SonicOS 5.9 One Touch Configuration Guide

Transcription

1 SonicOS 5.9 One Touch Configuration Guide 1

2 Notes, Cautions, and Warnings NOTE: A NOTE indicates important information that helps you make better use of your system. CAUTION: A CAUTION indicates potential damage to hardware or loss of data if instructions are not followed. WARNING: A WARNING indicates a potential for property damage, personal injury, or death Dell Inc. Trademarks: Dell, the DELL logo, SonicWALL, SonicWALL GMS, SonicWALL Analyzer, Reassembly-Free Deep Packet Inspection, Dynamic Security for the Global Network, SonicWALL Clean VPN, SonicWALL Clean Wireless, SonicWALL Comprehensive Gateway Security Suite, SonicWALL Mobile Connect, and all other SonicWALL product and service names and slogans are trademarks of Dell Inc P/N Rev. C

3 One-Touch Configuration Overrides Document Scope This solutions document describes how to understand and implement the One-Touch Configuration Override feature. This document contains the following sections: Feature Overview on page 3 Configuring One-Touch Configuration Override on page 7 Feature Overview This section provides an introduction to the One-Touch Configuration Override feature. This section contains the following subsections: What is One-Touch Configuration Override? on page 3 Benefits of One-Touch Configuration Override on page 4 How Does One-Touch Configuration Override Work? on page 5 Supported Platforms on page 7 What is One-Touch Configuration Override? The One-Touch Configuration Override feature can be thought of us as a quick tune-up for your Dell SonicWALL appliance s security settings. With a single click, One-Touch Configuration Override applies over sixty configuration settings over sixteen pages of the SonicOS management interface to implement Dell SonicWALL s recommended best practices. These settings ensure that your appliance is taking advantage of the security features in SonicOS. There are two sets of One-Touch Configuration Override settings: DPI and Stateful Firewall Security For network environments with Deep Packet Inspection (DPI) security services enabled, such as Gateway Anti-Virus, Intrusion Prevention, Anti-Spyware, and App Rules. Stateful Firewall Security For network environments that do not have DPI security services enabled, but still want to employ Dell SonicWALL s stateful firewall security best practices. 3

4 Both of the One-Touch Configuration Override deployments implement the following configurations: Configure Administrator security best practices Enforce HTTPS login and disables ping Configure DNS Rebinding Configure Access Rules best practices Configure Firewall Settings best practices Configure Firewall Flood Protection best practices Configure VPN Advanced settings best practices Configure Log levels Enable Flow Reporting and Visualization The DPI and Stateful Firewall Security deployment also configures the following DPI-related configurations: Enable DPI services on all applicable zones Enable App Rules Configure Gateway Anti-Virus best practices Configure Intrusion Prevention best practices Configure Anti-Spyware best practices The full list of configuration settings is described in How Does One-Touch Configuration Override Work? on page 5. Caution Be aware that the One-Touch Configuration Override may change the behavior of your Dell SonicWALL security appliance. Review the list of configurations before applying One-Touch Configuration Override. In particular, the following configurations may affect the experience of the administrator: - Administrator password requirements on the System > Administration page. - Requiring HTTPS management. - Disabling HTTP to HTTPS redirect. - Disabling Ping management. Benefits of One-Touch Configuration Override The One-Touch Configuration Override provides the following benefits: Dell SonicWALL-recommended configuration Best Practices Applies a number of the most important security settings across sixteen pages of the SonicOS management interface, ensuring that the appliance is taking advantage of many of Dell SonicWALL s most powerful security features. Ease of Use Saves times and avoids mistakes by applying a large number of configuration settings with a single click. 4 One-Touch Configuration Override

