should my VPN setup be improved to make it more secure?
I'm very much a newbie with SonicWall (TZ270) but have been learning a lot about it since I installed it some months ago.
I run a small (1 person; me) business where I occasionally need remote access to my in-home office.
It looks like someone has been putting a lot of effort into accessing my "WAN Group VPN" since I've seen a lot of IKE syslog entries. Since it was receiving so much "attention", it seemed sensible to take extra steps to protect myself from this sort of attack from the Internet by attackers who do not have access to any of my laptops or VPN information.
- a long and diverse shared secret
- not really acceptable: I turn it off when I don't expect to need it.
With my limited knowledge, I'm unsure of the vulnerabilities I should be concerned about.
Here's my setup:
- IKE using preshared secret
I don't have any geographic features licensed on my TZ270. For myself, I would need access from anywhere in the world.
Are there some simple things I could/should do to harden my TZ270 against attacks of this sort?
Thank you!
Best Answers
MarkD Cybersecurity Overlord ✭✭✭
HTTPS management is useful IF you want to manage the appliance over the VPN. External IP to WAN management should be disabled or, at minimum, whitelisted from a fixed IP address via the WAN-WAN management rule, or, as above, secured via a VPN.
Your shared key is just that: shared between the client and the server (symmetrical encryption); it's never sent in the IKE negotiation.
Ensure your trusted user is using MFA for VPN access: TOTP in the config.
Think about moving to SSLVPN; you should have a license, and it's supported on more platforms than the Global VPN client.
The logs you are seeing will be background noise, not a direct attempt to access.
xray_74 Newbie ✭
Thank you for your reply, Mark!
>HTTPS management is useful IF you want to manage the appliance over the VPN
Thank you for explaining; I don't think I'll need that. When at some distance, I never want to tweak the appliance, in case I break something.
>Ensure your trusted user is using MFA for VPN access - TOTP in the config
NICE, thank you--I will be using that!!
>Think about moving to SSLVPN you should have a license and its supported on more platforms than the Global VPN client.
Hmmm, I do have a license for that but had only used it for access by my phone. Maintaining just one VPN is also reducing the amount of work.
>The Logs you are seeing will background noise, not a direct attempt to access .
good to know!
thank you so much; you've been a great help!
Arkwright Community Legend ✭✭✭✭✭
Yes, license is per session not per user, but either way, with a single person using it a single license would be sufficient.
Answers
It's just me, so shouldn't 1 SSL license be sufficient?
Thanks Xray, yes, only 1 SSL license I'm afraid, but you could switch to using NetExtender when working remotely.