IPS tab
This screen will allow you to confirm the activation of the SSL protocol through the firewall.
Certain options allow reinforcing this protocol’s security. For example, negotiations of cryptographic algorithms that are deemed weak can be prohibited, or software applications that use SSL to bypass filter policies can be detected (SKYPE, HTTPS proxy, etc).
Automatically detect and inspect the protocol | If this protocol has been enabled, it will automatically be used for discovering corresponding packets in filter rules. |
SSL negotiation
Allow unsupported encryption methods | Select this option if the encryption algorithm that you wish to use is not supported by the SSL protocol. |
Allow unencrypted data after an SSL negotiation | This option allows sending data in plaintext after an SSL negotiation. WARNING |
Authorize signaling cipher (SCSV) | TLS fallback attacks consist of intercepting communications and imposing the weakest cryptographic variant possible. By enabling this option, the firewall will announce a cryptographic pseudo-algorithm that would allow reporting an attempt to launch a fallback attack (RFC 7507). |
Encryption levels allowed | The stronger the encryption algorithm used and the more complex the password, the higher the level of security. EXAMPLE Three choices of encryption levels can be authorized:
|
Unencrypted data detection (plaintext traffic)
Detection method |
|
Support
Disable IPS | When this option is selected, the scan of the SSL protocol will be disabled and traffic will be authorized if the filter policy allows it |
Log every SSL query | Enables or disables the logging of SSL requests. |