Configuring SSL Control

Before configuring SSL Control, ensure your firewall supports IPv6. You can confirm this by using the IPv6 Advanced Configurations option under Network > Firewall > Advancedpage.

SSL Control is located under Network > Firewall > SSL Control. SSL Control has a global setting, as well as a per-zone setting. By default, SSL Control is not enabled at the global or zone level. The individual page controls are as follows (refer Key Concepts to SSL Control for more information on terms used in this section).

General Settings

The General Settings section allows you to enable or disable SSL control:

• Enable SSL Control – The global setting for SSL Control. This must be enabled for SSL Control applied to zones to be effective. This option is not selected by default.

Action

The Action section is where you choose the action to be taken when an SSL policy violation is detected; either:

• Log the event – If an SSL policy violation, as defined within the Configuration section below, is detected, the event is logged, but the SSL connection is allowed to continue. This option is not selected by default.
• Block the connection and log the event – In the event of a policy violation, the connection is blocked and the event is logged. This option is selected by default.

Configuration

The Configuration section is where you specify the SSL policies to be enforced:

• Enable Blacklist – Controls detection of the entries in the blacklist, as configured in Custom Lists. This option is selected by default.
• Enable Whitelist – Controls detection of the entries in the whitelist, as configured in the Configure Lists section below. Whitelisted entries take precedence over all other SSL control settings. This option is selected by default.
• Detect Weak Ciphers – Controls the detection of SSL sessions negotiated with symmetric ciphers less than 64 bits, commonly indicating export cipher usage. This option is not selected by default.
• Detect Expired Certificates – Controls detection of certificates whose start date is before the current system time, or whose end date is beyond the current system time. Date validation depends on the firewall’s System Time. Make sure your System Time is set correctly, preferably synchronized with NTP, on the Device > Settings > Time page. This option is not selected by default.

• Detect Weak Digest Certificates – Controls detection of certificates created using MD5 or SHA1. Both MD5 or SHA1 are not considered safe. This option is not selected by default.

  It is common practice for legitimate sites secured by SSL to use certificates issued by well-known certificate authorities, as this is the foundation of trust within SSL. It is almost equally common for network appliances secured by SSL (such as SonicWall security appliances) to use self-signed certificates for their default method of security. So while self-signed certificates in closed-environments are not suspicious, the use of self-signed certificates by publicly or commercially available sites is. A public site using a self-signed certificate is often an indication that SSL is being used strictly for encryption rather than for trust and identification. While not absolutely incriminating, this sometimes suggests that concealment is the goal, as is commonly the case for SSL encrypted proxy sites. The ability to set a policy to block self-signed certificates allows you to protect against this potential exposure. To prevent discontinuity of communications to known/trusted SSL sites using self-signed certificates, use the whitelist feature for explicit allowance.

• Detect Self- signed Certificates – Controls the detection of certificates where the issuer’s certificate is not in the firewall’s Device > Settings > Certificates trusted store. This option is selected by default.

• Detect Certificates signed by an Untrusted CA – Controls the detection of certificates where the issuer’s certificate is not in the firewall’s Device > Settings > Certificates trusted store. This option is selected by default.

  Similar to the use of self-signed certificates, encountering a certificate issued by an untrusted CA is not an absolute indication of disreputable obscuration, but it does suggest questionable trust. SSL Control can compare the issuer of the certificate in SSL exchanges against the certificates stored in the SonicWall firewall where most of the well-known CA certificates are included. For organizations running their own private certificate authorities, the private CA certificate can easily be imported into the SonicWall's whitelist to recognize the private CA as trusted.

• Detect SSLv2 – Controls detection and blocking of SSLv2 exchanges. SSLv2 is known to be susceptible to cipher downgrade attacks because it does not perform integrity checking on the handshake. Best practices recommend using SSLv3 or TLS in its place. This option is selected by default. It is also dimmed and cannot be changed.
• Detect SSLv3 – Controls detection and blocking of SSLv3 exchanges. This option is not selected by default.
• Detect TLSv1 – Controls the detection and blocking of TLSv1 exchanges. This option is not selected by default.