
HTTPS through IPS

Hemant Sajwan
Level 1

Hi,

Have a question regarding HTTPS traffic going through IPS (AIP-SSM). I understand that Cisco IPS cannot monitor encrypted traffic except monitoring the headers and trailers. So,

- Does it mean there's no use of sending HTTPS traffic to AIP-SSM (unless the purpose is to monitor HTTPS headers and trailers)?

- What kind of protection can be expected by just looking at headers and trailers?

Is there any recommendation whether HTTPS traffic should be sent to AIP-SSM or not?

3 Replies

tiwang
Level 3

We had a similar problem - we solved it by using an F5 as a reverse proxy, terminating the HTTPS/SSL session on the F5 and running unencrypted from there - and passing the traffic through their ASM module, which is similar to the IPS module - and in fact afterwards we also pass the traffic through an ASA and IPS module - but now unencrypted...

Thank you tiwang but it's not a problem for me to not send HTTPS traffic through AIP-SSM. I am fine with not sending HTTPS traffic to AIP-SSM if there's no real use of it as it will be encrypted. So, as I had asked earlier, I just want to know:

- Does it mean there's no use of sending HTTPS traffic to AIP-SSM (unless the purpose is to monitor HTTPS headers and trailers)?

- What kind of protection can be expected by just looking at headers and trailers of HTTPS?

Is there any recommendation whether HTTPS traffic should be sent to AIP-SSM or not?

To evaluate what you get by inspecting the encrypted traffic, you can look at the signatures. These Signatures have "HTTPS" in the name. Of course there are even more signatures that work in general on TCP and so on:

But at least the "Malformed Handshake" Signature caused lots of false positives in my environment.

I don't really have any general recommendations for that. With limited time to work on the sensor I wouldn't care about HTTPS, but if you have some time to implement it, it won't hurt and will give you a little bit better protection.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
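
What a sensor can still read from an HTTPS flow without the keys, as an added example that is not part of the original thread and is not Cisco's signature logic: the TLS record header (content type, version, length) and the first handshake message type travel in cleartext, which is enough for a malformed-handshake style check. The function name, the checks chosen and the sample byte strings are constructed for illustration.

```python
import struct

# TLS record content types; these sit in cleartext in front of every record.
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
MAX_RECORD_BODY = 2**14 + 2048  # largest ciphertext record body TLS 1.2 allows


def inspect_stream(stream: bytes):
    """Walk the TLS records of a reassembled client-to-server byte stream.

    Returns (records, anomalies). Only the 5-byte record headers and the
    first byte of the first record are interpreted; nothing is decrypted.
    """
    records, anomalies, off = [], [], 0
    while off < len(stream):
        if len(stream) - off < 5:
            anomalies.append(f"offset {off}: truncated record header")
            break
        ctype, major, minor, length = struct.unpack_from("!BBBH", stream, off)
        name = CONTENT_TYPES.get(ctype)
        if name is None:
            anomalies.append(f"offset {off}: unknown content type {ctype}")
            break  # framing is lost, later bytes cannot be trusted
        if major != 3:
            anomalies.append(f"offset {off}: bad record version {major}.{minor}")
        if length > MAX_RECORD_BODY:
            anomalies.append(f"offset {off}: oversized record length {length}")
            break
        body = stream[off + 5: off + 5 + length]
        if len(body) < length:
            anomalies.append(f"offset {off}: record body truncated")
        # A TLS connection must open with a handshake record whose first
        # message is a ClientHello (handshake type 1).
        if not records and not (name == "handshake" and body[:1] == b"\x01"):
            anomalies.append("first record is not a ClientHello")
        records.append((name, length))
        off += 5 + length
    return records, anomalies


# Constructed samples: a minimal handshake record followed by one encrypted
# application-data record, and plaintext HTTP sent to the HTTPS port.
GOOD = (b"\x16\x03\x01\x00\x04" + b"\x01\x00\x00\x00" +
        b"\x17\x03\x03\x00\x03" + b"\xaa\xbb\xcc")
BAD = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"

if __name__ == "__main__":
    for label, data in (("good", GOOD), ("bad", BAD)):
        print(label, inspect_stream(data))
```

The application-data record is reported only as a type and a length; its body stays opaque, which is why terminating TLS in front of the sensor, as described in the first reply, is needed for payload inspection.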
