SonicWALL SonicWALL UTM Appliance manual Blocking Https SSL Domains with SSL Control

Page 30

Blocking HTTPS (SSL) Domains with SSL Control

With Secure Socket Layer (SSL) Control it is possible to whitelist and blacklist HTTPS domains, as well as other SSL services, based on keywords in their certificate. SSL control cannot be enforced at the group/user level, only at the ZONE level. For example, if you enabled SSL control on the LAN zone, all users in the LAN would have the same enforcement policies. However, SSL Control provides an excellent means to allow legit SSL traffic while denying access to proxy sites that attempt to circumnavigate content filters or other disallowed services.

SonicOS Enhanced firmware versions 4.0 and higher include SSL Control, a system for providing visibility into the handshake of SSL sessions, and a method for constructing policies to control the establishment of SSL connections. SSL is the dominant standard for the encryption of TCP-based network communications, with its most common and well-known application being HTTPS (HTTP over SSL). SSL provides digital certificate- based endpoint identification, and cryptographic and digest-based confidentiality to network communications. Below is a diagram that outlines the process of an SSL session.

An effect of the security provided by SSL is the obscuration of all payload, including the Uniform Resource Locator (URL), for example, https://www.mysonicwall.com, being requested by a client when establishing an HTTPS session. This is due to the fact that HTTP is transported within the encrypted SSL tunnel when using HTTPS. It is not until the SSL session is established (Step 14) that the actual target resource (www.mysonicwall.com) is requested by the client. But since the SSL session is already established, no inspection of the session data by the firewall or any other intermediate device is possible. As a result, URL based content filtering systems cannot consider the request to determine permissibility in any way other than by IP address. While IP address-based filtering does not work well for unencrypted HTTP because of the efficiency and popularity of Host-header based virtual hosting, IP filtering can work effectively for HTTPS due to the rarity of Host-header based HTTPS sites. But this trust relies on the integrity of the HTTPS server operator, and assumes that SSL is not being used for deceptive purposes. For the most part, SSL is employed legitimately, being used to secure sensitive communications, such as online shopping, banking, or any session where there is an exchange of personal or valuable information. The

30

Page 29 Page 31
Image 30
Page 29 Page 31
Contents Contents Page Configuring the CA on the Active Directory Server Integrating LDAP/Active Directory with Sonicwall UTMConfiguring the SonicWALL Appliance for Ldap Importing the CA Certificate onto the SonicWALLPage Page Page Page Page Page Page Enable Radius to Ldap Relay Enables this feature Authentication Page Page Page SonicOS Options That Leverage Groups/Users Creating Firewall Rules with Ldap Groups/UsersPage Page Firewall Rules with Bandwidth Management & Logging Page Blocking Websites Domain Names for Groups/Users Blocking Domains with Firewall RulesPage Page Navigate to Firewall Access Rules Create a rule to allow Http traffic for your allowed lists Do the same for Https Create the deny rules for Http and Https Firewall rules should now look like the below picture Blocking Https SSL Domains with SSL Control Configuring a SSL Blacklist and Whitelist Page Applying Different CFS Policies to Groups Page Creating Custom CFS Policies Navigate to the Policy tab and add a new CFS policy Page Page Page Variables for Custom Block Page in SonicOS Http//$$fwinterface$$/$#SWLSTYLESCSS#$Basic Sample Code for SonicOS Advanced Sample Code for SonicOSPage Page Sample JavaScript Code for SonicOS Sample Code for SonicOS 5.1 or EarlierApplying Application Firewall Polices to Groups/Users Page Page Page Page Tightening Control over the Browsing Behavior of Users Blocking IM Traffic Categorically Applying Granular IM Policies Applying VPN Access Policies to Groups/Users Global VPN Client GVCPage SSL-VPN NetExtender Guest Services Wireless Guest Services
Top Page Image Contents