Dec 21

The Virtual Private Network Consortium, better known as VPNC, tests the interoperability of VPN technologies from different vendors. During 2011, Stonesoft Firewall/VPN received two new IPsec interoperability logos: one for IKEv2 and one for IPv6.

[Images: VPNC IKEv2 Basic Interop Logo; VPNC IPv6 Interop Logo]

Testing conducted by VPNC proves that a vendor has implemented the standards-defined protocols in a way that can be used in real life, where interoperability between different vendors' implementations is frequently needed.

written by juhalu - 377 views

Jul 06

Have a shiny new iPad/iPhone/iOS device and wonder how to access all your precious corporate data? Are you a sysadmin who needs to manage the corporate LAN from everywhere? Do you need some intranet-only web pages you don’t want to publish for security reasons?

This simple tutorial will explain how to create a VPN between your StoneGate and your iDevices.

Thanks to Marco Rottigni who gave me precious hints to make all things work!

This is my very first post to the Stoneblog; if you want, feel free to give me feedback and suggestions! Roberto

written by roberto.toniolo - 2,242 views

Jul 01

StoneGate 5.3 – Other Enhancements

Feature Previews, Firewall Engine, SMC, VPN -
SMC 5.3.1 is now publicly available, and FW/VPN 5.3.0 has also been published as a controlled shipment. I wanted to conclude the StoneGate 5.3 feature previews by listing the other significant enhancements introduced in version 5.3. More details can be found in the SMC and FW Release Notes and the product manuals.

written by Tero Jantunen - 1,167 views

Jun 28

StoneGate 5.3 – Anti-Spam

Feature Previews, Firewall Engine, SMC -
StoneGate Firewall 5.3 contains a new integrated Anti-Spam feature that complements the StoneGate UTM feature portfolio. The Anti-Spam feature has been developed in-house and contains many different algorithms and tools for spam detection. It is well suited, for example, to small MSSP customers that have a single firewall and their own email domain.

written by Tero Jantunen - 852 views

Jun 16
To make mass deployment scenarios even more convenient from the administrator's point of view, StoneGate 5.3 introduces a new “Create Multiple Single Firewalls” wizard. With that wizard the administrator can create hundreds of Single Firewall and Internal Gateway elements. At the end of the wizard, you can optionally upload the initial configurations so that they are available for Plug & Play installation.

The end result is that the administrator can set up hundreds of Firewalls ready to be deployed in a few minutes. And the appliances can actually be delivered directly to the remote office – the administrators don’t even need to open the appliance boxes before they are deployed.

written by Tero Jantunen - 696 views

Jun 15

StoneGate 5.3 introduces really nice tools for mass deployment scenarios. One of them is the so-called Plug & Play Installation. It basically means that the administrator can prepare the firewall elements in SMC in advance and publish the configuration so that it is available on the Stonesoft Installation Server. Once the appliance is shipped to the remote office, anyone can just plug in the network and power cables. The device will automatically contact Stonesoft’s Installation Server and retrieve its configuration from there. After that it can automagically establish the initial contact with the correct Management Server, receive its initial security policy and start working. Here is a short video showing how the process actually goes:

written by Tero Jantunen - 770 views

Jun 08

StoneGate 5.3 – Improved IPv6 Support

Feature Previews, Firewall Engine, SMC -
As we celebrate World IPv6 Day today, it is a good time to announce that StoneGate Firewall 5.3 and StoneGate Management Center 5.3 will extend IPv6 support to cover:

  • IPv6 FW clustering
  • IPv6 NAT rules
  • IPv6 VPN
  • IPv6 FTP Protocol Agent

Stonesoft is among the first security vendors to participate in the World IPv6 Day “test flight”, in which the participants offer their services over IPv6 for a 24-hour period. Stonesoft’s corporate website and blog will remain available over both IPv4 and IPv6 after the test flight as well.

written by Tero Jantunen - 1,966 views

Apr 20

TCP Split Handshake and StoneGate

Firewall Engine, IPS, Security News -

Recently the information security landscape was abuzz over findings from a recent NSS Labs report on firewalls, wherein products were found to be vulnerable to a TCP split handshake attack. This attack concept was based on research by Tod Beardsley and Jin Qian of BreakingPoint Systems.

Normally, TCP is considered to use a “three-way handshake”, where applications start sessions with a SYN, the response to which is a SYN/ACK, followed by a corresponding ACK from the originator of the session, as outlined in RFC 793. What Beardsley and Qian noticed is that the RFC actually spells out a four-way process in section 3.3, and states that “steps 2 and 3 can be combined in a single message”. Note that although combining them is the typical way systems handle it, there is no requirement for the recipient to combine its SYN and ACK.

Without getting into further nitty-gritty details, the bottom line of the research and the recent testing is that stateful network security devices relying on an expected handshake sequence can be fooled into thinking that a connection is originating from a trusted segment instead of from the actual source. Although Stonesoft was not a tested vendor, we decided to independently verify StoneGate’s handling of this situation. You can read more about the issue in various articles, such as those in The CyberJungle or Government Security News.

Stonesoft’s research team, the Vulnerability Analysis Group, tested both the StoneGate IPS and StoneGate Firewall/VPN, using the same BreakingPoint tests as outlined in the research paper. Our initial conclusion is that neither product is affected by this issue. For the StoneGate IPS, a four- or five-way handshake will fail to hide the payload (direction) from the IPS, with the four-way handshake flagged as “TCP_Segment-SYN-Unexpected-Reply”, and the five-way scenario (which is also very unlikely in real-world environments) as “TCP_Window_Shrinked”. The four-way handshake situation is not set to terminate by default, but termination can easily be enabled if conditions or policy warrant.

For the StoneGate Firewall/VPN, the behavior depends on an Advanced property of the firewall or firewall cluster, namely whether it operates in loose, normal, or strict mode, and is further influenced by whether traffic matching a given rule is inspected or has anti-virus applied. With inspection and anti-virus, attacks in the payload are detected regardless of the handshake mechanism. Loose and normal mode with no additional inspection methods will permit the handshake. Strict mode will drop the connection. In any situation, the StoneGate Firewall/VPN will not be confused as to the origin of the session, so the bottom line is the same as with all security policies in StoneGate: what is not expressly permitted is denied.

Stonesoft looks forward to the opportunity to participate in future tests and supports community efforts to drive improved testing of network security systems. Only by bettering testing efforts can we continue to ensure our solutions remain

Network Security. Simplified.

written by markb - 1,365 views
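The handshake tracking discussed in the post above, as an added example that is not Stonesoft code or part of the original post: a small classifier that pins the session originator to the first bare SYN and labels the sequence as three-way, four-way or unexpected. The `decide` policy, its verdict names and the sample addresses are assumptions made for illustration, not StoneGate's modes or situation names.

```python
# Added example (not vendor code): classify a TCP handshake from the
# ordered (sender, flags) segments a stateful device has observed.
SYN, ACK = "SYN", "ACK"

# Known openings, written from the point of view of the originator (O)
# and the responder (R). Flag names within a segment are sorted.
PATTERNS = {
    ("O:SYN", "R:ACK+SYN", "O:ACK"): "three-way",
    ("O:SYN", "R:ACK", "R:SYN", "O:ACK"): "four-way",
}

def classify_handshake(segments):
    """Return (originator, verdict) for a list of (sender, flags) tuples."""
    if not segments or set(segments[0][1]) != {SYN}:
        return None, "no-initial-syn"
    # The originator is fixed by the first bare SYN and never reassigned,
    # whatever order the later SYN and ACK segments arrive in.
    originator = segments[0][0]
    steps = tuple(
        ("O" if sender == originator else "R") + ":" + "+".join(sorted(flags))
        for sender, flags in segments
    )
    return originator, PATTERNS.get(steps, "unexpected")

def decide(verdict, strict):
    """Hypothetical policy: strict drops anything but the three-way form."""
    if verdict == "three-way":
        return "allow"
    if verdict == "four-way" and not strict:
        return "allow-and-alert"
    return "drop"

# Constructed sample traffic (documentation addresses, not real captures).
CLIENT, SERVER = "198.51.100.7", "192.0.2.10"
THREE_WAY = [(CLIENT, {SYN}), (SERVER, {SYN, ACK}), (CLIENT, {ACK})]
FOUR_WAY = [(CLIENT, {SYN}), (SERVER, {ACK}), (SERVER, {SYN}), (CLIENT, {ACK})]
UNEXPECTED = [(CLIENT, {SYN}), (SERVER, {SYN}), (CLIENT, {SYN, ACK})]

if __name__ == "__main__":
    for name, segs in [("three-way", THREE_WAY), ("four-way", FOUR_WAY),
                       ("unexpected", UNEXPECTED)]:
        origin, verdict = classify_handshake(segs)
        print(name, origin, verdict, decide(verdict, strict=True))
```
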

Apr 04

…don’t miss the sixth episode of The Adventures of Antti Pilvinen, which has just been published ;)

Happy reading,

The RoarinPenguin

written by RoarinPenguin - 668 views

Oct 29

StoneGate FW/VPN IPsec Certificate Interoperability

Firewall Engine, VPN -

The VPN Consortium (VPNC) recently started to test IPsec VPN product interoperability against a new criterion. The test covers VPN interoperability when tunnel setup is authenticated using certificates from a common trusted certificate authority.

The first results were announced in the October 2010 VPNC update. StoneGate Firewall/VPN was among the first five vendors to pass this test and receive the right to use this new logo.

VPNC Certificate Interop Certified

As a VPN technology, this is nothing new for StoneGate FW’s IPsec VPN. It has supported certificate-based VPN authentication since the very first version.

written by juhalu - 1,046 views