MITM Man-in-the-middle attack or HTTP Strict Transport Security (HSTS) recommendations

04/29/2021 0 813

DESCRIPTION:

Is SMA1000 vulnerable to  HTTP Strict Transport Security (HSTS)  attacks

CAUSE:

HTTP Strict Transport Security (HSTS) is an security enhancement that is  specified by a web application through the use of a special response header.
Once a supported browser receives this header that browser will prevent any communications from being sent over HTTP to the specified domain and will
instead send all communications over HTTPS. It also prevents HTTPS click through  prompts on browsers.

RESOLUTION:

SonicWall SMA1000 devices are recommended to be placed behind Firewall and only Specific Ports to be allowed for VPN access: 

1.   443 SSL Tunneling
2.   4500 UDP for ESP Tunneling
3.    53  UDP/DNS
4.   Any Custom Defined URL Ports.
5. SonicWall does not recommend to have AMC access over Internet.   AMC access on Port 8443 is recommended to be accessed internally with proper certificate assigned for AMC access.

 Securing VPN Access:

-MA Device are to be applied with below CEM Value(s)  Note: Recommended to get this applied under Support Guidance.

1.     Log in to AMC.

2.     Click on Maintenance in the left-hand navigation menu.

3.     In the URL, append "?advanced=1", and hit return.

4.     Click on Configure under the new section Configuration extensions.

5.     Click New

6.     For the Key field, put in EW_ENABLE_HSTS 

7.     For the Value field, put in  true

8.     Click OK.

9.     Click Save,

10.  Apply Changes (this will force an apply-all, making the changes take effect).

 Note:  For CMS Deployment CEM Values could be pushed to Management Appliances.

1.     Log in to AMC.

2.     Click on Maintenance in the left-hand navigation menu.

3.     In the URL, append "?advanced=1", and hit return.

4.     Click on Configure under the new section Configuration extensions

On policy synchronization, overwrite all CEMs on the managed appliances with CEMs on the CMS

Note: 

1. Post Save and apply pending changes would restart services.  Such changes would impact Connected users.
2. Management Console Access and Workplace are to be with Valid and Trusted Certificates
3. Management Console Access is always recommended from Internal Trusted Network. 
4. Management Console to be accessed or tied with External Auth-Server or 2FA.
5. Scans run against Management console are false positive and does not affect SMA1000 devices.