How to configure Network Devices Protection Profile (NDPP) Compliance Checklist

07/02/2021 15 14400

DESCRIPTION:

NDPP describes security requirements for a network device that can be connected to a network and is intended to provide a minimal, baseline set of requirements that are targeted at mitigating well defined and described threats.

SonicWall UTM appliances can be configured to adhere to the security requirements of NDPP.

RESOLUTION:

RESOLUTION FOR SONICOS 7.X

This release includes significant user interface changes and many new features that are different from the SonicOS 6.5 and earlier firmware. The below resolution is for customers using SonicOS 7.X firmware.

To enable NDPP, perform the following steps:

1. Login to the SonicWall management GUI
2. Navigate to the Device| Firewall| Firmware and Settings| Settings page.

    3. Enable check- box NDPP. If the appliance configuration is not as per NDPP requirements, a pop-up window with the list of configuration      changes required in the SonicWall is displayed. Until these changes are made the NDPP check-box cannot be enabled.

The below steps describes how to configure the SonicWall UTM appliance to meet NDPP requirements.

Device| Firewall| Administration| Login/Multiple Administrators| Login Security

1.    Admin password life time is required
2.    New password must contain 4 characters different from the old password must be applied in NDPP mode:
3.    Minimum length of Admin or User password can not be less than 8
4.    Enforced password complexity must contain letters, numbers and symbols
5.    Enforced password complexity requirement must contain at least 1 upper case letter, 1 lower case letter, 1 numeric character, and 1 special character
6.    Must apply the password constraints for Administrator and Other full administrators

Device| Diagnostics | Tech Support Report 
7.    Not allowed to print password or pre-shared keys in TSR.

Device| Users | Settings - Enable check-box Force relogin after password change

8.    Require users to relogin after password change.

Network| Firewall| Advanced| IPv6 
9.    Must enable "Drop and log network packets whose source or destination address is reserved by RFC"

VPN | Settings

10.   Group VPN must set to disable in NDPP mode.
11.   The length of VPN pre-shared key should be at least 22
12.   IPsec Phase 2 lifetime(kbytes) not allowed to be unlimited in NDPP mode.
13.   SHA-256 or higher is required in IPsec.
14.   AES-128 or AES-256 is required in IPsec.

VPN | Advanced

15.    IKEv2 Dynamic Client Proposal in VPN advanced settings requires SHA-256
16.    IKEv2 Dynamic Client Proposal in VPN advanced settings requires AES-128 or AES-256

Network | System| Interfaces

17.    HTTP and SSH interface login is not allowed.
18.    IPv6 HTTP and SSH interface login is not allowed.

Manage| Logs and Reporting| Log Settings| Syslog

19.    Must configure at least one Syslog Server.
20.    Required to enable NDPP enforcement for Syslog Server.

• NDPP enforcement for Syslog server warrants the Syslog traffic be sent over a VPN tunnel. Therefore, a site to site VPN, either policy based or tunnel interface based, must be configured before enabling the option Enable NDPP Enforcement for Syslog Server.
• With the above requirement in place if the Syslog configuration is successful, a Network Monitor Policy is auto-created to probe the Syslog server.

21.    LDAP is not supported in NDPP mode.
User Authentication must be set to Local Users.

22.    SSL VPN is not allowed in NDPP mode.

Manage| Policies| Rules| Access Rules.

23.    Must set session quota for each management IP.
24.    Must set session quota for each IPv6 management IP.

To set session quota, perform the following steps:

1. In the SonicWall management GUI, navigate to access rule section
2. Change the page to LAN to LAN or WAN to WAN etc.
3. Click on Configure on the auto-created management access rule.
4. Click on the Optional Settings tab.
5. Enable check box under Enable connection limit for each Source IP Address
6. Enable check box under Enable connection limit for each Destination IP Address.
7. The threshold counter could be either the default 128 or a figure of your choice.

Session quota must be set in auto-created access rules where the destination IP is the default management IP address object. This applies to both IPv4 and IPv6. For example, All X0 Management IP, All X1 Management IP, X0 Management IPv6 Addresses etc.

This completes the configuration as required by NDPP.  To enable NDPP perform the following steps:

1. Navigate to Device| Firewall| Firmware and Settings| Settings
2. Enable the check box under NDPP.  If a configuration is pending, a pop-up window with the pending configuration is listed.  If the stipulated configuration is completed, the following pop-up window will be displayed.
3. Click on OK. A pop-window with a warning will be displayed.
4. Click on OK again.
5. Click on the restart message at the bottom of the screen or restart from System | Restart.

