Mar 30

I’ve recently had several interesting chats about StoneGate SSL VPN and iPad.
A couple of them were about using the iPad as a business tool, thanks to the awesome portability of this marvel of technology (yes, I admit my passion for this cool iThing), which defined a new category in IT: the post-PC.
In this post I try to summarize why I really think that StoneGate SSL VPN is an excellent enabler for adding security when using the iPad in business, while keeping the splendid user experience unchanged.
Let’s focus on the iPad in business, assuming that the commonly needed use cases are (in no particular order of importance) access to mail, using corporate web applications, browsing the intranet and accessing files (PDFs, for example) that the company has made available to roaming users.
Finally, business usage may imply access to CRM applications hosted in someone else’s cloud, such as Salesforce.com or Google Apps.

Let’s start with the most important things: security of the device and authentication. Personally I find the iPad rather secure as a device, since you can protect it with a passcode, which can be a simple 4-digit number or something more complex. You can even set up the device to be erased after the passcode is typed wrong ten times, and Apple’s recent move to give away free MobileMe accounts for the Find My iPad feature improved the situation further.

Actually, I do consider my iPad safer than my laptop ;)

Back to authentication: the cool thing is that you can combine two authentication methods to grant access to your application portal. This makes things even safer.

I protect the StoneGate SSL VPN application portal with a combination of certificate-based authentication AND StoneGate Mobile Text. This means that the gateway first validates a client certificate installed on my iPad, then prompts me for a username and password. That triggers an OTP sent via text message to (for example) my iPhone, as shown below:

I type these credentials into my iPad browser and I get access to my applications.

I could use other cool authentication methods also…

This type of authentication relies on several elements (the certificate, possession of the iPad, possession of the iPhone, knowledge of a password and the ability to receive a text message). In the usual “something you have / something you know” taxonomy that is two factor types, with the possession factor checked more than once, and it costs nothing in user experience. Strong enough? Good, let’s move to the application experience.

After I am authenticated, I want to read mail, using for example the web interface of my preferred mail system (Lotus Notes, Outlook Web Access, SquirrelMail…). Everything is smoothly parsed by the SSL VPN and blended with Single Sign-On to maximize usability. Naturally, if the user’s password on the backend mail system changes, the SSL VPN displays an authentication prompt to update the SSO Domain definition.

I might also want to use the iPad’s native mail client, since it is the most advanced mail interface I’ve ever experienced, and the SSL VPN helps me (again) with ActiveSync support with Device ID Locking, securing my access to the Exchange server through an authenticated channel.
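To make the Device ID Locking idea concrete, here is an added example (my own illustration, not Stonesoft code and not a description of how StoneGate implements it). Every ActiveSync command request carries the client’s DeviceId in its query string; a gateway in front of Exchange can bind the user it has already authenticated (by certificate, HTTP Basic or otherwise) to the first DeviceId it sees and refuse later requests from any other device until an administrator clears the binding. The user names, device IDs and request lines are constructed samples; the parser deliberately fails closed on any query it cannot read, such as the base64-encoded query form newer ActiveSync clients may send.

```python
"""Device ID locking for Exchange ActiveSync, modelled at the protocol level.

Added example, not Stonesoft code. The gateway binds the authenticated user
to the first DeviceId seen on a command request and refuses later requests
from a different DeviceId until an administrator clears the binding.
Request lines and device IDs below are constructed samples.
"""
from urllib.parse import urlsplit, parse_qs

EAS_PATH = "/Microsoft-Server-ActiveSync"


def eas_params(request_line):
    """Parse the request line of an ActiveSync request in its plain query form.

    Returns None when the path is not the ActiveSync endpoint or when the
    query is not the readable Cmd=...&User=...&DeviceId=... form (for
    instance the base64-encoded query variant), so the caller fails closed
    instead of waving through what it could not inspect.
    """
    method, target, _version = request_line.split(" ", 2)
    parts = urlsplit(target)
    if parts.path != EAS_PATH:
        return None
    if method == "OPTIONS" and not parts.query:
        return {"Method": "OPTIONS"}   # protocol-version probe, no mailbox access
    query = parse_qs(parts.query)
    if "Cmd" not in query or "DeviceId" not in query or "User" not in query:
        return None
    return {"Method": method, **{k: v[0] for k, v in query.items()}}


class DeviceLock:
    """Binds each authenticated user to the first DeviceId seen."""

    def __init__(self):
        self._bound = {}   # authenticated user -> DeviceId
        self.audit = []    # (user, device_id, decision), for the SOC

    def authorize(self, auth_user, request_line):
        """Decide one request. auth_user is the identity the gateway already
        authenticated; the User= query value is only cross-checked against
        it, never trusted on its own."""
        p = eas_params(request_line)
        if p is None:
            return self._decide(auth_user, None, "deny:unparsed_request")
        if p["Method"] == "OPTIONS":
            return self._decide(auth_user, None, "allow:options_probe")
        if p["User"].lower() != auth_user.lower():
            return self._decide(auth_user, p["DeviceId"], "deny:user_mismatch")
        device = p["DeviceId"]
        bound = self._bound.get(auth_user)
        if bound is None:
            self._bound[auth_user] = device
            return self._decide(auth_user, device, "allow:bound_new_device")
        if bound != device:
            return self._decide(auth_user, device, "deny:device_mismatch")
        return self._decide(auth_user, device, "allow")

    def unlock(self, user):
        """Administrative reset after a reported loss/theft or a device swap."""
        self._bound.pop(user, None)

    def _decide(self, user, device, decision):
        self.audit.append((user, device, decision))
        return decision.startswith("allow"), decision


# Constructed sample traffic: an OPTIONS probe, Antti's iPad twice, a second
# device, a request whose User= does not match the authenticated identity,
# and a query this parser does not understand.
SAMPLE = [
    ("antti", "OPTIONS /Microsoft-Server-ActiveSync HTTP/1.1"),
    ("antti", "POST /Microsoft-Server-ActiveSync?Cmd=FolderSync&User=antti&DeviceId=IPAD0001&DeviceType=iPad HTTP/1.1"),
    ("antti", "POST /Microsoft-Server-ActiveSync?Cmd=Sync&User=antti&DeviceId=IPAD0001&DeviceType=iPad HTTP/1.1"),
    ("antti", "POST /Microsoft-Server-ActiveSync?Cmd=Sync&User=antti&DeviceId=ANDROID9&DeviceType=Android HTTP/1.1"),
    ("antti", "POST /Microsoft-Server-ActiveSync?Cmd=Sync&User=juhani&DeviceId=IPAD0001&DeviceType=iPad HTTP/1.1"),
    ("antti", "POST /Microsoft-Server-ActiveSync?jAAJBAp0ZXN0 HTTP/1.1"),
]


def run_sample():
    lock = DeviceLock()
    return [lock.authorize(user, line)[1] for user, line in SAMPLE]


if __name__ == "__main__":
    for (user, line), decision in zip(SAMPLE, run_sample()):
        print(f"{decision:25} {line.split(' ', 2)[1]}")
```

The two design choices worth copying into a real gateway are the cross-check of the User= parameter against the identity the gateway itself authenticated (a client must not be able to relabel its traffic), and the fail-closed handling of query forms the parser does not understand: a device lock that only inspects the readable query while letting everything else through is trivially bypassed.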

Moving on, let’s assume that I need to access Salesforce and Google Apps “in the cloud”: I can configure StoneGate SSL VPN to perform ticket-based Single Sign-On to Salesforce.com and Federated Authentication (acting as Identity Provider) to Google Apps or any other cloud application supporting this technology… including another StoneGate SSL VPN acting as a Cloud Service Provider.

Finally, I might want to make the application set available according to multiple criteria, for example to avoid displaying applications to iPad users that are not usable from this device. This is possible by linking access criteria to a Device Definition, which lets StoneGate SSL VPN recognize the iPad as the connecting device and act accordingly.

Naturally the possibilities offered by this “post-PC” are immense, and the new iPad 2 is raising the bar even higher… which is why Stonesoft R&D is investigating how to boost this support even more in the future. But so far the situation is good enough to use StoneGate SSL VPN to implement secured use of the iPad for business.

And yes, I’ve written this post using WordPress for iPad.

iNetwork Security! Simplified!

written by RoarinPenguin

Mar 14

“The Adventures of Antti Pilvinen” - A story by the RoarinPenguin

DISCLAIMER: All facts, people and companies in this story are fictional and do not have links with any real situation.

 

“I admit that when you invited me for a walk on the frozen sea to discuss business I expected a somewhat mystic experience… but I wasn’t certainly expecting THIS! I am literally enchanted!” exclaimed Claudio Nuvolari, Alliance Manager of CloudyBiz SpA.

Surely Antti Pilvinen knew how to impress his business partners with a taste of typical Finnish beauty. After a long business lunch with Claudio (Italians are amazingly talkative and they simply love these endless lunches, where important business discussions can take place), Antti proposed a different experience.
“Instead of going back to the office to continue the discussion, let’s enjoy these few hours of sun and have a walk on the frozen sea,” he offered.

“Uhmmm…” mumbled Claudio, “isn’t it a bit cold outside?”

“Well, -12 Celsius is just normal for February here and the sun is shining outside,” commented Antti. Then, with a subtle smile on his face, he added, “and I doubt you have ever seen a 3pm sunset on the frozen sea… you might find it beautiful!”

“All right, you convinced me. After all we don’t need laptops and dashboards to continue our interesting discussion” said Claudio.

15 minutes later, they were strolling in the middle of the sea near Espoo, where the APSF headquarters were located. They admired the incredible lights of the winter sunset, ranging from dark blues to insanely bright oranges and reds; in a word, spectacular!

That day was very important for Antti’s company, since a partnership with this Italian cloud computing service provider would mean a significant boost in business.

CloudyBiz was a leading Italian CRM service provider to an incredible number of small and medium-sized companies all over Europe. The recent dramatic growth in demand raised critical security concerns about access to the solution. Customers started to ask more about the security of their access and about strong authentication, each one wanting a different approach. Some love digital certificates, some dream of one-time passwords, others ask for Active Directory integration, while some still have Novell eDirectory and would like to use it for authentication purposes (you know, customers always take it to extremes).

When Antti said APSF might have a solution, Claudio immediately became interested and agreed to a meeting.

Antti started to talk about their solution. He mentioned, “two years ago we included in our offering solutions from an interesting Finnish vendor, Stonesoft.”

“Oh yes, I have heard of them,” commented Claudio. “They are the company that proposed a clustering solution for other vendors… stonedance, stone… beat, yes, StoneBeat was the name!”

“Of course,” continued Antti, “that was many years ago. However, now their offering has evolved into an advanced network security platform called StoneGate, which includes an identity and access management solution called StoneGate SSL VPN.”

“This could be a very good solution to CloudyBiz’s needs, because it supports over 25 different authentication methods and I’m pretty sure it includes the ones your customers are asking for.”

“Hmmm,” mumbled Claudio, “could be, but sometimes the customers are really reluctant to rely on CloudyBiz for user authentication… or in some cases they have hundreds of users already defined, and they don’t want to force these users to have yet another account and password to maintain and remember!”

“This is very true and understandable,” continued Antti, “that’s why we very often propose this solution in a federated authentication fashion: the basic idea is that users keep authentication at home and once it is successful, they will have access to the cloud in a secured way, providing only that bit of information (for example email address or mobile number) to identify the user profile and provide single sign-on to applications. I’m sure I can ask Juhani Kiviportti, our techie guru, to show you how it works. This is a very interesting and powerful solution.”

“It seems indeed,” exclaimed Claudio, “so now let’s go back to your office as it’s getting dark… and a bit cold for my tastes… we can see if Juhani is available and see this marvel in action”.

A few weeks later, CloudyBiz SpA announced a new security option in their offering with an amazingly funny advertising campaign having the following slogan:

Spaghetti and reindeers: securing access to your CRM!

 

written by RoarinPenguin

Mar 08

StoneGate SSL VPN 1.4.5 Maintenance Release has just been made available for download!

Besides including several important fixes detailed in the Release Notes, it also offers interesting small enhancements to make the administrator’s life easier and happier.

One of these enhancements is the ability to change the Directory Service it is based on, with an option to migrate the user base. This is very useful when

The feature is simple and “it just works”, but I thought I’d illustrate it in the movie below.

Directory Service migration! Simplified!

written by RoarinPenguin

Mar 07

“The Adventures of Antti Pilvinen” - A story by the RoarinPenguin

DISCLAIMER: All facts, people and companies in this story are fictional and do not have links with any real situation.

 

“Business is business, but some days are really long and stressful!”

 

That was the thought of Antti Pilvinen on a bright and sunny 12th day of September near Espoo, Finland.

And this thought had nothing to do with the beautiful lengthy summer days. Instead, it seemed that the phone couldn’t stop ringing that day, which was awesome since almost all of the calls were business related (including that interesting security project for a Helsinki municipality).

Anyway, such is the hard life of a successful salesman, and at 18.45 in the evening the sunset view he was enjoying from the small cottage on the Helsinki coastline was marvelous. Late summer sunsets in Finland are like a movie: they can last more than one hour… of pure enchantment!

 

While waiting for friends to arrive, Antti thought it would be a good time to connect to his SSL VPN portal and do one last email check before an evening of relaxation and fun. He booted up his laptop, connected to the portal via the 3G network and was ready for authentication. When grabbing his Nokia E72 phone to proceed with the MobileID authentication, he discovered… boom! No battery! Zero! Phone is dead!

“Right”, he thought. “I managed to dry out a Nokia E72 battery in one day! Tomorrow I’ll have to write to the Guinness Book of World Records!” “How to authenticate now”, he questioned. That MobileID client token software is a cool strong solution for authentication, but it relies upon one important assumption: your phone, that specific phone where the software is loaded and seeded…must be up and running. While he was cursing himself for leaving the additional battery lying in the first drawer of his living room closet at home, the loud sound of a Volvo V70 horn woke him up to reality!

Matti! Matti Pelastaja was arriving! Hopefully with the brand new iPhone 4 he had been showing so proudly last week at the public sauna! After greetings were exchanged, Antti kindly asked him if he could borrow the phone for an urgent local call and he dialed the number of Juhani Kiviportti, the technical guru of IT.
After Juhani patiently listened to the story, he simply replied, “I have a solution for you! I’ll change your mobile number to the one you’re dialing from, then you can select StoneGate Mobile Text to authenticate and a one time password will come straight to your phone with a text message”.

“Whoa!”, Antti said. “Isn’t this a bit insecure?”

“Well no,” Juhani replied. “Because you will need to type in your network password to trigger the sending of the OTP, and also the number it will use is coded in your user profile.”

“Fantastic!”

Juhani added, “To avoid confusing our roaming employees, we took advantage of the multi-portal feature of StoneGate SSL VPN and created another portal for this authentication. You have to point your browser to https://smsauth.apsf.fi”.

“Many thanks Juhani… have a great evening!”

Before the other two friends arrived, Antti was able to authenticate using an OTP sent to Matti’s mobile, check his mail and complete the offer for a project that he successfully concluded three weeks later. Right in time for the closing of the business quarter!

 

written by RoarinPenguin

Feb 28

“The Adventures of Antti Pilvinen” - A story by the RoarinPenguin

DISCLAIMER: All facts, people and companies in this story are fictional and do not have links with any real situation.

Our friend Antti Pilvinen was experiencing a moment of maximum happiness and satisfaction: not only had he overachieved his sales quota, not only did he add many new customers to his company (APSF – Antti Pilvinen Securing Finland)… he also won the internal sales competition’s top prize! Antti was now the owner of a shiny, new iPad 64 GB 3G, including a flat rate data contract for one year. The prize was proudly delivered that morning during a beautiful ceremony on the company’s fifth floor terrace with all of his colleagues applauding that great achievement.

That heated terrace was the best investment of last year: a great space with windows all around to enjoy the beautiful panorama of Espoo. It is simply a classy meeting room for these nice internal events, and a very nice place to be in January. Although it was mid-morning and the sun was shining, outside it was -16 Celsius and the frozen pine trees were creating an enchanted landscape. Ah, beautiful Finland!

Later in the afternoon, while the light outside was disappearing into the chilly winter night, he started daydreaming about what to do with that oh-so-cool jewel… ebooks, surfing the web, watching podcasts, listening to music, storing the pictures of his latest trip to Dubai, reading corporate mail… wait! WAIT! Mail? Uhmmm… that might very well be an issue, and a serious one, since APSF was very strict on mail access and security in general. Of course, he could continue to read mail using the Outlook Web interface through that marvelous StoneGate SSL VPN they had bought recently but… well, iPad mail is a completely new and insanely great experience!

In addition, the iPad has native support for Microsoft Exchange, the platform APSF had moved to recently. The timing was just right to meet the guru of their internal systems, Juhani Kiviportti. Full of hope, he went to the internal systems department to look for that genius, who seemed to have a native talent for solving all IT issues, no matter how complex. Juhani was the person who had insisted on adopting the StoneGate SSL VPN, which had brought many benefits, in particular increasing the productivity of the sales team. Ubiquitous access to corporate data and applications… from anywhere… but now? Secured access to mail using the iPad’s native Exchange support? Maybe this was too much even for Juhani…

Lost in these gloomy thoughts, he almost bumped into Juhani’s desk, fully covered with every possible gadget, including a penguin hanging from the ceiling as a symbol of his “IT faith”: Linux.

With a trembling voice, he started sharing his “happy problem” with Juhani. His mood lifted suddenly when he saw a smile growing on the face of his brilliant colleague, who simply said: “yeah, this is a part of our SSL VPN I’m thinking of digging into… leave it with me”.

Two days later, he received the following email from Juhani:

“Hi Antti. Please proceed to configure your mail on the iPad simply by typing your email address and you should be operational within few seconds”.

With a sense of disbelief (naah, it couldn’t be that simple!), he tapped on Settings – Mail – Add Account – Microsoft Exchange on his iPad and entered antti.pilvinen@apsf.fi. He was shocked to see, a few seconds later, his iPad screen populate with… his mail messages! Suddenly (professional bias), he wanted to know everything about the security of the entire implementation, so he went to see Juhani again with a bunch of questions to “stress test” him.

Antti: “How did you do it? This is… magic!!!”

Juhani: “Any sufficiently advanced technology is indistinguishable from magic…”

Antti: “Seriously… is this secure?”

Juhani: “Of course, thanks to the StoneGate SSL VPN support of secure Active Sync with Device ID Locking in case of loss or theft of the device. Plus, I registered your iPad on Apple MobileMe free service as an additional security measure”.

Antti: “I’m astonished! And you did this in two days?”

Juhani: “Well… no… yesterday I was on holiday.”

Antti: “WOW! And is it working only for iPad?”

Juhani: “That’s the best part of it! You have been the Proof of Concept. The configuration we implemented will allow every device in the company supporting Microsoft Exchange to access email in a secure and authenticated way: Nokia phones, Android phones, iPhone, iPad… all of them… with complete mail, calendar and contacts synchronization. We have reached complete client independence from the mail server!!!”

Antti: “Fantastic! Awesome! Thank you very much for this!”

Juhani “You are very welcome”.

The best part for Juhani Kiviportti came at the end of that month… when he saw a special bonus in his salary with one comment: “To the person who brought APSF to Secure Mail Nirvana! A.P.”

written by RoarinPenguin

Feb 14

“The Adventures of Antti Pilvinen” - A story by the RoarinPenguin

DISCLAIMER: All facts, people and companies in this story are fictional and do not have links with any real situation with the exception of Robert’s Coffee, Sonera and Finavia.

Helsinki – February – 8.30 AM – Vantaa airport

Antti Pilvinen, a typical Finnish salesman, has just finished his espresso at Robert’s Coffee… the aroma of his croissant is still pervading the warm environment…

What a beautiful feeling, especially when the car he left in the parking lot 20 minutes earlier is still freezing at -23 C.

Sitting in a comfortable chair, he realizes that there are still 45 minutes before the green flashing Portille sign appears on the screen at the gate.

Thinking about how fantastic this morning is for business, he remembers that he has to finish an offer for 10 SSL VPN application portals for his potential client Sanomat. Then, it occurs to him that it could be a great moment to check email and also update Salesforce.com with a couple of notes about the two meetings he attended yesterday.

He is thinking in particular of the very promising second meeting, which involves a potentially immense number of IPS engines, after a Stuxnet variant appeared in the wild a few days before. He needs to react quickly and prompt the Sales Engineer to send more info to Mr. Virtanen.

While waiting for his Dell to boot up, he silently gives thanks to Finavia for sponsoring free WiFi connectivity at the airport. Sonera’s network is good but not free.

Two minutes later, he’s cheered by the logo of APSF (Antti Pilvinen Securing Finland) Oy, a nice puffy cloud, on the SSL VPN portal.

Once again, he thinks about what a worthwhile investment that StoneGate SSL VPN technology has been! Even on an insecure WiFi connection, from anywhere, it allows him to safely access the applications he needs. No fear of identity or credential theft, since the combination of certificate-based authentication and the one-time password sent to his Nokia E72 makes authentication strong and valid only for that session.

The comfortable set of icons appears after the system silently but efficiently checks his security posture, and 25 minutes later he is boarding Finnair flight AY796 to Milan Malpensa to enjoy the Sales Meeting on Lago di Como organized by Emilio, the Country Manager of the Italian subsidiary.

His sales mind, so committed to results, so keen on convincing every customer to invest in security solutions… never gives a single second’s thought to the backend complexity of accessing three different systems (Outlook Web Mail, Word over Remote Desktop and the CRM hosted in the cloud by Salesforce.com), each with different credentials, simply by…

…clicking an icon.

Secure access to applications in the cloud. Simplified!

written by RoarinPenguin

Jan 31

Securing access to data and systems continues to be one of the weakest links in the chain, and PEBKAC ;) is a constant issue.

Luckily, solutions exist… for those who think about what strong, innovative authentication could really mean.

StoneGate SSL VPN is the ultimate solution to secure access to corporate data and applications, featuring over 25 authentication methods that can be combined in multiple ways.

As stated in a previous post, very often it is not necessary to add complexity to the authentication process: combining different techniques can add the needed… entropy.

Have a look at the interesting news linked here and let us know what you think!

written by RoarinPenguin

Jan 25

…or, in other words: how secure should your access to the cloud be?

It really does not matter whether private or public: as stated multiple times, the authentication process is the key and the main enabler for cloud computing to happen.

And it seems that now the call for action is rapidly growing.

Stonesoft is offering the state-of-the-art StoneGate SSL VPN to secure access to the cloud, with powerful yet flexible and easy-to-use authentication methods that grant the maximum level of security when accessing your data in the cloud.

Please note that often the need is not for a brand new shiny authentication method, since combining powerful existing ones can also be an efficient solution… or what do you think?

Please let us know your opinion with comments…

written by RoarinPenguin

Jan 04

First post of this new 2011, together with my best wishes for a happy new year.

In a recent post I illustrated how to configure StoneGate SSL VPN to perform ticket-based Single-Sign-On to SalesForce.com.

The interesting benefit of the solution is to keep secure authentication at home while granting secure authenticated access to SalesForce application in the cloud.

The solution described in that post, although powerful and secure, lacks a little in usability, because the user must first log in to the StoneGate SSL VPN application portal, then click the SalesForce application icon and, voilà, he’s in.

This post details how to use Device Definition in StoneGate SSL VPN to greatly improve overall usability and reach a quicker, smoother result while keeping security at the maximum level.

Device Definition lets the gateway detect a specific type of connecting device based on patterns in the HTTP request, such as User-Agent, OS, requested URL, path, etc.
We can therefore define a device type in Manage System > Device Definition based on the requested URL, as shown below:

This ensures that requests for https://salesforce.mydomain.tld are treated differently from others, according to the configuration in Manage Resource Access > Global Resource Settings > Client Access.

We will configure the Device Definition to point to specific pages for authentication and, once authentication succeeds, straight to SalesForce with ticket-based Single-Sign-On.

We can retrieve the needed links (Authentication Page and Welcome/Application Page) by looking at the default login menu on the StoneGate SSL VPN Access Point and “building” the application link as described below.

Open the StoneGate SSL VPN Access Point page and hover over an authentication method, then copy its link to retrieve the authentication page link you are interested in (in the example, StoneGate Password).

As for the application link, supposing that your Web Resource to access SalesForce with Ticket-SSO is called MySalesForce, the direct link to the application will be:

https://sslvpn.mydomain.tld/https/MySalesForce

To define the Client Access parameters for the Device Definition, we just need to strip the scheme and host from the URLs above, keeping path and query string. We therefore have:

Authentication link (Default Page): /wa/auth?authmech=StoneGate%20Password

Application link (Welcome Page): /https/MySalesForce

We can finally configure the Device Definition Client Access in Manage Resource Access > Global Resource Settings > Client Access > Add Device Settings… as shown below:

Click Add to finalize the configuration.

The last thing to do is to add a DNS A or CNAME record for salesforce.mydomain.tld pointing to the StoneGate SSL VPN system, so that requests for this name actually reach it. Until that record exists the Device Definition never sees the request. Remember also that the certificate presented by the SSL VPN must cover this name, otherwise browsers will warn before the redirect ever happens.

The resulting configuration is that StoneGate SSL VPN intercepts the URL and, because of the Device Definition configuration, first directs the user to the configured authentication page; once authentication is performed it allows straight access to SalesForce using ticket-based Single-Sign-On.
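After the DNS change, the thing to verify is the redirect chain itself: an unauthenticated request for the vanity name should land on the authentication page, not on the default portal and certainly not straight on the Welcome Page. The script below is an added example, not part of the original post and not Stonesoft code. It derives the Client Access paths from the two URLs copied off the Access Point page (the same stripping done by hand above), classifies the gateway’s answer to a cookie-less GET, checks that the vanity name resolves to the same address as the SSL VPN, and, when run directly, performs one live probe. The host names and the MySalesForce Web Resource name are the post’s examples; the set of redirect status codes it accepts is an assumption, since the post does not say which code the gateway uses.

```python
"""Post-configuration check for the Device Definition redirect chain.

Added example, not Stonesoft code. Pure helpers (testable offline) plus one
live probe guarded behind __main__. Host names and the Web Resource name
come from the post; accepted redirect status codes are an assumption.
"""
import socket
import ssl
import http.client
from urllib.parse import urlsplit

SSLVPN_HOST = "sslvpn.mydomain.tld"     # the SSL VPN Access Point
APP_HOST = "salesforce.mydomain.tld"    # vanity name matched by the Device Definition
AUTH_URL = "https://sslvpn.mydomain.tld/wa/auth?authmech=StoneGate%20Password"
APP_URL = "https://sslvpn.mydomain.tld/https/MySalesForce"
REDIRECT_CODES = (301, 302, 303, 307)   # assumption: any of these counts as a redirect


def _path_and_query(url):
    p = urlsplit(url)
    return p.path + ("?" + p.query if p.query else "")


def client_access_paths(auth_url, app_url):
    """Strip scheme and host, keeping path and query: the values that go
    into Default Page / Welcome Page of the Device Settings."""
    return {"default_page": _path_and_query(auth_url),
            "welcome_page": _path_and_query(app_url)}


def redirect_target(location, request_host):
    """Normalise a Location header to (host, path+query). A relative
    Location is resolved against the host that was requested."""
    p = urlsplit(location)
    host = (p.netloc or request_host).lower()
    return host, _path_and_query(location)


def check_unauthenticated_answer(status, location, request_host, paths):
    """Classify the gateway's answer to a cookie-less GET on the vanity host.

    'ok'          sent to the configured authentication page
    'no-redirect' page served directly: the Device Definition did not match
                  (wrong pattern, DNS still pointing elsewhere, default portal)
    'app-exposed' sent straight to the Welcome Page without authenticating
    'other'       anything else, worth a look
    """
    if status not in REDIRECT_CODES:
        return "no-redirect"
    _host, target = redirect_target(location or "", request_host)
    if target == paths["welcome_page"]:
        return "app-exposed"
    if target == paths["default_page"]:
        return "ok"
    return "other"


def resolves_to_same_address(vanity_host, vpn_host):
    """The A/CNAME record must land the vanity name on the SSL VPN (network)."""
    def addrs(h):
        return {ai[4][0] for ai in socket.getaddrinfo(h, 443, proto=socket.IPPROTO_TCP)}
    return bool(addrs(vanity_host) & addrs(vpn_host))


def probe(vanity_host):
    """One live, unauthenticated GET; needs network and a trusted certificate
    that covers the vanity name."""
    conn = http.client.HTTPSConnection(vanity_host, 443, timeout=10,
                                       context=ssl.create_default_context())
    conn.request("GET", "/", headers={"User-Agent": "dd-check/1"})
    r = conn.getresponse()
    return r.status, r.getheader("Location")


if __name__ == "__main__":
    paths = client_access_paths(AUTH_URL, APP_URL)
    print("client access paths:", paths)
    print("DNS lands on the SSL VPN:", resolves_to_same_address(APP_HOST, SSLVPN_HOST))
    status, location = probe(APP_HOST)
    print(status, location, "->",
          check_unauthenticated_answer(status, location, APP_HOST, paths))
```

The 'app-exposed' outcome is the one to watch for: if the Default Page and Welcome Page are swapped in the Device Settings, the vanity URL hands the user the ticket-SSO resource without ever passing through authentication, and only an unauthenticated probe like this one shows it.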

Secured Access to the Cloud, keeping Authentication at Home ;)

written by RoarinPenguin

Nov 26

StoneGate SSL VPN is a perfect solution for granting secure access to the cloud.

One of the preferred authentication methods, used standalone or in conjunction with others to strengthen the authentication process, is authentication based on digital certificates.

This movie shows the various powerful and flexible options offered by StoneGate SSL VPN to implement an excellent level of secure authentication when accessing applications in the cloud using digital certificates.

Secure Access to the Cloud! Simplified!

written by RoarinPenguin