Cristian,
do you have a link to a document that describes this procedure?
That you'd need an RA certificate for the ASA, right? Those should be
expensive I guess :)
TIA,
-Carlos
Cristian Matei @ 01/05/2014 17:37 -0300 dixit:
> Hi,
>
> If you speak about ASA-CX module, if based on policies the ASA decides to
> decrypt for inspection the HTTPS session, what ends up happening is that
> there will be two SSL/TLS tunnel: one between client and ASA, one between
> ASA and server. The interesting part is how do you fix the possible
> certificate issues; the ASA needs a Root Type of certificate because what
> it does is that it gets the certificate from the server and
> builds/generates a certificate on-the-fly to match the server's
> certificate attributes. So from the client perspective, the only
> difference between the HTTPS session being decrypted or not, is the
> server's certificate issuer: if session is decrypted by the ASA, the
> server's certificate issuer will be ASA.
>
> Regards,
> Cristian Matei, 2 x CCIE #23684 (R&S/SC)
> cmatei_at_INE.com
>
> Internetwork Expert, Inc.
> http://www.INE.com
>
> On 01/05/14 15:31, "R.B. Kumar" <seekumarin_at_gmail.com> wrote:
>
>> Hi Experts- I am curious to understand how the SSL/HTTPS inspection is
>> designed to be handled in Cisco ASA Firewall.
>>
>> What all I know is that, for SSL inspection the firewall has to de-crypt
>> and again encrypt the traffic passing thru the firewall. Does this require
>> the Server's Private key need to be imported into the firewall for
>> De-cryption and Public key for encrypting?
>>
>>
>>
>> Thanks in advance
>>
>> RBK
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
>
>
--
Carlos G Mendioroz <tron_at_huapi.ba.ar> LW7 EQI Argentina

Received on Fri May 02 2014 - 09:17:41 ART
This archive was generated by hypermail 2.2.0 : Tue Jun 10 2014 - 13:43:09 ART