We are using a SonicWall TZ350 as our firewall at work. The SonicWall is also used as our VPN, so the remote workers can access our NAS in the office. Except for the VPN, there are no services or ports which are exposed to the outside. The subscription for the Advanced Protection ended last week and because SonicWall increased their prices by a lot we are thinking about switching to another firewall.
We don’t have the capacity to get in touch with other providers because the end of the year is hectic as always. How large are the risks for us with the given circumstances (VPN via the SonicWall and no other open ports)? Is this something that should be resolved ASAP, or is the SonicWall without the subscription still safe enough to take our time with the eventual switch to another provider?
Update: We got a good trade-in deal and are now upgrading to a 7th gen device for less than 50% of the yearly cost of the subscription for the TZ350. Delivery should be this week and as we can simply copy our old config the problem should be resolved before Christmas. I will look into all the ideas and recommendations in the new year.
This was my first time asking a critical question on Reddit and I'm blown away by the quality and amount of help I received. THANKS A LOT!! I wish nothing but the best for you all.
Are you even using any of the features provided by that license, or are you mainly doing the VPN? The meat of the license appears to be L7 inspection type features.
No one can say how safe you will be, it might be fine or there might be a critical vulnerability that targets the VPN tomorrow. You need to stay on top of any new version release notes and vulnerability announcements.
Just disable VPN access for the holidays as a gift to workers so they can "focus on what's really important", or replace it with a secure software-based free alternative like OpenVPN or WireGuard (Tailscale, NetBird).
Renewing the subscription on a tz350 has been inflated by SonicWall. You are better off doing a 2yr trade up on a new appliance as they will be EOL soon.
And all the manufacturers have increased their pricing. Every player that has something to do with security has upped their fees.
Quite a few ransomware hacks have taken place specifically through unpatched SonicWall SSL VPNs. Turn it off, even if it is up to date, unless you are sure that it's not vulnerable to anything.
I like the person’s suggestion to tell people to have a nice holiday - you will not be able to get into work.
Keep the firmware updated as needed, make sure NetExtender is updated, make sure users have MFA, keep an eye on logs, and it should be OK. I would keep support active.
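"Keep an eye on logs" is easier to act on with something concrete to look for. The following is an added example, not code from this thread or from SonicWall: it runs a small review over a few constructed VPN authentication log lines in a hypothetical `user=... src=... result=... mfa=...` format (not SonicWall's real syslog schema; the field names and the sample addresses are assumptions) and flags the three things a defender would want to see first: bursts of failed logins from one source, one source trying several usernames, and successful logins that happened without MFA or right after such a burst.

```python
import re
from collections import defaultdict

# Hypothetical, constructed log format (NOT SonicWall's real syslog schema):
# "<ts> <host> vpn: user=<name> src=<ip> result=<success|fail> mfa=<yes|no>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) vpn: "
    r"user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>success|fail) mfa=(?P<mfa>yes|no)$"
)

# Constructed sample input: one normal MFA login, a burst of failures from a
# single source trying several accounts, then a non-MFA success from that same
# source, plus one ordinary login without MFA and one unparseable line.
SAMPLE_LOG = """\
Dec 18 08:01:12 fw01 vpn: user=alice src=198.51.100.23 result=success mfa=yes
Dec 18 08:02:40 fw01 vpn: user=bob src=203.0.113.9 result=fail mfa=no
Dec 18 08:02:41 fw01 vpn: user=bob src=203.0.113.9 result=fail mfa=no
Dec 18 08:02:42 fw01 vpn: user=admin src=203.0.113.9 result=fail mfa=no
Dec 18 08:02:43 fw01 vpn: user=root src=203.0.113.9 result=fail mfa=no
Dec 18 08:02:44 fw01 vpn: user=test src=203.0.113.9 result=fail mfa=no
Dec 18 08:02:50 fw01 vpn: user=bob src=203.0.113.9 result=success mfa=no
Dec 18 08:10:05 fw01 vpn: user=carol src=192.0.2.77 result=success mfa=no
garbage line that should be ignored
"""


def parse(lines):
    """Return one dict per line that matches the (hypothetical) format; skip the rest."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def review(events, fail_threshold=5, spray_users=3):
    """Walk the events in order and collect the findings a reviewer would check first."""
    fails_by_src = defaultdict(int)      # failed attempts per source address
    users_by_src = defaultdict(set)      # distinct usernames tried per source
    no_mfa_success = []                  # successful logins without a second factor
    success_after_burst = []             # success from a source already over the threshold
    for ev in events:
        src = ev["src"]
        if ev["result"] == "fail":
            fails_by_src[src] += 1
            users_by_src[src].add(ev["user"])
            continue
        if ev["mfa"] == "no":
            no_mfa_success.append((ev["user"], src))
        if fails_by_src[src] >= fail_threshold:
            success_after_burst.append((ev["user"], src, fails_by_src[src]))
    return {
        "bursts": {s: n for s, n in fails_by_src.items() if n >= fail_threshold},
        "spray": {s: sorted(u) for s, u in users_by_src.items() if len(u) >= spray_users},
        "no_mfa_success": no_mfa_success,
        "success_after_burst": success_after_burst,
    }


if __name__ == "__main__":
    findings = review(parse(SAMPLE_LOG.splitlines()))
    for name, value in findings.items():
        print(f"{name}: {value}")
```

Pointed at a real export, the interesting output is the `success_after_burst` list: a login that succeeds from an address that just failed many times, without MFA, is exactly the pattern that deserves a phone call to the user before the holidays. The thresholds are deliberately low for the sample and should be tuned to the size of the user base.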
Which VPN? It matters a lot. IPSec site-to-site SA with static IPs at both ends: no risk if you create a WAN-to-WAN rule to only allow connections from the peer. Global VPN Client or site-to-site with a dynamic peer: low. SSL-VPN: check your firmware, as there have been several recent critical auth bypass vulnerabilities. This could be anywhere from "your device has already been compromised" to "you are safe until the next vulnerability comes along".
Yeah just roll out a fresh open-source Client VPN solution before Christmas. lmao
Either OP works for a mid-sized company, in which case this would be a time-intensive project adjusting and testing client- and server-side configuration. Or it’s a small shop where no one cares and OP runs things on a prayer, in which case they won’t have the infrastructure in place to efficiently and remotely roll out a new solution like this to clients.