Aug 24

The power of custom access rules in SSL VPN

SSL VPN, Tech dives

Here's another SSL VPN Tech Dive for you StoneBlog readers, with the usual goal of stimulating your creativity and helping you get the most out of StoneGate SSL VPN.

A resource defined in the Administrator interface can be protected by a very flexible and powerful set of criteria: Authentication method, User group membership, IP address of the incoming client, Client Device, Date, day and/or time, User storage, Assessment, Trace removal, Access Point used and Identity Provider.

These criteria can be combined with logical OR and logical AND to build a real access strategy that enforces the maximum level of security and authentication strength.

Besides these options, an even more powerful one is available: custom access rules.

Custom access rules are XML files that extend the default capabilities of StoneGate SSL VPN, so that access to protected resources can be filtered according to innovative criteria defined by the Security Administrator.

This post will explain how to create and add them to the configuration.

The starting point is to create an XML file with the following basic structure:

<?xml version="1.0" encoding="UTF-8" ?>
<!-- Example of Custom-Defined Access Rule in StoneGate SSL VPN. -->
<access-rule name="{ACCESS-RULE NAME}">
  <description></description>
  <setup executed="false">
    <create>
      <lookup type="{LOOKUP TYPE NAME}">
        <attribute name="{LOOKUP NAME}"/>
        <attribute X="{VALUE}"/>
      </lookup>
      <expression>
        <attribute name="{EXPRESSION NAME}"/>
        <attribute expression="{EXPRESSION}"/>
      </expression>
    </create>
  </setup>
  <expression name="{EXPRESSION NAME}" key=""/>
</access-rule>

Details about this structure and the different configuration options are explained fairly well in a public technical note, so below I'm listing some examples that show the range of possibilities.

Prompt the user for authentication in a specific order

<?xml version="1.0" encoding="UTF-8" ?>
<!-- Example of a Customized Access Rule -->
<access-rule name="Authentication Order">
  <description>The user should be prompted for authentication in a specified order.</description>
  <setup executed="false">
   <create>
     <expression>
       <attribute name="Authentication Order"/>
       <attribute expression="IF ('Certificate') THEN ('StoneGate Password') ELSE ('StoneGate Mobile Text')"/>
     </expression>
   </create>
  </setup>
  <expression name="Authentication Order" key=""/>
</access-rule>

Allow only the user with username RoarinPenguin

<?xml version="1.0" encoding="UTF-8" ?>
<!-- Example of a Customized Access Rule called "Access Only to RoarinPenguin". -->
<access-rule name="Access Only to RoarinPenguin">
  <description>Only user with username RoarinPenguin can get access.</description>
  <setup executed="false">  
    <create>
      <expression>
        <attribute name="Only RoarinPenguin"/>
        <attribute expression="([User Session.User Identification] = [&quot;RoarinPenguin&quot;])"/>
      </expression>
    </create>
  </setup>
  <expression name="Only RoarinPenguin" key=""/>
</access-rule>

Deny access to users who are members of a given group

Before building the access rule, open the SSL VPN Administrator and create a temporary access rule based on group membership, using the group you want to deny.
Once that rule is saved, open the "not-this-group" custom rule XML file and replace "deniedgroup" with the name of the group you used in the temporary access rule.
Finally, import the custom rule and remove the temporary access rule.

<?xml version="1.0" encoding="UTF-8"?>
<!-- Example of a Customized Access Rule called "not-this-group". -->
<access-rule name="not-this-group">
  <description>The user should be denied access if the user is a member of group deniedgroup</description>
  <setup executed="false">  
    <create>
      <expression>
        <attribute name="not-this-group"/>
        <attribute expression="!([User Group.'deniedgroup']=[Boolean.True])"/>
      </expression>
    </create>
  </setup>
  <expression name="not-this-group" key=""/>
</access-rule>
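Because these rule files are easy to corrupt when copied from a web page (the comment delimiters and quotes on this very page were mangled), here is an added Python script, not part of Stonesoft's product or of this post, that generates the "not-this-group" rule for a given group name (the substitution step described above) and lints any rule file before import: well-formedness, curly quotes, unbalanced brackets, and a top-level <expression> whose name is never created in <setup>. The function names are mine, and refusing group names that contain quotes or brackets is an assumption, since the expression syntax's escaping rules are not described here.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape, quoteattr

CURLY_QUOTES = "\u2018\u2019\u201c\u201d"  # what blogs/word processors turn ' and " into
# Skeleton from this page: {name} names the attribute created in <setup> and is
# referenced again by the top-level <expression>.
RULE_TEMPLATE = """<?xml version="1.0" encoding="UTF-8"?>
<access-rule name={name}>
  <description>{desc}</description>
  <setup executed="false">
    <create>
      <expression>
        <attribute name={name}/>
        <attribute expression={expr}/>
      </expression>
    </create>
  </setup>
  <expression name={name} key=""/>
</access-rule>
"""

def build_deny_group_rule(group, rule_name="not-this-group"):
    """Return the 'not-this-group' rule with `group` in place of deniedgroup; names with
    quotes or brackets are refused because their escaping is not documented here (assumption)."""
    if not group or any(c in group for c in "'[]"):
        raise ValueError("group name must be non-empty and free of ' [ ]")
    expr = "!([User Group.'%s']=[Boolean.True])" % group
    desc = "Deny access if the user is a member of group %s" % group
    return RULE_TEMPLATE.format(name=quoteattr(rule_name), desc=escape(desc), expr=quoteattr(expr))

def lint_rule(xml_text):
    """Return a list of problems in a rule file; an empty list means it looks clean."""
    try:
        root = ET.fromstring(xml_text.encode("utf-8"))
    except ET.ParseError as err:  # typical after copy-paste: <!-- --> delimiters garbled
        return ["not well-formed XML (check comment delimiters): %s" % err]
    problems = []
    attrs = "setup/create/expression/attribute"
    created = {a.get("name") for a in root.iterfind(attrs + "[@name]")}
    for expr in (a.get("expression") for a in root.iterfind(attrs + "[@expression]")):
        if any(c in CURLY_QUOTES for c in expr):
            problems.append("curly quotes in expression: %r" % expr)
        if expr.count("(") != expr.count(")") or expr.count("[") != expr.count("]"):
            problems.append("unbalanced brackets in expression: %r" % expr)
        if expr.count("'") % 2:
            problems.append("odd number of single quotes in expression: %r" % expr)
    for ref in root.iterfind("expression"):  # the top-level reference(s)
        if ref.get("name") not in created:
            problems.append("expression %r is never created in <setup>" % ref.get("name"))
    return problems
```

Run lint_rule over every custom rule file before importing it; an empty list means the structure matches the template on this page.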

Access is denied if URL query does not match StoneGate Mobile Text

<?xml version="1.0" encoding="UTF-8"?>
<!-- Returns denied if url query doesn't match "authmech=StoneGate Mobile Text" -->
<access-rule name="Query MobileText">
  <description>Returns denied if url query doesn't match &quot;authmech=StoneGate Mobile Text&quot;</description>
  <setup executed="false">   
    <create>
      <expression>
        <attribute name="Query MobileText"/>
        <attribute expression="([Agent.'URL Query'] = [&quot;authmech=StoneGate%20Mobile%20Text&quot;])"/>
      </expression>
    </create>
  </setup>
  <expression name="Query MobileText" key=""/>
</access-rule>

The examples above will hopefully give you some ideas for interesting custom access rules to implement.

Naturally, if you want to share your examples for the benefit of the whole StoneBlog community, you are welcome to comment on this post.

written by RoarinPenguin
