D-Link NetDefend DFL-210 User Manual page 240

6.2.9. The TLS ALG
Advantages of Using NetDefendOS for TLS Termination
TLS can be implemented directly in the server to which clients connect, however, if the servers are
protected behind a D-Link Firewall, then NetDefendOS can take on the role of the TLS endpoint.
NetDefendOS then performs TLS authentication, encryption and unencryption of data to/from
clients and the transfer of unencrypted data to/from servers. The advantages of this approach are:
• TLS support can be centralized in the D-Link Firewall instead of being set up on individual
servers.
• Certificates can be managed centrally in the D-Link Firewall instead of on individual servers.
Unique certificates (or one wildcard certificate) does not needed to be present on each server.
• The encryption/decryption processing overhead required by TLS can be offloaded to the D-Link
Firewall. This is be sometimes referred to as SSL acceleration. Any processing advantages that
can be achieved can, however, vary and will depend on the comparative processing capabilities
of the servers and the D-Link Firewall.
• Decrypted TLS traffic can be subject to other NetDefendOS features such as traffic shaping or
looking for server threats with IDP scanning.
• TLS can be combined with NetDefendOS server load balancing to provide a means to spread
traffic across servers.
Enabling TLS
The steps to take to enable TLS in NetDefendOS are as follows:
1. Upload the host and root certificates to be used with TLS to NetDefendOS if not done already.
2. Define a new TLS ALG object and associate the appropriate host and root certificates with the
ALG. If the certificate is self-signed then the root and host certificate should both be set to the
same certificate.
3. Create a new custom Service object based on the TCP protocol.
4. Associate the TLS ALG object with the newly created service object.
5. Create a NAT or Allow IP rule for the targeted traffic and associate the custom service object
with it.
240
Chapter 6. Security Mechanisms