5 How Does One-Touch Configuration Override Work? The following table lists the configuration settings that are applied as part of One-Touch Configuration Override for both the DPI and Stateful Firewall Security deployment and the Stateful Firewall Security Deployment. DPI and Stateful Configuration Setting Firewall Security System > Administration Password must be changed every 90 days Bar repeated password changes for 4 changes Enforce password complexity: Require alphabetic, numeric and symbolic characters Apply the above password constraints for: all user categories Enable administrator/user lockout Failed Login attempts per minute before lockout: 7 Enable inter-administrator messaging Inter-administrator Messaging polling interval (seconds): 10 Network > Interfaces Any interface allowing HTTP management is replaced with HTTPS Management Any setting to 'Add rule to enable redirect from HTTP to HTTPS' is disabled Ping Management is disabled on all interfaces Network > Zones Intrusion Prevention is enabled on all applicable default Zones Gateway Anti-Virus protection is enabled on all applicable default Zones Anti-Spyware protection is enabled on all applicable default Zones App Rules is enabled on all applicable default Zones SSL Control is enabled on all default Zones Network > DNS Enable DNS Rebinding protection DNS Rebinding Action: Log Attack & Drop DNS Reply Firewall > Access Rules Any Firewall policy with an Action of Deny, the Action is changed Discard Source IP Address connection limiting with a threshold of 128 connections is enabled for all firewall policies Firewall > App Rules If licensed, the Enable App Rules setting is turned on Firewall Settings > Advanced Turn on Enable Stealth Mode Turn on Randomize IP ID Turn off Decrement IP TTL for forwarded traffic Turn on Never generate ICMP Time-Exceeded packets Connections are set to: Recommended for normal deployments with UTM services enabled Turn on Enable IP header checksum enforcement Turn on Enable UDP checksum enforcement Firewall Settings > Flood Protection Turn on Enforce strict TCP compliance with RFC 793 and RFC 1122 Turn on Enable TCP handshake enforcement Turn on Enable TCP checksum enforcement Stateful Firewall Security 5

6 Configuration Setting DPI and Stateful Firewall Security Turn on Enable TCP handshake timeout SYN Flood Protection Mode: Always proxy WAN client connections Firewall Settings > Flood Protection Turn on Enable SSL Control Set Action to: Block connection and log the event For Configuration, enable all categories VPN > Advanced Turn on Enable IKE Dead Peer Detection Turn on Enable Dead Peer Detection for Idle VPN sessions Turn on Enable Fragmented Packet Handling Turn on Ignore DF (Dont Fragment) Bit Turn on Enable NAT Traversal Turn on Clean up Active tunnels when Peer Gateway DNS name resolves to a different address Turn on Preserve IKE port for Pass Through Connections Security Services > Gateway Anti-Virus If licensed, Enable Gateway Antivirus Configure Gateway AV Settings: Turn on Disable SMTP Responses Configure Gateway AV Settings: Turn off Disable detection of EICAR test virus Configure Gateway AV Settings: Turn on Enable HTTP Byte-Range requests with Gateway AV Configure Gateway AV Settings: Turn on Enable FTP REST request with Gateway AV Configure Gateway AV Settings: Turn off Do not scan parts of files with high compression ratios Configure Gateway AV Settings: Turn off Disable HTTP Clientless Notification Alerts Security Services > Intrusion Prevention If licensed, Enable IPS Turn on Prevent All and Detect All for High Priority Attacks Turn on Prevent All and Detect All for Medium Priority Attacks Turn on Prevent All and Detect All for Low Priority Attacks Security Services > Anti-Spyware If licensed, Enable Anti-Spyware Turn on Prevent All and Detect All for High Priority Attacks Turn on Prevent All and Detect All for Medium Priority Attacks Turn on Prevent All and Detect All for Low Priority Attacks Configure Anti-Spyware Settings: Turn on Disable SMTP Responses Configure Anti-Spyware Settings: Turn off Disable HTTP Clientless Notification Alerts Log > Categories Set Logging Level: Debug Set Alert Level: Warning Log > Flow Reporting Turn on Enable Flow Reporting and Visualization Log > Name Resolution Set Name Resolution Method to: DNS then NetBIOS Internal Settings Stateful Firewall Security 6 One-Touch Configuration Override

7 Configuration Setting Turn on Protect against TCP State Manipulation DoS Turn on Apply IPS Signatures Bidirectionally DPI and Stateful Firewall Security Enable ability to launch monitor pages in stand-alone browser frames Enable Visualization UI for Non-Admin/Config users Stateful Firewall Security Supported Platforms One-Touch Configuration Override is available on all Dell SonicWALL security appliances running SonicOS release 5.9 that are licensed for the SSL VPN feature. Configuring One-Touch Configuration Override To configure One-Touch Configuration override, perform the following steps: Step 1 Step 2 Step 3 Step 4 Navigate to the System > Settings page of the SonicOS management interface. Scroll down to the One-Touch Configuration Override section. Click either the DPI and Stateful Firewall Security button or the Stateful Firewall Security button. A warning pop-up window reminds you that if you are connected over HTTP, you will have to manually reconnect using HTTPS after the appliance reboots. Click OK. Step 5 When the configuration has been apply, the Status Bar displays Restart Firewall for changes to take effect. Click Restart. Step 6 After the appliance restarts, navigate to the management URL of the appliance, ensuring that you are using HTTPS, and login to the appliance. 7

8 65