SonicWALL TZ 180 TotalSecure Administrator’s Guide Introduction SonicWALL TZ 180 TotalSecure is included in SonicWALL’s unified threat management solution that integrates Gateway Anti-Virus, Anti-Spyware, and Intrusion Prevention Service into an intelligent, real-time network security solution. This provides a comprehensive, yet layered approach to securing your network.
What is TotalSecure? Prevention Service delivers unified threat management directly on the SonicWALL security appliance gateway. Unlike other threat management solutions, SonicWALL Gateway Anti-Virus, Anti-Spyware and Intrusion Prevention Service has the capacity to analyze files of any size in real time without the need to add expensive hard drives or extra memory.
SonicWALL Gateway Anti-Virus
This section provides an overview of the SonicWALL Gateway Anti-Virus.
SonicWALL Gateway Anti-Virus/Intrusion Prevention Features
The Gateway Anti-Virus/Intrusion Prevention features are described below: • Integrated Deep Packet Inspection Technology - SonicWALL Gateway Anti-Virus/Intrusion Prevention Service features a configurable, high-performance deep packet inspection architecture that uses parallel searching algorithms up through the application layer to deliver increased application layer, Web and e-mail attack prevention.
of other stream-based protocols. This closes potential backdoors that can be used to compromise the network while also improving employee productivity and conserving Internet bandwidth.
Remote Site Protection
To protect the internal network, perform the following steps: Step 1 Users send typical e-mail and files between remote sites and the corporate office. Step 2 SonicWALL GAV scans and analyzes files and e-mail messages on the SonicWALL security appliance. Step 3 Viruses are found and blocked before infecting the remote desktop. Step 4 Virus is logged and alert is sent to administrator.
[Figure: Remote Site Protection diagram; labels: Virus Discarded, Alert Logged, PRO 5060]
HTTP File Downloads
The process for HTTP File Downloads is described in the steps and diagram below: Step 1 Client makes a request to download a file from the Web. Step 2 File is downloaded through the Internet. Step 3 File is analyzed through the SonicWALL GAV engine for malicious code and viruses. Step 4 If a virus is found, the file is discarded.
Server Protection
The process for Server Protection is described in the steps below: Step 1 Outside user sends an incoming e-mail. Step 2 E-mail is analyzed through the SonicWALL GAV engine for malicious code and viruses before it is received by the e-mail server. Step 3 If a virus is found, the threat is prevented. Step 4 E-mail is returned to sender, virus is logged, and alert sent to administrator.
SonicWALL GAV Architecture
SonicWALL GAV is based on SonicWALL's high performance DPIv2.
Stream Concurrency Limitations by SonicWALL Security Appliance
Because SonicWALL GAV does not have to perform reassembly, there are no file-size limitations imposed by the scanning engine. Base64 decoding, ZIP, LHZ, and GZIP (LZ77) decompression are also performed on a single-pass, per-packet basis.
Note 8-bit encoding is handled natively for all email-based protocols (SMTP, POP3, and IMAP) since no decoding is required for each encoding scheme. SMTP Capabilities: base64 decoding, zip (including archives) and gzip decompression. Prevention Mechanism: The message which contains the virus is removed from the head of the sent queue, thus preventing it from being resent, via a 552 SMTP response, and the connection is terminated.
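The SMTP prevention mechanism above relies on the reply class: a 5yz reply is a permanent failure, so the sending MTA drops the message from its queue instead of retrying as it would on a 4yz reply. This added Python simulation (not SonicWALL code) models that exchange; the scanner stand-in, the constructed marker string and the queue helper are assumptions made for the example.

```python
from collections import deque

# Constructed sample marker standing in for a real virus signature match.
SAMPLE_MALWARE_MARKER = b"CONSTRUCTED-MALWARE-SAMPLE"

def is_infected(message: bytes) -> bool:
    """Stand-in for the GAV signature scan (constructed, not the real engine)."""
    return SAMPLE_MALWARE_MARKER in message

def gateway_data_reply(message: bytes) -> tuple:
    """Gateway's answer to the client's DATA payload: (reply line, close connection?)."""
    if is_infected(message):
        # 5yz is a permanent negative completion (RFC 5321): the sender must not
        # retry. The gateway then terminates the connection so nothing more flows.
        return "552 Message rejected: virus found", True
    return "250 OK: queued", False

def sender_process_reply(queue: deque, reply: str) -> str:
    """Sending MTA queue logic: 2yz and 5yz remove the message at the head of the
    queue; 4yz leaves it in place so it would be resent on the next attempt."""
    code = int(reply[:3])
    if code // 100 == 4:
        return "deferred"
    queue.popleft()
    return "delivered" if code // 100 == 2 else "bounced"

def would_be_resent(reply: str) -> bool:
    """True when a reply class makes the sending MTA keep the message for retry."""
    queue = deque([b"probe"])
    sender_process_reply(queue, reply)
    return len(queue) == 1

def run_queue(messages) -> list:
    """Push every queued message through the gateway; return (outcome, code, closed)
    per message. After a 552 the sender reconnects for the next message, and the
    rejected message is already gone from the head of the queue."""
    queue = deque(messages)
    outcomes = []
    while queue:
        reply, closed = gateway_data_reply(queue[0])
        outcomes.append((sender_process_reply(queue, reply), reply[:3], closed))
    return outcomes
```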
Prevention Mechanism: The connection is terminated, preventing the user from receiving the malicious payload. FTP Capabilities: zip (including archives) and gzip decompression. FTP stateful code follows data port negotiations, allowing FTP data to be inspected across any operating TCP port. Suppresses the use of the FTP 'REST' (restart) request to prevent the sectional retrieval and reassembly of potentially malicious content.
SonicWALL Intrusion Prevention Service
What is a Zone? A Zone is a logical grouping of one or more interfaces and/or VLANs designed to make management, such as the definition and application of Access Rules, a simpler and more intuitive process than following a strict physical interface scheme.
SonicWALL Anti-Spyware
SonicWALL Anti-Spyware is included within the SonicWALL Gateway Anti-Virus (GAV), Anti-Spyware and Intrusion Prevention Service (IPS) unified threat management solution. SonicWALL GAV, Anti-Spyware and IPS delivers a comprehensive, real-time gateway security solution for your entire network. This section provides an overview of the SonicWALL Anti-Spyware.
clients and reset those connections. For example, when spyware has been profiling a user's browsing habits and attempts to send the profile information home, the SonicWALL security appliance identifies that traffic and resets the connection. The SonicWALL Anti-Spyware Service provides the following protection: • Blocks spyware delivered through auto-installed ActiveX components, the most common vehicle for distributing malicious spyware programs.
SonicWALL Content Filtering Service - Premium
This section provides an overview of the SonicWALL Content Filtering Service. This section contains the following subsections: • CFS Overview • How Does CFS Premium Work? • Benefits
CFS Overview
SonicWALL Content Filtering Services Premium (CFS Premium) enforces protection and productivity policies for businesses, schools and libraries to reduce legal and privacy risks while minimizing administration overhead.
SonicWALL Deep Packet Inspection
This section provides an overview of the SonicWALL Intrusion Prevention Service (DPI). This section contains the following subsections: • DPI Overview • How Does DPI Work? • Benefits
DPI Overview
Deep Packet Inspection (DPI) looks at the data portion of the packet. The Deep Packet Inspection technology includes intrusion detection and intrusion prevention. Intrusion detection finds anomalies in the traffic and alerts the administrator.
[Figure 1: Deep Packet Inspection Flow Diagram; labels: Input Packet, Output Packet]
The following steps describe how the SonicWALL Deep Packet Inspection Architecture functions: 1. Pattern Definition Language Interpreter uses signatures that can be written to detect and prevent against known and unknown protocols, applications and exploits. 2. TCP packets arriving out-of-order are reassembled by the Deep Packet Inspection framework. 3.
SonicWALL Security Dashboard
This section provides an introduction to the Security Dashboard feature.
Security Dashboard Overview
The SonicWALL Security Dashboard provides reports of the latest threat protection data from a single SonicWALL appliance and aggregated threat protection data from SonicWALL security appliances deployed globally. The SonicWALL Security Dashboard displays automatically upon successful authentication to a SonicWALL security appliance running SonicOS 3.
Each report includes a graph of threats blocked over time and a table of the top blocked threats. Reports, which are updated hourly, can be customized to display data for the last 12 hours, 14 days, 21 days, or 6 months. For easier viewing, SonicWALL Security Dashboard reports can be transformed into a PDF file format with the click of a button. Figure 2 provides the default view of the SonicWALL Security Dashboard.
What is Security Dashboard?
TotalSecure provides the latest threat protection information to keep you informed about potential threats being blocked by SonicWALL security appliances. When you activate SonicWALL’s security services, including Gateway Anti-Virus, Gateway Anti-Spyware, Intrusion Prevention Service (IPS), and Content Filtering Service, you are automatically protected from the threats reported by the SonicWALL Security Dashboard.
[Figure 3: SonicWALL Security Dashboard PDF Report]
Registering Your Appliance on MySonicWALL
While the SonicWALL TZ 180 TotalSecure includes licenses for the Intrusion Prevention services, you must activate these services by following the steps within the sections listed below. This section provides an overview of the SonicWALL Intrusion Prevention Service. This section contains the following subsections: • Creating a mySonicWALL.
Creating a mySonicWALL.com Account
Creating a mySonicWALL.com account is fast, simple, and free. Simply complete an online registration form in the SonicWALL security appliance management interface. Note: If you already have a mySonicWALL.com account, go to “” on page 18. 1. Log into the SonicWALL security appliance management interface. 2.
TotalSecure Configuration Task List
Registering Your SonicWALL Security Appliance
1. Log into the SonicWALL security appliance management interface. 2. If the System > Status page is not displaying in the management interface, click System in the left-navigation menu, and then click Status. 3. On the System > Status page, in the Security Services section, click the Register link. The mySonicWALL.com Login page is displayed. 4. Enter your mySonicWALL.
Setting Up SonicWALL GAV Protection
The Security Services > Gateway Anti-Virus page provides the settings for configuring SonicWALL GAV on your SonicWALL security appliance. Enabling SonicWALL GAV You must select the Enable Gateway Anti-Virus check box in the Gateway Anti-Virus Global Settings section to enable SonicWALL GAV on your SonicWALL security appliance. If your SonicWALL security appliance is running SonicOS Standard 3.
Applying SonicWALL GAV Protection on Zones (SonicOS Enhanced 3.0)
If your SonicWALL security appliance is running SonicOS Enhanced 3.0, you can enforce SonicWALL GAV not only between each network zone and the WAN, but also between internal zones. For example, enabling SonicWALL GAV on the LAN zone enforces anti-virus protection on all incoming and outgoing LAN traffic.
Note You can also enable SonicWALL GAV protection for new zones you create on the Network > Zones page. Clicking the Add button displays the Add Zone window, which includes the same settings as the Edit Zone window.
Updating SonicWALL GAV Signatures
By default, the SonicWALL security appliance running SonicWALL GAV automatically checks the SonicWALL signature servers once an hour. There is no need for an administrator to constantly check for new signature updates. You can also manually update your SonicWALL GAV database at any time by clicking the Update button located in the Gateway Anti-Virus Status section. SonicWALL GAV signature updates are secured.
The Enable Inbound Inspection protocol traffic handling is represented as a table: Enabling Outbound SMTP Inspection The Enable Outbound Inspection feature is available for SMTP traffic, such as for a mail server that might be hosted on the DMZ. Enabling outbound inspection for SMTP scans mail that is delivered to the internally hosted SMTP server for viruses.
Configuring Client Alerts
If you want clients on your network to receive notifications on their desktop when an HTTP file download is blocked by GAV, check the Enable Client Notification Alerts (desktop client installation is required) box. You must install the client software included on the Resource CD for your SonicWALL security appliance for the client to receive these notifications from SonicWALL GAV.
• Restrict Transfer of password-protected Zip files - Disables the transfer of password-protected ZIP files over any enabled protocol. This option only functions on protocols (e.g. HTTP, FTP, SMTP) that are enabled for inspection. • Restrict Transfer of MS-Office type files containing macros (VBA 5 and above) - Disables the transfer of any MS Office 97 and above files that contain VBA macros. • Restrict Transfer of packed executable files (UPX, FSG, etc.
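The password-protected ZIP restriction can be decided from each ZIP local file header alone, which is what makes it workable for a single-pass, per-packet engine. This added Python example (not SonicWALL code) walks a ZIP byte stream, reads the general-purpose flag word of every local header and reports entries whose encryption bit (bit 0) is set; the sample archive is constructed inline, and its "encrypted" variant is produced by setting that flag bit because the zipfile module cannot write encrypted archives.

```python
import io
import struct
import zipfile

LOCAL_HEADER_SIG = b"PK\x03\x04"
LOCAL_HEADER_FMT = "<4sHHHHHIIIHH"   # 30-byte fixed part of a local file header
LOCAL_HEADER_LEN = struct.calcsize(LOCAL_HEADER_FMT)
FLAG_ENCRYPTED = 0x0001              # general-purpose flag bit 0: entry is encrypted

def scan_zip_stream(data: bytes) -> list:
    """Single pass over a ZIP stream; returns [(entry name, encrypted?), ...]."""
    entries = []
    pos = 0
    while True:
        pos = data.find(LOCAL_HEADER_SIG, pos)
        if pos < 0 or pos + LOCAL_HEADER_LEN > len(data):
            break
        (_sig, _ver, flags, _method, _mtime, _mdate, _crc,
         csize, _usize, nlen, elen) = struct.unpack_from(LOCAL_HEADER_FMT, data, pos)
        name_start = pos + LOCAL_HEADER_LEN
        name = data[name_start:name_start + nlen].decode("utf-8", "replace")
        entries.append((name, bool(flags & FLAG_ENCRYPTED)))
        # Skip the entry's data. When bit 3 (data descriptor) is set csize is 0
        # here, and the next find() simply resumes scanning for the next header.
        pos = name_start + nlen + elen + csize
    return entries

def should_restrict(data: bytes) -> bool:
    """Policy decision for 'Restrict Transfer of password-protected Zip files'."""
    return any(encrypted for _name, encrypted in scan_zip_stream(data))

def build_sample_zip(encrypted: bool) -> bytes:
    """Constructed sample archive with one entry; optionally marked encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("report.txt", "constructed sample content")
    data = bytearray(buf.getvalue())
    if encrypted:
        # Flags live at offset 6 of the first local header (after signature and
        # version). Setting bit 0 mimics what a password-protected archive carries.
        flags = struct.unpack_from("<H", data, 6)[0]
        struct.pack_into("<H", data, 6, flags | FLAG_ENCRYPTED)
    return bytes(data)
```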
Navigating the Gateway Anti-Virus Signatures Table
The SonicWALL GAV signatures are displayed fifty to a page in the Gateway Anti-Virus Signatures table. The Items field displays the table number of the first signature. If you’re displaying the first page of a signature table, the entry might be Items 1 to 50 (of 58). Use the navigation buttons to navigate the table.
To disable IPS, uncheck the Enable IPS check box. This will prevent blocking of traffic that matches the IPS signatures. However, some signatures belong to Application Filter category sets as well as other types of category sets such as GAV, IPS, Anti-Spyware, or Web Filters. If Application Filtering is enabled, these signatures are blocked by the Application Filter process even when you configure the other filters to allow them.
• Use the IPS Global Setting to enable the option Prevent All for all three IPS Signature Groups. Now all three IPS Signature Groups (High, Medium, and Low Priority) will be Prevented, which will block quite a lot of traffic flowing in the network, for example: • MSN Messenger, Yahoo Messenger, AIM, IRC and other Instant Messaging applications will not work, nor will any Peer-to-Peer applications. • A Terminal Service client will not be able to connect.
Caution • Anti-Spyware Global Settings - provides the key settings for enabling SonicWALL Anti-Spyware on your SonicWALL security appliance, specifying global SonicWALL Anti-Spyware protection based on three classes of spyware, and other configuration options. • Anti-Spyware Policies - allows you to view SonicWALL Anti-Spyware signatures and configure the handling of signatures by category groups or on a signature by signature basis.
Specifying Spyware Danger Level Protection
SonicWALL Anti-Spyware allows you to globally manage your network protection against attacks by simply selecting the class of attacks: High Danger Level Spyware, Medium Danger Level Spyware and Low Danger Level Spyware. Selecting the Prevent All and Detect All check boxes for High Danger Level Spyware and Medium Danger Level Spyware in the Signature Groups table, and then clicking Apply protects your network against the most dangerous spyware.
Glossary
• Deep Packet Inspection - looking at the data portion of the packet. Enables the firewall to investigate farther into the protocol to examine information at the application layer and defend against attacks targeting application vulnerabilities.
Related Documentation
SonicWALL user guides and reference documents are available at the SonicWALL Technical Documentation Online Library: http://www.sonicwall.com/us/Support.html For basic and advanced deployment examples, refer to SonicOS Guides and SonicWALL TechNotes available on the Web site.
See the following documents for more information: • SonicWALL CFS Premium Administrator's Guide • SonicWALL Gateway Anti-Virus 2.0 Administrator's Guide • SonicWALL Intrusion Prevention Service 2.0 Administrator's Guide • SonicWALL Anti-Spyware Administrator's Guide • SonicOS Standard 3.8 Administrator's Guide • SonicOS Enhanced 3.