Jan 20

Helsinki has been named World Design Capital for 2012.

As you might know, design is not only about chairs, desks and furniture…

The word comes from late Middle English, derived from the Latin “designare”, which means to indicate something for a purpose or duty.

As it happens for many concepts, the word has a definition but different meanings depending on the context where it is applied.

Just like Security.

Two important principles related to design are usability and ergonomics.
Both aim to improve people's efficiency in their working environment.

The same two principles are not only related, but fundamentally important for Security.

When you design something, you mainly think about its purpose in different contexts.
Different usage contexts mean different needs to address, different perspectives, different angles.

Just like in Security planning.

Especially after the Cloud Computing wave, there has been a lot of talk about context-aware security.
The point is to stress that security technologies and implementations should always consider the whole context of a session and not only a fragment of it.
For example, authentication should not be limited to validating user credentials only, but should extend the analysis and validation to the whole “security posture”: the hardware the user is working on, the network the user is coming from, the strength of the authentication method used, etc.

At Stonesoft, we have blended all these important principles in our solutions from day one.

We offer dynamic, software-based network security solutions that can adapt to the context where they are implemented, providing protection against the latest and most dangerous threats: AETs.

We provide great usability both for security administrators and for users, to maximize the efficiency and user experience while minimizing impact on resources.

We can prove reduction of CAPEX and OPEX costs with real, tangible savings.

We believe in ergonomics principles applied to (e.g.) authentication, where users should be able to achieve strong authentication naturally, using methods and devices they learnt to use daily for multiple other purposes.

We offer secured authenticated access to the cloud, enabling universal access from multiple platforms and context-aware security.

We empower MSSPs to provide faster time-to-market for security services and a highly scalable solution to manage thousands of customers with minimized OPEX.

Isn’t this… ergonomic Network Security by design?

written by RoarinPenguin

Sep 03

The recent security incident with Diginotar, and the less recent (but a lot less important) ones with Comodo and RSA, raised quite a concern about something that was taken for granted: the implicit level of security of an SSL-encrypted channel and of time-based strong authentication methods such as hardware-based one-time password generators.
Employees working from home, online banking users, citizens using governmental online services, web mail systems containing more and more personal data, web sites for online shopping, service providers offering applications “in the cloud”.
These are just samples of the countless services that are potentially impacted by the new threat: valid digital certificates stolen by cybercriminals and used to fake connections to well-known domain names.
Which is not that new a threat, since it is implicit in the SSL server certificate authentication model, based as it is on the level of trust put in the so-called issuing Certificate Authorities.

Well, it really seems to me that the ‘problem’ continues to be the same.

written by RoarinPenguin

Aug 18

According to Sari Kajantie from the Finnish National Bureau of Investigation (NBI), quoted in Helsingin Sanomat, the biggest national newspaper in Finland, on 4 August 2011: “It is not the fault of the employee who has opened the attachment, if the hacker can access all company data from a single laptop.”

Companies need to pay much more attention to their internal network activities and traffic. It should not come as a surprise to anybody that individual laptops are compromised. Workstation networks must be separated from the servers by firewalls and intrusion prevention systems; not only by installing these devices, but also by paying attention to rules and monitoring their alerts.


written by Ari Vänttinen

Aug 18

Keeping Network Security Accountable

Antievasion, IPS, Security News

Just before the world’s best hackers and network security leaders converged in Las Vegas for Black Hat, Stonesoft spoke with Bill Jackson at Government Computer News. Bill was undoubtedly getting ready for a week of the latest and greatest hacking techniques and vulnerabilities – but he wanted to discuss something different: AETs. Ten months ago, Stonesoft’s discovery of AETs was made public. Bill wanted to know what had happened since then, what the industry was doing, and so on. So what has happened since then?

Nearly a year after their discovery and disclosure, AETs aren’t exactly “news.” But, the problem hasn’t gone away by any stretch of the imagination. The pcaps of the first 23 AETs discovered are available for public download. The article reminds us that the network security industry – more than ever before – must be kept accountable and proactive.

You can read the article, but the gist is that the network security industry is still lagging behind in its response to the threat of AETs. Only six of about 60 vendors have updated their tools against the first release of 23 AETs. Last winter, 100+ new AETs were disclosed. The reaction? Crickets. Nada. Nothing.

GCN’s coverage of AETs once again pointed out a fatal flaw in network security. Too often, people focus on the new and exciting rather than the persistent, existing challenges that have yet to be solved, as is the case with AETs. The thousands of unexplained attacks that cost companies billions of dollars a year are a red flag. Understanding your vulnerability to these attacks is the first step in protection.

See also the Black Hat Infosec Island video interview for additional coverage of AETs at the event.


written by markb

Jun 30

Dealing with evasions by Olli-Pekka Niemi

Antievasion, IPS, Security News

Read what the head of Stonesoft’s vulnerability research team says about the challenges in evasion protection.

Dealing with evasions by Olli-Pekka Niemi

written by Ari Vänttinen

Jun 22

The recent list of successful cyber attacks is getting longer and more severe, with the IT security landscape changing fast. By now, everyone knows this. Every second some organization is being attacked, and yet the criminals remain untouched. Why? Because they are improving their tools and methods so quickly that the industry and organizations cannot keep up. During recent years, the gap between defense and offense had become quite narrow, but it seems to be growing again.


written by Ari Vänttinen

Apr 20

TCP Split Handshake and StoneGate

Firewall Engine, IPS, Security News

Recently the information security landscape was abuzz over findings from a recent NSS Labs report on firewalls, wherein products were found to be vulnerable to a TCP split handshake attack. This attack concept was based on research by Tod Beardsley and Jin Qian of BreakingPoint Systems.

Normally, TCP is considered to use a “three-way handshake”, where applications start sessions with a SYN, to which the response is a SYN/ACK, followed by a corresponding ACK from the originator of the session, as outlined in RFC 793. What Beardsley and Qian noticed is that the RFC actually spells out in section 3.3 a four-way process, and states that “steps 2 and 3 can be combined in a single message”. Note that although combining them is the typical way systems handle it, there is no requirement to combine the SYN and ACK of the recipient.

Without getting into the further nitty-gritty details, the bottom line of the research and the recent testing is that stateful network security devices relying on an expected handshake sequence can be fooled into thinking that a connection is originating from a trusted segment instead of from the actual source. Although Stonesoft was not a tested vendor we decided to independently verify StoneGate’s handling of this situation. You can read more about the issue in various articles, such as The CyberJungle, or Government Security News.

Stonesoft’s research team, the Vulnerability Analysis Group, tested both the StoneGate IPS and StoneGate Firewall/VPN, using the same BreakingPoint tests as outlined in the research paper. Our initial conclusion is that neither product is affected by this issue. For the StoneGate IPS, a four- or five-way handshake will fail to hide the payload (direction) from the IPS, with the four-way flagged as “TCP_Segment-SYN-Unexpected-Reply”, and the five-way scenario [which is also very unlikely in real-world environments] as “TCP_Window_Shrinked”. The four-way handshake situation is not set to terminate the connection by default, but it can easily be set to do so if conditions or policy warrant.

For the StoneGate Firewall/VPN, the behavior is dependent on an Advanced property of the firewall or firewall cluster, whether it operates in loose, normal, or strict mode, and the behavior is further influenced by whether traffic in any given rule is inspected or anti-virus applied. With inspection and anti-virus, attacks in the payload are detected regardless of the handshake mechanism. Loose and normal mode with no additional inspection methods will permit the handshake. Strict mode will drop the connection. In any situation, the StoneGate Firewall/VPN will not be confused as to the origin of the session, so the bottom line is as with all security policies in StoneGate: what is not expressly permitted, is denied.
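To make the direction-tracking point concrete, here is a small added model (written for this post, not Stonesoft's engine or BreakingPoint's test code) of two connection trackers fed the same handshakes: a naive one that assigns the server role to whoever sends the SYN/ACK, and a hardened one that fixes the originator at the first SYN and flags a bare SYN coming back from the responder. The handshake sequences, the event name SYN_UNEXPECTED_REPLY and the loose/normal/strict behaviour are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Seg:
    src: str    # which side sent the segment: "client" (originator) or "server"
    flags: str  # TCP control flags as text: "SYN", "SYN/ACK" or "ACK"


# Constructed handshakes (not captures). RFC 793 three-way handshake:
THREE_WAY = [Seg("client", "SYN"), Seg("server", "SYN/ACK"), Seg("client", "ACK")]
# Four-way "split" handshake: the responder answers with a bare SYN instead of
# SYN/ACK, so the originator ends up sending the SYN/ACK and the responder the ACK.
SPLIT_FOUR_WAY = [Seg("client", "SYN"), Seg("server", "SYN"),
                  Seg("client", "SYN/ACK"), Seg("server", "ACK")]


def naive_originator(segs):
    """Naive tracker: assumes the SYN/ACK sender is the server, so the other
    side must be the session originator. Returns the inferred originator."""
    for s in segs:
        if s.flags == "SYN/ACK":
            return "server" if s.src == "client" else "client"
    return None


def strict_track(segs, mode="normal"):
    """Hardened tracker (hypothetical): the originator is whoever sent the first
    SYN, full stop. A bare SYN coming back from the other side is logged as
    SYN_UNEXPECTED_REPLY; only 'strict' mode turns that into a drop."""
    originator, events = None, []
    for s in segs:
        if originator is None:
            if s.flags != "SYN":           # mid-stream or malformed start
                return {"originator": None, "events": ["NO_SYN"], "verdict": "drop"}
            originator = s.src
            continue
        if s.src != originator and s.flags == "SYN":
            events.append("SYN_UNEXPECTED_REPLY")
    verdict = "drop" if (events and mode == "strict") else "permit"
    return {"originator": originator, "events": events, "verdict": verdict}


if __name__ == "__main__":
    print("naive, split handshake :", naive_originator(SPLIT_FOUR_WAY))   # wrong side
    print("strict, split handshake:", strict_track(SPLIT_FOUR_WAY, "strict"))
```

The naive tracker reports the server as originator for the split handshake, which is exactly the confusion that lets a trusted-segment rule admit the session; the hardened tracker keeps the client as originator in every mode and drops only in strict mode.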

Stonesoft looks forward to the opportunity to participate in future tests and supports community efforts to drive improved testing of network security systems. Only by improving testing efforts can we continue to ensure our solutions remain

Network Security. Simplified.

written by markb

Mar 25

According to Frost and Sullivan, global spending on intrusion detection and prevention technologies in 2010 exceeded $1.5 billion USD. At the same time, organizations are growing increasingly concerned by attack sophistication, such as Stuxnet, APTs, and the recent incidents involving RSA and Comodo. Yet, what if the first factor was rendered completely ineffective, and the second increased in its success? If all that money goes down the drain due to ineffective technologies, and sophistication is increasing, what do we do next?

Last October, Stonesoft made friends and enemies alike with its announcement regarding research in advanced evasion techniques and their disclosure to CERT-FI for vulnerability coordination. The subsequent announcement at RSA that an additional 124 techniques had been disclosed on top of the original 23 was met with even more resounding silence.

What’s interesting is that all of the discussion focuses on irrelevant sidebars. Bob Walder of Gartner and NSS Labs has discounted the threat of AETs as “yesterday’s news”; after all, evasions aren’t new, so what’s the big deal? And granted, Bob does know a thing or two about evasions; as one of the founders of NSS Labs, he’s a pretty sharp guy and created a few evasions of his own back in the day. The second sidebar centers on the likelihood of AETs being seen in the wild. No one has heard of or seen them being used, so clearly they must not exist.

Yet I would say that these are distractions from the real issue: old or new, in use or not, the bottom line is: advanced evasion techniques work. They work against just about every IPS technology on the market and in your network today. They enable the delivery of any exploit to vulnerable systems at any time, without detection or notice. But don’t take our word for it. Contact us and we’ll be happy to demonstrate for you. Read the validation of third party testing. Or even better, test it yourself. We’ve now made the first AET samples, originally provided to CERT-FI last year, available at www.antievasion.com.

Does it matter how old it is? No, unlike a fine wine, AETs don’t get better or worse with age. They simply are. They work.

And in most cases, they work well. Against any IPS technology, next generation firewall, content scanning system, or Web application firewall. Why? Because vendors have typically focused on providing you, the customer, with what you ask for rather than what you need. They design systems that favor performance shortcuts vs. real security. They’d rather invest in nice marketing materials than in an effective normalization engine that still maintains decent throughput.

Wouldn’t you rather have a vendor interested in making a better, more effective security technology for today’s threats? One that is more manageable, scalable, and simplified than what you’re doing now? Again, don’t take our word for it. Try it yourself. Learn why Stonesoft’s security solutions are:

Network Security. Simplified.

written by markb

Jan 31

Securing access to data and systems continues to be one of the weakest links in the chain, and PEBKAC ;) is a constant issue.

Luckily, solutions exist… for those who think what strong innovative authentication could really mean.

StoneGate SSL VPN is the ultimate solution to secure access to corporate data and applications, featuring over 25 authentication methods which can be combined in multiple ways.

As stated in a previous post, very often it is not necessary to add complexity to the authentication process: a combination of different techniques can help add the needed… entropy.

Have a look at the interesting news linked here and let us know what you think!

written by RoarinPenguin

Jan 17

NSS Labs’ Network IPS Group Test Results

IPS, Security News

NSS Labs recently released the results of its latest Network IPS Group Test, which was also covered by Jeremy Kirk at IDG News Service here. The results were interesting to say the least. Here are a few high level observations:

StoneGate IPS performance. Like a majority of the appliances tested, StoneGate received a Neutral rating indicating that the devices performed reasonably well and should be considered in the purchasing process. However, there were several areas where StoneGate IPS tested exceedingly well, including:

  • Excellent in value purchase and TCO. Stonesoft’s StoneGate IPS-1205 and IPS-3205 appliances were rated excellent in value purchase. In the sub-gigabit category, the StoneGate IPS-1205 provided the best price per Mbps-protected. In the high-end appliance category, the StoneGate IPS-3205 had the second lowest three-year TCO.
  • Ease of use. “Stonesoft‘s Management Center builds on its firewall management and is extremely intuitive and easy to use. Deploying Stonesoft‘s pre-defined policies is simple and efficient. It took almost no time to setup, configure and tune.”
  • 100 percent protection against evasions. The StoneGate IPS-1205 and IPS-3205 successfully handled 100 percent of NSS Labs’ traditional evasion attempts without error, including HTML evasions. However, it’s important to note that Advanced Evasion Techniques (AETs) were not included in this test, so the 100 percent coverage is for basic evasions only and does not imply protection against AETs. According to NSS Labs:
    “If an attacker can avoid detection by fragmenting IP packets or segmenting TCP streams, an IPS will be completely blind to ALL attacks”.

This concept has been at the heart of our AET research, and is why we are expecting NSS Labs to raise the bar in 2011 by incorporating AET tools into their testing suite.

written by TimoT