MSS FW Best Practices: Security Services

Description

CAUTION: These documents are intended to provide partners with firewall configuration recommendations ONLY. They contain examples, and caution should be exercised when making changes to your firewall: unplanned changes can result in downtime, depending on the complexity of the environment and/or configuration.


MSS Recommended SonicWall Firewall Best Practices Index


Excluding Devices from Security Services

  • Each security service has a spot to specify an “Exclusion Group”.
  • There are two ways to exclude local devices from Security Services:
    • Create a “Security Exclusion Group” and exclude it from all security services.
    • Create an “Address Object Exclusion Group” for each security service and exclude them from the applicable security service. (This is recommended as it’s more secure and retains the most control)
  • Only exclude devices if absolutely necessary.
  • Excluded devices will NOT be protected.

Security Services Enhanced Security Setting

All generation 7 firewalls come set to Performance Optimized by default, which is the recommended setting.

  1. To enable what was formerly known in Gen 6/6.5 as Maximum Security, enable Enhanced Security (not recommended).



Gateway Anti-Virus (GAV)

GAV best practices and recommended configuration

  1. Under the Gateway Anti-Virus tab:
    1. Enable all options.
    2. Note on TCP Stream: if it is not enabled, DPI only scans the listed protocols (HTTP, FTP, SMTP, etc.) on their default port(s).
  2. Under the Cloud Anti-Virus tab:
    1. Enable Cloud Anti-Virus Database.
  3. Click Configure for each protocol (HTTP, FTP, etc.):
    1. Enable: Restrict Transfer of password-protected ZIP files
    2. Enable: Restrict Transfer of MS-Office type files containing macros (VBA 5 and above)
    3. Enable: Restrict Transfer of packed executable files (UPX, FSG, etc.)
  4. Keep in mind that these transfer restrictions might cause challenges or inconveniences for users.
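As an added illustration (not SonicWall's code, and not part of the original page), the following Python script shows the kind of content check that sits behind the three "Restrict Transfer" options: it looks for the encryption flag in a ZIP local file header, for a VBA project part inside an Office (OOXML) document, and for a known packer marker in an executable. All sample files are constructed in memory and are not real malware; the packer check is a simplified heuristic, the thresholds and file names are this example's own assumptions.

```python
import io
import struct
import zipfile

ZIP_LOCAL_HEADER = b"PK\x03\x04"
ZIP_ENCRYPTED_FLAG = 0x0001  # general-purpose flag bit 0 = entry is encrypted (PKWARE APPNOTE)


def is_password_protected_zip(data: bytes) -> bool:
    """True if any local file header in the ZIP has the encryption bit set."""
    pos = data.find(ZIP_LOCAL_HEADER)
    while pos != -1 and pos + 30 <= len(data):
        flags = struct.unpack_from("<H", data, pos + 6)[0]   # flags live at header offset 6
        if flags & ZIP_ENCRYPTED_FLAG:
            return True
        pos = data.find(ZIP_LOCAL_HEADER, pos + 4)
    return False


def has_office_macros(data: bytes) -> bool:
    """True if an OOXML package (docx/xlsx/pptx, also their macro variants) carries a VBA project."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


# Simplified heuristic (assumption for this example): an MZ header plus a packer section
# name or signature. A production scanner parses the PE section table instead.
PACKER_MARKERS = (b"UPX0", b"UPX1", b"UPX!", b"FSG!")


def looks_packed(data: bytes) -> bool:
    return data[:2] == b"MZ" and any(marker in data for marker in PACKER_MARKERS)


def classify(data: bytes) -> list[str]:
    """Return the list of transfer-restriction reasons that apply to a file (empty = allowed)."""
    reasons = []
    if is_password_protected_zip(data):
        reasons.append("password-protected ZIP")
    if has_office_macros(data):
        reasons.append("Office document with VBA macros")
    if looks_packed(data):
        reasons.append("packed executable")
    return reasons


# ---- constructed sample files -------------------------------------------------------------

def make_zip(entries: dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def make_password_protected_zip() -> bytes:
    """A plain ZIP whose local-header encryption bit is forced on (content is not actually encrypted)."""
    data = bytearray(make_zip({"readme.txt": b"hello"}))
    flags = struct.unpack_from("<H", data, 6)[0]
    struct.pack_into("<H", data, 6, flags | ZIP_ENCRYPTED_FLAG)
    return bytes(data)


SAMPLES = {
    "plain.zip": make_zip({"readme.txt": b"hello"}),
    "secret.zip": make_password_protected_zip(),
    "clean.docx": make_zip({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>"}),
    "invoice.docm": make_zip({"[Content_Types].xml": b"<Types/>",
                              "word/document.xml": b"<w:document/>",
                              "word/vbaProject.bin": b"\xd0\xcf\x11\xe0"}),   # OLE magic, no real macro code
    "tool.exe": b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"UPX0" + b"\x00" * 32 + b"UPX1",  # fake PE blob
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:14s} -> {classify(blob) or ['transfer allowed']}")
```

Note that the password-protected ZIP check fires even though the archive could be opened: the restriction is about what cannot be inspected (an encrypted payload), not about whether the file is proven malicious, which is why the page warns that these options inconvenience users.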

To report false positives to SonicWall, see: How can I report false positives or Virus/Trojan/Malware samples to the Gateway AntiVirus team?


Anti-Spyware

Anti-Spyware best practices and recommended configuration

  1. Enable all options.



Intrusion Prevention Service (IPS)

IPS best practices and recommended configuration

  1. For High & Medium Priority Attacks:
    1. Enable both the Prevent and Detect boxes.
  2. For Low Priority Attacks:
    1. Do not enable either.
  3. Ensure the Log Redundancy Filter is set to 60 seconds for each signature group.


Botnet Filter

Botnet Filter best practices and recommended configuration

  • DO NOT use the “Default GEO IP & Botnet Filter Exclusion Group”! Always create your own!
  1. Enable “Block connections to/from Botnet Command and Control Servers”
  2. Enable “Dynamic Botnet List”
  3. Enable “Logging”



App Control

App Control best practices and recommended configuration

  1. Enable “App Control”
  2. Enable “Logging for all Apps”
  3. Ensure that the Global Log Redundancy Filter Interval is set to 60.


  4. Configure each App Control category according to the MSS recommendations below (Nothing, Log, or Block & Log):

Category | MSS Recommendation
--- | ---
APP-UPDATE | Nothing
BACKUP-APPS | Log
BROWSING-PRIVACY | Log
BUSINESS-APPS | Log
DATABASE-APPS | Log
DOWNLOAD-APPS | Log
EMAIL-APPS | Log
FILETYPE-DETECTION | Log
GAMING | Block & Log
IM | Log
INFRASTRUCTURE | Nothing
IoT-APPS | Log
MINERS | Block & Log
MISC-APPS | Log
MOBILE-APPS | Log
MULTIMEDIA | Log
P2P | Block & Log
P2P \ Non-SSL traffic over SSL port | Nothing
PROTOCOLS | Nothing
PROXY-ACCESS | Block & Log
PROXY-ACCESS \ Encrypted Key Exchange | Nothing
REMOTE-ACCESS | Log
REMOTE-DEBUG | Log
SCADA-APPS | Log
SOCIAL-NETWORKING | Block & Log
SRC-CTRL-APPS | Log
STOCK-TRADING | Log
VoIP-APPS | Log
VPN | Log
WEB-BROWSER | Nothing
WEB-CONFERENCING | Log
WEBMAIL | Log


Content Filtering (CFS)

CFS best practices and recommended configuration

To view SonicWall’s rating for a URL: SonicWALL Content-Filter Website Rating Review

On the Content Filter page under the “Security Service” page:

  1. Enable Content Filtering Service.
  2. Disable Exclude Administrator.

Below are the MSS best practices/recommendations for configuring your individual CFS policies on the Content Filter page under the “Profile Objects” page:

Security Risk: Block All
  • Keyloggers and Monitoring: Block
  • Malware: Block
  • Phishing and Other Frauds: Block
  • Proxy Avoidance and Anonymizers: Block
  • Spyware and Adware: Block
  • Bot Nets: Block
  • SPAM URLs: Block
  • Open HTTP Proxies: Block

Human Resource Protections: Block All
  • Drugs/Illegal Drugs: Block
  • Pornography: Block
  • Sex Education: Block
  • Intimate Apparel/Swimsuit: Block
  • Gross: Block
  • Nudism: Block
  • Alcohol/Tobacco: Block
  • Adult/Mature Content: Block
  • Personals and Dating: Block
  • Internet Watch Foundation CAIC: Block

Questionable/Legal: Block All
  • Cult/Occult: Block
  • Gambling: Block
  • Marijuana: Block
  • Hacking: Block
  • Weapons: Block
  • Pay to Surf Sites: Block
  • Questionable: Block
  • Hate and Racism: Block
  • Violence: Block
  • Cheating: Block
  • Illegal Skills/Questionable Skills: Block
  • Abortion/Advocacy Groups: Block
  • Radicalization and Extremism: Block

Social Media/Internet Communication: Allow All
  • Social Networking: Allow
  • Personal Sites and Blogs: Allow
  • Online Greeting Cards: Allow
  • Search Engines and Portals: Allow
  • Advertisement: Allow
  • E-Mail: Allow
  • Web Communications: Allow
  • Dynamic Content: Allow
  • Chat/Instant Messaging (IM): Allow
  • Usenet News Groups: Allow

Shopping: Allow All
  • Internet Auctions: Allow
  • Shopping: Allow
  • Freeware/Software Downloads: Allow

Entertainment: Allow All
  • Arts/Entertainment: Allow
  • Multimedia: Allow
  • P2P: Allow
  • Games: Block
  • Music: Allow

Lifestyle: Allow All
  • Travel: Allow
  • Home and Garden: Allow
  • Religion: Allow
  • Hunting and Fishing: Allow
  • Society and Lifestyle: Allow
  • Sports: Allow
  • Fashion and Beauty: Allow
  • Recreation and Hobbies: Allow
  • Humor/Jokes: Allow

Business/Government/Services: Allow All
  • Real Estate: Allow
  • Computer and Internet Security: Allow
  • Online Banking: Allow
  • Business and Economy: Allow
  • Information Technology/Computers: Allow
  • Military: Allow
  • Online Brokerage and Trading: Allow
  • Training and Tools: Allow
  • Online Personal Storage: Allow
  • Government: Allow
  • Content Delivery Networks: Allow
  • Vehicles: Allow
  • Web Hosting: Allow
  • Restaurants and Dining: Allow

General Information: Allow All
  • Legal: Allow
  • Local Information: Allow
  • Job Search: Allow
  • Translation: Allow
  • Reference: Allow
  • Political/Advocacy Groups: Allow
  • Education: Allow
  • Kid Friendly: Allow
  • News and Media: Allow
  • Health: Allow
  • Image and Video Search: Allow
  • Cultural Institutions: Allow
  • Other: Allow

Uncategorized: Allow All
  • Not Rated: Allow
  • Dead Sites: Allow
  • Parked Domains: Allow
  • Private IP Addresses: Allow


Capture ATP (If purchased):

CATP best practices and recommended configuration

Under the Basic tab:

  1. Enable Capture ATP.
  2. Select all under FILE TYPES FOR CAPTURE ATP ANALYSIS.

Under the Advanced tab:

  1. Select “Block file download until a verdict is returned”. This may delay downloads for users and may require users to retry the download.


DNS Security (If purchased):

DNS Security is the centralized DNS management in SonicOS. It is built on the DNS proxy and provides DNS Filtering, the DNS Sinkhole service, and DNS Tunnel Detection. It resembles the Content Filtering Service (CFS), but CFS can only act once the firewall has completed its full inspection of a connection. DNS Security instead acts at the DNS layer: a lookup for a malicious domain is intercepted and stopped before any connection to that domain is made, so there is nothing left for the firewall to inspect.

A second difference is update frequency: CFS databases are refreshed every 12-24 hours, whereas the DNS data is updated every few minutes. DNS filtering intercepts users' DNS requests and checks them against a database of known malicious domains, blocking access to suspicious sites before a connection is established.

DNS filtering also helps network performance. Blocking unnecessary or undesirable sites reduces bandwidth consumption, which matters in corporate environments where inadvertent access to such sites affects both performance and security.

In short, DNS filtering protects against malicious sites, filters inappropriate content, and reduces wasted bandwidth, which makes it a valuable control for individuals and organizations alike.

DNS Filtering

Neustar is a public DNS service that categorizes domain names. By integrating the Neustar DNS service with the SonicWall firewall, SonicWall customers get domain categorization together with DNS resolution. SonicWall supports profiles that apply different actions to different categories; each DNS packet is then processed according to the action for its category. Neustar supports 19 pre-defined categories and SonicWall supports 4 actions. For more information, see: About DNS Filtering

It is important to note that this feature requires the network clients' DNS server setting to point at the firewall; the firewall then acts as the network's DNS server.

DNS Filtering best practices and recommended configuration:

Prerequisite

To use DNS Filtering, the following must be configured:

  • Ensure DNS Filtering is licensed under Gateway Services on the license page.
  • Add/Edit/Delete DNS policies manually under Policy > Rules and Policies > DNS Rules. For more information on adding a DNS policy, refer to the SonicOS Rules and Policies guide.
  • Add/Edit/Delete DNS Profiles under Object > Profile Objects > DNS Filtering. For more information on adding a DNS profile, refer to the SonicOS Objects guide.
  • Set the DHCP DNS Server in the lease scope to the firewall's interface IP in the Dynamic Range Configuration. For more information on Dynamic Range Configuration, refer to the SonicOS System guide.
  • Enable Enforce DNS Proxy For All DNS Requests under Network > DNS > DNS Proxy.

To configure Global settings:

  1. Navigate to POLICY | DNS Security > Settings.
  2. Select the DNS Filtering tab.
  3. Click the Global Settings tab and enable the option Enable White List. The White List applies to both the DNS Sinkhole Service and DNS Filtering.
  4. Configure both Forged IPv4 Address and Forged IPv6 Address.
  5. Click Accept.

To configure a Custom Domain:

  1. Navigate to POLICY | DNS Security > Settings.
  2. Select the DNS Filtering tab.
  3. Click the Custom Domain tab. Under Category Information you can find the available categories and their descriptions.
  4. For each domain name you want to add as a custom domain under the Config Custom Domain section:
    1. Click +Add. The Add DNS filter Custom Domain dialog displays.
    2. Enter the custom domain name in the Domain Name field.
    3. Select the category from the drop-down in the Category field.
    4. Click Save.

DNS Sinkhole Service

A DNS sinkhole, also known as a sinkhole server, Internet sinkhole, or blackhole DNS, is a DNS server that gives out false answers to prevent the use of the domain names it represents. DNS sinkholes are effective at detecting and blocking malicious traffic and are used to combat bots and other unwanted traffic.

SonicOS provides the ability to configure a sinkhole with black- and whitelists.

DNS Sinkhole Service best practices and recommended configuration:

To configure DNS Sinkhole settings:

  1. Navigate to POLICY | DNS Security > Settings.
  2. Select the DNS Sinkhole Service tab.
  3. Select Enable DNS Sinkhole Service under the Settings tab. This option is not selected by default.
  4. Click the Global Settings tab and enable the option Enable White List.
  5. From the Action drop-down menu, select what the service should do:
    • Dropping with Logs
    • Dropping with Negative DNS reply to Source
    • Dropping with DNS reply of Forged IP
  6. Check the IPv4 Address and IPv6 Address fields and the Current Detection and Malicious Domain fields.
  7. Click Accept.

To configure the Custom Malicious Domain Name List:

  1. Navigate to POLICY | DNS Security > Settings.
  2. Select the DNS Sinkhole Service tab.
  3. Click the Custom Malicious Domain Name tab.
  4. For each domain name you want to add as a malicious domain name:
    1. Click +Add. The Add One Domain Name dialog displays.
    2. Enter the malicious domain name in the Domain Name field.
    3. Click Save.

Deleting Entries in the Custom Malicious Domain Name List

  1. Navigate to POLICY | DNS Security > Settings.
  2. Select the DNS Sinkhole Service tab.
  3. Click the Custom Malicious Domain Name tab.
  4. Select an entry to delete, or select the top checkbox next to the Domain Name column to select all of the items in the list.
  5. Click Delete.
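To make the three sinkhole actions and the white-list precedence concrete, here is an added Python model of the decision a sinkholing resolver makes per query. It is an illustration written for this page, not SonicOS code: the matching rule (an entry covers the name and all its subdomains), the verdict names, and the sample domains and addresses (RFC 2606 .example names, RFC 5737/RFC 3849 documentation addresses) are this example's own assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Action(Enum):
    """The three choices in the sinkhole Action drop-down."""
    DROP_WITH_LOG = "Dropping with Logs"
    NEGATIVE_REPLY = "Dropping with Negative DNS reply to Source"
    FORGED_IP = "Dropping with DNS reply of Forged IP"


@dataclass(frozen=True)
class Query:
    client: str   # source IP of the querying host
    qname: str    # name being resolved
    qtype: str    # "A" or "AAAA"


@dataclass
class Decision:
    verdict: str            # "forward", "drop", "nxdomain" or "forged"
    answer: Optional[str]   # forged address, only when verdict == "forged"
    log: Optional[str]      # log line, only when the sinkhole acted


@dataclass
class Sinkhole:
    enabled: bool
    action: Action
    forged_ipv4: str
    forged_ipv6: str
    malicious: set          # known-malicious domains: feed plus the custom list
    whitelist: set          # White List domains, always checked first

    @staticmethod
    def _matches(qname: str, names: set) -> bool:
        # Assumption: an entry covers the name itself and every subdomain,
        # so an entry for evil.example also catches c2.evil.example.
        labels = qname.lower().rstrip(".").split(".")
        return any(".".join(labels[i:]) in names for i in range(len(labels)))

    def resolve(self, q: Query) -> Decision:
        if not self.enabled or self._matches(q.qname, self.whitelist):
            return Decision("forward", None, None)          # normal resolution
        if not self._matches(q.qname, self.malicious):
            return Decision("forward", None, None)
        log = (f"DNS sinkhole: client={q.client} qname={q.qname} "
               f"qtype={q.qtype} action={self.action.value}")
        if self.action is Action.DROP_WITH_LOG:
            return Decision("drop", None, log)              # no reply; the client times out
        if self.action is Action.NEGATIVE_REPLY:
            return Decision("nxdomain", None, log)          # immediate NXDOMAIN to the client
        answer = self.forged_ipv6 if q.qtype == "AAAA" else self.forged_ipv4
        return Decision("forged", answer, log)              # client connects to the forged IP


def demo() -> list:
    """Run a constructed set of queries through a sinkhole in forged-IP mode."""
    sink = Sinkhole(
        enabled=True, action=Action.FORGED_IP,
        forged_ipv4="192.0.2.1", forged_ipv6="2001:db8::1",
        malicious={"evil.example", "partner.example"},   # partner.example: a feed false positive
        whitelist={"partner.example"},                   # ... corrected via the White List
    )
    queries = [
        Query("10.0.0.5", "c2.evil.example", "A"),
        Query("10.0.0.5", "c2.evil.example", "AAAA"),
        Query("10.0.0.6", "www.partner.example", "A"),
        Query("10.0.0.6", "www.good.example", "A"),
    ]
    return [sink.resolve(q) for q in queries]


if __name__ == "__main__":
    for d in demo():
        print(d.verdict, d.answer, d.log)
```

The forged-IP mode is the one that yields the most for a defender: every host that later tries to connect to 192.0.2.1 (or 2001:db8::1) has resolved a sinkholed name, so a firewall rule logging traffic to the forged addresses doubles as an infected-host report. The white list is consulted before the malicious list, which is why a false positive in the feed can be overridden by a single entry.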

DNS Tunnel Detection

DNS tunneling is a method of bypassing security controls and exfiltrating data from a targeted organization. A DNS tunnel can be used as a full remote-control channel for a compromised internal host. Capabilities include Operating System (OS) commands, file transfers, or even a full IP tunnel.

SonicOS provides the ability to detect DNS tunneling attacks, displays suspicious clients, and allows you to create white lists for DNS tunnel detection.

When DNS tunneling detection is enabled, SonicOS logs whenever suspicious DNS packets are dropped.

DNS Tunneling settings can be made at the group or unit level.

DNS Tunnel Detection best practices and recommended configuration:

To configure DNS tunnel detection:

  1. Navigate to POLICY | DNS Security > Settings.
  2. Click the DNS Tunnel Detection tab.
  3. Under Settings, select Enable DNS Tunnel Detection.
  4. To block all DNS traffic from the detected clients, select Block All the Clients DNS Traffic.
  5. Click Accept.

Detected Suspicious Client Information

SonicOS displays information about all hosts that have established a DNS tunnel in the Detected Suspicious Clients Info table.

  1. Navigate to POLICY | DNS Security > Settings.
  2. Select the DNS Tunnel Detection tab.
  3. Click the Detected Suspicious Clients Info tab.

This table is populated only if DNS tunnel detection is enabled. Hosts are dropped only if Block All the Clients DNS Traffic is also enabled.

Column | Description
--- | ---
IP Address | IP address of the suspicious client
MAC Address | MAC address of the suspicious client
Detection Method | DNS record type used to detect the client: Normal DNS Type (A, AAAA, CNAME) or Corner DNS Type (such as TXT, NULL, SRV, PRIVATE, and MX)
Interface | Interface on which the host establishing the DNS tunnel was detected
Block | Indicates whether the host was blocked

Creating a White List for DNS Tunnel Detection

You can create white lists for IP addresses you consider safe. If a detected DNS tunnel IP address matches an address in the white list, DNS tunnel detection is bypassed for that address.

  1. Navigate to POLICY | DNS Security > Settings.
  2. Select the DNS Tunnel Detection tab.
  3. Click the White List for DNS Tunnel Detection tab.
  4. For each IP address you want to add to the white list:
    1. Click +Add. The Add One White Entry dialog displays.
    2. In the IP Address field, enter the IP address to be added to the white list.
    3. Click Save.

Deleting White List Entries for DNS Tunnel Detection

  1. Navigate to POLICY | DNS Security > Settings.
  2. Select the DNS Tunnel Detection tab.
  3. Click the White List for DNS Tunnel Detection tab.
  4. Select an entry to delete, or select the top checkbox next to the IP Address column to select all of the items.
  5. Click Delete.
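The DNS Tunnel Detection section above describes two detection methods (normal record types versus "corner" types such as TXT, NULL, SRV, PRIVATE and MX), a per-client white list that bypasses detection, and a table of detected clients with an optional block. The following added Python example, written for this page and not SonicOS code, runs a simplified version of that logic over constructed DNS query log lines. The log format, the thresholds (five corner-type queries, or five normal-type queries with a label of 40 or more characters) and the sample addresses are this example's own assumptions; SonicOS's actual heuristics are not documented here.

```python
from dataclasses import dataclass

NORMAL_TYPES = {"A", "AAAA", "CNAME"}                   # "Normal DNS Type" in the table
CORNER_TYPES = {"TXT", "NULL", "SRV", "PRIVATE", "MX"}   # "Corner DNS Type" in the table

# Thresholds are assumptions made for this example, not SonicOS values.
CORNER_QUERIES_BEFORE_FLAG = 5
LONG_LABEL_CHARS = 40
LONG_LABEL_QUERIES_BEFORE_FLAG = 5


@dataclass
class SuspiciousClient:
    """One row of the Detected Suspicious Clients Info table."""
    ip: str
    mac: str
    detection_method: str
    interface: str
    block: bool


def parse_line(line: str) -> dict:
    """Parse the constructed key=value log format used by SAMPLE_LOG."""
    return dict(field.split("=", 1) for field in line.split())


def detect(lines: list, whitelist: set, block_clients: bool) -> list:
    """Replay query logs and return the clients a tunnel detector would flag."""
    corner_count: dict = {}
    long_label_count: dict = {}
    flagged: dict = {}
    for line in lines:
        rec = parse_line(line)
        ip = rec["src"]
        if ip in whitelist or ip in flagged:     # white list bypasses detection entirely
            continue
        qtype = rec["qtype"].upper()
        longest_label = max(len(label) for label in rec["qname"].split("."))
        method = None
        if qtype in CORNER_TYPES:
            corner_count[ip] = corner_count.get(ip, 0) + 1
            if corner_count[ip] >= CORNER_QUERIES_BEFORE_FLAG:
                method = "Corner DNS Type"
        elif qtype in NORMAL_TYPES and longest_label >= LONG_LABEL_CHARS:
            # Tunnels over ordinary A/AAAA lookups hide data in long leftmost labels.
            long_label_count[ip] = long_label_count.get(ip, 0) + 1
            if long_label_count[ip] >= LONG_LABEL_QUERIES_BEFORE_FLAG:
                method = "Normal DNS Type"
        if method:
            flagged[ip] = SuspiciousClient(ip, rec["mac"], method, rec["if"], block_clients)
    return sorted(flagged.values(), key=lambda c: c.ip)


# ---- constructed sample log (IANA documentation MAC prefix 00:00:5e:00:53) ----------------

def _q(src: str, mac: str, qtype: str, qname: str, iface: str = "X0") -> str:
    return f"src={src} mac={mac} if={iface} qtype={qtype} qname={qname}"


SAMPLE_LOG = (
    # 10.0.0.7: repeated TXT lookups with a long, data-like leftmost label
    [_q("10.0.0.7", "00:00:5e:00:53:07", "TXT", f"{'a' * 48}{i}.t.example") for i in range(6)]
    # 10.0.0.8: same shape but over plain A records
    + [_q("10.0.0.8", "00:00:5e:00:53:08", "A", f"{'b' * 48}{i}.t.example") for i in range(6)]
    # 10.0.0.9: looks like 10.0.0.7 but will be on the white list
    + [_q("10.0.0.9", "00:00:5e:00:53:09", "TXT", f"{'c' * 48}{i}.t.example") for i in range(6)]
    # 10.0.0.10: ordinary browsing lookups, short labels
    + [_q("10.0.0.10", "00:00:5e:00:53:0a", "A", n)
       for n in ("www.example.com", "mail.example.org", "cdn.example.net")]
)

if __name__ == "__main__":
    for c in detect(SAMPLE_LOG, whitelist={"10.0.0.9"}, block_clients=True):
        print(f"{c.ip:10s} {c.mac}  {c.detection_method:16s} {c.interface}  block={c.block}")
```

Two behaviours from the page are visible in the output: the white-listed 10.0.0.9 never appears even though its traffic matches, and the Block column only turns true when Block All the Clients DNS Traffic is on; with it off the detector still populates the table but drops nothing.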

White List

DNS Security White List best practices and recommended configuration:

You can create white lists for domain names you consider safe.

The default White List entries have been removed by design; the list shows No data by default.

To create a white list:

  1. Navigate to POLICY | DNS Security > Settings.
  2. Click the White List tab.
  3. For each domain name you want to add to the white list:
    1. Click +Add. The Domain Name dialog displays.
    2. In the Domain Name field, enter the domain name to white list.
    3. Click Save.

To delete white list entries:

  1. Navigate to POLICY | DNS Security > Settings.
  2. Click the White List tab.
  3. Select an entry to delete, or select the top checkbox in the column header to select all of the items.
  4. Click Delete.


Geo IP

Geo-IP best practices and recommended configuration

  • DO NOT use the “Default GEO IP & Botnet Filter Exclusion Group”! Always create your own!
  1. Enable “Block connections to/from countries selected in the Countries tab”
  2. Enable “Logging”


  3. In the Countries tab:
    1. Enable “Block all Unknown countries”
    2. Block the MSS recommended countries below:

Country | MSS Recommendation
--- | ---
Afghanistan | Block
Aland Islands | Block
Albania | Block
Algeria | Block
American Samoa | Block
Andorra | Block
Angola | Block
Anguilla | Block
Anonymous Proxy/Private IP | Block
Antarctica | Block
Antigua and Barbuda | Block
Argentina | Block
Armenia | Block
Aruba | Block
Asia/Pacific Region | Block
Australia | Allow
Austria | Allow
Azerbaijan | Block
Bahamas | Block
Bahrain | Block
Bangladesh | Block
Barbados | Block
Belarus | Block
Belgium | Block
Belize | Block
Benin | Block
Bermuda | Block
Bhutan | Block
Bolivia | Block
Bonaire, Saint Eustatius and Sa | Block
Bosnia and Herzegovina | Block
Botswana | Block
Bouvet Island | Block
Brazil | Block
British Indian Ocean Territory | Block
Brunei Darussalam | Block
Bulgaria | Block
Burkina Faso | Block
Burundi | Block
Cambodia | Block
Cameroon | Block
Canada | Allow
Cape Verde | Block
Cayman Islands | Block
Central African Republic | Block
Chad | Block
Chile | Block
China | Block
Christmas Island | Block
Cocos (Keeling) Islands | Block
Colombia | Block
Comoros | Block
Congo | Block
Congo, The Democratic Republic | Block
Cook Islands | Block
Costa Rica | Block
Cote d'Ivoire | Block
Croatia | Block
Cuba | Block
Curacao | Block
Cyprus | Block
Czech Republic | Block
Denmark | Block
Djibouti | Block
Dominica | Block
Dominican Republic | Block
Ecuador | Block
Egypt | Block
El Salvador | Block
Equatorial Guinea | Block
Eritrea | Block
Estonia | Block
Ethiopia | Block
Europe | Allow
Falkland Islands (Malvinas) | Block
Faroe Islands | Block
Fiji | Block
Finland | Block
France | Allow
French Guiana | Block
French Polynesia | Block
French Southern Territories | Block
Gabon | Block
Gambia | Block
Georgia | Block
Germany | Allow
Ghana | Block
Gibraltar | Block
Greece | Block
Greenland | Block
Grenada | Block
Guadeloupe | Block
Guam | Block
Guatemala | Block
Guernsey | Block
Guinea | Block
Guinea-Bissau | Block
Guyana | Block
Haiti | Block
Heard Island and McDonald Islan | Block
Holy See (Vatican City State) | Block
Honduras | Block
Hong Kong | Block
Hungary | Block
Iceland | Block
India | Block
Indonesia | Block
Iran, Islamic Republic of | Block
Iraq | Block
Ireland | Allow
Isle of Man | Block
Israel | Block
Italy | Block
Jamaica | Block
Japan | Block
Jersey | Block
Jordan | Block
Kazakhstan | Block
Kenya | Block
Kiribati | Block
Korea, Democratic People's Repu | Block
Korea, Republic of | Block
Kuwait | Block
Kyrgyzstan | Block
Lao People's Democratic Republi | Block
Latvia | Block
Lebanon | Block
Lesotho | Block
Liberia | Block
Libyan Arab Jamahiriya | Block
Liechtenstein | Block
Lithuania | Block
Luxembourg | Block
Macao | Block
Macedonia | Block
Madagascar | Block
Malawi | Block
Malaysia | Block
Maldives | Block
Mali | Block
Malta | Block
Marshall Islands | Block
Martinique | Block
Mauritania | Block
Mauritius | Block
Mayotte | Block
Mexico | Block
Micronesia, Federated States of | Block
Moldova, Republic of | Block
Monaco | Block
Mongolia | Block
Montenegro | Block
Montserrat | Block
Morocco | Block
Mozambique | Block
Myanmar | Block
Namibia | Block
Nauru | Block
Nepal | Block
Netherlands | Block
Netherlands Antilles | Block
New Caledonia | Block
New Zealand | Block
Nicaragua | Block
Niger | Block
Nigeria | Block
Niue | Block
Norfolk Island | Block
Northern Mariana Islands | Block
Norway | Block
Oman | Block
Other Country | Block
Pakistan | Block
Palau | Block
Palestinian Territory | Block
Panama | Block
Papua New Guinea | Block
Paraguay | Block
Peru | Block
Philippines | Block
Pitcairn | Block
Poland | Block
Portugal | Block
Puerto Rico | Block
Qatar | Block
Reunion | Block
Romania | Block
Russian Federation | Block
Rwanda | Block
Saint Helena | Block
Saint Kitts and Nevis | Block
Saint Lucia | Block
Saint Martin | Block
Saint Pierre and Miquelon | Block
Saint Vincent and the Grenadine | Block
Samoa | Block
San Marino | Block
Sao Tome and Principe | Block
Satellite Provider | Block
Saudi Arabia | Block
Senegal | Block
Serbia | Block
Seychelles | Block
Sierra Leone | Block
Singapore | Block
Sint Maarten | Block
Slovakia | Block
Slovenia | Block
Solomon Islands | Block
Somalia | Block
South Africa | Block
South Georgia and the South San | Block
Spain | Block
Sri Lanka | Block
Sudan | Block
Suriname | Block
Svalbard and Jan Mayen | Block
Swaziland | Block
Sweden | Allow
Switzerland | Allow
Syrian Arab Republic | Block
Taiwan | Block
Tajikistan | Block
Tanzania, United Republic of | Block
Thailand | Block
Timor-Leste | Block
Togo | Block
Tokelau | Block
Tonga | Block
Trinidad and Tobago | Block
Tunisia | Block
Turkey | Block
Turkmenistan | Block
Turks and Caicos Islands | Block
Tuvalu | Block
Uganda | Block
Ukraine | Block
United Arab Emirates | Block
United Kingdom | Allow
United States | Allow
United States Minor Outlying Is | Allow
Uruguay | Block
Uzbekistan | Block
Vanuatu | Block
Venezuela | Block
Vietnam | Block
Virgin Islands, British | Block
Virgin Islands, U.S. | Block
Wallis and Futuna | Block
Western Sahara | Block
Yemen | Block
Zambia | Block
Zimbabwe | Block
