SonicWALL SMA 100 Series User manual
SonicWall SMA 100 Series
1
Security Best Practice Guide
SonicWall® SMA 100 Series
Security Best Practice Guide
SMA 200/400
SMA 210/410
SMA 500v for ESXi
SMA 500v for Hyper-V
SMA 500v for AWS
SMA 500v for Azure
January 2021
Overview
Welcome to the SonicWall® SMA 100 Series Security Best Practice Guide. This Best Practice Guide is a
reference guide for owners and administrators of the SonicWall SMA 100 series. It presents best practice and
industry recognized hardening suggestions for SMA 100 series product line.
Topics:
•Critical Multi-Factor Authentication (MFA) and One-Time Password (OTP) Configuration
•Additional Configuration Recommendations for Security Best Practices
•General Considerations
•SonicWall Support
For additional information on any of the features referenced in this guide, please refer to the SMA 100 Series
10.0 Administration Guide.
NOTE:
This guide will be periodically reviewed and updated for accuracy.
SonicWall SMA 100 Series
2
Security Best Practice Guide
Multi-Factor Authentication
Multi-factor authentication (MFA), sometimes referred to as two-factor authentication or 2FA, is an
electronic authentication method in which a computer user is granted access to a website or application only
after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism:
knowledge (something only the user knows), possession (something only the user has), and inherence
(something only the user is). MFA protects the user from an unknown person trying to access their data such
as personal ID details or financial assets.
There are three basic factors to authentication:
•Something you know: This could be a PIN code, the answers to your security questions, or your
password
•Something you have: This generally refers to a physical object, such as a security token, smart card, or
phone.
•Something you are: This refers to biometric data, and usually comes in the form of your fingerprint or
facial scan — such as with Apple’s Touch ID
Utilizing more than one factor is one of the best methods for keeping connectivity into a network safe. Most
hackers that breach networks do so by obtaining the username and password of individuals. They can
compromise your credentials, and even manipulate their connections to make the authenticating device
“think” it is you. However, when a secondary factor is introduced, the hacker would not have access to this
information and therefore would be denied access immediately and their session logged.
SonicWall’s SMA 100 series incorporates multiple types of factoring functions, that when combined, can
ensure the authenticity of the end user. Turning on these features are considered *critical* in the security of
your network and should always be your number one priority when setting up remote connectivity appliances
or software.
NOTE: Due to the critical importance of 2FA, we are providing detailed instructions on the
setup of this feature.
One of the most secure (and highly recommended) methods for secondary authentication is using a provider
that supports SAML (Security Assertion Markup Language), or a TOTP (Time-Based One-Time Password)
provider. SonicWall’s SMA 100 series has support for both types of factoring providers – Please reference the
SonicWall Feature guide for detailed walkthrough on how to setup these features with different providers.
https://www.sonicwall.com/techdocs/pdf/sma-10-2-feature-guide.pdf
Two popular and commonly used solutions for secondary factor-based authentication are the Microsoft
Authenticator and Google Authenticator. To enable 2FA using Google or Microsoft Authenticator, please refer
to the following knowledge base article: https://www.sonicwall.com/support/knowledge-base/how-can-i-
configure-time-based-one-time-password-totp-in-sma-100-series/180818071301745/
SonicWall SMA 100 Series
3
Security Best Practice Guide
Enable One-Time Password (OTP) Using Phone or
Email
If you do not have the ability to use one of the above highly recommended solutions for secondary factor
authentication, SonicWall’s SMA 100 series does offers a One Time Password (OTP) option that can be used as
a secondary factor (2FA). This token can be sent to the requesting individual via email or SMS text.
To get started with the OTP setup, you should be prepared to choose the method that suites your
organizations need the best. A User can be given the option to choose any of the three if the admin desires to
allow this.
Configuring One-Time Passwords for Email
c
NOTE: Email is sent as a relayed message from the SonicWall SMA 100 series through a mail host. You
must ensure your mail host can accept the relay. Most mail hostswill allow this with password
authentication and using special designated port. Some require specific types of transport methods in
order to relay. Please have this information ready prior to proceeding with the below instructions.
1. In the left menu, navigate to Log > Settings.
2. Navigate to the Event Logging and Alerts section.
3. In the Mail Server field, enter the mail server that the appliance will send the relay request to.
Example: smtp.office365.com
4. In the SMTP Port field, enter the recipient port details for relay requests. Example: Port 587
5. In the Mail from Address field, enter the sender’s email address. This will be the display email
address from which the emails are sent. Please note, some email relay services require this address to
be a valid account. If you do not wish to have your email displayed, then consider adding an
additional email user to your account with the appropriate name you wish to use here.
6. Enable SMTP Authorization. Most mail relays require authentication. If you know your organization
does NOT require this – then do not enable this field. However, if you are unsure, or are sure they do
require, then please enable this setting.
7. If SMTP Authorization is enabled, now enter the username and password used to log into your email
server.
