IPS tab

This screen will allow you to confirm the activation of the SSL protocol through the firewall.

Certain options allow reinforcing this protocol’s security. For example, negotiations of cryptographic algorithms that are deemed weak can be prohibited, or software applications that use SSL to bypass filter policies can be detected (SKYPE, HTTPS proxy, etc).


Automatically detect and inspect the protocol If this option is enabled, the inspection function will automatically apply to traffic that is identified as this protocol and that the filter rules allow.

TLS v1.3

Allow 0-RTT

When this checkbox is selected, the IPS engine allows TLS requests that use 0-RTT (Zero Round Trip Time), which reduces the handshake to zero exchanges in order to improve performance for TLS traffic.
0-RTT allows the client to send application data from the first exchange when the client and server share a pre-shared key, either imported manually or calculated during an earlier handshake.

Unknown values/extensions

Select the type of TLS values or extensions to allow:

  • RFC TLS 1.3, GREASE (Generate Random Extensions And Sustain Extensibility) or unknown values/extensions,
  • RFC TLS 1.3 and GREASE values/extensions,
  • RFC TLS 1.3 and unknown values/extensions (except GREASE),
  • Only RFC TLS 1.3 values/extensions.

SSL negotiation

Allow unsupported encryption methods Select this option if the encryption algorithm that you wish to use is not supported by the SSL protocol.
Allow unencrypted data after an SSL negotiation This option allows sending data in plaintext after an SSL negotiation.

WARNING
Allowing data transmission in plaintext poses a security risk.

Authorize signaling cipher (SCSV) TLS fallback attacks consist of intercepting communications and forcing the weakest cryptographic variant possible. When this option is enabled, the firewall will announce a cryptographic pseudo-algorithm that makes it possible to report an attempted fallback attack (RFC 7507).
Encryption levels allowed The stronger the encryption algorithm used and the more complex the password, the higher the level of security.

EXAMPLE
The AES encryption algorithm with a strength of 256 bits, associated with a password of about ten characters made up of letters, numbers and special characters.

Three choices of encryption levels can be authorized:
  • Low, medium, high: for example, DES (64 bits), CAST128 (128 bits) and AES. Regardless of the password’s security level, the encryption level will be allowed.
  • Medium and high: Only medium-security and high-security algorithms will be tolerated.
  • Only high: Only strong algorithms and passwords with a high level of security will be tolerated.

Manage SSL extensions

Named extensions tab

This table makes it possible to allow/prohibit the named TLS v1.3 protocol extensions.
All known named extensions (see IANA’s list of TLS extensions) are listed by default: each line in the table therefore contains the ID (between 0 and 56 inclusive), the name of the extension and the action applied to it.

You can:

  • Allow or prohibit extensions individually by clicking on their associated action,
  • Allow or prohibit a selection of extensions (hold down the Shift key and select consecutive lines, or hold down the Ctrl key and select separate lines) and apply a common action to them using Allow selection and Prohibit selection,
  • Select all extensions with the Select all button and apply a common action to them using Allow selection and Prohibit selection.

A search field also makes it possible to filter the display of extensions.

Blacklisted ranges tab

This table lists the TLS v1.3 extension IDs to prohibit other than those defined in the Named extensions tab. The ID of these extensions must be between 57 and 65535 inclusive.

Extensions can be added (Add button) or deleted (select the line concerned, then click Delete) individually by ID (e.g. 59) or as ID ranges (e.g. 59-62, 92-1001).

A search field also makes it possible to filter the display of blacklisted IDs.
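The Unknown values/extensions policy above and the two extension tables together amount to a per-ID decision on each extension a ClientHello carries. The following is an added Python example, not the firewall's own code, that models that decision; it assumes that named IDs default to "allow", that GREASE values are the ones defined in RFC 8701, and that a blacklisted ID is prohibited whatever the policy.

```python
from typing import Iterable

# Assumptions (added example, not the product's code): named IDs 0..56 default to
# "allow", GREASE values follow RFC 8701, and a blacklisted ID is always prohibited.
NAMED_MAX = 56                          # page: named extensions have IDs 0..56
# RFC 8701 GREASE extension values: 0x0A0A, 0x1A1A, ..., 0xFAFA (16 values)
GREASE_IDS = frozenset((b << 8) | b for b in range(0x0A, 0x100, 0x10))
POLICY_ALLOWS = {                       # the four "Unknown values/extensions" choices
    "rfc+grease+unknown": {"grease", "unknown"},
    "rfc+grease": {"grease"},
    "rfc+unknown": {"unknown"},
    "rfc-only": set(),
}

def parse_blacklist(spec: str) -> set[int]:
    """Parse 'Blacklisted ranges' entries such as '59, 59-62, 92-1001'."""
    ids: set[int] = set()
    for item in (s.strip() for s in spec.split(",") if s.strip()):
        lo, _, hi = item.partition("-")
        first, last = int(lo), int(hi or lo)
        if not (NAMED_MAX < first <= last <= 0xFFFF):   # page: 57..65535 inclusive
            raise ValueError(f"blacklist entry outside 57-65535: {item!r}")
        ids.update(range(first, last + 1))
    return ids

def classify(ext_id: int) -> str:
    """Sort an extension ID into the page's three categories."""
    if ext_id in GREASE_IDS:
        return "grease"
    return "named" if 0 <= ext_id <= NAMED_MAX else "unknown"

def extension_allowed(ext_id: int, policy: str,
                      named_actions: dict[int, bool], blacklist: set[int]) -> bool:
    kind = classify(ext_id)
    if kind == "named":
        return named_actions.get(ext_id, True)   # action from the Named extensions tab
    if ext_id in blacklist:                      # Blacklisted ranges tab
        return False
    return kind in POLICY_ALLOWS[policy]

def prohibited_extensions(ext_ids: Iterable[int], policy: str,
                          named_actions: dict[int, bool], blacklist: set[int]) -> list[int]:
    """IDs from a ClientHello that the configured options would reject."""
    return [e for e in ext_ids
            if not extension_allowed(e, policy, named_actions, blacklist)]

# Constructed ClientHello extension list: server_name (0), supported_versions (43),
# a GREASE value, an ID inside the blacklisted range, and a plain unknown ID.
SAMPLE_HELLO = [0, 43, 0x1A1A, 59, 5000]
```

With the "RFC TLS 1.3 and unknown values/extensions (except GREASE)" policy and the blacklist `59-62, 92-1001`, `prohibited_extensions(SAMPLE_HELLO, "rfc+unknown", {}, parse_blacklist("59-62, 92-1001"))` rejects the GREASE value and ID 59 while letting ID 5000 through.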

Unencrypted data detection (plaintext traffic)

Detection method
  • Do not detect: unencrypted data will not be scanned.
  • Inspect all traffic: all packets received will be scanned by the SSL protocol in order to detect plaintext traffic.
  • Sampling (7168 bytes): only the first 7168 bytes of the traffic will be analyzed in order to detect plaintext traffic.

Support

Disable IPS When this option is selected, the scan of the SSL protocol will be disabled and traffic will be authorized if the filter policy allows it.
Log every SSL query Enables or disables the logging of SSL requests.