MSS Managed Firewall Best Practice Configuration

Description

The configuration options outlined below are part of MSS’s Firewall Best Practices and align with the Cysurance Cyber Warranty Mitigating Requirements. Each table is headed by the SonicOS menu path where the setting lives and lists the option as it is named in the UI, the MSS value, the factory default, and whether the row is a Cysurance Requirement or a SonicSentry Best Practice.


Device > Settings > Administration > Login / Multiple Administrators > Login security

| Option | Best Practice Value | Default Value | Requirement Category |
|---|---|---|---|
| Password must be changed every (days) | 90 | Disabled | Cysurance Requirement |
| Change password after (hours) | 1 | 1 | Cysurance Requirement |
| Bar repeated passwords for this many changes | 4 | Disabled | Cysurance Requirement |
| New password must contain 8 characters different from the old password | Enable | Disabled | Cysurance Requirement |
| Enforce a minimum password length of | 12 | 8 | Cysurance Requirement |
| Enforce password complexity | Alphanumeric and symbolic characters | None | Cysurance Requirement |
| Complexity Requirement - Upper Case Characters | 2 | 0 | Cysurance Requirement |
| Complexity Requirement - Lower Case Characters | 2 | 0 | Cysurance Requirement |
| Complexity Requirement - Number Characters | 2 | 0 | Cysurance Requirement |
| Complexity Requirement - Symbolic Characters | 2 | 0 | Cysurance Requirement |
| Log out the Admin after inactivity of (mins) | 20 | 5 | Cysurance Requirement |
| Failed login attempts before lockout | 5 | 3 | Cysurance Requirement |
| Admin/user lockout | Enable | Disabled | Cysurance Requirement |
| Local admin/user account lockout | Enable | Disabled | Cysurance Requirement |
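The combined effect of the password rows above (12 characters, at least two of each character class, eight characters changed, no reuse within the last four changes) is easiest to see when the policy is applied to candidate passwords. The Python below is an added illustration, not SonicOS code; the firewall enforces these rules itself. Two points the table does not define are assumptions here: "symbolic" is taken to mean ASCII punctuation, and "characters different from the old password" is counted position by position.

```python
"""Password-change check mirroring the Login security values above.
Added illustration, not SonicOS code. Assumed semantics: "symbolic" means
ASCII punctuation; "characters different" is a position-by-position count."""
import hashlib
import string

MIN_LENGTH = 12             # Enforce a minimum password length of
MIN_PER_CLASS = 2           # Upper / Lower / Number / Symbolic requirements
MIN_DIFFERENT_FROM_OLD = 8  # New password must contain 8 characters different
HISTORY_DEPTH = 4           # Bar repeated passwords for this many changes

REUSE_MESSAGE = f"reuses one of the last {HISTORY_DEPTH} passwords"


def digest(password: str) -> str:
    """History entry for a password. Demonstration only: a real credential
    store keeps a slow, salted hash, never a bare SHA-256."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def chars_different(new: str, old: str) -> int:
    """Positions at which new differs from old; any extra length on either
    side counts as different (assumed semantics, see lead-in)."""
    positional = sum(1 for a, b in zip(new, old) if a != b)
    return positional + abs(len(new) - len(old))


def validate_change(new: str, old: str, history: list[str]) -> list[str]:
    """Return every rule the proposed password violates; [] means accepted.
    history holds digest() values of previous passwords, oldest first."""
    problems: list[str] = []
    if len(new) < MIN_LENGTH:
        problems.append(f"length {len(new)} < {MIN_LENGTH}")
    counts = {
        "upper case": sum(c.isupper() for c in new),
        "lower case": sum(c.islower() for c in new),
        "number": sum(c.isdigit() for c in new),
        "symbolic": sum(c in string.punctuation for c in new),
    }
    for name, n in counts.items():
        if n < MIN_PER_CLASS:
            problems.append(f"{name} characters {n} < {MIN_PER_CLASS}")
    if chars_different(new, old) < MIN_DIFFERENT_FROM_OLD:
        problems.append(
            f"fewer than {MIN_DIFFERENT_FROM_OLD} characters differ from the old password")
    if digest(new) in history[-HISTORY_DEPTH:]:
        problems.append(REUSE_MESSAGE)
    return problems


# Constructed sample: the current password plus one earlier one.
CURRENT = "Winter2024!!"
SAMPLE_HISTORY = [digest("Fw-Admin#2024xY"), digest(CURRENT)]

if __name__ == "__main__":
    for candidate in ("Winter2025!!", "Fw-Admin#2024xY", "Fw-Admin#2025xY"):
        print(candidate, "->",
              validate_change(candidate, CURRENT, SAMPLE_HISTORY) or "accepted")
```

The first candidate shows why the per-class counts matter: a seasonal password with one capital and a single digit bumped fails two rules at once, while the positional comparison catches the "increment the year" habit that a plain length or complexity check would accept.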

Device > Settings > Administration > Management > Web Management Settings

| Option | Required Value | Default Value | Requirement Category |
|---|---|---|---|
| Allow Management via HTTP | Disabled | Disabled | Cysurance Requirement |
| HTTPS Port | Other than 443 | 443 | Cysurance Requirement |

Device > Diagnostics > Tech Support Report

| Option | Required Value | Default Value | Requirement Category |
|---|---|---|---|
| Periodic secure diagnostic reporting for support purposes | Enabled | Enabled | Cysurance Requirement |

Device > Users > Settings > Authentication

| Option | Best Practice Value | Default Value | Requirement Category |
|---|---|---|---|
| Display user login info since last login | Enabled | Disabled | Cysurance Requirement |

Device > Users > Local Users & Groups > Local Groups > SSLVPN Services Group

| Option | Best Practice Value | Default Value | Requirement Category |
|---|---|---|---|
| One-time password method | TOTP | Disabled | Cysurance Requirement |

Device > AppFlow > Flow Reporting > Settings

| Option | Best Practice Value | Default Value | Requirement Category |
|---|---|---|---|
| Enable AppFlow To Local Collector | Enabled | Disabled | SonicSentry Best Practice |

Device > Log > Settings

| Option | Best Practice Value | Default Value | Requirement Category |
|---|---|---|---|
| Logging Level | Inform | Warning | SonicSentry Best Practice |
| Alert Level | Error | Alert | SonicSentry Best Practice |

Device > Log > Name Resolution

| Option | Best Practice Value | Default Value | Requirement Category |
|---|---|---|---|
| Name Resolution Method | DNS | None | SonicSentry Best Practice |

Network > SSLVPN > Server Settings

| Option | Best Practice Value | Default Value | Requirement Category |
|---|---|---|---|
| Inactivity Timeout (minutes) | 60 | 10 | SonicSentry Best Practice |
| Mouse Inactivity Check | Enabled | Disabled | SonicSentry Best Practice |
| SSL VPN Port | Other than 4433 | 4433 | Cysurance Requirement |

Network > SSLVPN > Portal Settings

| Option | Best Practice Value | Default Value | Requirement Category |
|---|---|---|---|
| Disable Virtual Office on Non-LAN Interfaces | Enabled | Disabled | SonicSentry Best Practice |

Network > Firewall > Advanced > Settings

| Option | Best Practice Value | Default Value | Requirement Category |
|---|---|---|---|
| Enable Stealth Mode | Enabled | Disabled | SonicSentry Best Practice |
| Randomize IP ID | Enabled | Disabled | SonicSentry Best Practice |
| Decrement IP TTL for forwarded traffic | Enabled | Disabled | SonicSentry Best Practice |
| Never generate ICMP Time-Exceeded packets | Enabled | Disabled | SonicSentry Best Practice |

Network > Firewall > Flood Protection > TCP > Layer 3 SYN Flood Protection - SYN Proxy

| Option | Best Practice Value | Default Value | Requirement Category |
|---|---|---|---|
| SYN Flood Protection Mode | Proxy WAN client connections when attack is suspected | Watch and report possible SYN floods | Cysurance Requirement |

Network > Firewall > Flood Protection > UDP

| Option | Best Practice Value | Default Value | Requirement Category |
|---|---|---|---|
| Default UDP Connection Timeout | 60 | 30 | Cysurance Requirement |
| Enable UDP Flood Protection | Enabled | Disabled | Cysurance Requirement |

Network > Firewall > Flood Protection > ICMP

| Option | Best Practice Value | Default Value | Requirement Category |
|---|---|---|---|
| Enable ICMP Flood Protection | Enabled | Disabled | Cysurance Requirement |

Network > VoIP > Settings

| Option | Best Practice Value | Default Value | Requirement Category |
|---|---|---|---|
| Enable consistent NAT | Enabled | Disabled | SonicSentry Best Practice |

Policy > Security Services > Gateway Anti-Virus

| Option | Best Practice Value | Default Value | Requirement Category |
|---|---|---|---|
| Enable Gateway Anti-Virus | Enabled | Disabled | SonicSentry Best Practice |
| PROTOCOLS - FTP Inbound & Outbound Inspection | Enabled | Disabled | SonicSentry Best Practice |
| PROTOCOLS - HTTP Inbound & Outbound Inspection | Enabled | Disabled | SonicSentry Best Practice |
| PROTOCOLS - IMAP Inbound Inspection | Enabled | Disabled | SonicSentry Best Practice |
| PROTOCOLS - POP3 Inbound Inspection | Enabled | Disabled | SonicSentry Best Practice |
| PROTOCOLS - SMTP Inbound & Outbound Inspection | Enabled | Disabled | SonicSentry Best Practice |
| PROTOCOLS - TCP STREAM Inbound & Outbound Inspection | Enabled | Disabled | SonicSentry Best Practice |

Policy > Security Services > Anti-Spyware

| Option | Best Practice Value | Default Value | Requirement Category |
|---|---|---|---|
| Enable Anti-Spyware | Enabled | Disabled | Cysurance Requirement |
| SIGNATURE GROUPS - High Priority Spyware PREVENT & DETECT ALL | Enabled | Disabled | Cysurance Requirement |
| SIGNATURE GROUPS - Medium Priority Spyware PREVENT & DETECT ALL | Enabled | Disabled | Cysurance Requirement |
| SIGNATURE GROUPS - Low Priority Spyware PREVENT & DETECT ALL | Enabled | Disabled | Cysurance Requirement |
| PROTOCOLS - Enable Inbound Inspection for HTTP, FTP, IMAP, SMTP, POP3 | Enabled | Disabled | Cysurance Requirement |
| Enable Inspection of Outbound Spyware Communication | Enabled | Disabled | Cysurance Requirement |

Policy > Security Services > Intrusion Prevention

| Option | Best Practice Value | Default Value | Requirement Category |
|---|---|---|---|
| Enable IPS | Enabled | Disabled | Cysurance Requirement |
| Signature Groups - High Priority Attacks | PREVENT ALL: Enabled; DETECT ALL: Enabled | Disabled | Cysurance Requirement |
| Signature Groups - Medium Priority Attacks | PREVENT ALL: Enabled; DETECT ALL: Enabled | Disabled | Cysurance Requirement |
| Signature Groups - Low Priority Attacks | PREVENT ALL: Disabled; DETECT ALL: Enabled | Disabled | Cysurance Requirement |

Note that Low Priority Attacks is detect-only: prevention stays off for that group to avoid blocking on the noisiest, lowest-confidence signatures, while detection still produces the log events.

Policy > Security Services > Intrusion Prevention > Signatures

| Option | Best Practice Value | Default Value | Requirement Category |
|---|---|---|---|
| Category: WEB-ATTACKS | PREVENT ALL: Enabled; DETECT ALL: Enabled | Disabled | Cysurance Requirement |

Policy > Capture ATP > Settings > Basic

| Option | Best Practice Value | Default Value | Requirement Category |
|---|---|---|---|
| Enable Capture ATP | Enabled | Disabled | SonicSentry Best Practice |
| File types for Capture ATP analysis: Executables (PE, Mach-O, and DMG); PDF; Office 97-2003 (.doc, .xls, etc.); Office (.docx, .xlsx, etc.); Archives (.jar, .apk, .rar, .bz2, .bzip2, .7z, .xz, .gz, and .zip) | Enabled | Disabled | SonicSentry Best Practice |

Policy > Capture ATP > Settings > Advanced

| Option | Best Practice Value | Default Value | Requirement Category |
|---|---|---|---|
| Custom Blocking Behavior: File sent to Capture ATP cloud service for analysis | Block file download until a verdict is returned | Allow file download while awaiting a verdict | SonicSentry Best Practice |

Policy > Security Services > Geo-IP Filter

| Option | Best Practice Value | Default Value | Requirement Category |
|---|---|---|---|
| Block connections to/from countries selected in the Countries tabs | Enabled | Disabled | Cysurance Requirement |
| Enable Logging | Enabled | Disabled | Cysurance Requirement |
| Block all Unknown countries | Enabled | Disabled | Cysurance Requirement |
| Countries listed below | Blocked | Allowed | Cysurance Requirement |

Countries to block:

  • Belarus
  • Central African Republic
  • Congo
  • Cuba
  • Ethiopia
  • Haiti
  • Iran, Islamic Republic of
  • Iraq
  • Lebanon
  • Libya
  • Mali
  • Nicaragua
  • Korea, Democratic People’s Republic
  • Russian Federation
  • Somalia
  • Sudan
  • Syrian Arab Republic
  • Ukraine
  • Venezuela
  • Yemen
  • Zimbabwe

Policy > Security Services > Botnet Filter

| Option | Best Practice Value | Default Value | Requirement Category |
|---|---|---|---|
| Block connections to/from Botnet Command and Control Servers | Enabled | Disabled | Cysurance Requirement |
| Enable Logging | Enabled | Disabled | Cysurance Requirement |

Policy > Security Services > App Control

| Option | Best Practice Value | Default Value | Requirement Category |
|---|---|---|---|
| Enable App Control | Enabled | Disabled | SonicSentry Best Practice |
| Enable Logging for All Apps | Enabled | Disabled | SonicSentry Best Practice |

Policy > Security Services > App Control > Signatures

| Option | Best Practice Value | Default Value | Requirement Category |
|---|---|---|---|
| Categories: APP-UPDATE, BROWSING-PRIVACY, FILETYPE-DETECTION, IM, INFRASTRUCTURE, MISC-APPS, MOBILE-APPS, MULTIMEDIA, PROTOCOLS, VoIP-APPS, WEB-BROWSER, WEB-CONFERENCING | No Logging | | SonicSentry Best Practice |
| Categories: GAMING, MINERS, P2P | Log & Block | No Logging or Blocking | SonicSentry Best Practice |
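Once these values are set, the practical problem is spotting drift from them across a fleet. The script below is an added example, not part of this article and not a SonicWall tool: it encodes a subset of the rows above as rules and audits a settings export against them. The export format (a flat dict keyed by dotted names), every key name, and the sample export are assumptions and constructed data; the direction of comparison (a tighter lockout threshold or password lifetime passes, a disabled one fails) is also a choice made here. Extend RULES with the remaining rows once the keys for your own export or API client are known.

```python
"""Drift audit against the MSS tables above. Added example, not a SonicWall
tool: the export format (flat dict, dotted keys), all key names and the sample
export are assumptions; map them onto your own settings export or API client."""
from dataclasses import dataclass
from typing import Any, Callable

# SonicOS syslog severities, most to least severe; a more verbose setting
# than the table asks for still satisfies a logging rule.
SEVERITY = ["emergency", "alert", "critical", "error",
            "warning", "notice", "inform", "debug"]
Check = Callable[[Any], bool]

def is_int(v: Any) -> bool:
    return isinstance(v, int) and not isinstance(v, bool)

def equals(want: Any) -> Check:
    return lambda v: v == want

def not_equal(avoid: Any) -> Check:
    return lambda v: v is not None and v != avoid

def at_least(n: int) -> Check:
    return lambda v: is_int(v) and v >= n

def at_most(n: int) -> Check:
    # 0 means Disabled in the UI, so it fails rather than counting as "very strict".
    return lambda v: is_int(v) and 0 < v <= n

def at_least_verbose(level: str) -> Check:
    want = SEVERITY.index(level.lower())
    return lambda v: (isinstance(v, str) and v.lower() in SEVERITY
                      and SEVERITY.index(v.lower()) >= want)

@dataclass(frozen=True)
class Rule:
    key: str        # assumed export key
    label: str      # option name as shown in the SonicOS UI
    category: str   # REQ or BP below
    check: Check
    expected: str   # compliant state, for the report

@dataclass(frozen=True)
class Finding:
    key: str
    label: str
    category: str
    expected: str
    actual: Any

REQ, BP = "Cysurance Requirement", "SonicSentry Best Practice"

# Direction of comparison is a choice made here: a password lifetime or lockout
# threshold tighter than the table passes, a disabled one fails.
RULES = [
    Rule("admin.password_max_age_days", "Password must be changed every (days)", REQ, at_most(90), "enabled, 90 or fewer"),
    Rule("admin.password_min_length", "Enforce a minimum password length of", REQ, at_least(12), "12 or more"),
    Rule("admin.lockout_failed_attempts", "Failed login attempts before lockout", REQ, at_most(5), "5 or fewer"),
    Rule("mgmt.http_enabled", "Allow Management via HTTP", REQ, equals(False), "Disabled"),
    Rule("mgmt.https_port", "HTTPS Port", REQ, not_equal(443), "other than 443"),
    Rule("sslvpn.port", "SSL VPN Port", REQ, not_equal(4433), "other than 4433"),
    Rule("sslvpn.otp_method", "One-time password method (SSLVPN Services)", REQ, equals("TOTP"), "TOTP"),
    Rule("ips.low_priority.prevent_all", "Low Priority Attacks - PREVENT ALL", REQ, equals(False), "Disabled"),
    Rule("ips.low_priority.detect_all", "Low Priority Attacks - DETECT ALL", REQ, equals(True), "Enabled"),
    Rule("geoip.block_unknown", "Block all Unknown countries", REQ, equals(True), "Enabled"),
    Rule("log.logging_level", "Logging Level", BP, at_least_verbose("Inform"), "Inform or more verbose"),
    Rule("capture_atp.block_until_verdict", "Block file download until a verdict is returned", BP, equals(True), "Enabled"),
]

def audit(settings: dict[str, Any], rules: list[Rule] = RULES) -> list[Finding]:
    """One Finding per failed rule. A key absent from the export is reported
    (actual=None), not skipped: a missing control is not a compliant one."""
    return [Finding(r.key, r.label, r.category, r.expected, settings.get(r.key))
            for r in rules if not r.check(settings.get(r.key))]

def warranty_gaps(findings: list[Finding]) -> list[Finding]:
    """Only the failures that are Cysurance Requirements."""
    return [f for f in findings if f.category == REQ]

# Constructed sample export: a unit part-way through a hardening pass.
SAMPLE_EXPORT: dict[str, Any] = {
    "admin.password_max_age_days": 0,      # 0 = Disabled
    "admin.password_min_length": 12,
    "admin.lockout_failed_attempts": 3,     # tighter than 5: passes
    "mgmt.http_enabled": False,
    "mgmt.https_port": 443,
    "sslvpn.port": 8443,
    "sslvpn.otp_method": "TOTP",
    "ips.low_priority.prevent_all": True,   # table says DETECT only
    "ips.low_priority.detect_all": True,
    "geoip.block_unknown": True,
    "log.logging_level": "Warning",         # factory default
    # "capture_atp.block_until_verdict" deliberately absent
}

if __name__ == "__main__":
    for f in audit(SAMPLE_EXPORT):
        print(f"[{f.category}] {f.label}: expected {f.expected}, found {f.actual!r}")
```

Two details are worth keeping when you adapt this: a missing key is a finding, not a pass, because an export that omits a control tells you nothing about its state; and "Other than 443" style rows are deliberately open-ended, so the rule rejects only the default rather than pinning a specific replacement port.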

 
