MITM Man-in-the-middle attack or HTTP Strict Transport Security (HSTS) recommendations
04/29/2021 5 People found this article helpful 473,647 Views
Description
Is SMA1000 vulnerable to HTTP Strict Transport Security (HSTS) attacks
Cause
HTTP Strict Transport Security (HSTS) is an security enhancement that is specified by a web application through the use of a special response header.
Once a supported browser receives this header that browser will prevent any communications from being sent over HTTP to the specified domain and will
instead send all communications over HTTPS. It also prevents HTTPS click through prompts on browsers.
Resolution
SonicWall SMA1000 devices are recommended to be placed behind Firewall and only Specific Ports to be allowed for VPN access:
- 443 SSL Tunneling
- 4500 UDP for ESP Tunneling
- 53 UDP/DNS
- Any Custom Defined URL Ports.
- SonicWall does not recommend to have AMC access over Internet. AMC access on Port 8443 is recommended to be accessed internally with proper certificate assigned for AMC access.
Securing VPN Access:
-MA Device are to be applied with below CEM Value(s) Note: Recommended to get this applied under Support Guidance.
1. Log in to AMC.
2. Click on Maintenance in the left-hand navigation menu.
3. In the URL, append "?advanced=1", and hit return.
4. Click on Configure under the new section Configuration extensions.
5. Click New
6. For the Key field, put in EW_ENABLE_HSTS
7. For the Value field, put in true
8. Click OK.
9. Click Save,
10. Apply Changes (this will force an apply-all, making the changes take effect).
Note: For CMS Deployment CEM Values could be pushed to Management Appliances.
1. Log in to AMC.
2. Click on Maintenance in the left-hand navigation menu.
3. In the URL, append "?advanced=1", and hit return.
4. Click on Configure under the new section Configuration extensions
On policy synchronization, overwrite all CEMs on the managed appliances with CEMs on the CMS
Note:
- Post Save and apply pending changes would restart services. Such changes would impact Connected users.
- Management Console Access and Workplace are to be with Valid and Trusted Certificates
- Management Console Access is always recommended from Internal Trusted Network.
- Management Console to be accessed or tied with External Auth-Server or 2FA.
- Scans run against Management console are false positive and does not affect SMA1000 devices.
Related Articles
Categories