6.2.9. The TLS ALG
6.
Optionally, a SAT rule can be created to change the destination port for the unencrypted traffic.
Alternatively an SLB_SAT rule can be used to do load balancing (the destination port can also
be changed through a custom service object).
URLs Delivered by Servers
It should be noted that using NetDefendOS for TLS termination will not change URLs in webpages
delivered by servers which lie behind the D-Link Firewall.
What this means is that if a client connects to a webserver behind the D-Link Firewall using the
https:// protocol then any web pages delivered back containing absolute URLs with the http://
protocol (perhaps to refer to other pages on the same site) will not have these URLs converted to
https:// by NetDefendOS. The solution to this issue is for the servers to use relative URLs instead of
absolute ones.
Cipher Suites Supported by NetDefendOS TLS
NetDefendOS TLS supports the following cipher suites:
1.
TLS_RSA_WITH_3DES_EDE_CBC_SHA.
2.
TLS_RSA_WITH_RC4_128_SHA.
3.
TLS_RSA_WITH_RC4_128_MD5.
4.
TLS_RSA_EXPORT_WITH_RC4_56_SHA (certificate key size up to 1024 bits).
5.
TLS_RSA_EXPORT_WITH_RC4_40_MD5 (certificate key size up to 1024 bits).
6.
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (certificate key size up to 1024 bits).
7.
TLS_RSA_WITH_NULL_MD5.
8.
TLS_RSA_WITH_NULL_SHA.
NetDefendOS TLS Limitations
As discussed above, NetDefendOS TLS provides support for server side termination only. The other
limitations that should be noted.
•
Client authentication is not supported (where D-Link Firewall authenticates the identity of the
client).
•
Renegotation is not supported.
•
Sending server key exchange messages is not supported which means the key in the certificate
must be sufficiently weak in order to use export ciphers.
•
The certificate chain used by NetDefendOS can contain at most 2 certificates.
241
Chapter 6. Security Mechanisms