Cisco FTD & IPS SSL Decryption

Hi all

Hoping someone can help shed some light on this, which to be fair may be even more fundamental and not necessarily FTD-related.

We're still a long way off purchasing a Cisco FTD (4110) but are looking at all the capabilities it has to offer. We have a requirement to provide IPS where the traffic flowing through the box will be encrypted. Am I right in thinking that in order to successfully decrypt the traffic we will need to import onto the FTD the target server's certificate + private key to allow the FTD to effectively act as a man-in-the-middle?

Any other considerations we need to take into account, specifically for this platform, that may cause us issues as it relates to IPS and encrypted traffic?

Thank you.

1 Reply

Marvin Rhoads
Hall of Fame

That is one way to decrypt - typically used for incoming traffic where you own the SSL certificate in question.

For outbound traffic it's more problematic since you have to have a PKI and a trusted sub-CA type certificate on the FTD device that is both trusted by all of your clients and able to decrypt Internet-bound traffic. Also, some sites and applications will not work with this as they use certificate pinning.

In either case, SSL decryption causes a significant performance hit - about 75-80% - as the current platforms do not decrypt in hardware.
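As an added example (not from this thread, and not Cisco's or FTD's own code), a small client-side check for validating an outbound resign deployment like the one described above: it opens a verified TLS session to each destination and reports whether the presented leaf certificate was re-signed by the inspection sub-CA (decrypted inline), passed through untouched, or is not trusted by this client at all. The sub-CA common name and the hostnames are constructed placeholders.

```python
"""Report which HTTPS destinations a client sees as decrypted (re-signed by
the inspection sub-CA), passed through, or untrusted."""
import socket
import ssl

# Constructed value (assumption): subject CN of the sub-CA installed on the
# decrypting device. Replace with the CN of your own resign certificate.
RESIGN_CA_CN = "Corp TLS Inspection CA"


def issuer_cn(cert: dict) -> str:
    """Extract the issuer CN from the dict returned by SSLSocket.getpeercert().

    The 'issuer' entry is a tuple of RDNs, each a tuple of (attr, value) pairs.
    """
    for rdn in cert.get("issuer", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return ""


def classify(cert: dict, resign_ca_cn: str = RESIGN_CA_CN) -> str:
    """'decrypted' if the leaf was re-signed by our CA, else 'passthrough'."""
    return "decrypted" if issuer_cn(cert) == resign_ca_cn else "passthrough"


def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Open a verified TLS session to host and classify what it presented.

    A verification failure means this client does not trust the chain it
    received: either the resign sub-CA is missing from the local trust store
    (Marvin's "trusted by all of your clients" point) or the site is handled
    in some other way and presents an unexpected chain.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return classify(tls.getpeercert())
    except ssl.SSLCertVerificationError as exc:
        return f"untrusted ({exc.reason})"
    except OSError as exc:
        return f"error ({exc})"


if __name__ == "__main__":
    # Constructed hostnames; substitute a few internal and Internet sites.
    for h in ("intranet.example.com", "www.example.com"):
        print(f"{h}: {probe(h)}")
```

Run it from a managed client (with the sub-CA in its trust store) and from an unmanaged one; a site that reports "passthrough" on the managed client is a candidate for a pinning exemption or a policy gap.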
