IPS tab

This screen will allow you to confirm the activation of the SSL protocol through the firewall.

Certain options allow reinforcing this protocol’s security. For example, negotiations of cryptographic algorithms that are deemed weak can be prohibited, or software applications that use SSL to bypass filter policies can be detected (SKYPE, HTTPS proxy, etc).

 

Automatically detect and inspect the protocol If this protocol is enabled, the inspection function will automatically apply to discover corresponding traffic that filter rules allow.

TLS v1.3

Allow 0-RTT

When this checkbox is selected, the IPS engine allows TLS requests that use 0-RTT (Zero Round Trip Time), which reduces the handshake to zero exchanges in order to improve performance for TLS traffic.
0-RTT allows the client to send application data from the first exchange when the client and server share a pre-shared key, either imported manually or calculated during an earlier handshake.

Unknown values/extensions

Select the type of TLS values or extensions to allow:

  • RFC TLS 1.3, GREASE (Generate Random Extensions And Sustain Extensibility) or unknown values/extensions,
  • RFC TLS 1.3 and GREASE values/extensions,
  • RFC TLS 1.3 and unknown values/extensions (except GREASE),
  • Only RFC TLS 1.3 values/extensions.
Enable server certificate analysis

When this option is selected, the intrusion prevention engine will attempt to retrieve the server certificate for every TLS v1 traffic stream that passes through the firewall so that any potential security flaws relating to this certificate can be analyzed.

NOTE
To optimize the analysis of server certificates, a cache mechanism makes it possible to avoid retrieving a certificate when the intrusion prevention engine already knows it. This mechanism can be configured in the Global configuration of the SSL protocol, in the IPS tab.

When the certificate type is wrong

Select the action applied to analyzed TLS traffic when the retrieved server certificate displays an anomaly:

  • Continue analysis: the intrusion prevention engine continues to analyze the certificate and the protocol analyses on the TLS 1.3 traffic in question.
  • Block traffic: the certificate is rejected, the firewall raises an alarm and blocks the TLS 1.3 traffic in question by shutting down the connection.
When the SNI is missing

Select the action applied to analyzed TLS traffic when the certificate does not have an SNI (Server Name Indication):

  • Continue analysis: the intrusion prevention engine continues to analyze the certificate and the protocol analyses on the TLS 1.3 traffic in question.
  • Block traffic: the certificate is rejected, the firewall raises an alarm and blocks the TLS 1.3 traffic in question by shutting down the connection.
When the CA is not trustworthy

Select the action applied to TLS traffic when the CA that signed the server certificate is not in the list of trusted CAs:

  • Continue analysis: the intrusion prevention engine continues to analyze the certificate and the protocol analyses on the TLS 1.3 traffic in question.
  • Block traffic: the certificate is rejected, the firewall raises an alarm and blocks the TLS 1.3 traffic in question by shutting down the connection.
When the certificate is self-signed

These certificates are used internally and signed by your local server. They allow guaranteeing the security of your exchanges and authenticating users, among other functions.

Select the action to perform when you encounter self-signed certificates:

  • Continue analysis: the intrusion prevention engine continues to analyze the certificate and the protocol analyses on the TLS 1.3 traffic in question.
  • Block traffic: the firewall rejects these certificates and matching traffic is blocked.
When the validity date is wrong

The certificates to which this field applies have a validity date before or after the current date, and are therefore not “valid”.

Select the action to perform when you encounter certificates with validity dates that are wrong:

  • Continue analysis: the intrusion prevention engine continues to analyze the certificate and the protocol analyses on the TLS 1.3 traffic in question.
  • Block traffic: the firewall rejects these certificates and matching traffic is blocked.
When the CRL verification fails

Select the action to perform when the automatic verification of the CRL is unsuccessful.

  • Continue analysis: the intrusion prevention engine continues to analyze the certificate and the protocol analyses on the TLS 1.3 traffic in question.
  • Block traffic: the firewall rejects these certificates and matching traffic is blocked.
When the CRL is invalid

Select the action to perform when the CRL to verify has expired:

  • Continue analysis: the intrusion prevention engine continues to analyze the certificate and the protocol analyses on the TLS 1.3 traffic in question.
  • Block traffic: the firewall rejects these certificates and matching traffic is blocked.
Address used for certificate verification

Select the object that represents the IP address of the firewall to be used for submitting certificate verification requests.

