SMA 1000: Best Practices - Securing the Network Configuration on SMA & CMS

Description

This document describes best practices related to the network configuration to ensure secure access to the SMA & CMS appliances.

Resolution

Configuring the Appliance to Use Dual Interfaces

When configuring the appliance in a dual-homed configuration, services should be split between the interfaces so that management services such as the AMC & CMC are exposed only to trusted networks on the internal interface, whereas public services such as access services & workplaces required for the client VPN are exposed on the external, public-facing interface.  A firewall should be used to limit the external interface to the ports required for VPN access.  For a complete list of ports required for VPN access and/or those needed for more complex architectures, such as when operating in a GTO cluster, see What are the SMA 1000 Series Default Assigned Ports.

Configuring the Appliance to Use a Single Interface

When configuring the appliance in a single-homed configuration, it is highly recommended to use a firewall capable of filtering access to the AMC & CMC so that only trusted networks can reach either.  Access to the administrative consoles over the public internet is highly discouraged; instead, public-facing traffic should be limited to the ports and protocols required for user and authentication access. For a complete list of ports required for VPN access and/or those needed for more complex architectures, such as when operating in a GTO cluster, see What are the SMA 1000 Series Default Assigned Ports.

SSH Access

If both network interfaces are active, the Secure Shell (SSH) service will listen on both. To enhance security, ensure that SSH access is restricted to the IP addresses of trusted management workstations or, at a minimum, to the internal network's address range.

SNMP Service

If both network interfaces are enabled, Simple Network Management Protocol (SNMP) listens on both interfaces. Restrict SNMP service access to the IP addresses of trusted management workstations or, at a minimum, the address range of the internal network.

By default, the Community string field in the AMC SNMP configuration (the string your network management tool uses to query the SMA appliance) is set to public. Be sure to change this to a secure passphrase.

ICMP

If both network interfaces are enabled, activating Internet Control Message Protocol (ICMP) can expose the appliance to discovery from the Internet. The most secure approach is to disable ICMP entirely or restrict it to the internal interface. If ICMP must be enabled, it is recommended to suppress ICMP Echo Request traffic through a firewall or other network security device.
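The checks from the sections above (AMC & CMC on the internal interface only, SSH and SNMP limited to trusted workstations or the internal range, a non-default SNMP community string, no ICMP on the external interface) as an added audit script written for this article; it is example code, not SonicWall's, and the configuration model, field names and addresses are constructed assumptions rather than the appliance's own schema.

```python
import ipaddress
from dataclasses import dataclass
# Constructed model of an SMA 1000 network setup. Field names are assumptions
# made for this example; they are not the appliance's own configuration schema.
@dataclass
class Service:
    name: str              # e.g. "AMC", "CMC", "SSH", "SNMP", "VPN"
    interfaces: set        # subset of {"internal", "external"}
    allowed_sources: list  # CIDR strings; an empty list means "any source"
@dataclass
class NetConfig:
    internal_networks: list   # CIDRs of the trusted internal network(s)
    trusted_mgmt_hosts: list  # CIDRs of trusted management workstations
    services: list
    snmp_community: str
    icmp_interfaces: set      # interfaces on which ICMP is enabled
CONSOLES = {"AMC", "CMC"}                   # internal interface only
RESTRICTED = {"AMC", "CMC", "SSH", "SNMP"}  # need a trusted-source restriction
def sources_within_trusted(sources, cfg):
    """True only if every allowed source range lies inside a trusted range."""
    if not sources:
        return False  # no restriction at all
    trusted = [ipaddress.ip_network(n) for n in cfg.trusted_mgmt_hosts + cfg.internal_networks]
    return all(any(t.version == s.version and s.subnet_of(t) for t in trusted)
               for s in map(ipaddress.ip_network, sources))

def audit(cfg):
    """Return the deviations from the practices described in this article."""
    findings = []
    for svc in cfg.services:
        if svc.name in CONSOLES and "external" in svc.interfaces:
            findings.append(f"{svc.name}: management console exposed on the external interface")
        if svc.name in RESTRICTED and not sources_within_trusted(svc.allowed_sources, cfg):
            findings.append(f"{svc.name}: not limited to trusted workstations or the internal range")
    if cfg.snmp_community.strip().lower() in ("", "public", "private"):
        findings.append("SNMP: default community string in use")
    if "external" in cfg.icmp_interfaces:
        findings.append("ICMP: enabled on the external interface")
    return findings

def sample_config(hardened):
    # Constructed dual-homed setup in its weak and corrected forms.
    mgmt = ["10.0.5.10/32", "10.0.5.11/32"] if hardened else []
    return NetConfig(["10.0.0.0/16"], ["10.0.5.10/32", "10.0.5.11/32"], [
        Service("AMC", {"internal"} if hardened else {"internal", "external"}, mgmt),
        Service("SSH", {"internal", "external"}, mgmt),
        Service("SNMP", {"internal", "external"}, mgmt),
        Service("VPN", {"external"}, [])],  # public VPN service, no restriction expected
        "Str0ng-Passphrase" if hardened else "public",
        {"internal"} if hardened else {"internal", "external"})
```

Running audit(sample_config(False)) lists six findings for the weak setup, while the hardened variant returns an empty list.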

NTP

Synchronize with an external Network Time Protocol (NTP) server to ensure accurate timestamps in the system logs, and to ensure that time-based security checks—such as password and certificate expiration—occur properly.

Server Certificates

Ensure that the appliance server certificate is securely stored and inaccessible to unauthorized individuals. Always encrypt the associated private key with a strong password. If attackers gain access to the certificate and key, they could identify the associated host and potentially decrypt sensitive data.
