IMPORTANT
SNS 3.x versions have reached End of Maintenance since July 1st, 2024.
We recommend that you update your SNS firewalls to a version with maintenance to guarantee the protection of your infrastructure.
SSL
“IPS” tab
This screen will allow you to confirm the activation of the SSL protocol through the firewall.
Certain options allow reinforcing this protocol’s security. For example, negotiations of cryptographic algorithms that are deemed weak can be prohibited, or software applications that use SSL to bypass filter policies can be detected (SKYPE, HTTPS proxy, etc).
WARNING
The SSL (Secure Sockets Layer) protocol, which became Transport Layer Security (TLS) in 2001, is supported in version 3 (1996). Sites that use an older version (which may present security flaws) or that do not support the start of a negotiation in TLS will be blocked.
Internet Explorer in version 7 or 8 does not enable by default, support for the protocol TLS 1.0. For security reasons, you are advised to enable TLS 1.0 support via an Active Directory object that defines host configurations (group policy object or GPO).
An ICAP server’s validation of HTTPS requests decrypted by the SSL proxy is not supported.
Automatically detect and inspect the protocol |
If this protocol has been enabled, it will automatically be used for discovering corresponding packets in filter rules. |
SSL negotiation
Allow unsupported encryption methods |
Select this option if the encryption algorithm that you wish to use is not supported by the SSL protocol. |
Allow unencrypted data after an SSL negotiation |
This option allows sending data in plaintext after an SSL negotiation. WARNING Allowing data transmission in plaintext poses a security risk. |
Authorize signaling cipher (SCSV) |
TLS fallback attacks consist of intercepting communications and imposing the weakest cryptographic variant possible. By enabling this option, the firewall will announce a cryptographic pseudo-algorithm that would allow reporting an attempt to launch a fallback attack (RFC 7507). |
Encryption levels allowed |
The stronger the encryption algorithm used and the more complex the password, the higher the level of security.
Example The AES encryption algorithm with a strength of 256 bits, associated with a password of about ten characters made up of letters, numbers and special characters.
Three choices of encryption levels can be authorized:
|
Unencrypted data detection (plaintext traffic)
Detection method |
|
Support
Disable intrusion prevention |
When this option is selected, the scan of the SSL protocol will be disabled and traffic will be authorized if the filter policy allows it |
Log every SSL query |
Enables or disables the logging of SSL requests. |
“Proxy” tab
Connection
Keep original source IP address |
When a request is made by a web client (browser) to the server, the firewall will intercept it and check that the request complies with URL filter rules and then relays the request.
If this option is selected, the new request will use the original source IP address of the web client that sent the packet. Otherwise, the firewall’s address will be used. |
Content inspection
Self-signed certificates |
This option will determine the action to perform when self-signed certificates are presented: you can either Block them or Continue analysis by accepting them.
These certificates are used internally and signed by your local server. They allow guaranteeing the security of your exchanges and authenticating users, among other functions. |
Expired certificates |
This option will determine the action to perform when expired certificates are presented: you can either Block them or Continue analysis by ignoring them.
Expired certificates have validity dates that have lapsed and are therefore not valid. To fix this problem, they must be renewed by a certificate authority WARNING Expired certificates may pose a security risk. After the expiry of a certificate, the CA that issued it will no longer be responsible for it if it is used maliciously. |
Unknown certificates |
This option will determine the action to perform when unknown certificates are presented: you can either Block them or Continue analysis by ignoring them. |
Wrong certificate type |
This test validates the certificate’s type. This option makes it possible, for example, to authorize traffic in the event the type of certificate presented does not comply. NOTE A certificate is deemed compliant if it is used in the context defined by its signature. Therefore, a user certificate used by a server does not comply. |
Certificate with incorrect FQDN |
This option will determine the action to perform when certificates with an invalid domain name are encountered: you may choose to Block the traffic or to Continue analysis and ignoring the error. |
When the FQDN of the certificate is different from the SSL domain name |
This option will determine the action to perform when you encounter certificates with domain names (FQDN) that are different from the expected SSL domain: you can either Block traffic or Continue analysis by ignoring the difference. |
Allow IP addresses in SSL domain names |
This option allows or denies access to a site based on its IP addresses instead of its SSL domain name. |
Support
If decryption fails |
This option will determine the action to perform when decryption fails: you can choose to Block traffic or Pass without decrypting. Traffic will not be inspected if the second option is selected. |
If classification of certificate fails |
The choice is either Pass without decrypting or Block. If a certificate has not been listed in a certificate category, this action will determine whether the traffic will be authorized. |