Join the Conversation

To sign in, use your existing MySonicWall account. To create a free MySonicWall account click "Register".

should my VPN setup be improved to make it more secure?

I'm very much a newbie with SonicWall (TZ270) but have been learning a lot about it since I installed it some months ago.

I run a small (1 person; me) business where I occasionally need remote access to my in-home office.

It looks like someone has been putting a lot of effort into accessing my "WAN Group VPN" since I've seen a lot of IKE syslog entries. Since it was receiving so much "attention", it seemed sensible to take extra steps to protect myself from this sort of attack from the Internet by attackers who do not have access to any of my laptops or VPN information.

  • a long an diverse shared secret
  • not really acceptable: I turn it off when I don't expect to need it.

with my limited knowledge, I'm unsure of the vulnerabilities I should be concerned about.

Here's my setup:

  • IKE using preshared secret

I don't have any geographic features licensed on my TZ270. For myself, I would need access from anywhere in the world.

Are there some simple things I could/should do to harden my TZ270 against attacks of this sort?

Thank you!

Category: Remote Access Management and Reporting
Reply

Best Answers

  • CORRECT ANSWER
    MarkDMarkD Cybersecurity Overlord ✭✭✭
    Answer ✓

    HTTPS management is useful IF you want to manage the appliance over the VPN, External IP to WAN management should be disabled or min whitelisted from a fixed IP address via the WAN-WAN management rule - or as above secured via a VPN.

    Your shared key is just that Shared between the client and the sever - symmetrical encryption, its never sent in the IKE negotiation.

    Ensure your trusted user is using MFA for VPN access - TOTP in the config

    Think about moving to SSLVPN you should have a license and its supported on more platforms than the Global VPN client.

    The Logs you are seeing will background noise, not a direct attempt to access .

  • CORRECT ANSWER
    xray_74xray_74 Newbie ✭
    Answer ✓

    Thank you for your reply, Mark!

    >HTTPS management is useful IF you want to manage the appliance over the VPN

    Thank you for explaining; I don't think I'll need that. when at some distance, I never want to tweak the appliance, in case I break something.

    >Ensure your trusted user is using MFA for VPN access - TOTP in the config

    NICE, thank you--I will be using that!!

    >Think about moving to SSLVPN you should have a license and its supported on more platforms than the Global VPN client.

    Hmmm, I do have a license for that but had only used it for access by my phone. maintaining just one VPN is also reducing the amount of work.

    >The Logs you are seeing will background noise, not a direct attempt to access .

    good to know!

    thank you so much; you've been a great help!

  • CORRECT ANSWER
    ArkwrightArkwright Community Legend ✭✭✭✭✭
    Answer ✓

    Yes, license is per session not per user, but either way, with a single person using it a single license would be sufficient.

Answers

  • MarkDMarkD Cybersecurity Overlord ✭✭✭

    Thanks Xray yes only 1 SSL license I'm afraid, but you could switch using the Netextender when working remotely

  • xray_74xray_74 Newbie ✭

    It's just me, so shouldn't 1 SSL license be sufficient?

Sign In or Register to comment.