Man-in-the-middle (MITM) attacks and HTTP Strict Transport Security (HSTS) recommendations
04/29/2021
Description
Is the SMA1000 vulnerable to the man-in-the-middle attacks that HTTP Strict Transport Security (HSTS) is designed to prevent, for example when a vulnerability scan reports the HSTS header as missing?
Cause
HTTP Strict Transport Security (HSTS) is a security enhancement that a web application declares through a special response header, Strict-Transport-Security. Once a supporting browser has received this header over a valid HTTPS connection, it refuses to send any communication to the specified domain over plain HTTP and instead upgrades all requests to HTTPS for the lifetime given by the header's max-age value. It also prevents the user from clicking through certificate-error warnings for that domain. Note that the policy only takes effect after the first successful HTTPS visit in which the header was received; a browser that has never seen it still starts in the unprotected state.
Resolution
SonicWall recommends placing SMA1000 appliances behind a firewall and allowing only the specific ports required for VPN access:
- TCP 443 for SSL tunneling
- UDP 4500 for ESP tunneling
- UDP 53 for DNS
- Any custom-defined URL ports
SonicWall does not recommend exposing the Appliance Management Console (AMC) to the Internet. AMC access on port 8443 should be restricted to the internal network, with a proper certificate assigned for AMC access.
Securing VPN access:
Apply the following CEM (configuration extension) value to the SMA appliance. Note: SonicWall recommends applying this under Support guidance.
1. Log in to AMC.
2. Click on Maintenance in the left-hand navigation menu.
3. In the URL, append "?advanced=1", and hit return.
4. Click on Configure under the new section Configuration extensions.
5. Click New
6. For the Key field, put in EW_ENABLE_HSTS
7. For the Value field, put in true
8. Click OK.
9. Click Save.
10. Apply Changes (this forces an apply-all, which makes the change take effect).
Note: In a Central Management Server (CMS) deployment, CEM values can be pushed from the CMS to the managed appliances:
1. Log in to AMC on the CMS.
2. Click on Maintenance in the left-hand navigation menu.
3. In the URL, append "?advanced=1", and hit return.
4. Click on Configure under the new section Configuration extensions.
5. Enable the option "On policy synchronization, overwrite all CEMs on the managed appliances with CEMs on the CMS", then save and apply pending changes.
Note:
- Saving and applying pending changes restarts services. This disconnects currently connected users, so schedule the change accordingly.
- The management console (AMC) and Workplace must be served with valid, trusted certificates; HSTS is only honored by browsers when the certificate validates, and it blocks click-through for invalid ones.
- Management console access is always recommended from an internal trusted network only.
- Management console access should be tied to an external authentication server or two-factor authentication (2FA).
- HSTS findings that scanners report against the management console are considered false positives and do not affect the SMA1000 appliance itself.
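After EW_ENABLE_HSTS has been applied, the check a practitioner wants is to confirm that the user-facing service on port 443 (the Workplace portal, not AMC) actually returns a Strict-Transport-Security header with adequate parameters. The following script is an added example for this article, not SonicWall code: it parses the header per RFC 6797 syntax, flags a missing or weak policy, and can optionally fetch the headers from a host given on the command line. The one-year max-age threshold and the sample responses are assumptions constructed here, not values taken from the appliance.

```python
"""Verify that an HTTPS endpoint returns a usable HSTS header.

Added example for this article (not SonicWall code). The ONE_YEAR threshold
is an assumption (the value the browser preload list requires); the sample
responses below are constructed, not captured from a real appliance.
"""
import http.client
import ssl
import sys

ONE_YEAR = 31536000  # seconds; best-practice minimum max-age (assumption)


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value (RFC 6797 syntax).

    Returns {"max_age": int or None, "include_subdomains": bool, "preload": bool}.
    Unknown directives are ignored, as browsers do.
    """
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')  # max-age="300" is valid quoted-string syntax
        if name == "max-age":
            try:
                result["max_age"] = int(arg)
            except ValueError:
                result["max_age"] = None  # malformed: browsers ignore the header
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result


def assess_hsts(headers):
    """Return a list of findings for a response's header dict (names matched case-insensitively).

    An empty list means HSTS is present and adequately configured.
    """
    hsts = None
    for name, value in headers.items():
        if name.lower() == "strict-transport-security":
            hsts = value
            break
    if hsts is None:
        return ["Strict-Transport-Security header missing: browsers will still "
                "accept plain HTTP and certificate click-through for this host"]
    parsed = parse_hsts(hsts)
    findings = []
    if parsed["max_age"] is None:
        findings.append("max-age missing or malformed: header is ignored by browsers")
    elif parsed["max_age"] == 0:
        findings.append("max-age=0 disables HSTS (it clears any cached policy)")
    elif parsed["max_age"] < ONE_YEAR:
        findings.append("max-age %d is below one year" % parsed["max_age"])
    if not parsed["include_subdomains"]:
        findings.append("includeSubDomains absent: subdomains remain unprotected")
    return findings


def fetch_headers(host, port=443, path="/"):
    """Fetch response headers from host over TLS. Requires network access."""
    ctx = ssl.create_default_context()  # verifies the certificate, as a browser would
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
    conn.request("HEAD", path)
    resp = conn.getresponse()
    headers = dict(resp.getheaders())
    conn.close()
    return headers


# Constructed sample responses: before and after enabling HSTS (assumed values).
SAMPLE_BEFORE = {"Server": "x", "Content-Type": "text/html"}
SAMPLE_AFTER = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}

if __name__ == "__main__":
    # Usage: python hsts_check.py workplace.example.com   (hostname is an assumption)
    headers = fetch_headers(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_AFTER
    for finding in assess_hsts(headers) or ["OK: HSTS present and adequately configured"]:
        print(finding)
```

Run it against the Workplace hostname from outside the trusted network; because fetch_headers uses a verifying TLS context, a certificate that is not trusted fails the check before any header is read, which is exactly the condition under which browsers would also ignore the HSTS policy.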