SSL

“IPS” tab

This screen will allow you to confirm the activation of the SSL protocol through the firewall.

Certain options allow reinforcing this protocol’s security. For example, negotiations of cryptographic algorithms that are deemed weak can be prohibited, or software applications that use SSL to bypass filter policies can be detected (SKYPE, HTTPS proxy, etc).

WARNING

The SSL (Secure Sockets Layer) protocol, which became Transport Layer Security (TLS) in 2001, is supported in version 3 (1996). Sites that use an older version (which may present security flaws) or that do not support the start of a negotiation in TLS will be blocked.

Internet Explorer in version 7 or 8 does not enable by default, support for the protocol TLS 1.0. For security reasons, you are advised to enable TLS 1.0 support via an Active Directory object that defines host configurations (group policy object or GPO).

An ICAP server’s validation of HTTPS requests decrypted by the SSL proxy is not supported.

 

Automatically detect and inspect the protocol

If this protocol has been enabled, it will automatically be used for discovering corresponding packets in filter rules.

SSL negotiation

Allow unsupported encryption methods

Select this option if the encryption algorithm that you wish to use is not supported by the SSL protocol.

Allow unencrypted data after an SSL negotiation

This option allows sending data in plaintext after an SSL negotiation.

WARNING

Allowing data transmission in plaintext poses a security risk.

Authorize signaling cipher (SCSV)

TLS fallback attacks consist of intercepting communications and imposing the weakest cryptographic variant possible. By enabling this option, the firewall will announce a cryptographic pseudo-algorithm that would allow reporting an attempt to launch a fallback attack (RFC 7507).

Encryption levels allowed

The stronger the encryption algorithm used and the more complex the password, the higher the level of security.

 

Example

The AES encryption algorithm with a strength of 256 bits, associated with a password of about ten characters made up of letters, numbers and special characters.

 

Three choices of encryption levels can be authorized:

 

  • Low, medium, high: for example, DES (64 bits), CAST128 (128 bits) and AES. Regardless of the password’s security level, the encryption level will be allowed.
  • Medium and high: Only medium-security and high-security algorithms will be tolerated.
  • Only high: Only strong algorithms and passwords with a high level of security will be tolerated.

Unencrypted data detection (plaintext traffic)

Detection method
  • Do not detect: unencrypted data will not be scanned.
  • Inspect all traffic: all packets received will be scanned by the SSL protocol in order to detect plaintext traffic.
  • Sampling (7168 bytes): only the first 7168 bytes of the traffic will be analyzed in order to detect plaintext traffic.

Support

Disable intrusion prevention

When this option is selected, the scan of the SSL protocol will be disabled and traffic will be authorized if the filter policy allows it

Log every SSL query

Enables or disables the logging of SSL requests.

“Proxy” tab

Connection

Keep original source IP address

When a request is made by a web client (browser) to the server, the firewall will intercept it and check that the request complies with URL filter rules and then relays the request.

 

If this option is selected, the new request will use the original source IP address of the web client that sent the packet. Otherwise, the firewall’s address will be used.

Content inspection

Self-signed certificates

This option will determine the action to perform when self-signed certificates are presented: you can either Block them or Continue analysis by accepting them.

 

These certificates are used internally and signed by your local server. They allow guaranteeing the security of your exchanges and authenticating users, among other functions.

Expired certificates

This option will determine the action to perform when expired certificates are presented: you can either Block them or Continue analysis by ignoring them.

 

Expired certificates have validity dates that have lapsed and are therefore not valid. To fix this problem, they must be renewed by a certificate authority

WARNING

Expired certificates may pose a security risk. After the expiry of a certificate, the CA that issued it will no longer be responsible for it if it is used maliciously.

Unknown certificates

This option will determine the action to perform when unknown certificates are presented: you can either Block them or Continue analysis by ignoring them.

Wrong certificate type

This test validates the certificate’s type. This option makes it possible, for example, to authorize traffic in the event the type of certificate presented does not comply.

NOTE

A certificate is deemed compliant if it is used in the context defined by its signature. Therefore, a user certificate used by a server does not comply.

Certificate with incorrect FQDN

This option will determine the action to perform when certificates with an invalid domain name are encountered: you may choose to Block the traffic or to Continue analysis and ignoring the error.

When the FQDN of the certificate is different from the SSL domain name

This option will determine the action to perform when you encounter certificates with domain names (FQDN) that are different from the expected SSL domain: you can either Block traffic or Continue analysis by ignoring the difference.

Allow IP addresses in SSL domain names

This option allows or denies access to a site based on its IP addresses instead of its SSL domain name.

Support

If decryption fails

This option will determine the action to perform when decryption fails: you can choose to Block traffic or Pass without decrypting. Traffic will not be inspected if the second option is selected.

If classification of certificate fails

The choice is either Pass without decrypting or Block. If a certificate has not been listed in a certificate category, this action will determine whether the traffic will be authorized.