Configuring Secure Connections in ScreenOS Devices Using NSM Overview

Secure Sockets Layer (SSL) is a set of protocols that can provide a secure connection between a Web client and a Web server communicating over a TCP/IP network. SSL consists of the SSL Handshake Protocol (SSLHP), which enables a client and server to authenticate each other and negotiate an encryption method, and the SSL Record Protocol (SSLRP), which provides basic security services to higher level protocols such as HTTP. Using certificates, SSL authenticates the server (the security device), and then encrypts the traffic sent during the session. Juniper Networks supports authentication only of the server (the security device), not the client (the device administrator); the device authenticates itself to the device administrator, but the device administrator does not use SSL to authenticate to the device. However, the device administrator must connect using a Web browser with SSL version 3 compatibility (not version 2). Netscape Communicator 4.7x and later and Internet Explorer 5.x and later are SSL version 3 compatible.

During the SSL handshake, the security device sends the device administrator its self-signed certificate. The device admin encrypts a random number with the public key contained in the certificate and sends the number back to the device, which uses its private key to decrypt the number. Both participants then use the shared random number and a negotiated secret key cipher (3DES, DES, RC4, or RC4-40) to create a shared secret key, which they use to encrypt traffic between themselves. They also use an agreed-upon compression method (PKZip or gzip) to compress data and an agreed-upon hash algorithm (SHA-1, SHA-2, or MD5) to generate a hash of the data to provide message integrity.

Additionally, the device administrator must use a permitted IP address to initiate an HTTP connection to the device, and the SSL service option must be enabled for the interface that the device administrator connects to on the device.

By default, SSL is disabled. To ensure that all HTTP connections to the Web UI are secure, you should enable this option. When enabled, the device automatically redirects administrative traffic using HTTP (default port 80) to HTTPS (SSL, default port 443) and authenticates using the local certificate. For a device running ScreenOS 5.1 and later, SSL uses the autogenerated, self-signed certificate on the device.

You can change the SSL configuration by editing the SSL settings as described in Table 33.

Table 33: SSL Settings (each entry lists the SSL setting, followed by your action)

Redirect HTTP to HTTPS

You can enable HTTP redirection for SSL troubleshooting, if desired.

Certificate

By default, the security device uses an auto-generated self-signed certificate for SSL. To change the certificate used for SSL, select a certificate from the list of available certificates.

Port

The default port for SSL connections is 443; to change this default, enter a different port number.

Cipher

Select an encryption algorithm for SSL:

  • RC4-40: RC4 with 40-bit keys
  • RC4: RC4 with 128-bit keys
  • DES: Data Encryption Standard with 56-bit keys
  • 3DES: Triple DES with 168-bit keys

The RC4 algorithms are paired with MD5; DES and 3DES are paired with SHA-1.

Authentication

Select an authentication method for SSL:

  • Message Digest version 5 (MD5)—128-bit keys
  • Secure Hash Algorithm version 1 (SHA-1)—160-bit keys
  • Secure Hash Algorithm version 2 (SHA-2)—256-bit keys

While SSL is enabled, any device administrator can connect to the security device using the SSL port. When administrative connections use SSL, the device administrator must enter https (instead of http) before the IP address used to manage the device in the Web browser URL field. If you changed the default SSL port from 443, the device administrator must also append a colon and the SSL port number to the IP address. For example, to connect to the 5.5.5.5 interface on SSL port 1443, the device administrator must enter https://5.5.5.5:1443.

To use HTTP without SSL, disable SSL by clearing the Enable SSL check box. The device no longer redirects HTTP connections to SSL, and no authentication occurs for the connection.
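The following is an added example, not part of the NSM documentation or ScreenOS itself: a small Python audit helper that evaluates an SSL settings entry against the cipher and hash pairings listed in Table 33, builds the administrative URL according to the port rule above, and optionally connects to a device to report the protocol and cipher actually negotiated. The settings keys (enable_ssl, cipher, authentication, port) and the 112-bit strength threshold are this example's own choices, not NSM field names.

```python
"""Audit ScreenOS Web UI SSL settings (example code, not from NSM/ScreenOS)."""
import socket
import ssl

# Cipher choices offered in the NSM SSL settings dialog, with the key length
# and the hash each one is paired with, as stated in Table 33.
CIPHER_INFO = {
    "RC4-40": {"bits": 40, "mac": "MD5"},
    "RC4": {"bits": 128, "mac": "MD5"},
    "DES": {"bits": 56, "mac": "SHA-1"},
    "3DES": {"bits": 168, "mac": "SHA-1"},
}
MIN_KEY_BITS = 112  # assumed threshold for this example; not a ScreenOS value


def admin_url(ip, enable_ssl=True, port=443):
    """URL the device administrator must type: https, plus :port if not 443."""
    if not enable_ssl:
        return f"http://{ip}"
    return f"https://{ip}" if port == 443 else f"https://{ip}:{port}"


def audit(settings):
    """Return a list of findings for one SSL settings entry (assumed keys)."""
    findings = []
    if not settings.get("enable_ssl"):
        # No redirect to SSL and no server authentication: admin traffic in clear text.
        return ["SSL disabled: Web UI administration runs over plain HTTP"]
    cipher = settings.get("cipher")
    info = CIPHER_INFO.get(cipher)
    if info is None:
        findings.append(f"unknown cipher {cipher!r}")
    elif info["bits"] < MIN_KEY_BITS:
        findings.append(f"{cipher} ({info['bits']}-bit) is weak; select 3DES")
    if settings.get("authentication") == "MD5":
        findings.append("MD5 selected for integrity; prefer SHA-1 or SHA-2")
    port = settings.get("port", 443)
    if port != 443:
        findings.append(f"non-default SSL port: admins must use {admin_url('<ip>', True, port)}")
    return findings


def probe(host, port=443, timeout=5):
    """Connect to the device and return (protocol, cipher suite) it negotiated.
    Verification is off because the device presents a self-signed certificate;
    a handshake failure usually means the device offers only a protocol version
    the local OpenSSL no longer enables."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]
```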
