10-07-2017 02:17 AM - edited 02-21-2020 06:27 AM
Hi all
When a client and server use PFS ciphers as part of the TLS session setup, what consideration(s), if any, should be given to an IPS system such as the FTD deployed in the middle to inspect the traffic?
My understanding of this whole topic is limited, but if the session keys are ultimately not derived from the server's public key, then what does this say about using the server's private key on the IPS to decrypt the traffic?
Thank you.
10-08-2017 01:26 AM
Hello,
It would really depend on what type of traffic you would like to inspect. You would need an SSL policy on FTD to inspect the encrypted traffic.
If it's decrypt-known-key, then you have the private key with you. If it's decrypt-and-resign, then FTD would by default use client-hello modification (if your software is on or above 6.1) to modify the client-hello packet's supported cipher types.
Basically, you just need to configure the SSL policy and check whether FTD is able to decrypt the traffic or not, and move forward from there.
Thanks
yogesh
10-16-2017 01:03 AM
Hi yogesh
First off, apologies for not responding sooner. I am slightly more familiar now with the FTD, only slightly, particularly with the concepts you have mentioned below. However, I'm not sure this answers my question? As this is inbound traffic targeting our servers, we do have access to the server's private key. However, does this mean that if the server is configured to only choose a PFS cipher (DHE/ECDHE) that we will have issues doing the decrypt-known-key function on the FTD?
Thanks again.