cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1161
Views
0
Helpful
7
Replies

Cisco ASA 5525 Firepower (firesight 5.4) SSL Decryption a option?

newtonpara
Level 1
Level 1

I am getting ready to dump the cisco cx module on a asa 5525-x for the cisco asa firepower. I been using the cx module ssl decryption in order to get sight into ssl traffic.

 

Reading the release notes for Firesight 5.4 it seems cisco has now included SSL decryption as a onboard feature without the need for a dedicated ssl decryption appliance (i know performance is bad for compared to a appliance). 

 

Cisco can be kind of vague in release notes. Can someone confirm that now the asa firepower module does indeed support ssl decryption on asa 5525? 

1 Accepted Solution

Accepted Solutions

Version 6.0 will be the next major release. From what Cisco was saying publicly at Cisco Live this summer, it should be out this fall.  

The target mentioned then was to include SSL decpryption for FirePOWER modules; but that depends on everything going well enough in development and beta testing for it to make the final cut of included features.

The roadmap is most definitely the FirePOWER modules. When a given account is ready to move to that depends of course on the required feature set. If you need SSL decryption, the answer is not quite yet.

Beyond that, they don't publicly release roadmap details. If the specifics are of particular concern to your organization, you can contact your partner or Cisco account manager and request details under NDA.

As SSL becomes an increasingly large part of the overall traffic mix, it is going to be harder and harder to rely on any software-based solution. The majority of customers will not tolerate the 80-90% performance hit necessary to decrypt and re-encrypt every SSL frame in software. Add to that things like not being able to push an enterprise CA trusted key into all devices in a heavily BYOD situation such as many enterprises are now or are moving toward.

View solution in original post

7 Replies 7

Marvin Rhoads
Hall of Fame
Hall of Fame

I can confirm that it does not.

As of 5.4.x, SSL decryption is only supported on the dedicated FirePOWER appliances (i.e., 3D series and AMP series).

Based on reading some of the responses in the forums it seems Cisco wont include that feature till version 6.0 of firepower module for ASA. Any idea when that might be and is this correct?

Which brings me to my next question. What is Cisco's solution for those of us that have invested in the Cisco ASA-X platform and the CX? Since SSL decryption is possible on the CX what is the roadmap solution from cisco? Is buying the ssl decryption appliance the only option?

 

Thank you for responding. 

Version 6.0 will be the next major release. From what Cisco was saying publicly at Cisco Live this summer, it should be out this fall.  

The target mentioned then was to include SSL decpryption for FirePOWER modules; but that depends on everything going well enough in development and beta testing for it to make the final cut of included features.

The roadmap is most definitely the FirePOWER modules. When a given account is ready to move to that depends of course on the required feature set. If you need SSL decryption, the answer is not quite yet.

Beyond that, they don't publicly release roadmap details. If the specifics are of particular concern to your organization, you can contact your partner or Cisco account manager and request details under NDA.

As SSL becomes an increasingly large part of the overall traffic mix, it is going to be harder and harder to rely on any software-based solution. The majority of customers will not tolerate the 80-90% performance hit necessary to decrypt and re-encrypt every SSL frame in software. Add to that things like not being able to push an enterprise CA trusted key into all devices in a heavily BYOD situation such as many enterprises are now or are moving toward.

Out in the fall is good (were in fall). Thank you for your detailed responses.

 

I understand the PKI infrastructure issue some organizations will face. I do not have that issue.

In regards to the performance hit by software ssl decryption. This is accurate in my own experience with the CX and others. However I have relatively low traffic sub-100mb and even less SSL traffic. How well does firepower integrate with 3rd party ssl decryption?

Thank you for the details.

 

 

mdreelan
Level 1
Level 1

I seriously doubt 6.0 or 7.0 or any other version will ever be able to do SSL Decryption at rates that are required on networks today -- maybe for some small SMB users.  For most clients they need to re-architect inbound and outbound traffic with the right solution set.  This can be ASA + SRF for outbound (excluding SSL decryption) but inbound will need to be decrypted in order to see what you are allowing in your network. and the same thing goes for outbound SSL traffic.  And you will need to be abe to distinguish between banking sites and non-banking sites if you ae going to properly deal with user privacy.

ssl decrytion is still better to go offload. but if you take a look cisco FP9300, you will see they are planing something to make it work.

I will reverse my judgement until the release of version 6.0 which tested on 5545. There will be a performance hit for sure. I just don’t think it will be as bad as you might think. In my case most of my HTTPS traffic is going to 3 particular websites which can be excluded. Correctly tuned I think you can acceptable performance which is better then nothing. 

Speaking to membersof the firepower team it sounded like the decryption performance is far better than anything the CX did.

 

Review Cisco Networking for a $25 gift card