The Tls Alg; Tls Termination - D-Link NetDefend DFL-210 User Manual

6.2.9. The TLS ALG

• Comment: Allow the Gateway to communicate with the Gatekeeper connected to the Head Office
3. Click OK
6.2.9. The TLS ALG
Overview
Transport Layer Security (TLS) is a protocol that provides secure communications over the public
Internet between two end points through the use of cryptography as well as providing endpoint
authentication.
Typically in a TLS client/server scenario, only the identity of the server is authenticated before
encrypted communication begins. TLS is very often encountered when a web browser connects with
a server that uses TLS such as when a customer accesses online banking facilities. This is
sometimes referred to as an HTTPS connection and is often indicated by a padlock icon appearing in
the browser's navigation bar.
TLS can provide a convenient and simple solution for secure access by clients to servers and avoids
many of the complexities of other types of VPN solutions such as using IPsec. Most web browsers
support TLS and users can therefore easily have secure server access without requiring additional
software.
The Relationship with SSL
TLS is a successor to the Secure Sockets Layer (SSL) but the differences are slight. Therefore, for
most purposes, TLS and SSL can be regarded as equivalent. In the context of the TLS ALG, we can
say that the D-Link Firewall is providing SSL termination since it is acting as an SSL end-point.
Regarding the SSL and TLS standards supported, NetDefendOS provides termination support for
SSL 3.0 as well as TLS 1.0, with RFC 2246 defining the TLS 1.0 support (with NetDefendOS
supporting the server side part of RFC 2246).
TLS is Certificate Based
TLS security is based on the use of digital certificates which are present on the server side and sent
to a client at the beginning of a TLS session in order to establish the server's identity and then be the
basis for encryption. Certificates which are Certificate Authority (CA) signed can be used on the
server in which case a client's web browser will automatically recognize the validity of the
certificate.
Self-signed certificates can be used instead of CA signed certificates on the server. With self-signed
certificates, the client's web browser will alert the user that the certificate's authenticity is not
recognized and the user will have to explicitly tell the browser to accept the certificate and continue.
Figure 6.5. TLS Termination
Note
There is no need to specify a specific rule for outgoing calls. NetDefendOS monitors
the communication between "external" phones and the Gatekeeper to make sure that it
is possible for internal phones to call the external phones that are registered with the
gatekeeper.
239
Chapter 6. Security Mechanisms