May 15

Security Right-Sizing

Various -

“Security right-sizing” is a term that comes up often these days – and understandably so. The cost of network security has risen dramatically these last few years, while the general population has become desensitized to data breaches. Meanwhile, most companies can’t deploy the breadth and scope of security technologies they would like due to budget constraints.

I recently discussed this very topic over on the MSP Alliance blog. In that post, I provided steps to developing a network security strategy that balances offense, defense and resource constraints. Even if you’re not an MSSP, I urge you to read the post in full here. Meanwhile, here is an excerpt:

“Pinpoint weaknesses: It’s imperative to understand the weakest links in a client’s network so that the appropriate countermeasures can be implemented. For some, this may take the form of education, for others this may involve fortifying a particular area of the network. Regardless, spending the time to identify them now will stave off disaster in the future. If you don’t know where the weak spots are, hackers will certainly find them.

Determine costs of protection vs. avoidance: In an ideal world, protections would be deployed at every intersection of data traversal. The reality is that choices have to be made regarding the most important assets and how to protect them. MSSPs must help companies evaluate which assets are acceptable to risk, which are not and costs associated with both. When this understanding is reached, security devices and controls can be repositioned or reformulated to ensure that the most critical assets have the proper level of protection. Avoidance, on the other hand, may be necessary to ensure that other, more critical, assets are well protected.

Understand false causality: Last, and certainly not least, is the understanding that statistics have a certain value, but should serve more as a data point in multi-year trends. Particularly in the case of a sensitive subject, such as security, following statistics in making decisions can be dangerous. Every network, business and industry is different and statistics don’t always reflect such. In the never-ending game of offense and defense in the world of security, would you want to leave anything to chance?”

While these tips were obviously written for MSSPs, I believe they are still wholly relevant to any organization struggling to prioritize and optimize network security. What are your thoughts on security right-sizing? How do you strike a balance between protecting your networks and staying within your organization’s resource constraints?

written by MMcKinley - 138 views

May 11
In a recent post we discussed the much-debated topic of BYOD, which brings both the freedom to use your preferred device to get things done and a loss of control for IT administrators over the level of trust of connecting devices.

There is, however, another related discussion causing quite some eInk to be spilled: MDM or Mobile Device Management.

According to Wikipedia, MDM is all about software to secure, monitor, manage and support mobile devices deployed across mobile operators, service providers and enterprises.

One important aspect of an MDM strategy is controlled access to corporate data and applications, because devices with a low level of “trustability” could represent a risk and a threat to enterprise security.

Stonesoft SSL VPN, part of the A2Cloud solution, supports the ability to identify connecting devices.

And once you know the preferred device (BYOD) of a given user or group of users, you can use this information to restrict, allow or deny access to specific resources in a dynamic and flexible fashion.

Customers are enamored of this feature for the customization it offers, because the concept of a device in SSL VPN is not only physical.
A device can be identified by its OS, by the browser it uses to access the SSL VPN, by the URL called and by numerous other parameters.

This gives IT and security administrators back the control they need to support BYOD and MDM strategies with a proper, agile level of security.

written by RoarinPenguin - 314 views

May 08

I recently wrote a blog post for the MSP Alliance about the Global Payments breach and PCI compliance. You can read the full post here, but I wanted to share a few highlights on StoneBlog.

In case you missed it, Global Payments, Inc. experienced a data breach in late March that impacted an estimated 1.5 million credit card accounts. As a leader in payments processing, the company has long taken strict measures to be PCI compliant. Visa wouldn’t trust millions of transactions a year with just anyone, right?

Right. And yet, somehow, things turned very wrong. Avivah Litan, VP and Distinguished Analyst at Gartner Research, writes on her blog:

What’s the takeaway on PCI? The same one that’s been around for years. Passing a PCI compliance audit does not mean your systems are secure. Focus on security and not on passing the audit.

