January 2021

Overview

Welcome to the SonicWall® SMA 100 Series Security Best Practice Guide. This Best Practice Guide is a reference for owners and administrators of the SonicWall SMA 100 series. It presents best practices and industry-recognized hardening suggestions for the SMA 100 series product line.

SAML (Security Assertion Markup Language), or a TOTP (Time-Based One-Time Password) provider. SonicWall's SMA 100 series supports both types of second-factor provider. Please refer to the SonicWall Feature Guide for a detailed walkthrough of how to set up these features with different providers.
If you are not able to use one of the highly recommended solutions above for second-factor authentication, SonicWall's SMA 100 series does offer a One Time Password (OTP) option that can be used as a second factor (2FA). This token can be sent to the requesting individual via email or SMS text message.
You can use this feature to send a short message containing a one-time password (OTP) code to users so that they can log in to the appliance. The SonicWall SMA 100 series can communicate with two different SMS service providers:
•...
This setup must be done per user and is not available at the group level.
1. Navigate to User and then choose Local users.
2. Choose the user for whom you wish to enable OTP.
3. Next to that user, click Edit (pencil icon).
You will need to enable this first in order to select the SMS template and enter the user's phone number (a mobile device capable of receiving a text message); then you may choose user discretion as noted above.
When the user attempts to log in to the Virtual Office, or via the NetExtender client, they will be presented with the second-factor (2FA) challenge.
1. After successfully logging in to the Virtual Office, click the circle with your initials in the upper right corner.
2. Choose Settings.
3. Choose Generate Backup Keys.
These are one-time-use keys; do not lose them. If you press the button more than once, additional text files are generated, but only the last set of codes is valid for use.
• Disable the Default Admin Account
• Allow Policy Match Logging
• Setup Connection Policies
• Device Registration
• End Point Control
• GEO IP Fencing
• Capture ATP for the SMA 100 Series
Prohibit Saving Username and Password

While this can be a convenience to the individual user, saving the username and password on a workstation can be dangerous: anyone who gains access to that workstation can reuse the stored credentials.
Hide Domain List on Portal Login Page

Hiding the domain list makes it more difficult for a threat actor to attempt unauthorized access, since valid domain names are no longer revealed on the login page. Your users should already know the domain name of the organization.
This feature forces connections to use HTTPS and does not allow HTTP connections. Without it, a user could connect to the portal over HTTP to authenticate, and only then would the appliance convert the session to HTTPS, so the credentials would already have been sent in the clear.
This means the user's first session would be disconnected immediately.
• Confirm Logout of existing session: this requires the user to confirm that, by proceeding, their original session will be terminated.
Either choice can be used to effectively enhance security.
Remote connectivity to a network should only be allowed from one device at a time. This setting allows only one unique device to connect at a time. Trying to connect with a second device using the same username would deny access to the second device.
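The three behaviours described on the preceding pages (disconnect the existing session immediately, ask the user to confirm logout of the existing session, or refuse a second device outright) can be modelled in a few lines. The following is an added example, not SonicWall's code; the mode names, the session table and the device identifiers are assumptions constructed for the illustration.

```python
"""Added example (not SonicWall code): a minimal model of the login-uniqueness
behaviours described above. Session storage, device identifiers and the
policy mode names are assumptions constructed for this illustration."""
from dataclasses import dataclass, field
from typing import Dict, Optional

# Policy modes (names are assumptions, chosen to mirror the options in the text)
LOGOUT_EXISTING = "logout_existing"   # first session is disconnected immediately
CONFIRM_LOGOUT = "confirm_logout"     # new login must confirm before the old one is dropped
ONE_DEVICE = "one_device"             # one unique device per user; a second device is denied


@dataclass
class Session:
    username: str
    device_id: str
    active: bool = True


@dataclass
class UniquenessPolicy:
    mode: str
    sessions: Dict[str, Session] = field(default_factory=dict)

    def login(self, username: str, device_id: str, confirmed: bool = False) -> str:
        """Apply the policy to a login attempt and return the outcome."""
        current = self.sessions.get(username)
        if current is None or not current.active:
            self.sessions[username] = Session(username, device_id)
            return "accepted"
        if current.device_id == device_id:
            # Assumption: a reconnect from the same device replaces its own
            # stale session rather than counting as a second device.
            self.sessions[username] = Session(username, device_id)
            return "accepted"
        if self.mode == ONE_DEVICE:
            return "denied"                    # second device is refused
        if self.mode == CONFIRM_LOGOUT and not confirmed:
            return "confirmation_required"     # ask before dropping the old session
        current.active = False                 # terminate the original session
        self.sessions[username] = Session(username, device_id)
        return "accepted_previous_terminated"

    def active_device(self, username: str) -> Optional[str]:
        """Device currently holding the user's session, or None."""
        s = self.sessions.get(username)
        return s.device_id if s and s.active else None


if __name__ == "__main__":
    policy = UniquenessPolicy(ONE_DEVICE)
    print(policy.login("alice", "laptop"))   # accepted
    print(policy.login("alice", "phone"))    # denied
```

In every mode a username holds at most one active session; the modes differ only in who loses when a second device appears.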
If your organization has normal office hours, and your users should only be connecting during those hours, then why risk allowing someone to connect before or after them? With Login Schedule, you can deny access through the SMA 100 series during off hours.
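A login schedule is only as good as the clock it is compared against: a login timestamp must be converted into the appliance's local time before it is checked, or a user in another timezone is allowed or denied at the wrong hours. The following added example (not SonicWall's code) evaluates a weekday office-hours schedule against timezone-aware timestamps; the appliance timezone, the hours and the sample timestamps are constructed assumptions.

```python
"""Added example (not SonicWall code): evaluating a Login Schedule against a
timestamp. The appliance timezone, office hours and timestamps are constructed
assumptions; the point is converting the login time into the appliance's local
time before checking the schedule."""
from datetime import datetime, time, timedelta, timezone
from typing import Dict, Optional, Tuple

# Assumed appliance-local timezone: UTC-5 (constructed for the example)
APPLIANCE_TZ = timezone(timedelta(hours=-5))

# Weekday (0 = Monday) -> (start, end) in appliance-local time; weekends absent
OFFICE_HOURS: Dict[int, Tuple[time, time]] = {
    day: (time(8, 0), time(18, 0)) for day in range(5)
}


def login_allowed(at: datetime,
                  schedule: Dict[int, Tuple[time, time]] = OFFICE_HOURS,
                  tz: timezone = APPLIANCE_TZ) -> bool:
    """Return True when the (timezone-aware) login time falls inside the schedule."""
    if at.tzinfo is None:
        # A naive timestamp would be compared in the wrong timezone; refuse it.
        raise ValueError("login timestamp must be timezone-aware")
    local = at.astimezone(tz)
    window: Optional[Tuple[time, time]] = schedule.get(local.weekday())
    if window is None:
        return False                 # day has no window: deny
    start, end = window
    return start <= local.time() < end   # end of window is exclusive


def describe(at: datetime) -> str:
    """Human-readable verdict, showing the local time that was actually checked."""
    local = at.astimezone(APPLIANCE_TZ)
    verdict = "allowed" if login_allowed(at) else "denied"
    return f"{at.isoformat()} -> local {local.strftime('%a %H:%M')}: {verdict}"


if __name__ == "__main__":
    # Constructed sample: 14:00 UTC on Wednesday 2021-01-13 is 09:00 local
    print(describe(datetime(2021, 1, 13, 14, 0, tzinfo=timezone.utc)))
    # 01:00 UTC on the same date is still Tuesday 20:00 local: denied
    print(describe(datetime(2021, 1, 13, 1, 0, tzinfo=timezone.utc)))
```

Rejecting naive timestamps outright is deliberate: silently assuming UTC (or local time) is the failure mode that lets off-hours logins through.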
This added feature offers additional security to your network.
A common policy is 8 characters with upper-case letters and numbers. A less common, stronger policy would be, as an example, 12 or more characters with required upper-case and lower-case letters, numbers, and special characters.
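The two policies above can be expressed as a small rule set and checked mechanically, which is also how you would test a candidate policy before rolling it out. The following is an added example, not SonicWall's code; the policy names and the wording of the failure messages are assumptions, while the requirements themselves come from the text.

```python
"""Added example (not SonicWall code): checking a candidate password against
the two complexity policies described above. Policy names and rule wording are
assumptions; only the requirements themselves come from the text."""
import re
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int
    require_upper: bool = False
    require_lower: bool = False
    require_digit: bool = False
    require_special: bool = False


# "Common": 8 characters with upper case and numbers
COMMON_POLICY = PasswordPolicy(min_length=8, require_upper=True, require_digit=True)

# "Uncommon": 12 or more characters with upper, lower, numbers and special characters
STRONG_POLICY = PasswordPolicy(min_length=12, require_upper=True, require_lower=True,
                               require_digit=True, require_special=True)

# (policy attribute, pattern that must match, description of the requirement)
_RULES = [
    ("require_upper", r"[A-Z]", "an upper-case letter"),
    ("require_lower", r"[a-z]", "a lower-case letter"),
    ("require_digit", r"[0-9]", "a digit"),
    ("require_special", r"[^A-Za-z0-9]", "a special character"),
]


def check_password(candidate: str, policy: PasswordPolicy) -> List[str]:
    """Return the list of unmet requirements (an empty list means the password complies)."""
    failures = []
    if len(candidate) < policy.min_length:
        failures.append(f"at least {policy.min_length} characters")
    for attr, pattern, label in _RULES:
        if getattr(policy, attr) and not re.search(pattern, candidate):
            failures.append(label)
    return failures


if __name__ == "__main__":
    for pw in ("Password1", "Correct-Horse-Battery-9"):   # constructed samples
        print(pw, "common:", check_password(pw, COMMON_POLICY),
              "strong:", check_password(pw, STRONG_POLICY))
```

Returning every unmet requirement at once, rather than just a yes/no, is what lets you tell users (and yourself, when tuning the policy) why a password was refused.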
While this is a recommended additional setting for advanced security, it is more complicated in nature. Below we provide links to Microsoft forums, as well as SonicWall KBs, to help you set this feature up on your appliance if you choose to incorporate advanced security features.
“dump” memory back as the reply, potentially giving the threat actor access to active usernames and passwords. With this feature enabled, the SonicWall SMA 100 series will not accept anything except what is expected in the header, which prevents injection-type attacks on the web service.
Use a Public Certificate

The SonicWall SMA appliance includes a self-signed certificate to provide SSL connectivity to the appliance for configuration. While this certificate can be used for normal operation of the appliance, it is highly recommended to use a public certificate from a trusted (and supported) public certificate authority. This will...
“Something you are”. By allowing your users to utilize the additional security features built into their devices, you add layers of security that verify that the user connecting is the intended user.
• SMB SSL-VPN: How to enable Mobile Connect Touch ID authentication
• Inactivity timeout for NetExtender
As a security precaution, it is recommended to disable the default admin account for login access. To do this, you must first create a NEW administrator. It is recommended to use a username other than “Admin” or “Administrator”. Test the new administrator login PRIOR to disabling the default admin account.
Found under the Settings tab, this feature will help you better track users and what they are doing. It will also allow you to see those who try to connect to, or go to, places they are not allowed.
• How to enable the logs to track Access Policies matched by users
If users are only making TCP connections into your backend infrastructure, you could disable UDP protocols, which are sometimes used to deliver malicious payloads.
• SMA 100 Series: Information on Access Policy Hierarchy
•...
This is a good way to enforce additional security controls in your network, and to ensure users are not changing devices or using devices such as workstations in hotels or other public places.
• How to restrict users based on DeviceID using Device policies
End Point Control

The SonicWall SMA 100 series incorporates advanced endpoint control functionality. While this is an often overlooked part of the product, it is a very important security addition. End Point Control allows you to verify different aspects of the connecting device:
•...
Most threats to networks originate from outside the country where the appliance is located. The SMA 100 series can also add the geographic location to the connectivity logs. This helps identify not only where authorized users are coming from, but also where threat actors may be residing.
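Policy match logging (a few pages earlier) and geo-location in the connectivity logs are only useful if someone reads the logs, so the following added example shows the two reviews a defender would run over them: logins from outside the appliance's home country, and users accumulating denied policy matches. This is not SonicWall's code; the key=value log format, the IP-to-country table, the addresses and the user names are all constructed for the illustration, and the SMA's real log format and GeoIP database differ.

```python
"""Added example (not SonicWall code): reviewing connectivity and policy-match
log lines. The log format, IP-to-country table, addresses and users are all
constructed for this illustration; the SMA's real log format and GeoIP
database differ."""
import ipaddress
from collections import Counter
from typing import Dict, List, Tuple

# Constructed stand-in for a GeoIP database (documentation address ranges)
GEO_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), "US"),
    (ipaddress.ip_network("198.51.100.0/24"), "DE"),
    (ipaddress.ip_network("192.0.2.0/24"), "BR"),
]
HOME_COUNTRY = "US"   # assumed resident country of the appliance

# Constructed sample log lines (key=value format is an assumption)
SAMPLE_LOG = """\
2021-01-12T08:02:11Z user=alice src=203.0.113.10 event=login result=success
2021-01-12T08:05:40Z user=alice src=203.0.113.10 event=policy_match policy=AllowIntranet action=permit dst=10.0.0.5:443
2021-01-12T09:12:03Z user=bob src=198.51.100.7 event=login result=success
2021-01-12T09:12:30Z user=bob src=198.51.100.7 event=policy_match policy=DenyAll action=deny dst=10.0.0.9:22
2021-01-12T09:12:31Z user=bob src=198.51.100.7 event=policy_match policy=DenyAll action=deny dst=10.0.0.9:3389
2021-01-12T22:40:00Z user=carol src=192.0.2.44 event=login result=failure
"""


def parse_line(line: str) -> Dict[str, str]:
    """Split 'timestamp key=value ...' into a dict; the timestamp goes under 'ts'."""
    ts, *pairs = line.split()
    fields = {"ts": ts}
    for pair in pairs:
        key, _, value = pair.partition("=")
        fields[key] = value
    return fields


def country_of(ip: str) -> str:
    """Look the address up in the constructed table; unknown ranges return '??'."""
    addr = ipaddress.ip_address(ip)
    for net, country in GEO_TABLE:
        if addr in net:
            return country
    return "??"   # unknown: treated as outside the home country, which is the safe default


def logins_outside_home(log: str, home: str = HOME_COUNTRY) -> List[Tuple[str, str, str, str]]:
    """(user, src, country, result) for every login attempt not from the home country."""
    hits = []
    for line in log.splitlines():
        f = parse_line(line)
        if f.get("event") != "login":
            continue
        country = country_of(f["src"])
        if country != home:
            hits.append((f["user"], f["src"], country, f["result"]))
    return hits


def denied_policy_matches(log: str) -> Counter:
    """Count policy matches with action=deny per user: who keeps going where they may not."""
    counts: Counter = Counter()
    for line in log.splitlines():
        f = parse_line(line)
        if f.get("event") == "policy_match" and f.get("action") == "deny":
            counts[f["user"]] += 1
    return counts


if __name__ == "__main__":
    for hit in logins_outside_home(SAMPLE_LOG):
        print("login outside home country:", hit)
    for user, n in denied_policy_matches(SAMPLE_LOG).items():
        print(f"{user}: {n} denied policy matches")
```

Note that failed logins are reported alongside successful ones: a failed login from an unexpected country is exactly the signal the geo-location field is meant to surface.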
Capture ATP for the SMA 100 Series

A unique feature from SonicWall is the availability of Capture ATP. With this enabled on your SMA 100 device, traffic from connected clients passing into your network is inspected by the SonicWall Capture ATP service.
• Always use 2FA: this is a critical feature that must be enabled in all remote environments.

SonicWall Support

Technical support is available to customers who have purchased SonicWall products with a valid maintenance contract. The Support Portal provides self-help tools you can use to solve problems quickly and independently, 24 hours a day, 365 days a year.