DPI-SSL Enhancements in SonicOS 6.2.5 - Overview
03/26/2020
Description
This KB article gives an overview of the enhancements in Client DPI-SSL in SonicOS 6.2.5 firmware.
1. Inclusion/exclusion using Content Filtering Service (CFS) based categories
2. Common Name Exclusions/Inclusions
3. Built-in Exclusions
4. Connection Failure List
5. Always authenticate server for decrypted connections
6. Always authenticate server before applying exclusion policy
7. Disable IP based exclusion cache in proxy deployments
8. TLS 1.1 and TLS 1.2 support
9. SHA-256 signature in re-signed certificates
Resolution
Inclusion/exclusion using Content Filtering Service (CFS) based categories
Previously, Client DPI-SSL was a global setting which, once enabled, affected all SSL traffic passing through the UTM. To exclude certain traffic from Client DPI-SSL inspection, administrators had to add the domain name of each website to the Common Name Exclusions list. For example, in deployments where, to comply with privacy and legal requirements, Client DPI-SSL must not inspect banking and/or health-related HTTPS traffic, administrators had to know and add each such website's CN under Common Name Exclusions.
In the current implementation, Client DPI-SSL can be configured to exclude or include websites based on their categories. For example, to exclude all banking and financial websites, categories 20 (Online Banking) and 21 (Online Brokerage and Trading) need to be selected for exclusion, while all other categories remain included. Or, to exclude all health-related websites, category 26 (Health) needs to be selected for exclusion. This ensures that all banking and health-related transactions are automatically excluded from content decryption on the SonicWall.
Note: Selecting either category 20 or 21 automatically selects the other, i.e., categories 20 and 21 go hand in hand.
This feature uses the CFS category list to exclude specific categories from DPI-SSL inspection. The CFS categories are listed on the DPI-SSL Client page.
As in Content Filtering Service, the category/rating information for a domain is obtained by querying an external Rating/Category Server. The domain name for which the rating is queried is obtained from the SSL handshake between the SonicWall and the server.
Note: As DPI-SSL category-based exclusion works in conjunction with CFS, the CFS license must be active and enabled.
The CFS categories list on the Client DPI-SSL page can be configured for either Exclusion or Inclusion. If the radio button Exclude the following categories is selected, the websites which fall under the checked Categories are excluded from Client DPI-SSL inspection and those unchecked are implicitly included for Client DPI-SSL inspection.
Likewise, if the radio button Include the following categories is selected, the websites which fall under the checked Categories are included for Client DPI-SSL inspection and those unchecked are implicitly excluded from Client DPI-SSL inspection.
Common Name Exclusions/Inclusions
In addition to category-based inclusion or exclusion, individual websites can be included for or excluded from Client DPI-SSL inspection by adding their Common Names (CN) on the Common Name Exclusions/Inclusions page.
Multiple Common Names can be added in the text box provided in the Add Common Names pop-up. When adding a Common Name, the following actions are available:
- Exclude: When this action is selected, the Common Names added are excluded from Client DPI-SSL inspection. When choosing this action, the administrator has the option to check the box Always authenticate server before applying exclusion policy. Enabling this option can protect an unsuspecting client from phishing or URL-redirect attacks. By default this option is unchecked.
- Skip CFS Category-based Exclusion: Choosing this action overrides CFS category-based exclusion, and the added domain(s) will be inspected by DPI-SSL even though the associated category is configured for exclusion. This action is provided in order to create exception rules to category-based exclusion. For example, the user could select the category "Health" (category # 26) to be excluded from inspection, but create an exception to this by configuring www.healthcare.gov in the "Inclusions" list. This results in all Health-category websites being excluded except www.healthcare.gov.
- Skip authenticating the server: This action is provided for cases where the connection to a server fails because the site's root CA is not present in the SonicWall's certificate store (System > Certificates page). Choose this action only if the server is trusted.
Built-in Exclusions
Under the Common Name tab of the Client DPI-SSL page, a list of 38 sites is provided which are excluded from Client DPI-SSL inspection by default. These sites are excluded either because they do not work with man-in-the-middle DPI-SSL interception or because the server is a trusted site that does not require content inspection. Administrators have the option to remove sites from the default exclusion list.
Connection Failure List
The connection failure list can be viewed by clicking the Show Connection Failures button under the Common Name tab on the DPI-SSL Client SSL page. The pop-up window shows the list of connection failures. Each entry shows the client IP address, the server IP address, the Common Name and an error message with the failure reason. The following options are available in this window:
- Exclude: This is akin to the Exclude action available when adding sites for custom exclusion. Select one or more entries and click the Exclude button. The Common Names are added as custom excluded Common Names, and the entries show up in the main Common Name table. Optionally, an entry's Common Name can be edited by clicking the Edit icon before adding it to the exclusion list.
- Clear: Select one or more entries in the list and click the Clear button to remove them from the list.
- Clear All: Clicking this button clears the entire list.
Always authenticate server for decrypted connections
This option is available under the General tab of the Client SSL page. It ensures that the server is authenticated before the connection is allowed to complete. This can detect phishing attacks or exploit kits making HTTPS connections from client machines to untrusted/unsecured sites for malware downloads or data extraction.
Enabling this option will:
1) block connections to sites with untrusted certificates (i.e., sites whose root CA is not present in the SonicWall certificate store)
2) block connections to sites if the domain name in the Client Hello cannot be validated against the server certificate.
Always authenticate server before applying exclusion policy
This option is available under the General tab of the Client SSL page. It ensures that the server is authenticated even if the site is excluded from DPI-SSL Client inspection. This could prevent exploitation by an active attacker, via phishing URLs, etc., or by a passive attacker via exploit kits or JavaScript that may run on client machines.
Enabling this option will:
1) block connections to sites with untrusted certificates (i.e., sites whose root CA is not present in the SonicWall certificate store)
2) block connections to sites if the domain name in the Client Hello cannot be validated against the server certificate.
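As an added illustration of the two checks that both options perform (this is not SonicOS code or code from the article), the following Go program models them with the standard library: a constructed, in-memory root CA and server certificate stand in for the SonicWall certificate store and the intercepted server, and x509.Verify is asked to do exactly the two things listed above. The names www.bank.example and login.bank.example, the proxy-less single-cert chain, and the function names AuthenticateServer, TrustStore and BuildTestPKI are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// AuthenticateServer applies the two checks both options describe: (1) the server certificate must
// chain to a root in the trust store (the SonicWall certificate store in the article) and (2) the
// domain name from the Client Hello (SNI) must match it. nil means allow; any error means block.
func AuthenticateServer(leaf *x509.Certificate, roots *x509.CertPool, sni string) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		DNSName: sni,   // check 2: SNI against the certificate's SANs
		Roots:   roots, // check 1: chain must end in a root from this store
	})
	return err
}

// IsUntrustedRoot reports whether the failure was "root CA not in the store".
func IsUntrustedRoot(err error) bool { return errors.As(err, new(x509.UnknownAuthorityError)) }

// IsHostnameMismatch reports whether the failure was "SNI does not match the certificate".
func IsHostnameMismatch(err error) bool { return errors.As(err, new(x509.HostnameError)) }

// TrustStore builds a certificate store holding the given roots (empty when none are given).
func TrustStore(roots ...*x509.Certificate) *x509.CertPool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	return pool
}

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// sign issues a certificate from tmpl under parent, signed with the parent's private key.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildTestPKI creates, in memory, a constructed root CA and a certificate for the made-up name www.bank.example.
func BuildTestPKI() (leaf, root *x509.Certificate, err error) {
	rootKey, leafKey := mustKey(), mustKey()
	now := time.Now()
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Test Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	if root, err = sign(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey); err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "www.bank.example"},
		DNSNames:     []string{"www.bank.example"}, // the SAN the SNI check compares against
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, err = sign(leafTmpl, root, &leafKey.PublicKey, rootKey)
	return leaf, root, err
}

func main() {
	leaf, root, err := BuildTestPKI()
	if err != nil {
		panic(err)
	}
	for _, sni := range []string{"www.bank.example", "login.bank.example"} {
		err := AuthenticateServer(leaf, TrustStore(root), sni)
		fmt.Printf("sni=%-20s blocked=%-5v hostnameMismatch=%v\n", sni, err != nil, IsHostnameMismatch(err))
	}
	err = AuthenticateServer(leaf, TrustStore(), "www.bank.example")
	fmt.Printf("empty trust store:       blocked=%-5v untrustedRoot=%v\n", err != nil, IsUntrustedRoot(err))
}
```

Run it with go run. The empty trust store is the "root CA not present in the SonicWall certificate store" condition; the second SNI is a Client Hello naming a host the certificate does not cover. Go checks the hostname before it builds the chain, so the two failure types are classified separately rather than assuming an order.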
Disable IP based exclusion cache in proxy deployments
In a proxy deployment, the Firewall sits between the client and the proxy server, so every server IP the Firewall sees is the proxy server's IP. In these deployments, the IP-based exclusion cache must be disabled by selecting the global setting on the DPI-SSL Client page: Deployments wherein the Firewall sees a single server IP for different server domains, ex: Proxy setup
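To show how the CFS category list, the Common Name actions and the IP-based exclusion cache combine, here is an added Go model of the decision logic. It is not SonicOS code: the precedence (an explicit CN exclusion first, then a Skip CFS Category-based Exclusion entry, then the category list), the shape of the cache, and the names Policy, ShouldInspect, Lookup, sso.example, www.bank.example, news.example, category number 99 and proxy IP 10.0.0.5 are assumptions or constructed sample values. Running it with the cache enabled reproduces the proxy problem the setting addresses: the first decision made for the proxy's IP (the bank site, excluded) is reused for a later, unrelated domain behind the same IP.

```go
package main

import (
	"fmt"
	"strings"
)

// CategoryMode is the radio button above the CFS category list: exclude or include the checked ones.
type CategoryMode int
const ExcludeChecked, IncludeChecked CategoryMode = 0, 1

// CNAction is the action chosen when a Common Name is added ("Skip authenticating the server" is
// left out because it does not change the inspect/exclude decision).
type CNAction int
const Exclude, SkipCFSCategoryExclusion CNAction = 0, 1

// Policy is an assumed, simplified model of the settings the article describes.
type Policy struct {
	Mode              CategoryMode
	CheckedCategories map[int]bool        // categories ticked in the list
	CommonNames       map[string]CNAction // lower-case CN -> action
	DisableIPCache    bool                // the "single server IP for different server domains" setting
	ipCache           map[string]bool     // assumed shape of the IP-based exclusion cache
}

// NormalizeCategories applies (in place) the note that categories 20 and 21 go hand in hand.
func NormalizeCategories(cats map[int]bool) map[int]bool {
	if cats[20] || cats[21] {
		cats[20], cats[21] = true, true
	}
	return cats
}

// categoryExcluded evaluates the checked list under the selected mode.
func (p *Policy) categoryExcluded(category int) bool {
	checked := p.CheckedCategories[category]
	if p.Mode == ExcludeChecked {
		return checked // checked = excluded, unchecked = implicitly included
	}
	return !checked // checked = included, unchecked = implicitly excluded
}

// ShouldInspect decides whether a connection is decrypted, given the CN from the handshake and the
// category the rating server returned. Assumed precedence: CN exclusion, then CN inclusion, then category.
func (p *Policy) ShouldInspect(cn string, category int) bool {
	if action, ok := p.CommonNames[strings.ToLower(cn)]; ok {
		switch action {
		case Exclude:
			return false
		case SkipCFSCategoryExclusion:
			return true
		}
	}
	return !p.categoryExcluded(category)
}

// Lookup models the per-server-IP decision cache: once a decision is cached for an IP it is reused
// for every later connection to that IP, whatever CN the new handshake carries.
func (p *Policy) Lookup(serverIP, cn string, category int) bool {
	if p.DisableIPCache {
		return p.ShouldInspect(cn, category)
	}
	if p.ipCache == nil {
		p.ipCache = map[string]bool{}
	}
	if d, ok := p.ipCache[serverIP]; ok {
		return d
	}
	d := p.ShouldInspect(cn, category)
	p.ipCache[serverIP] = d
	return d
}

// ExamplePolicy excludes Online Banking (20, which pulls in 21) and Health (26), keeps inspecting
// www.healthcare.gov as in the article, and excludes the made-up CN sso.example.
func ExamplePolicy(disableIPCache bool) *Policy {
	return &Policy{
		Mode:              ExcludeChecked,
		CheckedCategories: NormalizeCategories(map[int]bool{20: true, 26: true}),
		CommonNames:       map[string]CNAction{"www.healthcare.gov": SkipCFSCategoryExclusion, "sso.example": Exclude},
		DisableIPCache:    disableIPCache,
	}
}

func main() {
	for _, disable := range []bool{false, true} {
		p := ExamplePolicy(disable)
		// Both sites reach the firewall with the proxy's IP (constructed 10.0.0.5); 99 stands in
		// for any category number that is not in the checked list.
		bank := p.Lookup("10.0.0.5", "www.bank.example", 20)
		news := p.Lookup("10.0.0.5", "news.example", 99)
		fmt.Printf("IP cache disabled=%-5v bank inspected=%v news inspected=%v\n", disable, bank, news)
	}
}
```

With the cache enabled the news site is wrongly skipped because the bank's exclusion was cached against the shared proxy IP; with the setting on, each handshake is decided from its own CN and category. The same ShouldInspect function also shows the category/CN rules from earlier in the article: www.healthcare.gov stays inspected although Health is excluded, and selecting 20 excludes brokerage sites (21) as well.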
TLS 1.1 and TLS 1.2 support
For SSL inspection, DPI-SSL can now negotiate SSL connections using the TLS 1.1 and TLS 1.2 protocols, in addition to TLS 1.0 and SSL 3.0. The DPI-SSL section of the diag page has the following options for selecting the protocol versions:
- ALL = DPI-SSL will negotiate SSL connections using TLS 1.2, TLS 1.1, TLS 1.0, SSL 3.0
- TLSv1.0 = DPI-SSL will only negotiate SSL connections using TLS 1.0. Connections to servers that do not support TLS 1.0 will fail.
- SSLv3.0 = DPI-SSL will only negotiate SSL connections using SSL 3.0. Connections to servers that do not support SSL 3.0 will fail.
SHA-256 signature in re-signed certificates
Now that certificates signed with the vulnerable SHA-1 signature algorithm are being gradually deprecated by most browsers, DPI-SSL uses a SHA-256 signature in the re-signed certificates of the websites it intercepts.