SonicWALL SonicWALL UTM Appliance Welding System User Manual


 
31
ever decreasing cost and complexity of SSL, however, has also spurred the growth of more dubious
applications of SSL, designed primarily for the purposes of obfuscation or concealment rather than security.
An increasingly common camouflage is the use of SSL encrypted Web-based proxy servers for the purpose
of hiding browsing details, and bypassing content filters. While it is simple to block well-known HTTPS proxy
services of this sort by their IP address, it is virtually impossible to block the thousands of privately-hosted
proxy servers that are readily available through a simple Web-search. The challenge is not the ever-
increasing number of such services, but rather their unpredictable nature. Since these services are often
hosted on home networks using dynamically addressed DSL and cable modem connections, the targets are
constantly moving. Trying to block an unknown SSL target would require blocking all SSL traffic, which is
practically infeasible. SSL Control provides a number of methods to address this challenge by arming the
security administrator with the ability to dissect and apply policy based controls to SSL session establishment.
While the implementation (as of this writing, SonicOS 5.2) does not decode the SSL application data, it does
allow for gateway-based identification and disallowance of suspicious or undesirable SSL traffic.
Configuring a SSL Blacklist and Whitelist
An SSL blacklist and whitelist allows the administrator to define strings for matching common names in SSL
certificates. Entries are case-insensitive, and will be used in pattern-matching fashion, for example:
A. 67.115.118.67 is currently the IP address to which sslvpn.demo.sonicwall.com resolves, and that site
uses a certificate issued to sslvpn.demo.sonicwall.com. This will result in a match to “sonicwall.com”
since matching occurs based on the common name in the certificate.
B. This is the decimal notation for the IP address 63.208.219.44, whose certificate is issued to
www.megaproxy.com
.
C. www.freeproxy.ru will not match “prox” since the common name on the certificate that is currently
presented by this site is a self-signed certificate issued to “-“. This can, however, easily be blocked by
enabling control of self-signed or Untrusted CA certificates.