This document describes the problem where the IPS is unable to decrypt (and re-encrypt) SSL packets for monitoring purposes.
This can be addressed with the new "native" way of inspecting SSL traffic, using ASA CX:
ASA CX Context-Aware Security:
Cisco ASA CX Context-Aware Security is a modular security service. With Cisco ASA CX Context-Aware Security, the ASA platform is extended with remarkable visibility and control. The service uses the Cisco SecureX Framework to gain end-to-end network intelligence from the local network, using Cisco AnyConnect Secure Mobility and Cisco TrustSec, and to gain near-real-time global threat information from Cisco Security Intelligence Operations (SIO). As a result, Cisco ASA CX Context-Aware Security goes beyond the capabilities of "next generation" firewalls by delivering phenomenal network intelligence and granular control.
Unprecedented Network Visibility
Cisco ASA CX Context-Aware Security gives security administrators a unique level of visibility into the traffic flowing through the network. This includes:
The users connecting to the network.
The devices being used.
The applications and websites being accessed.
Cisco AnyConnect provides detailed information on the type and location of a mobile device before it is allowed to access the network. ASA CX also uses global threat intelligence from Cisco Security Intelligence Operations (SIO) to provide zero-day malware protection.
Granular Application, User and Device Control:
Port- and protocol-hopping applications such as Skype and other peer-to-peer applications can be blocked by Cisco ASA CX. More effective security can be achieved by writing fewer policies. A rich policy language is also used, so that policies can be written based on a wide range of:
ASA CX provides deeper social networking controls than other next-generation firewalls. ASA CX is capable of recognizing more than 1000 applications and 75,000 micro-applications, aiding organizations in providing access to specific components of an application while disabling other unwanted components. Policies can be written for individual and group-based access control of these application components. ASA CX displays the specific type of device trying to gain access to the network, the operating system it is running, and its location. Administrators can confidently allow a number of devices to access the network while maintaining high levels of network protection and control.
It provides access control based on user and user role. It also supports common identity mechanisms such as the Active Directory agent, LDAP, Kerberos, and NT LAN Manager.
An enterprise-class, full-featured URL filtering solution enables effective control of internet traffic.
It draws on Cisco security deployments for comprehensive network protection. Cisco SIO delivers regularly updated threat intelligence feeds for near-real-time protection from zero-day malware.
Stateful firewall capabilities:
It provides extensive support for Layer 3 and Layer 4 stateful firewall features, including access control, network address translation and stateful inspection.
Intuitive management solution:
It comes pre-loaded with Cisco Prime Security Manager, a management solution that simplifies the management of context-aware firewalls.
The ASA CX SSP-10 and SSP-20 are supported on Cisco ASA 5585-X platforms running Cisco ASA Software Release 8.4.4 and higher. The solution can be managed using Cisco Prime Security Manager.