This couldn’t be more true. So many companies overinvest time and resources trying to be PCI-compliant rather than treating network security as a process that must constantly evolve (both technically and procedurally) to protect against threats. Just as important is the fact that PCI audits are only as good as the people giving them. Just because an auditor doesn’t find a network security hole doesn’t mean it isn’t there.

My final takeaway? When PCI becomes THE end-all be-all standard, it becomes a risk. Focus on strong security – and compliance will follow.

written by MMcKinley - 223 views

May 03

Stonesoft SSL VPN 1.5.100: BYOD at your service

Cloud Computing, SSL VPN -
BYOD.
An acronym, a promise, a new IT paradigm empowered by the cloud computing wave.
BYOD stands for Bring Your Own Device.
And it means you should have the freedom to use the most convenient client device to get things done.
Things like accessing corporate data and applications.
In your private, public or hybrid cloud.

But BYOD also means an issue… and quite a big one: a loss of control for IT over how trustworthy the client device you choose to get things done really is.
And from a security perspective, this is a relevant concern.
The upcoming version of Stonesoft SSL VPN, part of the A2Cloud solution, makes BYOD a viable path.


written by RoarinPenguin - 741 views

May 02

Stonesoft 5.4 – Other Enhancements

Feature Previews, SMC -

There are a number of other enhancements in the 5.4 versions. Here are some that deserve a mention.


written by Tero Jantunen - 274 views

Apr 26

StoneBlog welcomes a guest post from Brian Monkman, Perimeter Security Programs Manager at ICSA Labs (www.icsalabs.com):

Have you been off the Grid?

By now you have all heard, unless you have been totally off the grid for the last decade, that IPv4 depletion is a reality and that you MUST move to an IPv6 enabled infrastructure. So we have all taken this to heart and everything is hunky-dory, right?

Wrong!

IPv6 – Far from universal and fraught with problems

While a lot of security product vendors, though far from all, have implemented IPv6 functionality on their products and some enterprises are running IPv6 enabled servers and services – the adoption is very, very far from universal and is fraught with problems. Even the U.S. federal government with its NIST run USGv6 program doesn’t claim universal adoption.

So why is this, what are the issues and what are problems you should be aware of?

Let’s assume first you have done the obvious and have only purchased products or are only considering products from vendors that have been verified as being IPv6 compliant from a credible 3rd party lab. You have undoubtedly found that the range of choices isn’t as broad as you might wish. But why is that?

IPv6 Security Camps

When it comes to IPv6 implementation most security product vendors fall into one of three camps. First, you have the early adopters – the vendors who saw this coming, knew it was inevitable and wanted to be first to market. Second, the vendors who watched their competitors and quickly played catch-up. Then the third, by far the majority, who are developing new features and functionality based on ROI equations. This group largely claims that until recently there has been little to no user demand for IPv6.

IPv6 Planning

This should be a concern to all who are planning to or have implemented IPv6 within your enterprise. You may well take care of the primary servers and ensure everything is up and running (your firewalls or network IPS devices are running in dual stack mode, etc.), but what about your monitoring or network management tools? We have seen evidence that a number of enterprises have no idea what is happening on their network from an IPv6 point of view because their network management and/or management tools are not IPv6 ready.

What can be done?

You need to harass the account managers for those product vendors and ensure they follow through with IPv6 implementation as soon as possible. You can’t risk running blind.

Certifications

And of course – insert shameless plug – INSIST on an independent 3rd party verification, such as ICSA Labs. In addition to testing against USGv6 Testing Program requirements, a number of programs, such as Network Firewalls and IPSec, have IPv6 requirements. The IPv6 implementation from BOTH a routing and security perspective is critical. Visit ICSA Labs at www.icsalabs.com for an overview of all of these offerings.

