Is it recommended to scan SSL traffic
Depends on your company policy and provision of services.
If you are in a highly regulated industry where web use is pinned down to work use only, then yes, you should be.
If you allow different devices on your network that aren't managed, it can be an issue deploying the intermediate certs needed.
In more liberal working environments it can create staff "privacy" issues if you are intercepting their banking transactions, Facebook posts and Amazon purchases.
We are using McAfee web filtering devices, where I have the option of scanning SSL traffic. I know and understand the SSL technology but still have a question in my mind, so it is better to get some suggestions.
Any suggestions will be highly appreciated.
This topic first appeared in the Spiceworks Community
Similar Messages
-
ACE Best Sticky Method for SSL Traffic
Hi, with ACE 4710 running serverfarms primarily carrying SSL traffic, what is the best method for configuring stickiness? Here are some parameters:
1) low volume sites, 2 real servers
2) ACE _will not_ do SSL offloading
3) Balancing HTTPS requests
4) Many versions of HTTP clients
5) Currently running ACE A1 code
I am thinking of:
1) TCP Header | HostID inspection
2) SSL-session ID (not good if re-key often though)
3) Any suggestions?
many thx,
WR
Hi Will,
You can see a complete configured example for your perusal in this regard for
Configure ACE Module for End to End SSL Termination
http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00809c6f37.shtml
And Many more here regarding
Data Center Application Services Configuration Examples:
http://docwiki.cisco.com/wiki/Category:Data_Center_Application_Services_Configuration_Examples
Hope these configuration examples will be useful to you.
Sachin Garg -
Cisco CSS as non-HTTPS SSL-traffic terminator
Hi!
Does anybody know whether it is really possible to use Cisco CSS as an SSL-traffic terminator? I need to terminate non-HTTPS SSL traffic on this device (i.e. SSL-encrypted sessions of any particular TCP-based application-layer protocol, not HTTPS). If not, is there any Cisco device capable of doing such a job?
Regards, Amir
Hi!
Thank you very much for your reply.
I know about the S model - as per my post - but unfortunately I only realized this after making the purchase.
Can you please help me with the following issue: my unit is not able to boot from FTP, even if I follow the CISCO official documentation for that version (I issue all the commands as in the manual). More than that, if I set up the Primary Boot Configuration and then want to check it, there is nothing in that field. The Secondary Boot Configuration keeps its settings, and after the Primary failure it will try the Network Booting but with Failed status, returning me to the OffDM.
I mention that I am using the OffDM because the unit I bought has no Flash Card.
Also I am not sure how I can have a "network mounted filesystem" and in the meantime use the FTP protocol; setting up an NFS server won't provide me with a Windows style absolute path like k:/.... as per the CISCO official guide. Is that plain FTP generically called a Network File System??? "First, create these subdirectories on the FTP server, then copy the files from the boot image to the subdirectories"
Is this linked with the fact that I am using a Linux box for my FTP server? Can you please help me understand what the following line from the CISCO official guide means: "A network boot is not supported on UNIX workstations"
Thank you! -
URL filtering on ACE after decryption of SSL traffic
We currently have a Cisco CSS11501 which we have configured with SSL offloading.
We offload the SSL traffic and after decryption of the SSL traffic we perform URL filtering.
Can the ACE 4710 Appliance do the same?
I have attached the current configuration of the CSS.
Regards,
Richard
With the below config, traffic matching 10.10.10.10:443 will be SSL offloaded and then load balanced using rservers in serverfarm "APP1-SFARM" if the request includes "/matchthis".
ssl-proxy service APP1-SSL-PROXY
  key default-key.pem
  cert default-cert.pem
class-map match-all APP1-443-VIP
  2 match virtual-address 10.10.10.10 tcp eq https
class-map type http loadbalance match-any APP1-URLMAP
  2 match http url /matchthis.*
policy-map type loadbalance first-match APP1-Policy
  class APP1-URLMAP
    serverfarm APP1-SFARM
policy-map multi-match VIPS-VLAN79
  class APP1-443-VIP
    loadbalance vip inservice
    loadbalance vip icmp-reply active
    loadbalance policy APP1-Policy
    ssl-proxy server APP1-SSL-PROXY
HTH
Syed iftekhar Ahmed -
Failing PCI Compliance Scan - SSL Weak...
Hello,
I currently use the WRVS4400n v2 (latest update) for my small business. I store and transmit data that contains credit card information and need to be PCI compliant. Regardless of which settings I change on the router, like turning off remote management, I keep failing the scan. ControlScan uses Nessus and the results are below (2 vulnerabilities).
I did some research and spent some time with Cisco Sales Chat and they recommended an ASA5500, only to realize that it too had the same vulnerabilities. I did more research and it seemed that the SA520w (I need wireless) would do it, but I found a thread on this forum saying that a client who had the SA520w did not pass the scan due to an SSL vulnerability (need v3+?). The thread is at https://supportforums.cisco.com/thread./2060512
Question: What router/appliance should I use to be PCI compliant? There has to be something; we're talking Cisco here.
Thank you in advance for your help,
Christophe
Threat ID: 126928
Details:
IP Address: XX.XXX.X.XXX
Host: XX.XXX.X.XXX
Path:
THREAT REFERENCE
Summary:
SSL Weak Cipher Suites Supported
Risk: High (3)
Type: Nessus
Port: 60443
Protocol: TCP
Threat ID: 126928
Information From Target:
Here is the list of weak SSL ciphers supported by the remote server :
Low Strength Ciphers (< 56-bit key)
SSLv2
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
The fields above are :
{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}
Solution:
Reconfigure the affected application if possible to avoid use of weak ciphers.
Details:
The remote host supports the use of SSL ciphers that offer either weak encryption or no encryption at all.
Threat ID: 142873
Details:
IP Address: XX.XXX.X.XXX
Host: XX.XXX.X.XXX
Path:
THREAT REFERENCE
Summary:
SSL Medium Strength Cipher Suites Supported
Risk: High (3)
Type: Nessus
Port: 60443
Protocol: TCP
Threat ID: 142873
Information From Target:
Here are the medium strength SSL ciphers supported by the remote server :
Medium Strength Ciphers (>= 56-bit and < 112-bit key)
SSLv2
DES-CBC-MD5 Kx=RSA Au=RSA Enc=DES(56) Mac=MD5
SSLv3
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
TLSv1
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
The fields above are :
{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}
Solution:
Reconfigure the affected application if possible to avoid use of medium strength ciphers.
Details:
The remote host supports the use of SSL ciphers that offer medium strength encryption, which we currently regard as those with key lengths at least 56 bits and less than 112 bits.
Chris,
As I understand it, right now none of the Small Business routers are PCI compliant ever since PCI 3.0 was released. How you overcome this: you'll need to forward any ports you are failing on to a ghost IP (any IP address that isn't being used). If you are using those ports, then you will lose that service, as the router isn't PCI 3.0 compliant.
Jason
I do believe the ASA5505 is PCI 3.0 compliant. -
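A small parser for the cipher lines in the Nessus findings quoted above, added here as an illustration and not part of the thread. The sample input is constructed in the same field layout as the scan output; the strength buckets (low below 56 bits, medium 56 to 111, strong from 112) are the thresholds the findings themselves state.

```python
import re

# Constructed sample shaped like the "Information From Target" block in the
# Nessus findings quoted above (same field layout; not the original scan).
SAMPLE_SCAN = """\
SSLv2
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
DES-CBC-MD5 Kx=RSA Au=RSA Enc=DES(56) Mac=MD5
SSLv3
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
TLSv1
AES128-SHA Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
"""
# One cipher line: name, Kx=, Au=, Enc=ALG(bits), Mac=, optional "export" flag.
CIPHER_RE = re.compile(
    r"^(?P<name>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+"
    r"Enc=(?P<enc>[A-Za-z0-9-]+)\((?P<bits>\d+)\)\s+Mac=(?P<mac>\S+)"
    r"(?P<export>\s+export)?\s*$")
PROTO_RE = re.compile(r"^(SSLv2|SSLv3|TLSv1(\.\d)?)$")

def strength(bits):
    """Buckets the scan uses: low < 56 bits, medium 56..111, strong >= 112."""
    if bits < 56:
        return "low"
    return "medium" if bits < 112 else "strong"

def parse_scan(text):
    """Parse cipher lines, tagging each with the protocol heading above it."""
    proto, rows = None, []
    for line in (l.strip() for l in text.splitlines()):
        if PROTO_RE.match(line):
            proto = line
            continue
        m = CIPHER_RE.match(line)
        if not m:
            continue  # blank line or field legend, not a cipher entry
        bits = int(m.group("bits"))
        rows.append({"protocol": proto, "name": m.group("name"),
                     "kx": m.group("kx"), "enc": m.group("enc"), "bits": bits,
                     "mac": m.group("mac"), "export": m.group("export") is not None,
                     "strength": strength(bits)})
    return rows

def findings(text):
    """Cipher names below 112 bits plus legacy protocol versions still enabled."""
    rows = parse_scan(text)
    weak = sorted({r["name"] for r in rows if r["strength"] != "strong"})
    legacy = sorted({r["protocol"] for r in rows if r["protocol"] in ("SSLv2", "SSLv3")})
    return {"weak_ciphers": weak, "legacy_protocols": legacy}
```

Feeding a device's scan export through `findings` gives the list to take to the vendor: every cipher under 112 bits and every SSLv2/SSLv3 listener must go before the scan will pass.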
I am trying to set up a CSS w/SSL module for a company with 1 public IP and 3 internal web servers (Time Management, Exchange and an employee portal) that require SSL connections. I am NATing all 443 traffic to a CSS VIP which is referencing an SSL-PROXY-LIST (frontend and backend SSL). Does anyone have a network setup like this working?
I am having an issue with URL filtering on the unencrypted clear-text traffic/second content rule lookup from the SSL module to the CRM during the backend SSL setup. Any ideas? This should be possible, correct?
Thanks in advance ...
Got it working ...
-
Long story, but the iPlanet version is 4.1 SP9. We will be filtering users coming in remotely (via internet VPN or dialup) to the SSL implementation, and the internal intranet users to the clear-text implementation... thanks!
Hi,
You can run more than one instance in iWS, like one for http://www.test.com:80 (for TEXT) and another for https://www.test.com:6000.
(Note: you cannot use the same port for different instances.) I hope this answers your question.
Thanks,
Daks. -
Prevent HTTPS proxy from intercepting SSL traffic
We have a Flex + BlazeDS + Spring application which runs on WebSphere 6.1.
We use the AMF secure protocol (SSL) for communication. In spite of using SSL, tools like Charles Proxy are able to decrypt the communication and debug the AMF messages. How can we prevent HTTPS proxies like Charles Proxy from performing such interceptions?
Got it working ...
-
Please can you advise how to disable SSL on my iPhone? I am not sure where the setting is.
Thanks
Tania
Go to Settings/Mail, Contacts, Calendars. Tap the name of the email account. If you don't see a bar labeled "Advanced" near the bottom, tap Account. Tap Advanced. Under Incoming Settings, there should be an option to Use SSL. If it is ON, tap it to turn it off.
-
OTV filtering SSL traffic?
Hi
We are running OTV across 2 sites. The sites have a NAS device and 2 nodes at each site. The NAS device can communicate with the 2 nodes fine on its local site, but when trying to access the nodes on the remote site using HTTPS over port 8443, the connection fails.
All devices can ping each other, and we have even seen an established connection and the FIN sent between the two devices.
I don't see any issue with the network here but am just asking if anyone knows of any issues that can be caused by OTV when trying to connect using SSL?
Thanks
PS. There are no other devices such as firewalls, proxies, etc. in the way. The topology consists of the Nexus 7Ks, dark fibre, and the end devices.
Hi Bilal
I don't remember the solution but it was an error relating to the NAS device, not the network.
Anthony -
IDS, detection of encrypted packets within non-SSL traffic streams?
All...
Here's the scenario:
There's a host on the internal network that has a reverse shell to the outside world, and the packets being sent back to the attacker are encrypted, over a standard web (TCP/80) port, which is allowed by Websense or the URL filter of choice.
Can a custom signature be created to alert on the detection of encrypted packets / data streams over non-encrypted transmissions? We've found other IDS/IPS systems where we're able to build custom sigs to detect and alert on these streams, but are wondering if we can do that within Cisco IDS/IPS?
Please be specific if possible... let's assume the organization is using the latest version of Cisco IDS software.
Thanks in advance...
Have you got the Sig 11233 series enabled? It does, BTW, appear to exclude "WEBPORTS." Maybe a copy could be made to exclude only TCP 443.
-
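The detection the question above asks about, as an added offline illustration that is not from the thread or from any Cisco signature: a byte-entropy heuristic that flags high-entropy payloads on a plaintext port when the segment is neither an HTTP message nor a TLS record. The port set, thresholds and sample segments are all constructed assumptions for the example.

```python
import math
from collections import Counter

PLAINTEXT_PORTS = {80, 8080}   # ports where readable protocol data is expected

def shannon_entropy(data):
    """Bits per byte: 0.0 for empty or single-valued input, 8.0 for uniformly spread bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_like_tls_record(data):
    """TLS record header: content type 0x14..0x17 then version 3.x (HTTPS on a non-443 port)."""
    return len(data) >= 5 and 0x14 <= data[0] <= 0x17 and data[1] == 3 and data[2] <= 4

def looks_like_http(data):
    """Segment starts with an HTTP request method or status line."""
    return data.split(b" ", 1)[0] in {b"GET", b"POST", b"HEAD", b"PUT", b"HTTP/1.0", b"HTTP/1.1"}

def classify(dst_port, payload, threshold=7.2, min_len=64):
    """'alert' = high-entropy data on a plaintext port that is neither HTTP nor TLS.
    Compressed bodies (gzip, images) also score high, so tune threshold/min_len and
    judge the flow's first segment rather than every segment in isolation."""
    if dst_port not in PLAINTEXT_PORTS or len(payload) < min_len:
        return "ignore"
    if looks_like_http(payload) or looks_like_tls_record(payload):
        return "expected"
    return "alert" if shannon_entropy(payload) >= threshold else "plain"

# Constructed sample segments (port, payload); not captures from the thread.
SAMPLES = [
    (80, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\nUser-Agent: x\r\n\r\n" + b" " * 20),
    (80, b"\x16\x03\x01\x00\x40" + bytes(64)),   # TLS record on port 80: legitimate shape
    (80, bytes(range(256)) * 2),                 # uniform bytes, entropy 8.0: alert
    (443, bytes(range(256)) * 2),                # encrypted port: out of scope
]

def run(samples=SAMPLES):
    """Classify each sample; returns the verdict list in input order."""
    return [classify(port, payload) for port, payload in samples]

if __name__ == "__main__":
    for (port, payload), verdict in zip(SAMPLES, run()):
        print(port, len(payload), round(shannon_entropy(payload), 2), verdict)
```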
Network traffic decryption for SSL Inspection
Hi,
Can the ASA5545-IPS support network traffic decryption for SSL inspection?
Regards,
Jhun
When we inspect SSL traffic (on the CX module), the ASA acts as a proxy and has an SSL key of its own that is trusted by the user (i.e. issued by a CA in the user's Trusted Certificate store). That allows it to intercept, decrypt, inspect and re-encrypt the traffic.
Here is a link to the User Guide section explaining in more detail. -
How many ssl modules are needed for a redundant configuration?
Hi, apologies but I can't seem to find a definite answer for this question. I have two css 11506's set up using vip/virtual interface redundancy (active/standby). Each css 11506 has a single ssl module.
Is this adequate for ssl redundancy? I've read in this forum that if an ssl module fails, the css will reboot causing failover to the standby css so ssl connections will simply reset and as long as I have ASR set up on the back end http content, users will not notice the failover.
Am I correct in this thinking or do you recommend using two ssl modules in each css? Thinking there is that if one ssl module fails, there will still be a 2nd module to handle ssl traffic and the css's will not failover.
Thanks
-Dan
There is no need for 2 modules.
You would use 2 modules if you need more power [handle more connections].
However, your assumption is incorrect.
Nowadays, there is no device in the world [Cisco and non-Cisco] that can do SSL stateful failover.
In other words, upon failure, all SSL users will have to restart their connection.
Gilles. -
How to verify that SSL(HTTPS) is implemented on JBOSS or not?
Hi Everybody,
I recently implemented SSL (HTTPS) on a JBoss 4.0.3 server. My application is working perfectly fine with HTTPS. Now my query is how I can ensure that it is working on HTTPS, apart from viewing the "https://" in the URL.
Is there any other way to check whether HTTPS is implemented or not?
Any help will be highly appreciated.
Regards
Rinku Garg
What about trying to connect a client that is configured to only support SSLv3?
-> Can you provide more insight on this?
There are also many third party tools (even scripts) that allow for scanning SSL on your server.
-> I saw that there is openssl, but it is not that friendly on Windows. Need to install dependencies before it works.
You could also use Network Monitor (or Wireshark or alike) to capture some network traffic and check the SSL handshake. The server HELLO will contain information on the supported protocol and ciphers.
-> I have tried both Wireshark and Network Monitor and it seems that I can view the SSL handshake in Wireshark, but not in Network Monitor. But it could be that I do not know the filter to search with. Do you know of any filter that I should use?
Thanks and best regards, Kim Seng
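What the reply above means by reading the server hello, shown as an added example rather than anything from the thread: a minimal parser that pulls the negotiated protocol version and cipher suite out of a TLS ServerHello record, plus a check for the SSLv3/export/DES combinations the scan findings earlier on this page report. The record is constructed by the block itself; the suite ids are the IANA-registered values.

```python
import struct

# ServerHello body layout: version(2) random(32) session_id_len(1) session_id
# cipher_suite(2) compression(1) [extensions], inside a type-2 handshake message,
# inside a content-type 0x16 record.
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}
# IANA ids for the suites the scan output above names, plus two AES suites.
SUITES = {0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
          0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
          0x0009: "TLS_RSA_WITH_DES_CBC_SHA",
          0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
          0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA"}

def build_server_hello(version, suite, session_id=b"\x11" * 8):
    """Constructed ServerHello record (not a capture) so the parser can run offline."""
    body = (version + b"\x00" * 32 + bytes([len(session_id)]) + session_id
            + struct.pack(">H", suite) + b"\x00")                 # null compression
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body     # type 2 = ServerHello
    return b"\x16" + version + struct.pack(">H", len(handshake)) + handshake

def parse_server_hello(record):
    """Return the negotiated version, cipher suite and compression, or raise ValueError."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x02:
        raise ValueError("not a ServerHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    if len(body) < 35:
        raise ValueError("truncated ServerHello")
    off = 35 + body[34]                  # skip version, random and session id
    if len(body) < off + 3:
        raise ValueError("truncated ServerHello")
    suite = struct.unpack(">H", body[off:off + 2])[0]
    ver = (body[0], body[1])
    return {"version": VERSIONS.get(ver, "unknown %d.%d" % ver),
            "suite_id": suite, "suite": SUITES.get(suite, "unknown"),
            "compression": body[off + 2]}

def is_weak(info):
    """Flags what the Nessus findings above complain about: SSLv3 or export/DES suites."""
    return info["version"] == "SSLv3" or any(t in info["suite"] for t in ("EXPORT", "_DES_"))

if __name__ == "__main__":
    for ver, suite in ((b"\x03\x01", 0x002F), (b"\x03\x00", 0x0009)):
        info = parse_server_hello(build_server_hello(ver, suite))
        print(info["version"], info["suite"], "WEAK" if is_weak(info) else "ok")
```

In Wireshark the same message is isolated with the display filter `ssl.handshake.type == 2` (`tls.handshake.type == 2` from Wireshark 3.0 on), and the Version and Cipher Suite fields it decodes are the ones this parser reads.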