Table of Contents
Advertisement
End Point Control (EPC)
Traditional VPN solutions typically provide access only from the relative safety of an IT‐managed device. In that
environment, the major security concern is unauthorized network access. Because an SSL VPN enables access
from any Web‐enabled system, it may bring the additional risk of computers in untrusted environments, such as
a kiosk at an airport or hotel, or an employee‐owned computer.
The appliance's EPC configuration options give you granular control over VPN access using profiles and zones to
protect sensitive data and ensure that your network is not compromised:
• A device profile is a set of attributes that characterize the device requesting the connection, such as a
Windows domain name, the presence of a certain software program, a registry entry, or other unique
characteristics.
• An application access zone is a set of attributes used to establish a trust relationship with a client iOS or
Android device.
• An End Point Control zone classifies a connection request based on the presence or absence of a device
profile. The zone in which a device is then placed controls the provisioning of data protection
components and can be used to determine which resources are available. A device can be placed in a
Standard zone, a Quarantine zone (with instructions on installing the required security programs), or in a
Deny zone, where the user is denied access to the network.
SSL and Encryption
The SonicWall SMA appliance encrypts information using the Secure Sockets Layer (SSL) protocol. SSL protocol is
an authentication and encryption protocol that uses a key exchange method to establish a secure environment
in which all data exchanged is encrypted to protect it from eavesdropping and alteration.
The appliance uses SSL certificates to validate the appliance's identity to connecting users, and to provide a
public key to secure information that the client computer sends to the server. The appliance requires a
minimum of two SSL certificates:
• The appliance services use a certificate to secure user traffic.
• The Appliance Management Console (AMC) uses a certificate to secure management traffic.
There are two types of certificates: self‐signed and commercial. With a self‐signed SSL certificate, the appliance
identifies itself with a certificate that has not been signed by a commercial CA, and the associated private key
data is encrypted using a password. AMC uses a self‐signed certificate.
A self‐signed certificate can also be a wildcard certificate, allowing it to be used by multiple servers which share
the same IP address and certificate, but have different FQDNs. For example, a wildcard certificate such as
*.company.com could be used for iPhone access at and for VPN access at vpn.company.com.
You can also configure an authentication server to trust an intermediate CA. For example, you could create a
root certificate signing authority on a system that is not connected to the corporate network. You can then issue
a set of trusted intermediate signing authority certificates to be deployed in various sectors of the network
(often by department or organizational unit).
Although a self‐signed SSL certificate is secure, you may want to secure user traffic with a certificate from a
commercial certificate authority (CA) such as VeriSign.
When deciding which type of certificate to use for the servers, consider who will be connecting to the appliance
and how they will use resources on your network:
• If business partners are connecting to Web resources through the appliance, they will likely want some
assurance of your identity before performing a transaction or providing confidential information. In this
case, you would probably want to obtain a certificate from a commercial CA for the appliance.
SonicWall SMA Connect Tunnel 12.0 Deployment Planning Guide
About SonicWall SMA Connect Tunnel
9
Advertisement
Table of Contents