8. If your mail service requires a secure transport to sign in, please select it next to the SMTP Secure
Protocol. Most mail services will require TLS to authenticate and relay. Some services will allow SSL
but is less frequent and less secure.
9. Click Accept.If successful, you will receive a green bar at the top indicating your settings have been
saved.
SonicWall SMA 100 Series
4
Security Best Practice Guide
Configuring One-Time Passwords for SMS
You can use this feature to send short message with a one-time password (OTP) code to the users to log in to
the appliance.
SonicWall SMA 100 series offers the ability to communicate with two different SMS service providers:
•AliSMS : Connect to the World with Alibaba Cloud SMS
•Twilio: Communication APIs for SMS, Voice, Video and Authentication
Note: for the purpose of this example, Twilio will be used.
To add an SMS Template:
1. To add a policy, navigate to the Services > SMS Templates screen within the Secure Mobile Access
management interface and select SMS Templates.
2. Click Add SMS Template.
3. Select the SMS Provider. The two providers are Aliyun and Twilio. You can add multiple provider
templates in the appliance and use them in different domains or user levels.
4. Enter a template Name.
SonicWall SMA 100 Series
5
Security Best Practice Guide
5. Enter Description for the SMS Template. Select the International check box, if applicable.
6. Enter Account SID.
7. Enter Auth Token.
8. Type in the message your text message will say when the user receives the code. Please Note: you
MUST include the %Code% in your body, or you will NOT receive the code.
9. Enter the phone number of your SMS service account. This is the number that will SEND the text
message. You must enter “+” and then the country code, followed by a space. Please ensure that your
employees do not block this number on their mobile device.
10. Enter a test number that can be used to receive an SMS text. Enter your number like this example
(using USA country code: +1 4045551234)
11. Once the test is successful and you receive a green success banner.
12. Click Accept to confirm the changes.
Enabling One-Time Password
Now that you successfully have setup your method(s) for receiving your second factor, you can now enable
this feature in your users’ accounts. This setup must be done per user and is unavailable in the group setting.
1. Navigate to User and then choose Local users
2. Choose the user that you wish to enable OTP
3. Next to that user, click Edit. (pencil icon)
SonicWall SMA 100 Series
6
Security Best Practice Guide
4. Click the tab labeled Login Policies.
5. Choose how to deliver the token:
a. Users discretion: This will display all three methods as options. You may choose which ones
you wish to display for the user by ensuring a check mark is next to each one.
b. Use Email: This will enable the token to be sent via email. The users email address will need
to be entered into their user info under the general tab
c. Use App: This will allow you to use Google or Microsoft Authenticator, Duo, or any RADIUS
BASED 2FA product that you have setup following the directions in the KB referenced above
for 2FA
d. Use Short Message: This will enable the SMS text message option
c
NOTE:Y
ou will need to enable this first in order to select the SMS template and enter the
users phone number (Mobile device capable of receiving a text message) then you may
choose user discretion as noted above
SonicWall SMA 100 Series
7
Security Best Practice Guide
2FA and OTP User Experience
When the user attempts to log into the Virtual office, or if they attempt to log in via the NetExtender Client,
they will be presented with the second factor (2FA) challenge question.
SonicWall SMA 100 Series
8
Security Best Practice Guide
If you are using a 3rd party 2FA application, such as Duo or RSA, you must enter the password plus the PIN.
User Backup Codes
A user can create a backup code after successfully logging in the first time. This option is only available if 2FA is
setup. The backup code is designed as a failsafe option in the event the user misplaces the 2FA device / token
or is unable to receive it due to their location. Examples would be while in flight where SMS messages may not
function properly or where the user can only have one device connected to the wireless network.
1. After successful login to the virtual office, click on the circle with your initials in the upper right
corner.
2. Choose Settings.
3. Choose Generate Backup Keys.
SonicWall SMA 100 Series
9
Security Best Practice Guide
4. After clicking the Generate Backup Key button, a text file will be downloaded to your computer. This
text file will contain the backup keys that can be used. These are a 1 time use only key. Do not lose
them. If you press the button more than once, it will generate additional text files, however only the
last set of numbers will be valid for use.
SonicWall SMA 100 Series
10
Security Best Practice Guide
Additional Configuration
Recommendations for Security Best
Practices
•Prohibit Saving Username and Password
•Hide Domain List on Portal Login Page
•Enable HTTP Strict Transport Security (HSTS) for SMA
•Enforce Login Uniqueness
•Enforce Client Source Uniqueness
•Enable “Login Schedule”
•Enable “Logout Schedule”
•Enforce Password Complexity
•Enable Client Certificate Enforcement (Advanced Security Feature)
•Restrict Request Headers
•Use a Public Certificate
•Allow Touch ID and Face ID on Mac, Apple IOS and Android Devices
•Disconnection on Inactivity Timeout
•Disable the Default Admin Account
•Allow Policy Match Logging
•Setup Connection Policies
•Device Registration
•End Point Control
•GEO IP Fencing
•Capture ATP for the SMA 100 Series
SonicWall SMA 100 Series
11
Security Best Practice Guide
Prohibit Saving Username and Password
While this can be a convenience to the individual user, saving the username and password on a workstation
can be dangerous.
