As part of SonicWall’s commitment to performance, security and usability, we are introducing SMA 100 Series release 10.2.1.7.
SonicWall Secure Mobile Access (SMA) 100 Series is a unified secure access gateway that allows organizations to offer remote users virtual private network (VPN) access to their corporate applications. SMA 100 Series release 10.2.1.7 includes several key security features that protect the operating system from potential attack as well as updates to the OpenSSL Library.
SonicWall has taken the approach of incorporating security enhancements in their products, such as the SMA 100 series, which helps identify potentially compromised devices by performing several checks at the operating system level and baselining normal operating system state. In addition, SonicWall sends anonymous encrypted data to backend servers, including device health data, to detect and confirm security events and release new software to correct the issue.
SMA 100 Security Enhancements with NIST 800-61
SMA 100 10.2.1.7 follows the NIST incident response playbook of detection and analysis, containment, eradication, and recovery.
Detection & Analysis: The SMA 100 10.2.1.7 continuously monitors the operating system (also called firmware) for any anomalous behavior and deviations from normal operations. Further analysis is done to determine if these aberrations represent actual security incidents. If a security incident is discovered on the local system, additional diagnostic metadata is collected from the operating system to determine the root cause of the incident.
Containment: After detecting a potentially malicious event, it is important to contain the intrusion before an adversary can access more resources and cause further damage. If the SMA 100 is deemed to have deviated from normal behavior, short-term containment is performed. This involves restricting specific network communications from the SMA 100 to avoid communications to malicious servers.
Figure: SMA 100 Incident Response Methodology
Eradication: If SMA 100 has been deemed to be compromised, eradication is the process of trying to eliminate the root cause of the incident and either evict the adversary or mitigate the vulnerability that may have enabled the adversary to enter the environment. To achieve this, suspicious processes are terminated, and unauthorized files are removed from the operating system.
Recovery: This phase involves bringing an affected SMA 100 back to normal operations to avoid future incidents. When the SMA 100 has a confirmed security incident after our internal analysis, customers are notified by SonicWall support. SonicWall will work with the affected customers to upgrade them to newer firmware.
Hygiene: While not part of the incident response playbook, good security hygiene and following industry security practices is important in staying proactive against cyber threats. SMA 100 10.2.1.7 also checks to see if the end customer is following security best practices, such as ensuring password expiration and multi-factor authentication and enabling web application firewalling to secure the SMA 100. If these have not been enabled, the customer is prompted to do so using proactive messages on the administrative user interface.
SMA 100 gets updated OpenSSL library
SMA 100 leverages the OpenSSL Library to offer SSL-VPN connection security. We are updating the OpenSSL Library to the 1.1.1t version to patch third-party OpenSSL vulnerability documented in ‘CVE-2022-4304: A timing-based side channel exists in the OpenSSL RSA Decryption implementation.’
SonicWall recommends all SMA 100 customers upgrade to 10.2.1.7 by logging in to MySonicWall or by following the guidance in the following resources.