ZyXEL Communications USG FLEX H Series User Manual page 322


Chapter 22 SSL Inspection

The following table describes the fields in this screen.

Table 161 Security Service > SSL Inspection > Profile

LABEL: General Settings

LABEL: Server Signed Certificate Key Mode
DESCRIPTION: With SSL inspection, the Zyxel Device acts as a 'man-in-the-middle' between a client and a remote server when the two are communicating over an SSL-encrypted session. Every time the client and server send data to each other, the Zyxel Device decrypts the sender's encrypted data, scans the plain data for threats, re-encrypts the data, and then sends the encrypted data to the receiver.

For outgoing sessions from the client to the remote server, the Zyxel Device creates a virtual server to decrypt data and a virtual client to re-encrypt data.

For incoming sessions from the remote server to the client, the Zyxel Device creates a virtual client to decrypt data and a virtual server to re-encrypt data.

To perform SSL Inspection for clients using SSL (HTTPS, SSH, SMTP) through the Zyxel Device, the Zyxel Device must check that the server's certificate and its public key are valid and were issued by a Certificate Authority (CA) that is in the Zyxel Device's list of trusted CAs. According to the selected key mode (RSA 1024, RSA 2048, ECDSA-RSA-1024 or ECDSA-RSA-2048), the Zyxel Device constructs the corresponding self-signed certificate for the virtual server.

RSA is a public-key cryptosystem used for data encryption or for signing messages. For data encryption, the encryption key is public and the decryption key is private. For signing messages, the signing key is private and the verification key is public. Elliptic Curve Cryptography (ECC) is a public-key cryptosystem based on elliptic curve theory and is more efficient than RSA: ECC provides equivalent security with smaller keys than RSA. For example, a 224-bit elliptic curve public key should provide comparable security to a 2048-bit RSA public key.

ECDSA-RSA-1024 indicates that the Zyxel Device supports clients that support both ECDSA-256 and RSA-1024, with ECDSA-256 having the higher priority: if a client supports both ECDSA-256 and RSA-1024, the virtual server uses ECDSA-256.

ECDSA-RSA-2048 indicates that the Zyxel Device supports clients that support both ECDSA-256 and RSA-2048, with ECDSA-256 having the higher priority: if a client supports both ECDSA-256 and RSA-2048, the virtual server uses ECDSA-256.

Select a mode that the client's browser, FTP client, or mail client supports. The Zyxel Device uses a different key (cryptosystem) for each client according to that client's support list.

For example, suppose there are three clients behind a Zyxel Device with the following key mode support:

Client 1 - RSA-1024
Client 2 - RSA-2048 and RSA-1024
Client 3 - ECDSA-256 and RSA-2048

If you set the key mode to ECDSA-RSA-1024, each client uses the following:

Client 1 - RSA-1024
Client 2 - RSA-1024
Client 3 - ECDSA-256

If you set the key mode to ECDSA-RSA-2048, each client uses the following:

Client 1 - sessions are not processed (passed) by SSL inspection
Client 2 - RSA-2048
Client 3 - ECDSA-256

LABEL: Statistics
DESCRIPTION: Enable this to have the Zyxel Device collect SSL inspection statistics.

LABEL: Profile Management

LABEL: Add
DESCRIPTION: Click Add to create a new profile.
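The key-selection rule in the table, as an added example rather than Zyxel's own code: each configured key mode is a priority list (ECDSA-256 before RSA), the first key the client also supports is used, and a client with no common key is passed through uninspected. It replays the manual's three-client example and also reports which clients a given mode would leave uninspected; applying the same rule to the pure RSA modes is an assumption made here, not stated on the page.

```python
"""Model of how the Zyxel Device picks the virtual server's key per client."""
from typing import Dict, Set, Tuple

# Key modes selectable in Security Service > SSL Inspection > Profile,
# each mapped to its candidate keys in priority order (highest first).
KEY_MODES: Dict[str, Tuple[str, ...]] = {
    "RSA 1024": ("RSA-1024",),              # assumption: same rule as below
    "RSA 2048": ("RSA-2048",),              # assumption: same rule as below
    "ECDSA-RSA-1024": ("ECDSA-256", "RSA-1024"),
    "ECDSA-RSA-2048": ("ECDSA-256", "RSA-2048"),
}

# Marker for a session that SSL inspection does not process.
PASS = "pass (not inspected)"


def select_key(key_mode: str, client_supports: Set[str]) -> str:
    """Return the key the virtual server presents to one client.

    The first candidate of the configured mode that the client supports
    wins; with no common candidate the session is passed uninspected.
    """
    if key_mode not in KEY_MODES:
        raise ValueError(f"unknown key mode: {key_mode}")
    for candidate in KEY_MODES[key_mode]:
        if candidate in client_supports:
            return candidate
    return PASS


def plan_for_clients(key_mode: str, clients: Dict[str, Set[str]]) -> Dict[str, str]:
    """Key chosen for every client under one configured key mode."""
    return {name: select_key(key_mode, supported) for name, supported in clients.items()}


def uninspected_clients(key_mode: str, clients: Dict[str, Set[str]]) -> list:
    """Clients whose sessions would bypass inspection under this mode."""
    plan = plan_for_clients(key_mode, clients)
    return sorted(name for name, key in plan.items() if key == PASS)


# Constructed sample matching the manual's three-client example.
CLIENTS: Dict[str, Set[str]] = {
    "Client 1": {"RSA-1024"},
    "Client 2": {"RSA-2048", "RSA-1024"},
    "Client 3": {"ECDSA-256", "RSA-2048"},
}

if __name__ == "__main__":
    for mode in ("ECDSA-RSA-1024", "ECDSA-RSA-2048"):
        print(mode, plan_for_clients(mode, CLIENTS), "uninspected:", uninspected_clients(mode, CLIENTS))
```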
USG FLEX H Series User's Guide
322
