Common configurations to protect against Ransomware

10/14/2021 1,054 People found this article helpful 122,687 Views


Description

The following article outlines common configurations for defending networks against Ransomware exploits. Ransomware has evolved heavily over the past few years to include several new network exploits, including a modified polymorphic front end and zero-day worm propagation techniques.

On May 12, 2017, a variant of Ransomware known as WannaCry succeeded in infecting more than 200,000 systems in over 150 countries. Preventing Ransomware and other zero-day exploits is achievable; however, it requires steadfast security monitoring and careful network configuration.

The following is a brief guide to configuring SonicWall Network Security Appliances (Firewalls) to prevent Ransomware.

Please note that many of the steps included in this article also overlap with other security recommendations that organizations should be deploying to inspect traffic and prevent breaches.

SonicWall Capture Advanced Threat Protection is available on TZ 300 and higher.

Resolution

Resolution for SonicOS 7.X

This release includes significant user interface changes and many new features that differ from the SonicOS 6.5 and earlier firmware. The resolution below is for customers using SonicOS 7.X firmware.

Security Services Subscription

For all SonicWall appliances it is highly recommended to include the Essential Protection Service Suite, which includes active subscriptions for Gateway Anti-Virus, Intrusion Prevention, Anti-Spyware, Content Filtering, Botnet Filter, Geo-IP Filter, Application Firewall, DPI-SSL, DPI-SSH, and Capture. If this subscription is not active, signature updates and the configurations below will not be possible.


Enable Gateway Anti-Virus

• Make sure that GAV is updated with the latest signatures.
• Enable GAV.
• Enable Cloud GAV.
• Enable Inspection on Inbound and Outbound for all of HTTP, FTP, IMAP, SMTP, POP3, CIFS/NetBIOS, and TCP Stream.
• Inside the Protocol Settings of each protocol, make sure that the option to block is enabled.
• Restrict Transfer of password-protected ZIP files.
• Restrict Transfer of MS-Office type files containing macros (VBA 5 and above).
• Restrict Transfer of packed executable files (UPX, FSG, etc.).
• Click Configure Gateway AV Settings.
• Enable the option to Block files with multiple levels of zip/gzip compression.

Enable Intrusion Prevention

Many of today's modified Ransomware exploits include malicious Trojan and worm elements that exploit network communications and impact systems. Intrusion Prevention is an essential cornerstone of preventing these attacks in networks.

• Make sure that the SonicWall has the latest signature updates from SonicWall Capture Labs.
• Enable the IPS Service.
• Enable Prevention for, at a minimum, High and Medium priority threats. Low priority threats may also need to be included, depending on additional requirements and the compliance regulations that apply to the network being deployed.
• Enable Intrusion Detection if log data on intrusions is required. SonicWall Intrusion Detection is responsible for producing the log events for intrusions; if it is not selected, no log data will be created.



Enable Geo-IP Filter

Geo-IP Filter is able to control traffic to and from various countries, and is a core component of the CGSS/AGSS security subscription.

• Enable Geo-IP Filter.
• This can be set up on All Connections or Firewall Rule Based.
• All Connections will include all traffic, but the default rules exclude Firewall Subnets.
• Firewall Rule Based requires enabling the service on individual rules within Firewall Access Rules. If this method is applied, any rules for WAN to WAN, WAN to LAN, and LAN to WAN should have it enabled.
• Make sure that Anonymous Proxy / Private IP is selected, at a minimum, from the country list.
• Make sure that Block all UNKNOWN countries is also enabled.


Enable Botnet Filter

Botnet Filter is able to prevent traffic to or from known malicious hosts that are part of Botnet networks.

• Enable Botnet Filter.
• This can be set up on All Connections or Firewall Rule Based.
• All Connections will include all traffic, but the default rules exclude Firewall Subnets.
• Firewall Rule Based requires enabling the service on individual rules within the Firewall Access Rules. If this method is applied, any rules for WAN to WAN, WAN to Internal, or Internet to WAN should have it enabled.



Enable DPI-SSL Client Inspection

The DPI-SSL feature of the firewall delivers the ability to inspect inside encrypted communications across multiple protocols and applications. DPI-SSL enables the firewall to act as a proxy so that it can inspect encrypted communications such as Webmail, social media, and other web content carried over HTTPS connections. The DPI-SSL settings that matter for this article are relatively simple. For questions on the setup and deployment of DPI-SSL, please consult the article Where Can I Learn More About DPI-SSL?.

• Enable SonicWall DPI-SSL on the firewall.
• Ensure that the service is enabled for all of the following sub-functions:
  • Intrusion Prevention
  • Gateway Anti-Virus
  • Gateway Anti-Spyware
  • Application Firewall
  • Content Filter



Configure Content Filtering Service

The Content Filtering rules outlined here apply to configurations for Firmware 6.2.7.1, and are based on CFS v4.0. For the purposes of preventing Ransomware, it is recommended to block access to the following categories: Malware, Hacking / Proxy Avoidance, and Not Rated.

NOTE: Blocking the category 'Not Rated' can be management intensive, as not all websites that specific networks use have been rated. Not Rated sites can be submitted for rating online at Report Issues.

• Ensure that the default and custom policies for all user groups are set to Block Malware, Hacking / Proxy Avoidance, and Not Rated.



Enable Application Firewall Rules

In order to safeguard against common methods of newer-generation obfuscation that leverage traditional applications, it is recommended to enable various Application Firewall Rules. In order to prevent malware such as Ransomware from circumventing enforced communications, it is advised to build rules to restrict DNS, SSH, and Proxy-Access Applications.

• While DNS is typically TCP/UDP 53, the DNS protocol can be used on non-standard ports. Malicious applications will leverage DNS cache poisoning or redirect traffic to illegitimate sites. It is advised not only to lock down access rules to specific Trusted DNS Hosts, but also to create an Address Object and an Application Rule that restrict the DNS protocol to only the Trusted DNS Host.
• This security mechanism can also be applied with SonicWall's DNS Proxy configuration as an alternative; however, this will still require application and access rules to restrict DNS traffic to untrusted sources.
• The last Application Firewall policy that should be created is the prevention of all Proxy-Access Applications.
• By blocking this entire category there is the potential for legitimate applications to break or cease to function properly. It is advised that these applications be reviewed and that exceptions be created, where applicable, for the specific source and destination information of those applications.

Enable Capture

Given the dynamic and constant creation of new malware, it is highly advised that the SonicWall Capture solution be enabled. Be advised that this requires the Essential Protection Service Suite license.

• Enable Capture, and ensure that Gateway Anti-Virus is enabled on all services.
• Ensure that all file types are selected for inspection.
• It is recommended to set Capture to 'Block until verdict'. This will prevent files from passing through the system until they have been properly analyzed.

Additional suggestions to prevent Ransomware exploits may include, but are not limited to:

• Installing end-point Anti-Virus software and keeping it updated with the latest signatures.
• Updating host Operating Systems, browsers, and browser plugins with the latest security patches.
• Performing regular offline (cold) system back-ups.
• Educating users on the dangers of opening unknown files from unknown sources.



Resolution for SonicOS 6.5

This release includes significant user interface changes and many new features that differ from the SonicOS 6.2 and earlier firmware. The resolution below is for customers using SonicOS 6.5 firmware.

Security Services Subscription

For all SonicWall appliances it is highly recommended to include the Advanced Gateway Security Suite (AGSS), which includes active subscriptions for Gateway Anti-Virus, Intrusion Prevention, Anti-Spyware, Content Filtering, Botnet Filter, Geo-IP Filter, Application Firewall, DPI-SSL, DPI-SSH, and Capture. If this subscription is not active, signature updates and the configurations below will not be possible.


Enable Gateway Anti-Virus

• Make sure that GAV is updated with the latest signatures.
• Enable GAV.
• Enable Cloud GAV.
• Enable Inspection on Inbound and Outbound for all of HTTP, FTP, IMAP, SMTP, POP3, CIFS/NetBIOS, and TCP Stream.
• Inside the Settings of each protocol, make sure that the option to block is enabled.
• Restrict Transfer of password-protected ZIP files.
• Restrict Transfer of MS-Office type files containing macros (VBA 5 and above).
• Restrict Transfer of packed executable files (UPX, FSG, etc.).
• Click Configure Gateway AV Settings.
• Enable the option to Block files with multiple levels of zip/gzip compression.

Enable Intrusion Prevention

Many of today's modified Ransomware exploits include malicious Trojan and worm elements that exploit network communications and impact systems. Intrusion Prevention is an essential cornerstone of preventing these attacks in networks.

• Make sure that the SonicWall has the latest signature updates from SonicWall Capture Labs.
• Enable the IPS Service.
• Enable Prevention for, at a minimum, High and Medium priority threats. Low priority threats may also need to be included, depending on additional requirements and the compliance regulations that apply to the network being deployed.
• Enable Intrusion Detection if log data on intrusions is required. SonicWall Intrusion Detection is responsible for producing the log events for intrusions; if it is not selected, no log data will be created.


Enable Geo-IP Filter

Geo-IP Filter is able to control traffic to and from various countries, and is a core component of the CGSS/AGSS security subscription.

• Enable Geo-IP Filter.
  • This can be set up on All Connections or Firewall Rule Based.
  • All Connections will include all traffic, but the default rules exclude Firewall Subnets.
  • Firewall Rule Based requires enabling the service on individual rules within Firewall Access Rules. If this method is applied, any rules for WAN to WAN, WAN to LAN, and LAN to WAN should have it enabled.
• Make sure that Anonymous Proxy / Private IP is selected, at a minimum, from the country list.
• Make sure that Block all UNKNOWN countries is also enabled.

Enable Botnet Filter

Botnet Filter is able to prevent traffic to or from known malicious hosts that are part of Botnet networks.

• Enable Botnet Filter.
  • This can be set up on All Connections or Firewall Rule Based.
  • All Connections will include all traffic, but the default rules exclude Firewall Subnets.
  • Firewall Rule Based requires enabling the service on individual rules within the Firewall Access Rules. If this method is applied, any rules for WAN to WAN, WAN to Internal, or Internet to WAN should have it enabled.


Enable DPI-SSL Client Inspection

The DPI-SSL feature of the firewall delivers the ability to inspect inside encrypted communications across multiple protocols and applications. DPI-SSL enables the firewall to act as a proxy so that it can inspect encrypted communications such as Webmail, social media, and other web content carried over HTTPS connections. The DPI-SSL settings that matter for this article are relatively simple. For questions on the setup and deployment of DPI-SSL, please consult the article Where Can I Learn More About DPI-SSL?.

• Enable SonicWall DPI-SSL on the firewall.
• Ensure that the service is enabled for all of the following sub-functions:
  • Intrusion Prevention
  • Gateway Anti-Virus
  • Gateway Anti-Spyware
  • Application Firewall
  • Content Filter

Configure Content Filtering Service

The Content Filtering rules outlined here apply to configurations for Firmware 6.2.7.1, and are based on CFS v4.0. For the purposes of preventing Ransomware, it is recommended to block access to the following categories: Malware, Hacking / Proxy Avoidance, and Not Rated.

NOTE: Blocking the category 'Not Rated' can be management intensive, as not all websites that specific networks use have been rated. Not Rated sites can be submitted for rating online at Report Issues.

• Ensure that the default and custom policies for all user groups are set to Block Malware, Hacking / Proxy Avoidance, and Not Rated.


Enable Application Firewall Rules

In order to safeguard against common methods of newer-generation obfuscation that leverage traditional applications, it is recommended to enable various Application Firewall Rules. In order to prevent malware such as Ransomware from circumventing enforced communications, it is advised to build rules to restrict DNS, SSH, and Proxy-Access Applications.

• While DNS is typically TCP/UDP 53, the DNS protocol can be used on non-standard ports. Malicious applications will leverage DNS cache poisoning or redirect traffic to illegitimate sites. It is advised not only to lock down access rules to specific Trusted DNS Hosts, but also to create an Address Object and an Application Rule that restrict the DNS protocol to only the Trusted DNS Host.
• This security mechanism can also be applied with SonicWall's DNS Proxy configuration as an alternative; however, this will still require application and access rules to restrict DNS traffic to untrusted sources.
• The next application rule would be to restrict SSH connections to only trusted and trained users, from only trusted sources, or to only trusted destinations.
• It is advised to create this control as an Application Firewall rule, as it is possible to deviate from the standard SSH TCP 22 configuration.
• The last Application Firewall policy that should be created is the prevention of all Proxy-Access Applications.
• By blocking this entire category there is the potential for legitimate applications to break or cease to function properly. It is advised that these applications be reviewed and that exceptions be created, where applicable, for the specific source and destination information of those applications.

Enable Capture

Given the dynamic and constant creation of new malware, it is highly advised that the SonicWall Capture solution be enabled. Be advised that this requires the AGSS (Advanced Gateway Security Suite) license.

• Enable Capture, and ensure that Gateway Anti-Virus is enabled on all services.
• Ensure that all file types are selected for inspection.
• It is recommended to set Capture to 'Block until verdict'. This will prevent files from passing through the system until they have been properly analyzed.

Additional suggestions to prevent Ransomware exploits may include, but are not limited to:

• Installing end-point Anti-Virus software and keeping it updated with the latest signatures.
• Updating host Operating Systems, browsers, and browser plugins with the latest security patches.
• Performing regular offline (cold) system back-ups.
• Educating users on the dangers of opening unknown files from unknown sources.



Resolution for SonicOS 6.2 and Below

The resolution below is for customers using SonicOS 6.2 and earlier firmware. For firewalls that are generation 6 and newer, we suggest upgrading to the latest general release of SonicOS 6.5 firmware.

Security Services Subscription

For all SonicWall appliances it is highly recommended to include the Advanced Gateway Security Suite (AGSS), which includes active subscriptions for Gateway Anti-Virus, Intrusion Prevention, Anti-Spyware, Content Filtering, Botnet Filter, Geo-IP Filter, Application Firewall, DPI-SSL, DPI-SSH, and Capture. If this subscription is not active, signature updates and the configurations below will not be possible.

Enable Gateway Anti-Virus

• Make sure that GAV is updated with the latest signatures.
• Enable GAV.
• Enable Cloud GAV.
• Enable Inspection on Inbound and Outbound for all of HTTP, FTP, IMAP, SMTP, POP3, CIFS/NetBIOS, and TCP Stream.
• Inside the Settings of each protocol, make sure that the option to block is enabled.
• Restrict Transfer of password-protected ZIP files.
• Restrict Transfer of MS-Office type files containing macros (VBA 5 and above).
• Restrict Transfer of packed executable files (UPX, FSG, etc.).
• Click Configure Gateway AV Settings.
• Enable the option to Block files with multiple levels of zip/gzip compression.
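The four Gateway Anti-Virus file restrictions that all three resolutions above recommend (password-protected ZIP files, MS-Office files with macros, packed executables, and multi-level zip compression) are decisions about a file's structure rather than its signature. The Python program below is an added example, not SonicWall code, that shows what each of those checks amounts to by implementing a simplified version of each: it reads the ZIP encryption flag, recurses into nested archives with a depth and size guard, looks for a VBA project inside an OOXML container, and walks the PE section table for packer section names. The sample files are constructed in memory (no real malware), the packer list is an illustrative UPX-only subset, and the macro check covers only the OOXML container (not legacy OLE .doc/.xls files), so it is narrower than the firewall's "VBA 5 and above" detection.

```python
import io
import struct
import zipfile
import zlib

# Illustrative subset: section names left behind by UPX. A gateway AV engine
# uses a much larger, signature-driven packer list.
PACKER_SECTION_NAMES = frozenset({"UPX0", "UPX1", "UPX2"})
MAX_INNER_BYTES = 50 * 1024 * 1024  # never unpack a nested entry larger than this
ZIP_LOCAL_MAGIC = b"PK\x03\x04"


def _open_zip(data: bytes):
    """Return a ZipFile over data, or None if data is not a valid zip container."""
    try:
        return zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return None


def is_password_protected_zip(data: bytes) -> bool:
    """Bit 0 of the general-purpose flag marks an encrypted (password-protected) entry."""
    zf = _open_zip(data)
    return zf is not None and any(info.flag_bits & 0x1 for info in zf.infolist())


def zip_nesting_depth(data: bytes, limit: int = 8) -> int:
    """Zip layers: 0 for non-zip data, 1 for a flat zip, 2 for a zip inside a zip, ..."""
    if not data.startswith(ZIP_LOCAL_MAGIC):
        return 0
    zf = _open_zip(data)
    if zf is None:
        return 0
    deepest = 1
    if limit <= 1:
        return deepest  # recursion guard against deliberately deep archives
    for info in zf.infolist():
        if info.flag_bits & 0x1 or info.file_size > MAX_INNER_BYTES:
            continue  # encrypted or oversized: treat as opaque rather than unpack it
        deepest = max(deepest, 1 + zip_nesting_depth(zf.read(info), limit - 1))
    return deepest


def office_has_macros(data: bytes) -> bool:
    """OOXML (docx/xlsx/pptx) is a zip; a VBA project is stored as vbaProject.bin inside it."""
    zf = _open_zip(data)
    if zf is None:
        return False
    names = zf.namelist()
    return "[Content_Types].xml" in names and any(n.lower().endswith("vbaproject.bin") for n in names)


def pe_section_names(data: bytes) -> list:
    """DOS header -> e_lfanew -> 'PE\\0\\0' -> COFF header -> section table; collect names."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    coff = e_lfanew + 4
    if data[e_lfanew:coff] != b"PE\0\0" or len(data) < coff + 20:
        return []
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)   # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)      # SizeOfOptionalHeader
    table = coff + 20 + opt_size
    names = []
    for i in range(num_sections):
        raw = data[table + i * 40: table + i * 40 + 8]   # 40-byte section header, 8-byte name
        if len(raw) < 8:
            break
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def is_packed_pe(data: bytes) -> bool:
    return bool(PACKER_SECTION_NAMES.intersection(pe_section_names(data)))


def classify(data: bytes) -> list:
    """Return the GAV-style restrictions a file would trip (empty list = would pass)."""
    reasons = []
    if is_password_protected_zip(data):
        reasons.append("password-protected zip")
    if zip_nesting_depth(data) > 1:
        reasons.append("multi-level zip compression")
    if office_has_macros(data):
        reasons.append("office document with VBA macros")
    if is_packed_pe(data):
        reasons.append("packed executable")
    return reasons


# ---- constructed sample files (built in memory for this example) --------------

def build_zip(entries: dict, encrypted: bool = False) -> bytes:
    """Minimal stored (uncompressed) zip writer that can set the encryption flag,
    which the zipfile module will not write for us."""
    flag = 0x0001 if encrypted else 0
    local, central = b"", b""
    for name, body in entries.items():
        n, crc, offset = name.encode(), zlib.crc32(body) & 0xFFFFFFFF, len(local)
        local += struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flag, 0, 0, 0,
                             crc, len(body), len(body), len(n), 0) + n + body
        central += struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flag, 0, 0, 0,
                               crc, len(body), len(body), len(n), 0, 0, 0, 0, 0, offset) + n
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(entries), len(entries),
                       len(central), len(local), 0)
    return local + central + eocd


def build_pe(section_names: list) -> bytes:
    """Minimal PE skeleton: DOS stub, PE signature, COFF header, empty section headers."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x102)
    table = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + table


OOXML_SKELETON = {"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>"}
SAMPLES = {
    "plain.zip":  build_zip({"readme.txt": b"hello"}),
    "locked.zip": build_zip({"invoice.exe": b"MZ"}, encrypted=True),
    "nested.zip": build_zip({"inner.zip": build_zip({"payload.txt": b"x"})}),
    "clean.docx": build_zip(OOXML_SKELETON),
    "macro.docm": build_zip({**OOXML_SKELETON, "word/vbaProject.bin": b"\xd0\xcf\x11\xe0"}),
    "normal.exe": build_pe([".text", ".data", ".rsrc"]),
    "packed.exe": build_pe(["UPX0", "UPX1", ".rsrc"]),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        verdict = classify(blob)
        print(f"{name:12s} {'BLOCK: ' + ', '.join(verdict) if verdict else 'pass'}")
```

Two details worth noticing when reading the output: an encrypted entry is never unpacked, so a password-protected archive is blocked on its flag alone rather than on what it contains, and the nesting check stops at a fixed depth so that a crafted archive cannot make the inspector recurse indefinitely. Those are the same reasons the GAV settings above treat "password-protected" and "multiple levels of compression" as block conditions in their own right.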


Enable Intrusion Prevention

Many of today's modified Ransomware exploits include malicious Trojan and worm elements that exploit network communications and impact systems. Intrusion Prevention is an essential cornerstone of preventing these attacks in networks.

• Make sure that the SonicWall has the latest signature updates from SonicWall Capture Labs.
• Enable the IPS Service.
• Enable Prevention for, at a minimum, High and Medium priority threats. Low priority threats may also need to be included, depending on additional requirements and the compliance regulations that apply to the network being deployed.
• Enable Intrusion Detection if log data on intrusions is required. SonicWall Intrusion Detection is responsible for producing the log events for intrusions; if it is not selected, no log data will be created.


Enable Geo-IP Filter

Geo-IP Filter is able to control traffic to and from various countries, and is a core component of the CGSS/AGSS security subscription.

• Enable Geo-IP Filter.
  • This can be set up on All Connections or Firewall Rule Based.
  • All Connections will include all traffic, but the default rules exclude Firewall Subnets.
  • Firewall Rule Based requires enabling the service on individual rules within Firewall Access Rules. If this method is applied, any rules for WAN to WAN, WAN to LAN, and LAN to WAN should have it enabled.
• Make sure that 'Anonymous Proxy / Private IP' is selected, at a minimum, from the country list.
• Make sure that Block all UNKNOWN countries is also enabled.


Enable Botnet Filter

Botnet Filter is able to prevent traffic to or from known malicious hosts that are part of Botnet networks.

• Enable Botnet Filter.
  • This can be set up on All Connections or Firewall Rule Based.
  • All Connections will include all traffic, but the default rules exclude Firewall Subnets.
  • Firewall Rule Based requires enabling the service on individual rules within the Firewall Access Rules. If this method is applied, any rules for WAN to WAN, WAN to Internal, or Internet to WAN should have it enabled.

Enable DPI-SSL Client Inspection

The DPI-SSL feature of the firewall delivers the ability to inspect inside encrypted communications across multiple protocols and applications. DPI-SSL enables the firewall to act as a proxy so that it can inspect encrypted communications such as Webmail, social media, and other web content carried over HTTPS connections. The DPI-SSL settings that matter for this article are relatively simple. For questions on the setup and deployment of DPI-SSL, please consult the article Where Can I Learn More About DPI-SSL?.

• Enable SonicWall DPI-SSL on the firewall.
• Ensure that the service is enabled for all of the following sub-functions:
  • Intrusion Prevention
  • Gateway Anti-Virus
  • Gateway Anti-Spyware
  • Application Firewall
  • Content Filter

Configure Content Filtering Service

The Content Filtering rules outlined here apply to configurations for firmware 6.2.7.1, and are based on CFS v4.0. For the purposes of preventing Ransomware, it is recommended to block access to the following categories: Malware, Hacking / Proxy Avoidance, and Not Rated.

NOTE: Blocking the category 'Not Rated' can be management intensive, as not all websites that specific networks use have been rated. Not Rated sites can be submitted for rating online at Report Issues.

• Ensure that the default and custom policies for all user groups are set to Block Malware, Hacking / Proxy Avoidance, and Not Rated.


Enable Application Firewall Rules

In order to safeguard against common methods of newer-generation obfuscation that leverage traditional applications, it is recommended to enable various Application Firewall Rules. In order to prevent malware such as Ransomware from circumventing enforced communications, it is advised to build rules to restrict DNS, SSH, and Proxy-Access Applications.

• While DNS is typically TCP/UDP 53, the DNS protocol can be used on non-standard ports. Malicious applications will leverage DNS cache poisoning or redirect traffic to illegitimate sites. It is advised not only to lock down access rules to specific Trusted DNS Hosts, but also to create an Address Object and an Application Rule that restrict the DNS protocol to only the Trusted DNS Host.
• This security mechanism can also be applied with SonicWall's DNS Proxy configuration as an alternative; however, this will still require application and access rules to restrict DNS traffic to untrusted sources.
• The next application rule would be to restrict SSH connections to only trusted and trained users, from only trusted sources, or to only trusted destinations.
• It is advised to create this control as an Application Firewall rule, as it is possible to deviate from the standard SSH TCP 22 configuration.
• The last Application Firewall policy that should be created is the prevention of all Proxy-Access Applications.
• By blocking this entire category there is the potential for legitimate applications to break or cease to function properly. It is advised that these applications be reviewed and that exceptions be created, where applicable, for the specific source and destination information of those applications.
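The DNS and SSH rules in the Application Firewall sections of all three resolutions make the same point: an access rule keyed on the port (UDP 53, TCP 22) cannot see DNS or SSH that has been moved to a non-standard port, whereas an Application Rule keyed on what the traffic is can. The Python program below is an added example, not SonicWall code, that demonstrates the difference by evaluating both kinds of rule over a set of constructed flows. The trusted resolver (10.0.0.53), the administrative subnet allowed to open SSH (10.0.10.0/24), and every flow are assumptions made up for the example, and the protocol identification (a DNS header and question-name parse, and the SSH identification string) is a deliberately simplified stand-in for SonicWall's signature-based application classification.

```python
import ipaddress
import struct
from dataclasses import dataclass

# Policy inputs, constructed for this example: the only resolver clients may use
# (the page's "Trusted DNS Host"), and the subnet allowed to open SSH sessions.
TRUSTED_DNS_HOSTS = {ipaddress.ip_address("10.0.0.53")}
TRUSTED_SSH_SOURCES = ipaddress.ip_network("10.0.10.0/24")


@dataclass
class Flow:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int
    payload: bytes  # first bytes the client sent on the connection


def looks_like_dns_query(payload: bytes) -> bool:
    """Parse the DNS header and first question name; true for a standard query."""
    if len(payload) < 12:
        return False
    _ident, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    qr, opcode = flags >> 15, (flags >> 11) & 0xF
    if qr != 0 or opcode != 0 or qdcount < 1:
        return False
    i = 12
    while i < len(payload):
        label_len = payload[i]
        if label_len == 0:              # end of QNAME; QTYPE and QCLASS must follow
            return i + 5 <= len(payload)
        if label_len > 63:              # labels are at most 63 octets in a query
            return False
        i += 1 + label_len
    return False


def looks_like_ssh(payload: bytes) -> bool:
    """SSH opens with a plaintext identification string, whatever port it rides on."""
    return payload.startswith(b"SSH-2.0-") or payload.startswith(b"SSH-1.99-")


def identify_app(flow: Flow):
    if flow.proto == "udp" and looks_like_dns_query(flow.payload):
        return "dns"
    if flow.proto == "tcp" and looks_like_ssh(flow.payload):
        return "ssh"
    return None


def port_based_verdict(flow: Flow) -> str:
    """An access rule keyed on destination port alone."""
    if flow.dport == 53 and ipaddress.ip_address(flow.dst) not in TRUSTED_DNS_HOSTS:
        return "block"
    if flow.dport == 22 and ipaddress.ip_address(flow.src) not in TRUSTED_SSH_SOURCES:
        return "block"
    return "allow"


def app_based_verdict(flow: Flow) -> str:
    """An application rule keyed on what the traffic actually is."""
    app = identify_app(flow)
    if app == "dns" and ipaddress.ip_address(flow.dst) not in TRUSTED_DNS_HOSTS:
        return "block"
    if app == "ssh" and ipaddress.ip_address(flow.src) not in TRUSTED_SSH_SOURCES:
        return "block"
    return "allow"


def audit(flows) -> list:
    """Return (label, port-rule verdict, app-rule verdict) for every labelled flow."""
    return [(label, port_based_verdict(f), app_based_verdict(f)) for label, f in flows]


def dns_query(name: str) -> bytes:
    """Build a standard A query; used only to construct the sample payloads below."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\0"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN


SSH_BANNER = b"SSH-2.0-example_client\r\n"
FLOWS = [  # constructed sample flows: (label, flow)
    ("dns to trusted resolver",    Flow("10.0.20.5", "10.0.0.53",   "udp", 53,   dns_query("example.com"))),
    ("dns to outside resolver",    Flow("10.0.20.5", "203.0.113.9", "udp", 53,   dns_query("example.com"))),
    ("dns on non-standard port",   Flow("10.0.20.5", "203.0.113.9", "udp", 5353, dns_query("example.com"))),
    ("ssh from admin subnet",      Flow("10.0.10.7", "10.0.0.20",   "tcp", 22,   SSH_BANNER)),
    ("ssh from workstation, 2222", Flow("10.0.20.5", "10.0.0.20",   "tcp", 2222, SSH_BANNER)),
    ("https, unrelated",           Flow("10.0.20.5", "10.0.0.20",   "tcp", 443,  b"\x16\x03\x01\x00\xc8")),
]

if __name__ == "__main__":
    for label, port_v, app_v in audit(FLOWS):
        print(f"{label:28s} port-rule={port_v:5s} app-rule={app_v}")
```

The two rows that differ between the columns are the ones the article is concerned with: DNS sent to an outside resolver on UDP 5353 and SSH from an ordinary workstation on TCP 2222 both pass the port-based rule and are only stopped by the application-based one. This is why the text asks for an Address Object plus an Application Rule for DNS, and an Application Firewall rule rather than a port rule for SSH.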


Enable Capture

NOTE: Given the dynamic and constant creation of new malware, it is highly advised that the SonicWall Capture solution be enabled. Be advised that this requires the AGSS (Advanced Gateway Security Suite) license.

• Enable Capture, and ensure that Gateway Anti-Virus is enabled on all services.
• Ensure that all file types are selected for inspection.
• It is recommended to set Capture to Block until verdict. This will prevent files from passing through the system until they have been properly analyzed.

Additional suggestions to prevent Ransomware exploits may include, but are not limited to:

• Installing end-point Anti-Virus software and keeping it updated with the latest signatures.
• Updating host Operating Systems, browsers, and browser plugins with the latest security patches.
• Performing regular offline (cold) system back-ups.
• Educating users on the dangers of opening unknown files from unknown sources.


Related Articles

• SSL Control and DPI-SSL Compatibility
• FIPS Mode: Radius protected with IPSEC VPN
• Maximum DHCP Leases

Categories

• Firewalls > NSa Series > IPS/GAV/Spyware
• Firewalls > NSv Series > IPS/GAV/Spyware
• Firewalls > TZ Series > IPS/GAV/Spyware
