SonicWALL Aventail SSL VPNs Working Together
With SonicWALL End Point Security Solutions for
Granular End Point Control
Step by step guide on how to configure
SonicWALL Aventail SSL VPNs to detect the
SonicWALL Enforced Client
CONTENTS
Overview 2
Configuration Steps 2
Zone Options
• Standard (Allow) Zone for Full Access 5
• Default Zone for Limited Access - Download the SonicWALL Enforced Client 9
• Quarantine Zone to Deny Access - Download the SonicWALL Enforced Client 12
• Deny Zone to Deny Access if SonicWALL Enforced Client is Out of Compliance 15
Conclusion 20
Overview
SonicWALL Aventail SSL VPN appliances have a feature called End Point Control (EPC) which has the ability to require that incoming clients meet certain criteria before connecting, the most common being that the incoming client be running a valid and up-to-date version of an anti-virus or anti-spyware program. Upon first contact with a SonicWALL Aventail appliance, the endpoint is interrogated against an administrator-defined set of attributes called Device Profiles. If the incoming connection meets said criteria, the client is assigned into a defined Policy Zone. If not, the administrator has a number of options, including assigning the endpoint into a Default Zone or Quarantine Zone for remediation. EPC interrogation and Zone assignment is available for all Aventail access methods, including Connect Tunnel.
This white paper provides step-by-step instructions on how the SonicWALL Aventail SSL VPN can be configured to enforce that end point devices have the appropriate version and configuration of the SonicWALL Enforced Client anti-virus solution. Both a SonicWALL Aventail SSL VPN (EX-750, EX-1600 or EX-2500) and a SonicWALL Enforced Client running on an end point device are required in order to follow the configuration steps detailed in this paper. The information presented here represents the industry experience of the SonicWALL® research and development team and reflects the requirements that can be met by combining SonicWALL Aventail SSL VPN solutions with SonicWALL Enforced Client anti-virus solutions. The SonicWALL solutions are referenced in the conclusion to this paper and can be reviewed in detail on the SonicWALL Web site: http://www.sonicwall.com.
Configuration Steps
In order for a SonicWALL Aventail SSL VPN appliance to enforce client usage of the ‘SonicWALL Enforced Client,’ there are a few prerequisites:
1. The Aventail SSL VPN appliance must run firmware 8.9 or newer. This can be obtained from the Aventail Assurance portal by customers with a current software service contract for their Aventail SSL VPN appliances. You can determine the current firmware version by logging into the Aventail Management Console (AMC); the version will display in the lower-left-hand corner of the AMC home page. The firmware version can also be determined by going to the System Configuration > Maintenance page. For an example, see below.
2. The incoming client connection must run version 4.5 or newer of the ‘SonicWALL Enforced Client’. To determine which version a client is running, right-click the client’s taskbar icon (the small red shield with an ‘M’ in it, on the right of the taskbar) and select ‘About’. For an example, see below.
3. On the Aventail SSL VPN appliance, in the Device Profile definition for Windows, the ‘McAfee Inc.’ Vendor name must be selected and the ‘Total Protection for Small Business’ Product name must be used. (There is no SonicWALL-specific entry at present; this will be resolved in a future firmware release.) Following is an example of the SonicWALL Enforced Client Device Profile:
4. The ‘SonicWALL Enforced Client’ is an OEM version of the ‘Total Protection for Small Business’ software application and, because of this, is recognized as such by the Aventail SSL VPN appliance.
5. While the ‘SonicWALL Enforced Client’ is an anti-spyware client as well as an anti-virus client, it only appears in the ‘Anti-Virus’ enforcement category on the Aventail SSL VPN appliance, so the Device Profile must check it under Anti-Virus, not Anti-Spyware.
Zone Options
On the Aventail SSL VPN appliance, there are a number of options for how the administrator can use Aventail End Point Control settings to check for the SonicWALL Enforced Client and take various actions if the Client is not running or not up to date. For the purpose of this white paper, the following scenarios are covered:
1. Standard (Allow) Zone for Full Access: This scenario assumes that the end user has the SonicWALL Enforced Client present on their end point device and that it is configured with the appropriate version.
2. Default Zone for Limited Access- Download the SonicWALL Enforced Client: This scenario assumes that the end user does not have the SonicWALL Enforced Client present on their end point device. The policy will allow the user to have limited access to resources. However, in order to gain full access to resources they will need to download and install the SonicWALL Enforced Client from a link that is present on the SSL VPN portal.
3. Quarantine Zone to Deny Access- Download the SonicWALL Enforced Client: This scenario also assumes that the end user does not have the SonicWALL Enforced Client present on their end point device. However, unlike the previous scenario the user is not allowed access to any resources until they download the SonicWALL Enforced Client. They will be placed into a quarantine zone and will be provided instructions on how to download the SonicWALL Enforced Client.
4. Deny Zone to Deny Access if the SonicWALL Enforced Client is Out of Compliance: This scenario assumes that the end user does have the SonicWALL Enforced Client but for some reason it is not the appropriate configuration (version out of date perhaps). They will be denied access until they perform the necessary update to their SonicWALL Enforced Client.
1. Standard (Allow) Zone for Full Access
In this scenario, if the endpoint matches the Device Profile that was defined for the SonicWALL Enforced Client, then it will be placed into a “Trusted” Zone and given full access to all internal applications:
a) First, define a Standard Zone named “Trusted Zone” that uses the previously defined ‘Enforce SonicWALL’ Device Profile:
b) Next, in the appropriate Community, under End Point Control Restrictions, move the new ‘Trusted Zone’ into the “In use” box in the Standard Zone settings to make the Zone available to the Community:
c) In the Access Control rules, modify the appropriate rule and add the ‘Trusted Zone’. In this example, any user in the AD Realm is permitted access to the Corporate Shared Drive, the intranet, OWA, and Terminal Services applications only if the endpoint is classified into the Trusted Zone:
d) After an authorized user logs into WorkPlace from an endpoint that is running the SonicWALL Enforced Client, that endpoint is classified into the ‘Trusted Zone’ and the user is allowed access to all applications:
2. Default Zone for Limited Access - Download SonicWALL Enforced Client
In this scenario, if the endpoint does not match the Device Profile that was defined for the SonicWALL Enforced Client then it will be placed into a “Default” Zone and given access to a subset of internal applications. Also, a link is provided in the Default Zone to download and install the SonicWALL Enforced Client.
a) Define a new URL Resource for the SonicWALL Enforced Client installation. The exact syntax of the URL is http://virusscanasap.mcafeeasap.com/vs2/Sonicwall/rd.asp?CK=xxxxxx, where CK is the Company Key, a SonicWALL-generated company designation for an installation of the Enforced Client. Multiple licenses can be applied to the same Company Key. Only the hostname is defined in the URL Resource; the remainder of the URL is defined in the Start page option in the Advanced settings of the WorkPlace Shortcut:
b) When defining an external URL as a Resource, it is important that the hostname is added to the Resource Exclusion List at the bottom of the Resource table. This tells the Aventail appliance not to translate (rewrite) the URL, so that the endpoint’s browser resolves it directly to the correct public Web site:
c) Define a new Access Control rule for endpoints placed into the Default Zone (those not running the Enforced Client, or running one that is not up to date as defined in the Device Profile). The rule permits access only to the specified applications and to the SonicWALL Enforced Client download link:
d) Note that the Default Zone does not have to be added to the list of Standard Zones in the appropriate Community. The Default Zone is always present and is the last Zone evaluated. In this example, since the endpoint does not match the Trusted Zone, it falls into the Default Zone.
e) After logging into WorkPlace from an endpoint without the SonicWALL Enforced Client running, the endpoint is classified into the ‘Default Zone’ and is allowed access only to a subset of applications and a link to download the SonicWALL Enforced Client:
3. Quarantine Zone to Deny Access - Download SonicWALL Enforced Client
If the endpoint does not match the Device Profile defined for the SonicWALL Enforced Client, another option is to place it into a Quarantine Zone and give it access only to a link to download and install the Client. In the Quarantine Zone, no application access is permitted beyond the remediation links that are defined.
a) Under the End Point Control Zone settings, define a new Quarantine Zone. As part of the definition, the administrator can specify any text to appear in the Zone and any useful Web links for remediation. In this example, a link is defined to the SonicWALL Enforced Client installation URL described above.
b) In the appropriate Community, under End Point Control Restrictions, change the Zone fallback option from “Place into default zone” to “Place into quarantine zone” and select the SonicWALL Quarantine Zone:
c) After logging into WorkPlace from an endpoint without the SonicWALL Enforced Client running, the endpoint is classified into the SonicWALL Quarantine Zone and is permitted access only to the remediation link specified:
4. Deny Zone to Deny Access if SonicWALL Enforced Client is Out of Compliance
Finally, the Deny Zone can be used to deny access to an endpoint that matches a specific Device Profile. In this example, assume that a new version (5.0) of the SonicWALL Enforced Client has just been put into production and deployed to all end users. If a user tries to log into WorkPlace from an endpoint that is running a SonicWALL Enforced Client with a version other than 5.0, the endpoint is placed into the Deny Zone, allowed no access at all to the internal network, and shown a message explaining why access is denied and whom to contact.
a) Under the End Point Control settings, define a new Device Profile called Enforce SonicWALL. This profile checks whether the endpoint’s SonicWALL Enforced Client version is equal to 4.x (and therefore not version 5.0). Other options can be set to check the last time the signatures were updated or the last time the file system was scanned:
b) Under the End Point Control Zone settings, define a new Deny Zone. In this Zone, specify the Device Profile to check for (Enforce SonicWALL) and a custom message to display to the end user:
c) In the appropriate Community, make the new Deny Zone available under End Point Control Restrictions:
d) After logging into WorkPlace from an endpoint that is not running the correct version of the SonicWALL Enforced Client, the endpoint is placed immediately into the Deny Zone and the pre-defined message is displayed:
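The four zone outcomes described in the Zone Options list and in scenarios 1 to 4 above, as an added worked example that is not SonicWALL code and not part of the original paper: a small Python model of how a Community classifies an interrogated endpoint and which Access Control rule then applies. It assumes the evaluation order Aventail End Point Control uses (Deny Zones first, then Standard Zones in the order they are listed, then the Community's fallback of Default or Quarantine Zone); the endpoint records, the dates, the 7-day signature-age threshold, the resource names and the profile names are all constructed for the illustration. The point the model makes explicit is the one a practitioner has to get right in the AMC: a 4.5 client matches both the 'Enforce SonicWALL' Trusted profile and the 4.x Deny profile, and because Deny Zones are checked first it is denied, while a client with no recognised anti-virus never matches any profile and lands wherever the Community's fallback points.

```python
"""Model of Aventail End Point Control zone classification.

Added illustration, not SonicWALL code. Assumes the EPC evaluation order
(Deny Zones first, then Standard Zones in order, then the Community's
fallback zone). Endpoints, dates, thresholds and resource sets below are
constructed for the example.
"""
from dataclasses import dataclass
from datetime import date
from typing import Callable, List, Optional, Tuple

# The vendor/product the appliance recognises the Enforced Client as
# (it is an OEM build of this McAfee product; see Configuration Steps).
VENDOR = "McAfee Inc."
PRODUCT = "Total Protection for Small Business"


def parse_version(v: str) -> Tuple[int, ...]:
    """'4.5.2' -> (4, 5, 2); non-numeric components count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


@dataclass
class Endpoint:
    """Attributes the EPC interrogation would collect from the client."""
    av_vendor: Optional[str] = None
    av_product: Optional[str] = None
    av_version: Optional[str] = None
    signature_date: Optional[date] = None


@dataclass
class DeviceProfile:
    """Anti-virus Device Profile: vendor/product, version test, signature age."""
    name: str
    version_ok: Callable[[Tuple[int, ...]], bool]
    max_signature_age_days: Optional[int] = None  # None = not checked

    def matches(self, ep: Endpoint, today: date) -> bool:
        if (ep.av_vendor, ep.av_product) != (VENDOR, PRODUCT):
            return False  # other or missing AV is never a match
        if ep.av_version is None or not self.version_ok(parse_version(ep.av_version)):
            return False
        if self.max_signature_age_days is not None:
            if ep.signature_date is None:
                return False
            if (today - ep.signature_date).days > self.max_signature_age_days:
                return False
        return True


@dataclass
class Community:
    """Zones placed 'In use' for a Community, plus its fallback option."""
    deny_zones: List[Tuple[str, DeviceProfile]]
    standard_zones: List[Tuple[str, DeviceProfile]]
    fallback: str  # "Default Zone" or "Quarantine Zone"


def classify(ep: Endpoint, community: Community, today: date) -> str:
    """Deny Zones are checked before Standard Zones; no match -> fallback."""
    for zone, profile in community.deny_zones:
        if profile.matches(ep, today):
            return zone
    for zone, profile in community.standard_zones:
        if profile.matches(ep, today):
            return zone
    return community.fallback


# Access Control rules keyed by zone (resource names constructed for the example).
ACCESS_BY_ZONE = {
    "Trusted Zone": {"Corporate Shared Drive", "Intranet", "OWA", "Terminal Services"},
    "Default Zone": {"Intranet", "Enforced Client download"},
    "Quarantine Zone": {"Enforced Client download"},  # remediation link only
    "Deny Zone": set(),
}


def permitted_resources(ep: Endpoint, community: Community, today: date):
    zone = classify(ep, community, today)
    return zone, ACCESS_BY_ZONE[zone]


# Trusted requires 4.5+ with signatures no older than 7 days (threshold assumed);
# the Deny profile for the 5.0 roll-out matches any 4.x client.
ENFORCE_SONICWALL = DeviceProfile("Enforce SonicWALL", lambda v: v >= (4, 5), 7)
ENFORCE_SONICWALL_4X = DeviceProfile("Enforce SonicWALL 4.x", lambda v: v[0] == 4)

TRUSTED = [("Trusted Zone", ENFORCE_SONICWALL)]
COMMUNITY_DEFAULT = Community([], TRUSTED, "Default Zone")        # scenarios 1 and 2
COMMUNITY_QUARANTINE = Community([], TRUSTED, "Quarantine Zone")  # scenario 3
COMMUNITY_ROLLOUT = Community([("Deny Zone", ENFORCE_SONICWALL_4X)], TRUSTED, "Default Zone")  # scenario 4

TODAY = date(2009, 6, 1)  # constructed
EP_CURRENT = Endpoint(VENDOR, PRODUCT, "5.0.0", date(2009, 5, 30))
EP_OLD = Endpoint(VENDOR, PRODUCT, "4.5.0", date(2009, 5, 30))
EP_STALE = Endpoint(VENDOR, PRODUCT, "5.0.0", date(2009, 4, 1))   # 61-day-old signatures
EP_OTHER_AV = Endpoint("Other Vendor", "Other AV", "1.0", date(2009, 5, 30))  # not recognised
EP_NONE = Endpoint()

if __name__ == "__main__":
    for label, ep in [("current", EP_CURRENT), ("4.5", EP_OLD), ("stale", EP_STALE),
                      ("other AV", EP_OTHER_AV), ("no AV", EP_NONE)]:
        for cname, c in [("default", COMMUNITY_DEFAULT), ("quarantine", COMMUNITY_QUARANTINE),
                         ("rollout", COMMUNITY_ROLLOUT)]:
            zone, res = permitted_resources(ep, c, TODAY)
            print(f"{label:9} {cname:10} -> {zone}: {sorted(res)}")
```

Running the block prints the zone and resource set for every endpoint/Community pair. Two results are worth checking against your own AMC configuration: the stale-signature client is not denied but falls back (it fails the Trusted profile and matches no Deny profile), and the client with an unrecognised anti-virus product is treated exactly like a client with none, which is why the Device Profile must name the McAfee vendor and product the appliance actually reports for the Enforced Client.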
Conclusion
The SonicWALL E-Class Aventail SSL VPN appliances provide secure access for employees, business partners, and customers to Web applications, client/server applications, and file shares. The Aventail SSL VPN appliances provide remote access control that manages and secures application access based on the ability to identify the following three things:
1) Who is the user?
• Identify users based on strong authentication. Group users into communities and groups based on admission policy.
2) What is on the end point device?
• Interrogation of the end point to determine the device identity and device integrity, and allow the results of the interrogation to be leveraged within admission and access control policies.
3) What are the resources that the user needs to access?
• Allow access to individual applications based on who the user is and the trust level for the device used for access.
The Aventail SSL VPN appliances make these resources available through a range of access methods (a standard Web browser, an ActiveX or Java-enabled Web browser, or a native client preinstalled on the device) on a wide range of platforms and devices, including Windows, Macintosh, Linux, and PDAs or smartphones. Administrators determine the resources that users will be allowed to access, and the Aventail SSL VPN appliances transparently and dynamically provision the access methods appropriate for those resources. All access control is handled centrally via the Web-based management console.
Why SonicWALL Aventail SSL VPNs?
1) More devices, more access points:
The pace of innovation in remote access technology has increased dramatically over the past decade. Broadband access to the Internet has become not merely ubiquitous but an expected standard, at work, at home, and everywhere in between. Mobile devices have proliferated to the point where laptops, PDAs, and smartphones, equipped with sophisticated wireless and cellular connectivity, are accelerating the phase-out of traditional desktop PCs. The rise in VoIP has turned phone calls into data resources and transformed telephony into yet another network access method.
2) Work is increasingly moving beyond the network perimeter:
Traditional network boundaries are disappearing, and “the office” no longer has anything to do with any specific physical location. Work is conducted from field offices and home offices, partner sites and manufacturing sites. Increased access has resulted in increased productivity. Business partners require access to internal enterprise resources from end point locations behind their own firewalls. Remote teleworkers and day extenders in all business capacities connect to business applications and files via WiFi hotspots at home or in neighborhood cafes. Enterprise boundaries are blurring, with “outside” partners, vendors, and consultants playing an increasingly vital role in daily operations, often collaborating in cross-functional teams that require secure access to “inside” application resources from “outside” devices, traversing internal and external firewalls.
3) IT is facing new challenges for controlling access:
The increasingly mobile trends in technology and business operations have accelerated the replacement of traditional network nodes from IT-managed hard-cabled desktops to wireless laptops and mobile devices. Even when these devices are issued by IT, usage has become difficult for IT to control. An end user might use the same mobile computing device at home as in the office, use a personally-owned device for business purposes, or use a corporate-owned device for personal purposes. It is increasingly hard for IT to be able to restrict what users do with access devices, and to limit ways in which users expose these devices to threats that can impact the security of enterprise resources.
Contacting SonicWALL
If you require technical assistance for your SonicWALL UTM appliance or SonicPoint, check these online SonicWALL resources:
The support site: http://www.sonicwall.com/us/Support.html
The interactive online Knowledge Portal:
http://www.nohold.net/noHoldCust22/Prod_3/Articles53234/sw_launch_frames.html
If you cannot find the information you need, contact SonicWALL telephone support at one of these numbers:
North America Telephone Support
U.S./Canada - 888.777.1476 or +1 408.752.7819
International Telephone Support
Australia +1800.35.1642, Austria +43(0)820.400.105, EMEA +31(0)411.617.810, France +33(0)1.4933.7414, Germany +49(0)1805.0800.22, Hong Kong +1.800.93.0997, India +8026556828, Italy +39.02.7541.9803, Japan +81(0)3.5460.5356, New Zealand +0800.446489, Singapore +800.110.1441, Spain +34(0)9137.53035, Switzerland +41.1.308.3.977, UK +44(0)1344.668.484
Note: If you find that the number appropriate to your geographic region does not work, please visit http://www.sonicwall.com/us/support/3001.html for the latest technical support telephone numbers.
More Information on SonicWALL Products
Contact SonicWALL, Inc. for information about SonicWALL products and services at: Web: http://www.sonicwall.com
E-mail: sales@sonicwall.com Phone: (408) 745-9600 Fax: (408) 745-9300
Author: dparry@sonicwall.com and dbuckwald@sonicwall.com Prepared by SonicWALL, Inc