Feb 12

A few days ago I described a technique using certificate-based authentication in StoneGate SSL VPN to match a certificate attribute to a user attribute, in order to uniquely identify a user in the Directory Service and allow login, perform Single Sign-On (SSO), etc.

In this article I’m taking it one step further, since StoneGate SSL VPN can authenticate a user presenting a valid certificate without even knowing who the user is, and then use any field of the certificate to perform SSO to protected resources.


written by RoarinPenguin - 197 views

Feb 10

User Storage in StoneGate SSL VPN

Hints and Tips, SSL VPN -

When thinking about a system to allow secure, authenticated access to corporate applications, the major questions (headaches?) are:

  • how to access existing user repositories?
  • what if I need a new one on the side?
  • what if I need access to multiple repositories?
  • which information can I use?
  • what about grouping?

StoneGate SSL VPN provides a very flexible and powerful answer to these questions, and this article will provide some useful details.


written by RoarinPenguin - 301 views

Dec 07

Importing DROP-list from Spamhaus.org

Hints and Tips, Live from Field, Scripts -

spamhaus_to_smc

The Finnish CERT (CERT-FI) recommends paying special attention to certain address blocks. They mention the DROP-list by the Spamhaus project as the most up-to-date list of malicious addresses.

It is always boring and time-consuming to type long lists of addresses, so I made a quick-and-dirty script, which converts the DROP-list into StoneGate elements, and creates a group of them. You can feed the DROP-list to this script, zip the result and import it into SMC.

Being an oldtimer, I wrote this with an ancient tool called awk, which you can find in most Unix-based systems, including Linux. The most common variant is the GNU awk, gawk. Someone would probably write this in 2 lines of Perl…

I provide this script as is, with no expressed or implied guarantees of any kind.  Use this at your own risk.  If you manage to break something with this, you have been warned and you assume full responsibility.  I have tested this on one system (Fedora Core 9) with one input, today’s DROP list from Spamhaus.org.

So, take a look at the code and decide for yourself if you trust this. Especially see the comment in the beginning. Change the element naming convention to suit your needs and enjoy.

written by olli - 277 views

Nov 24

SMC tips: Visualize log data

Hints and Tips, SMC -

As you know, there are multiple ways to visualize the log data with the StoneGate Management Client. You have probably noticed the “Statistics” shortcuts in the Log Browser’s toolbar already. Here is another convenient way to find more log statistics shortcuts:

Related log statistics

Just right-click any column header in the Log Browser and select some of the log statistics shortcuts from the menu that opens. Note that these shortcuts are all related to the column you originally selected.

A picture is worth a thousand words! Log Statistics provide you with efficient tools to drill into the relevant pieces of log data.

written by teroja - 270 views

Nov 16

SMC tips: Create new hosts from the logs

Hints and Tips, SMC -

In SMC 5.0 there is one new shortcut that speeds up the daily administration tasks a bit. Namely, you can create new hosts wherever you see IP addresses. Just right-click that IP address and select the “New Host” action from the menu that opens. This is a nice shortcut when you recognize some IP from the logs and you know you need to use a host element with that IP later, e.g. in a security policy.

New Host


written by teroja - 286 views

Nov 11

SMC tips: Customizing Overview shortcuts

Hints and Tips, SMC -

You have probably noticed that there are lots of useful shortcut actions in the engines’ right-click menu. You can, for example, view logs from that firewall or access the engine’s current policy by right-clicking the engine and selecting the actions from the menu that opens.

Since SMC 4.3 this right-click menu has also contained actions that open an Overview of engine-specific statistics. But did you know that you can customize which Overview templates are visible there?

Customizing Overview templates

Read on for more instructions on how to do this…

written by teroja - 290 views

Nov 05

SMC tips: SMC Reconnect

Hints and Tips, SMC -

You often need to unplug your laptop from the network, e.g. when moving to the meeting rooms. From SMC 5.0.2 onwards there is a small enhancement in the Management Client that makes life easier for administrators who need to move around.

SMC Reconnect

When you select the Reconnect option from the File menu, the system pops up the login dialog. After entering your login credentials, you can continue working with the same windows and tabs you had open when you lost connectivity to the Management Server.

written by teroja - 216 views

Oct 19

Recently Stonesoft added a new feature to our SMC to allow you to “Search Rules”. This feature allows you to search your rulebase based on any of the fields listed below.
✓    Source
✓    Destination
✓    Service
✓    Action
✓    Users
✓    QoS Class
✓    Time
✓    Comment
✓    Tag
✓    Source VPN
✓    Hits

So, with these fields to choose from you can use either one or many to help find a given rule in your rulebase. This can be a very useful tool to help control your growing rulebase with all the change requests you get. I will provide two quick examples of how to find the rules. One is simply matching the elements in the rulebase and the other is matching alias elements. Matching alias elements only takes one more step since they can have different values per firewall engine.


written by SideKick - 403 views

Oct 12

A Management GUI that thinks different…

Hints and Tips, SMC -

I want to share a small cosmetic thing indicating how much we do care about details to constantly improve usability and user experience in our technology.

StoneGate Management Center (SMC) client can be started via a web link using Java Web Start technique, simplifying the effort of distributing the client in case of (for instance) SMC upgrade.

Starting from version 5.0, something cool happens when you try to do it from an operating system that since 1997… thinks different!


written by RoarinPenguin - 682 views

Oct 06

How many times have you been asked to set up a VPN tunnel between your StoneGate firewalls and another 3rd party VPN endpoint that is sitting behind a NAT? What’s the trick to getting this to work? It’s very simple… ‘Locations’…


written by SideKick - 874 views