New SMA Release Updates OpenSSL Library, Includes Key Security Features

As part of SonicWall’s commitment to performance, security and usability, we are introducing SMA 100 Series release 10.2.1.7.

SonicWall Secure Mobile Access (SMA) 100 Series is a unified secure access gateway that allows organizations to offer remote users virtual private network (VPN) access to their corporate applications. SMA 100 Series release 10.2.1.7 includes several key security features that protect the operating system from potential attack as well as updates to the OpenSSL Library.

SonicWall has taken the approach of incorporating security enhancements in their products, such as the SMA 100 series, which helps identify potentially compromised devices by performing several checks at the operating system level and baselining normal operating system state. In addition, SonicWall sends anonymous encrypted data to backend servers, including device health data, to detect and confirm security events and release new software to correct the issue.

SMA 100 Security Enhancements with NIST 800-61

SMA 100 10.2.1.7 follows the NIST incident response playbook of detection and analysis, containment, eradication, and recovery.

Detection & Analysis: The SMA 100 10.2.1.7 continuously monitors the operating system (also called firmware) for any anomalous behavior and deviations from normal operations. Further analysis is done to determine if these aberrations represent actual security incidents. If a security incident is discovered on the local system, additional diagnostic metadata is collected from the operating system to determine the root cause of the incident.

Containment: After detecting a potentially malicious event, it is important to contain the intrusion before an adversary can access more resources and cause further damage. If the SMA 100 is deemed to have deviated from normal behavior, short-term containment is performed. This involves restricting specific network communications from the SMA 100 to avoid communications to malicious servers.

Figure: SMA 100 Incident Response Methodology

Eradication: If SMA 100 has been deemed to be compromised, eradication is the process of trying to eliminate the root cause of the incident and either evict the adversary or mitigate the vulnerability that may have enabled the adversary to enter the environment. To achieve this, suspicious processes are terminated, and unauthorized files are removed from the operating system.

Recovery: This phase involves bringing an affected SMA 100 back to normal operations to avoid future incidents. When the SMA 100 has a confirmed security incident after our internal analysis, customers are notified by SonicWall support. SonicWall will work with the affected customers to upgrade them to newer firmware.

Hygiene: While not part of the incident response playbook, good security hygiene and following industry security practices are important in staying proactive against cyber threats. SMA 100 10.2.1.7 also checks to see if the end customer is following security best practices, such as ensuring password expiration and multi-factor authentication and enabling web application firewalling to secure the SMA 100. If these have not been enabled, the customer is prompted to do so using proactive messages on the administrative user interface.

SMA 100 gets updated OpenSSL library

SMA 100 leverages the OpenSSL Library to offer SSL-VPN connection security. We are updating the OpenSSL Library to the 1.1.1t version to patch the third-party OpenSSL vulnerability documented in CVE-2022-4304: “A timing-based side channel exists in the OpenSSL RSA Decryption implementation.”

SonicWall recommends all SMA 100 customers upgrade to 10.2.1.7 by logging in to MySonicWall or by following the guidance in the following resources.

  1. Knowledge Base
  2. Upgrade Guide
  3. Administrative Guide
  4. Release Notes

Everything Old Is New Again: Remote Access Comes Full Circle

The shift to Zero-Trust Network Architecture is recent — but not the ideas behind it.

As an old timer who’s been in the Remote Access (RA) space since the mid-’90s, I see the current wave of evolution in SASE/SDP/ZTA as more of a devolution. It takes us back to providing RA as a service (RaaS), replacing dedicated i386 appliances with virtual images akin to the early days of micro services on Unix. For example, this is how Aventail, a pioneer in RaaS, launched — as a service; the appliance came some years later.

When the RaaS (again, service is right there in the name) revolution first hit — way before the SSL VPN reboot — I was building huge NT 3.51 clusters with a spaghetti of US Robotics Courier modems hanging out the back. This service was offered to customers as the Common Office environment bundle and built on the premise that we could not trust incoming user traffic.

Over the following 25+ years, much has changed. But the core principle of distrust remains. One of my favorite vintage marketing tag lines simplifies this message of zero trust to “Detect – Protect – Connect.”

