Netronome

Transparently Decrypting SSL for Existing Applications

The Netronome SSL Inspector Appliance can be deployed alongside existing security and networking appliances either in-line, as a “bump-in-the-wire,” or in passive mode, where it is installed off a tap, SPAN port or mirrored interface and receives a copy of all network traffic for classification, flow identification and decryption. In both configurations the SSL Inspector operates transparently: no reconfiguration of network elements, clients or servers is required.

In-line Mode

When deployed in-line, the SSL Inspector serves adjacent appliances that need to control whether the original SSL flow is allowed to pass, typically a firewall or IPS. In this mode the SSL Inspector decrypts the flow and forwards the plaintext to the IPS with the packet headers exactly as they were received, while the original encrypted packets are held. If the packet or flow passes the security policy on the filtering node, the adjacent appliance returns the plaintext flow to the SSL Inspector, and that return triggers the release of the original SSL traffic (re-encrypted as needed) toward its destination. Held traffic is released only on that trigger; a flow the filtering node does not hand back is not forwarded.
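The hold-and-release rule described above, as an added illustration that is not Netronome's code: encrypted packets are held, their plaintext is forwarded to the IPS with the original 5-tuple, and the held ciphertext is released only when the IPS hands back byte-identical plaintext. The flow table, the XOR stand-in for TLS record decryption, the IPS call-back interface and the two sample client flows are all assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

FlowKey = Tuple[str, int, str, int]  # (src_ip, src_port, dst_ip, dst_port)


@dataclass
class Packet:
    flow: FlowKey
    payload: bytes  # on the wire: a TLS record; toward the IPS: its plaintext


@dataclass
class HeldFlow:
    key: bytes
    ciphertext: List[bytes] = field(default_factory=list)  # original wire bytes, held
    plaintext: List[bytes] = field(default_factory=list)   # what was handed to the IPS


def xor_stream(data: bytes, key: bytes) -> bytes:
    """Stand-in for TLS record decryption (assumption: a real appliance uses the
    session keys it holds for the flow). XOR is its own inverse, so the same call
    also 'encrypts' the constructed sample traffic."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


class InlineInspector:
    def __init__(self, session_keys: Dict[FlowKey, bytes],
                 forward_plaintext: Callable[[Packet], None]) -> None:
        self.session_keys = session_keys            # flows we can decrypt
        self.forward_plaintext = forward_plaintext  # link toward the IPS
        self.held: Dict[FlowKey, HeldFlow] = {}
        self.released: List[Packet] = []            # what left toward the real destination

    def ingress(self, pkt: Packet) -> None:
        """Encrypted packet from the wire: hold it, forward its plaintext."""
        key = self.session_keys.get(pkt.flow)
        if key is None:
            self.released.append(pkt)               # no key material: pass through untouched
            return
        hf = self.held.setdefault(pkt.flow, HeldFlow(key))
        clear = xor_stream(pkt.payload, key)
        hf.ciphertext.append(pkt.payload)
        hf.plaintext.append(clear)
        # The plaintext keeps the original 5-tuple, so the IPS sees the real endpoints.
        self.forward_plaintext(Packet(pkt.flow, clear))

    def ips_return(self, pkt: Packet) -> bool:
        """The IPS hands back plaintext it allowed. Release the matching held
        ciphertext only if that plaintext is byte-identical to what was sent,
        so a stray or forged return cannot free traffic the IPS never approved."""
        hf = self.held.get(pkt.flow)
        if hf is None or pkt.payload not in hf.plaintext:
            return False
        idx = hf.plaintext.index(pkt.payload)
        hf.plaintext.pop(idx)
        self.released.append(Packet(pkt.flow, hf.ciphertext.pop(idx)))
        return True

    def ips_drop(self, flow: FlowKey) -> int:
        """The IPS blocked the flow: discard what is held, release nothing."""
        hf = self.held.pop(flow, None)
        return len(hf.ciphertext) if hf else 0


def demo() -> dict:
    """Two constructed client flows: the IPS allows the first and blocks the second."""
    flow_ok = ("10.0.0.5", 51000, "203.0.113.10", 443)
    flow_bad = ("10.0.0.6", 51001, "203.0.113.10", 443)
    keys = {flow_ok: b"\x5a\xa5", flow_bad: b"\x33"}
    clear_ok = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
    clear_bad = b"GET /admin/backup.sql HTTP/1.1\r\nHost: example.test\r\n\r\n"

    seen_by_ips: List[Packet] = []
    insp = InlineInspector(keys, seen_by_ips.append)
    insp.ingress(Packet(flow_ok, xor_stream(clear_ok, keys[flow_ok])))
    insp.ingress(Packet(flow_bad, xor_stream(clear_bad, keys[flow_bad])))

    approved = insp.ips_return(Packet(flow_ok, clear_ok))              # genuine return
    forged = insp.ips_return(Packet(flow_bad, b"GET / HTTP/1.1\r\n"))  # does not match
    dropped = insp.ips_drop(flow_bad)                                  # IPS verdict: block

    return {
        "seen_by_ips": [p.payload for p in seen_by_ips],
        "released": [p.payload for p in insp.released],
        "approved": approved,
        "forged_accepted": forged,
        "dropped": dropped,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The property worth noticing is that `released` only ever contains the original wire bytes, never the plaintext, and that the blocked flow leaves nothing behind once `ips_drop` runs: the device fails closed per flow.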

Passive Mode

In passive mode, the SSL Inspector is deployed off a SPAN port, tap or mirrored interface and receives a copy of all network traffic for classification, flow identification and decryption. Packets are classified and, according to policy, forwarded to an adjacent packet-capture security appliance such as an IDS or network forensics appliance. In this configuration no data is ever forwarded back toward the network; the SSL Inspector and the adjacent security appliance only capture traffic for analysis. Because a passive device takes no part in the handshake, it can decrypt a copied session only when it holds the server's private key and the session used a non-ephemeral (RSA) key exchange; forward-secret cipher suites defeat passive decryption.