StoneBlog.stonesoft.com

Helsinki has been named World Design Capital for 2012.

As you might know, Design is not only about chairs, desktop and furniture…

The word comes from the late Middle English as a derivative word from Latin “Designare“, which means to indicate something for a purpose or duty.

As it happens for many concepts, the word has a definition but different meanings depending on the context where it is applied.

Just like Security.

Two important principles related to design are usability and ergonomics.
Both are related to improve people efficiency in their working environment.

The same two principles are not only related, but fundamentally important for Security.

When you design something, you mainly think about the purpose of that something in different contexts.
Because different usage contexts mean different needs to address, different perspectives, different angles.

Just like in Security planning.

Especially after Cloud Computing wave, there has been lots of talking about context-aware security.
To highlight and stress that security technologies and implementations should always consider the whole context of a session and not only a fragment of it.
For example, not limiting authentication to user credentials validation only but extend the analysis and validation to the whole “security posture” by assessing the hardware he’s using, the network he’s coming from, the strength of the authentication method used, etc.

At Stonesoft, we have blended all these important principles in our solutions from day one.

We offer dynamic, software based network security solutions that can adapt to the context where they are implemented, providing protection against the lastest and most dangerous threats: AETs.

We provide great usability both for security administrators and for users, to maximize the efficiency and user experience while minimizing impact on resources.

We can prove reduction of CAPEX and OPEX costs with real, tangible savings.

We believe in ergonomics principles applied to (e.g.) authentication, where users should be able to achieve strong authentication naturally, using methods and devices they learnt to use daily for multiple other purposes.

We offer secured authenticated access to the cloud, enabling universal access from multiple platforms and context-aware security.

We empower MSSPs to provide faster time-to-market for security services and most scalable solution to manage thousands customers with minimized OPEX.

Ins’t this… ergonomic Network Security by design?

written by RoarinPenguin - 275 views \\ tags: context-aware security, design, ergonomics, network security

Let’s start this 2012 with a technical tip about variables usage in Stonesoft SSL VPN.

More specifically, the variables described in this article are used when configuring a startup command in a Tunnel Set definition to allow TCP/UDP based applications to be used inside a SSL tunnel.
A sample use case is a user that needs to access to his home directory and we do not want to create as many tunnel set as users in the system.
The Startup Command in a Tunnel Set is executed as soon as the tunnel has been successfully established, to automate the launch of a given application.
In this example, the Startup Command content in SSL VPN Tunnel Set configuration could contain something like:

\\192.168.100.1\[$uid]

This particular $uid variable will be replaced with the user ID when the startup command will be invoked by the system.

I report below the other useful variables that can be used in the same context:

[$ehost]  =   the access point server name including port number

[$eprot]  =   HTTP or HTTPS

[$uid]  =   The external user name

[$iuid]  =   The internal user name (usually the same of $uid)

written by RoarinPenguin - 190 views \\ tags: SSL VPN, Tunnel Resource, Tunnel Set, variables

Virtual Private Network Consortium, better known as VPNC, tests interoperability of various VPN technologies from different vendors. During year 2011 Stonesoft Firewall/VPN has received two new IPsec interoperability logos. These are logos for IKEv2 and IPv6.

Testing conducted by VPNC proves that vendor has implemented standards defined protocols in a way that can be used in real life where interoperability between different vendor’s implementation is frequently needed.

written by juhalu - 330 views \\ tags: VPN

Is your printer a security liability? It’s a question many IT professionals are asking after researchers at Columbia University discovered that printers can easily be targeted for network security attacks. The findings of this research – which are already precipitating class-action lawsuits against printer giant Hewlett Packard – disclosed that some printer devices can be “remotely controlled by computer criminals over the Internet, with the potential to steal personal information, attack otherwise secure networks and even cause physical damage” (see msnbc.com’s full article here).

The primary flaw discovered by Columbia University researchers rests in the firmware that allows modern printers to function as small computers. Like software, the printer routinely updates its firmware by connecting to the internet and downloading appropriate updates. Researchers discovered that printers don’t verify the source of the update software or the software’s authenticity, thereby providing a hidden point of entry for cyber criminals to gain access to the printer. As a result, a seemingly benign printer can be transformed into a “beachhead” for launching a network-wide attack.

