cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
813
Views
3
Helpful
4
Replies

SSL termination and inspection discussion using cisco technology

asad ali
Level 1
Level 1

 

I want to know what options exists in cisco platforms for following scenario

 

 "We are looking to update the infra which currently houses a linux box working as reverse proxy and mod sec which does application layer inspection.  The box later re-encrypts traffic when it leaving the box to be sent to actual targeted server. So, this one box is configured to perform termination and inspection of traffic both.

The new hardware , we are looking for must have an option which is equivalent in purpose (termination and inspection) but improved itself in terms of sec high end performance and also gives more attack coverage.

So the requirements are to perform:-

  • termination and inspection on single box (preferably)
  • provides wide attack coverage capability as far layer 7 traffic is concerned
  • Ideally all units involved in solution be CISCO"

 

Please let me know if more explanation is required and how I can improve my question if required.

 

Thanks.

1 Accepted Solution

Accepted Solutions

In both cases, the Cisco products use a trusted certificate issued by a private Certificate Authority to terminate the SSL sessions requested by the clients. It re-encrypts the flow as it passes to the target servers.

View solution in original post

4 Replies 4

Marvin Rhoads
Hall of Fame
Hall of Fame

There are two available Cisco solutions for this in the current portfolio (not including the discontinued ASA CX module add-on NGFW):

1. Cisco Web Security Appliance (WSA).

2. Cisco FirePOWER appliance (only the hardware appliances - not the FirePOWER modules on ASA (yet)).

Thanks Marvin,

 

In both the above solution, would I have the ability to re-encrypt traffic as well, or is decrypt - inspect and forward only. Thanks.

In both cases, the Cisco products use a trusted certificate issued by a private Certificate Authority to terminate the SSL sessions requested by the clients. It re-encrypts the flow as it passes to the target servers.

Thanks for being so responsive. Sounds great the solutions you mentioned. I will read more about it now. I know Juniper srx does something similar but the inspection capabilities is not at par it seems. Does cisco have a competition in this solution. The inspection engine in above solutions is at of same or comparable specs to dedicated ips sensors or ssp or aip modules comes with integrated cisco asa.
Review Cisco Networking for a $25 gift card