05-10-2016 09:14 AM - edited 03-12-2019 06:00 AM
Dears,
I have some questions below, please answer.
05-10-2016 09:25 AM
Hi
>Yes, Firepower does anti-virus blocking using IPS signatures.
>All the traffic is inspected by Firepower if configured; it's just that encrypted content will be inspected, but Firepower (or any other device, for that matter) won't be able to see anything in there without decrypting it. If there is a virus which is encrypted and there is no SSL policy, it's likely to pass.
>Again, the same answer: if the download is using an encrypted method and there is no SSL policy to decrypt the traffic, the file will pass.
Please also note there are some websites which are HTTPS, but when files are downloaded, they are served over a regular HTTP connection, which Firepower would be able to see and take action on. But if it's an encrypted connection, then an SSL policy is required.
Rate if it helps.
Yogesh
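As an added illustration of the point in the answer above (this is example code, not from the thread or from Cisco): a signature engine can only match bytes it sees in plaintext, so the same download that is blocked over HTTP passes over HTTPS when no SSL policy decrypts the session. The marker string, the toy XOR cipher standing in for TLS, the session key and the HTTP body are all constructed for this example.

```python
"""Why an IPS/file signature only fires on plaintext the inspector can see.
Everything here is constructed: the marker, the toy cipher and the flows."""
import hashlib
import re
from typing import Optional

# Constructed byte pattern standing in for a file/IPS signature.
SIGNATURE = re.compile(rb"X-SAMPLE-MALWARE-MARKER")


def toy_encrypt(plaintext: bytes, session_key: bytes) -> bytes:
    """Stand-in for the TLS record layer: XOR with a SHA-256 keystream.
    Toy cipher for illustration only; it just has to hide the plaintext."""
    stream = b""
    counter = 0
    while len(stream) < len(plaintext):
        stream += hashlib.sha256(session_key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(p ^ s for p, s in zip(plaintext, stream))


toy_decrypt = toy_encrypt  # XOR with the same keystream undoes it


def inspect_bytes(visible: bytes) -> str:
    """What the signature engine does with the bytes it can actually see."""
    return "block" if SIGNATURE.search(visible) else "allow"


def inspect_flow(payload: bytes, encrypted: bool,
                 session_key: Optional[bytes], ssl_policy_decrypts: bool) -> str:
    """Model the three cases from the thread:
    - plain HTTP: the body is inspected as-is
    - HTTPS with an SSL policy that decrypts: the engine sees plaintext
    - HTTPS with no SSL policy: the engine sees only ciphertext
    """
    if not encrypted:
        return inspect_bytes(payload)
    if ssl_policy_decrypts and session_key is not None:
        return inspect_bytes(toy_decrypt(payload, session_key))
    return inspect_bytes(payload)  # only ciphertext is visible


def run_scenarios() -> dict:
    """Return the verdict for each case so the difference is visible."""
    key = b"constructed-session-key"
    body = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"
            b"...X-SAMPLE-MALWARE-MARKER...")
    ciphertext = toy_encrypt(body, key)
    return {
        "http_no_ssl_policy": inspect_flow(body, False, None, False),
        "https_no_ssl_policy": inspect_flow(ciphertext, True, key, False),
        "https_with_decrypt": inspect_flow(ciphertext, True, key, True),
    }


if __name__ == "__main__":
    for case, verdict in run_scenarios().items():
        print(f"{case:22s} -> {verdict}")
```

The middle case is the one the answer warns about: the engine runs, but it is matching against ciphertext, so the verdict is "allow" regardless of what the file contains.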
05-10-2016 10:20 AM
Dear yogdhanu,
thanks for the replies
So from your replies, what I understand is: most of the URLs on the internet are HTTPS and most users are accessing HTTPS URLs on the internet, so without an SSL policy enabled their traffic is passed, and if they try to access an HTTPS URL which is a malicious website, then it will open the webpage, which can affect my PC, if that URL is not identified by Security Intelligence. Please correct me if I'm wrong.
If I enable SSL decryption, what will the impact on performance be? And from a design perspective, which SSL traffic should be decrypted? If I decrypt every internet (HTTPS) traffic flow, will it affect the performance of the Firepower, and is it good design?
thanks
05-10-2016 10:36 AM
Hi Clark,
Yes, if the URL is not blocked by either SI or URL filtering or malware-based DNS signatures, the connection will be allowed.
SSL decryption should not be enabled for all the traffic. It does have a performance impact on Firepower: almost 80% reduction in throughput, so use it only for specific traffic. It also depends on which model you use.
Use URL filtering and SI to block most of the malware categories.
http://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/200202-Configuration-of-an-SSL-Inspection-Polic.html
Hope it helps.
Yogesh
05-10-2016 12:53 PM
Dear yogdhanu,
I have an ASA 5525-X with the Firepower SSD. I was planning to use SSL decryption for the below; please suggest which I should enable.
Apart from the above, any suggestion that can be a best practice from Cisco?
thanks
05-10-2016 09:27 PM
Hi Clark,
I would suggest enabling SSL in a phased manner so you know what effect it has on your network.
Enable SSL on OWA traffic for a start and monitor the performance.
If there is an encrypted backup which does not need to be inspected, bypass it from Firepower or create a trust rule to save resources.
If all goes fine and there are no high CPU or memory alerts, then enable SSL for user traffic as well and monitor.
Hope it helps.
Yogesh
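The phased rollout in the answer above, written out as an ordered first-match SSL rule list (added example; not from the thread and not Cisco's configuration). The rule names, application and category labels, and the sample flows are constructed; the two action strings follow the Firepower SSL rule action names, but the matching logic is a deliberate simplification of the real policy engine.

```python
"""Phased SSL policy as a first-match rule list.
Phase 0: decrypt nothing; phase 1: OWA only; phase 2: user web traffic too.
The bypass for encrypted backups stays first in every phase, so the
trust/bypass rule is hit before any decrypt rule. All labels constructed."""
from dataclasses import dataclass, field
from typing import List, Set, Tuple

DO_NOT_DECRYPT = "Do not decrypt"
DECRYPT_RESIGN = "Decrypt - Resign"


@dataclass
class Flow:
    dest: str
    app: str       # application as the firewall would identify it (constructed)
    category: str  # URL category (constructed)


@dataclass
class SslRule:
    name: str
    action: str
    apps: Set[str] = field(default_factory=set)
    categories: Set[str] = field(default_factory=set)

    def matches(self, flow: Flow) -> bool:
        # A rule matches when every populated condition matches the flow.
        if self.apps and flow.app not in self.apps:
            return False
        if self.categories and flow.category not in self.categories:
            return False
        return True


def build_policy(phase: int) -> List[SslRule]:
    """Grow the rule list one phase at a time; bypass rule always stays first."""
    rules = [SslRule("Bypass encrypted backups", DO_NOT_DECRYPT, apps={"Backup"})]
    if phase >= 1:
        rules.append(SslRule("Decrypt OWA", DECRYPT_RESIGN, apps={"OWA"}))
    if phase >= 2:
        rules.append(SslRule("Decrypt user web browsing", DECRYPT_RESIGN,
                             categories={"Web browsing", "File sharing", "Uncategorized"}))
    return rules


def evaluate(policy: List[SslRule], flow: Flow,
             default_action: str = DO_NOT_DECRYPT) -> Tuple[str, str]:
    """First matching rule wins; the policy default applies when nothing matches."""
    for rule in policy:
        if rule.matches(flow):
            return rule.name, rule.action
    return "default", default_action


def decrypted_share(policy: List[SslRule], flows: List[Flow]) -> float:
    """Fraction of sample flows that hit a decrypt rule, i.e. the share of
    traffic that pays the decryption cost the thread talks about."""
    hits = sum(1 for f in flows if evaluate(policy, f)[1] == DECRYPT_RESIGN)
    return hits / len(flows) if flows else 0.0


SAMPLE_FLOWS = [  # constructed sample traffic
    Flow("owa.example.test", "OWA", "Web-based email"),
    Flow("backup.example.test", "Backup", "Uncategorized"),
    Flow("news.example.test", "HTTPS", "Web browsing"),
    Flow("share.example.test", "HTTPS", "File sharing"),
]


if __name__ == "__main__":
    for phase in (0, 1, 2):
        policy = build_policy(phase)
        print(f"phase {phase}: {decrypted_share(policy, SAMPLE_FLOWS):.0%} of sample flows decrypted")
        for f in SAMPLE_FLOWS:
            print("   ", f.dest, "->", evaluate(policy, f))
```

Two things the rule order makes visible: the backup flow lands on the bypass rule in every phase even once the broad phase-2 rule exists, and the decrypted share grows from 0% to 25% to 75% of the sample, which is the quantity to watch against CPU and memory before moving to the next phase.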
11-16-2016 05:58 PM
Hi Yogesh,
Can you share with us what you usually configure in your SSL policy? Do you enable it for all HTTPS traffic, or normally for applications only, like OWA?
Tks