Five Reasons to Off-Load SSL Decryption
- Asa Ssl Decryption Software
- Cisco Asa Ssl Decryption Performance
- Cisco Asa Firepower Ssl Decryption
- Cisco Asa Ssl Decryption
Skilled threat actors are now hiding cyber attacks in SSL-encrypted traffic. Not only do their payloads avoid inbound detection, it’s also easier for them to hide outbound activity during data exfiltration. And it’s creating serious challenges for security teams across all industries.
SSL inspection basics
By the end of 2016, 67 percent of the Internet will be encrypted. In fact, popular sites (e.g., Google, Facebook) are now making SSL encryption the default. Google even ranks websites using HTTPS higher in their search algorithms. As more of the Internet shifts toward encrypted traffic, attacks hiding in SSL traffic will only grow in popularity and sophistication.
The SSL Decryption policy is bypassed for any connections that match access control rules set to trust or block if those rules: Use security zone, network, geolocation, and port only as the traffic matching criteria.
In a study,“ Hidden Threats in Encrypted Traffic: A Study of North America & EMEA,” the Ponemon Institute discovered that out of over 1,000 respondents, 80 percent had been victims of at least one cyber attack in the previous 12 months, 40 percent of which leveraged SSL encryption to bypass security.
- GreenMan IT seems like every other vendor has some sort of HTTPS decryption. Sophos XG, SonicWall, Fortinet even Cisco ASA 5506-X with FirePower all seem to be able to do this. As more traffic becomes SSL if I want to be honst to customers on features I think I have to point them back to the ASA line vs MX.
- SSL Decryption Configuration with Firepower Threat Defense 1. There are two methods of SSL traffic decryption. Decrypt - Resign for Outbound SSL traffic, is used when web server are public server such as f5.com where administrator does not have the control over server certificate and keys Decrypt - Known for Inbound SSL traffic, is used when web server is managed by the administrator.
- We have 5555-X series with firepower SFR we were very intersted to do the SSL decryption but later the recommendation came from cisco if you looking for SSL decryption that use WSA or FTD bigger box. So long story short if its production network stay out of it, if in the lab purpose yes go and try it.
- Microsoft, Google, Apple and Mozilla have all announced that their respective browsers will stop accepting SHA-1 SSL certificates by 2017. The MySQL5 hashing algorithm implements a double binary SHA-1 hashing algorithm on a users password.
A proven method for stopping these attacks is SSL decryption and inspection. On a basic level, your network and security appliances will:
- Decrypt inbound and/or outbound traffic
- Send the decrypted traffic to a security appliance for inspection and mitigation,
- Re-encrypt the traffic
- Send the safe data to its final end point
The top reason (61 percent) their organizations haven’t implemented proper SSL decryption? Concerns over performance degradation, found Ponemon.
Off-load SSL decryption
Implementing this technique onboard your appliance, however, is processor-intensive and will likely result in performance degradation. An organization can avoid these issues by off-loading SSL decryption to a dedicated appliance. Let’s take
Let’s take Cisco ASA and FirePOWER, for example. A trusted next-generation firewall (NGFW) and security service, this solution can block up 99.4 percent of intrusion events and 99.2 percent of advanced malware attacks.
Although it can execute on-board SSL decryption in smaller deployment scenarios, it’s not advisable as organizations scale regional, national or global enterprise networks. However, by integrating Cisco ASA with FirePOWER with an enterprise-grade SSL decryption solution — like A10 Thunder SSLi, for example — organizations can bolster security without affecting performance. This video explains why SSL offload is the best strategy.
Five reasons to off-load SSL decryption
As we know, each deployment scenario is different. But for most organizations, it’s best practice to off-load SSL decryption and re-encryption to dedicated, high-performance solutions. The top benefits for this approach include:
- Dedicated processing for higher performance
- Set client-specific policies to determine which traffic should and should not be decrypted (e.g., data related to PCI or HIPAA compliance)
- Increase capacity and scalability with enterprise-grade load-balancing
- Quickly decrypt and re-encrypt SSL traffic with long ciphers or high key lengths
- Integrate with leading security appliances for maximum vendor flexibility
For more information on SSL decryption and inspection with Cisco ASA with FirePOWER, download the in-depth solution brief.
KB ID 0001052
Problem
By default the Cisco ASA will allow connection via SSLv3. The POODLE exploit works by forcing SSL to fall back to SSLv3 and then decrypting that communication. However you are still not completely protected as per this Threat Validation, so the ASA platform can still be attacked via TLSv1.0. Note: At time of writing TLSv1.2 is not supported, but it is on the road-map for version 9.3(2).
So this procedure will not completely eliminate the threat, but it’s as mitigated as it’s possible to be at this time, (And TLSv1 is considered more secure than SSLv3 anyway).
Solution
1. You can check your firewall is contactable via SSLv3, here I’m on MAC OSX and I’ve got OpenSSL installed. If I try to initiate an SSLv3 connection it works.
Or if you have nmap installed you can use that as well;
2. Below you can see I’m confirming the SSL settings (i.e. it will accept SSLv3). Then I force the firewall to only accept TLSv1.0.
You can see, afterwards when I view the SSL options, only TLSv1 will be accepted.
3. If you prefer to use the ADSM, then you will find the same settings at, Configuration > Remote Access VPN > Advanced > SSL Settings;
Asa Ssl Decryption Software
The SSL version for the security appliance to negotiate as a ‘server’ = TLS V1 Only
The SSL version for the security appliance to negotiate as a ‘client’ = TLS V1 Only
4. Don’t forget to ‘Apply’ and then save the changes.
Cisco ASA Testing for SSLv3
Simply perform the tests that I did above;
Cisco Asa Ssl Decryption Performance
1. Proving the absence of SSLv3 with OpenSSL.
2. Proving the absence of SSLv3 with nmap.
Cisco Asa Firepower Ssl Decryption
Related Articles, References, Credits, or External Links
Cisco Asa Ssl Decryption
NA