Defining SSL filter policies

As soon as the remote server's certificate has been verified, the domain associated with the requested URL will be compared against all the rules in the SSL filter policy.

  • An SSL filter rule describes the action that the SSL proxy needs to perform for a certain category of URLs or specific certificates. For example, you may choose to block all URLs that belong to the Games category.
  • An SSL filter policy is a set of rules that the firewall will read sequentially.

Creating SSL filter policies

  1. Log on to the web administration interface.
  2. Select the Configuration > Security policy > SSL Filtering menu, and select a filter policy, for example SSLFilter_00. Two rules are already configured by default. In the first, certain URL-CNs are allowed to pass without decryption. The second rule specifies that all other rules need to be decrypted.
  3. If you are filtering WITHOUT decrypting SSL traffic, delete both of the default rules.
  4. Click on Add all predefined categories.
    A list of categories will appear, corresponding to your URL database (embedded URL database or Extended Web Control).
  5. Delete all the categories to which you do not wish to apply SSL filtering.
  6. For the remaining categories, in the Action column, choose the action that the firewall must perform on each URL-CN category. Refer to the section Best practices for filtering for help on which choices to make.

    Example of SSL filtering

    • Block without decrypting: The firewall will deny access to the requested URL-CN without performing any prior SSL analysis. Choose this action for all categories that you wish to block (e.g., weapons, violence, pornography, peer-to-peer, etc).
    • Pass without decrypting: The firewall will allow access to the requested URL-CN without performing any prior SSL analysis. Choose this action for categories that you are not legally allowed to decrypt (e.g. websites containing private data) and for those that you consider trustworthy.
    • Decrypt: The firewall will decrypt SSL traffic before allowing or denying access to the requested URL-CN. Use this action only if you have chosen filtering WITH SSL traffic decryption.
  7. In the URL-CN column, select the URL category or certificate group (CN) concerned, for example Violence. If any categories are missing, you can create them through the menu Configuration > Objects >URL> URL tab, then click Add a customized category. For more information, please refer to the section Customized categories.
    Click on Add to create the other rules you would need in your policy and arrange them by using the Up and Down buttons or copy and paste them. To find out how to classify them, refer to the section Rule sequence.
  8. Double-click in the Status column to enable the rules that have been created.

  9. Click on Apply.

The SSL filter policy must then be associated with the security policy. For further information, refer to the section Creating SSL inspection rules in the filter policy.

Best practices for filtering

Refer to best practices for filtering whenever you build an SSL filter policy.

Legislation

As the decryption of private data is governed by law in most countries, SSL filtering must take such legislation into account. This means that websites that must not be decrypted must be excluded by applying the Pass without decrypting action. In France, the legal aspects of SSL decryption are set out in the appendix of the ANSSI's (French Net- work and Information Security Agency) document "Recommandations de sécurité concernant l’analyse des flux HTTPS" (in French).

Customized categories

If the website categories that were predefined by your URL database do not exactly meet your needs, you can add categories available by default on the firewall, or create your own categories.

For example, in the category proxyssl_bypass you will find the list of certificates that Stormshield advises you to allow through without decryption. This is because these servers will detect that the SSL proxy is generating a fake certificate and may reject connections as a result.

You can also create the following categories to make it easier to build SSL filter rules:

  • A whitelist category (sslproxy_whitelist) containing all the URLs that you deem trustworthy. For example, websites that legislation does not allow you to decrypt, your internal websites and system and software upgrade websites (e.g., Microsoft, antivirus etc.). Apply the action Pass without decrypting to this new category.
  • A blacklist category (sslproxy_blacklist) containing URLs that you deem malicious and which you are unable to find in the predefined categories. Apply the action Block without decrypting to this new category.

Create your new categories through the Configuration > Objects > URL > Certificate Name (CN) tab > Add a customized category button. For more information, refer to the Administration and configuration guide.

Rule sequence

The SSL proxy runs through the list of rules from top to bottom. There are two ways in which you can organize your rules:

  • Itemize authorized categories: Create a rule for each authorized category with the action Pass without decrypting or Decrypt. The last rule must block all other categories by specifying the action Block without encrypting for the URL-CN Any.
  • Itemize categories to be blocked: Create a rule for each undesirable category with the action Block without decrypting. The last rule must allow all other categories by specifying the action Pass without encrypting or Decrypt for the URL-CN Any.

Do also note that in the Extended Web Control URL database, URL-CNs are sometimes listed under several categories, so pay close attention to the alphabetical order of categories. For example, if a website falls under two categories such as Entertainment and Nudity, and you wish to block Nudity while allowing Entertainment, ensure that the category Nudity comes before Entertainment in the list of SSL filter rules. Otherwise, the website in question, which falls under the Entertainment category, will be allowed.