Anyone else getting dinged for having an open web portal that can’t be disabled? So far this month I have three clients using SSL VPN that have received “Critical” security ratings from their carriers’ security groups for having the Virtual Office portal accessible, and are threatening to deny policy renewals.
We’ve demonstrated no resources are available through the portal, and no WAN management is configured. We’ve even disabled the User login feature for registering MFA, and just turn it on temporarily when someone is hired or gets a new phone. But the Virtual Office function cannot be turned off, only limited to specific IPs. We’re not about to collect and enter the home IPs of several hundred users - especially when most of them get new IPs whenever their modems restart.
I suppose an alternative is to move to the Global VPN, but meeting MFA requirements means setting up RADIUS infrastructure since the Global VPN doesn’t support TOTP like the SSL VPN. That’s not a viable solution for some clients who have no onsite servers anymore.
Albeit on a smaller scale, we’re using a dynamic DNS service and the Windows or Mac client to register the user’s IP in the dynamic DNS service. Then, on the SonicWall we enter the FQDN we’ve configured for the user and whitelist it. Only those IPs get through to the VPN. That, along with 2FA on SSL VPN has satisfied auditors…so far.
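The dynamic-DNS allow-list described in the post above has a few quiet failure modes (a client that stopped updating its record, a record that captured a LAN or CGNAT address, two users whose records resolve to the same IP). The script below is an added example, not SonicWall's or the poster's code: it resolves each user's FQDN and flags those cases before the FQDN objects are trusted as a whitelist. The user names, hostnames and the constructed resolver results are sample data; with no resolver injected it uses real DNS.

```python
"""Audit a dynamic-DNS based VPN allow-list (added example, constructed data)."""
import ipaddress
import socket
from typing import Callable, Dict, List, Optional

# Constructed sample: user -> dynamic-DNS hostname the user's client updates.
USER_FQDNS: Dict[str, str] = {
    "alice": "alice-home.ddns.example.net",
    "bob": "bob-home.ddns.example.net",
    "carol": "carol-home.ddns.example.net",
    "dave": "dave-home.ddns.example.net",
}

# Ranges that can never be a remote user's public egress address.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "100.64.0.0/10",                                   # CGNAT (RFC 6598)
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",
)]

Resolver = Callable[[str], List[str]]


def default_resolver(fqdn: str) -> List[str]:
    """Real DNS lookup; an unresolvable name yields an empty list."""
    try:
        return socket.gethostbyname_ex(fqdn)[2]
    except socket.gaierror:
        return []


def classify(addrs: List[str]) -> str:
    """Return 'ok' or the reason this record should not be whitelisted."""
    if not addrs:
        return "unresolvable: update client has probably stopped registering"
    if len(addrs) > 1:
        return "multiple A records: the allow-list would widen to all of them"
    ip = ipaddress.ip_address(addrs[0])
    if any(ip in net for net in NON_PUBLIC):
        return f"non-public address {ip}: record captured a LAN or CGNAT address"
    return "ok"


def audit(users: Dict[str, str], resolver: Optional[Resolver] = None) -> Dict[str, dict]:
    """Resolve every user's FQDN and report its status, including shared IPs."""
    resolver = resolver or default_resolver
    report: Dict[str, dict] = {}
    seen: Dict[str, str] = {}          # public IP -> first user seen with it
    for user, fqdn in sorted(users.items()):
        addrs = resolver(fqdn)
        status = classify(addrs)
        if status == "ok" and addrs[0] in seen:
            status = f"shares {addrs[0]} with {seen[addrs[0]]}: one entry admits both"
        elif status == "ok":
            seen[addrs[0]] = user
        report[user] = {"fqdn": fqdn, "addrs": addrs, "status": status}
    return report


def constructed_resolver(fqdn: str) -> List[str]:
    """Stand-in for DNS so the audit runs offline (constructed results)."""
    table = {
        "alice-home.ddns.example.net": ["203.0.113.10"],
        "bob-home.ddns.example.net": [],                   # client stopped updating
        "carol-home.ddns.example.net": ["192.168.1.20"],   # registered LAN address
        "dave-home.ddns.example.net": ["203.0.113.10"],    # same egress as alice
    }
    return table.get(fqdn, [])


if __name__ == "__main__":
    for user, row in audit(USER_FQDNS, constructed_resolver).items():
        print(f"{user:8} {row['fqdn']:32} {row['status']}")
```

Run it on a schedule against the same FQDN list that is configured on the firewall; anything other than "ok" is an entry to fix (or a user to contact) rather than a whitelist to keep trusting.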
Are you using the default self signed certificate or have you had a CSR signed by a CA?
In my experience, most of the security assessment failures related to SSL VPN are for using a self signed certificate, since those can’t be used to guarantee integrity or non-repudiation.
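To answer the self-signed question for a given portal without waiting for the next scan, the script below is an added example (not SonicWall's or the poster's code). `inspect_portal` opens a TLS connection with the machine's normal trust store; a trusted chain yields the leaf certificate's details, while a failed verification is mapped from OpenSSL's verify code to a plain reason (self-signed leaf, self-signed in chain, missing intermediate, expired, hostname mismatch). `summarize_cert` works on the dict `getpeercert()` returns, so it is exercised below on two constructed certificate dicts; the hostname and dates in them are sample data.

```python
"""Classify a VPN portal's TLS certificate (added example, constructed data)."""
import socket
import ssl
import time
from typing import Dict, List, Optional

# OpenSSL X509 verify codes surfaced by ssl.SSLCertVerificationError.verify_code.
VERIFY_CODES = {
    10: "certificate has expired",
    18: "self-signed leaf certificate",
    19: "self-signed certificate in chain",
    20: "issuer not in this machine's trust store (private CA or missing intermediate)",
    62: "hostname does not match the certificate",
}

# Constructed sample dicts in the shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_SELF_SIGNED = {
    "subject": ((("commonName", "192.0.2.1"),),),
    "issuer": ((("commonName", "192.0.2.1"),),),
    "notAfter": "Jan  1 00:00:00 2026 GMT",
}
SAMPLE_CA_SIGNED = {
    "subject": ((("commonName", "vpn.example.com"),),),
    "issuer": ((("organizationName", "Example CA"),), (("commonName", "Example Issuing CA"),)),
    "subjectAltName": (("DNS", "vpn.example.com"),),
    "notAfter": "Jan  1 00:00:00 2026 GMT",
}
NOW_2025 = ssl.cert_time_to_seconds("Jan  1 00:00:00 2025 GMT")  # fixed clock for tests


def _name(rdns) -> Dict[str, str]:
    """Flatten getpeercert()'s nested subject/issuer tuples into a dict."""
    return {k: v for rdn in rdns for (k, v) in rdn}


def summarize_cert(cert: dict, now: Optional[float] = None) -> dict:
    """Extract the facts an assessor asks about: issuer, self-signed, expiry, SANs."""
    now = time.time() if now is None else now
    subject, issuer = _name(cert.get("subject", ())), _name(cert.get("issuer", ()))
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    sans: List[str] = [v for (t, v) in cert.get("subjectAltName", ()) if t == "DNS"]
    return {
        "subject_cn": subject.get("commonName"),
        "issuer_cn": issuer.get("commonName"),
        "self_signed": subject == issuer,      # issuer == subject marks a self-signed cert
        "days_left": int((not_after - now) // 86400),
        "san": sans,
    }


def explain_verify_error(code: Optional[int], message: str) -> str:
    """Map an OpenSSL verify code to a reason; fall back to the raw message."""
    return VERIFY_CODES.get(code, message)


def inspect_portal(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect with default verification; report trust status and cert summary."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {"trusted": True, **summarize_cert(tls.getpeercert())}
    except ssl.SSLCertVerificationError as err:
        # With verification failed, getpeercert() would be empty, so report why.
        return {"trusted": False,
                "reason": explain_verify_error(getattr(err, "verify_code", None), str(err))}


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "vpn.example.com"  # placeholder host
    print(inspect_portal(host))
```

A `trusted: False` result with reason 20 on an otherwise publicly signed certificate usually means the appliance is serving the leaf without its intermediate; assessors' scanners see that the same way they see a self-signed cert.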
You should be able to DL a trial from the MSW site. If not ask someone from SNWL to provision one for you to try. Should be 30 days. VMWare ESXi, Hyper-V, KVM, AWS and Azure.
Yea. We are seeing the same thing from certain providers. My guess is that it is related to a poor general risk assessment of SonicWall overall. I was given really poor references by the insurance company about why they feel this way. These are huge companies. I have reached out to SonicWall about it but there isn’t much to do.
To understand your situation, are you referring to just the web page to login for NetExtender MFA setup? Or are you using the Virtual Office as a portal into your internal resources?
Same here. Getting hammered with them this week. I frankly disagree with their entire train of thought. Had an insurance provider recommend we move to IPSec VPN, because it “doesn’t require SSL handshake or the login page to be ‘broadcasted’ in order to function”. Guess they never heard of scanning common ports. Of course, they also very helpfully reminded our customer that they are “partnered” with Cloudflare Access, so they would accept that as solution.
I am starting to think these are more attempts to upsell our customers more than anything. It does not help that the insurance providers are incredibly ignorant of cyber security or even what the scan results indicate. And when I actually talk with those that know their stuff, they just ask for some documentation and typically go away. The ones I converse with in email only care that their vulnerability scan report shows a scary red X on it.
All certificates are publicly signed. They don’t care, having the portal is a Critical Risk. Their suggested option is to put it on a reverse proxy, but that won’t work with VPN connections.
Are you saying you can put a reverse proxy between the user and the SMA appliance?
This SMA firmware has been slaughtered in the last year with vulns. I have used SonicWall for decades. But I’m not sure if deploying this will help from an insurer point of view.
Here’s the exact text of their report, they’ve not cared that we’ve provided screenshots showing these are up-to-date NSA firewalls and not end of life SMA/SRA devices:
The critical security vulnerability can crash the device and prevent users from connecting to corporate resources. It could also open the door to remote code execution (RCE). In taking full control of the compromised system, the attacker could view, change, or delete data; install programs, or create new accounts with full user rights.
Release of this quote is contingent upon:
Updating the SonicWALL Appliance to the most recent version to fix any high-risk vulnerabilities. Updates are easy to deploy and can fix any vulnerabilities that exist in earlier firmware versions and block attackers from exploiting the device.
Enforcing multifactor authentication (2-FA) for ALL users and administrators of the device.
A forced password reset for ALL users and administrators of the device if MFA wasn’t previously enforced across all users, including any service accounts used on the device.
Disabling login portals from internet exposure, and disabling interactive logins and RDP internally on any VPN service accounts.
Reading through all your responses, it looks like you are setting up SSL VPN directly on your SonicWALL Firewall, and not on one of their Virtual Office appliances (SRA/SMA).
Yup, got the same thing here too. “You should move to Cloudflare VPN”. This is nothing more than a way to get kickbacks from their “partner”. There is no risk here, at least not beyond any other MFA remote access solution.
End users never get the login credentials for the client and on Windows it can be locked down some amount. Mac, not so much. About the worst a user can do is exit the client but that hurts them. User in a different country that’s in the GeoIP block list? No more whitelisting the hotel IP, etc… And, no more annoyed user.
We also use that on SonicWall devices where we don’t have a static IP, but do receive a public IP address. Sure makes management easier. 2FA enabled for the admin user, of course, and restricted to our WAN IPs.
I know this is old but it is also happening to me. Their recommendation is to put it behind a VPN. This IS the VPN! Also using publicly signed certs and the most recent version of firmware.
That is strange. It seems they are looking for any excuse not to cover these clients because they are a higher risk for them, or they have someone new that doesn’t know what they are doing. I am not sure if their scanners are just looking at whether you’re using SonicWall devices or if it’s actually detecting the vulnerability for some strange reason.
In either case it’s absurd to require you to disable VPN completely on a fully patched device in the middle of a pandemic where people mostly work from home.
I see two options here. Get new firewalls / VPN service or tell your client to get more competent security insurance. The auditors are just blindly following scan results that they don’t understand. I don’t think you’ll be able to convince them otherwise.