SonicWall SMA 100 Series
12
Security Best Practice Guide
Hide Domain List on Portal Login Page
By hiding the domain name, this makes it more difficult for a threat actor to attempt unauthorized access.
Your users should know the domain name of the organization.
SonicWall SMA 100 Series
13
Security Best Practice Guide
Enable HTTP Strict Transport Security (HSTS) for SMA
This feature forces the connection to be HTTPS and does not allow HTTP connections. Without this, a user
could connect to the portal using an HTTP connection to authenticate, then the appliance would convert the
session to HTTPS.
SonicWall SMA 100 Series
14
Security Best Practice Guide
Enforce Login Uniqueness
As a layered security precaution, users should only be allowed to login to a single session. Allowing multiple
logins with the same username can lead to an increased risk of a security breach.
You have two options for logging the user out if they try to log in using the same username twice:
•Automatically logout existing session
oThis means the users first session would be disconnected immediately
•Confirm Logout of existing session
oThis would require the user to confirm that my proceeding, their original session will be
terminated
Either choice can be used to effectively enhance security.
SonicWall SMA 100 Series
15
Security Best Practice Guide
Enforce Client Source Uniqueness
Remote connectivity to a network should only be allowed from one device at a time. This setting will only
allow once unique device to connect at a time. Trying to connect with a second device using the same
username would deny access to the second device attempting to connect.
SonicWall SMA 100 Series
16
Security Best Practice Guide
Enable “Login Schedule”
If your organization has normal office hours, and your users should only be connecting during those hours,
then why risk allowing someone to connect before or after. With Login Schedule, you can deny access through
the SMA 100 series during off hours.
SonicWall SMA 100 Series
17
Security Best Practice Guide
Enable “Logout Schedule”
Many times, users tend to leave their remote network equipment connected, even while they are not in use.
Any network activity can keep a client “awake” and avoid disconnecting due to inactivity. Setting up a logout
schedule will automatically logout any user session that is connected during your defined time. Many times,
threat actors that have remote access to remote user equipment, such as a laptop, will wait until after hours
as not to draw attention from the user. This adds feature offers additional security to your network.
SonicWall SMA 100 Series
18
Security Best Practice Guide
Enforce Password Complexity
Users that can choose their own complex password tend to gravitate toward something they can remember.
Those passwords may be short, common names or places, and may include their phone number or social
security number. Threat actors have designed and built tools that can run through hundreds of thousands of
names and combinations within minutes to guess passwords. Forcing your employees to have a stronger
password that have additional complex characters will cause the threat actors to take years to attempt to
guess. Common is 8 characters with upper case and numbers. Uncommon would be 12 or more characters
with forced upper case and lower case, numbers, and special characters – as an example.
SonicWall SMA 100 Series
19
Security Best Practice Guide
Enable Client Certificate Enforcement (Advanced
Security Feature)
As another means of ensuring the authenticity of a user and their device, administrators can deploy client-side
certificates. With this setting enabled, the SonicWall SMA 100 series will verify the client certificate matches
what is defined within the user settings. While this is a recommended additional setting for advanced security,
it is more complicated in nature. Below we are providing links to Microsoft forums, as well as SonicWall KB’s to
help you in setting this feature up on your appliance if you choose to incorporate advanced security features.
•How can I enable client Certificate check for HTTPS management on the SonicWall?
•Client Certificate Authentication (Part 1) - Microsoft Tech Community
SonicWall SMA 100 Series
20
Security Best Practice Guide
Restrict Request Headers
A request header is an HTTP header that can be used in an HTTP request to provide information about the
request context, so that the server can tailor the response. For example, the Accept- headers indicate the
allowed and preferred formats of the response.
Threat actors attempting to gain control of websites will typically inject code into a request header. If the
website is not protected, it may “dump” memory back as the reply – allowing the threat actor to possibly have
access to passwords and usernames that are active.
By enabling this feature, the SonicWall SMA 100 series will not allow anything except what is expected in the
header – thus not allowing for injection type attacks on the webservice.
Other manuals for SMA 100 Series
1
This manual suits for next models
5
Table of contents
Other SonicWALL Security System manuals
Popular Security System manuals by other brands
Allen-Bradley
Allen-Bradley Ferrogard Series installation instructions
OPTICOM
OPTICOM KD4 - Specifications
STI
STI Exit Stopper STI-6400 Series Quick install
Linear
Linear Security DUAL 824 installation instructions
GE
GE Interlogix 60-875 Simon installation instructions
Novus
Novus NVR-6316P16-H2 user manual
