Jan 20
Helsinki World Design Capital 2012 logo

Helsinki has been named World Design Capital for 2012.

As you might know, Design is not only about chairs, desks and furniture…

The word comes from late Middle English, derived from the Latin “designare”, which means to indicate something for a purpose or duty.

As happens with many concepts, the word has one definition but different meanings depending on the context in which it is applied.

Just like Security.

Two important principles related to design are usability and ergonomics.
Both aim to improve people’s efficiency in their working environment.

The same two principles are not only relevant to Security, but fundamentally important for it.

When you design something, you mainly think about the purpose of that something in different contexts,
because different usage contexts mean different needs to address, different perspectives, different angles.

Just like in Security planning.

Especially since the Cloud Computing wave, there has been a lot of talk about context-aware security:
the idea that security technologies and implementations should always consider the whole context of a session and not only a fragment of it.
For example, not limiting authentication to the validation of user credentials, but extending the analysis and validation to the whole “security posture” by assessing the hardware the user is on, the network he is coming from, the strength of the authentication method used, and so on.

At Stonesoft, we have blended all these important principles in our solutions from day one.

We offer dynamic, software-based network security solutions that adapt to the context in which they are deployed, providing protection against the latest and most dangerous threats: AETs (Advanced Evasion Techniques).

We provide great usability both for security administrators and for users, to maximize the efficiency and user experience while minimizing impact on resources.

We can prove reduction of CAPEX and OPEX costs with real, tangible savings.

We believe in ergonomics principles applied to (for example) authentication, where users should be able to achieve strong authentication naturally, using methods and devices they already use daily for many other purposes.

We offer secured authenticated access to the cloud, enabling universal access from multiple platforms and context-aware security.

We empower MSSPs to provide faster time-to-market for security services and the most scalable solution to manage thousands of customers with minimized OPEX.

Isn’t this… ergonomic Network Security by design?

written by RoarinPenguin - 332 views

Jan 04

Variables in SSL VPN startup command path

Hints and Tips, SSL VPN

Let’s start 2012 with a technical tip about the use of variables in Stonesoft SSL VPN.

More specifically, the variables described in this article are used when configuring a Startup Command in a Tunnel Set definition, to allow TCP/UDP based applications to be used inside an SSL tunnel.
A sample use case is a user who needs to access his home directory, where we do not want to create as many Tunnel Sets as there are users in the system.
The Startup Command of a Tunnel Set is executed as soon as the tunnel has been successfully established, to automate the launch of a given application.
In this example, the Startup Command in the SSL VPN Tunnel Set configuration could contain something like:

\\192.168.100.1\[$uid]

This $uid variable is replaced with the user ID when the startup command is invoked by the system.

The other useful variables that can be used in the same context are:

[$ehost]  =  the access point server name, including port number

[$eprot]  =  HTTP or HTTPS

[$uid]    =  the external user name

[$iuid]   =  the internal user name (usually the same as $uid)

I hope this information is useful to simplify your configuration.
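As an added illustration of how such a template is expanded (this is example code written for this page, not Stonesoft’s code, and not how the SSL VPN performs the substitution internally), here is a small Python expander for the [$name] token syntax above. The session dictionary, the host name and the user names are constructed sample values. The check that a substituted user name cannot contain path separators or be “..” is this example’s own choice: a startup command that splices a user-controlled value into a UNC path should not let that value change which directory it points at.

```python
import re

# Variable names documented for the Tunnel Set Startup Command in the post above.
KNOWN_VARIABLES = {"ehost", "eprot", "uid", "iuid"}

# Tokens have the form [$name], as in \\192.168.100.1\[$uid].
TOKEN_RE = re.compile(r"\[\$([A-Za-z_][A-Za-z0-9_]*)\]")

# Characters that must not appear in a value spliced into a single path component.
# This restriction is the example's own choice, not a documented SSL VPN behaviour.
_FORBIDDEN_IN_PATH_COMPONENT = set('\\/:*?"<>|')


def _checked(name, value):
    """Reject user-name values that could escape the intended path component."""
    if name in {"uid", "iuid"}:
        bad_chars = any(c in _FORBIDDEN_IN_PATH_COMPONENT for c in value)
        if not value or bad_chars or value in {".", ".."}:
            raise ValueError(f"value for [${name}] is not a safe path component: {value!r}")
    return value


def expand_startup_command(template, session):
    """Replace every [$name] token in template with the matching session value.

    session is a dict such as {"uid": "jdoe", "ehost": "sslvpn.example.com:443"}
    (constructed sample data).  Unknown or missing variables raise, so a typo in
    the Tunnel Set definition is reported instead of launching a half-expanded path.
    """
    def _sub(match):
        name = match.group(1)
        if name not in KNOWN_VARIABLES:
            raise KeyError(f"unknown startup command variable [${name}]")
        if name not in session:
            raise KeyError(f"no value for [${name}] in this session")
        return _checked(name, session[name])

    # A callable replacement is used so backslashes in values are copied literally.
    return TOKEN_RE.sub(_sub, template)


if __name__ == "__main__":
    # Constructed sample session; address and names are illustrative only.
    sample_session = {
        "ehost": "sslvpn.example.com:443",
        "eprot": "HTTPS",
        "uid": "jdoe",
        "iuid": "jdoe",
    }
    print(expand_startup_command(r"\\192.168.100.1\[$uid]", sample_session))
    print(expand_startup_command("[$eprot]://[$ehost]/home/[$iuid]", sample_session))
```

Running the block prints the expanded UNC path for the sample user and an example that combines the access point variables into a URL.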

written by RoarinPenguin - 243 views

Dec 13

This afternoon I had an interesting conversation with a Partner about one of the best kept secrets in Stonesoft SSL VPN: the ability to secure mail in the cloud by providing Exchange ActiveSync and Device ID locking support.

“It’s not for me, I don’t have a cloud” he said initially, when I started describing the solution.

This is a common misunderstanding: believing that the Cloud is only public!

Because Cloud Computing mainly describes an IT ecosystem, everyone who adopts the techniques and technologies of this ecosystem has a cloud!

Naturally, there is a difference between public and private clouds.

Happy with this description, the Partner continued the discussion and we analyzed the solution illustrated below:

When a Mail system based on Exchange is protected by Stonesoft SSL VPN, there are several interesting benefits:

  • the Exchange Server does not need to be exposed in the DMZ
  • SSL traffic is offloaded from the Exchange Server
  • Exchange ActiveSync is supported, to synchronize mail, contacts, calendar and tasks to mobile devices that support this feature (the majority of recent smartphones do)
  • Device ID locking is supported, to prevent unauthorized mobile devices from accessing Exchange

…besides securing access to Outlook Web Access and the mail control panel when mail is accessed via a browser.
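To make the Device ID locking idea concrete, here is an added Python example (written for this page, not Stonesoft’s implementation) that parses the query string of an Exchange ActiveSync request and forwards it only if the DeviceId is registered for the user that the gateway itself authenticated. The ActiveSync query parameters User, DeviceId, DeviceType and Cmd are the standard ones sent by ActiveSync clients; the allowlist, user names and device identifiers are constructed sample data.

```python
from urllib.parse import urlsplit, parse_qs

# Per-user allowlist of Exchange ActiveSync device IDs.  Constructed sample data;
# a real gateway would keep this in its user/device database.
DEVICE_ALLOWLIST = {
    "jdoe": {"ANDROIDC1234567890"},
    "asmith": {"APPLF1234ABCD5678", "APPLF8765DCBA4321"},
}


def parse_activesync_request(path_with_query):
    """Extract User, DeviceId, DeviceType and Cmd from an ActiveSync request URL.

    Returns None when the path is not the ActiveSync virtual directory.
    Query keys are compared case-insensitively because clients differ in casing.
    """
    parts = urlsplit(path_with_query)
    if parts.path.lower() != "/microsoft-server-activesync":
        return None
    q = {k.lower(): v for k, v in parse_qs(parts.query).items()}

    def first(key):
        return q.get(key, [None])[0]

    return {
        "user": first("user"),
        "device_id": first("deviceid"),
        "device_type": first("devicetype"),
        "cmd": first("cmd"),
    }


def device_lock_decision(authenticated_user, path_with_query, allowlist=DEVICE_ALLOWLIST):
    """Decide whether an ActiveSync request may be forwarded to the Exchange server.

    authenticated_user comes from the gateway's own authentication step, never
    from the URL, so a client cannot borrow another user's device list simply by
    editing the User parameter.  Returns (allowed, reason).
    """
    req = parse_activesync_request(path_with_query)
    if req is None:
        return False, "not an ActiveSync request"
    if not req["device_id"]:
        return False, "missing DeviceId"
    if req["user"] is not None and req["user"].lower() != authenticated_user.lower():
        return False, "User parameter does not match the authenticated user"
    registered = allowlist.get(authenticated_user, set())
    if req["device_id"] not in registered:
        return False, f"device {req['device_id']} is not registered for {authenticated_user}"
    return True, f"device {req['device_id']} is registered for {authenticated_user}"


if __name__ == "__main__":
    # Constructed sample requests, as a gateway in front of Exchange would see them.
    samples = [
        ("jdoe", "/Microsoft-Server-ActiveSync?User=jdoe&DeviceId=ANDROIDC1234567890&DeviceType=Android&Cmd=Sync"),
        ("jdoe", "/Microsoft-Server-ActiveSync?User=jdoe&DeviceId=UNKNOWN0001&DeviceType=Android&Cmd=Sync"),
        ("jdoe", "/Microsoft-Server-ActiveSync?User=asmith&DeviceId=APPLF1234ABCD5678&Cmd=Sync"),
        ("jdoe", "/owa/"),
    ]
    for user, url in samples:
        allowed, reason = device_lock_decision(user, url)
        print("ALLOW" if allowed else "DENY ", user, "->", reason)
```

The first sample request is forwarded; the second is refused because the device is unknown, the third because the authenticated user and the User parameter disagree, and the last because it is not an ActiveSync request at all. A deployment would typically log the refused requests, since a burst of unknown DeviceIds for one account is a useful signal.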

A growing number of Stonesoft Customers are already enjoying this cool feature, which is included in the base license of the SSL VPN solution.

Stonesoft SSL VPN licensing based on concurrent users, together with transparent integration with MS Active Directory and dynamic user linking, allows rapid and efficient deployment of a cost-effective solution.

Based on how the conversation ended, I really think that this “growing number” will increase by one soon… ;)

Secure your mail in the cloud, with Stonesoft SSL VPN!

written by RoarinPenguin - 459 views

Sep 03

The recent security incident at DigiNotar, and the less recent (but far less important) ones at Comodo and RSA, have raised quite a concern about something that was taken for granted: the implicit level of security of an SSL-encrypted channel and of time-based strong authentication methods such as hardware one-time password generators.
Employees working from home, online banking users, citizens using government online services, web mail systems containing more and more personal data, web sites for online shopping, service providers offering applications “in the cloud”.
These are just samples of the countless services potentially impacted by the new threat: valid digital certificates stolen by cybercriminals and used to fake connections to well known domain names.
Which is not that new a threat, since it is implicit in the SSL server certificate authentication model, based on the level of trust put in the so-called issuing Certificate Authorities.

Well, it really seems to me that the ‘problem’ continues to be the same.

written by RoarinPenguin - 614 views

Apr 06

StoneGate MobileID: even Tron can authenticate!

Authentication, SSL VPN

I’m pleased to announce that the free StoneGate SSL VPN MobileID client software for strong authentication is now available for the latest and greatest generation of Nokia products like the N8! Yes, the very one used in the Disney movie Tron ;)

The software is available at no charge (as for all other supported platforms) in the download section of the Stonesoft Web Site, with links to external stores/marketplaces where applicable.

…and yes, you can use it even if you are not Tron… and even if you use another Symbian S3 smartphone like Nokia C7 and others :)

Innovative strong authentication! Simplified!

written by RoarinPenguin - 680 views

Apr 04

…don’t miss the sixth episode of The Adventures of Antti Pilvinen, which has just been published ;)

Happy reading,

The RoarinPenguin

written by RoarinPenguin - 668 views

Mar 31

RSA: To Token or Not To Token

Authentication, Cloud Computing, SSL VPN

By now, you likely have seen the news regarding the breach of RSA’s authentication tokens and the possibility of a long-term security compromise of SecurID. While the exact cause of the attack is still being determined, one thing is for certain: companies need to re-evaluate the security of remote access to their networks.

Not surprisingly, we have received numerous inquiries from customers about our approach to securing remote access.
Additions to the StoneGate SSL VPN remote access solution are already in development, and we’ve expedited the release of our new authentication server to offer customers multiple authentication methods for securing remote access to critical data and applications across the network.

The new StoneGate Authentication Solution combines SSL VPN and authentication server capabilities with other deployed authentication methods that can be pushed to any remote device. Our multi-factor authentication replaces the need for archaic, awkward, unusable hardware tokens with ergonomic software tokens that are easy to implement and manage, or even a one-time password (OTP) sent via text message to any mobile phone.

Highlights of the StoneGate Authentication Solution include:

  • Secure remote access granting access to any application, including cloud-hosted ones
  • Complete integration of multiple authentication methods, including StoneGate MobileID and SMS-based authentication
  • Easy access to detailed user and log data to monitor access in real-time and proactively spot security concerns across the network
  • The availability of geo-location information and reporting to increase awareness about remote access trends and threats
  • Complete incident management capabilities, from identification and resolution to mass deployment of updates, all from a single management console.

Are you reviewing your current strategy for remote access security? Should you be?
If so, the StoneGate Authentication Solution is an alternative to traditional solutions (such as token-based methods) that is more cost-effective, less complex and most importantly, more secure.

written by admin - 807 views

Mar 30

I’ve recently had several interesting chats about StoneGate SSL VPN and the iPad.
A couple of them were about the use of the iPad as a business tool, thanks to the awesome portability of this marvel of technology (yes, I admit my passion for this cool iThing), which defined a new category in IT: the post-PC.
In this post I try to summarize why I really think that StoneGate SSL VPN is an excellent enabler for adding security when using the iPad in business, while keeping the splendid user experience unchanged.
Let’s focus on the iPad in business, assuming that the commonly needed use cases are (in no particular order) access to mail, using corporate web applications, browsing the intranet and access to files (such as PDFs) that the Company makes available to roaming users.
Finally, business usage could imply access to some CRM applications hosted in a cloud elsewhere, such as Salesforce.com or Google Apps.

Let’s start with the most important things: security of the device and authentication. Personally I find the iPad rather secure as a device, since you can protect it with a passcode which can be simple (a 4-digit number) or more complex. You can even set up the device to be erased if the passcode is typed wrong ten times, and Apple’s recent move to give free MobileMe accounts for the Find My iPad feature improved the situation further.

Actually, I do consider my iPad safer than my laptop ;)

Back to authentication: the cool thing is that you can combine two authentication methods to grant access to your application portal. This makes things even safer.

I protect the StoneGate SSL VPN application portal with a combination of certificate-based authentication AND StoneGate Mobile Text. This means that first a client certificate installed on my iPad is validated, then the user is prompted for a username and password. This triggers an OTP to be sent via text message to (for example) my iPhone, as shown below:

I type these credentials in my iPad browser and get access to my applications.

I could use other cool authentication methods also…

This type of authentication is based on several factors (the certificate, having the iPad, having the iPhone, knowing a password and the ability to receive a text message): 6-factor authentication without sacrificing user experience. Strong enough? Good, let’s move on to the application experience.

After I am authenticated, I want to read mail, using for example the web interface of my preferred mail system (Lotus Notes, Outlook Web Access, SquirrelMail…). Everything is smoothly parsed by the SSL VPN and blended with Single Sign-On to maximize usability… naturally, if the user password for the backend mail system changes, the SSL VPN displays an authentication prompt to update the SSO Domain definition.

I might also want to use the native mail client of the iPad, since it is the most advanced mail interface I’ve ever experienced… and the SSL VPN helps me (again) with ActiveSync support and Device ID Locking, to secure my access to the Exchange server through a secure, authenticated channel.

Moving on, let’s assume that I need to access Salesforce and Google Apps “in the cloud”: I can configure StoneGate SSL VPN to perform ticket-based Single Sign-On to Salesforce.com and Federated Authentication (as Identity Provider) to Google Apps or any other cloud application supporting this technology… including another StoneGate SSL VPN acting as a Cloud Service Provider.

Finally, I might want to make the application set available based on multiple criteria… for example, to avoid displaying to iPad users applications that are not usable from this device. This is possible by linking access criteria to a device definition, which enables StoneGate SSL VPN to recognize the iPad as the connecting device and act accordingly.

Naturally the possibilities offered by this “post-PC” are immense, and the new iPad 2 is raising the bar even further… this is why Stonesoft R&D is investigating how to boost this support even more in the future… but so far the situation is good enough to allow using StoneGate SSL VPN to implement secured use of the iPad for “business usage”.

And yes, I’ve written this post using WordPress for iPad.

iNetwork Security! Simplified!

written by RoarinPenguin - 1,235 views

Mar 14

“The Adventures of Antti Pilvinen” - A story by the RoarinPenguin

DISCLAIMER: All facts, people and companies in this story are fictional and do not have links with any real situation.


“I admit that when you invited me for a walk on the frozen sea to discuss business I expected a somewhat mystic experience… but I wasn’t certainly expecting THIS! I am literally enchanted!” exclaimed Claudio Nuvolari, Alliance Manager of CloudyBiz SpA.

Surely Antti Pilvinen knew how to impress his business partners with drops of typical Finnish beauty. After a long business lunch with Claudio (Italians are amazingly talkative and they simply love these endless lunches, where important business discussions can take place), Antti proposed a different experience.
“Instead of going back to the office to continue the discussion, let’s enjoy these few hours of sun and have a walk on the frozen sea,” he offered.

“Uhmmm…” mumbled Claudio, “isn’t it a bit cold outside?”

“Well, -12 celsius is just normal for February here and the sun is shining outside,” commented Antti. Then, with a subtle smile on his face, he added, “and I doubt you have ever seen a 3pm sunset on the frozen sea… you might find it beautiful!”

“All right, you convinced me. After all we don’t need laptops and dashboards to continue our interesting discussion” said Claudio.

15 minutes later, they were strolling in the middle of the sea near Espoo, where the ASPF headquarters were located. They admired the incredible lights of the winter sunset ranging from dark blues to insanely bright oranges and reds: in a word, spectacular!

That day was very important for Antti’s company, since a partnership with this Italian cloud computing service provider would mean a significant boost in business.

CloudyBiz was a leading Italian CRM services provider for an incredible number of small and medium size companies all over Europe. The recent dramatic growth in demand had raised critical security concerns about access to the solution. Customers started to ask more about the security of their access and strong authentication, each one wanting a different authentication approach. Some love digital certificates, some dream of a one-time password, others ask for Active Directory integration, while some still have Novell eDirectory and would like to use it for authentication purposes (you know, customers always take it to extremes).

When Antti said ASPF might have a solution, Claudio immediately became interested and agreed to a meeting.

Antti started to talk about their solution. He mentioned, “two years ago we included in our offering solutions from an interesting Finnish vendor, Stonesoft.”

“Oh yes, I have heard of them,” commented Claudio. “They are the company that proposed a clustering solution for other vendors… stonedance, stone… beat, yes, StoneBeat was the name!”

“Of course,” continued Antti, “that was many years ago. However, now their offering has evolved into an advanced network security platform called StoneGate, which includes an identity and access management solution called StoneGate SSL VPN.”

“This could be a very good solution to CloudyBiz’s needs, because it supports over 25 different authentication methods and I’m pretty sure it includes the ones your customers are asking for.”

“Hmmm,” mumbled Claudio, “could be, but sometimes the customers are really reluctant in relying on CloudyBiz for user authentication… or in some cases they have hundreds of users already defined, and they don’t want to force these users to have yet another account and password to maintain and remember!”

“This is very true and understandable,” continued Antti, “that’s why we very often propose this solution in a federated authentication fashion: the basic idea is that users keep authentication at home and once it is successful, they will have access to the cloud in a secured way, providing only that bit of information (for example email address or mobile number) to identify the user profile and provide single sign-on to applications. I’m sure I can ask Juhani Kiviportti, our techie guru, to show you how it works. This is a very interesting and powerful solution.”

“It seems so indeed,” exclaimed Claudio, “so now let’s go back to your office as it’s getting dark… and a bit cold for my tastes… we can see if Juhani is available and see this marvel in action.”

A few weeks later, CloudyBiz SpA announced a new security option in their offering with an amazingly funny advertising campaign bearing the following slogan:

Spaghetti and reindeers: securing access to your CRM!


written by RoarinPenguin - 485 views

Mar 08

StoneGate SSL VPN 1.4.5 Maintenance Release has just been made available for download!

Besides including several important fixes detailed in the Release Notes, it also offers interesting small enhancements to make the administrator’s life easier and happier.

One of these enhancements is the ability to change the Directory Service it is based on, with an option to migrate the user base. This is very useful when

The feature is simple and “it just works”, but I thought I’d illustrate it in the video below.

Directory Service migration! Simplified!

written by RoarinPenguin - 612 views