
SonicWALL Aventail SSL VPNs Working Together With SonicWALL End Point Security Solutions for Granular End Point Control

Step by step guide on how to configure SonicWALL Aventail SSL VPNs to detect the SonicWALL Enforced Client

CONTENTS

Overview
Configuration Steps
Zone Options
  Standard (Allow) Zone for Full Access
  Default Zone for Limited Access - Download the SonicWALL Enforced Client
  Quarantine Zone to Deny Access - Download the SonicWALL Enforced Client
  Deny Zone to Deny Access if SonicWALL Enforced Client is Out of Compliance
Conclusion


Overview

SonicWALL Aventail SSL VPN appliances have a feature called End Point Control (EPC) which can require that incoming clients meet certain criteria before connecting, the most common being that the incoming client is running a valid and up-to-date version of an anti-virus or anti-spyware program. Upon first contact with a SonicWALL Aventail appliance, the endpoint is interrogated against an administrator-defined set of attributes called Device Profiles. If the incoming connection meets those criteria, the client is assigned to a defined Policy Zone. If not, the administrator has a number of options, including assigning the endpoint to a Default Zone or Quarantine Zone for remediation. EPC interrogation and Zone assignment are available for all Aventail access methods, including Connect Tunnel.

This white paper is intended to provide step-by-step instructions on how the SonicWALL Aventail SSL VPN can be configured to enforce that end point devices have the appropriate version and configuration of the SonicWALL Enforced Client anti-virus solution. Both a SonicWALL Aventail SSL VPN (EX-750, EX-1600 or EX-2500) and a SonicWALL Enforced Client running on an end point device are required in order to follow the configuration steps detailed in this paper. The information presented in this paper represents the industry experience of the SonicWALL® research and development team and reflects the requirements that can be met by applying SonicWALL Aventail SSL VPN solutions combined with SonicWALL Enforced Client Anti-Virus solutions. The SonicWALL solutions are referenced in the conclusion to this paper and can be reviewed in detail on the SonicWALL Web site: http://www.sonicwall.com.

Configuration Steps

In order for a SonicWALL Aventail SSL VPN appliance to enforce client usage of the ‘SonicWALL Enforced Client,’ there are a few prerequisites:

1. The Aventail SSL VPN appliance must run firmware 8.9 or newer. This can be obtained from the Aventail Assurance portal by customers with a current software service contract for their Aventail SSL VPN appliances. You can determine the current firmware version by logging into the Aventail Management Console (AMC); the version will display in the lower-left-hand corner of the AMC home page. The firmware version can also be determined by going to the System Configuration > Maintenance page. For an example, see below.


2. The incoming client connection must run version 4.5 or newer of the ‘SonicWALL Enforced Client’. In order to determine what version a client connection is running, right-click on the client’s taskbar (it’s the small red shield with the ‘M’ in it, on the right of the taskbar) and select ‘About’. For an example, see below.


3. On the Aventail SSL VPN appliance, in the Device Profile definition for Windows, the ‘McAfee Inc.’ Vendor name must be selected and the ‘Total Protection for Small Business’ Product name must be used. (There is no SonicWALL-specific entry at present; this will be resolved in a future firmware release.) Following is an example of the SonicWALL Enforced Client Device Profile:


4. The ‘SonicWALL Enforced Client’ is an OEM version of the ‘Total Protection for Small Business’ software application and, because of this, is recognized as such by the Aventail SSL VPN appliance.

5. While the ‘SonicWALL Enforced Client’ is an anti-spyware client as well as an anti-virus client, it only shows up in the ‘Anti-Virus’ enforcement category on the Aventail SSL VPN appliance.

Zone Options

On the Aventail SSL VPN appliance, there are a number of options regarding how the administrator can use Aventail End Point Control settings to check the SonicWALL Enforced Client and take various actions if the Client is not running or not up to date. For the purpose of this whitepaper, the following scenarios will be covered:

1. Standard (Allow) Zone for Full Access: This scenario assumes that the end user has the SonicWALL Enforced Client present on their end point device and it is configured with the appropriate version.

2. Default Zone for Limited Access- Download the SonicWALL Enforced Client: This scenario assumes that the end user does not have the SonicWALL Enforced Client present on their end point device. The policy will allow the user to have limited access to resources. However, in order to gain full access to resources they will need to download and install the SonicWALL Enforced Client from a link that is present on the SSL VPN portal.

3. Quarantine Zone to Deny Access- Download the SonicWALL Enforced Client: This scenario also assumes that the end user does not have the SonicWALL Enforced Client present on their end point device. However, unlike the previous scenario the user is not allowed access to any resources until they download the SonicWALL Enforced Client. They will be placed into a quarantine zone and will be provided instructions on how to download the SonicWALL Enforced Client.

4. Deny Zone to Deny Access if the SonicWALL Enforced Client is Out of Compliance: This scenario assumes that the end user does have the SonicWALL Enforced Client but for some reason it is not the appropriate configuration (version out of date perhaps). They will be denied access until they perform the necessary update to their SonicWALL Enforced Client.

1. Standard (Allow) Zone for Full Access

In this scenario, if the endpoint matches the Device Profile that was defined for the SonicWALL Enforced Client, then it will be placed into a “Trusted” Zone and given full access to all internal applications:

a) First, define a Standard Zone named “Trusted Zone” within the previously-defined ‘Enforce SonicWALL’ Device Profile:

b) Next, in the appropriate Community, under End Point Control Restrictions, place the new ‘Trusted Zone’ into the “In use” box in the Standard Zone settings to make the Zone available to the Community:

c) In the Access Control rules, modify the appropriate rule and add the ‘Trusted Zone’. In this example, any user in the AD Realm will be permitted access to the Corporate Shared Drive, the intranet, OWA, and Terminal Services applications only if the endpoint is classified into the Trusted Zone.

d) After an authorized user logs into the WorkPlace from an endpoint that is running the SonicWALL Enforced Client, that endpoint is classified into the ‘Trusted Zone,’ and the user is allowed access to all applications:

2. Default Zone for Limited Access – Download SonicWALL Enforced Client

In this scenario, if the endpoint does not match the Device Profile that was defined for the SonicWALL Enforced Client then it will be placed into a “Default” Zone and given access to a subset of internal applications. Also, a link is provided in the Default Zone to download and install the SonicWALL Enforced Client.

a) Define a new URL Resource for the SonicWALL Enforced Client installation. The exact syntax of the URL is http://virusscanasap.mcafeeasap.com/vs2/Sonicwall/rd.asp?CK=xxxxxx, where CK is the Company Key, a SonicWALL-generated company designation for an installation of the Enforced Client. Multiple licenses can be applied to the same Company Key.

Only the hostname is defined in the URL Resource, while the remainder of the URL can be defined on the Start page option in the Advanced settings of the WorkPlace Shortcut:

b) When defining an external URL as a Resource, it is important that the hostname is added to the Resource Exclusion List located at the bottom of the Resource table. This tells the Aventail appliance not to translate the URL, so that the endpoint’s browser will resolve the URL to the correct public Web site:

c) Define a new Access Control rule for endpoints placed into the Default Zone that are not running an Enforced Client or that are not up-to-date (as defined in the Device Profile). The rule will permit access only to specified applications and the SonicWALL Enforced Client download link:

d) Note that the Default Zone does not have to be added to the list of Standard Zones in the appropriate Community. The Default Zone is always present and is the last available Zone. In this example, since the endpoint will not match the Trusted Zone, it will fall into the Default Zone.

e) After logging into the WorkPlace from an endpoint without the SonicWALL Enforced Client running, the endpoint is classified into the ‘Default Zone’ and is allowed access to only a subset of applications and a link to download the SonicWALL Enforced Client:

3. Quarantine Zone to Deny Access – Download SonicWALL Enforced Client

Another option is that, if the endpoint does not match the Device Profile that was defined for the SonicWALL Enforced Client, it is placed into a Quarantine Zone and given access to a link to download and install the Client. In the Quarantine Zone, no application access is permitted outside of the remediation links that are defined.

a) Under the End Point Control Zone settings, define a new Quarantine Zone. As part of the definition, the administrator can specify any text they would like to appear in the Zone and also any useful Web links that can be used for remediation purposes. In this example, a link is defined to the SonicWALL Enforced Client installation URL as described above.

b) In the appropriate Community, under End Point Control Restrictions, change the Zone fallback option from “Place into default zone” to “Place into quarantine zone” and specify the SonicWALL Quarantine Zone:

c) After logging into the WorkPlace from an endpoint without the SonicWALL Enforced Client running, the endpoint is classified into the SonicWALL Quarantine Zone and is only permitted access to the remediation link specified:

4. Deny Zone to Deny Access if SonicWALL Enforced Client is Out of Compliance

Finally, the Deny Zone can be used to deny access to an endpoint that matches a specific Device Profile. In this example, assume that a new version (5.0) of the SonicWALL Enforced Client has just been put into production and deployed to all end users. If a user tries to log into the WorkPlace from an endpoint that is running a SonicWALL Enforced Client with a version other than 5.0, they will be placed into the Deny Zone, not allowed any access at all into the internal network, and given a message explaining why they are denied access and whom to contact.

a) Under the End Point Control Zone settings, define a new Device Profile called Enforce SonicWALL. This profile will check to see if the endpoint’s SonicWALL Enforced Client version is equal to 4.x (and therefore not version 5.0). Other options can be set to check the last time the signatures were updated or the last time the file system was scanned:

b) Under the End Point Control Zone settings, define a new Deny Zone. In this Zone, we specify the Device Profile that we want to check for (Enforce SonicWALL) and also a custom message that we want to display to the end user:

c) In the appropriate Community, make the new Deny Zone available under the End Point Control

d) After logging into WorkPlace from an endpoint that is not running the correct version of the SonicWALL Enforced Client, the endpoint is placed immediately into the Deny Zone and the pre-defined message is displayed:
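To make the four Zone outcomes above concrete, here is an added example (my own model, not code from the paper or from SonicWALL) that evaluates an endpoint against a Community's EPC settings. The evaluation order (Deny Zones, then Standard Zones, then the Community's fallback), the profile field names and the sample endpoints are assumptions made for this model, not a description of the appliance's internals.

```python
# Added example (not from the SonicWALL paper): a small model of how End Point
# Control (EPC) sorts an endpoint into a Zone in the four scenarios described.
# ASSUMPTION: Deny Zones are evaluated first, then Standard Zones, then the
# Community's fallback (Default or Quarantine Zone).
from dataclasses import dataclass
from typing import Optional


@dataclass
class Endpoint:
    os: str
    av_vendor: Optional[str] = None    # vendor the appliance sees for the Enforced Client
    av_product: Optional[str] = None   # "Total Protection for Small Business" (OEM base)
    av_version: Optional[str] = None   # e.g. "4.5" or "5.0"


@dataclass
class DeviceProfile:
    name: str
    vendor: str = "McAfee Inc."
    product: str = "Total Protection for Small Business"
    version_prefix: str = ""           # "" = any version; "4." = 4.x; "5.0" = current

    def matches(self, ep: Endpoint) -> bool:
        """True when the endpoint carries the expected AV vendor, product and version."""
        if ep.os != "Windows" or ep.av_version is None:
            return False
        return (ep.av_vendor == self.vendor and ep.av_product == self.product
                and ep.av_version.startswith(self.version_prefix))


@dataclass
class Community:
    deny_zones: list           # [(zone name, DeviceProfile)] -> no access, custom message
    standard_zones: list       # [(zone name, DeviceProfile)] -> access per ACL rules
    fallback: str = "default"  # "default" or "quarantine" (EPC Restrictions setting)


def classify(ep: Endpoint, community: Community) -> tuple:
    """Return (zone name, access level) for an endpoint under a Community's EPC settings."""
    for zone, profile in community.deny_zones:
        if profile.matches(ep):
            return zone, "denied"
    for zone, profile in community.standard_zones:
        if profile.matches(ep):
            return zone, "full"
    if community.fallback == "quarantine":
        return "SonicWALL Quarantine Zone", "remediation link only"
    return "Default Zone", "limited"   # the Default Zone is always the last Zone


# Constructed sample policy mirroring the paper: Trusted Zone for the current 5.0
# client, Deny Zone for an out-of-date 4.x client, fallback for endpoints with none.
POLICY = Community(
    deny_zones=[("Deny Zone", DeviceProfile("Enforce SonicWALL 4.x", version_prefix="4."))],
    standard_zones=[("Trusted Zone", DeviceProfile("Enforce SonicWALL", version_prefix="5.0"))],
)
ENFORCED = Endpoint("Windows", "McAfee Inc.", "Total Protection for Small Business", "5.0")
OUTDATED = Endpoint("Windows", "McAfee Inc.", "Total Protection for Small Business", "4.5")
BARE = Endpoint("Windows")   # constructed: no Enforced Client installed at all
```

Switching `POLICY.fallback` to "quarantine" turns the BARE endpoint's outcome from limited Default Zone access into the remediation-link-only Quarantine Zone of scenario 3.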

Conclusion

The SonicWALL E-Class Aventail SSL VPN appliances provide secure access for employees, business partners, and customers to Web applications, client/server applications, and file shares. The Aventail SSL VPN appliances provide remote access control that manages and secures application access based on the ability to identify the following three things:

1) Who is the user?

• Identify users based on strong authentication. Group users into communities and groups based on admission policy.

2) What is on the end point device?

• Interrogation of the end point to determine the device identity and device integrity, and allow the results of the interrogation to be leveraged within admission and access control policies.

3) What are the resources that the user needs to access?

• Allow access to individual applications based on who the user is and the trust level for the device used for access.

The Aventail SSL VPN appliances make these resources available from a range of access methods, including a standard Web browser, an ActiveX or Java-enabled Web browser, or a native client preinstalled on the device, on a wide range of platforms and devices that include Windows, Macintosh, Linux, and PDAs or smartphones. Administrators determine the resources that users will be allowed to access, and the Aventail SSL VPN appliances transparently and dynamically provision the access methods appropriate for those resources. All access control is handled centrally via the Web-based management console.

Why SonicWALL Aventail SSL VPNs?

1) More devices, more access points:

The pace of innovation in remote access technology has increased dramatically over the past decade. Broadband access to the Internet has become not merely ubiquitous, but an expected standard, at work, at home, and everywhere in between. Mobile devices have proliferated to the point where laptops, PDAs, and smartphones, mobilized with sophisticated wireless and cellular connectivity, are accelerating the phase-out of traditional desktop PCs. The rise in VoIP has turned phone calls into data resources, and transformed telephony into yet another network access methodology.

2) Work is increasingly moving beyond the network perimeter:

Traditional network boundaries are disappearing, and “the office” no longer has anything to do with any specific physical location. Work is conducted from field offices and home offices, partner sites and manufacturing sites. Increased access has resulted in increased productivity. Business partners require access to internal enterprise resources from end point locations behind their own firewalls. Remote teleworkers and day extenders in all business capacities connect to business applications and files via WiFi hotspots at their home or neighborhood cafes. Enterprise boundaries are blurring, with “outside” partners, vendors, and consultants playing an increasingly vital role in daily operations, often collaborating in cross-functional teams requiring secure access to “inside” application resources from “outside” devices, traversing internal and external firewalls.

3) IT is facing new challenges for controlling access:

The increasingly mobile trends in technology and business operations have accelerated the replacement of traditional network nodes from IT-managed hard-cabled desktops to wireless laptops and mobile devices. Even when these devices are issued by IT, usage has become difficult for IT to control. An end user might use the same mobile computing device at home as in the office, use a personally-owned device for business purposes, or use a corporate-owned device for personal purposes. It is increasingly hard for IT to be able to restrict what users do with access devices, and to limit ways in which users expose these devices to threats that can impact the security of enterprise resources.


Contacting SonicWALL

If you require technical assistance for your SonicWALL UTM appliance or SonicPoint, check these online SonicWALL resources:

The support site: http://www.sonicwall.com/us/Support.html

The interactive online Knowledge Portal:

http://www.nohold.net/noHoldCust22/Prod_3/Articles53234/sw_launch_frames.html

If you cannot find the information you need, contact SonicWALL telephone support at one of these numbers:

North America Telephone Support
U.S./Canada - 888.777.1476 or +1 408.752.7819

International Telephone Support
Australia + 1800.35.1642
Austria + 43(0)820.400.105
EMEA + 31(0)411.617.810
France + 33(0)1.4933.7414
Germany + 49(0)1805.0800.22
Hong Kong + 1.800.93.0997
India + 8026556828
Italy + 39.02.7541.9803
Japan + 81(0)3.5460.5356
New Zealand + 0800.446489
Singapore + 800.110.1441
Spain + 34(0)9137.53035
Switzerland + 41.1.308.3.977
UK + 44(0)1344.668.484

Note: If you find that the number appropriate to your geographic region does not work, please visit http://www.sonicwall.com/us/support/3001.html for the latest technical support telephone numbers.

More Information on SonicWALL Products

Contact SonicWALL, Inc. for information about SonicWALL products and services at:
Web: http://www.sonicwall.com
E-mail: sales@sonicwall.com
Phone: (408) 745-9600
Fax: (408) 745-9300

Authors: dparry@sonicwall.com and dbuckwald@sonicwall.com
Prepared by SonicWALL, Inc.
