Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1226
Views
0
Helpful
6
Replies

SSL Encrytped packets

Go to solution
clark white
Level 2
Level 2

‎05-10-2016 09:14 AM - edited ‎03-12-2019 06:00 AM

Dears,

I have some question below please answer,

  • firepower does antivirus blocking ??
  • do https/ssl packets are inspected by firepower IPS without ssl policy enabled, if anybody is sending a encrypted packets with virus or spyware are they will blocked by ips rules ??
  • if a file is downloaded by the https:// site which is encrypted and contains malware such types of malware affected files will be blocked by malware file policy??

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
yogdhanu
Cisco Employee
Cisco Employee
In response to clark white

‎05-10-2016 10:36 AM

Hi Clark,

Yes if the url is not blocked by either SI or URL filtering or malware based DNS signatures , the connection will be allowed.

SSL decryption should not be enabled for all the traffic. It does have performance impact on firepower. Almost 80% reduction in throughput so use it only for specific traffic and also depends on what model you use.

Use URL filtering and SI to block most of the malware categories.

http://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/200202-Configuration-of-an-SSL-Inspection-Polic.html

Hope it helps.

Yogesh

View solution in original post

0 Helpful
6 Replies 6

Go to solution
yogdhanu
Cisco Employee
Cisco Employee

‎05-10-2016 09:25 AM

Hi

>Yes firepower does anti-virus blocking using IPS signatures.

>All the traffic is inspected by firepower if configured. its just that encrypted content will be inspected but firepower ( or any other device for that matter) won't be able to see anything in there without decryption it. If there is virus which is encrypted and there is no SSL policy , its likely to pass.

>Again the same answer if the download is using encrypted method and there is no SSL policy to decrypt the traffic , file will pass.

Please also note there are some websites which are https but when files are downloaded , they are server over regular http connection which firepower would be able to see and take action. But if its encrypted connection then SSL policy is required.

Rate if helps.

Yogesh

0 Helpful

Go to solution
clark white
Level 2
Level 2
In response to yogdhanu

‎05-10-2016 10:20 AM

Dear yogdhanu,

thanks for the replies

So from your replies what I understand is most of the urls on the internet are https and most of the user is accessing the https url on the internet so without SSL policy enabled their traffic is passed and if they try to access a HTTPS urls which is malicious website then It will open the webpage  which can affect my PC, if that URL is not identified by security intelligence. Please correct me if I m wrong. 

If I enable a SSL decryption what will be impact on the performance ???  and as per design perspective which SSL traffic should be decrypted if i decrypt every internet traffic (https) it will affect the performance of the firepower ???? and it is good design ???

thanks

0 Helpful

Go to solution
yogdhanu
Cisco Employee
Cisco Employee
In response to clark white

‎05-10-2016 10:36 AM

Hi Clark,

Yes if the url is not blocked by either SI or URL filtering or malware based DNS signatures , the connection will be allowed.

SSL decryption should not be enabled for all the traffic. It does have performance impact on firepower. Almost 80% reduction in throughput so use it only for specific traffic and also depends on what model you use.

Use URL filtering and SI to block most of the malware categories.

http://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/200202-Configuration-of-an-SSL-Inspection-Polic.html

Hope it helps.

Yogesh

0 Helpful

Go to solution
clark white
Level 2
Level 2
In response to yogdhanu

‎05-10-2016 12:53 PM

Dear yogdhanu,

I have ASA 5525-X with firepower SSD, I was planning to use ssl decryption  for the below please suggest on which I should enabled.

  • SSL decryption for users internet traffic
  • Outlook Web Access server (OWA) which is access from outside for the corporate users it I will be use when the users will upload a attachment to the OWA server so that it will be decrypted scanned and uploaded to the server, is it make sense. ???

apart from the above any suggestion that can be a best practice from cisco.

thanks

0 Helpful

Go to solution
yogdhanu
Cisco Employee
Cisco Employee
In response to clark white

‎05-10-2016 09:27 PM

Hi Clark,

I would suggest to enable SSL in a phased manner so you know what effect it has on your network.

Enable the ssl on OWA traffic for a start and monitor the performance.

If there is encrypted backup which does not need to be inspected , bypass it from firepower or create a trust rule to save resources.

If all goes fine and there is no high CPU or memory alerts , then enable SSL for user traffic as well and monitor.

Hope it helps.

Yogesh

0 Helpful

Go to solution
crusier2015
Level 1
Level 1
In response to yogdhanu

‎11-16-2016 05:58 PM

Hi Yogesh,

Can we share with us, what usually do you configure on your ssl policy? Do you enable for all HTTPS traffic, or normally for application only, like OWA? 

Tks

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card