Document ID: RDWR-DP-V0602_UG1201
Appendix B – Configuring SSL-Based Protection with AppXcel
Note:
This solution is deprecated.
DefensePro, in conjunction with Radware’s AppXcel, can inspect SSL-encrypted sessions and protect
SSL tunnels from attacks. When a session is encrypted using SSL, an IPS/IDS device based on
signature matching cannot inspect the secured traffic. DefensePro passively inspects SSL-encrypted
sessions: it mirrors the SSL traffic, and the decrypted session is inspected.
The device classifies SSL traffic the same way it classifies regular traffic. DefensePro mirrors the
traffic and sends it to AppXcel. AppXcel decrypts the HTTPS to HTTP, and DefensePro then applies
its security policies to the HTTP traffic. If an attack is identified, DefensePro sends a RST packet to
the source and/or destination of the original connection.
Figure 20: SSL-based Protection Flow
1. A client initiates an HTTPS session with the server.
2. When DefensePro forwards the traffic to the server, it replicates the HTTPS session to a
preconfigured port, where an AppXcel unit is connected.
3. AppXcel operates in passive SSL mode, decrypts the HTTPS session and returns it as an HTTP
session.
4. DefensePro inspects the HTTP traffic received from AppXcel based on its policies. If an attack is
detected, DefensePro sends a Reset packet to the source and/or destination.
Note:
Bandwidth Management, DoS, SYN protection and other policies can also be applied to
the original SSL streams.
Before you configure SSL inspection, configure inspection ports in the Static Forwarding table by
setting the operating mode to Process.
When you assign the same Destination Port to more than one Source Port, you must set the
Destination Port of the traffic in the opposite direction, otherwise the traffic transmitted in that
direction is ignored. For example, if both Source Port 1 and Source Port 2 are associated with
Summary of Contents for DefensePro 6.02
Page 1: ...DefensePro User Guide Software Version 6 02 Document ID RDWR DP V0602_UG1201 January 2012 ...