Jul 12

Dynamic User Linking in action

Authentication -

Last week I posted details about one of the most exciting features of StoneGate Authentication Server: Automatic User Linking.
Designed to minimize the implementation time of a new Authentication Server deployment, this feature lets you set up a transparent connection to the backend database and a dynamic link to existing user profile data.
Those existing users are enabled with the configured authentication method as soon as they try to… authenticate.
The video below shows the magic in action ;)

Network Security. Simplified!

written by RoarinPenguin

May 30

StoneGate 5.3 – Authenticated User Monitoring

Feature Previews, SMC -
There are a couple of new session monitoring views in StoneGate Management Center 5.3.0. One of them is the live monitoring view of authenticated users. It lists all the users who have authenticated to the firewall through the captive portal or the IPsec VPN client.


written by Tero Jantunen

May 26

StoneGate 5.3 – Browser-based user authentication

Feature Previews, SMC -

StoneGate Firewall and SMC 5.3 will provide integrated, easy-to-use web authentication for end users. This captive HTTP/HTTPS authentication portal gives end users a simple way to authenticate before accessing a service behind the firewall. The feature works together with the user- and user-group-based access control that is also released in StoneGate 5.3.

User authentication login screen


written by Tero Jantunen

May 03

StoneGate 5.3 feature previews

Feature Previews, SMC -
StoneGate 5.3 will be released within a couple of months. It contains a lot of interesting features. We thought we could reveal some information about them here in StoneBlog before you can try the new features in action.

The theme for this release has been “Authentication and user and application awareness”. But as usual, there are a lot of other features and enhancements related to other topics as well.

StoneGate 5.3

Stay tuned to see what you can expect in the near future. The first feature previews will be published within a couple of days, and we will keep publishing them until the release is out.

written by Tero Jantunen

Mar 14

“The Adventures of Antti Pilvinen” - A story by the RoarinPenguin

DISCLAIMER: All facts, people and companies in this story are fictional and do not have links with any real situation.

 

“I admit that when you invited me for a walk on the frozen sea to discuss business I expected a somewhat mystic experience… but I certainly wasn’t expecting THIS! I am literally enchanted!” exclaimed Claudio Nuvolari, Alliance Manager of CloudyBiz SpA.

Surely Antti Pilvinen knew how to impress his business partners with drops of typical Finnish beauty. After a long business lunch with Claudio (Italians are amazingly talkative and they simply love these endless lunches, where important business discussions can take place), Antti proposed a different experience.
“Instead of going back to the office to continue the discussion, let’s enjoy these few hours of sun and have a walk on the frozen sea,” he offered.

“Uhmmm…” mumbled Claudio, “isn’t it a bit cold outside?”

“Well, -12 celsius is just normal for February here and the sun is shining outside,” commented Antti. Then, with a subtle smile on his face, he added, “and I doubt you have ever seen a 3pm sunset on the frozen sea… you might find it beautiful!”

“All right, you convinced me. After all, we don’t need laptops and dashboards to continue our interesting discussion,” said Claudio.

15 minutes later, they were strolling in the middle of the sea near Espoo, where the ASPF headquarters were located. They admired the incredible lights of the winter sunset, ranging from dark blues to insanely bright oranges and reds – in a word, spectacular!

That day was very important for Antti’s company, since a partnership with this Italian cloud computing service provider would mean a significant boost in business.

CloudyBiz was a leading Italian provider of CRM services to a huge number of small and medium-sized companies all over Europe. The recent dramatic growth in demand had raised critical security concerns about access to the solution. Customers had started asking more about the security of their access and about strong authentication, each wanting a different approach. Some love digital certificates, some dream of one-time passwords, others ask for Active Directory integration, while some still run Novell eDirectory and would like to use it for authentication (you know, customers always take things to extremes).

When Antti said ASPF might have a solution, Claudio immediately became interested and agreed to a meeting.

Antti started to talk about their solution. He mentioned: “Two years ago we included in our offering solutions from an interesting Finnish vendor, Stonesoft.”

“Oh yes, I have heard of them,” commented Claudio. “They are the company that proposed a clustering solution for other vendors… stonedance, stone… beat, yes, StoneBeat was the name!”

“Of course,” continued Antti, “that was many years ago. However, now their offering has evolved into an advanced network security platform called StoneGate, which includes an identity and access management solution called StoneGate SSL VPN.”

“This could be a very good solution to CloudyBiz’s needs, because it supports over 25 different authentication methods and I’m pretty sure it includes the ones your customers are asking for.”

“Hmmm,” mumbled Claudio, “could be, but sometimes the customers are really reluctant to rely on CloudyBiz for user authentication… or in some cases they have hundreds of users already defined, and they don’t want to force these users to have yet another account and password to maintain and remember!”

“This is very true and understandable,” continued Antti, “that’s why we very often propose this solution in a federated authentication fashion: the basic idea is that users keep authentication at home and once it is successful, they will have access to the cloud in a secured way, providing only that bit of information (for example email address or mobile number) to identify the user profile and provide single sign-on to applications. I’m sure I can ask Juhani Kiviportti, our techie guru, to show you how it works. This is a very interesting and powerful solution.”

“It seems so indeed,” exclaimed Claudio, “so now let’s go back to your office, as it’s getting dark… and a bit cold for my tastes… we can see if Juhani is available and see this marvel in action.”

A few weeks later, CloudyBiz SpA announced a new security option in their offering with an amusing advertising campaign built around the following slogan:

Spaghetti and reindeers: securing access to your CRM!

 

written by RoarinPenguin

Jan 31

Securing access to data and systems continues to be one of the weakest links in the chain, and PEBKAC ;) is a constant issue.

Luckily, solutions exist… for those who think about what strong, innovative authentication could really mean.

StoneGate SSL VPN is the ultimate solution for securing access to corporate data and applications, featuring over 25 authentication methods that can be combined in multiple ways.

As stated in a previous post, very often it is not necessary to add complexity to the authentication process: combining different techniques can add the needed… entropy.

Take a look at the interesting news linked here and let us know what you think!

written by RoarinPenguin

Jan 04

First post of this new 2011, together with my best wishes for a happy new year.

In a recent post I illustrated how to configure StoneGate SSL VPN to perform ticket-based Single-Sign-On to SalesForce.com.

The interesting benefit of the solution is that it keeps secure authentication at home while granting secure, authenticated access to the SalesForce application in the cloud.

The solution described in that post, although powerful and secure, falls a little short on usability, because the user must first log in to the StoneGate SSL VPN application portal and then click the SalesForce application icon before, voilà, he’s in.

This post details how to use Device Definition in StoneGate SSL VPN to greatly improve the overall usability and reach a quicker, smoother result while keeping security at the maximum level.

Device Definition lets you detect a specific type of connecting device based on patterns identified in the HTTP request, such as User-Agent, OS, requested URL, path, etc.
We can therefore define a device type in Manage System > Device Definition based on the requested URL, as shown below:

This ensures that requests for https://salesforce.mydomain.tld are treated differently from others, according to the configuration in Manage Resource Access > Global Resource Settings > Client Access.

We will configure the Device Definition to point to specific pages for authentication and, once authentication is successful, straight to SalesForce with ticket-based Single-Sign-On.

We can retrieve the needed links (Authentication Page and Welcome/Application Page) by looking at the default login menu on the StoneGate SSL VPN Access Point and “building” the application link as described below.

Open the StoneGate SSL VPN Access Point page and hover over the authentication method, then copy the link to retrieve the authentication page URL you are interested in (in the example, StoneGate Password).

As for the application link, assuming that your Web Resource for accessing SalesForce with Ticket-SSO is called MySalesForce, the direct link to the application will be:

https://sslvpn.mydomain.tld/https/MySalesForce

To define the Client Access parameters for the Device Definition, we just need to strip the host part from the URLs above. We therefore have:

Authentication link (Default Page): /wa/auth?authmech=StoneGate%20Password

Application link (Welcome Page): /https/MySalesForce

We can finally configure the Device Definition Client Access in Manage Resource Access > Global Resource Settings > Client Access > Add Device Settings… as shown below:

Click Add to finalize the configuration.

The last thing to do is to add a DNS A or CNAME record pointing salesforce.mydomain.tld at the StoneGate SSL VPN system, so that requests for this URL are routed correctly.

The resulting behaviour is that StoneGate SSL VPN intercepts the URL and, because of the Device Definition configuration, first directs the user to the configured authentication page; once authentication has succeeded, it sends the user straight to SalesForce using ticket-based Single-Sign-On. Keep in mind that the Host header and User-Agent a Device Definition matches on are supplied by the client, so this is a usability routing rule rather than an access control: the SSO ticket is issued only after the user has actually authenticated.
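To make the two hops concrete, here is an added example (not Stonesoft code) of how a host-based Device Definition dispatches a request: an unauthenticated request for the SalesForce hostname goes to the chosen authentication page, and the authenticated follow-up goes to the SSO resource. The hostnames, the resource name MySalesForce and the method name “StoneGate Password” are the post’s own placeholders; the table layout, the default portal path and the local-path check are assumptions for the example.

```python
"""Added example (not Stonesoft code): host-based Device Definition dispatch
for the SalesForce SSO flow. Hostnames, the resource name MySalesForce and the
method name "StoneGate Password" are the post's placeholders; the rest is assumed."""
from urllib.parse import quote, urlsplit

# Constructed Device Definition table, keyed by the Host header the browser sends.
DEVICE_DEFINITIONS = {
    "salesforce.mydomain.tld": {
        "authmech": "StoneGate Password",
        "welcome_page": "/https/MySalesForce",
    },
}
DEFAULT_PORTAL = "/"  # assumption: hosts without a definition get the normal login menu


def auth_link(authmech: str) -> str:
    """Build the Default Page link; the method name must be percent-encoded,
    which is why the post shows /wa/auth?authmech=StoneGate%20Password."""
    return "/wa/auth?authmech=" + quote(authmech, safe="")


def is_local_path(target: str) -> bool:
    """Redirect targets taken from configuration should be paths on this
    Access Point, never absolute or protocol-relative URLs (open redirect)."""
    parts = urlsplit(target)
    return (
        target.startswith("/")
        and not target.startswith("//")
        and "\\" not in target
        and parts.scheme == ""
        and parts.netloc == ""
    )


def route(host: str, requested_path: str, authenticated: bool) -> str:
    """Return the path the Access Point sends the browser to for this request."""
    hostname = host.split(":", 1)[0].lower()  # drop any port, normalise case
    definition = DEVICE_DEFINITIONS.get(hostname)
    if definition is None:
        # No matching Device Definition: unauthenticated users see the standard
        # portal, authenticated ones proceed to what they asked for.
        return requested_path if authenticated else DEFAULT_PORTAL
    if not authenticated:
        return auth_link(definition["authmech"])
    welcome = definition["welcome_page"]
    if not is_local_path(welcome):
        raise ValueError(f"refusing non-local welcome page: {welcome!r}")
    return welcome


def simulate_flow(host: str) -> list:
    """The two hops a user sees: first the auth page, then the SSO resource."""
    return [route(host, "/", authenticated=False), route(host, "/", authenticated=True)]


if __name__ == "__main__":
    for hop in simulate_flow("salesforce.mydomain.tld"):
        print(hop)
```

The percent-encoding in auth_link is the detail most often got wrong when copying the link by hand, and is_local_path is the check worth keeping even though the welcome page comes from your own configuration: a redirect target that ever becomes attacker-influenced turns the login flow into an open redirect.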

Secured Access to the Cloud, keeping Authentication at Home ;)

written by RoarinPenguin

Nov 26

StoneGate SSL VPN is a perfect solution for granting secure access to the cloud.

One of the preferred authentication methods, used standalone or in conjunction with others to strengthen the authentication process, is authentication based on digital certificates.

This movie shows the various powerful and flexible options offered by StoneGate SSL VPN to implement an excellent level of secure authentication with digital certificates when accessing applications in the cloud.

Secure Access to the Cloud! Simplified!

written by RoarinPenguin

Oct 22

Recent discussions about cloud computing, the security standards it should guarantee, and the psychological barriers that are slowing down adoption (although less than in the past) focus attention on a fundamental aspect: security of access.

The countless advantages of a data center “in the cloud” are well described in the streams of ink and… eInk spilled about it.
However, too often the angle is to illustrate flexibility, low impact on maintenance, on-demand performance, ubiquitous access… forgetting a key aspect when talking about access to sensitive data and applications.

Hence the question is: if a CIO accepts moving corporate IT into the cloud – trusting the SLA and security standards of the service provider – which part of the process should be “bomb-proof”?

The answer is too often neglected: Access! Or, better, security level and strength of the access process!

Authentication systems considered “state of the art”, such as OTPs sent via text message, have recently been called into question because of man-in-the-middle attacks that relay the code in real time and nullify the whole security measure.
How should you react to the growing threats, strengthening the overall process?

The answer is contained in an historical quote: Divide and Conquer.

Divide concerns the combination of authentication and identity validation systems (each one featuring a good implicit strength level) to create a barrier to protect access; and make this barrier almost impossible to penetrate unless valid credentials are provided.

StoneGate SSL VPN is an Identity and Access Management (IAM) system featuring over 25 different authentication methods, both native and interoperating with existing backend systems in the enterprise. Complemented by security posture validation and trace removal at the end of the session, the solution gives secure, authenticated access to the applications available to a given user in a given context.

The interesting possibility is the ability to combine multiple instances of the same or different authentication methods, which substantially raises the overall strength of the authentication process.
For example, let’s consider four authentication methods:

  • One-time password delivered via SMS
  • One-time password generated with StoneGate MobileID
  • Certificate authentication with a client certificate protected by a passphrase
  • Native Active Directory authentication.

Each of these methods offers a good security level (password variability, number of authentication factors, difficulty of extracting the protected secret).

The security level is maximized if the IAM system allows the four methods to be combined, since the overall strength and the number of factors increase. Note that steps of the same kind (a fixed password and an Active Directory password are both knowledge factors) add hurdles for an attacker but not new factor categories; the extra factors come from mixing something the user has (phone, token, smartcard) with something the user knows.

Therefore access to a particularly important application or to especially sensitive data could be protected by a very strong authentication schema, such as:

  • type in a username and fixed password; an OTP will be sent to your phone via text message
  • present a valid passphrase-protected digital certificate, stored on a smartcard or token
  • enter an OTP generated with the free MobileID client software, installed on a different device from the one you are using for access
  • type in your Active Directory username and password

By combining this process with security context validation (such as antivirus state and a check of the serial numbers of client hardware components) it is possible to reach a very high level of strength in the authentication and access process, enabling access to the cloud at a security level accepted by the most demanding customers, without sacrificing (too much of) the usability of the process itself.
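As an added example (not Stonesoft code), here is the four-step schema above modelled as a chain: every step must pass in order, the first failure ends the chain, and a separate function counts how many distinct factor categories the chain actually proves. The user record, the secrets, the “sent” SMS code and the use of RFC 4226 HOTP as a stand-in for the MobileID-generated OTP are all constructed for the example; in a real deployment the password steps would be delegated to the backend rather than compared locally.

```python
"""Added example (not Stonesoft code): evaluating a chained authentication
schema and counting the distinct factor categories it proves. User data,
secrets and the HOTP stand-in for the MobileID token are constructed."""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

KNOWLEDGE = "knowledge"    # something the user knows
POSSESSION = "possession"  # something the user has


@dataclass(frozen=True)
class Step:
    name: str
    factors: Tuple[str, ...]                 # categories this step proves to the server
    verify: Callable[[Dict[str, str]], bool]


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP, standing in for the OTP the MobileID software generates."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def _eq(a: str, b: str) -> bool:
    """Constant-time comparison so a wrong code fails in the same time as a near miss."""
    return hmac.compare_digest(a.encode(), b.encode())


def build_chain(user: Dict) -> List[Step]:
    """The schema from the post. Password checks are local comparisons against
    the constructed record here; real deployments delegate them to the backend."""
    return [
        Step("fixed password", (KNOWLEDGE,),
             lambda c: _eq(c.get("password", ""), user["password"])),
        Step("SMS OTP", (POSSESSION,),
             lambda c: _eq(c.get("sms_otp", ""), user["sms_otp_sent"])),
        # The passphrase is checked by the smartcard/token on the client side;
        # the server only sees proof of possession of the certificate's key.
        Step("client certificate", (POSSESSION,),
             lambda c: c.get("cert_fingerprint") in user["cert_fingerprints"]),
        Step("MobileID OTP", (POSSESSION,),
             lambda c: _eq(c.get("mobileid_otp", ""),
                           hotp(user["mobileid_key"], user["mobileid_counter"]))),
        Step("Active Directory password", (KNOWLEDGE,),
             lambda c: _eq(c.get("ad_password", ""), user["ad_password"])),
    ]


def evaluate_chain(chain: List[Step], creds: Dict[str, str]) -> Tuple[bool, Optional[str]]:
    """Every step must pass in order; the first failing step ends the chain (fail closed)."""
    for step in chain:
        if not step.verify(creds):
            return False, step.name
    return True, None


def distinct_factors(chain: List[Step]) -> set:
    """Steps add hurdles, but only different categories add factors."""
    return {f for step in chain for f in step.factors}


def sample_user() -> Dict:
    """Constructed user record; the MobileID key is the RFC 4226 test vector key."""
    return {
        "password": "correct horse",
        "sms_otp_sent": "482913",
        "cert_fingerprints": {"SHA256:constructed-fingerprint"},
        "mobileid_key": b"12345678901234567890",
        "mobileid_counter": 0,
        "ad_password": "battery staple",
    }


def sample_credentials() -> Dict[str, str]:
    """Constructed credentials that satisfy every step of the chain."""
    return {
        "password": "correct horse",
        "sms_otp": "482913",
        "cert_fingerprint": "SHA256:constructed-fingerprint",
        "mobileid_otp": hotp(b"12345678901234567890", 0),
        "ad_password": "battery staple",
    }


if __name__ == "__main__":
    chain = build_chain(sample_user())
    print(evaluate_chain(chain, sample_credentials()))
    print(len(chain), "steps,", len(distinct_factors(chain)), "distinct factors")
```

Running it shows the point made above: the chain has five steps but proves only two factor categories, knowledge and possession, because the fixed password and the Active Directory password are the same kind of secret. Adding a fifth step still helps (an attacker must defeat every step, in order), but the factor count is what posture and policy decisions should be based on.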

Cloud Computing. Secured!

written by RoarinPenguin

Sep 08

It’s the real thing, yeah the real thing, it’s the real thing… even better than the real thing!

That is what U2 would probably say if they experienced what I wrote in the title of this post.

The iPad is rapidly growing into a new, cool, flexible business tool, with more and more companies adopting it on a large scale.

New apps are popping up every day, and the number of them dedicated to business is growing too.

Stonesoft recently released support for this platform (together with the other iThings and Android) in StoneGate MobileID, its free client authentication token software.

Let’s see what this means.


written by RoarinPenguin