D-Link DFL-800 Product Manual - Page 290
TLS Termination, Advantages of Using NetDefendOS for TLS Termination, Enabling TLS
UPC - 790069282133
View all D-Link DFL-800 manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 290 highlights
6.2.10. The TLS ALG Chapter 6. Security Mechanisms Figure 6.7. TLS Termination Advantages of Using NetDefendOS for TLS Termination TLS can be implemented directly in the server to which clients connect, however, if the servers are protected behind a NetDefend Firewall, then NetDefendOS can take on the role of the TLS endpoint. NetDefendOS then performs TLS authentication, encryption and unencryption of data to/from clients and the transfer of unencrypted data to/from servers. The advantages of this approach are: • TLS support can be centralized in the NetDefend Firewall instead of being set up on individual servers. • Certificates can be managed centrally in the NetDefend Firewall instead of on individual servers. Unique certificates (or one wildcard certificate) does not needed to be present on each server. • The encryption/decryption processing overhead required by TLS can be offloaded to the NetDefend Firewall. This is be sometimes referred to as SSL acceleration. Any processing advantages that can be achieved can, however, vary and will depend on the comparative processing capabilities of the servers and the NetDefend Firewall. • Decrypted TLS traffic can be subject to other NetDefendOS features such as traffic shaping or looking for server threats with IDP scanning. • TLS can be combined with NetDefendOS server load balancing to provide a means to spread traffic across servers. Enabling TLS The steps to take to enable TLS in NetDefendOS are as follows: 1. Upload the host and root certificates to be used with TLS to NetDefendOS if not done already. 2. Define a new TLS ALG object and associate the appropriate host and root certificates with the ALG. If the certificate is self-signed then the root and host certificate should both be set to the same certificate. 3. Create a new custom Service object based on the TCP protocol. 290