IMPORTANT
SNS 3.x versions have reached End of Maintenance since July 1st, 2024.
We recommend that you update your SNS firewalls to a version with maintenance to guarantee the protection of your infrastructure.
DNS
Domain name resolution is required by some services, e.g. the web proxy. If the DNS servers used by the firewall are compromised, an attacker can redirect the corresponding traffic to fraudulent peers.
R25 | Choose controlled DNS servers
Controlled DNS resolvers should be configured in System > Configure > Network settings.
R25 - | Change default DNS servers
If there are no controlled resolvers in the information system (IS), the DNS resolvers configured by default should at least be replaced with the ISP's.
An SNS appliance's object database makes it possible to create static or dynamic network objects. A dynamic object is tied to a domain name that the firewall resolves again at regular intervals, whereas a static object keeps a fixed address. By default there are about fifteen such dynamic objects, with names ending in netasq.com or stormshield.eu, some of which are shown in the image below (these names may vary depending on updates). They generate unnecessary and unwanted DNS requests that cannot be blocked by filter rules.
Using an internal mirror (recommendation R24) means that an SNS appliance does not have to contact Stormshield's update servers directly. Also, when controlled DNS servers are used (recommendation R25), the names of Stormshield's other services (license management, etc.) are resolved through trusted resolvers and no longer require specific handling.
R26 | Restrict the use of dynamic objects
Unused dynamic objects should be deleted, and those that must remain should be switched to static resolution in Objects > Network objects.
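To check R25 and R26 against what the firewall actually sends on the wire, the following script audits DNS queries emitted by the appliance: queries sent to a resolver outside the controlled set are flagged under R25, and queries for names under netasq.com or stormshield.eu (the domains behind the default dynamic objects) are flagged under R26. This is an added example and not part of the Stormshield guide or product; the one-query-per-line log format, the resolver addresses and the firewall address are all constructed for the example, and a real deployment would feed it from a capture or from the resolver's own query log.

```python
"""Audit DNS queries emitted by an SNS appliance against R25 and R26.

Added example, not Stormshield code. The log format, the resolver
addresses and the firewall address below are constructed assumptions.
"""
from __future__ import annotations

import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Resolvers operated inside the information system (assumed values, R25).
CONTROLLED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}
# Address from which the appliance sends its own queries (assumed value).
FIREWALL_IP = "10.0.0.1"
# Domains behind the default dynamic objects that R26 asks to clean up.
VENDOR_SUFFIXES = ("netasq.com", "stormshield.eu")

# Constructed sample log: "<src> -> <resolver> Q <qname>", one query per line.
SAMPLE_LOG = """\
10.0.0.1 -> 10.0.0.53 Q update.example.internal
10.0.0.1 -> 8.8.8.8 Q licence.example.com
10.0.0.1 -> 10.0.0.53 Q hello.netasq.com
10.0.0.1 -> 208.67.222.222 Q something.stormshield.eu
10.0.0.1 -> 10.0.1.53 Q mirror.example.internal
10.0.0.1 -> 10.0.0.53 Q foo.stormshield.eu.example.org
10.0.0.42 -> 8.8.8.8 Q client.example.com
"""

LINE_RE = re.compile(r"^(\S+) -> (\S+) Q (\S+)$")


@dataclass(frozen=True)
class Finding:
    rule: str      # "R25" (uncontrolled resolver) or "R26" (vendor dynamic object)
    resolver: str  # resolver the query was sent to
    qname: str     # name that was queried


def is_vendor_name(qname: str) -> bool:
    """Label-wise suffix match, so foo.stormshield.eu.example.org is NOT matched."""
    labels = qname.rstrip(".").lower().split(".")
    for suffix in VENDOR_SUFFIXES:
        suffix_labels = suffix.split(".")
        if labels[-len(suffix_labels):] == suffix_labels:
            return True
    return False


def audit(log: str) -> list[Finding]:
    """Return one Finding per rule violated by each query the firewall itself sent."""
    findings: list[Finding] = []
    for line in log.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # skip malformed lines rather than abort the audit
        src, resolver, qname = match.groups()
        if src != FIREWALL_IP:
            continue  # only the appliance's own queries are in scope here
        try:
            ipaddress.ip_address(resolver)
        except ValueError:
            continue
        if resolver not in CONTROLLED_RESOLVERS:
            findings.append(Finding("R25", resolver, qname))
        if is_vendor_name(qname):
            findings.append(Finding("R26", resolver, qname))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per recommendation, e.g. {'R25': 2, 'R26': 2}."""
    return dict(Counter(f.rule for f in findings))


if __name__ == "__main__":
    results = audit(SAMPLE_LOG)
    for f in results:
        print(f"{f.rule}: {f.qname} sent to {f.resolver}")
    print(summarize(results))
```

On the sample above, the second and fourth lines are R25 findings (queries to public resolvers), and the third and fourth are R26 findings (names under the vendor domains); the last two lines are deliberately not flagged, the sixth because the vendor domain is only an inner label, the seventh because it comes from a client, not from the appliance.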