Subsequent to enabling NDPP mode, the settings configured for NDPP mode cannot be undone. NDPP must be manually disabled by de-selecting the NDPP check box under System | Settings or in the CLI before the configuration can be undone.

RESOLUTION FOR SONICOS 6.5.

This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.

To enable NDPP, perform the following steps:

1. Login to the SonicWall management GUI
2. Navigate to the Firmware and Backup | Settings page.

      3. Enable check- box NDPP. If the appliance configuration is not as per NDPP requirements, a pop-up window with the list of configuration      changes required in the SonicWall is displayed. Until these changes are made the NDPP check-box cannot be enabled.

The below steps describes how to configure the SonicWall UTM appliance to meet NDPP requirements.

Manage| System Setup| Appliance| Base Settings| Login Security

1.    Admin password life time is required
2.    New password must contain 4 characters different from the old password must be applied in NDPP mode:
3.    Minimum length of Admin or User password can not be less than 8
4.    Enforced password complexity must contain letters, numbers and symbols
5.    Enforced password complexity requirement must contain at least 1 upper case letter, 1 lower case letter, 1 numeric character, and 1 special character
6.    Must apply the password constraints for Administrator and Other full administrators

Investigate| Tools| System Diagnostics | Tech Support Report 
7.    Not allowed to print password or pre-shared keys in TSR.

Manage| System Setup| Users | Settings - Enable check-box Force relogin after password change

8.    Require users to relogin after password change.

Manage| Security Configuration| Advanced Settings| IPv6 Advanced Configurations

9.    Must enable "Drop and log network packets whose source or destination address is reserved by RFC"

VPN | Settings

10.   Group VPN must set to disable in NDPP mode.
11.   The length of VPN pre-shared key should be at least 22
12.   IPsec Phase 2 lifetime(kbytes) not allowed to be unlimited in NDPP mode.
13.   SHA-256 or higher is required in IPsec.
14.   AES-128 or AES-256 is required in IPsec.

VPN | Advanced

15.    IKEv2 Dynamic Client Proposal in VPN advanced settings requires SHA-256
16.    IKEv2 Dynamic Client Proposal in VPN advanced settings requires AES-128 or AES-256

Mange| Network | Interfaces

17.    HTTP and SSH interface login is not allowed.
18.    IPv6 HTTP and SSH interface login is not allowed.

Manage| Logs and Reporting| Log Settings| Syslog

19.    Must configure at least one Syslog Server.
20.    Required to enable NDPP enforcement for Syslog Server.

• NDPP enforcement for Syslog server warrants the Syslog traffic be sent over a VPN tunnel. Therefore, a site to site VPN, either policy based or tunnel interface based, must be configured before enabling the option Enable NDPP Enforcement for Syslog Server.
• With the above requirement in place if the Syslog configuration is successful, a Network Monitor Policy is auto-created to probe the Syslog server.

21.    LDAP is not supported in NDPP mode.
User Authentication must be set to Local Users.

22.    SSL VPN is not allowed in NDPP mode.

Manage| Policies| Rules| Access Rules.

23.    Must set session quota for each management IP.
24.    Must set session quota for each IPv6 management IP.

To set session quota, perform the following steps:

1. In the SonicWall management GUI, navigate to access rule section
2. Change the page to LAN to LAN or WAN to WAN etc.
3. Click on Configure on the auto-created management access rule.
4. Click on the Advanced tab.
5. Enable check box under Enable connection limit for each Source IP Address
6. Enable check box under Enable connection limit for each Destination IP Address.
7. The threshold counter could be either the default 128 or a figure of your choice.
8. Click on OK to save.

Session quota must be set in auto-created access rules where the destination IP is the default management IP address object. This applies to both IPv4 and IPv6. For example, All X0 Management IP, All X1 Management IP, X0 Management IPv6 Addresses etc.

This completes the configuration as required by NDPP.  To enable NDPP perform the following steps:

1. Navigate to System | Settings
2. Enable the check box under NDPP.  If a configuration is pending, a pop-up window with the pending configuration is listed.  If the stipulated configuration is completed, the following pop-up window will be displayed.
3. Click on OK. A pop-window with a warning will be displayed.
4. Click on OK again.
5. Click on the restart message at the bottom of the screen or restart from System | Restart.

Subsequent to enabling NDPP mode, the settings configured for NDPP mode cannot be undone. NDPP must be manually disabled by de-selecting the NDPP check box under System | Settings or in the CLI before the configuration can be undone.

Disabling NDPP from console

Enter the following commands in the CLI to disable NDPP. You must restart the SonicWall for the changes to take effect.

|config
|no ndpp
|commit best-effort
|exit