What is Check SSL Client Hello Resemble Stream Depth?
In SonicWall, the configuration option "Max Stream Offset to Check for SSL Client Hello Resemblance", also referred to as "Check SSL Client Hello Resemble Stream Depth", controls how the firewall detects SSL/TLS traffic for deep packet inspection (DPI) of encrypted SSL/TLS connections (DPI-SSL).
What is "SSL Client Hello"?
When a client (like a browser) initiates an HTTPS connection, the first message it sends is called the Client Hello. This message is part of the TLS handshake and includes fields such as the TLS versions the client supports, its list of cipher suites and, in the Server Name Indication (SNI) extension, the hostname it wants to reach.
The Client Hello is sent in the clear, because TLS only starts encrypting after the handshake has established keys, so firewalls and DPI systems can inspect it to make decisions (e.g., block, allow, inspect deeper). Even with Encrypted Client Hello (ECH), an outer plaintext Client Hello is still sent; only the real SNI is hidden inside it.
What Does “Check SSL Client Hello Resemble Stream Depth” Mean?
The setting, "Check SSL Client Hello Resemble Stream Depth," determines how much of the data stream SonicWall will inspect to detect the presence of this crucial SSL Client Hello message. The "Stream Depth" itself is defined as the number of bytes into the connection that SonicWall will search for the Client Hello packet. This parameter allows administrators to fine-tune how aggressively SonicWall scans for hidden or delayed handshakes.
Why Is This Necessary?
This capability is necessary because the Client Hello does not always appear at the very start of the connection stream. It can be preceded by plaintext data, for example an HTTP CONNECT request to a proxy or a STARTTLS exchange on a mail protocol, a TLS record can be split across several TCP segments, and an attacker may deliberately delay or disguise the handshake. In all of these cases SonicWall has to look further into the reassembled data stream before it can recognise the traffic as SSL/TLS.
The Stream Depth is the number of bytes into the connection that SonicWall will search for the Client Hello packet. By adjusting it, administrators make sure that SonicWall does not miss encrypted connections simply because the initial handshake is delayed or disguised.
If the stream depth is too shallow, SonicWall can miss deeply embedded handshakes and the connection bypasses DPI-SSL; if it is too deep, performance suffers, because the firewall must buffer and analyse more data per connection before it can classify the traffic.
Use Case:
A threat actor attempting to hide a malicious payload inside a TLS tunnel might deliberately delay or obscure the Client Hello. This setting lets SonicWall "look ahead" in the stream to find the real handshake. Once the Client Hello is found, SonicWall can recognise the stream as SSL/TLS and apply DPI-SSL to inspect the potentially malicious content within the encrypted tunnel.
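To make the behaviour concrete, here is an added Python model of the search this setting controls. It is an illustration written for this article, not SonicWall code, and it does not claim to reproduce how SonicWall judges "resemblance"; the checks simply follow the TLS record and handshake wire format. The two streams it scans are constructed: a Client Hello at offset 0, as for plain HTTPS, and the same Client Hello placed behind a padded HTTP CONNECT request so that it begins 644 bytes into the stream. The names `find_client_hello`, `extract_sni` and `DEFAULT_STREAM_DEPTH` are this example's own.

```python
"""Model of a 'max stream offset' ClientHello search (added illustration, not SonicWall code)."""
import struct

TLS_HANDSHAKE = 0x16        # TLS record content type: handshake
CLIENT_HELLO = 0x01         # handshake message type: ClientHello
DEFAULT_STREAM_DEPTH = 512  # the default stated in the article, in bytes


def build_client_hello(sni: str) -> bytes:
    """Build a minimal, well-formed TLS 1.2-style ClientHello record with an SNI extension.
    The random and cipher suites are constructed placeholder values."""
    host = sni.encode("ascii")
    server_name = struct.pack("!BH", 0, len(host)) + host       # name_type 0 = host_name
    sni_list = struct.pack("!H", len(server_name)) + server_name
    ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # extension type 0 = server_name
    extensions = struct.pack("!H", len(ext)) + ext
    body = (b"\x03\x03" + bytes(32)                     # client_version TLS 1.2 + 32-byte random
            + b"\x00"                                   # session_id length 0
            + struct.pack("!H", 4) + b"\x13\x01\xc0\x2f"  # two cipher suites
            + b"\x01\x00"                               # one compression method: null
            + extensions)
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


def looks_like_client_hello(stream: bytes, off: int) -> bool:
    """Does the data at `off` resemble a TLS record carrying a ClientHello?
    Checks the record header, the handshake header and that their lengths agree."""
    if len(stream) < off + 11:
        return False
    if stream[off] != TLS_HANDSHAKE or stream[off + 1] != 0x03 or stream[off + 2] > 0x04:
        return False                                    # not a handshake record / bad version
    rec_len = struct.unpack_from("!H", stream, off + 3)[0]
    if stream[off + 5] != CLIENT_HELLO:
        return False
    hs_len = int.from_bytes(stream[off + 6:off + 9], "big")
    if hs_len + 4 != rec_len:                           # handshake must exactly fill the record
        return False
    return stream[off + 9] == 0x03                      # client_version major must be 3


def find_client_hello(stream: bytes, max_offset: int = DEFAULT_STREAM_DEPTH):
    """Scan the first `max_offset` bytes of the client-to-server stream for a ClientHello.
    Returns the byte offset where it starts, or None if none lies within the depth."""
    for off in range(min(max_offset, len(stream))):
        if looks_like_client_hello(stream, off):
            return off
    return None


def extract_sni(stream: bytes, off: int):
    """Once a ClientHello is located, read the SNI hostname a firewall would use for policy.
    Returns None if the hello carries no server_name extension."""
    rec_end = off + 5 + struct.unpack_from("!H", stream, off + 3)[0]
    p = off + 9 + 2 + 32                                # skip headers, client_version, random
    p += 1 + stream[p]                                  # session_id
    p += 2 + struct.unpack_from("!H", stream, p)[0]     # cipher_suites
    p += 1 + stream[p]                                  # compression_methods
    if p + 2 > rec_end:
        return None                                     # no extensions block at all
    ext_end = p + 2 + struct.unpack_from("!H", stream, p)[0]
    p += 2
    while p + 4 <= ext_end:
        etype, elen = struct.unpack_from("!HH", stream, p)
        p += 4
        if etype == 0:                                  # server_name: 2-byte list length, entries
            q = p + 2
            while q + 3 <= p + elen:
                ntype, nlen = stream[q], struct.unpack_from("!H", stream, q + 1)[0]
                q += 3
                if ntype == 0:
                    return stream[q:q + nlen].decode("ascii", "replace")
                q += nlen
        p += elen
    return None


# Constructed sample streams (not captured traffic).
DIRECT = build_client_hello("example.com")              # ClientHello at offset 0, as for plain HTTPS
PROXY_PREAMBLE = (b"CONNECT example.com:443 HTTP/1.1\r\n"
                  b"Host: example.com:443\r\n"
                  b"X-Constructed-Padding: " + b"A" * 560 + b"\r\n\r\n")  # 644 plaintext bytes first
PROXIED = PROXY_PREAMBLE + DIRECT                       # ClientHello only after the CONNECT request

if __name__ == "__main__":
    for name, stream in (("direct", DIRECT), ("proxied", PROXIED)):
        for depth in (DEFAULT_STREAM_DEPTH, 1024):
            off = find_client_hello(stream, depth)
            sni = extract_sni(stream, off) if off is not None else None
            print(f"{name:8} depth={depth:4}: offset={off} sni={sni}")
```

With the default depth of 512 the direct stream is classified at offset 0, but the proxied stream is not classified at all, so it would never reach DPI-SSL; raising the depth to 1024 finds the handshake at offset 644 and recovers the SNI. The cost of the deeper setting is visible in the loop: every connection that is not TLS at all is now buffered and scanned for up to 1024 bytes before it can be given up on.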
Locating the Option:
To locate this option, please navigate to the diagnostic (diag) page of the firewall. For detailed instructions on how to access the diag page in SonicWall, kindly refer to the knowledge base (KB) article provided below.
How can I access the internal settings of the firewall?
Once you have accessed the diag page, you will find the option under the DPI-SSL Settings section. Please see the screenshot below for both GEN7 and GEN6 visual guidance.


NOTE: The default value of Max Stream Offset to Check for SSL Client Hello Resemblance is 512 bytes. A shallower depth risks missing deeply embedded handshakes, while a deeper one requires more data buffering and analysis per connection and can affect performance. Choose a value that balances coverage against performance for your network's specific requirements.
Conclusion:
In summary, "Max Stream Offset to Check for SSL Client Hello Resemblance" controls how deeply SonicWall searches a connection for the unencrypted Client Hello message, and so how reliably it identifies SSL/TLS traffic. This is vital for applying security inspections like DPI-SSL when the handshake is not at the start of the stream, whether for technical reasons such as a plaintext preamble or fragmentation, or because an attacker has deliberately obscured it.