How to host 300+ secure websites using a couple of public IP's on an ASA5520 with AIP SSM-20 and with as few certificates as possible?
How can we host 300+ secure (https) websites using a couple of public IP's on an ASA5520 with AIP SSM-20 and with as few certificates as possible?
Summary of set-up:
We currently host a number of websites using an ASA5520 and use host headers, so have 6 servers with around 40 hosted URL's.
The number of websites is due to double very soon and we will need to use more of our public IP's. We can see that we will will run out of public IP's very soon especially as there is a project in the pipeline that has a likely requirement to host an additional 200+ websites.
Each of these websites are required to use https and therefore each must have a certificate which will be very expensive. PCI DSS (payment card industry data security standard) is causing us issues because we had hoped to post the certificates on the firewall (one for each physical server) and then run the data un-encrypted from the firewall to the relevant web servers, so that we could use one certificate for lots of websites and therefore reduce our certificate costs, however is not best practice to do this due to the data being unencrypted within the firewall and on the DMZ network and therefore potentially open to compromise. I doubt that we could install 200+ certificates on a 5520 and then re-encrypt the data to the web servers especially seeing as we also have an IPS card that is already running at around 70-80% util due to the performance overhead.
BTW - We also have an in-line Breach WAF which will be required to inspect the packets (certificates to be installed on the WAF to allow this).
How to host 300+ secure websites using a couple of public IP's o
CIsco ASA does not support SSL termination for such purposes. You will require a Cisco ACE appliance or a module to perform SSL termination for client's HTTPS requests. Such HTTPS requests can terminate on the ACE, and you can then forward HTTP requests to the backend servers.
You will still require the same number of SSL certificates though, depending on the number of websites you're hosting.
Hello! I run 184.108.40.206.When I click download updates in ASDM I get:Download updates failed: Peer certificate cannot be authenticated with known CA certificates I have 3 identical devices and all of them have the same problem.. How can I fix ...
You would like to use the ASA Firewall Umbrella Connector to enforce DNS policy with Umbrella. However you would also like to exclude certain IP addresses or subnets from using this policy. I recently had the need to do this, had a bit of tro...
Hi Everyonem Just wondering if anyone knows why I am getting an error that says "Cryptographic algorithms required by the secure gateway do not match those supported by AnyConnect. Please contact your network administrator.". See attached...
The Cisco 2020 CISO Benchmark Report provides valuable takeaways and data on the most pressing topics: the impact of vendor consolidation, cybersecurity fatigue, outsourcing, top causes of downtime, the most impactful threats, and more. The repo...
Hi, Has anyone run into the "Channel down" issue when updating the identity certificate on the Stealthwatch SMCv and SFCv. I'm doing a POC for a client and every time I go an update the identity cert the SMC says "it could save the configuration" and...