With the 2000s came the SSL VPN revolution, which at its heart messaged “VPN is dead” and “clientless remote access rules.” We’re seeing this again today with SASE/SDP messaging, but what does it really mean?

It comes down to crypto, packet encapsulation and routing — aka “when do I route direct,” “when do I proxy” and “when do I backhaul tunnel.” These are all questions of trust. There is no one-size-fits-all answer to this; thus, to build a highly resilient and scalable service, you must do all three and often together within a single session using JIT logic.

Injecting a bit of humor, let’s look at this piece of Aventail marketing I pulled from the web. (The internet forgets nothing!)

Figure: A New Reference Architecture – The Inverted Network

FYI: Aventail lives on today — it is the SSL VPN startup company SonicWall purchased in 2007, which has evolved into today’s SonicWall SMA 1000 series.

With no change to the core of the slide, just updating the terminology buzzwords to current standard, we can see ZTA ideals have been around for a lot longer than you may think.

So why, then, if solution architects like me have been singing the praises of a Zero Trust Architecture (ZTA) approach for 20 years, has there been such a slow adoption? Well, unpicking a flat network is hard work, and often in a large enterprise, you just don’t know who needs access to exactly which apps and data. However, you have to start somewhere — and with many years of experience, we’ve learned a thing or two about the best way to peel that particular onion.

COVID has changed this landscape, and today I see what was considered a “good enough” remote access implementation no longer cutting it. RA overhaul projects are again in the CIO’s Top 3, the common driver being ZTA to support the home worker revolution. So the chickens have finally come home to roost, and my years of banging the drum of inverted networks and shrunken perimeters becoming the mainstay have paid off.

Figure: Access Control Engine

A final thought: A modern RAS needs more than just a complex ACL table to be a robust, reliable ZTA service. The ACE (Access Control Engine) at the core of the SonicWall SMA 1000 may be what your security team is pushing for, but as a CIO, that alone will not help you appease the business or provide a highly reliable, most critical service.

Business continuity thinking has replaced disaster recovery thinking to achieve service uptimes of nearly 100%. This needs consideration for parallel live infra demarcations with a roll forward N+1 strategy, SPOG central configuration change scheduling, mix-mode physical and virtual termination nodes salt-and-peppered between private and public datacenters, redundant app-data paths … which all come from experience.

Connecting and Protecting the Remote Islands of Corporate IT – BYOD and Mobility

How Dell and SonicWall’s SMA and Next-Generation Firewall solution builds secure virtual bridges for today’s fragmented environments

As employees are no longer restricted to the physical structures of their company headquarters, what and how they connect to their corporate network presents a multitude of challenges. Corporate IT environments consist of a seemingly uncontrollable combination of devices, operating systems, and geographic locations. Securely connecting all of these is one of the most crucial IT initiatives companies are faced with as Gartner reports that 70% of mobile professionals will conduct their work on personal smart devices by 2018.

As we are all well aware, all endpoints pose significant threats to network security. Specifically, BYOD consumer devices are usually the most difficult to manage and secure. Data loss or leakage and unauthorized access or transmission are a constant concern. Mobile devices can also retain sensitive or proprietary data while wirelessly connected to the corporate network. White-listing apps for distribution on iOS and Android platforms helps lock down mobile devices, but unmanaged laptops require greater endpoint control via the VPN.

What can you do to protect it all?

Dell and SonicWall’s VPN and Next-Generation Firewall solution delivers a layered defense strategy to ensure employees have the access they need while providing the security the company requires.

Components of a VPN and Next-Generation Firewall Solution:

  • Secure Mobile Access (SMA) Appliances – Provide mobility and secure access for up to 20,000 concurrent users from a single, powerful, and granular access control engine.
  • Next-Generation Firewalls – Network security, control, and visibility through sandboxing, SSL inspection, intrusion prevention, anti-malware, application identification, and content filtering.
  • Remote Access Management & Reporting – Powerful, web-based remote IT management platform to streamline appliance management and provide extensive reporting.
  • VPN Clients/Mobile Connect – Simple, policy-enforced secure access to mission-critical applications and data for iOS, OS X, Android, Chrome OS, Kindle Fire, and Windows mobile devices.

