SSL termination and inspection discussion using cisco technology

asad ali
Level 1

I want to know what options exist on Cisco platforms for the following scenario:

"We are looking to update the infrastructure which currently houses a Linux box working as a reverse proxy with ModSecurity, which does application-layer inspection. The box later re-encrypts traffic when it leaves the box to be sent to the actual targeted server. So this one box is configured to perform both termination and inspection of traffic.

The new hardware we are looking for must have an option which is equivalent in purpose (termination and inspection) but improved in terms of security and high-end performance, and which also gives more attack coverage.

So the requirements are to perform:

  • termination and inspection on a single box (preferably)
  • wide attack coverage capability as far as layer 7 traffic is concerned
  • ideally, all units involved in the solution are Cisco"

Please let me know if more explanation is required and how I can improve my question if required.

Thanks.
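The single-box "terminate, inspect, re-encrypt" setup the post describes, written out as an added example that is not part of the original post: an Apache httpd virtual host combining mod_ssl (client-side TLS termination), mod_security2 (layer-7 inspection of the decrypted request and response) and mod_proxy (a fresh TLS session to the real server). The hostname, file paths, the upstream address 10.0.0.10:8443 and the rule-set location are assumed for illustration.

```apache
# Added example (not from the original post): one Apache httpd virtual host that
# 1) terminates client TLS, 2) runs ModSecurity on the plaintext, and
# 3) re-encrypts to the real backend. Hostnames, paths and addresses are assumed.
Listen 443
LoadModule ssl_module        modules/mod_ssl.so
LoadModule security2_module  modules/mod_security2.so
LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule headers_module    modules/mod_headers.so

<VirtualHost *:443>
    ServerName app.example.test

    # 1. Termination: the client's TLS session ends here, on the proxy's own
    #    certificate and private key (assumed paths).
    SSLEngine on
    SSLProtocol -all +TLSv1.2 +TLSv1.3
    SSLCertificateFile    /etc/pki/tls/certs/app.example.test.crt
    SSLCertificateKeyFile /etc/pki/tls/private/app.example.test.key

    # 2. Inspection: ModSecurity sees the decrypted request and response bodies.
    #    Use "SecRuleEngine DetectionOnly" while tuning to avoid blocking
    #    legitimate traffic on false positives.
    SecRuleEngine On
    SecRequestBodyAccess On
    SecResponseBodyAccess On
    # Rule set location is assumed (e.g. the OWASP Core Rule Set).
    IncludeOptional /etc/httpd/modsecurity.d/crs-setup.conf
    IncludeOptional /etc/httpd/modsecurity.d/rules/*.conf

    # 3. Re-encryption: a new TLS session from the proxy to the real server.
    #    The three SSLProxy* verification lines make the proxy authenticate the
    #    backend against an internal CA (assumed path); without them mod_proxy
    #    encrypts to whatever answers on that address.
    SSLProxyEngine on
    SSLProxyVerify require
    SSLProxyCheckPeerName on
    SSLProxyCACertificateFile /etc/pki/tls/certs/internal-ca.crt
    ProxyPreserveHost On
    RequestHeader set X-Forwarded-Proto "https"
    ProxyPass        / https://10.0.0.10:8443/
    ProxyPassReverse / https://10.0.0.10:8443/
</VirtualHost>
```

The part worth checking on any replacement appliance is step 3: a device that decrypts and inspects but forwards in the clear, or re-encrypts without verifying the backend's certificate, does not preserve what this box currently provides.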

4 Replies

Marvin Rhoads
Hall of Fame

There are two available Cisco solutions for this in the current portfolio (not including the discontinued ASA CX module add-on NGFW):

1. Cisco Web Security Appliance (WSA).

2. Cisco FirePOWER appliance (only the hardware appliances - not the FirePOWER modules on ASA (yet)).

Thanks Marvin,

In both of the above solutions, would I have the ability to re-encrypt traffic as well, or is it decrypt, inspect and forward only? Thanks.

(Accepted solution) In both cases, the Cisco products use a trusted certificate issued by a private Certificate Authority to terminate the SSL sessions requested by the clients. It re-encrypts the flow as it passes to the target servers.

Thanks for being so responsive. The solutions you mentioned sound great. I will read more about them now. I know the Juniper SRX does something similar, but its inspection capabilities are not on par, it seems. Does Cisco have competition in this solution? Is the inspection engine in the above solutions of the same or comparable specs to dedicated IPS sensors or the SSP or AIP modules that come with an integrated Cisco ASA?