Filtering methods for HTTPS
There are two possible methods for filtering HTTPS connections: with or without decryption of the SSL/TLS traffic. The two methods can also be combined, with the choice depending on criteria such as authentication or the source IP network.
Filtering without decryption: with this method, undesirable HTTPS websites are blocked by checking only the server certificate, without decrypting the traffic. The firewall's certificate therefore does not need to be installed in every browser on every workstation.
However, this method does not allow HTTPS connections to be analyzed by application protections such as anti-virus, sandboxing, Google SafeSearch, etc.
Furthermore, when a website is blocked, the browser displays a message indicating that the certificate is invalid, and the block page cannot be customized.
With this type of filtering, SNS firewalls support the SNI (Server Name Indication) TLS extension, which identifies in cleartext the host with which a TLS session is being negotiated, so the firewall can match the hostname without decrypting anything.
Filtering with decryption: this method makes it possible both to block undesirable HTTPS websites and to analyze HTTPS connections with an anti-virus, sandboxing, Google SafeSearch, etc. You can also customize the block page that appears on the workstation whenever an HTTPS website is blocked.
Since the SNS firewall decrypts the SSL traffic, it presents the browser with a self-signed certificate that the browser cannot consider trustworthy. An error message is displayed in users' browsers, indicating that the source of the certificate presented by the SNS firewall is suspicious. To avoid this message, deploy the firewall's self-signed authority on the browsers so that it is recognized.
Also compile a clear list of HTTPS websites and/or categories of HTTPS websites that you are not allowed to decrypt (e.g. banking websites in France), so that they pass through without decryption.
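To make the SNI-based decision concrete, here is an added example (not Stormshield's code) that extracts the server_name from a TLS ClientHello and applies a constructed block list and no-decrypt list, mirroring the two methods above; the rule sets, hostnames and the minimal ClientHello builder are assumptions for offline testing, not SNS configuration.

```python
import struct
def extract_sni(record: bytes):
    """Return the server_name from a TLS ClientHello record, or None if absent or malformed."""
    try:
        hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]   # record payload (handshake msg)
        if record[0] != 0x16 or hs[0] != 0x01:  # content type 0x16 = handshake, msg type 1 = ClientHello
            return None
        p = 4 + 2 + 32                          # skip handshake header, version, random
        p += 1 + hs[p]                          # session id
        p += 2 + struct.unpack("!H", hs[p:p + 2])[0]   # cipher suites
        p += 1 + hs[p]                          # compression methods
        end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]   # extensions block (absent -> struct.error)
        p += 2
        while p + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hs[p:p + 4])
            p += 4
            if ext_type == 0:                   # server_name: list len(2), type(1), name len(2), name
                name_len = struct.unpack("!H", hs[p + 3:p + 5])[0]
                return hs[p + 5:p + 5 + name_len].decode("ascii")
            p += ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        pass
    return None

# Constructed rule sets standing in for the firewall's URL categories (assumptions, not SNS config).
BLOCKED_SITES = {"blocked.example"}
NO_DECRYPT_SITES = {"bank.example"}             # e.g. banking sites that must not be decrypted
def matches(host, rules):
    return any(host == r or host.endswith("." + r) for r in rules)

def decide(record: bytes) -> str:
    """Classify a ClientHello: block, pass through undecrypted, or decrypt and inspect."""
    host = extract_sni(record)
    if host is None:
        return "no-sni"          # nothing to match on; the certificate check is the fallback
    if matches(host, BLOCKED_SITES):
        return "block"           # decided without decryption, so no customized block page
    if matches(host, NO_DECRYPT_SITES):
        return "pass-through"    # exempt from decryption, hence no AV/sandbox analysis
    return "decrypt"             # eligible for decryption and application protections

def build_client_hello(host: str) -> bytes:
    """Constructed minimal ClientHello carrying only an SNI extension, for offline testing."""
    name = host.encode("ascii")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"   # ver, random, sid, suites, compr
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake
```

A ClientHello that carries no SNI yields "no-sni", which is exactly the case where only the certificate check from the no-decryption method can still make a decision.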
The table below shows the characteristics of each filtering method:

| Characteristic | Without decryption | With decryption |
|---|---|---|
| Blocking of HTTPS websites | X | X |
| Anti-virus analysis, sandboxing, SafeSearch, etc. | | X |
| Display of customized block pages | | X |
| A certificate must be installed on every workstation | | X |
| Do not decrypt unauthorized websites and/or website categories | N/A | X |
| Access possible for devices without certificates (BYOD) | X | |