
Noob Query - Does the ASA55xx & AIP SSM support HTTPS or SSL inspection?

andrewboggs
Level 1

So far, all I can find on the ASA is an Application Inspection Match Criteria for the HTTP CONNECT request that carries you into the world of HTTPS (SSL).  Vendors who can inspect SSL generally brag about it and have to devote at least one chapter in the User Guide to Certificate Management and Key Rings.  Right now I am guessing that unless the Ingress traffic is from an SSL VPN Client, there isn't going to be much inspection going on.  THX

1 Accepted Solution

Accepted Solutions

Jennifer Halim
Cisco Employee

The reason why there isn't much on HTTPS inspection is that the device needs to be performing man-in-the-middle to be able to inspect the HTTPS encrypted traffic. Typically, a vendor that inspects HTTPS traffic would have the device certificate presented to the user in order to be able to inspect the HTTPS traffic, not the end web server certificate.

Both Cisco IronPort WSA and Cisco ScanSafe support inspection of HTTPS web traffic for anti-malware, anti-spyware and web filtering.

Hope that answers your question.

Thanks for the pointers on IronPort WSA and ScanSafe.  This customer's scenario is inbound to their SSL Web Server and they are under the impression that the AIP-SSM is doing IPS inside of the SSL stream to that Web Server.  With no Man-In-The-Middle and no Keyring, I am afraid the best they can hope for is header checks during the SSL negotiations.  I like to double check before I deliver bad news.  THX.