As researchers determine which printer vendors are vulnerable and the extent of these vulnerabilities, Stonesoft would like to remind you of the following:

• Any device connected to your network is at risk. Security targets aren’t limited to desktops, laptops and servers. If left unprotected, printers, VoIP, PBXs and other low-interfacing devices can be gateways to network attacks.
• Your network security strategy should cover every device. When is the last time you inventoried how many disparate devices are accessing your network and how? Most enterprises fail to protect every network-connected device, and this is certainly the case with printers.
• Multi-layer protection is critical. Deep packet and web traffic inspection should be executed at the perimeter and inside of the network.

written by MMcKinley - 389 views

This afternoon I had an interesting conversation with a Partner about one of the best kept secrets in Stonesoft SSL VPN: the ability to secure mail in the cloud providing Exchange ActiveSync and Device ID locking support.

“It’s not for me, I don’t have a cloud” he said initially, when I started describing the solution.

This is a common misunderstanding: to believe that the Cloud is only public!

Because Cloud Computing describes mainly an IT ecosystem, everyone who is adopting techniques and technologies of this ecosystem has a cloud!

Naturally, there is a difference between public and private clouds.

Happy with this description, the Partner continued the discussion and we analyzed the solution illustrated below:

When the user implements a Mail system based on Exchange protected by Stonesoft SSL VPN, there are several interesting benefits:

• avoid the Exchange Server to be exposed in DMZ
• offload the SSL traffic from Exchange Server
• provide support for Exchange ActiveSync to synchronize mail, contacts, calendar and tasks to mobile devices supporting this feature (majority of most recent smartphones do)
• support Device ID locking, to prevent unauthorized mobile devices to access to Exchange

…beside securing access to Outlook Web Access and the mail control panel when the mail is accessed via browser.

A growing number of Stonesoft Customers are already enjoying this cool feature, which is included in the base license of the SSL VPN solution.

Stonesoft SSL VPN licensing based on concurrent users and transparent integration with MS Active Directory with dynamic user linking allow a rapid and efficient deployment of a cost-effective solution.

Based on how the conversation ended, I really think that this “growing number” will increase by one soon…

Secure your mail in the cloud, with Stonesoft SSL VPN!

written by RoarinPenguin - 392 views \\ tags: MS Exchange, secured access to the cloud, secured mail, SSL VPN

Hello,

since I’ve been upgrading and installing a 5.3.2 cluster, I now do see these situations in the logs: Anti-Virus_Buffering-Limit-Exceeded ==> I suspect this messsage means that the AV part of the FW can not handle the size of the requested file.

As I couldn’t find it in the online-doc, is there anyone who can point me out the documentation that describe the value of this size limit ?

Is the a way to modify this limit ?

As it is new to me, what is the user supposed to see when such a limit is reached ?

PS: sorry, I’m new to WordPress and posting in forum: is there a better place to share q&a about StoneGate ?

written by docstephano - 575 views

Big enterprises and government agencies are expected to have ironclad network security. But, what about that café down the street? Or the retail store you visited last week that used an iPad to swipe your credit card? One would hope they’re taking security seriously too – right? Unfortunately, the simple fact is that most of these multi-location, small businesses have inadequate or misconfigured security because it’s too difficult to deploy, configure and manage.

This is where Stonesoft Mass Security comes in. We’re making the installation of advanced network security as simple as plugging in a laptop. Perfect for multi-location and franchised businesses, office managers and store clerks simply have to plug in the security device (e.g. firewall) and it calls home to an installation cloud to access pre-configured settings.

Right now, our goal here at Stonesoft is to educate the masses about what Mass Security is, how it works and how it’s changing the landscape of network security. We have a ton of resources available to help speed this along, including:

• Website: This is a microsite dedicated solely to all things Mass Security. Everything you need to know – from technical know how to the basic “What is it?” – is here.
• Brief: This not-too-technical whitepaper explains how Mass Security works. It’s a must-have primer. Download here.
• Video: When’s the last time you’ve installed a firewall in 81 seconds? Now, when’s the last time you’ve enabled thousands of firewalls to install in 81 seconds? Check out this video to see it done.
• Webcast: Our next online discussion about Mass Security is on November 2, 2011 at 1pm ET (US). Join us.

written by heather.pritchett - 490 views

…as Bruce Springsteen would sing

Few days ago Stonesoft released the A2Cloud solution.
That is, the combination of multiple technologies to create secured and authenticated access to the cloud, no matter if it is public or private… because everybody has a cloud, right?

