Configuration guideline for Sonicwall NSv Next Generation Firewall - Mitigate Instant Security Check Tests
High Level Test Overview - Matching Features
High Level View of Licensing and Required Features for Mitigation:
Browser Security - Local Browser Configuration - https://support.google.com/chrome/answer/95472?co=GENIE.Platform%3DDesktop&hl=en
Network Access Protection - NGFW
Block access to adult website - Web Filtering
Block websites in embargoed countries - Geo IP
Block access to anonymizing websites - Web Filtering
Cross-Site Scripting Scanning Attempt via http, get - IPS
Cross-Site Scripting Scanning Attempt via https, get - IPS
JS Cryptojacking via http, get - IPS
JS Cryptojacking via https, get - IPS
SQL Injection in GET request via http - IPS
SQL Injection in GET request via https - IPS
Data Encryption - Local Browser Configuration and HTTPS Inspection
Certificate Validation
Broken Cryptography
Domain Security Policies
SSL inspection
Online Privacy - Local Browser Configuration - Do Not track Option -https://support.google.com/chrome/answer/114836?co=GENIE.Platform%3DDesktop&hl=en
Malware Protection - NGTP
Download EICAR file via http - Anti Virus
Download EICAR file via https - Anti Virus + SSLi
Download EICAR text file via http - Ant iVirus
Download EICAR text file via https - Anti Virus + SSLi
Download EICAR text file inside zip via http - Anti Virus
Download EICAR text file inside zip via https - Anti Virus + SSLi
Download EICAR file zipped 2 times via http - Anti Virus
Download EICAR file zipped 2 times via https - Anti Virus + SSLi
Download EICAR file zipped 5 times via http - Anti Virus
Download EICAR file zipped 5 times via https - Anti Virus + SSLi
Download EICAR file zipped with '123456' password via http - Anti Virus
Download EICAR file zipped with '123456' password via https - Anti Virus + SSLi
Download EICAR file zipped with 'password' password via http - Anti Virus
Download EICAR file zipped with 'password' password via https - Anti Virus + SSLi
Data Protection - DLP
SSN codes leak via https - DLP +SSLi
SSN codes leak via http - DLP
Local Country SSN code leak via https - DLP +SSLi
Local Country SSN code leak via http - DLP
Credit card numbers leak via https - DLP +SSLi
Credit card numbers leak via http - DLP
Source code (C) leak via https - DLP +SSLi
Source code (C) leak via http - DLP
SSH private key leak via https - DLP +SSLi
SSH private key leak via http - DLP
Not all protections are covered by default configuration or signatures!
For SSL/HTTPS tests you would need to have HTTPS Inspection configured
Configuration for Sonicwall NSv
Set-up a basic installation following the documentation here.
Make sure to activate the features below and check that you have the correct licensing as follows:
Gateway Anti-malware/Intrusion Prevention/App Control
Content Filtering Service
Capture Advanced Threat Protection
In order to have the checks for HTTPS websites we would need to first configure HTTPS Inspection
References:
Login to your Sonicwall Management GUI
Navigate to Policy| Deep Packet Inspection| On the Client SSL page, check Enable SSL Client Inspection. Once DPI-SSL Client Inspection is enabled, SonicWall will seamlessly and transparently decrypt all SSL traffic passing through it. You will be able to apply Security Services on the clear-text portion of the SSL encrypted payload passing through it.
Before enabling SSL Client Inspection to make sure you have imported the client DPI-SSL Certificate on all the protected computers otherwise the network may be impacted as all HTTPS websites will start showing a Certificate Error.
Make sure to export the CA certificate by clicking the Download Link. You can also import a certificate from your own CA but this needs to have the ability to create other certificates and sign them. Import the downloaded certificate into either “AD” Trusted Root or each local host Trusted Root certificate store.
For Chrome/Mozilla the procedure is a bit different and will be discussed in a dedicated article.
Once HTTPS Inspection is active you can check any HTTPS Site’s certificate when passing the Security Gateway. It should look like it was signed by the CA of the Sonicwall NSv Firewall.
On the firewall go to Policy | Deep Packet Inspection | SSL Client Deployment | Certificate page, click on the (download) link to download the Default SonicWall DPI-SSL Certificate Authority (CA) Certificate.
Make sure to have Decryption policy enabled in order to inspect HTTPS traffic. This could be configured for specific source subnets or hosts as needed.
In the case of Sonicwall NSv the Decryption tab is in Device > Settings > Decryption (DPI-SSL).
Here you need to enable SSL Client Inspection in the General tab and export the Inspection Certificate from the Certificate tab.
Adding a Decryption rule:
Mitigation for Specific Tests
Network Access Protection - NGFW
Create a specific policy with all protections enabled
Navigate to Policy > Rules and Policies > Security Policy
Add a Rule to allow outbound DNS.
Add a Rule to Drop QUIC Protocol. QUIC needs to be defined as a Service object with UDP/443. You would need to define the QUIC Port/Service as it does not exist by default.
Note: DISCARD would silently drop the packet while DENY would show a captive portal with the message that the traffic was dropped. Please choose DISCARD
Add a Rule to Filter Outbound traffic with all Protections enabled. Make sure to attach a Security Profile to the rule
It should look like this:
Check the Match Operation is OR and select App Category Group and Web Category.
Attach a Web Category to this rule by browsing to the APP/URL/Custom Match Tab. Add a new Web Category group. Make sure to add Adult/Mature Content, Malware, Pornography and Hacking/Proxy Avoidance Systems
Attach an App Category Group to this rule. Add a new App Category Group. Select High Risk Apps, MINERS, Severe Risk Apps and VPN categories:
Final rule should look like this:
Click on Add to apply the rules.
Block Websites in embargoed countries - Geo IP
Add an additional Discard rule on Top of the previous rules.
Select User & countries and create a new Country group. Attach desired countries to be blocked (i.e Democratic People’s Republic of Korea and Iran.
Block Cross-Site Scripting Scanning Attempt, SQL Injection and other Intrusion Attempts - IPS
Make sure that the Security Profile assigned to the block rule has IPS Enabled.
Block Malware Downloads - Anti Virus
Make sure that the Security Profile assigned to the block rule has Anti Virus Enabled, and especially Enable detection of EICAR Test Virus.
Certificate Validation and Broken Cryptography - SSLi
SSL Client Inspection protections need to be enabled especially from Policy > Rules and Policies >Settings > Decryption (DPI-SSL)
Always authenticate server for decrypted connections and Always authenticate server before applying exclusion policy to mitigate situations where the upstream certificate is either insecure or untrusted
Domain Security Policies - mitigated
Online Privacy
Data Leak Protection
Sonicwall NSv only supports full DLP features in correlation with Advanced Licenses for Sonicwall Cloud App Security
References:
https://www.sonicwall.com/products/cloud-security/cloud-app-security/
The NSv or NSG version do support file based restrictions:
Results after configuration is according to this guide:
Comments
0 comments
Please sign in to leave a comment.