SonicWALL SMA - End Point Control (EPC); SSL and Encryption

To Next Page

To Previous Page

SonicWallSMAConnectTunnel12.0DeploymentPlanningGuide

AboutSonicWallSMAConnectTunnel

EndPointControl(EPC)

TraditionalVPNsolutionstypicallyprovideaccessonlyfromtherelativesafetyofanIT‐manageddevice.Inthat

environment,themajorsecurityconcernisunauthorizednetworkaccess.BecauseanSSLVPNenablesaccess

fromanyWeb‐enabledsystem,itmaybringtheadditionalriskofcomputersinuntrustedenvironments,suchas



akioskatanairportorhotel,oranemployee‐ownedcomputer.

Theappliance’sEPCconfigurationoptionsgiveyougranularcontroloverVPNaccessusingprofilesandzonesto

protectsensitivedataandensurethatyournetworkisnotcompromised:

• Adeviceprofileisasetofattributesthatcharacterize

thedevicerequestingtheconnection,suchasa

Windowsdomainname,thepresenceofacertainsoftwareprogram,aregistryentry,orotherunique

characteristics.

• AnapplicationaccesszoneisasetofattributesusedtoestablishatrustrelationshipwithaclientiOSor

Androiddevice.

• AnEndPointControl

zoneclassifiesaconnectionrequestbasedonthepresenceorabsenceofadevice

profile.Thezoneinwhichadeviceisthenplacedcontrolstheprovisioningofdataprotection

componentsandcanbeusedtodeterminewhichresourcesareavailable.Adevicecanbeplacedina

Standardzone,

aQuarantinezone(withinstructionsoninstallingtherequiredsecurityprograms),orina

Denyzone,wheretheuserisdeniedaccesstothenetwork.

SSLandEncryption

TheSonicWallSMAapplianceencryptsinformationusingtheSecureSocketsLayer(SSL)protocol.SSLprotocolis

anauthenticationandencryptionprotocolthatusesakeyexchangemethodtoestablishasecureenvironment

inwhichalldataexchangedisencryptedtoprotectitfromeavesdroppingandalteration.

TheapplianceusesSSLce rtificates

tovalidatetheappliance’sidentitytoconnectingusers,andtoprovidea

publickeytosecureinformationthattheclientcomputersendstotheserver.Theappliancerequiresa

minimumoftwoSSLcertificates:

• Theapplianceservicesuseacertificatetosecureusertraffic.

• TheApplianceManagementConsole(AMC)uses

acertificatetosecuremanagementtraffic.

Therearetwotypesofcertificates:self‐signedand commercial.Withaself‐signed SSLcertificate,theappliance

identifiesitselfwithacertificatethathasnotbeensignedbyacommercialCA,andtheassociatedprivatekey

dataisencryptedusingapassword.AMC uses

aself‐signedcertificate.

Aself‐signedcertificatecanalsobeawi ldcardcertificate,allowingittobeusedbymultipleserverswhichshare

thesameIPaddressandcertificate,buthavedifferentFQDNs.Forexample,awildcardcertificatesuchas

*.company.comcouldbeusedforiPhoneaccessatand

forVPNaccessatvpn.company.com.

YoucanalsoconfigureanauthenticationservertotrustanintermediateCA.Forexample,youcouldcreatea

rootcertificatesigningauthorityonasystemthatisnotconnectedtothecorporatenetwork.Youcanthenissue

asetoftrustedintermediatesigningauthoritycertificatesto

bedeployedinvarioussectorsofthenetwork

(oftenbydepartmentororganizationalunit).

Althoughaself‐signedSSLcertificateissecure,youmaywanttosecureusertr afficwithacertificatefroma

commercialcertificateauthority(CA)suchasVeriSign.

Whendecidingwhichtype ofcertificatetousefor

theservers,considerwhowi llbeconnectingtotheappliance

andhowtheywilluseresourcesonyournetwork:

• IfbusinesspartnersareconnectingtoWebresourcesthroughtheappliance,theywilllikelywantsome

assuranceofyouridentitybeforeperformingatransactionorprovidingconfidentialinformation.Inthis

case,you

wouldprobablywanttoobtainacertificatefromacommercialCAfortheappliance.

Main Page

SonicWALL SMA - End Point Control (EPC); SSL and Encryption

Table of Contents

Related product manuals