
SSL Encryption/decryption 5555-X

Hi all.

Kindly please advise. We are doing a firewall project where we are bringing in a 5555-X with the Firepower module. We wanted SSL encryption/decryption, but our supplier advised that this is not a good idea and that it is better to leave it, as it will degrade the performance. However, if we do SSL encryption with selected categories, it should not make a difference.

Kindly please advise if it's a good idea to drop SSL on the 5555-X. If so, then why is Cisco giving technology that should not be implemented in a production network?

Please do not forget to rate.

Marvin Rhoads
Hall of Fame

SSL decryption is useful for incoming traffic where you have the server certificate and key.

It is not so useful for outgoing traffic as it requires a PKI and all clients must trust the issuing CA. Also, many modern applications and an increasing number of websites have technologies like certificate pinning in place to block man-in-the-middle interception as is done by SSL decryption. That's in addition to the significant (up to 75-80%) performance hit you get when doing SSL decryption.

A better solution for this latter use case is to use endpoint-based tools like Cisco AMP for Endpoints and/or Cisco Umbrella that provide superior protection after the data comes out of the SSL tunnel.
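
The two constraints named in the reply above (every client must trust the issuing CA, and pinned applications reject the certificate minted by the decrypting device) can be reproduced in a throwaway lab with `openssl`. This is an added example, not part of the original thread; the host name, CA name and file names are constructed.

```shell
#!/usr/bin/env bash
# Constructed lab demo: every key and certificate is generated locally.
set -eu

# SPKI pin (base64 of SHA-256 over the DER public key) of a PEM certificate.
spki_pin() {
  openssl x509 -in "$1" -noout -pubkey |
    openssl pkey -pubin -outform DER |
    openssl dgst -sha256 -binary | openssl base64
}

# Build origin certificate, inspection CA and re-signed certificate in dir $1.
build_lab() {
  local d="$1" cn="app.example.test"   # hypothetical host name
  # Certificate the real server presents (self-signed for brevity).
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$cn" \
    -keyout "$d/origin.key" -out "$d/origin.pem" 2>/dev/null
  # Internal CA that every client must trust for outbound decryption.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Lab Inspection CA" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  # Certificate the decrypting device mints for the same name with its own key.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$cn" \
    -keyout "$d/resigned.key" -out "$d/resigned.csr" 2>/dev/null
  openssl x509 -req -in "$d/resigned.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/resigned.pem" 2>/dev/null
}

# Exit 0 if the certificate in $2 matches the pinned value in $1.
pin_matches() { [ "$(spki_pin "$2")" = "$1" ]; }

# Exit 0 if the certificate in $2 chains to the trust anchor in $1.
chain_trusted() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

main() {
  lab=$(mktemp -d); build_lab "$lab"
  pin=$(spki_pin "$lab/origin.pem")     # pin shipped inside the application
  chain_trusted "$lab/ca.pem" "$lab/resigned.pem" && echo "chain: trusted via inspection CA"
  pin_matches "$pin" "$lab/origin.pem"   && echo "pin:   direct connection accepted"
  pin_matches "$pin" "$lab/resigned.pem" || echo "pin:   re-signed certificate rejected"
  rm -rf "$lab"
}
main
```

A client that only validates the chain accepts the re-signed certificate once the inspection CA is in its trust store, while a client that pins the origin key rejects it regardless, which is why pinned applications usually end up on a do-not-decrypt list.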
