
Saturday, July 27, 2013

Applying the One-Touch "DPI and Stateful Firewall" high-security configuration makes the following changes to the system. A system restart is then required for the updates to take full effect.


System>Administration

  1. Password must be changed every 90 days
  2. Bar repeated password changes for 4 changes
  3. Enforce password complexity: Require alphabetic, numeric and symbolic characters
  4. Apply the above password constraints for: all user categories
  5. Enable administrator/user lockout
  6. Failed Login attempts per minute before lockout: 7
  7. Enable inter-administrator messaging
  8. Inter-administrator Messaging polling interval (seconds): 10

Network>Interfaces

  1. Any interface allowing HTTP management is replaced with HTTPS Management
  2. Any setting to 'Add rule to enable redirect from HTTP to HTTPS' is disabled
  3. Ping Management is disabled on all interfaces

Network>Zones

  1. Intrusion Prevention is enabled on all applicable default Zones
  2. Gateway Anti-Virus protection is enabled on all applicable default Zones
  3. Anti-Spyware protection is enabled on all applicable default Zones
  4. App Rules is enabled on all applicable default Zones
  5. SSL Control is enabled on all default Zones

Network>DNS

  1. Enable DNS Rebinding protection
  2. DNS Rebinding Action: Log Attack & Drop DNS Reply

Firewall>Access Rules

  1. Any firewall policy with an Action of Deny has its Action changed to Discard
  2. Source IP Address connection limiting with a threshold of 128 connections is enabled for all firewall policies
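The following is an added example, not code from the page or from SonicWall: it applies the Network>Interfaces, Network>Zones and Firewall>Access Rules changes listed above to a simplified configuration and reports every change, which is useful for checking a device export against the baseline before a restart. The dictionary layout, field names and sample values are assumptions, not SonicWall's real export format.

```python
"""Apply the One-Touch high-security changes (interfaces, zones, access
rules) to a constructed, simplified firewall configuration and list what
changed.  Example code; the dict layout is an assumption."""
from copy import deepcopy

ZONE_SERVICES = ("ips", "gav", "anti_spyware", "app_rules", "ssl_control")
CONN_LIMIT = 128  # per-source-IP connection threshold named on the page

def apply_one_touch(config: dict) -> tuple[dict, list[str]]:
    """Return (hardened copy, list of changes); the input is left untouched."""
    cfg, changes = deepcopy(config), []
    # Network>Interfaces: HTTPS-only management, no HTTP redirect, no ping
    for iface in cfg["interfaces"]:
        mgmt = set(iface["management"])
        if "HTTP" in mgmt:
            mgmt.discard("HTTP"); mgmt.add("HTTPS")
            changes.append(f"{iface['name']}: HTTP management replaced with HTTPS")
        if iface.get("http_to_https_redirect"):
            iface["http_to_https_redirect"] = False
            changes.append(f"{iface['name']}: HTTP-to-HTTPS redirect disabled")
        if "Ping" in mgmt:
            mgmt.discard("Ping")
            changes.append(f"{iface['name']}: ping management disabled")
        iface["management"] = sorted(mgmt)
    # Network>Zones: every DPI service enabled on every default zone
    for zone in cfg["zones"]:
        for svc in ZONE_SERVICES:
            if not zone["services"].get(svc):
                zone["services"][svc] = True
                changes.append(f"zone {zone['name']}: {svc} enabled")
    # Firewall>Access Rules: Deny becomes Discard (silent drop instead of a
    # reply to the sender) and the source connection limit applies to all
    for rule in cfg["access_rules"]:
        if rule["action"] == "Deny":
            rule["action"] = "Discard"
            changes.append(f"rule {rule['name']}: Deny changed to Discard")
        if rule.get("src_conn_limit") != CONN_LIMIT:
            rule["src_conn_limit"] = CONN_LIMIT
            changes.append(f"rule {rule['name']}: source limit set to {CONN_LIMIT}")
    return cfg, changes

SAMPLE = {  # constructed input, not a real device export
    "interfaces": [
        {"name": "X0", "management": ["HTTP", "HTTPS", "Ping", "SSH"],
         "http_to_https_redirect": True},
        {"name": "X1", "management": ["HTTPS"], "http_to_https_redirect": False}],
    "zones": [{"name": "LAN", "services": {"ips": True, "gav": False}},
              {"name": "WAN", "services": {}}],
    "access_rules": [
        {"name": "block-unused", "action": "Deny", "src_conn_limit": None},
        {"name": "allow-web", "action": "Allow", "src_conn_limit": 128}]}

if __name__ == "__main__":
    for line in apply_one_touch(SAMPLE)[1]:
        print(line)
```

Running the function a second time on its own output yields no changes, so the same code doubles as a drift check for a configuration that is supposed to already match the baseline.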

Firewall>App Rules

  1. If licensed, the Enable App Rules setting is turned on

Firewall Settings>Advanced

  1. Turn on Enable Stealth Mode
  2. Turn on Randomize IP ID
  3. Turn off Decrement IP TTL for forwarded traffic
  4. Connections are set to: DPI Connections (DPI services enabled with additional performance optimizations)
  5. Turn on Enable IP header checksum enforcement
  6. Turn on Enable UDP checksum enforcement

Firewall Settings>Flood Protection

  1. Turn on Enforce strict TCP compliance with RFC 793 and RFC 1122
  2. Turn on Enable TCP handshake enforcement
  3. Turn on Enable TCP checksum enforcement
  4. Turn on Enable TCP handshake timeout
  5. SYN Flood Protection Mode: Always proxy WAN client connections

Firewall Settings>SSL Control

  1. Turn on Enable SSL Control
  2. Set Action to: Block connection and log the event
  3. For Configuration, enable all categories

VPN>Advanced

  1. Turn on Enable IKE Dead Peer Detection
  2. Turn on Enable Dead Peer Detection for Idle VPN sessions
  3. Turn on Enable Fragmented Packet Handling
  4. Turn on Ignore DF (Don't Fragment) Bit
  5. Turn on Enable NAT Traversal
  6. Turn on Clean up Active tunnels when Peer Gateway DNS name resolves to a different address
  7. Turn on Preserve IKE port for Pass Through Connections

Security Services>Gateway Anti-Virus

  1. If licensed, Enable Gateway Antivirus
  2. Configure Gateway AV Settings: Turn on Disable SMTP Responses
  3. Configure Gateway AV Settings: Turn off Disable detection of EICAR test virus
  4. Configure Gateway AV Settings: Turn on Enable HTTP Byte-Range requests with Gateway AV
  5. Configure Gateway AV Settings: Turn on Enable FTP REST request with Gateway AV
  6. Configure Gateway AV Settings: Turn off Enable HTTP Clientless Notification Alerts

Security Services>Intrusion Prevention

  1. If licensed, Enable IPS
  2. Turn on Prevent All and Detect All for High Priority Attacks
  3. Turn on Prevent All and Detect All for Medium Priority Attacks
  4. Turn on Prevent All and Detect All for Low Priority Attacks

Security Services>Anti-Spyware

  1. If licensed, Enable Anti-Spyware
  2. Turn on Prevent All and Detect All for High Priority Attacks
  3. Turn on Prevent All and Detect All for Medium Priority Attacks
  4. Turn on Prevent All and Detect All for Low Priority Attacks
  5. Configure Anti-Spyware Settings: Turn on Disable SMTP Responses
  6. Configure Anti-Spyware Settings: Turn off Enable HTTP Clientless Notification Alerts

AppFlow>Flow Reporting

  1. Turn on Send AppFlow To Local Collector
  2. Turn on Enable Real-Time Data Collection

Log>Log Monitor

  1. Set Logging Level: Debug

Log>Name Resolution

  1. Set Name Resolution Method to: DNS then NetBIOS

Internal Settings

  1. Turn on Protect against TCP State Manipulation DoS
  2. Turn on Apply IPS Signatures Bidirectionally
  3. Allow launching of AppFlow Monitor in a stand-alone browser frame
  4. Enable Visualization UI for Non-Admin/Config users


Source

http://www.sonicwall-sales.com/help-and-advice/sonicwall-one-touch-configuration.html
