SONICWALL SECURE MOBILE ACCESS (SMA)


Secure anywhere, anytime access to corporate resources across multi-cloud environments based on user and device identity, location and trust.

SonicWall SMA is a unified secure access gateway that enables organizations to provide anytime, anywhere and any-device access to mission-critical corporate resources. SMA's granular access control policy engine, context-aware device authorization, application-level VPN and advanced authentication with single sign-on empower organizations to embrace BYOD and mobility in a multi-cloud environment.

Mobility and BYOD

For organizations wishing to embrace BYOD, flexible working or third-party access, SMA becomes the critical enforcement point across them all. SMA delivers best-in-class security to minimize surface threats, while making organizations more secure by supporting the latest encryption algorithms and ciphers. SonicWall's SMA allows administrators to provision secure mobile access and identity-based privileges so end users get fast, simple access to the business applications, data and resources they require. At the same time, organizations can institute secure BYOD policies to protect their corporate networks and data from rogue access and malware.

Move to the cloud

For organizations embarking on a cloud migration journey, SMA offers a single sign-on (SSO) infrastructure that uses a single web portal to authenticate users in a hybrid IT environment. Whether the corporate resource is on-premise, on the web or in a hosted cloud, the access experience is consistent and seamless. SMA also integrates with industry-leading multi-factor authentication technologies for added security.

Managed service providers

For organizations hosting their own infrastructure or for managed service providers, SMA provides a turnkey solution to deliver a high degree of business continuity and scalability. SMA can support up to 20,000 concurrent connections on a single appliance, with the ability to scale upwards of hundreds of thousands of users through intelligent clustering. Data centers can reduce costs with active-active clustering and a built-in dynamic load balancer, which reallocates global traffic to the most optimized data center in real time based on user demand. SMA tool sets enable service providers to deliver services with zero downtime, allowing them to fulfill very aggressive SLAs.

SMA empowers IT departments to provide the best experience and the most secure access depending on the user scenario. Available as hardened physical appliances or powerful virtual appliances, SMA fits seamlessly into existing on-prem and/or cloud infrastructure. Organizations can choose from a range of fully clientless web-based secure access for third parties or employees on personally owned devices, or a more traditional client-based full-tunnel VPN access for executives across all device types. Whether organizations need to provide reliable secure access to five users from a single location, or scale up to thousands of users across globally distributed networks, SonicWall SMA has a solution.

SonicWall SMA enables organizations to embrace mobility and BYOD without fear, and move to the cloud with ease. SMA empowers workforces and provides them with a consistent access experience.

Benefits:

- Unified access to all network and cloud resources for "any time, any device, any application" secure access
- Control who has access to what resources by defining granular policies with the robust access control engine
- Increase productivity by delivering federated single sign-on to any SaaS or locally hosted application with a single URL
- Lower TCO and reduce complexity of access management by consolidating infrastructure components in a hybrid IT environment
- Gain visibility into every connecting device and grant access based on policies and the health of the endpoint
- Prevent malware breaches by scanning all files uploaded into your network with the Capture ATP sandbox
- Protect against web-based attacks and provide PCI compliance with the Web Application Firewall add-on
- Stop DDoS and zombie attacks with Geo-IP detection and Botnet protection
- Get secure, native agent functionality using web browser-based clientless HTML5 access without the overhead of installing and maintaining agents on the endpoint devices
- Gain the actionable insights you need to make the right decisions with real-time monitoring and comprehensive reporting
- Deploy as a physical appliance or a virtual appliance in private clouds on ESXi or Hyper-V, or in AWS or Microsoft Azure public cloud environments
- Enable dynamic issuance of access licenses based on real-time demand, with automated endpoint direction to the highest performing and lowest latency connection
- Reduce upfront costs with built-in load balancing without additional hardware or services, while providing zero user impact on appliance failover
- Insure against business disruptions or seasonal spikes by scaling capacity instantly

SMA Deployment

A hardened edge gateway for anytime, anywhere, any device secure access

SMA provides comprehensive end-to-end secure remote access to corporate resources hosted across on-prem, cloud and hybrid data centers. It applies identity-based, policy-enforced access controls, context-aware device authentication, and application-level VPN to grant access to data, resources and applications after establishing user and device identity, location and trust. It is flexibly deployed as a hardened Linux appliance or virtual appliance in private clouds on ESXi or Hyper-V, or in AWS or Microsoft Azure public cloud environments.

[Deployment diagram. Anywhere remote users and remote/internal users (full client with EPC, or clientless HTTPS access) reach the SMA Global Access Layer (Global HA SMA, active/active, with a standby/DR instance in a private cloud) over a zero-trust secure access VPN tunnel to on-prem corporate resources, company cloud resources and SaaS (Google Drive, OneDrive, SMA Workplace). Numbered steps: (1) establish user and device identity and trust through authentication and configuration with IdP/MFA/SSO; (2) Central Management Server (CMS): single pane of glass management of the SMA 1000 Series, pooled user license allocation, Global Traffic Optimizer (GTO), global HA and DR, alerts and user activity reports, automated tasks and maintenance schedules; (3) configure full or permissible access; (4) grant secure VPN access via SSO and MFA, for anywhere, anytime secured access after establishing user and device identity and trust.]

SMA Cloud / On-prem Deployment

Flexible deployment with physical and virtual appliances

SonicWall SMA can be deployed as a hardened, high-performance appliance or as a virtual appliance leveraging shared computing resources to optimize utilization, ease migration and reduce capital costs. The hardware appliances are built on a multi-core architecture that offers high performance with SSL acceleration, VPN throughput and powerful proxies to deliver robust secure access. For regulated and federal organizations, SMA is also available with FIPS 140-2 Level 2 certification. The SMA virtual appliances offer the same robust secure access capabilities on major virtual or cloud platforms including Microsoft Hyper-V, VMware ESX, and AWS.

Shared user licenses across the appliances

Organizations with appliances that are globally distributed can benefit from the fluctuating demands for user licenses due to time differences. Whether an organization deploys full VPN licenses or basic ActiveSync licenses, SMA's central management reallocates licenses to managed appliances where user demand has peaked, taking them from appliances in a different geographic area where usage has fallen due to off-work/night hours.

Network visibility with context-aware device profiling

Best-in-class, context-aware authentication grants access only to trusted devices and authorized users. Laptops and PCs are also interrogated for the presence or absence of security software, client certificates, and device ID. Mobile devices are interrogated for essential security information such as jailbreak or root status, device ID, certificate status and OS versions prior to granting access. Devices that do not meet policy requirements are not allowed network access and the user is notified of non-compliance.

Consistent experience from a single web portal

Users do not need to remember all the individual application URLs and maintain exhaustive bookmarks. SMA provides a centralized access portal, giving users one URL to access all mission-critical applications from a standard web browser. After the user logs on through a browser, a customizable web user portal is displayed in the browser window, providing a single-pane-of-glass view to access any SaaS or local application. The portal only displays links and personalized bookmarks relevant to the particular endpoint device, user or group. The portal is platform agnostic and supports all major device platforms including Windows, Mac OS, Linux, iOS and Android devices, with broad browser support across all these devices.

Federated single sign-on to both SaaS and local applications

Eliminate the need for multiple passwords, and stop bad security practices such as password reuse. SMA provides federated SSO to both cloud-hosted SaaS applications and campus-hosted applications. SMA integrates with multiple authentication, authorization, and accounting servers and leading multi-factor authentication technologies for added security. Secure SSO is delivered only to authorized endpoint devices after SMA checks endpoint health status and compliance. The access policy engine ensures that users can see only the authorized applications and grants access after successful authentication. The solution supports federated SSO even when using VPN clients, providing customers a seamless authentication experience whether using client-based or clientless secure access.

Prevent breaches and advanced threats

SonicWall SMA adds a layer of access security to improve your security posture and reduce the surface area for threats.

- SMA integrates with the SonicWall Capture ATP cloud-based multi-engine sandbox to scan all files uploaded by users with unmanaged endpoints, or by those outside the corporate network. This ensures users have the same level of protection from advanced threats, such as ransomware or zero-day malware, when they are on the road as they have in the office.¹
- SonicWall Web Application Firewall service offers businesses an affordable, well-integrated solution to secure internal web-based applications. This allows customers to ensure the confidentiality of data, and that internal web services remain uncompromised should there be malicious or rogue authenticated user access.
- Geo-IP & Botnet detection protects organizations from DDoS and zombie attacks, and from compromised endpoints functioning as botnets.

Seamless and secure browser-based clientless access

The "clientless" nature of the SonicWall SMA means that there is no need for the administrator to install a fat client component manually on a computer that will be used for remote access. This removes any dependency on Java and overhead for IT, thereby greatly expanding the concept of remote access. It means that since there is no pre-installation or pre-configuration required, an authorized remote worker can sit down at any computer, anywhere in the world, and securely access their corporate resources. In its purest form, secure access is strictly browser-based using HTML5, providing a seamless and unified experience for the users.

Deliver an "Always On" experience

For a seamless user experience, SMA delivers Always On VPN for managed Windows devices. Administrators can configure settings to automatically establish a VPN connection any time an authorized endpoint client detects a public or untrusted network. A single login event to the Windows device provides the user with a secure connection to corporate resources. Users do not have to log in to their VPN clients or maintain additional passwords. This provides a seamless experience for mobile users to access mission-critical resources just as if they were in the office, and empowers IT admins to maintain control over managed devices, improving the security posture of the organization.

Intuitive management and comprehensive reporting

SonicWall provides an intuitive web-based management platform, Central Management Server (CMS), to streamline appliance management while providing extensive reporting capabilities. The easy-to-use GUI brings clarity to managing individual or multiple appliances and policies. Each page shows how settings are configured across all machines under management. Unified policy management helps you create and monitor access policies and configurations. A single policy can control access from your users, devices and applications to data, servers and networks. IT can automate routine tasks and schedule activities, freeing security teams from repetitive tasks to focus on strategic security tasks like incident response. IT gains insights into user access trends and system-wide health through easy-to-use reporting and centralized logging.

Provide 24x7 service availability

Organizations have requirements to maintain their services and keep them up and running with a high degree of reliability to provide secure access to mission-critical applications at all times. SMA appliances support traditional active-passive High Availability (HA) for organizations with single data centers, or global HA with active-active or active-standby clustering for local or distributed data centers. Both HA models deliver a frictionless experience to users with zero-impact failover and session persistence.

Deploy the VPN client that suits your needs

Choose from a broad range of VPN clients to deliver policy-enforced secure remote access for various endpoints including laptops, smartphones and tablets.

Mobile Connect
  Supported OS: iOS, OS X, Android, Chrome OS, Windows 10
  Supported SMA model: All models
  Key highlight: Deliver biometric authentication, per-app VPN and endpoint control enforcement

Connect Tunnel (Thin Client)
  Supported OS: Windows, Mac OS and Linux
  Supported SMA model: 6200, 6210, 7200, 7210, 8200v, 9000
  Key highlight: Provide a complete "in-office" experience with robust endpoint control

NetExtender (Thin Client)
  Supported OS: Windows and Linux
  Supported SMA model: 210, 410, 500v
  Key highlight: Enforce granular access policies and extend network access through native clients

Reduce upfront costs with built-in load balancer

The load balancing functionality built into the SMA appliance achieves the level of scalability expected for medium-sized business and enterprise deployments. Select models of SMA appliance offer dynamic load balancing to intelligently assign session loads and allocate user licenses in real time based on demand. Organizations do not need to invest in external load balancers, thus reducing upfront costs.

Get insurance against unforeseen events

A complete business continuity and DR solution must be able to handle a significant spike in remote access traffic, while still maintaining security and cost controls. SonicWall Spike license packs for the SMA are add-on licenses that enable distributed businesses to scale user count and reach maximum capacity instantly, enabling seamless business continuity. Spike licenses work like an insurance policy toward any future planned or unplanned spikes from current user counts to tens or even hundreds of additional users.

Features

Advanced authentication

Federated single sign-on²
SMA uses SAML 2.0 authentication to enable federated SSO via a single portal to both on-premises and cloud resources, while enforcing stacked multifactor authentication for added security.

Multifactor authentication
- X.509 digital certificates
- Server-side and client-side digital certificates
- RSA SecurID, Dell Defender, Google Authenticator, Duo Security and other one-time password/two-factor authentication tokens
- Common Access Card (CAC)
- Dual or stacked authentication
- Captcha support, username/password

SAML authentication
SMA can be configured as a SAML Identity Provider (IdP) or SAML Service Provider (SP), or can proxy an existing on-prem IdP, to enable federated single sign-on (SSO) using SAML 2.0 authentication.

Authentication repositories
SMA provides simple integrations with industry-standard repositories for easy management of user accounts and passwords.
- User groups can be populated dynamically based on RADIUS, LDAP or Active Directory authentication repositories, including nested groups.
- Common or custom LDAP attributes can be interrogated for specific authorization or device registration verification.

Layer 3-7 application proxy
SMA provides flexible proxy options; for example, vendor access can be provided through direct proxy, contractor access through reverse proxy and employee access to Exchange through ActiveSync.

Reverse proxy
The enhanced reverse proxy service with authentication allows administrators to configure application offloading portals and bookmarks, allowing users to connect seamlessly to remote applications and resources including RDP and HTTP. This feature supports all browsers including IE, Chrome and Firefox.

Kerberos constrained delegation
SMA provides authentication support using an existing Kerberos infrastructure, which does not need to trust front-end services to delegate a service.

Access management

Access Control Engine (ACE)
Administrators grant or deny access based on organizational policies and set remediation actions when quarantining sessions. ACE object-based policy utilizes elements of network, resource, identity, device, application, data and time.

End Point Control (EPC)
EPC allows the administrator to enforce granular access control rules based on the health status of the connecting device. With deep OS integration, many elements are combined for type classification and risk factor assessment. EPC interrogation simplifies device profile setup using a comprehensive, predefined list of anti-virus, personal firewall and anti-spyware solutions for Windows, Mac and Linux platforms, including version and applicability of the signature file update.

App Access Control (AAC)
Administrators can define which specific mobile applications are allowed to access which resources on the network through individual app tunnels. AAC policies are enforced both at the client and the server, providing robust perimeter protection.

Superior security

Layer 3 SSL VPN
The SMA series delivers high-performance layer-3 tunneling capabilities to a wide variety of client devices running in any environment.

Cryptography support
- Configurable session length
- Ciphers: AES 128/256-bit, Triple DES, RC4 128-bit
- Hashes: SHA-256
- Elliptic Curve Digital Signature Algorithm (ECDSA)

Advanced ciphers support
SMA appliances provide a strong security stance out of the box for compliance, with default configuration ciphers, and administrators can further refine for performance, security strength, or compatibility.

Security certifications
Certified for FIPS 140-2 Level 2 and ICSA SSL-TLS; in progress for Common Criteria and UC-APL.

Secure file share
Stop unknown, zero-day attacks such as ransomware at the gateway with automated remediation. Files uploaded using unmanaged endpoints with secure access to corporate networks are inspected by our cloud-based multi-engine Capture ATP.

Web Application Firewall (WAF)
Prevent protocol and web-based attacks, helping financial, healthcare, e-commerce and other businesses attain OWASP Top 10 and PCI compliance.

Geo-IP detection and botnet protection
Geo-IP Detection and Botnet Protection provides customers with a mechanism to allow or restrict user access from various geographical locations.

TLS 1.3 support
Provides both security and performance improvements while reducing complexity compared with its predecessors.
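To make the ACE/EPC description above concrete, here is an added illustration (not SonicWall code, and not the appliance's policy format) of an object-based access policy that combines resource, identity, network and time objects with device-posture results to return allow, quarantine or deny plus the remediation text shown on quarantine. The rule shapes, field names, CIDRs and sample posture values are all constructed for this example.

```python
# Added illustration (not SonicWall code): an object-based access policy in the
# style of SMA's ACE, using EPC-style device posture to decide allow / quarantine
# / deny plus the remediation shown on quarantine. Rule shapes, field names and
# sample values are constructed for this example, not the appliance's format.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class Session:
    user: str
    groups: set          # identity objects resolved from AD/LDAP/RADIUS
    source_ip: str       # network object
    resource: str        # resource object being requested
    hour: int            # local hour of the request (0-23)
    posture: dict = field(default_factory=dict)  # EPC interrogation results

@dataclass
class Rule:
    name: str
    resources: set
    groups: set
    networks: tuple = ()  # CIDR strings; empty means any network
    hours: tuple = None   # (start_hour, end_hour) inclusive; None means any time
    posture: dict = field(default_factory=dict)  # required EPC elements
    action: str = "allow"  # allow | deny
    remediation: str = ""  # user-facing text when the session is quarantined

def matches(rule: Rule, s: Session) -> bool:
    """Resource, identity, network and time objects must all match."""
    if s.resource not in rule.resources or not (s.groups & rule.groups):
        return False
    if rule.networks and not any(ip_address(s.source_ip) in ip_network(c)
                                 for c in rule.networks):
        return False
    return rule.hours is None or rule.hours[0] <= s.hour <= rule.hours[1]

RULES = [
    Rule("finance-erp", {"erp"}, {"finance"}, networks=("10.0.0.0/8",),
         hours=(7, 19), posture={"av_running": True, "disk_encrypted": True},
         remediation="Start the endpoint AV and enable disk encryption, then retry."),
    Rule("contractor-rdp", {"rdp-jump"}, {"contractors"},
         posture={"jailbroken": False},
         remediation="Rooted or jailbroken devices may not reach the jump host."),
    Rule("erp-off-net-or-off-hours", {"erp"}, {"finance"}, action="deny"),
]

def evaluate(s: Session, rules=RULES):
    """First matching rule wins; an allow rule whose posture check fails
    quarantines the session with its remediation text. Default is deny."""
    for r in rules:
        if not matches(r, s):
            continue
        # A missing posture element counts as a failure (fail closed).
        if r.action == "allow" and any(s.posture.get(k) != v
                                       for k, v in r.posture.items()):
            return ("quarantine", r.name, r.remediation)
        return (r.action, r.name, "")
    return ("deny", "default", "")
```

Rule order matters: the explicit deny rule sits after the allow rule so that an off-network or off-hours request for the same resource is refused rather than falling through to an unrelated rule.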

Intuitive user experience

Always On VPN
Automatically establish a secure connection to the corporate network from company-issued Windows devices to improve security, gain traffic visibility and remain in compliance.

Secure Network Detection (SND)
SMA's network-aware VPN client detects when the device is off campus and auto-reconnects the VPN, bringing it down again when the device returns to a trusted network.

Clientless access to resources
SMA provides secure clientless access to resources via HTML5 browser agents delivering RDP, ICA, VNC, SSH and Telnet proto
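The Always On VPN and Secure Network Detection entries above describe a client that brings the tunnel up on untrusted networks and down on trusted ones. The following added illustration (not SonicWall code) shows the decision logic such a client needs, with one defender-side detail a practitioner should insist on: a network is trusted only when its DNS suffix is on the allow-list and an authenticated probe of an internal endpoint succeeds, so a matching suffix alone never brings the tunnel down. The suffix, event shape and probe are assumptions constructed for this example.

```python
# Added illustration (not SonicWall code): decision logic for a network-aware
# VPN client in the style of SMA's Secure Network Detection / Always On VPN.
# Trusted = allow-listed DNS suffix AND an authenticated internal probe succeeds.
# Suffixes, the event shape and the probe are constructed for this example.
from dataclasses import dataclass

TRUSTED_SUFFIXES = {"corp.example.test"}  # assumed internal DNS suffixes

@dataclass
class NetworkEvent:
    connected: bool
    dns_suffix: str = ""  # suffix handed out by the current network

class SndClient:
    def __init__(self, probe):
        # probe(): True only if an internal HTTPS endpoint answered and its
        # certificate validated against the corporate CA. A hostile network
        # can hand out any DNS suffix it likes; it cannot pass this probe.
        self.probe = probe
        self.tunnel_up = False
        self.history = []  # (reason, tunnel_up) per event, for diagnostics

    def is_trusted(self, ev: NetworkEvent) -> bool:
        if not ev.connected or ev.dns_suffix not in TRUSTED_SUFFIXES:
            return False
        return self.probe()  # second factor: never trust the suffix alone

    def on_network_change(self, ev: NetworkEvent) -> bool:
        """Apply one network event; returns the resulting tunnel state."""
        if not ev.connected:
            state, reason = False, "no network"
        elif self.is_trusted(ev):
            state, reason = False, "trusted network"
        else:
            state, reason = True, "untrusted network"
        if state != self.tunnel_up:
            reason += " (reconnect)" if state else " (disconnect)"
        self.tunnel_up = state
        self.history.append((reason, state))
        return state

def simulate(events, probe_results):
    """Replay network events with scripted probe outcomes; the probe is
    consulted only when the suffix matched, in event order."""
    results = iter(probe_results)
    client = SndClient(probe=lambda: next(results))
    return [client.on_network_change(ev) for ev in events]
```

In the replay, a network that presents the corporate suffix but fails the probe is treated as untrusted and the tunnel stays up; it only comes down again once the device is back on a network where the probe succeeds.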
