The idea is to be able to pull information about user profiles from a wide range of directory servers and use dynamically these information to populate user accounts in StoneGate Authentication Server.

Connection to the backend directory servers can be established using LDAP or LDAPS protocol as illustrated below:

Once a directory server is defined and linked, it is possible to activate Automatic User Linking. Using this technique, as soon as a user tries to authenticate with his password from the directory server, a user profile is automatically created and enabled with the desired strong authentication methods.

Passwords, PINs or other authentication related information are notified to the user in separated messages via mail or SMS.

Dynamic user linking is also possible in manual mode from Authentication Server User configuration (with dynamic typeahead search) or while browsing the content of a directory server in SMC GUI.

Dynamic Manual User Linking with Typeahead Search

Manual User Linking from LDAP Browse in SMC GUI

Dynamic User Linking reduce dramatically the time needed to define the user accounts and enable authentication, minimizing the TCO of the whole solution.

Strong Authentication! Simplified!

The concept of ergonomics is defined in Oxford Dictionary as “The study of people’s efficiency in their working environment”.

In StoneGate Authentication Server we applied this definition to innovative authentication methods, to make them designed for human beings.

Ergonomic Authentication means to offer authentication methods based on several factors of strength, without impacting on the user’s natural way of using common devices he’s using daily, such as his mobile phone or smartphone or tablet.In Stonesoft we believe it is useless to force the user to carry additional devices just for the purpose of authenticating, hence we propose three methods to ease user’s life when requiring Radius-based strong authentication.

StoneGate MobileID Synchronized

Features 2 factors strong authentication with a software token available for a wide variety of platforms, including iPhone/iPad and Android devices.

Allows to use your smartphone or tablet also as a strong authentication device.

StoneGate MobileID Challenge

Same client of previous method can be also used to implement a 3 factors strong authentication.

The picture below clarifies the logic.

StoneGate Mobile Text

This feature allows the user to type in his username and a password. A One Time Password is then sent to the user’s mobile phone as shown in the picture below:

These three Radius-based authentication techniques are included, together with a standard username/password pair one, in every StoneGate Authentication Server license.

Ergonomic Strong Authentication! Simplified!

Improved SNMP Agent. SNMP agent functionality in Firewal/VPN is enhanced with support for 64bit counter values and new trap types.

Support for ADSL and WiFi Interfaces. You can now configure one Wireless Interface on each single firewall. The Wireless Interface can have one or two SSID (service set identifier) Interfaces that represent a wireless LAN. In addition to Wireless Interfaces, there is now possibility to configure ADSL interface for Single Firewall elements. Both ADSL and Wireless Interfaces are supported only on a few specific StoneGate appliance models.

Dynamic routing enhancements. StoneGate Firewall/VPN and SMC version 5.3 provides enhanced (but still limited support) for dynamic routing. Supported protocols are RIP version 1, RIP version 2, RIPng, OSPF version 2, OSPF version 3 and BGP version 4. Support for these protocols is implemented via Quagga Software Routing Suite.

Longer IPsec certificates now supported. SMC 5.3 allows administrators to create longer IPsec certificate requests. The maximum key length of the certificate key is now 4096 bits instead of 2048 bits. The default key length is 2048 bits instead of 1024 bits. For GOST SMC versions the default value is still 1024 bits.

Improved SMC scalability and performance. StoneGate Management Center can scale up to manage up to 1000 Firewall/VPN or IPS nodes. The performance of simultaneous policy uploads has been significantly improved, and the Log Server’s log reception rate has been increased. Additionally, communication between the Management Client and the Management Server has been optimized.

New Online Help. The Java-based Online Help has been replaced with HTML Online Help that is located in the public web site.

New option in Configure Updates and Upgrades dialog. Configure Updates and Upgrades dialog now contains the option to remind the administrator with an alert when a policy refresh is needed after successful update package activation. It is also possible to refresh the policies automatically.

See who is currently editing the policy. SMC 5.3 shows in the policy tree-table and Info panel the name of the administrator who is currently editing the policy. Note that you can right-click the administrator and send an instant message to him/her directly from the Management Client.

Administrator’s IP address visible in Info panel. You are now able to see the IP address of the client that an administrator has had when logging in to the Management Client. The IP address is shown in Info panel when you have selected an Administrator element.

New Report templates. In SMC 5.3 there are new report templates for Anti-Virus and Application Usage.

Zoomable Geolocation statistics. It is now possible to zoom in to Geolocation top rate statistics in Overviews and Log Statistics.

Available with an optional license per named users, it can be easily enabled on every installation of StoneGate Management Center from 5.3.1 onward, on same server of SMC or onto other servers and even in mirrored configuration to maximize availability.

