Effective firewall configuration against ransomware

Munich, source: SonicWall | Author: Herbert Wieler

Tech Base SonicWall: Step-by-Step Guide to Defense against Ransomware

This article describes a step-by-step procedure for configuring a firewall effectively against ransomware. It also covers newer network-borne techniques such as polymorphic front-ends and zero-day worm propagation.

The following instructions describe how to configure SonicWall Network Security Appliances (firewalls) to prevent ransomware infections.

Note that many of the steps in this best-practice guide also reflect general IT security best practices for preventing this class of attack.

The instructions apply to SonicWall Generation 6 appliances from the TZ SOHO W up to the SuperMassive 9800 running firmware and higher. SonicWall Capture Advanced Threat Protection is available from the TZ 300 upwards.


1. Security Services Subscription

For all SonicWall appliances it is recommended to use the Advanced Gateway Security Suite (AGSS) with active subscriptions for Gateway Anti-Virus, Intrusion Prevention, Anti-Spyware, Content Filtering, Botnet Filter, Geo-IP Filter and Application Firewall, as well as DPI-SSL, DPI-SSH and Capture. Without these subscriptions neither signature updates nor the configuration steps below are possible.

2. Activate Gateway Anti-Virus

  • Make sure GAV is updated with the latest signatures
  • Activate GAV
  • Activate Cloud GAV
  • Enable inspection for inbound and outbound for all HTTP, FTP, IMAP, SMTP, POP3, CIFS / NetBIOS and TCP stream

In the protocol settings, make sure the following restrictions are enabled:

  • Restrict the transfer of password-protected ZIP files
  • Restrict the transfer of MS Office files with macros (VBA 5 and higher)
  • Restrict the transfer of packed executable files (UPX, FSG, etc.)
  • Click Configure Gateway AV Settings
  • Check the option to block files with multiple levels of Zip / Gzip compression
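To make the four file restrictions from step 2 concrete, here is an added example (not SonicWall code and not part of the original article) that applies the same checks to files at the byte level: the encrypted flag in ZIP headers, the vbaProject.bin part of macro-enabled Office documents, archives nested inside archives, and packer section names in PE executables. The sample files are constructed inline and contain no real malware; packer detection is limited to UPX section names, which is an assumption for the example (FSG and other packers need their own markers).

```python
"""Byte-level versions of the Gateway AV file restrictions from step 2 (added example)."""
import gzip
import io
import struct
import zipfile

ZIP_LOCAL_SIG = b"PK\x03\x04"      # local file header
ZIP_CENTRAL_SIG = b"PK\x01\x02"    # central directory header
GZIP_MAGIC = b"\x1f\x8b"
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}  # assumption: UPX only
MAX_NESTING = 4                    # stop descending into archives here (zip-bomb guard)


def zip_is_password_protected(data: bytes) -> bool:
    """Bit 0 of the general-purpose flag marks an encrypted (password-protected) entry."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return any(info.flag_bits & 0x1 for info in zf.infolist())


def zip_has_vba_macros(data: bytes) -> bool:
    """OOXML documents (.docm/.xlsm/.pptm) carry their VBA in a vbaProject.bin part."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())


def compression_depth(data: bytes, depth: int = 0) -> int:
    """Number of zip/gzip layers wrapped around the innermost payload."""
    if depth >= MAX_NESTING:
        return depth
    if data[:4] == ZIP_LOCAL_SIG:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            inner = [compression_depth(zf.read(info), depth + 1)
                     for info in zf.infolist() if not info.flag_bits & 0x1]  # skip encrypted members
        return max(inner, default=depth + 1)
    if data[:2] == GZIP_MAGIC:
        return compression_depth(gzip.decompress(data), depth + 1)
    return depth


def pe_section_names(data: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if data[:2] != b"MZ" or len(data) < 0x40:
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_header_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_header_size
    return [data[table + 40 * i: table + 40 * i + 8].rstrip(b"\0").decode("ascii", "replace")
            for i in range(num_sections)]


def pe_is_packed(data: bytes) -> bool:
    return bool(PACKER_SECTION_NAMES & set(pe_section_names(data)))


def classify(blob: bytes) -> list:
    """Return the reasons the step 2 settings would block this file (empty list = pass)."""
    reasons = []
    if blob[:4] == ZIP_LOCAL_SIG:
        if zip_is_password_protected(blob):
            reasons.append("password-protected zip")
        if zip_has_vba_macros(blob):
            reasons.append("office document with VBA macros")
    if blob[:4] == ZIP_LOCAL_SIG or blob[:2] == GZIP_MAGIC:
        if compression_depth(blob) >= 2:
            reasons.append("multiple levels of zip/gzip compression")
    if blob[:2] == b"MZ" and pe_is_packed(blob):
        reasons.append("packed executable")
    return reasons


# --- constructed sample files (no real malware) -----------------------------
def make_zip(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def mark_encrypted(zip_bytes: bytes) -> bytes:
    """Set the 'encrypted' flag in every local and central header; the data itself is left as-is."""
    out = bytearray(zip_bytes)
    for sig, flag_offset in ((ZIP_LOCAL_SIG, 6), (ZIP_CENTRAL_SIG, 8)):
        pos = out.find(sig)
        while pos != -1:
            out[pos + flag_offset] |= 0x1
            pos = out.find(sig, pos + 4)
    return bytes(out)


def make_fake_pe(section_names: list) -> bytes:
    """Minimal MZ/PE skeleton: DOS stub, COFF header with empty optional header, section table."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x102)
    sections = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + coff + sections


SAMPLES = {
    "locked.zip": mark_encrypted(make_zip({"invoice.pdf": b"%PDF-1.4 fake"})),
    "report.docm": make_zip({"[Content_Types].xml": b"<Types/>", "word/vbaProject.bin": b"\xd0\xcf\x11\xe0" + b"\0" * 12}),
    "nested.zip": make_zip({"inner.zip": make_zip({"setup.exe": make_fake_pe([".text"])})}),
    "archive.zip.gz": gzip.compress(make_zip({"readme.txt": b"hello"})),
    "packed.exe": make_fake_pe(["UPX0", "UPX1", ".rsrc"]),
    "clean.exe": make_fake_pe([".text", ".data", ".rsrc"]),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:16} -> {classify(blob) or ['pass']}")
```

Running the script prints one line per sample: the locked archive, the macro document, both nested archives and the UPX-style executable are flagged, the plain executable passes. Note that the nesting check deliberately skips encrypted members, which is exactly why the password-protected ZIP restriction has to exist as a separate rule: the gateway cannot look inside them.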

3. Activate intrusion prevention

Many current ransomware campaigns rely on Trojan and worm components to get in and to spread. Intrusion prevention is an essential part of stopping these attacks on the network.

  • Make sure the SonicWall has the latest signature updates from SonicWall Capture Labs.
  • Activate the IPS service
  • Set Prevent for (at least) high- and medium-priority threats; depending on the compliance requirements for the network you may also have to enable prevention for low-priority threats.

Enable intrusion detection as well if you need the log data of intrusion attempts as additional information. On SonicWall the Detect setting is what generates the intrusion log events; if it is not enabled, no log data is written.

4. Activate the Geo-IP filter

Geo-IP Filter is able to control traffic to and from different countries and is a core part of the CGSS / AGSS security subscription.

  • Activate Geo-IP filter
    • It can be applied to "All Connections" or "Firewall Rule Based".
    • "All Connections" covers all traffic, although the default rules exclude the firewall's own subnets.
    • "Firewall Rule Based" requires the service to be enabled on individual rules under Firewall Access Rules. When this method is used, all WAN->WAN, WAN->LAN and LAN->WAN rules should have it enabled.
  • Make sure "Anonymous Proxy / Private IP" is selected in the country list
  • Make sure "Block all UNKNOWN subnets" is also checked. These unallocated or unroutable ranges are often referred to as bogon subnets.

5. Activate botnet filter

The botnet filter blocks traffic to and from known malicious hosts that belong to botnets.

  • Activate botnet filter
    • It can be applied to "All Connections" or "Firewall Rule Based".
    • "All Connections" covers all traffic, although the default rules exclude the firewall's own subnets.
    • "Firewall Rule Based" requires the service to be enabled on individual rules under Firewall Access Rules. When this method is used, all WAN->WAN, WAN->LAN and LAN->WAN rules should have it enabled.

6. Enable DPI SSL Client Inspection

The firewall's DPI-SSL feature allows encrypted communications to be inspected across multiple protocols and applications. DPI-SSL lets the firewall act as a proxy that decrypts and scans encrypted traffic such as webmail, social media and other HTTPS connections. Because the firewall re-signs the server certificates it presents to clients, its DPI-SSL CA certificate must be distributed to and trusted by the clients, otherwise browsers will raise certificate warnings. The DPI-SSL settings specific to these best practices are relatively straightforward; for questions about setting up and deploying DPI-SSL, refer to the SonicWall Knowledge Base.

  • Enable SonicWall DPI-SSL on the firewall
  • Make sure that the services are activated for all sub-functions:
    • Intrusion prevention
    • Gateway Anti-Virus
    • Gateway anti-spyware
    • Application firewall
    • Content filter

7. Configuration of the Content Filtering Service

The settings described here apply to firmware versions that use CFS v4.0. To prevent ransomware, it is recommended to block access to the categories Malware, Hacking / Proxy Avoidance and Not Rated.

Please note that blocking the "Not Rated" category can be administration-intensive, as not all websites can be rated.

Make sure the default and all custom user group policies are set to block Malware, Hacking / Proxy Avoidance and Not Rated.

8. Activate application firewall rules

Newer malware generations commonly hide their communication inside ordinary applications and protocols. To stop ransomware from bypassing the controls enforced at the gateway, it is advisable to create application firewall rules that restrict DNS, SSH and proxy access applications.

  • Although DNS normally uses TCP/UDP port 53, the DNS protocol can also be carried on non-standard ports. Malware abuses DNS, for example through cache poisoning or by redirecting traffic to illegitimate sites. It is therefore recommended not only to write access rules that specify the "trusted" DNS hosts, but also to create an address object and an application rule that restricts the DNS protocol itself, on any port, to those trusted DNS hosts.
  • SonicWall's DNS proxy configuration can be used as an alternative for this control; it still requires application and access rules that restrict DNS to trusted sources only.
  • The next application rule restricts SSH connections to trusted and trained users, and only from trusted sources or only to trusted destinations.
  • Create this control as an application firewall rule rather than a port-based access rule, because SSH may be run on a port other than the standard TCP 22.

The final application firewall policy to create blocks all applications in the Proxy Access category.

Warning: blocking this whole category can also block legitimate applications or stop them working properly. Check these rules carefully and create exceptions, specifying source and destination, for the applications that need them.
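The reason steps 4 and 8 insist on application rules rather than port-based access rules is that DNS and SSH are recognisable by their wire format on any port. The following added example (not SonicWall code and not part of the original article) shows what such protocol-aware rules decide: it identifies DNS queries by parsing the header and question section, identifies SSH by its version banner, drops WAN traffic from bogon (non-routable) sources as in step 4, and then allows DNS only to a trusted resolver and SSH only from an admin subnet. The addresses, the trusted resolver, the admin subnet and the flow records are all constructed assumptions for the example.

```python
"""Protocol-aware DNS/SSH restriction and bogon check, in the spirit of steps 4 and 8 (added example)."""
import ipaddress
import struct

TRUSTED_DNS_SERVERS = {"10.0.0.53"}                    # assumed internal resolver
ADMIN_SUBNET = ipaddress.ip_network("10.0.0.240/28")   # assumed source of legitimate SSH


def looks_like_dns_query(payload: bytes) -> bool:
    """Parse the 12-byte DNS header plus one QNAME/QTYPE/QCLASS question, independent of port."""
    if len(payload) < 17:                      # header + root name + qtype + qclass
        return False
    _id, flags, qdcount, ancount, nscount, _ar = struct.unpack_from(">HHHHHH", payload, 0)
    if flags & 0x8000:                         # QR=1 is a response, not a query
        return False
    if (flags >> 11) & 0xF > 2:                # opcode must be QUERY, IQUERY or STATUS
        return False
    if qdcount != 1 or ancount or nscount:
        return False
    pos = 12
    while True:                                # QNAME: <len><label>... terminated by a 0 byte
        if pos >= len(payload):
            return False
        label_len = payload[pos]
        if label_len == 0:
            pos += 1
            break
        if label_len > 63:                     # compression pointers do not occur in a plain question
            return False
        pos += 1 + label_len
    return len(payload) - pos == 4             # exactly QTYPE + QCLASS remain


def looks_like_ssh(payload: bytes) -> bool:
    """SSH opens with a plaintext version banner regardless of the TCP port in use."""
    return payload.startswith((b"SSH-2.0-", b"SSH-1.99-"))


def is_bogon(ip: str) -> bool:
    """Private, reserved, loopback, link-local, documentation and shared address space are not routable."""
    return not ipaddress.ip_address(ip).is_global


def evaluate(flow: dict) -> tuple:
    """Return (action, reason) for one flow; the rule order mirrors steps 4 and 8 of the article."""
    src, dst, payload = flow["src"], flow["dst"], flow["payload"]
    if flow["zone_in"] == "WAN" and is_bogon(src):
        return ("block", "bogon source on WAN")
    if looks_like_dns_query(payload) and dst not in TRUSTED_DNS_SERVERS:
        return ("block", f"DNS to untrusted resolver {dst}:{flow['dport']}")
    if looks_like_ssh(payload) and ipaddress.ip_address(src) not in ADMIN_SUBNET:
        return ("block", f"SSH from non-admin source {src} to {dst}:{flow['dport']}")
    return ("allow", "")


# --- constructed traffic samples -------------------------------------------
def build_dns_query(name: str) -> bytes:
    header = struct.pack(">HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)     # RD=1, one question
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\0"
    return header + qname + struct.pack(">HH", 1, 1)                 # QTYPE=A, QCLASS=IN


SSH_BANNER = b"SSH-2.0-OpenSSH_8.9\r\n"
TLS_HELLO_PREFIX = b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03"

FLOWS = [
    {"zone_in": "LAN", "src": "10.0.0.7", "dst": "10.0.0.53", "dport": 53, "payload": build_dns_query("update.example.net")},
    {"zone_in": "LAN", "src": "10.0.0.7", "dst": "203.0.113.9", "dport": 5353, "payload": build_dns_query("c2.example.net")},
    {"zone_in": "LAN", "src": "10.0.0.7", "dst": "198.51.100.4", "dport": 443, "payload": SSH_BANNER},
    {"zone_in": "LAN", "src": "10.0.0.250", "dst": "198.51.100.4", "dport": 2222, "payload": SSH_BANNER},
    {"zone_in": "LAN", "src": "10.0.0.7", "dst": "198.51.100.4", "dport": 443, "payload": TLS_HELLO_PREFIX},
    {"zone_in": "WAN", "src": "192.168.77.1", "dst": "203.0.113.10", "dport": 80, "payload": b"GET / HTTP/1.1\r\n\r\n"},
]

if __name__ == "__main__":
    for flow in FLOWS:
        action, reason = evaluate(flow)
        print(f"{flow['zone_in']} {flow['src']} -> {flow['dst']}:{flow['dport']}  {action}  {reason}")
```

The second and third flows are the ones a port-based rule would miss: a DNS query sent to an outside resolver on UDP 5353, and an SSH session to TCP 443 from a workstation. Only the protocol shape, not the port, gives them away, which is the case for doing this in the application firewall.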

9. Activate capture

SonicWall Capture should be activated because malware tactics change constantly; Capture submits unknown files for analysis before they are delivered. The AGSS (Advanced Gateway Security Suite) license is required for this.

  • Activate Capture and make sure that Gateway Anti-Virus is enabled for all services
  • Make sure all file types are selected for inspection

It is recommended to run Capture with "Block until verdict". This prevents unknown files from passing through the system before their analysis is complete.

Here are a few additional recommendations for action to prevent ransomware exploits:

  • Installation of end-point anti-virus software with the latest signatures
  • Update of host operating systems, browsers and browser plugins with the latest security patches.
  • Performing regular offline (cold) system backups
  • Training of users regarding the potential dangers of opening unknown files from unknown sources, etc.

written by HW