Wow...
from the ASA-CX user guide:
Configuring Decryption Settings
Before you can implement decryption policies on ASA CX, you must enable
them and identify the Certificate Authority (CA) certificate that the
ASA CX will use to manage decrypted traffic flows. The CA certificate
is used to issue temporary replacement certificates for each site that
is visited by a client application. The temporary certificate is used in
place of the real server certificates in the secure (SSL or TLS) session
between the client and ASA CX. Meanwhile, the real server certificate
is used in the secure session between ASA CX and the server. This
approach enables ASA CX to decrypt the content coming in to the device
from either side, and then re-encrypt it before relaying it.
Neat. Given that this breaks the (wrongly) presumed end-to-end
confidentiality by anyone having a (whitelisted CA derived) CA cert,
I just don't quite grasp the consequences in the Snowden era...
-Carlos
Cristian Matei @ 02/05/2014 10:24 -0300 dixit:
> Hi,
>
> You need any type of certificate which allows you to generate
> certificates, like Root, CA, Sub-CA, etc. ASA-CX is basically the Ironport
> platform code, which runs on the ASA in hardware for bigger platforms or
> software in lower platforms. I'm not sure if it explicitly tells you what
> type of certificate you need in the documentation (I'm sure it tells you
> in the IronPort knowledge base), but it tells you implicitly based on the
> behaviour/functionality.
>
>
> Regards,
>
> Cristian Matei, 2 x CCIE #23684 (R&S/SC)
> cmatei_at_INE.com
>
> Internetwork Expert, Inc.
> http://www.INE.com
>
>
>
> On 02/05/14 08:17, "Carlos G Mendioroz" <tron_at_huapi.ba.ar> wrote:
>
>> Cristian,
>> do you have a link to a document that describes this procedure?
>> That you'd need an RA certificate for the ASA, right? Those should be
>> expensive I guess :)
>>
>> TIA,
>> -Carlos
>>
>> Cristian Matei @ 01/05/2014 17:37 -0300 dixit:
>>> Hi,
>>>
>>> If you speak about the ASA-CX module, if based on policies the ASA decides
>>> to decrypt the HTTPS session for inspection, what ends up happening is that
>>> there will be two SSL/TLS tunnels: one between client and ASA, one between
>>> ASA and server. The interesting part is how you fix the possible
>>> certificate issues; the ASA needs a Root type of certificate because what
>>> it does is that it gets the certificate from the server and
>>> builds/generates a certificate on-the-fly to match the server's
>>> certificate attributes. So from the client perspective, the only
>>> difference between the HTTPS session being decrypted or not is the
>>> server's certificate issuer: if the session is decrypted by the ASA, the
>>> server's certificate issuer will be the ASA.
>>>
>>> Regards,
>>> Cristian Matei, 2 x CCIE #23684 (R&S/SC)
>>> cmatei_at_INE.com
>>>
>>> Internetwork Expert, Inc.
>>> http://www.INE.com
>>>
>>>
>>>
>>>
>>> On 01/05/14 15:31, "R.B. Kumar" <seekumarin_at_gmail.com> wrote:
>>>
>>>> Hi Experts- I am curious to understand how the SSL/HTTPS inspection is
>>>> designed to be handled in Cisco ASA Firewall.
>>>>
>>>> What all I know is that, for SSL inspection, the firewall has to decrypt
>>>> and again encrypt the traffic passing through the firewall. Does this
>>>> require the Server's Private key to be imported into the firewall for
>>>> decryption and the Public key for encrypting?
>>>>
>>>>
>>>>
>>>> Thanks in advance
>>>>
>>>> RBK
>>>>
>>>>
>>>> Blogs and organic groups at http://www.ccie.net
>>>>
>>>> _______________________________________________________________________
>>>> Subscription information may be found at:
>>>> http://www.groupstudy.com/list/CCIELab.html
>>>
>>>
>>
>> --
>> Carlos G Mendioroz <tron_at_huapi.ba.ar> LW7 EQI Argentina
>
>
--
Carlos G Mendioroz <tron_at_huapi.ba.ar> LW7 EQI Argentina

Received on Fri May 02 2014 - 11:46:28 ART
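The following Go program is an added illustration, not code from this thread or from Cisco: it models the on-the-fly certificate issuance Cristian describes and the client-side trust check that Carlos's concern hinges on. It constructs a stand-in public root and a stand-in "ASA CX" decryption CA (both names are constructed), issues a replacement certificate for the same host, and shows that the subject and SAN match while the issuer differs, so the chain only verifies once the decryption CA is in the client's trust store.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mint builds a certificate for cn: a self-signed CA when parent is nil, else a server cert for host cn signed by parent.
func mint(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	signer := parentKey
	if parent == nil { // CA: self-signed and allowed to sign other certificates
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, signer = tmpl, key
	} else { // leaf: the attributes a client checks against the requested host name
		tmpl.DNSNames = []string{cn}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// AnchorOf is the client's trust decision: verify leaf for host and return the CN of the trusted root that anchored the chain, or "" if none did.
func AnchorOf(leaf *x509.Certificate, host string, trusted ...*x509.Certificate) string {
	pool := x509.NewCertPool()
	for _, c := range trusted {
		pool.AddCert(c)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: pool})
	if err != nil {
		return "" // untrusted issuer: a decryption CA that is not whitelisted is caught here
	}
	return chains[0][len(chains[0])-1].Subject.CommonName
}

func main() {
	const host = "www.example.com" // constructed sample host
	publicCA, _ := mint("Public Root CA (constructed)", nil, nil)
	proxyCA, proxyKey := mint("ASA CX Decryption CA (constructed)", nil, nil)
	replacement, _ := mint(host, proxyCA, proxyKey) // the on-the-fly certificate the client sees
	fmt.Println(AnchorOf(replacement, host, publicCA), "|", AnchorOf(replacement, host, publicCA, proxyCA))
}
```

The first value printed is empty (the decryption CA is not trusted, so the client rejects the replacement certificate); the second names the decryption CA, which is exactly the issuer change Cristian points out.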
This archive was generated by hypermail 2.2.0 : Tue Jun 10 2014 - 13:43:09 ART