the appliance, only "root". It makes sense if the setup is for outgoing connections, for which there are so many SSL connection points; in my case I have only a web server / application, and the concern is clients coming externally, so should the server certificate option be more viable?

Asad,

For inspection of incoming https traffic, it's a different story. Assuming you own the server and its certificate, you can put a copy on your inspection engine (WSA or FirePOWER appliance).

In that use case, it has the legitimate certificate of the target server and can, for the purposes of terminating SSL session to inspect the content, act as if it is the server itself.

This is not unlike what we do with Application Delivery controllers (aka load balancers such as Citrix Netscaler or F5 BigIP) when they front for an SSL server farm. In those cases we often pass the traffic to the real servers unencrypted (this is desirable as the modern ADCs have purpose-built hardware and optimized software for SSL offload thus allowing the backend servers to devote more resources to application server tasks vs. encryption/decryption); but they all have the option of re-encrypting as well.

(EDIT - note this feature is for IPS only, e.g. FirePOWER appliances.)

Thanks Marvin,

That's interesting that you mentioned the big names in load-balancing tech, e.g. F5 and others. I researched F5 for a few hours, and the term they used to describe the concept of "decrypt-inspect-re-encrypt" was SSL bridging. Now, from what I know, it requires at least two profiles, client side and server side, to ensure complete end-to-end encryption.

In your last post, you mentioned that for incoming SSL inspection a copy of the server certificate and key would be fine, but it was my mistake that I forgot to ask about the need to re-encrypt once it is done with inspection, i.e. does the concept of SSL bridging hold true on CWSA and Firepower as well? I remember you said in another post that "YES it does that", but then it makes me confused about the use of certificates: for CWSA to act as an SSL client to the target server it needs a certificate / key as well. Where would that come from? The certificate / key from the server that we copied onto the appliance would do fine to act as the "client profile", allowing it to act like a server, but what about the other half of the journey (appliance to target server)?

Sorry for confusion

Asad,

For the "appliance to target server" use case, you don't need a certificate-key pair on the appliance for that backend communications link. The target server(s) have the necessary pair. Remember for that link, the appliance is the client and no more needs its own certificate than you do when you browse to any "https" URL via SSL/TLS.

Netscaler (which I'm most familiar with) calls this "SSL Offloading with End-to-End Encryption". SSL bridging is something else - not decrypting the SSL at all. As described here, it doesn't require a certificate on the appliance at all.
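The two-leg arrangement described in the posts above (terminate with the server's own certificate, inspect the plaintext, then re-encrypt to the backend as an ordinary TLS client that carries no certificate of its own), as an added Go example that is not from this thread or from any Cisco or Citrix product. It assumes httptest's built-in localhost certificate as the stand-in for the server cert/key copied to the appliance, and the `' or 1=1` check is a constructed toy signature:

```go
package main

import (
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// NewInspector starts a backend HTTPS server and an inspecting front end on loopback.
// Both use httptest's built-in localhost certificate (assumed stand-in for the real
// server's cert/key). Returns the front-end URL, a client trusting it, and a stop func.
func NewInspector() (string, *http.Client, func()) {
	backend := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		body, _ := io.ReadAll(r.Body)
		w.Write([]byte("backend got: " + string(body)))
	}))
	// Leg 2: the appliance is a plain TLS client; it needs a trust store for the
	// backend's certificate but no certificate of its own.
	upstream := backend.Client()
	front := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Leg 1 was terminated with the server's certificate, so the body is plaintext here.
		body, _ := io.ReadAll(r.Body)
		if strings.Contains(strings.ToLower(string(body)), "' or 1=1") { // constructed toy IPS signature
			http.Error(w, "blocked by inspection", http.StatusForbidden)
			return
		}
		resp, err := upstream.Post(backend.URL+r.URL.Path, r.Header.Get("Content-Type"), strings.NewReader(string(body)))
		if err != nil {
			http.Error(w, err.Error(), http.StatusBadGateway)
			return
		}
		defer resp.Body.Close()
		w.WriteHeader(resp.StatusCode)
		io.Copy(w, resp.Body)
	}))
	return front.URL, front.Client(), func() { front.Close(); backend.Close() }
}

// Send posts body through the inspector and returns the status code and reply text.
func Send(url string, c *http.Client, body string) (int, string) {
	resp, err := c.Post(url+"/login", "text/plain", strings.NewReader(body))
	if err != nil {
		return 0, err.Error()
	}
	defer resp.Body.Close()
	b, _ := io.ReadAll(resp.Body)
	return resp.StatusCode, strings.TrimSpace(string(b))
}
```

A clean request reaches the backend over the re-encrypted second leg; one matching the toy signature is rejected at the inspection point and never reaches the server.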

Marvin,


Thanks for giving much needed clarity on the subject. However, I'm stuck on something which I'm not able to locate in CWSA datasheets: this is in regard to how, e.g. in inbound SSL mode, a web attack such as SQL injection will be handled / absorbed by the appliance. Is there an IPS engine running inside CWSA which does that? I mean, where do the signatures for such actions come from? Thanks.


[UPDATE] For example, in macage NGFW, for inbound SSL inspection I have the ability, through defining a "policy", to choose which feature sets to apply from IPS signatures, anti-malware etc. Does the same concept apply in the case of CWSA?

Asad,

Sorry but I believe I misspoke earlier in saying that we could inspect the content for incoming SSL with the WSA. That is a feature specific to the IPS appliances.

My apologies for that. I noted the error in my post.

Marvin, it's okay, no problem at all. To err is human :). So, would any Cisco IPS do inbound SSL inspection, or especially a class like the Firepower integrated module? Can you point to the exact IPS that enables this feature?

I'm referring to the Cisco FirePOWER Next Generation IPS (NGIPS) appliances specifically. That would include the 3D7000, 3D8000 and AMP series of hardware.

It would not be supported (currently - as of 5.4 software) on any of the ASA FirePOWER modules, including the hardware module on the 5585-X. It is also not supported on the virtual FirePOWER appliance.

I believe it is supported on the ASA CX IPS; although that is also end of sales.

It is not supported on any of the legacy Cisco IPS appliances.

You've mentioned that the FirePOWER (software) may implement SSL inspection capabilities once version 6 is out.

Is there a timeline for date of release of version 6? If I would be able to perform SSL decryption with an ASA 5506-X in the near future, I would consider purchasing it for my home lab rather than a Palo Alto PA-200.

Cisco doesn't typically announce release date until they are actually shipping the code.

The best projection they were sharing publicly at Cisco Live earlier this summer was "Fall 2015". They also caveat that you will take quite a performance hit by doing the SSL decryption in software, especially in the lower end boxes.

Thank you for the information.

My home lab is a way for me to practice enterprise architecture and security on a micro-scale. It won't be at my home internet perimeter, but will be used to segregate my home lab network from my home recreation network. There won't be too much lab traffic crossing the firewall unless I'm hairpinning, so I'm not too worried about the performance hit.

The PA-200's also take a significant performance hit when they enable inspection.


Marvin,

Have you heard anything yet about SSL decryption on the ASAs? I still can't find anything on it.

Austin

Austin,

We still expect it in 6.0 on the ASA FirePOWER modules. It should be out in the next month or two. 

6.0 FirePOWER code was released and is already posted on CCW. Here are the release notes that indicate support for SSL decryption. 

http://www.cisco.com/c/en/us/td/docs/security/firepower/60/relnote/firepower-system-release-notes-version-600.html
