How should I repair a firewall that cannot process HTTPS addresses?
Our Internet network uses a Zywall70 firewall to filter gambling, pornographic, chat and other non-business sites. I found that this firewall cannot filter or log the sites whose address begins with HTTPS. How should we fix this, if the firewall is in fact the reason why it's not working properly?
It sounds like your firewall is not performing HTTPS proxying. The difference between HTTP and HTTPS, of course, is that HTTPS traffic is encrypted when passed over the network. If HTTPS proxying is not in use, the firewall cannot decrypt the contents of the HTTPS session. Since it cannot read the URL from the encrypted network stream, it is not possible for the firewall to perform content filtering on the connection. It's not a problem with your firewall; it's the desired behavior of HTTPS, since such a protocol prevents eavesdropping.
If you must perform content filtering on encrypted traffic, you have a couple of options. You may wish to consider partially or fully blocking HTTPS traffic with your firewall, limiting the traffic to business-critical uses. Alternatively, you can set up an HTTPS proxy server for your organization and use it to implement content filtering.
This was first published in September 2006