It features four Radius based servers to provide ergonomic authentication methods. It can participate in Federated Authentication scenarios as Identity Provider and provides great log processing, reporting and auditing information with geolocation thanks to its complete integration with SMC. Another very nice feature is transparent integration with a wide variety of user repositories (for example, MS Active Directory, Novell eDirectory, LDAPV3-based systems, etc) to perform automatic user linking.

This means that users do not have to be imported or redefined in Authentication Server, but they are generated as they are taken into use, with automatic notification via mail/sms of passwords, PIN, seeds or whatever else is needed to activate automatically the desired authentication method for a user account.

StoneGate Authentication Server is also a part of StoneGate Authentication Solution, that is the combination of StoneGate Authentication Server and StoneGate SSL VPN to achieve highly secured access to the cloud, complete with multiple access criteria and authentication methods combined, plus verification of connecting client security posture and single sign-on.

Secured Access to the Cloud. Simplified!

The fundamental idea of StoneGate Anti-Spam is that each incoming e-mail is assigned a score to determine the likelihood of its being spam. The user can alter the score thresholds 1) after which the firewall will add SPAM prefix to the message subject and 2) after which the firewall will reject the message.

The system uses many different functions and algorithms for spam detection including:

• Local Antispoofing and Anti-Relay
• Honeypot filtering
• SPF/MX record matching
• DNS-based blackhole lists
• Envelope and Header fields
• Email Content

In addition to score based spam detection it is possible to mark email as spam, discard, reject, blacklist and graylist based on any envelope field, header field or email payload. The values can be input either as plain text or regular expressions. If none of these custom rules matches the received email message, then the scoring is used to make the decision whether the message is allowed, blocked or marked as spam.

The Anti-Spam licenses will be published later in autumn 2011. The product can be already evaluated with StoneGate Firewall 5.3.0 and SMC 5.3.0.

VPN Multi-Link aggregation provides the ability to spread traffic evenly to all active VPN links. With this feature you can achieve higher VPN throughput by effectively making sure that all connections use all active VPN links. The achieved aggregated throughput is optimized when ADSL lines are very similar in throughput and latency. In practice, the VPN link aggregation feature will cause some packet reordering that slightly decreases the theoretical max throughput. (It is much up to the TCP connection endpoint’s TCP stack behavior how packet reordering will affect to the throughput).

QoS Based Multi-Link Selection: In StoneGate 5.3 it is also possible to classify VPN traffic with QoS classes and select the VPN Multilink tunnel based on this QoS classification. This feature lets you to configure e.g. VoIP traffic in one VPN link and other type of traffic to some other VPN link(s). This complements nicely the other VPN Multi-Link traffic balancing methods earlier described here.

Note that administrators can still change the security policy after the initial configuration has been stored in USB stick or Installation Server. When saving the initial configuration, you just define which security policy the appliance should use. The most recent version of that policy will get installed to the appliance after it has successfully made the initial contact with the Management Server.

The automatic initial policy push feature can be used directly from “Save Initial Configuration” dialog or as part of the new FW element creation wizard.

There is also a new Logging Profile that allows you to easily receive logs from other vendors’ products that are CEF compatible. This makes StoneGate Management Center’s Third Party event management easier from customer point of view because there is no need to define specific logging profiles anymore for those devices that can send the logs in CEF format. In addition to CEF, StoneGate Management Center has predefined logging profiles for CLF and WELF as well.

The end result is that the administrator can set up hundreds of Firewalls ready to be deployed in a few minutes. And the appliances can actually be delivered directly to the remote office – the administrators don’t even need to open the appliance boxes before they are deployed.

The most convenient way to launch the wizard is to copy-paste the POS codes from the order confirmation email to the first page of the wizard in the SMC. The serial numbers of the devices are appended to each element name by default. Once you know which appliance has been sent to which location it makes sense to rename the Firewall element with more meaningful name. That can be done already as part of the wizard before elements are created.

In the wizard you basically define the same settings what you need to configure for individual Single Firewall element. The only difference is that those settings are automatically applied to all firewalls you create with the wizard. You can also create Internal Gateway elements as part of the wizard to make the initial VPN configuration smoother.

What comes to interface configuration, you need to have at least one dynamic interface per firewall that is used as default route to Internet. You can select that interface as separate part of the wizard. It also makes sense to create Firewall elements for same type of appliances at once because they may contain different amount of interfaces for example. Note that in addition to regular Ethernet, VLAN and 3G interfaces, StoneGate FW/VPN contains now also WiFi and ADSL interfaces that you can also configure as part of the wizard.

Remember that SMC provides excellent tools for further management of hundreds of firewalls. You can utilize the new Zone based policy configurations, Aliases, Sub-Policies, Policy Templates, editing of common properties, flexible search capabilities, category filters, and of course automatic updates and upgrades designed especially for managing large customer deployments.