Deploying a SonicWall VPN and Next-Generation Firewall solution provides multi-layered protection that can authorize, decrypt, and remove threats from SSL VPN traffic before it enters the network environment. The dual protection of a SonicWall SMA and Next-Generation Firewall is critical to ensuring the security of both VPN access and traffic. SonicWall’s remote access management and reporting also allows organizations to view, define, and enforce how application and bandwidth assets are used.

Securely connecting your workforce, partners, and customers has never been more important. Reach out to your Dell and SonicWall contacts today to learn what implementing a SonicWall VPN and Next-Generation Firewall solution can mean for the future of your company.

SonicWall SMA OS 8.6 Delivers Seamless Remote Access Using Web-based Access Methods

Smartphones, laptops and internet connectivity have become necessities of life. We move around with powerful computing devices in our pockets or backpacks. This “on-the-go” lifestyle has transformed the way we work. Employees today want on demand access to resources and the ability to be productive from anywhere. Organizations too are embracing cloud and mobile, and allowing employees to use their personal devices for work. This is a win-win situation for employees and organizations but also a big challenge for IT departments. IT has the daunting task of providing secure access to corporate resources without exposing risks such as:

  • Unauthorized users gaining access to company networks and systems from lost or stolen devices
  • Malware and ransomware infected devices acting as a conduit to infect company systems
  • Interception of company data in-flight on unsecured public WiFi networks
  • Loss of business data stored on devices if rogue personal apps or unauthorized users gain access to that data
  • The ability to react as quickly as possible to minimize the window of exposure before an attacker can potentially cripple the organization

To address these risks and empower IT, SonicWall Access Security (SMA) solutions with policy-enforced SSL VPN deliver seamless remote access with the highest standards of security. SMA OS 8.6 expands the feature set on the Secure Mobile Access (SMA) 100 Series appliances with enhanced security and intuitive features that deliver the best experience for remote access.

  • Microsoft RD Web Access integration – Admins can now select to offload applications on the RD Web Access portal, onto any web browser. This new feature provides users with seamless access to remote desktops and applications through web browsers.
  • Enhanced security – SMA uses an in-house connect agent to establish a secure connection for RD Web Access without needing to set up a VPN tunnel. The agent has no dependency on Java or Active X.
  • Driverless printer redirection – Print files from remote desktops seamlessly, just like printing a local file. Files on remote desktops can be published as a PDF on your local machine and can be printed locally.
  • Modernized UI – A refreshed UI that is even more intuitive for users and admins. The firmware conforms to the new SonicWall branding guidelines.

Customers with an active support contract can download SonicWall SMA OS 8.6 from mysonicwall.com.

Mobile Workers and BYOD are Here to Stay: Is Your Data Secure?

The way business professionals work has changed dramatically over the last several years, and continues to do so at an ever-growing rate. They are on the go and working from different locations across all hours using many devices to allow for a work/life balance. We have become an “always-on” society.

Workers are also doing more work remotely, whether it be at a coffee shop, on the train to work, or on a business trip from a hotel room. People want to stay in touch wherever they are and whenever they need to. They also want to use the device they like, whether it is a smartphone, tablet or laptop. In addition, they also need access to the applications they choose to use, some from their work, others of their own. And most importantly, they need access to the data required to do their jobs, whether it is online through the Internet or behind their company’s firewall on the intranet.

Companies clearly need to find a way to provide their mobile workers secure access to any data from any device at any time. That said, companies’ IT organizations need to understand the risks they are opening themselves up to if they don’t take necessary precautions including data loss, malware, device proliferation, rogue applications, lost and stolen devices with data onboard, credential theft, etc.

Today, IT can implement a number of solid mobile workforce management and mobile security management tools to help secure mobile data and devices, such as:

  • Mobile Device Management (MDM)
  • Mobile Application Management (MAM)
  • Secure Sockets Layer Virtual Private Network (SSL VPN)
  • Network Access Control (NAC)

Learn more about what the industry is seeing around providing secure mobile access over BYOD by reading our executive brief, “Ready or not, mobile workers and BYOD are here to stay.”