Is it possible to decrypt SSL with a external appliance and feed it into ASA Firepower/Sourcefire

newtonpara
Level 1

I am looking right now at dedicated SSL decryption appliances that will allow me to decrypt the SSL stream and feed it into a number of systems, mainly a Cisco ASA with a FirePOWER module and a dedicated IPS.

I am running into a problem as to how to feed the decrypted SSL traffic to my Sourcefire module on the ASA. Since the Sourcefire on the ASA is almost like a virtual module, it is not possible to connect in-line after the ASA goes through the traffic (as it currently seems), since the ASA redirects the traffic internally to the module.

Because of that I am looking at a solution from A10 that decrypts the traffic prior to it reaching the ASA/Sourcefire and IPS, so those units don't see HTTPS traffic but instead treat it as regular HTTP.

My question is if it's possible to place a decryption appliance AFTER the ASA and have it feed back into the Sourcefire module on the ASA, vs. placing an appliance BEFORE the ASA and having it decrypt all traffic.


Aastha Bhardwaj
Cisco Employee

Hi,

Sourcefire has separate hardware appliances and SSL appliances like the 1500/2000 series which can decrypt the traffic.

Refer : https://supportforums.cisco.com/discussion/12425001/cisco-asa-sourcefire-ssl-inspection

Regards,

Aastha Bhardwaj

Rate if that helps!!!

Hi,

So ASA Sourcefire 6.0 will be able to decrypt the traffic. So you can place the appliance before the ASA and have it decrypt the traffic.

Regards,

Aastha Bhardwaj

Your response doesn't completely make sense. I am looking at a dedicated appliance for decryption only. I do not want to use the built-in 6.0 Sourcefire on-box decryption because it has terrible performance.

I want to know if the only option I have is to decrypt traffic before it hits the ASA/Sourcefire combo.

Sure. The FirePOWER module will inspect traffic that the service-policy sends to it.

If the traffic has been decrypted and is plaintext HTTP vs. ciphertext (encrypted) HTTPS, then all the better: the module can look deeper into the stream.

Typically your architecture would have to be designed so as not to break the overall HTTPS flow from client to server; but as long as you do that, you should be fine.
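For readers unfamiliar with how the ASA hands traffic to the module, the following ASA configuration is an added illustration, not something posted in this thread or taken from a Cisco document. It shows the two redirection mechanisms the answers refer to: the service-policy that steers matching flows into the on-box FirePOWER (sfr) module, and a WCCP redirect toward an external Web Security Appliance that can hold its own decryption policy. The interface name, subnet, WSA address, ACL names and WCCP service number are assumed values and would have to match the real deployment.

```text
! --- 1. Service-policy redirect into the on-box FirePOWER module ---
! Only the sfr module is a valid target here; there is no option to
! send the flow to an external decryption box and get it back.
access-list SFR-TRAFFIC extended permit ip 10.0.1.0 255.255.255.0 any
!
class-map INSPECT-SFR
 match access-list SFR-TRAFFIC
!
policy-map global_policy
 class INSPECT-SFR
  ! fail-open keeps traffic flowing if the module is down;
  ! use "sfr fail-close" where blocking on module failure is required
  sfr fail-open
!
service-policy global_policy global

! --- 2. Closest alternative: WCCP redirect of HTTPS to a WSA ---
! 10.0.0.50 is an assumed WSA address; service 90 is an assumed
! dynamic WCCP service ID that must match the one configured on the WSA.
access-list WCCP-SERVERS extended permit ip host 10.0.0.50 any
access-list WCCP-REDIRECT extended deny tcp host 10.0.0.50 any eq 443
access-list WCCP-REDIRECT extended permit tcp 10.0.1.0 255.255.255.0 any eq 443
!
wccp 90 redirect-list WCCP-REDIRECT group-list WCCP-SERVERS
wccp interface inside 90 redirect in
```

The deny line in the redirect list prevents the WSA's own outbound connections from being redirected back to it, which would otherwise create a loop. Note that the WCCP path bypasses the FirePOWER module entirely for the redirected flows; the WSA, not the module, performs the decryption and content inspection, which is why the accepted answer describes it as the closest thing rather than an equivalent.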

I am asking if it's possible to redirect traffic using the service-policy to an outside SSL decryption device and then feed that back into the ASA to be checked by the FirePOWER module.

Instead of having to decrypt all the traffic before it hits the ASA.


No - that's not possible just for SSL decryption. There's no provision for doing that with a service-policy.

The only thing close is when we can send the traffic to a URL filtering service (like a WSA) using WCCP. The WSA can have a decryption policy for use in inspecting the traffic content.

In that case I will have to put the decryption in front of the firewall. I have used WCCP in the past for transparent proxy purposes. It worked well enough but I would rather not deal with it again. Thanks

Hi Aastha,

Is the decryption applicable for ASA servers only? We have a DC 750 and two 8130 sensor appliances and are planning to upgrade to the 6.0 version. Will the decryption work for me as well?

Regards

Vikram

deshaw
Level 1

Yes, you can do it in a crude way, by using an SSL 1500 appliance plus a copper/fiber TAP.

We are doing it for an SSL1500 + Sourcefire implementation.
