Firewall Settings > SSL Control
780
SonicOS 5.8.1 Administrator Guide
Key Concepts to SSL Control
• SSL - Secure Sockets Layer (SSL) is a network security mechanism introduced by Netscape in 1995. SSL was designed “to provide privacy between two communicating applications (a client and a server) and also to authenticate the server, and optionally the client.” SSL’s most popular application is HTTPS, designated by a URL beginning with https:// rather than simply http://, and it is recognized as the standard method of encrypting Web traffic on the Internet. An SSL HTTP transfer typically uses TCP port 443, whereas a regular HTTP transfer uses TCP port 80. Although HTTPS is what SSL is best known for,
Feature: Untrusted Certificate Authority Control
Benefit: Like the use of self-signed certificates, encountering a certificate issued by an untrusted CA is not an absolute indication of disreputable obscuration, but it does suggest questionable trust. SSL Control can compare the issuer of the certificate in SSL exchanges against the certificates in the SonicWALL’s certificate store. The certificate store contains approximately 100 well-known CA certificates, exactly like today’s Web browsers. If SSL Control encounters a certificate that was issued by a CA not in its certificate store, it can disallow the SSL connection. For organizations running their own private certificate authorities, the private CA certificate can easily be imported into the SonicWALL’s certificate store to recognize the private CA as trusted. The store can hold up to 256 certificates.

Feature: SSL Version, Cipher Strength, and Certificate Validity Control
Benefit: SSL Control provides additional management of SSL sessions based on characteristics of the negotiation, including the ability to disallow the potentially exploitable SSLv2, the ability to disallow weak encryption (ciphers less than 64 bits), and the ability to disallow SSL negotiations where a certificate’s date ranges are invalid. This enables the administrator to create a rigidly secure environment for network users, eliminating exposure to risk through unseen cryptographic weaknesses, or through disregard for or misunderstanding of security warnings.

Feature: Zone-Based Application
Benefit: SSL Control is applied at the zone level, allowing the administrator to enforce SSL policy on the network. When SSL Control is enabled on a zone, Client Hellos sent from clients on that zone through the SonicWALL trigger inspection. The SonicWALL then looks for the Server Hello and Certificate that are sent in response and evaluates them against the configured policy. Enabling SSL Control on the LAN zone, for example, will inspect all SSL traffic initiated by clients on the LAN to any destination zone.

Feature: Configurable Actions and Event Notifications
Benefit: When SSL Control detects a policy violation, it can log the event and block the connection, or it can simply log the event while allowing the connection to proceed.
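The checks in the feature table, worked through as an added Go example that is not from the SonicOS guide or from SonicWALL's own code: it recognises SSLv2 Client Hello framing, parses the Server Hello for the negotiated cipher suite, checks the server certificate's validity dates, compares the certificate's issuer against a small certificate store in the way the guide describes, and returns the violations found together with the configured action (block, or log only). The Policy field names, the cipher-strength table, the certificate names (Example Private CA, www.example.test) and every handshake byte are constructed assumptions for this example; the certificates are generated in-process with Ed25519 keys as test fixtures.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/binary"
	"fmt"
	"math/big"
	"time"
)

// Policy mirrors the SSL Control knobs from the feature table (field names are assumed).
type Policy struct {
	BlockSSLv2, RequireTrustedCA, CheckCertDates, BlockOnViolation bool
	MinCipherBits                                                  int // the guide's weak-cipher threshold is 64 bits
}

// Key strength of a few IANA cipher suite IDs: RC4-40 export, DES, AES-128, AES-256-GCM (constructed table).
var cipherBits = map[uint16]int{0x0003: 40, 0x0009: 56, 0x002F: 128, 0xC030: 256}

// ParseServerHello returns the negotiated version and cipher suite from a TLS record carrying a ServerHello.
func ParseServerHello(rec []byte) (version, suite uint16, err error) {
	// record header(5) type(1) len(3) | version(2) random(32) sid_len(1) sid(n) cipher_suite(2) ...
	if len(rec) < 44 || rec[0] != 0x16 || rec[5] != 0x02 || len(rec) < 46+int(rec[43]) {
		return 0, 0, fmt.Errorf("not a well-formed TLS ServerHello record")
	}
	return binary.BigEndian.Uint16(rec[9:]), binary.BigEndian.Uint16(rec[44+int(rec[43]):]), nil
}

// Evaluate applies the policy to one exchange: the violations found, and whether it is blocked rather than only logged.
func Evaluate(p Policy, clientHello, serverHello, certDER []byte, store []*x509.Certificate, now time.Time) (v []string, block bool) {
	// SSLv2 framing: a 2-byte record header with the high bit set, then message type 1 (CLIENT-HELLO).
	if p.BlockSSLv2 && len(clientHello) >= 5 && clientHello[0]&0x80 != 0 && clientHello[2] == 0x01 {
		v = append(v, "SSLv2 Client Hello")
	}
	if _, suite, err := ParseServerHello(serverHello); err != nil {
		v = append(v, "unparseable ServerHello: "+err.Error())
	} else if bits, known := cipherBits[suite]; known && bits < p.MinCipherBits {
		v = append(v, fmt.Sprintf("weak cipher 0x%04X (%d bits)", suite, bits))
	}
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return append(v, "unparseable certificate"), p.BlockOnViolation
	}
	if p.CheckCertDates && (now.Before(cert.NotBefore) || now.After(cert.NotAfter)) {
		v = append(v, "certificate outside validity dates")
	}
	trusted := false // store comparison: the issuer names a CA in the store and the signature verifies under its key
	for _, ca := range store {
		trusted = trusted || (string(cert.RawIssuer) == string(ca.RawSubject) && cert.CheckSignatureFrom(ca) == nil)
	}
	if p.RequireTrustedCA && !trusted {
		v = append(v, "issuer not in certificate store")
	}
	return v, p.BlockOnViolation && len(v) > 0
}

// newCert is a fixture helper: a nil parent yields a self-signed CA, otherwise a leaf signed by parent.
func newCert(cn string, serial int64, nb, na time.Time, parent *x509.Certificate, parentKey ed25519.PrivateKey) ([]byte, ed25519.PrivateKey) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: nb, NotAfter: na, IsCA: parent == nil, BasicConstraintsValid: true}
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey) // fixture only: errors ignored
	return der, key
}

// serverHello builds a constructed TLS 1.0 ServerHello record that selects one cipher suite.
func serverHello(suite uint16) []byte {
	body := append(append([]byte{0x03, 0x01}, make([]byte, 32)...), 0, byte(suite>>8), byte(suite), 0) // version, random, no session id, suite, null compression
	hs := append([]byte{0x02, 0, 0, byte(len(body))}, body...)                                          // handshake type + 24-bit length
	return append([]byte{0x16, 0x03, 0x01, 0, byte(len(hs))}, hs...)                                    // record header
}

// Demo runs four constructed exchanges through a strict policy and returns the violations per scenario.
func Demo() map[string][]string {
	now, h := time.Now(), time.Hour
	caDER, caKey := newCert("Example Private CA", 1, now.Add(-96*h), now.Add(96*h), nil, nil)
	ca, _ := x509.ParseCertificate(caDER)
	store := []*x509.Certificate{ca} // the imported private CA the guide describes
	leafOK, _ := newCert("www.example.test", 2, now.Add(-h), now.Add(h), ca, caKey)
	leafSelf, _ := newCert("www.example.test", 3, now.Add(-h), now.Add(h), nil, nil)
	leafOld, _ := newCert("www.example.test", 4, now.Add(-48*h), now.Add(-24*h), ca, caKey)
	policy := Policy{BlockSSLv2: true, RequireTrustedCA: true, CheckCertDates: true, BlockOnViolation: true, MinCipherBits: 64}
	tls, v2 := []byte{0x16, 0x03, 0x01, 0, 0}, []byte{0x80, 0x1f, 0x01, 0x00, 0x02} // constructed hello headers
	out := map[string][]string{}
	out["clean"], _ = Evaluate(policy, tls, serverHello(0xC030), leafOK, store, now)
	out["sslv2+des"], _ = Evaluate(policy, v2, serverHello(0x0009), leafOK, store, now)
	out["self-signed"], _ = Evaluate(policy, tls, serverHello(0xC030), leafSelf, store, now)
	out["expired"], _ = Evaluate(policy, tls, serverHello(0xC030), leafOld, store, now)
	return out
}
```

Demo returns the violations for four scenarios: a clean exchange (none), an SSLv2 hello that negotiates the 56-bit DES suite (two violations), a certificate whose issuer is not in the store (one), and a certificate issued by the trusted private CA but outside its validity dates (one); a main that ranges over the map prints them. Two design points worth noting: the store comparison checks the signature as well as the issuer name, because any certificate can claim an issuer name, and CheckSignatureFrom deliberately ignores dates, so the date check remains a separate violation that can be switched on and off independently, matching the guide's separate settings. Setting BlockOnViolation to false turns every verdict into log-only, the second action the table describes.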