If no objects are selected, time the IP address of the interface Firewall_out will be used.

SSL negotiation

Allow unsupported encryption methods Select this option if the encryption algorithm that you wish to use is not supported by the SSL protocol.
Allow unencrypted data after an SSL negotiation This option allows sending data in plaintext after an SSL negotiation.

WARNING
Allowing data transmission in plaintext poses a security risk.

Authorize signaling cipher (SCSV) TLS fallback attacks consist of intercepting communications and imposing the weakest cryptographic variant possible. By enabling this option, the firewall will announce a cryptographic pseudo-algorithm that would allow reporting an attempt to launch a fallback attack (RFC 7507).
Encryption levels allowed The stronger the encryption algorithm used and the more complex the password, the higher the level of security.

EXAMPLE
The AES encryption algorithm with a strength of 256 bits, associated with a password of about ten characters made up of letters, numbers and special characters.


Three choices of encryption levels can be authorized:
  • Low, medium, high: for example, DES (64 bits), CAST128 (128 bits) and AES. Regardless of the password’s security level, the encryption level will be allowed.
  • Medium and high: Only medium-security and high-security algorithms will be tolerated.
  • Only high: Only strong algorithms and passwords with a high level of security will be tolerated.

Manage SSL extensions

Named extensions tab

This table makes it possible to allow/prohibit the named TLS v1.3 protocol extensions.
All known named extensions (see the IANA’s list of TLS extensions) are listed by default: a line in the table therefore contains the ID (between 0 and 56 inclusive), the name of the extension and the action applied to it.

You can:

  • Allow or prohibit extensions individually by clicking on their associated action,
  • Allow or prohibit a selection of extensions (hold down the Shift key and select consecutive lines or hold down the Ctrl key and select separated lines) and apply a common action to them using Allow selection and Prohibit selection.
  • Select all extensions with the Select all button and apply a common action to them using Allow selection and Prohibit selection.

A search field also makes it possible to filter the display of extensions.

Blacklisted extension ranges tab

This table contains the known TLS v1.3 extensions to prohibit other than the ones defined in the Named extensions tab. The ID of these extensions must be between 57 and 65535 inclusive.

Defined extensions can be added (Add button) or deleted (Delete button after selecting the line concerned) individually using their IDs (e.g. 59) or extension ranges (e.g. 59-62, 92-1001).

A search field also makes it possible to filter the display of blacklisted IDs.

Unencrypted data detection (plaintext traffic)

Detection method
  • Do not detect: unencrypted data will not be scanned.
  • Inspect all traffic: all packets received will be scanned by the SSL protocol in order to detect plaintext traffic.
  • Sampling (7168 bytes): only the first 7168 bytes of the traffic will be analyzed in order to detect plaintext traffic.

Support

Disable IPS When this option is selected, the scan of the SSL protocol will be disabled and traffic will be authorized if the filter policy allows it
Log every SSL query Enables or disables the logging of SMTP requests.

Application-Layer Protocol Negotiation (ALPN)

Application-Layer Protocol Negotiation (ALPN) is an extension of the Transport Layer Security (TLS) protocol, which negotiates the protocol of the application layer during the TLS handshake.

IANA ALPN tab

In this grid, protocols registered with the IANA and included in the ALPN extension as described in RFC 7301 can be allowed/prohibited.

You can:

  • Allow or prohibit protocols individually by clicking on their associated action,
  • Select all protocols with the Select all button and apply a common action to them using Allow and Block.

A search field also makes it possible to filter the display of protocols.

ALPN EXCEPTIONS tab

In this grid, ALPN extension protocols that must be excluded from the SSL/TLS protocol analysis can be defined.

You can:

  • Add a protocol to be deleted by using the Add button.
  • Select all excluded protocols and delete them from the grid by using the Select all then Remove buttons.

A search field also makes it possible to filter the display of protocols.