Awareness

Vendors who have subjected their products to the scrutiny of ICSA Labs testing demonstrate an awareness that it takes more than pointing a traffic generator at a product to ensure products are secure. In addition to using traffic generators there must be in-depth hands-on testing against publicly vetted certification or evaluation requirements. Any testing that does not rise to this level of rigor should be considered suspect. Vendors who choose to subject themselves to this level of pain should be lauded.

Walk the walk

Admittedly vendors who subject themselves and their products to testing at ICSA Labs never have an easy time of it. But thankfully there are vendors who not only walk the walk, they talk the talk.

Our position is that security testing is not an event, it is a long term ongoing commitment.

What are your thoughts?

written by MMcKinley - 406 views

Apr 25

Stonesoft 5.4 – LEEF Forwarding/Reception Support

Feature Previews, SMC -
Stonesoft has recently joined the Q1 Labs Security Intelligence Partner Program, meaning that Stonesoft Log Server can be configured to forward logs to QRadar in Log Event Enhanced (LEEF) format. This makes it possible for the QRadar security information and event management tool to receive logs from Stonesoft Security Engines, Firewall/VPNs, IPS Engines and SSL VPNs. Log Forwarding support was actually introduced in SMC version 5.3.4.

While becoming familiar with the LEEF format, we also developed an out-of-the-box logging profile for the LEEF log format. Stonesoft Management Center can thus receive logs from LEEF compatible devices, thereby enhancing Stonesoft’s own third-party event management support. The logging profile will be introduced in SMC version 5.4.0.

written by Tero Jantunen - 226 views

Apr 24

An Update on Stonesoft’s IPv6 Readiness

Various -

Today, Stonesoft announced that its Next Generation Firewall has met the U.S. National Institute of Standards and Technology’s USGv6 evaluation requirements. Our solution has also passed ICSA Labs’ Network Firewall IPv6 and High Availability certification tests.

If you can’t tell, we’re taking IPv6 very seriously over here. Why? Because many network security vendors aren’t.

Stonesoft’s Brian Vosburgh goes into detail on this topic in a post on ICSA’s blog. You can read his full comments over there, but here are a few highlights. Most of today’s vendors are providing checkbox IPv6 capabilities, thereby deceiving many customers into thinking they are ready to support and secure IPv6 traffic. While it’s true most vendors do offer IPv6 inspection, the majority of these capabilities are limited. Only a handful of vendors (Stonesoft is one of them) can provide full inspection, logging and event correlation for IPv6 traffic at realistic traffic volumes and without affecting performance.

Our claims have been independently verified by ICSA Labs and held to the highest standard as evidenced by our recent USGv6 certification. We’re one of the few vendors to achieve this certification. Brian Monkman over at ICSA Labs shares a few more thoughts here on the role of IPv6 certification in the future of network security. I urge StoneBlog readers to check it out.

IPv6 isn’t going away – and Stonesoft has tackled the challenge head on. If you have any questions about security and IPv6 readiness, please ask them here!

written by MMcKinley - 296 views

Apr 19

7 ways to love the A2Cloud

Authentication, Cloud Computing, SMC, SSL VPN -

Cloud computing is here. Companies are increasingly using various cloud services to make everyday activities easier and more efficient. However, these advantages come with downsides – the real price for flexibility is lack of control, increased risks of human error and technological complexity due to various outsourced authentication methods and practices.
Stonesoft a2cloud is designed to remove these downsides and make life truly easier and more secure. In short, Stonesoft a2cloud revolutionizes how companies access the cloud. It is a perfect answer for the security needs of organizations using any cloud. Just say no to expensive authentication gadgets or hard tokens.
Check out below the 7 ways we have found to love A2Cloud in a webinar that will go live later today at 4 PM GMT+2!

written by RoarinPenguin - 254 views

Apr 17

Stonesoft 5.4 – Inspection Improvements

Feature Previews, IPS -

There are a lot of interesting enhancements related to Deep Inspection. Read the sections below to find out more about what is new in the 5.4 versions.


written by Tero Jantunen - 432 views