1

Is it possible for an AIP module within a Cisco 5510 ASA to decrypt and inspect SSL traffic?

I have asked my local vendor (who placed the devices of which I speak) and they say that the AIP module is incapable of reviewing encrypted content. I work with web application firewalls fairly commonly and am thus familiar with the ability to install a web certificate on an appliance to allow it to see into the SSL traffic. Is that impossible on an ASA with an IPS module?

moniker
  • 85
  • 5

1 Answer

2

Correct. The ASA does not perform SSL termination (beyond that required for WebVPN and AnyConnect VPN), so it is unable to provide a decrypted data stream for the AIP to inspect. You would need to position something else in front of the ASA that can perform SSL termination, such as a Web application firewall, as you mentioned. Some load-balancing products (e.g. Cisco CSM-SSL) can do this as well.

James Sneeringer
  • 6,835
  • 24
  • 27