Dear Valued Customer, We are upgrading our customer portal to enhance your experience. For Support, please send mail on support@seqrite.com Thank you for your patience and understanding. Best regards, Seqrite

Best practices for configuring Seqrite UTM

05-04-2022 23:36:42

OVERVIEW:  UTM is a crucial security tool for any organization. Misconfigurations in UTM can expose the network to major security threats and also impacts overall productivity. Here is a list of some best practices to secure customers network from any existing or potential threat.


APPLICABLE VERSIONS:  2.0 and above 

1) Principal of least privilege:

 It is recommended to only enable specific traffic explicitly to known services. Create firewall rule as specific as possible.

 Never create a firewall rule to allow “any” traffic for “any” source and “destination”.

 To ensure that undesired traffic does not leak through a security policy, place an explicit drop rule (any-any-any drop) at the bottom of each security zone.

This strategy provides good control over the traffic and minimizes the attack surface.

Note:- When we deploy UTM in a network by default all traffic is blocked through the firewall except HTTP and HTTPS. However, HTTP and HTTPS is also accessible only after providing authentication to the user.


2) Configure zone-based segmentation where needed.


 Seqrite UTM has a zone-based firewall which allows you to place different interfaces into different zones. It provides a buffer between different networks and helps to keep servers/systems in separate segments for enhanced security.

 Different zone do not communicate with each other by default. We can create firewall rules to allow specific communication wherever applicable.




3) Use appropriate names while creating firewall rules


 Do not use the names which are getting used in UTM by default such as LAN, WAN, DMZ, FIREWALL, VPN, LAN-VPN, etc.
 Configure custom names such as “LAN_1”, “Blocklist_2”, “AllowVPNforLAN4” etc.
 Do not use duplicate names while configuring firewall rules or any other policy. It may cause unexpected issues and malfunction.


4) Remote access over a public network

 Consider using VPN instead of port forwarding to provide remote access of an internal server. VPN is more secure than port forwarding because it creates a secure tunnel between the source and destination server.
 Allowing remote access of an internal system to “any” source is a big risk to network security.


Example of a bad port forwarding rule:

 If Port forwarding is necessary then do the below-mentioned configuration changes to ensure maximum security :

1
. Provide access to specific hosts only.
2. 
Change external port in the port forwarding rule.
3.
Change the RDP port of the internal server to something else (it can be done from the Windows registry editor)

Example of a good port forwarding rule:

 Refer to mentioned link to modify the default RDP port in Windows.

https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/change-listening-port



5) Don’t keep the SSH port open if not needed

 For remote troubleshooting purposes, we often use to open the ssh port of UTM (from WAN to UTM). Don’t forget to close the ssh port once you are done with remote troubleshooting.
 Again! try to create firewall rules as specific as possible.


6) UTM access from external/public network


Prefer HTTPS over the internet to access UTM. HTTP access can be used over the local network but over the internet it is not recommended. HTTPS is more secure than HTTP.

HTTP url example for UTM access: http://192.168.1.1:88         (It is less secure. Can be used to access UTM in a local network)

https url example for UTM access: https://192.168.1.1:543     (It is more secure. Recommended to access UTM from the public network )


7) URL Categorization policy

 Block malicious and dangerous categories in the URL categorization policy. Even if you don’t need to block websites in your network still it is good to block the most harmful website categories.

For example - Botnets, Compromised, Malware, Phishing and fraud, pornography, etc.


8) Authenticate valid hosts only


 Provide authentication to valid hosts only. For example - If your network is having 50 nodes including desktops, laptops, mobile devices, etc. which need to be connected to Internet. Provide authentication to 50 users only.

 Do not create users blindly with a complete network range.

9) Do not use the same network IP address on different interfaces.

For example - if 192.168.1.1/24 is configured on any of the interfaces then you should avoid configuring 192.168.1.x ip address on any other interface.

Having the same network Ip address on different interfaces may cause malfunctioning, Unexpected behavior or UTM can become accessible.


10) Prefer default DNS


By default google public DNS 8.8.8.8 is configured in DNS settings. If there is no specific requirement then do not add any other IP address under the DNS section. 8.8.8.8 works with almost all ISP’s.


11) Upgrade UTM to the latest firmware


Always upgrade UTM to the latest OS version whenever available. New features and security enhancements come with the new version and It keeps the device unaffected with old software bugs.

12) Configuration backup

Take backup after making any configuration changes in UTM. Download the backup and keep it safe.  It helps to roll back to the previous working state of UTM in case of UTM failure or any miss happening.

Refer below-mentioned kb article on the backup-restore process.

https://techsupport.seqrite.com/index.php?/selfhelp/view-article/configuration-backup-and-restore-process-in-seqrite-utm


13) Remove overlapping Firewall rules

Remove unused or overlapping firewall rules. Removing overlapping rules reduces the size of the rule set, making it easier to manage.

14)
Do not add any host or MAC ID in the bypass proxy option if not necessary.


15) Set complex and strong Administrator passwords for CLI and GUI login of UTM.