Figure 6.7. TLS Termination
Advantages of Using NetDefendOS for TLS Termination
TLS can be implemented directly in the server to which clients connect, however, if the servers are
protected behind a NetDefend Firewall, then NetDefendOS can take on the role of the TLS
endpoint. NetDefendOS then performs TLS authentication, encryption and unencryption of data
to/from clients and the transfer of unencrypted data to/from servers. The advantages of this approach
are:
•
TLS support can be centralized in the NetDefend Firewall instead of being set up on individual
servers.
•
Certificates can be managed centrally in the NetDefend Firewall instead of on individual servers.
Unique certificates (or one wildcard certificate) does not need to be present on each server.
•
The encryption/decryption processing overhead required by TLS can be offloaded to the
NetDefend Firewall. This is sometimes referred to as SSL acceleration. Any processing
advantages that can be achieved can, however, vary and will depend on the comparative
processing capabilities of the servers and the NetDefend Firewall.
•
Decrypted TLS traffic can be subject to other NetDefendOS features such as traffic shaping or
looking for server threats with IDP scanning.
•
TLS can be combined with NetDefendOS server load balancing to provide a means to spread
traffic across servers.
Enabling TLS
The steps to take to enable TLS in NetDefendOS are as follows:
1.
Upload the host and root certificates to be used with TLS to NetDefendOS if not done already.
2.
Define a new TLS ALG object and associate the appropriate host and root certificates with the
ALG. If the certificate is self-signed then the root and host certificate should both be set to the
same certificate.
3.
Create a new custom Service object based on the TCP protocol.
6.2.10. The TLS ALG
Chapter 6. Security Mechanisms
323
Содержание NetDefend DFL-1660
Страница 28: ...1 3 NetDefendOS State Engine Packet Flow Chapter 1 NetDefendOS Overview 28 ...
Страница 88: ...2 6 3 Restore to Factory Defaults Chapter 2 Management and Maintenance 88 ...
Страница 166: ...3 10 DNS Chapter 3 Fundamentals 166 ...
Страница 254: ...4 7 5 Advanced Settings for Transparent Mode Chapter 4 Routing 254 ...
Страница 268: ...5 4 IP Pools Chapter 5 DHCP Services 268 ...
Страница 368: ...6 7 Blacklisting Hosts and Networks Chapter 6 Security Mechanisms 368 ...
Страница 390: ...7 4 7 SAT and FwdFast Rules Chapter 7 Address Translation 390 ...
Страница 414: ...8 3 Customizing Authentication HTML Pages Chapter 8 User Authentication 414 ...
Страница 490: ...9 8 6 Specific Symptoms Chapter 9 VPN 490 ...
Страница 528: ...10 4 6 Setting Up SLB_SAT Rules Chapter 10 Traffic Management 528 ...
Страница 544: ...11 7 HA Advanced Settings Chapter 11 High Availability 544 ...
Страница 551: ...12 3 5 Limitations Chapter 12 ZoneDefense 551 ...
Страница 574: ...Default 512 13 9 Miscellaneous Settings Chapter 13 Advanced Settings 574 ...
Страница 575: ...13 9 Miscellaneous Settings Chapter 13 Advanced Settings 575 ...