Login Security

The internal SonicWall Web-server now only supports SSL version 3.0 and TLS with strong ciphers (12 -bits or greater) when negotiating HTTPS management sessions. SSL implementations prior to version 3.0 and weak ciphers (symmetric ciphers less than 128-bits) are not supported. This heightened level of HTTPS security protects against potential SSLv2 rollback vulnerabilities and ensures compliance with the Payment Card Industry (PCI) and other security and risk-management standards.

 
* 
TIP: By default, Mozilla Firefox 2.0 and Microsoft Internet Explorer 7.0 enable SSL 3.0 and TLS, and disable SSL 2.0. SonicWall recommends using these most recent Web browser releases. If you are using a previous release of these browsers, you should enable SSL 3.0 and TLS and disable SSL 2.0. In Internet Explorer, go to Tools > Internet Options, click on the Advanced tab, and scroll to the bottom of the Settings menu. In Firefox, go to Tools > Options, click on the Advanced tab, and then click on the Encryption tab.

SonicOS provides password constraint enforcement, which can be configured to ensure that administrators and users are using secure passwords. Password constraint enforcement satisfies the confidentiality requirements as defined by current information security management systems or compliance requirements, such as Common Criteria and the Payment Card Industry (PCI) standard.
Password must be changed every (days) – requires users to change their passwords after the designated number of days has elapsed. When a user attempts to login with an expired password, a pop-up window will prompt the user to enter a new password. The User Login Status window now includes a Change Password button so that users can change their passwords at any time. The default number of days is 90.
Bar repeated passwords for this many changes – requires users to use unique passwords for the specified number of password changes. The default number is 4.
New password must contain 4 characters different from the old password – requires users to change at least 4 alphanumeric characters in their old password when creating a new one.
Enforce a minimum password length of – sets the shortest allowed password.
Enforce password complexity –specifies how complex a user’s password must be to be accepted. The drop-down menu provides these options:
None (default)
Require both alphabetic and numeric characters
Require alphabetic, numeric, and symbolic characters – for symbolic characters, only !, @, #, $, %, ^, &, *, (, and ) are allowed; all others are denied.
Complexity Requirement – When the password complexity option is selected, sets the minimum number of alphanumeric and symbolic characters in a user’s password. The default number for each is 0.
Upper Case Characters
Lower Case Characters
Number Characters
Symbolic Characters
Apply these password constraints for — the check boxes specify to which classes of users the password constraints are applied. By default, all check boxes are selected.
Administrator – refers to the default administrator with the username admin.
Other full administrators
Limited administrators
Other local users
Log out the Administrator after inactivity of (minutes) – sets the length of inactivity time that elapses before you are automatically logged out of the Management Interface. By default, the SonicWall security appliance logs out the administrator after 5 minutes of inactivity. The inactivity timeout can range from 1 to 9999 minutes.
 
* 
TIP: If the Administrator Inactivity Timeout is extended beyond five minutes, you should end every management session by clicking Logout in the upper right corner of the page to prevent unauthorized access to the SonicWall security appliance’s Management Interface.
Enable administrator/user lockout – locks administrators out of accessing the appliance after the specified number of incorrect login attempts. This option is disabled by default.
Failed login attempts per minute before lockout specifies the number of incorrect login attempts within a one-minute time frame that triggers a lockout. The minimum time is 1 minute, the maximum time is 60 minutes, and the default is 5 minutes.
Lockout Period (minutes) specifies the number of minutes that the administrator is locked out. The minimum time is 1 minute, the maximum time is 60 minutes, and the default is 5 minutes.