Firewall > SSL Control
496
SonicOS Enhanced 4.0 Administrator Guide
Key Concepts to SSL Control
• SSL - Secure Sockets Layer (SSL) is a network security mechanism introduced by Netscape in 1995. SSL was designed “to provide privacy between two communicating applications (a client and a server) and also to authenticate the server, and optionally the client.” SSL’s most popular application is HTTPS, designated by a URL beginning with https:// rather than simply http://, and it is recognized as the standard method of encrypting web traffic on the Internet. An SSL HTTP transfer typically uses TCP port 443, whereas a regular HTTP transfer uses TCP port 80. Although HTTPS is what SSL is best known for,
Feature / Benefit

Feature: SSL version, Cipher Strength, and Certificate Validity Control
Benefit: SSL Control provides additional management of SSL sessions based on characteristics of the negotiation, including the ability to disallow the potentially exploitable SSLv2, the ability to disallow weak encryption (ciphers less than 64 bits), and the ability to disallow SSL negotiations where a certificate’s date ranges are invalid. This enables the administrator to create a rigidly secure environment for network users, eliminating exposure to risk through unseen cryptographic weaknesses, or through disregard for or misunderstanding of security warnings.

Feature: Zone-Based Application
Benefit: SSL Control is applied at the zone level, allowing the administrator to enforce SSL policy on the network. When SSL Control is enabled on a zone, Client Hellos sent from clients on that zone through the SonicWALL trigger inspection. The SonicWALL then looks for the Server Hello and Certificate sent in response and evaluates them against the configured policy. Enabling SSL Control on the LAN zone, for example, inspects all SSL traffic initiated by clients on the LAN to any destination zone.

Feature: Configurable Actions and Event Notifications
Benefit: When SSL Control detects a policy violation, it can log the event and block the connection, or it can simply log the event while allowing the connection to proceed.
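The three checks in the table above (SSLv2, ciphers under 64 bits, invalid certificate dates), the zone-based trigger on the Client Hello, and the log-and-block versus log-only actions, modelled as an added Python example. This is not SonicOS code and does not describe how the appliance implements the feature: the handshake parsing is reduced to the fields needed, the cipher-strength table is a small subset of the IANA cipher suite registry, the certificate validity window is assumed to have already been extracted from the server certificate, and every handshake message, zone name and date is constructed for the example.

```python
"""Added example, not SonicOS code: a minimal model of SSL Control policy checks."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Set, Tuple

# Cipher suite id -> symmetric key length in bits (subset of the IANA registry;
# a real appliance would carry the full table).
CIPHER_BITS: Dict[int, int] = {
    0x0003: 40,   # TLS_RSA_EXPORT_WITH_RC4_40_MD5
    0x0008: 40,   # TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
    0x0009: 56,   # TLS_RSA_WITH_DES_CBC_SHA
    0x000A: 168,  # TLS_RSA_WITH_3DES_EDE_CBC_SHA
    0x0005: 128,  # TLS_RSA_WITH_RC4_128_SHA
    0x002F: 128,  # TLS_RSA_WITH_AES_128_CBC_SHA
    0x0035: 256,  # TLS_RSA_WITH_AES_256_CBC_SHA
}


def client_hello_version(data: bytes) -> Tuple[int, int]:
    """(major, minor) offered in a Client Hello, in SSLv2 or SSLv3/TLS framing."""
    # SSLv2 framing: 2-byte length with the high bit set, msg type 0x01, version.
    if len(data) >= 5 and data[0] & 0x80 and data[2] == 0x01:
        return (data[3], data[4])
    # TLS record (type 0x16) carrying handshake type 0x01; client_version at 9.
    if len(data) >= 11 and data[0] == 0x16 and data[5] == 0x01:
        return (data[9], data[10])
    raise ValueError("not a recognisable Client Hello")


def server_hello_cipher(data: bytes) -> int:
    """Cipher suite selected in an SSLv3/TLS Server Hello."""
    # 5-byte record header, 4-byte handshake header, version(2), random(32),
    # session_id length(1) at offset 43, session_id, then cipher_suite(2).
    if len(data) < 44 or data[0] != 0x16 or data[5] != 0x02:
        raise ValueError("not a recognisable Server Hello")
    off = 44 + data[43]
    if len(data) < off + 2:
        raise ValueError("truncated Server Hello")
    return (data[off] << 8) | data[off + 1]


@dataclass
class Policy:
    enabled_zones: Set[str]            # zones whose Client Hellos trigger inspection
    disallow_sslv2: bool = True
    min_cipher_bits: int = 64          # the guide's "weak encryption" threshold
    disallow_invalid_cert_dates: bool = True
    detect_only: bool = False          # True: log and allow; False: log and block


@dataclass
class Session:
    src_zone: str
    client_hello: bytes
    server_hello: bytes
    cert_not_before: datetime          # validity window read from the server cert
    cert_not_after: datetime


def evaluate(policy: Policy, session: Session, now: datetime) -> Dict[str, object]:
    """Apply the policy to one observed handshake; return action plus log events."""
    if session.src_zone not in policy.enabled_zones:
        return {"action": "allow", "events": []}   # zone not under SSL Control
    events: List[str] = []
    if policy.disallow_sslv2 and client_hello_version(session.client_hello) == (0, 2):
        events.append("SSLv2 Client Hello")
    suite = server_hello_cipher(session.server_hello)
    bits = CIPHER_BITS.get(suite)      # unknown suites are left unflagged, not guessed
    if bits is not None and bits < policy.min_cipher_bits:
        events.append(f"weak cipher 0x{suite:04X} ({bits}-bit)")
    if policy.disallow_invalid_cert_dates and not (
        session.cert_not_before <= now <= session.cert_not_after
    ):
        events.append("certificate date range invalid")
    action = "allow" if not events or policy.detect_only else "block"
    return {"action": action, "events": events}


# --- constructed sample messages and dates (not captured traffic) ---
# TLS 1.0 Client Hello offering TLS_RSA_WITH_AES_128_CBC_SHA
CLIENT_HELLO_TLS10 = (b"\x16\x03\x01\x00\x2d\x01\x00\x00\x29\x03\x01" + b"\x00" * 32
                      + b"\x00\x00\x02\x00\x2f\x01\x00")
# SSLv2 Client Hello (version 0x0002) offering SSL_CK_RC4_128_WITH_MD5
CLIENT_HELLO_SSLV2 = (b"\x80\x1c\x01\x00\x02\x00\x03\x00\x00\x00\x10\x01\x00\x80"
                      + b"\x00" * 16)
# Server Hellos selecting 56-bit DES (0x0009) and 128-bit AES (0x002F)
SERVER_HELLO_DES = (b"\x16\x03\x01\x00\x2a\x02\x00\x00\x26\x03\x01" + b"\x00" * 32
                    + b"\x00\x00\x09\x00")
SERVER_HELLO_AES128 = (b"\x16\x03\x01\x00\x2a\x02\x00\x00\x26\x03\x01" + b"\x00" * 32
                       + b"\x00\x00\x2f\x00")
NOW = datetime(2008, 6, 1, tzinfo=timezone.utc)
VALID = (datetime(2007, 1, 1, tzinfo=timezone.utc), datetime(2009, 1, 1, tzinfo=timezone.utc))
EXPIRED = (datetime(2005, 1, 1, tzinfo=timezone.utc), datetime(2006, 1, 1, tzinfo=timezone.utc))
LAN_POLICY = Policy(enabled_zones={"LAN"})


def demo() -> List[Dict[str, object]]:
    """Three sessions through the LAN policy: violating, clean, and on an uninspected zone."""
    sessions = [
        Session("LAN", CLIENT_HELLO_SSLV2, SERVER_HELLO_DES, *EXPIRED),
        Session("LAN", CLIENT_HELLO_TLS10, SERVER_HELLO_AES128, *VALID),
        Session("DMZ", CLIENT_HELLO_SSLV2, SERVER_HELLO_DES, *EXPIRED),
    ]
    return [evaluate(LAN_POLICY, s, NOW) for s in sessions]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Running the script prints one result per session: the first is blocked with all three events logged, the second is allowed cleanly, and the third is allowed untouched because its source zone is not under SSL Control. Setting detect_only=True on the policy reproduces the guide's log-only mode: the same events are recorded but the action becomes allow, which is the usual way to trial the policy before enforcing it.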