Table 1 Features Description

| Feature | Description |
|---|---|
| Back-end Encryption | With back-end encryption, the SSL Services Module accepts incoming SSL sessions from external clients and initiates SSL sessions to a back-end real server without sacrificing the ability of the content switch to make intelligent Layer 5 to Layer 7 local load-balancing decisions. End-to-end encryption provides all the benefits of SSL acceleration and content-based switching services without sacrificing the security of client-to-server SSL. |
| Client Authentication | Client authentication allows you to configure the option to request and authenticate the client certificate when the SSL Services Module acts as an SSL server. The SSL Services Module automatically authenticates the server certificate when it acts as an SSL client. The feature specifies a set of trusted certificate authorities and the scope of validation for each proxy service. |
| Client Certificates | SSL certificates are used during the SSL handshake (the exchange of certificates between the server and client that occurs when an SSL session is established). |
| SSL V2.0 Forwarding | SSL forwarding allows you to configure the SSL Services Module to forward SSLv2 connections to another server. When you configure the SSLv2 server IP address, the SSL Services Module transparently forwards all SSLv2 connections to that server. |
| Certificate Revocation List (CRL) Lookup | The SSL Services Module downloads a CRL from a certificate authority only when there is a demand to look up the CRL. The CRL is deleted when it expires. |
| Hot Standby Router Protocol (HSRP) Redundancy | You can configure HSRP to provide redundancy when the SSL Services Module is used in a standalone configuration (using policy-based routing). Among other benefits, HSRP provides an active/active (load-sharing) model in addition to the typical active/standby model. It allows users to configure multiple HSRP groups across two or more redundant systems and to implement redundancy independently in each group. |
| URL Rewrite | URL rewrite may be needed when a customer offloads SSL processing: the SSL accelerator converts HTTPS sessions into HTTP sessions, and in some cases the server application does not realize that the session with the client should be encrypted. This release supports URL rewrite for redirects only, not for embedded links. It can also be used to indicate the cipher suite in use, which can feed a load-balancing decision. Client IP/port information is used to keep track of clients. |
| Header Insertion | Header insertion is another method by which the SSL card can indicate to the real server that the connection it is processing is an SSL connection. The application on the real server uses the information inserted as headers to respond to the client. |
| Simple Network Management Protocol (SNMP) Support | Cisco Catalyst 6500 Series SSL Services Module Software Version 2.1(1) supports the following objects and operations: global configuration (version string, Federal Information Processing Standard mode, and supported cipher suites); proxy service configuration (name, type, addresses, ports, administrative status, and operational status); proxy service policy configuration (policy names assigned to each proxy service, or a NULL string if none); global counters (SSL, SSL 3.0, Transport Layer Security (TLS) 1.0, and SSL errors); CPU information (name and usage percentage over a period of time); public key infrastructure, or PKI (key and certificate configuration per proxy service); traps (proxy service up/down and certificate expiring; disabled by default). |
| Wildcard Proxy | Wildcard proxy aggregates many servers behind a single gateway. |
| Password Recovery | If users forget one or more passwords (for instance, the nonprivileged user password or the enable mode password), they are unable to log in to the Cisco IOS® Software console. A special mode of the running image bypasses the password checking and allows users to reset or change the passwords on bootup. |
| PKI—Access Control List (ACL) | Certificates can be used to identify an entity and, using fields within the certificate, to associate attributes with that entity. The certificate includes fields used to determine whether the entity is authorized to perform a specified action. ACLs based on fields within the certificate are used to create a certificate-based ACL, which specifies one or more fields within the certificate and an acceptable value for each specified field. |
| Certificate Caching | Validating a certificate is a CPU-intensive operation, so caching certificate data avoids validating it every time the same certificate is received. When a certificate is received for the first time, it is validated and its data cached, so that the full validation process is unnecessary when the same certificate is received later. Cache entries are deleted when they age out. |
| Certificate Expiration Warning | When certificate expiration warnings are enabled, the SSL Services Module checks expiration information every 30 minutes. It logs warning messages and sends SNMP traps when certificates have expired or will expire within a specified amount of time. |
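As an added illustration of the URL Rewrite and Header Insertion rows (example code, not Cisco's implementation): a Python model of an SSL offload device that rewrites the Location header on 3xx responses coming back from the cleartext back-end and inserts SSL session headers into the forwarded request. The proxy service values and the X-SSL-* header names are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed, hypothetical proxy service: the name clients reach over HTTPS and
# the cleartext port the back-end real server listens on after offload.
PROXY_SERVICE = {"server_name": "www.example.com", "https_port": 443, "http_port": 80}

def insert_ssl_headers(request_lines, client_ip, client_port, cipher_suite):
    """Header insertion: mark the cleartext request as SSL-originated and record
    the client address/port and cipher suite for the real server. Header names
    are hypothetical. Client-supplied copies of the same headers are dropped
    first so that a client cannot forge them."""
    request_line, headers = request_lines[0], request_lines[1:]
    headers = [h for h in headers if not h.lower().startswith("x-ssl-")]
    headers += [
        "X-SSL-Session: on",
        f"X-SSL-Client-IP: {client_ip}",
        f"X-SSL-Client-Port: {client_port}",
        f"X-SSL-Cipher: {cipher_suite}",
    ]
    return [request_line] + headers

def _rewrite_url(url, svc):
    """Rewrite http://<server_name>[:http_port]/... to https://; any other
    scheme, host or port is left alone since it is not this proxy service's."""
    parts = urlsplit(url)
    if parts.scheme != "http" or parts.hostname != svc["server_name"]:
        return url
    if (parts.port or 80) != svc["http_port"]:
        return url
    netloc = parts.hostname
    if svc["https_port"] != 443:
        netloc = f"{netloc}:{svc['https_port']}"
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))

def rewrite_redirect(response_lines, svc=PROXY_SERVICE):
    """URL rewrite for redirects only: on a 3xx response from the cleartext
    back-end, rewrite the Location header so the client is sent back to https://
    instead of being downgraded to http://. Bodies (embedded links) are untouched."""
    if not re.match(r"HTTP/1\.[01] (3\d\d)\b", response_lines[0]):
        return list(response_lines)
    out = []
    for line in response_lines:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "location":
            out.append(f"{name.strip()}: {_rewrite_url(value.strip(), svc)}")
        else:
            out.append(line)
    return out
```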
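As an added illustration of the certificate-based ACL, Certificate Caching and Certificate Expiration Warning rows (example code, not Cisco's implementation), working on certificates in the dict shape Python's `ssl.getpeercert()` returns. The sample certificate, the ACL field names and the cache key are constructed assumptions.

```python
import ssl

# Constructed sample client certificate in the dict form ssl.getpeercert()
# returns: subject and issuer are tuples of RDNs, each a tuple of (type, value).
SAMPLE_CERT = {
    "subject": ((("organizationName", "Example Corp"),),
                (("organizationalUnitName", "Finance"),),
                (("commonName", "alice"),)),
    "issuer": ((("commonName", "Example Corp Client CA"),),),
    "notAfter": "Jul  1 00:00:00 2024 GMT",
    "serialNumber": "0A1B2C",
}

def _fields(name):
    """Flatten a getpeercert()-style name into a {type: value} dict."""
    return {t: v for rdn in name for t, v in rdn}

def cert_acl_permits(cert, acl):
    """Certificate-based ACL: each entry names a certificate field, such as
    'subject.organizationalUnitName', and the set of values it may hold. Every
    named field must be present and hold an acceptable value, else deny."""
    names = {"subject": _fields(cert["subject"]), "issuer": _fields(cert["issuer"])}
    for key, accepted in acl.items():
        part, _, field = key.partition(".")
        if names.get(part, {}).get(field) not in accepted:
            return False
    return True

def expiry_status(cert, warn_days, now):
    """Expiration warning: 'expired', 'expiring' if notAfter falls within
    warn_days of now (epoch seconds, UTC), otherwise 'ok'."""
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not_after <= now:
        return "expired"
    return "expiring" if not_after - now <= warn_days * 86400 else "ok"

class ValidationCache:
    """Certificate caching: run the costly validate() once per certificate,
    keyed on issuer and serial number, and reuse the verdict until the entry
    ages out after max_age seconds, when the certificate is validated again."""
    def __init__(self, max_age):
        self.max_age, self._entries = max_age, {}
    def check(self, cert, validate, now):
        key = (cert["issuer"], cert["serialNumber"])
        hit = self._entries.get(key)
        if hit is not None and now - hit[1] < self.max_age:
            return hit[0]            # cached verdict still fresh
        result = validate(cert)      # first sight or aged out: validate
        self._entries[key] = (result, now)
        return result
```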