Adam_a

SonicWall NSA 2650 Review Discussion


SonicWall’s NSA 2650 is a 1U firewall with the aim of protecting mid-sized networks, branch offices, and distributed enterprises. With 22 connection ports (counting the console and management), the 2650 also offers significant connectivity improvements over its predecessor, the NSA 2600. The NSA 2650 also adds SFP ports for farther reaching areas, as well as 2.5Gbps ports for supporting newer and faster Wave2 access points that support greater connection speeds. In terms of performance, SonicWall has also made dramatic improvements across the board. Connection throughput has doubled with the newest model, such as the Full DPI throughput, Application inspection throughput, and IPS throughput. In some instances the NSA 2650 supports as much as 13 times as many connections as the NSA 2600. At the heart of the firewall’s security is SonicWall’s patented RFDPI engine and the just-released SonicOS 6.5 operating system, which offers a huge step up in look and feel and ease of management. Overall the new NSA 2650 has a lot to offer, with plenty of room for expansion for a growing mid-size organization.


SonicWall NSA 2650 Review


How is it doing Deep Packet Inspection of SSL connections? Is it using a zero-day to decrypt the packets? Or is it impersonating the websites connected to using cloned security certs?

Unless I'm missing something, the article describes a successful Man-in-the-Middle attack, breaking current internet security, as though it were a routine feature.


SonicWall Response –

Thanks for the question. As noted in the review, SonicWall firewalls perform deep packet inspection of both clear and encrypted traffic, a standard practice for security products. The deep packet inspection engine in our firewalls intercepts TLS/SSL encrypted traffic, scans it for threats and stops them at the perimeter. This is a network security best practice as noted by industry analysts and implemented by other network security vendors in addition to SonicWall.

Please refer to the following resources for more details on how our firewalls perform deep packet inspection of encrypted traffic –

https://www.sonicwall.com/en-us/resources/infographics/infographic-how-to-stop-encrypted-threats-dpi-ssl

https://www.sonicwall.com/en-us/lp/executive-brief-the-dark-side-of-encryption

https://www.sonicwall.com/en-us/lp/the-dark-side-of-encrypted-traffic


The 2nd and 3rd links require registration. Real name, email, company. The 2nd one additionally wants phone number and postal code. I'll give those a pass.

Based on the 1st infographic, they're installing a custom SSL/TLS certificate on the end-user's computer, then performing a man-in-the-middle attack. When the user opens an https connection, they're only opening one to the firewall router. The router opens the real https connection to the server. It decodes all the traffic both ways, checks for malware (and anything else the sysadmin dislikes), then re-encrypts the remaining content and sends it along.

There's no mention of banking, government, or other classes of sites being off-limits to the attack. Based on the infographic, ALL secure connections are intercepted for filtering and analysis.

I can see this for a business serving employees. I'd consider it dubious for home use serving family members. And totally unacceptable for use by a library, hotel, or restaurant. Or most especially, by an ISP.

It makes a mockery of the padlock icon, which is supposed to mean you have a private connection to a server, with only the sender and recipient privy to the contents.
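An added example, not from this thread or from SonicWall, showing how an endpoint can tell the re-signed chain described above from the origin's real chain: SPKI pinning, as browsers and mobile apps do for high-value sites. Certificates are modelled as dicts and the public-key bytes are constructed placeholders, not real keys; real code would take the chain from the TLS socket and parse it.

```python
import base64
import hashlib


def spki_pin(pubkey: bytes) -> str:
    """HPKP-style pin: base64(sha256(public key bytes))."""
    return base64.b64encode(hashlib.sha256(pubkey).digest()).decode()


def check_chain(chain, pinned):
    """Return (ok, reason).

    ok is True only when every certificate is issued by the next one in the
    list AND at least one certificate's public key is in the pinned set.
    A DPI-SSL proxy re-signs the leaf with its own CA, so the pinned key of
    the origin's intermediate or root never appears and the check fails.
    """
    for i in range(len(chain) - 1):
        if chain[i]["issuer"] != chain[i + 1]["subject"]:
            return False, "broken chain at " + chain[i]["subject"]
    for cert in chain:
        if spki_pin(cert["pubkey"]) in pinned:
            return True, "pinned key found: " + cert["subject"]
    return False, ("no pinned key; chain ends at '" + chain[-1]["subject"]
                   + "' (possible TLS interception)")


# Constructed data: what the client should see for bank.example.
GENUINE_CHAIN = [
    {"subject": "bank.example", "issuer": "Public CA Intermediate",
     "pubkey": b"constructed-leaf-key"},
    {"subject": "Public CA Intermediate", "issuer": "Public CA Root",
     "pubkey": b"constructed-intermediate-key"},
    {"subject": "Public CA Root", "issuer": "Public CA Root",
     "pubkey": b"constructed-root-key"},
]

# Constructed data: the same site seen through an inspecting firewall whose
# CA was pushed to the endpoint's trust store.
INTERCEPTED_CHAIN = [
    {"subject": "bank.example", "issuer": "Corp Firewall DPI-SSL CA",
     "pubkey": b"constructed-proxy-leaf-key"},
    {"subject": "Corp Firewall DPI-SSL CA", "issuer": "Corp Firewall DPI-SSL CA",
     "pubkey": b"constructed-proxy-ca-key"},
]

# Pin the origin's intermediate key (hypothetical value for this example).
PINS = {spki_pin(b"constructed-intermediate-key")}

if __name__ == "__main__":
    print(check_chain(GENUINE_CHAIN, PINS))      # (True, 'pinned key found: ...')
    print(check_chain(INTERCEPTED_CHAIN, PINS))  # (False, 'no pinned key; ...')
```

Trust-store validity is not enough here: both chains would pass the operating system's normal check, since the firewall CA was installed as trusted; only the pin distinguishes them.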