There is nothing new in the purpose to authenticate access to data and applications, since this has been a need for quite a while now… what A2Cloud the idea is to innovate the way to answer to this need from two main standpoints.

• Ergonomic Authentication
• Governance

For too long strong authentication has been synonym of hardware tokens, dedicated devices to carry around with the sole purpose of generating a one-time password based on specific algorithms.
And for too long these devices has been prone to errors in usage, battery run out ahead of time, clumsy usability and… being forgotten at home.

And for too long awareness of what was happening in the field from authentication and security governance viewpoints has been a serious issue for security administrators and auditors.
Questions such as “how often a given authentication method was used”, “how users reacted to strong authentication”, “how easy it was to use that given authentication” and many others remained without a proper answer.

A2Cloud was conceived to provide a reliable and complete answer to these questions, while relieving the users from the “doom of hardware tokens”.

Ergonomic authentication means to apply the principles of ergonomics to enable usage of common tools we’re keen to use everyday for strong authentication purposes too. And these tools are something we’ll never forget home (or, better, if it happens we’re very willing to get back home to take them )… I’m talking about mobile phones, smartphones, PDAs, tablets, netbooks and notebooks.

In short, tools we can’t live without (anymore).

Security awareness means availability of tools to understand what’s going on, how to audit authentication and other security related operations; how to get the information you need, when you need it, and with the level of detail you need to do what you need to do (supervision, troubleshooting, monitoring, alert, react to security threat, log analysis, auditing, etc.).

Visit A2Cloud minisite to develop a better understanding about how Stonesoft solution can ease your professional life of a cloud user and/or security administrator.

Share a little of that human touch…

written by RoarinPenguin - 449 views \\ tags: a2cloud, ergonomic authentication, governance

The team at Stonesoft is thrilled to announce that the StoneGate IPS outperformed several of the industry’s leading network IPS devices in a recent test conducted by ICSA Labs. In this test, network IPS devices were tested from the industry’s top vendors against vulnerabilities less than three months old.

In ICSA Labs’ initial test, products scored an effectiveness rating of between 59.4 percent and 78.1 percent. After being allowed to modify their products to better protect against current security threats, final tests showed an effectiveness rating of between 81.3 percent and 90.6 percent. Stonesoft’s StoneGate IPS-1205 performed at the highest end of the range for both tests with a 78.1 rating for the initial test and a 90.6 rating for the final test.

If you want to read the full report and individual vendor scores, it’s available on ICSA Labs’ Quarterly Network IPS Vulnerability Testing page, including individual vendor scores.

In addition, our IPS has been nominated in SC Magazine’s Reader Trust category for Best IPS. We encourage you to support Stonesoft by voting! Click here to vote.

As we continue to make strides in our evasion research, we look forward to maintaining the highest performance and protection across our portfolio of IPS solutions. As always, let us know what you think, what we can do better and so forth. We take a team approach here at Stonesoft – and everyone of our customers, partners and colleagues play a valuable role.

written by heather.pritchett - 625 views

Recent security incidents with Diginotar and less recent (but lot less important) with Comodo and RSA raised quite a concern in something that was taken for granted: the implicit level of security of an SSL-encrypted channel and time-based strong authentication methods such as the hardware based one-time password generators.
Employees working from home, online banking users, citizen using governmental online services, web mail systems containing more and more personal data, web sites for online shopping, service providers offering applications “in the cloud”.
These are just samples of the countless services that are potentially impacted by the new new threat: valid digital certificates stolen by cybercriminals, used to fake connections to well known domain names.
Which is not that new new threat, since it is implicit in the SSL server certificate authentication model based on the level of trust put in the so called issuing Certificate Authorities.

Well, it really seems to me that the ‘problem’ continues to be the same.
Continue reading »

written by RoarinPenguin - 593 views \\ tags: authentication methods, combination, entropy, Security, Ssl certificates