EMAIL SUPPORT

dclessons@dclessons.com

LOCATION

AF

Implementing Cisco SD-WAN SSL and TLS Proxy​

Implementing Cisco SD-WAN SSL and TLS Proxy​

Implementing Cisco SD-WAN SSL and TLS Proxy​

TLS Proxy—Traffic Flow

Trusted, third-party Certificate Authorities (CAs) are responsible for signing web server certificates. The clients and servers must trust these CAs to establish trust. TLS proxy acts as man-in-the-middle and runs a CA to issue proxy certificates for the connections dynamically.

Here is an example of a typical TLS traffic flow:

  1. The Client establishes a TCP connection with the TLS proxy. The TLS proxy establishes a TCP connection with the server.
  2. The Cisco SD-WAN device sends the Client hello packet to the UTD engine to evaluate the need for decryption.
  3. Based on the UTD verdict, one of these actions takes place:
  • Drop: The device drops the hello packet and resets the connection.
  • Do-not-decrypt: The device forwards the hello packet without decryption.
  • Decrypt: The WAN Edge router will forward the hello packet to the destination.

    4. Here is a set of actions that TLS Proxy will perform over the packet:

  1. TCP optimization for optimization of traffic.
  2. The decryption of encrypted traffic through TLS proxy.
  3. Threat inspection through UTD.
  4. Re-encryption of decrypted traffic through TLS proxy.

Certificate Authority (CA) Options

Once a network administrator configures a CA for TLS proxy, the CA issues signing certificates to the TLS proxy device. The device then securely stores the subordinate CA keys and dynamically generates and signs the proxy certificates.

Here is the list of CA options for configuring TLS proxy:

  • Cisco vManage as CA
  • Cisco vManage as Intermediate CA
  • Enterprise CA
  • Enterprise CA with Simple Certificate Enrollment Protocol (SCEP) enabled

Cisco vManage as CA

It is best to use this option if the organization does not have its own CA and issues trust certificates through Cisco vManage. The Cisco vManage, CA's certificate, must be installed in the client's trust store to use the vManage CA's certificates.

The vManage as CA option offers the benefits of certificate deployment and renewal automatization and monitoring, tracking, and validation through Cisco vManage.

Cisco vManage as Intermediate CA

You may use this option in conjunction with an internal enterprise CA. In this case, Cisco vManage acts as an intermediate CA to issue and manage subordinate CA certificates. Such a design introduces some complexity, especially with Cisco vManage clusters. The network administrator will manually deploy this design and manage two CAs.

The vManage as Intermediate CA option offers the same benefits as the vManage as CA option, with reduced risk of compromised certificates. The network administrator must install only the Enterprise CA root CA chain into the client trust store.

Enterprise CA

Use this option to issue certificates through an Enterprise CA or the organization's own internal CA. The network administrator will perform manual enrollment for Enterprise CA that does not support SCEP. Manual enrollment involves downloading a Certificate Signing Request (CSR) for your device, getting it signed by your CA, and uploading the signed certificate to the device through Cisco vManage.


Comment

    You are will be the first.

LEAVE A COMMENT

Please login here to comment.