Oct 19

Recently Stonesoft added a new feature to the SMC that lets you “Search Rules”. This feature allows you to search your rulebase on any of the fields listed below.
✓    Source
✓    Destination
✓    Service
✓    Action
✓    Users
✓    QoS Class
✓    Time
✓    Comment
✓    Tag
✓    Source VPN
✓    Hits

With these fields to choose from you can use one or several of them to find a given rule in your rulebase. This is a very useful tool for keeping control of a rulebase that grows with every change request you receive. I will give two quick examples of how to find rules: one simply matches elements in the rulebase, the other matches Alias elements. Matching Alias elements takes one more step, since an Alias can have a different value on each firewall engine.


written by SideKick

Oct 07

Site to Site VPN with a NAT address involved

Policy, SMC, VPN

How many times have you been asked to set up a VPN tunnel that requires a NAT IP address to be presented inside the tunnel? This is a common request, since some of your VPN peers may use the same private subnet as you do, such as 192.168.0.0/24, so the real addresses would collide on both sides.

Since SMC 5.0 you need to define both the real source IP address and its NAT IP address within your encryption domain. Below is an example of how to accomplish this.


written by SideKick

Oct 06

How many times have you been asked to set up a VPN tunnel between your StoneGate firewalls and a third-party VPN endpoint that sits behind a NAT? What is the trick to getting this to work? It is very simple: ‘Locations’.


written by SideKick

Mar 05

When Governance meets Security

Policy, SMC

The security solutions arena is today a very crowded place, with each vendor claiming to have the latest and greatest technology for spectacular in-depth inspection, prevention, protection, detection, defense, and so on.

How about some governance?

The market has recently seen some nice technologies popping up that claim to manage and govern multiple security vendors’ solutions from a single, consistent administration console.

Words like Security Governance, Event Correlation, Policy Change Management, Administration Rights Delegation, Alert and Incident Management and Auditing are widely used and very often abused, which leads to some interesting questions:

  • Multivendor Policy Management: how is it possible to cope with the many configuration options offered by each security solution? For instance, a Check Point firewall is rather different from a Juniper, which in turn is different again from a StoneGate.
  • Event Correlation: this is one of the most abused terms in security, often resulting in complex rules that never meet customer expectations.
  • Policy Change Management: fair enough, but why should I pay for a revision tool when I would expect this functionality from my security management platform?
  • Administration Rights: I would say the same as above ;)

Let’s now take a closer look at SMC, the StoneGate Management Center.

Stonesoft has from day one paid close attention to the Security Governance side of the solution it offers, never forgetting that no matter how easy, powerful, sophisticated or flexible a solution is, it always has an impact on resources, a learning curve, and a need for meta-information to support decisions in critical moments.

This focus has grown and evolved together with the security engine products: constantly trying to meet requirements coming from regulations (and from customers), to offer a broad range of functionality (while keeping usability high), and to build a powerful and flexible protection architecture (without forgetting that power is nothing without control).

Let’s now take a closer look at the questions above from a StoneGate standpoint, also taking advantage of the new features coming with the next major version, 5.0, described so well in previous posts by Tero:

  • Policy Management:
    StoneGate Management Center includes several important tools to ensure that security policies stay consistent and error-free.
    The administrator can always compare the policy installed on a given engine with the latest version stored in SMC, highlighting any differences.
    Furthermore, it is possible to check which engines of the installed base need a policy refresh.
    Past policy snapshots can be browsed and compared with the current policy, and a policy can be validated before upload for common errors such as unreachable destinations, duplicate rules, conflicting rules and inconsistent NAT definitions.
    Finally, security administrators can check how often a given rule has matched within a given period of time, to keep the rulebase performant, manageable and correct.
    Other technologies that greatly help in managing security policies, especially when the installed base is large, are Templates, Subrules and Aliases.
    Last but not least, it is possible to create immediate corrections to policies directly from the log browser, saving a great deal of time in fine-tuning operations such as eliminating false positives or avoiding useless logs.
  • Event Correlation:
    StoneGate takes event correlation to the state of the art. Not only can the relevant logs for a given event (such as an alert) be shown, and not only can just the relevant logs for a given topic be browsed, but in StoneGate Management Center refined information and correlation are implemented with a high degree of usability:
    • Flow correlation with StoneGate Analyzer, which allows building powerful correlation situations that detect even sophisticated threats and attack attempts, with analysis spanning time and/or space
    • Visual correlation with geolocation, up to linking the refined, aggregated information with Google Maps
    • Combining the different views of information needed in the Live Overview to maximize monitoring
    • Switching from the detailed log view to graphs and reports, so that aggregated information shows trends and situations at a glance
    • Visual reporting to generate refined information for security decision support
  • Administration rights delegation:
    You do not need 1000 security engines installed to need administration rights delegation; it is certainly needed wherever security is implemented pervasively throughout the company’s information flow. Hence the StoneGate Management System focuses on providing enhanced options for proper, low-impact and efficient administration of the whole architecture:
    • complete and flexible access control, with administration roles and role-based granular rights
    • separate Domains and a Web Portal, to achieve proper segmentation of the information managed by multiple groups
    • multichannel, progressive alert escalation with thresholds and moderation, to ensure that time-critical events are notified promptly through effective channels
    • auditing, to achieve compliance with regulations and to control who did what and when
    • an integrated Incident Management System, to keep track of data and actions performed during critical events such as threats and attacks

And if the above is not enough, let’s complete the overview by mentioning state-of-the-art monitoring with Network Diagrams and the new VPN Monitoring, Failsafe Remote Upgrade and the other “legendary” features of StoneGate Management Center, now also available for monitoring and processing the logs of third-party devices.

Anyone for Security Governance?

written by RoarinPenguin

Feb 06

StoneGate 5.0: Create rules from the logs

Feature Previews, Policy, SMC

StoneGate 5.0 allows you to create new policy rules from selected log records. With a couple of clicks you can change the action for the traffic behind a specific log record, create an alert for the next time that record appears, or simply stop receiving log records for that specific type of event.


How does it work?

  1. Launch one of the “Create rule…” actions from the log entry’s right-click menu or from the Log Details view.
  2. A preview of the auto-generated rule is displayed in a dialog. The system auto-generates Host elements only if no hosts already exist with the source and destination addresses of the log entry. It also works out which policy is currently installed on the engine that sent the record, and sets the action and logging level according to your choice.
  3. As the last step you can optionally open the policy for editing and drag-and-drop or cut-and-paste the rule to the correct location. By default, the rule is added to the beginning of the policy.
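The three steps above, as an added Python example that is not part of the original post and not SMC’s own code: it takes a log record, reuses an existing Host element for an address when one exists and auto-generates one otherwise, sets action and logging level from the chosen shortcut, and prepends the rule to the policy installed on the engine that sent the record. The host inventory, policy, log record, engine-to-policy mapping and the mapping of shortcut names (`allow`, `discard`, `alert`, `silence`) to action and log level are all constructed assumptions for the example.

```python
from dataclasses import dataclass


@dataclass
class Host:
    name: str
    address: str


@dataclass
class Rule:
    src: str          # Host element name, or "any"
    dst: str
    service: str      # e.g. "tcp/23", or "any"
    action: str       # "allow" or "discard"
    log: str          # "none", "stored" or "alert"
    comment: str = ""


def resolve_wish(wish: str, logged_action: str):
    """Map a 'Create rule...' shortcut to (action, log level). Assumed mapping:
    allow/discard override the action and keep a stored log; alert and silence
    keep the action the engine already applied and only change the logging."""
    if wish in ("allow", "discard"):
        return wish, "stored"
    if wish == "alert":
        return logged_action, "alert"
    if wish == "silence":
        return logged_action, "none"
    raise ValueError(f"unknown shortcut {wish!r}")


def host_for(address: str, hosts: dict) -> Host:
    """Reuse the Host element already defined for this address; auto-generate one only if none exists."""
    if address not in hosts:
        hosts[address] = Host(name=f"auto-{address}", address=address)
    return hosts[address]


def create_rule_from_log(record: dict, wish: str, hosts: dict, policies: dict, installed: dict) -> Rule:
    """Build the exception rule for one log record and add it at the top of the
    policy currently installed on the engine that produced the record."""
    action, log = resolve_wish(wish, record["action"])
    rule = Rule(src=host_for(record["src"], hosts).name,
                dst=host_for(record["dst"], hosts).name,
                service=record["service"], action=action, log=log,
                comment=f"exception from log {record['id']} (matched rule {record['rule']})")
    policy_name = installed[record["engine"]]   # policy installed on the sending engine
    policies[policy_name].insert(0, rule)        # beginning of the policy, as SMC does by default
    return rule


# Constructed sample data (not from a real SMC): one known host, one engine, one policy
HOSTS = {"10.0.1.30": Host("web-1", "10.0.1.30")}
INSTALLED = {"fw-hq": "HQ Policy"}
POLICIES = {"HQ Policy": [Rule("any", "web-1", "tcp/80", "allow", "stored", "public web"),
                          Rule("any", "any", "any", "discard", "stored", "catch-all")]}
LOG_RECORD = {"id": 8813, "engine": "fw-hq", "src": "10.0.9.14", "dst": "10.0.1.30",
              "service": "tcp/23", "action": "discard", "rule": "catch-all"}

if __name__ == "__main__":
    hosts = dict(HOSTS)
    policies = {k: list(v) for k, v in POLICIES.items()}
    rule = create_rule_from_log(LOG_RECORD, "alert", hosts, policies, INSTALLED)
    print(rule)
    print("hosts now:", sorted(h.name for h in hosts.values()))
    print("policy now:", [r.comment for r in policies["HQ Policy"]])
```

The source host 10.0.9.14 is unknown, so a Host element is generated for it, while 10.0.1.30 resolves to the existing `web-1` element instead of a duplicate; the new rule lands at index 0 of the HQ policy with the engine’s original `discard` action and an `alert` log level.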

The Create rule shortcuts are a really convenient way to solve network issues in real time with just a couple of clicks. However, we recommend that you manually group and reorganize these “exception rules” every now and then. Because the new rule lands at the top of the policy, it takes precedence over every rule below it; check that an automatically generated allow exception does not open more than you intended before you install the policy.

written by Tero Jantunen

Feb 04

StoneGate 5.0: Rule comment sections

Feature Previews, Policy, SMC

According to our studies, editing policies is the most frequent task of StoneGate administrators. That’s why we have introduced many new tools to optimize the workflows related to policy editing. Rule comment sections are one of those features.

Rule comment sections help you to organize your policies

StoneGate 5.0 automatically creates expandable/collapsible rule comment sections. Now it is easy to organize the policy so that your colleagues understand it too.

written by Tero Jantunen

Feb 02

Undo/redo changes in the policy editor

Did you accidentally drag and drop an element into the wrong rule? Or move a rule to the wrong location? Don’t panic: in StoneGate Management Center 5.0 you can now undo and redo these kinds of accidents in the policy editor too. The solution supports an unlimited number of undo/redo steps, back to the last policy save.

written by Tero Jantunen

Jan 30

Refuse action in security policy

Firewall Engine, Hints and Tips, Policy

The refuse action behaves differently depending on the protocol of the packet that matches the rule:

  • For TCP packets (with any combination of flags), a TCP Reset packet is sent with proper port and sequence number settings.
  • For UDP packets, an ICMP Port Unreachable (Type 3, Code 3) is sent. As in every ICMP error message, its payload carries the original IP header and the first eight bytes of the original datagram’s payload (the UDP header), copied exactly as they appeared.
  • For ICMP packets, no response is sent at all. This is treated like the ‘discard’ action.
  • For any other type of IP packet, an ICMP Protocol Unreachable (Type 3, Code 2) is sent, again carrying the original IP header and the first eight bytes of the original payload.

Refuse and discard are both denials; the difference is what the sender learns. Refuse makes a legitimate client fail immediately instead of waiting for a timeout, but it also tells a port scanner that the port is actively rejected rather than silently filtered, which is why discard is the usual choice on untrusted interfaces.
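The per-protocol behaviour above, as an added Python example that is not part of the original post or of the StoneGate engine: it parses a raw IPv4 packet and builds the reply a refuse action would generate, or returns `None` where the engine stays silent. The sample packets are constructed, not captured. The RST sequence-number choice follows RFC 793 (SEQ taken from the peer’s ACK when present, otherwise ACK = peer’s SEQ plus segment length with RST|ACK) and the ICMP quoting follows RFC 792; that is my reading of “proper port and sequence number settings”, not a description of the engine’s code.

```python
import struct

# IPv4 protocol numbers used below
TCP, UDP, ICMP = 6, 17, 1


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(pkt: bytes) -> dict:
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    return {"header": pkt[:ihl], "proto": pkt[9], "src": pkt[12:16],
            "dst": pkt[16:20], "payload": pkt[ihl:total_len]}


def build_ipv4(src: bytes, dst: bytes, proto: int, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src, dst)
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload


def tcp_reset(ip: dict) -> bytes:
    """RST for the original segment, with ports swapped and sequence numbers per RFC 793."""
    seg = ip["payload"]
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", seg[:14])
    data_off = (off_flags >> 12) * 4
    flags = off_flags & 0x3F
    # SYN and FIN each consume one sequence number in addition to the data
    seg_len = len(seg) - data_off + bool(flags & 0x02) + bool(flags & 0x01)
    if flags & 0x10:   # original carried ACK: RST with SEQ = their ACK, no ACK flag
        rst_seq, rst_ack, rst_flags = ack, 0, 0x04
    else:              # no ACK (e.g. a SYN): SEQ = 0, ACK = their SEQ + segment length, RST|ACK
        rst_seq, rst_ack, rst_flags = 0, (seq + seg_len) & 0xFFFFFFFF, 0x14
    tcp = struct.pack("!HHIIHHHH", dport, sport, rst_seq, rst_ack, (5 << 12) | rst_flags, 0, 0, 0)
    pseudo = ip["dst"] + ip["src"] + struct.pack("!BBH", 0, TCP, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    return build_ipv4(ip["dst"], ip["src"], TCP, tcp)


def icmp_unreachable(ip: dict, code: int) -> bytes:
    """ICMP Destination Unreachable (type 3): RFC 792 quotes the original IP header
    plus the first 8 bytes of its payload, unmodified."""
    quoted = ip["header"] + ip["payload"][:8]
    icmp = struct.pack("!BBHI", 3, code, 0, 0) + quoted
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    return build_ipv4(ip["dst"], ip["src"], ICMP, icmp)


def refuse(pkt: bytes):
    """Reply a 'refuse' action generates for pkt, or None when the packet is silently discarded."""
    ip = parse_ipv4(pkt)
    if ip["proto"] == TCP:
        return tcp_reset(ip)
    if ip["proto"] == UDP:
        return icmp_unreachable(ip, 3)     # Port Unreachable
    if ip["proto"] == ICMP:
        return None                        # treated like discard: no response at all
    return icmp_unreachable(ip, 2)         # Protocol Unreachable


def summarize(reply):
    """Decode a reply far enough to inspect it: protocol, addresses, TCP or ICMP details."""
    if reply is None:
        return None
    ip = parse_ipv4(reply)
    out = {"proto": ip["proto"], "src": ip["src"], "dst": ip["dst"],
           "ip_csum_ok": checksum(ip["header"]) == 0}
    if ip["proto"] == TCP:
        sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", ip["payload"][:14])
        out.update(sport=sport, dport=dport, seq=seq, ack=ack, flags=off_flags & 0x3F)
    elif ip["proto"] == ICMP:
        out.update(type=ip["payload"][0], code=ip["payload"][1], quoted=ip["payload"][8:])
    return out


# Constructed sample packets (not captured traffic), all from 10.0.0.1 to 10.0.0.2
SRC, DST = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
SYN_TO_SSH = build_ipv4(SRC, DST, TCP, struct.pack("!HHIIHHHH", 40000, 22, 1000, 0, (5 << 12) | 0x02, 65535, 0, 0))
UDP_TO_SNMP = build_ipv4(SRC, DST, UDP, struct.pack("!HHHH", 40001, 161, 12, 0) + b"\x30\x02\x01\x00")
ECHO_REQUEST = build_ipv4(SRC, DST, ICMP, struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"ping")
GRE_PACKET = build_ipv4(SRC, DST, 47, b"\x00\x00\x08\x00")

if __name__ == "__main__":
    for name, pkt in [("SYN", SYN_TO_SSH), ("UDP", UDP_TO_SNMP), ("ICMP", ECHO_REQUEST), ("GRE", GRE_PACKET)]:
        print(name, summarize(refuse(pkt)))
```

For the SYN the reply is an RST|ACK from port 22 back to port 40000 acknowledging sequence 1001; the UDP probe gets a Type 3 / Code 3 whose quoted bytes are exactly the first 28 bytes of the original packet (20-byte IP header plus the 8-byte UDP header); the echo request gets nothing; the GRE packet gets Type 3 / Code 2.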

written by christoph

Jan 29

Do your security policies already have hundreds or even thousands of rules, so that you no longer have a clear view of which rules matter and which do not? Or do you suspect that some rules are no longer needed, but don’t want to take the risk of removing them?

Find the rules that never match

Don’t worry: StoneGate 5.0 introduces the new rule usage analysis tool. You will see directly in the policy editor how many times each rule has matched within the specified time period. Using the rule counters does not even require you to turn logging on for the rules: the engines send the rule hit counts to SMC automatically, and they are displayed in the Management Client. Note, however, that both your engines and SMC need to be version 5.0 or higher.

Rule hit counts, the Policy Validation tool and the Policy Comparison tool provide an efficient set of tools for making your policies easier to understand. Now there is no excuse to postpone the policy clean-up project! ;)

Benefits:

  • You can easily find the rules that never match
  • You can optimize the order of your rules
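Hit counts tell you which rules never matched, but not why, and reordering rules by hit count is only safe where the rules do not overlap: with first-match processing, moving a frequently hit allow rule above a discard rule that covers some of the same traffic changes what the policy does. The following Python is an added example, not part of the original post or of SMC: it flags zero-hit rules, lists the earlier rules that could be shadowing each one, and bubbles busy rules upward only past rules they cannot conflict with. The policy, addresses and hit counts are constructed, and the overlap test is a simplified model (source, destination and service only) that ignores the other rule fields a real policy has.

```python
import ipaddress
from dataclasses import dataclass

ANY = "any"


@dataclass
class Rule:
    name: str
    src: list       # list of ipaddress networks
    dst: list
    service: set    # e.g. {"tcp/80", "tcp/443"} or {ANY}
    action: str     # "allow" or "discard"
    hits: int       # matches reported by the engines for the analysed period


def nets(*cidrs):
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def overlaps(a: Rule, b: Rule) -> bool:
    """True if some packet could match both rules; with first-match semantics their order then matters."""
    addr = lambda xs, ys: any(x.overlaps(y) for x in xs for y in ys)
    svc = ANY in a.service or ANY in b.service or bool(a.service & b.service)
    return addr(a.src, b.src) and addr(a.dst, b.dst) and svc


def conflicts(a: Rule, b: Rule) -> bool:
    """Swapping two adjacent rules changes the policy's decisions only if they overlap and act differently."""
    return overlaps(a, b) and a.action != b.action


def never_matched(policy):
    return [r.name for r in policy if r.hits == 0]


def possible_shadowers(policy, name):
    """Earlier rules that can match the same traffic: a zero-hit rule may be dead because of one of them."""
    idx = next(i for i, r in enumerate(policy) if r.name == name)
    return [r.name for r in policy[:idx] if overlaps(r, policy[idx])]


def can_move_above(policy, mover, target):
    """Can `mover` be placed directly above `target` without changing any decision?"""
    names = [r.name for r in policy]
    i, j = names.index(target), names.index(mover)
    for k in range(i, j):
        if conflicts(policy[k], policy[j]):
            return False, policy[k].name     # this rule must stay above the mover
    return True, None


def optimized_order(policy):
    """Bubble frequently hit rules upward, but never past a rule they conflict with."""
    rules = list(policy)
    for j in range(1, len(rules)):
        k = j
        while k > 0 and rules[k].hits > rules[k - 1].hits and not conflicts(rules[k - 1], rules[k]):
            rules[k - 1], rules[k] = rules[k], rules[k - 1]
            k -= 1
    return [r.name for r in rules]


# Constructed sample policy and hit counts (not from a real SMC)
POLICY = [
    Rule("mgmt-ssh",     nets("10.0.0.5/32"),  nets("10.0.1.10/32"), {"tcp/22"},            "allow",   12),
    Rule("drop-guest",   nets("10.0.9.0/24"),  nets("0.0.0.0/0"),    {ANY},                 "discard", 2),
    Rule("legacy-ftp",   nets("10.0.0.0/24"),  nets("10.0.1.20/32"), {"tcp/21"},            "allow",   0),
    Rule("block-telnet", nets("0.0.0.0/0"),    nets("0.0.0.0/0"),    {"tcp/23"},            "discard", 3),
    Rule("web",          nets("0.0.0.0/0"),    nets("10.0.1.30/32"), {"tcp/80", "tcp/443"}, "allow",   98000),
    Rule("dns",          nets("10.0.0.0/24"),  nets("10.0.1.53/32"), {"udp/53"},            "allow",   41000),
    Rule("telnet-admin", nets("10.0.0.5/32"),  nets("0.0.0.0/0"),    {"tcp/23"},            "allow",   0),
]

if __name__ == "__main__":
    for name in never_matched(POLICY):
        print(f"{name}: never matched, possibly shadowed by {possible_shadowers(POLICY, name)}")
    print("move web above mgmt-ssh:", can_move_above(POLICY, "web", "mgmt-ssh"))
    print("safe order by hits:", optimized_order(POLICY))
```

Two zero-hit rules come out: `legacy-ftp` has no earlier overlapping rule and is a genuine candidate for removal, while `telnet-admin` is dead only because `block-telnet` above it already discards the same traffic, so deleting it silently or moving it up are two different decisions. The busiest rule, `web`, cannot climb past `drop-guest` because the guest-network discard covers web traffic from 10.0.9.0/24; the safe order keeps it below that rule.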

written by Tero Jantunen