Forum Discussion

pimp_94745
Nov 12, 2009

SSL decryption to IDS

Hi All,

We have a need to inspect SSL encrypted traffic using an IDS. The one we have doesn't support SSL decryption.

What we are looking at doing is the following:

1. Routing all required traffic to our F5

2. Hanging our IDS off the side of the F5

3. The F5 will terminate the SSL connection, then forward it to the IDS.

4. IDS will inspect and the traffic will go back to the F5

5. The F5 will re-encrypt the traffic (if possible) and send it to the destination in a load balanced way.

I'm quite green when it comes to F5 administration. Is it possible to actually do this and any pointers as to how would be really appreciated!!!

Many thanks

Al Edgar CEH

IT Security Specialist

Paymark Ltd

6 Replies

  • Hi Al,

    Is it an IDS or IPS? Does it need to be deployed inline or could it just receive a copy of the traffic?

    If it's an IDS and does not need to manage the traffic you could configure a clone pool (SOL8573) to send a copy of the VIP's traffic to the IDS.

    Aaron
  • Hi There..

    Jumping in on this thread... as the above is exactly what I want to achieve. I want to be able to inspect the decrypted SSL traffic with a traditional PASSIVE IDS, prior to it being re-encrypted to the back end server.

    As far as I understand Cloning and Interface Mirroring... Interface Mirroring simply sends all Server and Client traffic which hits a certain port out of another port, fine for passive IDS, but no good as the traffic is still encrypted. Then there's cloning, which sends either client or server side to an IP address, which again is no good as the traffic is still encrypted, and the IDS doesn't have an IP address anyway.

    So can this be done? Effectively send the traffic to IDS, decrypted, prior to any traffic management decision having taken place?

    Thanks

    Phil
  • Hi Phil,

    I'm not sure there is a way to send decrypted traffic to an IDS if the VIP uses a server SSL profile. You might try opening a case with F5 Support to check this. If you get an answer, could you reply here?

    Thanks,

    Aaron
  • So any update on this? I'm looking to do the exact same thing for a DLP sensor for our OWA and ActiveSync virtual servers
  • This is possible.. I just did a similar thing at a customer site not so long ago. You'll need two route domains, one externally facing and one internally facing. The external route-domain has a VS with the client-ssl profile to decrypt the packet. This virtual server is tied to a pool with a member that is the IP address of a second VS that exists on the Internal route-domain. The VS on the Internal side has no client-ssl profile, but has a server SSL profile (if you want to re-encrypt..) and is tied to a pool of the resource that you'd actually like to hit.

    As an example, external route-domain would be defined at %10 and your internal route-domain would be %20. External IP 192.168.10.10 and the Internal networks would be in the 10.10.10.0/24 space. Using these networks and route domains, you'd have something like:

    external_vs - 192.168.10.10%10 on port 443

    external_pool - 10.10.10.100%10 on port 80

    internal_vs - 10.10.10.100%20 on port 80

    internal_pool - 10.10.10.50%20 on port 443

    Doing something like that and putting an L2 IPS/IDP/packet counter sniffer thingy on the wire between the external_pool and the internal_vs, you end up getting a good solid look at anything that might pass through.

    Couple of notes:

    - You'll obviously need self IPs for the appropriate networks in each route-domain.

    - SNAT is your friend.

    - By using overlapping space between internal/external route domains, you save yourself some routing work. It could certainly be accomplished using separate networks, but your routing table gets a little more complex.

    - I'm writing this from memory, so I'm certain I've forgotten some critical detail that will make this fail. :-) I'll try to monitor this post and lend a hand as time permits.

    Good luck.

    -brent
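The two-route-domain layout described in the reply above, written out as a tmsh configuration so the pieces can be checked against each other. This is an added example, not the poster's configuration and not F5's published tech tip. The VLAN names (ext, ids_out, ids_in, int), the interface numbers, the self IP addresses, the tcp monitors and the use of the stock clientssl/serverssl profiles are assumptions for illustration, and the syntax is tmsh as found in later TMOS releases rather than the bigpipe CLI that was current when the thread was written.

```tmsh
# Added example (not from the original thread): tmsh config for the
# decrypt -> inline IDS -> re-encrypt chain across two route domains.
# VLAN names, interfaces, self IPs and monitor choices are assumptions.

# Four VLANs: the client-facing network, the two ends of the wire that is
# physically cabled through the inline IDS/IPS, and the server network.
create net vlan ext     interfaces add { 1.1 }
create net vlan ids_out interfaces add { 1.2 }   # cabled to the IDS "outside" port
create net vlan ids_in  interfaces add { 1.3 }   # cabled to the IDS "inside" port
create net vlan int     interfaces add { 1.4 }

# Route domain %10 (external) owns ext and ids_out; %20 (internal) owns ids_in
# and int. Both carry 10.10.10.0/24; that is legal because each route domain is
# its own routing table, which is the "overlapping space" shortcut from the post.
create net route-domain external id 10 vlans { ext ids_out }
create net route-domain internal id 20 vlans { ids_in int }

# Self IPs so the BIG-IP can source and receive traffic on each wire.
create net self ext_self     address 192.168.10.1%10/24 vlan ext     allow-service none
create net self ids_out_self address 10.10.10.1%10/24   vlan ids_out allow-service none
create net self ids_in_self  address 10.10.10.2%20/24   vlan ids_in  allow-service none
create net self int_self     address 10.10.10.3%20/24   vlan int     allow-service none

# External side: terminate TLS on 192.168.10.10%10:443 with the clientssl
# profile and forward cleartext HTTP to 10.10.10.100%10:80. That member is not a
# host: it is the internal VS, reached out of the ids_out wire, so the IDS sees
# the decrypted request and the decrypted response on the way back.
create ltm pool external_pool members add { 10.10.10.100%10:80 } monitor tcp
create ltm virtual external_vs destination 192.168.10.10%10:443 ip-protocol tcp \
    profiles add { tcp http clientssl } pool external_pool \
    source-address-translation { type automap }

# Internal side: the same address and port, now in route domain %20, accepts the
# cleartext arriving on ids_in, re-encrypts with the serverssl profile and load
# balances to the real servers on 443. No clientssl profile here.
create ltm pool internal_pool members add { 10.10.10.50%20:443 } monitor tcp
create ltm virtual internal_vs destination 10.10.10.100%20:80 ip-protocol tcp \
    profiles add { tcp http serverssl } pool internal_pool \
    source-address-translation { type automap }

save sys config
```

Two practical checks before trusting this in production. First, SNAT automap on external_vs means the IDS sees the BIG-IP's ids_out self IP as the client address, not the real client; if the sensor's alerts need to name the source, enable `insert-xforwarded-for` on the http profile attached to external_vs or use a SNAT pool and correlate. Second, the tcp monitor on external_pool only proves the internal VS answers through the IDS wire, so a fail-closed IDS takes the whole path down; decide deliberately whether you want that, and if not, give the sensor a bypass pair or switch it to a passive tap on the ids_out VLAN, where the traffic is already in the clear.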
  • I wrote this solution up and released as a tech tip:

    https://devcentral.f5.com/Tutorials/TechTips/tabid/63/articleType/ArticleView/articleId/1090535/Divert-Unencrypted-Traffic-through-an-IPS-with-Local-Traffic-Manager.aspx