Is it recommended to scan SSL traffic

Depends on your company policy and provision of services.
If you are in a highly regulated industry where web use is pinned down to work use only, then yes, you should be.
If you allow different devices on your network that aren't managed, it can be an issue deploying the intermediate certs needed.
In more liberal working environments it can create staff "privacy" issues if you are intercepting their banking transactions, Facebook posts and Amazon purchases.

We are using McAfee web filtering devices, where I have the option of scanning SSL traffic. I know and understand the SSL technology but still have a question in my mind, so it is better to get some suggestions.
Any suggestions will be highly appreciated.
This topic first appeared in the Spiceworks Community

Similar Messages

  • ACE Best Sticky Method for SSL Traffic

    Hi, With ACE 4710 running serverfarms primarily running SSL traffic, what is the best method for configuring stickiness. Here are some parameters:
    1) low volume sites, 2 real servers
    2) ACE _will not_ do SSL offloading
    3) Balancing HTTPS requests
    4) Many versions of HTTP clients
    5) Currently running ACE A1 code
    I am thinking of:
    1) TCP Header | HostID inspection
    2) SSL-session ID (not good if re-key often though)
    3) Any suggestions?
    many thx,
    WR

    Hi Will,
    You can see a complete configured example for your perusal in this regard:
    Configure ACE Module for End to End SSL Termination
    http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00809c6f37.shtml
    And many more here under
    Data Center Application Services Configuration Examples:
    http://docwiki.cisco.com/wiki/Category:Data_Center_Application_Services_Configuration_Examples
    Hope these configuration examples will be useful to you.
    Sachin Garg

  • Cisco CSS as non-HTTPS SSL-traffic terminator

    Hi!
    Does anybody know whether it is possible to use a Cisco CSS as an SSL-traffic terminator? I need to terminate non-HTTPS SSL traffic on this device (i.e. SSL-encrypted sessions of any particular TCP-based application-layer protocol, not HTTPS). If not, is there any Cisco device capable of doing such a job?
    Regards, Amir

    Hi!
    Thank you very much for your reply.
    I know about the S model - as per my post - but unfortunately I realized this only after making the purchase.
    Can you please help me with the following issue: my unit is not able to boot from FTP, even if I follow the official Cisco documentation for that version (I issue all the commands as in the manual). More than that, if I set up the Primary Boot Configuration and then want to check it, there is nothing in that field. The Secondary Boot Configuration keeps its settings, and after the Primary failure it will try the Network Boot but with Failed status, returning me to the OffDM.
    I mention that I am using the OffDM because the unit I bought has no Flash Card.
    Also I am not sure how I can have a "network mounted filesystem" and in the meantime use the FTP protocol; setting up an NFS server won't provide me with a Windows-style absolute path like k:/.... as per the official Cisco guide. Is plain FTP generically being called a Network File System? "First, create these subdirectories on the FTP server, then copy the files from the boot image to the subdirectories"
    Is this linked with the fact that I am using a Linux box for my FTP server? Can you please help me to understand what the following line from the official Cisco guide means: "A network boot is not supported on UNIX workstations"
    Thank you!

  • URL filtering ACE after decryption of SSL traffic

    We currently have a Cisco CSS11501 which we have configured with SSL offloading.
    We offload the SSL traffic, and after decryption of the SSL traffic we perform URL filtering.
    Can the ACE 4710 Appliance do the same?
    I have attached the current configuration of the css.
    Regards,
    Richard

    With the config below,
    traffic matching 10.10.10.10:443 will be SSL offloaded and then
    load balanced using rservers in serverfarm "APP1-SFARM" if
    the request includes "/matchthis".
    ssl-proxy service APP1-SSL-PROXY
      key default-key.pem
      cert default-cert.pem
    class-map match-all APP1-443-VIP
      2 match virtual-address 10.10.10.10 tcp eq https
    class-map type http loadbalance match-any APP1-URLMAP
      2 match http url /matchthis.*
    policy-map type loadbalance first-match APP1-Policy
      class APP1-URLMAP
        serverfarm APP1-SFARM
    policy-map multi-match VIPS-VLAN79
      class APP1-443-VIP
        loadbalance vip inservice
        loadbalance vip icmp-reply active
        loadbalance policy APP1-Policy
        ssl-proxy server APP1-SSL-PROXY
    HTH
    Syed iftekhar Ahmed

  • Failing PCI Compliance Scan - SSL Weak...

    Hello,
    I currently use the WRVS4400n v2 (latest update) for my small business. I store and transmit data that contains credit card information and need to be PCI compliant. Regardless of which settings I change on the router, like turning off remote management, I keep failing the scan. ControlScan uses Nessus and the results are below (2 vulnerabilities).
    I did some research and spent some time with Cisco Sales Chat, and they recommended an ASA5500, only to realize that it too had the same vulnerabilities. I did more research and it seemed that the SA520w (I need wireless) would do it, but I found a thread on this forum saying that a client who had the SA520w failed the scan due to an SSL vulnerability (need v3+?). The thread is at https://supportforums.cisco.com/thread./2060512
    Question: What router/appliance should I use to be PCI compliant? There has to be something; we're talking Cisco here.
    Thank you in advance for your help,
    Christophe
    Threat ID: 126928
    Details:
    IP Address: XX.XXX.X.XXX
    Host: XX.XXX.X.XXX
    Path:
    THREAT REFERENCE
    Summary:
    SSL Weak Cipher Suites Supported
    Risk: High (3)
    Type: Nessus
    Port: 60443
    Protocol: TCP
    Threat ID: 126928
    Information From Target:
    Here is the list of weak SSL ciphers supported by the remote server :
    Low Strength Ciphers (< 56-bit key)
    SSLv2
    EXP-RC2-CBC-MD5            Kx=RSA(512)   Au=RSA     Enc=RC2(40)      Mac=MD5    export    
    EXP-RC4-MD5                Kx=RSA(512)   Au=RSA     Enc=RC4(40)      Mac=MD5    export    
    The fields above are :
    {OpenSSL ciphername}
    Kx={key exchange}
    Au={authentication}
    Enc={symmetric encryption method}
    Mac={message authentication code}
    {export flag}
    Solution:
    Reconfigure the affected application if possible to avoid use of weak ciphers.
    Details:
    The remote host supports the use of SSL ciphers that offer either weak encryption or no encryption at all.
    Threat ID: 142873
    Details:
    IP Address: XX.XXX.X.XXX
    Host: XX.XXX.X.XXX
    Path:
    THREAT REFERENCE
    Summary:
    SSL Medium Strength Cipher Suites Supported
    Risk: High (3)
    Type: Nessus
    Port: 60443
    Protocol: TCP
    Threat ID: 142873
    Information From Target:
    Here are the medium strength SSL ciphers supported by the remote server :
    Medium Strength Ciphers (>= 56-bit and < 112-bit key)
    SSLv2
    DES-CBC-MD5                Kx=RSA        Au=RSA     Enc=DES(56)      Mac=MD5   
    SSLv3
    DES-CBC-SHA                Kx=RSA        Au=RSA     Enc=DES(56)      Mac=SHA1  
    TLSv1
    DES-CBC-SHA                Kx=RSA        Au=RSA     Enc=DES(56)      Mac=SHA1  
    The fields above are :
    {OpenSSL ciphername}
    Kx={key exchange}
    Au={authentication}
    Enc={symmetric encryption method}
    Mac={message authentication code}
    {export flag}
    Solution:
    Reconfigure the affected application if possible to avoid use of medium strength ciphers.
    Details:
    The remote host supports the use of SSL ciphers that offer medium strength encryption, which we currently regard as those with key lengths at least 56 bits and less than 112 bits.

    Chris,
    As I understand it, right now none of the Small Business routers are PCI compliant, ever since PCI 3.0 was released. How you overcome this: you'll need to forward any ports you are failing on to a ghost IP (any IP address that isn't being used). If you are using those ports, then you will lose that service, as the router isn't PCI 3.0 compliant.
    Jason
    I do believe the ASA5505 is PCI 3.0 compliant.
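The two Nessus findings quoted above share one line format (cipher name, Kx=, Au=, Enc=ALG(bits), Mac=, optional export flag). As an added example, not code from the thread or from Nessus, here is a parser for that block that applies the same strength thresholds the findings use (<56 bits low, 56..111 medium) and separately lists everything still offered under SSLv2; the sample report is constructed from the lines quoted in the post.

```python
import re
from dataclasses import dataclass

# Constructed sample: the cipher lines quoted in the two Nessus findings above,
# under the protocol headers exactly as the scanner prints them.
SAMPLE_REPORT = """\
SSLv2
EXP-RC2-CBC-MD5            Kx=RSA(512)   Au=RSA     Enc=RC2(40)      Mac=MD5    export
EXP-RC4-MD5                Kx=RSA(512)   Au=RSA     Enc=RC4(40)      Mac=MD5    export
DES-CBC-MD5                Kx=RSA        Au=RSA     Enc=DES(56)      Mac=MD5
SSLv3
DES-CBC-SHA                Kx=RSA        Au=RSA     Enc=DES(56)      Mac=SHA1
"""
PROTO_RE = re.compile(r"^(SSLv2|SSLv3|TLSv1(?:\.\d)?)$")
CIPHER_RE = re.compile(  # name, Kx=, Au=, Enc=ALG(bits), Mac=, optional "export" flag
    r"^(?P<name>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+Enc=(?P<enc>[A-Za-z0-9-]+)"
    r"\((?P<bits>\d+)\)\s+Mac=(?P<mac>\S+)(?P<export>\s+export)?\s*$")

@dataclass(frozen=True)
class Cipher:
    proto: str
    name: str
    kx: str
    enc: str
    bits: int
    mac: str
    export: bool
    def strength(self) -> str:
        # Same thresholds the findings above use: <56 bits low, 56..111 medium.
        return "low" if self.bits < 56 else "medium" if self.bits < 112 else "strong"

def parse_ciphers(report: str) -> list:
    """Walk an 'Information From Target' block and return one Cipher per cipher line."""
    ciphers, proto = [], None
    for line in (raw.strip() for raw in report.splitlines()):
        if PROTO_RE.match(line):
            proto = line  # following cipher lines are offered under this protocol version
        elif (m := CIPHER_RE.match(line)) and proto:
            ciphers.append(Cipher(proto, m["name"], m["kx"], m["enc"],
                                  int(m["bits"]), m["mac"], bool(m["export"])))
    return ciphers

def triage(report: str) -> dict:
    """Group cipher names by strength, and list everything offered under SSLv2 separately."""
    out = {"low": set(), "medium": set(), "strong": set(), "sslv2": set()}
    for c in parse_ciphers(report):
        out[c.strength()].add(c.name)
        if c.proto == "SSLv2":
            out["sslv2"].add(c.name)
    return out
```

Feeding a whole scanner export through `triage` gives the list a remediation ticket needs: every export-grade and single-DES suite, plus the SSLv2 offer that has to go regardless of cipher.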

  • SSL traffic management

    I am trying to set up a CSS with SSL module for a company with 1 public IP and 3 internal web servers (Time Management, Exchange and an employee portal) that require SSL connections. I am NATing all 443 traffic to a CSS VIP which references an SSL-PROXY-LIST (frontend and backend SSL). Does anyone have a network setup like this working?
    I am having an issue with URL filtering on the unencrypted clear-text traffic / second content rule lookup from the SSL module to the CRM during the backend SSL setup. Any ideas? This should be possible, correct?
    Thanks in advance ...

    Got it working ...

  • Can I set up multiple instances on iPlanet on one server, one to handle clear-text traffic, and one to handle SSL traffic?

    Long story, but the iPlanet version is 4.1 SP9. We will be filtering users coming in remotely (via internet VPN or dialup) to the SSL implementation, the internal intranet users to the clear-text implementation... thanks!

    Hi,
    you can run more than one instance in iWS,
    like one for http://www.test.com:80 (for TEXT) and another for https://www.test.com:6000
    (Note: you cannot use the same port for different instances). I hope this answers your question.
    Thanks,
    Daks.

  • Prevent HTTPS proxy from intercepting SSL traffic

    We have a Flex + BlazeDS+Spring application built which runs on WebSphere6.1.
    We use the AMF secure protocol (SSL) for communication. In spite of using SSL, tools like Charles Proxy are able to decrypt the communication and debug the AMF messages. How can we prevent HTTPS proxies like Charles Proxy from intercepting it?

    Got it working ...

  • I have been having problems with e-mails coming through to my 3G iPhone recently; my e-mail provider recommended disabling SSL as a default option, but I'm not sure where to find this on the phone. Can anyone help?

    Please can you advise how to disable SSL on my iPhone? I am not sure where the setting is.
    Thanks
    Tania

    Go to Settings/Mail, Contacts, Calendars. Tap the name of the email account. If you don't see a bar labeled "Advanced" near the bottom, tap Account. Tap Advanced. Under Incoming Settings, there should be an option to Use SSL. If it is ON, tap it to turn it off.

  • Otv filtering ssl traffic?

    Hi
    We are running OTV across 2 sites. The sites have a NAS device and 2 nodes at each site. The NAS device can communicate with the 2 nodes fine on its local site, but when trying to access the nodes on the remote site using HTTPS over port 8443, the connection fails.
    All devices can ping each other, and we have even seen an established connection and the FIN sent between the two devices.
    I don't see any issue with the network here, but am just asking if anyone knows of any issues that can be caused by OTV when trying to connect using SSL?
    Thanks
    Ps. There are no other devices such as firewalls, proxy, etc in the way. The topology consists of the nexus 7ks, dark fibre, and the end devices.

    Hi Bilal
    I don't remember the solution, but it was an error relating to the NAS device, not the network.
    Anthony

  • IDS, detection of encrypted packets within non-SSL traffic streams?

    All...
    Here's the scenario:
    There's a host on the internal network that has a reverse shell to the outside world, and the packets being sent back to the attacker are encrypted, over a standard web (TCP/80) port - which is allowed by Websense or URL filter of choice.
    Can a custom signature be created to alert on the detection of encrypted packets / data streams over non-encrypted transmissions? We've found other IDS/IPS systems where we're able to build custom sigs to detect and alert on these streams, but are wondering if we can do that within Cisco IDS/IPS?
    Please be specific if possible...let's assume the organization is using the latest version of Cisco IDS software.
    Thanks in advance...

    Have you got Sig 11233 series enabled?  It does, BTW, appear to exclude "WEBPORTS."  Maybe a copy could be made to exclude only TCP 443.
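The heuristic behind the question above (ciphertext on a port where the URL filter expects plaintext HTTP) is a byte-entropy test. As an added illustration, not code from Cisco IDS or from the thread, here is that check run over constructed sample payloads; the port set, threshold and minimum length are assumptions for the demo, and the "ciphertext" is seeded random bytes standing in for an encrypted reverse-shell stream.

```python
import math
import random
from collections import Counter

CLEARTEXT_WEB_PORTS = {80, 8080}   # ports the URL filter expects to carry plaintext HTTP (assumed)
HTTP_PREFIXES = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"HTTP/")
ENTROPY_THRESHOLD = 7.0            # bits/byte; HTTP text sits around 4.5-5.5, ciphertext near 8

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input, 8.0 at most)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_like_http(payload: bytes) -> bool:
    return payload.startswith(HTTP_PREFIXES)

def classify(dst_port: int, payload: bytes, min_len: int = 256) -> str:
    """
    'encrypted-on-cleartext-port' when a flow to a plaintext web port carries a
    high-entropy payload that is not HTTP; 'plaintext' otherwise; 'ignored' for
    other ports (e.g. 443, where ciphertext is expected, mirroring the 443 exclusion
    in the reply above) and for payloads too short for the estimate to mean anything.
    Caveat: feed the first client-to-server segment of each flow, not arbitrary
    packets; a mid-stream chunk of a gzip-compressed HTTP body has no request-line
    prefix and also scores near 8 bits/byte, which is the main false-positive source.
    """
    if dst_port not in CLEARTEXT_WEB_PORTS or len(payload) < min_len:
        return "ignored"
    if looks_like_http(payload):
        return "plaintext"
    if shannon_entropy(payload) > ENTROPY_THRESHOLD:
        return "encrypted-on-cleartext-port"
    return "plaintext"

# Constructed samples (not real captures).
HTTP_SAMPLE = (b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n"
               b"User-Agent: Mozilla/5.0\r\nAccept: text/html\r\n\r\n") * 8
_rng = random.Random(1234)  # seeded so the demo is reproducible
ENCRYPTED_SAMPLE = bytes(_rng.getrandbits(8) for _ in range(2048))  # stands in for ciphertext

if __name__ == "__main__":
    for label, port, data in (("browser", 80, HTTP_SAMPLE),
                              ("reverse shell", 80, ENCRYPTED_SAMPLE),
                              ("normal TLS", 443, ENCRYPTED_SAMPLE)):
        print(f"{label:14} -> :{port}  {classify(port, data):28} H={shannon_entropy(data):.2f}")
```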

  • Network traffic decryption for SSL Inspection

    Hi,
    Can ASA5545-IPS support network traffic decryption for SSL Inspection?
    Regards,
    Jhun

    When we inspect SSL traffic (on the CX module), the ASA acts as a proxy and has an SSL key of its own that is trusted by the user (i.e. issued by a CA in the user's Trusted Certificate store). That allows it to intercept, decrypt, inspect and re-encrypt the traffic.
    Here is a link to the User Guide section explaining in more detail.

  • How many ssl modules are needed for a redundant configuration?

    Hi, apologies but I can't seem to find a definite answer for this question. I have two css 11506's set up using vip/virtual interface redundancy (active/standby). Each css 11506 has a single ssl module.
    Is this adequate for ssl redundancy? I've read in this forum that if an ssl module fails, the css will reboot causing failover to the standby css so ssl connections will simply reset and as long as I have ASR set up on the back end http content, users will not notice the failover.
    Am I correct in this thinking or do you recommend using two ssl modules in each css? Thinking there is that if one ssl module fails, there will still be a 2nd module to handle ssl traffic and the css's will not failover.
    Thanks
    -Dan

    There is no need for 2 modules.
    You would use 2 modules if you need more power [handle more connections].
    However, your assumption is incorrect.
    Nowadays, there is no device in the world [Cisco and non-Cisco] that can do SSL stateful failover.
    In other words, upon failure, all SSL users will have to restart their connection.
    Gilles.

  • How to verify that SSL(HTTPS) is implemented on JBOSS or not?

    Hi Everybody,
    I recently implemented SSL (HTTPS) on a JBoss 4.0.3 server. My application is working perfectly fine with HTTPS. Now my query is how I can ensure that it is working over HTTPS other than by viewing the "https://" in the URL.
    Is there any other way to check whether HTTPS is implemented or not?
    Any help will be highly appreciated.
    Regards
    Rinku Garg

    What about trying to connect a client that is configured to only support SSLv3?
    -> Can you provide more insight on this?
    There are also many third party tools (even scripts) that allow for scanning SSL on your server.
    -> I saw that there is openssl, but it is not that friendly on Windows. Need to install dependencies before it works.
    You could also use Network Monitor (or Wireshark or alike) to capture some network traffic and check the SSL handshake. The Server Hello will contain information on the supported protocol and ciphers.
    -> I have tried both Wireshark and Network Monitor, and it seems that I can view the SSL handshake in Wireshark but not in Network Monitor. But it could be that I do not know the filter to search. Do you know of any filter that I should use?
    Thanks and best regards, Kim Seng
    This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
