IPS tab

This screen lets you confirm that analysis of the SSL protocol is enabled on the firewall.

Certain options reinforce the security of this protocol. For example, negotiation of cryptographic algorithms that are deemed weak can be prohibited, and software that uses SSL to bypass filter policies (Skype, HTTPS proxies, etc.) can be detected.

Automatically detect and inspect the protocol: If this protocol has been enabled, it will automatically be used to discover the corresponding packets in filter rules.

SSL negotiation

Allow unsupported encryption methods: Select this option if the encryption algorithm that you wish to use is not supported by the SSL protocol.
Allow unencrypted data after an SSL negotiation: This option allows data to be sent in plaintext after an SSL negotiation.

WARNING
Allowing data transmission in plaintext poses a security risk.

Authorize signaling cipher (SCSV): TLS fallback attacks consist of intercepting communications and forcing the weakest cryptographic variant possible. When this option is enabled, the firewall announces a cryptographic pseudo-algorithm that allows a fallback attempt to be reported (RFC 7507).
Encryption levels allowed: The stronger the encryption algorithm used and the more complex the password, the higher the level of security.

EXAMPLE
The AES encryption algorithm with a 256-bit key, combined with a password of about ten characters made up of letters, numbers and special characters.

Three choices of encryption levels can be authorized:
  • Low, medium, high: for example, DES (64 bits), CAST128 (128 bits) and AES. Regardless of the password’s security level, the encryption level will be allowed.
  • Medium and high: Only medium-security and high-security algorithms will be tolerated.
  • Only high: Only strong algorithms and passwords with a high level of security will be tolerated.
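The SCSV check and the encryption-level filtering described above, shown together as an added example in Python (this is not Stormshield's code). It builds a constructed ClientHello, parses the cipher suites the client offers, applies the server-side rule of RFC 7507 for the TLS_FALLBACK_SCSV value, and then sorts the suites into accepted and rejected sets for a chosen level, treating unknown suites according to an `allow_unsupported` flag that stands in for the "Allow unsupported encryption methods" option. The `SUITE_LEVEL` mapping, the `POLICY` names, `server_max_version` and the helper names are assumptions made for illustration, not the firewall's internal tables.

```python
import struct

TLS_FALLBACK_SCSV = 0x5600   # RFC 7507 signaling cipher suite value
EMPTY_RENEG_SCSV = 0x00FF    # RFC 5746 signaling value; also carries no encryption
SIGNALING = {TLS_FALLBACK_SCSV, EMPTY_RENEG_SCSV}

# Illustrative strength mapping (assumption for this example, not the firewall's own table).
SUITE_LEVEL = {
    0x0003: "low",     # TLS_RSA_EXPORT_WITH_RC4_40_MD5
    0x0009: "low",     # TLS_RSA_WITH_DES_CBC_SHA
    0x000A: "medium",  # TLS_RSA_WITH_3DES_EDE_CBC_SHA
    0x002F: "medium",  # TLS_RSA_WITH_AES_128_CBC_SHA
    0x0035: "high",    # TLS_RSA_WITH_AES_256_CBC_SHA
    0xC02F: "high",    # TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    0xC030: "high",    # TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
}
# The three choices of the "Encryption levels allowed" option (names assumed).
POLICY = {
    "low,medium,high": {"low", "medium", "high"},
    "medium,high": {"medium", "high"},
    "high": {"high"},
}


def build_client_hello(client_version, suites):
    """Build a minimal TLS ClientHello record (constructed test input)."""
    body = struct.pack(">H", client_version) + b"\x11" * 32      # version + random
    body += b"\x00"                                               # empty session id
    body += struct.pack(">H", 2 * len(suites))
    body += b"".join(struct.pack(">H", s) for s in suites)
    body += b"\x01\x00"                                           # one compression method: null
    body += b"\x00\x00"                                           # no extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body     # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def parse_client_hello(data):
    """Return (client_version, [cipher suite ids]) from a ClientHello record."""
    if len(data) < 5 or data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", data[3:5])[0]
    hs = data[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    client_version = struct.unpack(">H", body[0:2])[0]
    pos = 2 + 32                                 # skip client_random
    sid_len = body[pos]
    pos += 1 + sid_len
    cs_len = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2
    cs_bytes = body[pos:pos + cs_len]
    if len(cs_bytes) != cs_len or cs_len % 2:
        raise ValueError("bad cipher_suites length")
    suites = [struct.unpack(">H", cs_bytes[i:i + 2])[0] for i in range(0, cs_len, 2)]
    return client_version, suites


def fallback_verdict(client_version, suites, server_max_version=0x0303):
    """RFC 7507 section 3: SCSV present and client_version below the server's
    highest version means a downgrade happened in transit -> fatal inappropriate_fallback."""
    if TLS_FALLBACK_SCSV in suites and client_version < server_max_version:
        return "inappropriate_fallback"
    return "ok"


def filter_suites(suites, level, allow_unsupported=False):
    """Split offered suites into (accepted, rejected) for the chosen encryption level."""
    allowed_levels = POLICY[level]
    accepted, rejected = [], []
    for s in suites:
        if s in SIGNALING:
            accepted.append(s)                   # signaling values are not encryption methods
        elif s in SUITE_LEVEL:
            (accepted if SUITE_LEVEL[s] in allowed_levels else rejected).append(s)
        else:
            (accepted if allow_unsupported else rejected).append(s)   # unknown suite
    return accepted, rejected


def inspect(data, level="medium,high", allow_unsupported=False, server_max_version=0x0303):
    """Parse a ClientHello and return the fallback verdict plus the accepted/rejected suites."""
    ver, suites = parse_client_hello(data)
    accepted, rejected = filter_suites(suites, level, allow_unsupported)
    return {"fallback": fallback_verdict(ver, suites, server_max_version),
            "accepted": accepted, "rejected": rejected}


if __name__ == "__main__":
    # Constructed case: a client pushed down to TLS 1.0 that signals the retry with the SCSV.
    hello = build_client_hello(0x0301, [0xC030, 0x002F, 0x0009, 0xDEAD, TLS_FALLBACK_SCSV])
    print(inspect(hello, level="high"))
```

With the "Only high" level, only 0xC030 (and the signaling value itself) survives; the AES-128 and DES suites and the unknown 0xDEAD suite are rejected, and the mismatch between the signaled TLS 1.0 and the server's TLS 1.2 produces the alert the option is there to trigger.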

Unencrypted data detection (plaintext traffic)

Detection method
  • Do not detect: unencrypted data will not be scanned.
  • Inspect all traffic: all packets received will be scanned by the SSL protocol in order to detect plaintext traffic.
  • Sampling (7168 bytes): only the first 7168 bytes of the traffic will be analyzed in order to detect plaintext traffic.
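What the three detection methods amount to, as an added example in Python (not part of the documentation): the code walks TLS record headers over either the whole stream or only its first 7168 bytes and reports the offset of the first data that is not a TLS record. The record-header plausibility rule, the function names and the constructed sample streams are assumptions for illustration; the last stream shows the trade-off of sampling, since plaintext that starts after the 7168-byte window is only found by a full scan.

```python
SAMPLE_LIMIT = 7168                   # matches the "Sampling (7168 bytes)" option
TLS_CONTENT_TYPES = {20, 21, 22, 23}  # change_cipher_spec, alert, handshake, application_data
MAX_RECORD = 16384 + 2048             # TLSPlaintext limit plus ciphertext expansion (RFC 5246)


def first_non_tls_offset(data):
    """Walk TLS record headers from offset 0.

    Returns the offset of the first byte that does not start a plausible TLS
    record, or None if the data is entirely TLS records. A record cut off by
    the end of a sample is treated as inconclusive, not as plaintext.
    """
    pos = 0
    while pos < len(data):
        if pos + 5 > len(data):
            return None                           # header truncated by the sample boundary
        ctype, major, minor = data[pos], data[pos + 1], data[pos + 2]
        length = int.from_bytes(data[pos + 3:pos + 5], "big")
        if (ctype not in TLS_CONTENT_TYPES or major != 3 or minor > 4
                or length == 0 or length > MAX_RECORD):
            return pos                            # not a TLS record: plaintext starts here
        pos += 5 + length                         # may overshoot when the final record is cut
    return None


def detect_plaintext(stream, method="sample"):
    """Apply one of the tab's three detection methods ("none", "sample", "all")."""
    if method == "none":
        return {"method": method, "plaintext": False, "offset": None}
    data = stream[:SAMPLE_LIMIT] if method == "sample" else stream
    offset = first_non_tls_offset(data)
    return {"method": method, "plaintext": offset is not None, "offset": offset}


def tls_record(content_type, payload, version=b"\x03\x03"):
    """Build one TLS record (constructed test data; the payload content is irrelevant here)."""
    return bytes([content_type]) + version + len(payload).to_bytes(2, "big") + payload


# Constructed sample streams.
HTTP_PLAIN = b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
TLS_ONLY = tls_record(22, b"\x01" + b"\x00" * 999) + tls_record(23, b"\xaa" * 512)
# Eight 1005-byte records (8040 bytes) followed by plaintext: only a full scan reaches it.
LATE_PLAIN = tls_record(23, b"\xaa" * 1000) * 8 + HTTP_PLAIN

if __name__ == "__main__":
    for name, stream in (("HTTP_PLAIN", HTTP_PLAIN), ("TLS_ONLY", TLS_ONLY), ("LATE_PLAIN", LATE_PLAIN)):
        for method in ("none", "sample", "all"):
            print(name, detect_plaintext(stream, method))
```

A sample cut mid-record is deliberately reported as "no plaintext" rather than as a hit, because the 7168-byte window will routinely end inside a record; the price is that plaintext appended after the window, as in `LATE_PLAIN`, is only caught by the "Inspect all traffic" method.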

Support

Disable IPS: When this option is selected, scanning of the SSL protocol is disabled and traffic is allowed if the filter policy permits it.
Log every SSL query: Enables or disables the logging of SSL requests.