Jul 07

I’ve been silent for a few weeks, as I wanted to leave the StoneBlog stage to the beautiful series of posts Tero made about the great news of StoneGate 5.2.

But I’m breaking this silence now, since we have completed a very important test that I want to share with you all.

I have been assisting a partner in a project to implement federated authentication with our StoneGate SSL VPN solution combined with Microsoft STS (Security Token Service).

For those of you who don’t know what Federated Authentication (aka Federated ID or Brokered Authentication) is, I’ll sum it up by saying that it is a technique to access applications “in the cloud” (private or public) while keeping authentication “at home”.

In short, the idea is to request access to the application from an entity called the Service Provider (SP), which redirects the user to an Identity Provider (IdP) for authentication. As soon as the identity has been validated, the user is automagically redirected back to the SP, which lets the user in because of the trust relationship established with the IdP.
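To make the SP/IdP round trip concrete, here is an added toy implementation of the brokered flow just described. It is constructed for this post and is not StoneGate or Microsoft STS code: real deployments exchange SAML or WS-Federation tokens signed with the IdP's X.509 key, whereas here the trust relationship between SP and IdP is modelled as a shared HMAC key (`TRUST_KEY`), the user directory is a dictionary, and all URLs (`idp.example.internal`, `crm.example.test`) are assumptions. The SP never sees the password; it only verifies the IdP's signature, the audience, the expiry, and that the token answers a request it actually issued.

```python
"""Toy brokered (federated) authentication flow: SP -> IdP -> SP.

Constructed example, not StoneGate or Microsoft STS code. The trust
relationship is an HMAC key shared by SP and IdP (assumption) so that the
whole exchange runs offline.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

TRUST_KEY = b"constructed-idp-signing-key"  # stands in for the IdP signing certificate
TOKEN_LIFETIME = 300  # seconds a token stays valid


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityProvider:
    """Keeps authentication 'at home': knows the users, issues signed tokens."""

    def __init__(self, login_url, users):
        self.login_url = login_url
        self.users = users  # constructed directory: username -> password

    def authenticate(self, redirect_url, username, password, now=None):
        """Validate credentials, then redirect back to the SP with a signed token."""
        q = parse_qs(urlparse(redirect_url).query)
        return_to, request_id, audience = q["return_to"][0], q["request_id"][0], q["sp"][0]
        if self.users.get(username) != password:
            return None  # authentication failed: no token, no redirect
        issued = int(time.time()) if now is None else now
        claims = {"sub": username, "aud": audience, "in_response_to": request_id,
                  "iat": issued, "exp": issued + TOKEN_LIFETIME}
        body = _b64(json.dumps(claims, sort_keys=True).encode())
        sig = _b64(hmac.new(TRUST_KEY, body.encode(), hashlib.sha256).digest())
        return return_to + "?" + urlencode({"token": body + "." + sig})


class ServiceProvider:
    """Fronts the application 'in the cloud'; trusts the IdP, never sees passwords."""

    def __init__(self, name, acs_url, idp):
        self.name, self.acs_url, self.idp = name, acs_url, idp
        self.pending = {}  # request_id -> application the user asked for
        self.seen = set()  # consumed tokens, so a token cannot be presented twice

    def request_access(self, app_url):
        """User asks the SP for an application; the SP redirects to the IdP."""
        request_id = secrets.token_urlsafe(16)
        self.pending[request_id] = app_url
        return self.idp.login_url + "?" + urlencode(
            {"sp": self.name, "request_id": request_id, "return_to": self.acs_url})

    def consume(self, callback_url, now=None):
        """User returns with a token; the SP verifies it before letting them in."""
        token = parse_qs(urlparse(callback_url).query)["token"][0]
        body, _, sig = token.partition(".")
        expected = _b64(hmac.new(TRUST_KEY, body.encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(sig, expected):
            return None  # not issued by the trusted IdP, or tampered with
        claims = json.loads(_unb64(body))
        now = int(time.time()) if now is None else now
        if claims["aud"] != self.name or claims["exp"] < now:
            return None  # token meant for another SP, or expired
        if claims["in_response_to"] not in self.pending or token in self.seen:
            return None  # unsolicited or replayed token
        self.seen.add(token)
        app_url = self.pending.pop(claims["in_response_to"])
        return claims["sub"], app_url


def run_flow(username, password):
    """Whole exchange for one user; returns (subject, app_url) or None."""
    idp = IdentityProvider("https://idp.example.internal/login",
                           {"alice": "correct horse"})  # constructed user
    sp = ServiceProvider("crm-sp", "https://crm.example.test/acs", idp)
    to_idp = sp.request_access("https://crm.example.test/app")
    back_to_sp = idp.authenticate(to_idp, username, password)
    return None if back_to_sp is None else sp.consume(back_to_sp)
```

The `in_response_to` check is what makes the SP accept only tokens it asked for; without it (or the `seen` set) a captured token could be presented again, which is why real federation profiles bind the response to the request and to a short validity window.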

In this post I’ll describe the lab test carried out with a great guy, hoping that this information will be useful for replicating similar scenarios elsewhere.


written by RoarinPenguin - 4,205 views

Apr 30

Maybe old Benny ;) had authentication in mind when he wrote this (paraphrased) quote.

Surely this is a great truth that we understand well at Stonesoft, since we have always kept focus and attention on the usability of our solutions. Our legendary SMC ease of use is one proof of that, and another is the SMS-based authentication featured in StoneGate SSL VPN.

The recent cloud computing mega trend has again raised concerns about authentication tied to cloud access, and many blog posts and discussions are under way about the best way to ensure an authentication method that is strong enough, yet easy to deploy and use.

One-time passwords seem to be a good idea, but implementations often make them too complicated because they rely on hardware devices, software to install on those devices, PINs to remember, etc.

A few years ago, Finland made a nice technological gift to the world with the first text message sent from one cell phone to another by a student interning at Nokia, and since then the situation has evolved to 4.1 trillion messages sent in 2008. This clearly indicates that:

  • mobile phones are quite popular ;)
  • we always keep them with us (and return home if we leave them there)
  • SMS is a widely used technology, no matter which type of mobile phone we have

As stated in a previous post, StoneGate SSL VPN can be used to implement text-message-based authentication with OTP, and… my Nokia proves it here below ;)

(image: e75auth)

Network Security. Simplified!

written by RoarinPenguin - 1,086 views

Feb 26

Enabling Cloud Computing

SSL VPN

Cloud Computing is one of the most frequent buzzwords heard these days. You may think it is the next big thing, as it seems to be recognized as the new paradigm for the IT of any kind of organization – from small to large, from the private to the public sector, private and stock-listed companies alike.

However, Cloud Computing is not hassle-free, and you can waste a lot of time speculating about privacy, data protection, security and possible misuses.

Wikipedia defines Cloud Computing as "a paradigm shift whereby details are abstracted from the users who no longer need knowledge of, expertise in, or control over the technology infrastructure in the cloud that supports them. It typically involves the provision of dynamically scalable and often virtualized resources as a service over the Internet."

Cloud computing is the "phrase du jour" and, as usual, concepts and definitions change according to who is talking. "Cloud", like the internet, and "computing" are the only terms that do not change, although every time you combine them things become fuzzier and fuzzier.

There is one single good reason that motivates me to write this article: the consideration that no matter how big the fence is, there must be a way out and a way in. And that is where SSL VPN technology comes into play.


written by RoarinPenguin - 1,460 views

Feb 12

A few days ago I described a technique using certificate-based authentication in StoneGate SSL VPN to match a certificate attribute to a user attribute, in order to uniquely identify a user in the Directory Service, allow login, perform Single Sign-On (SSO), etc.

In this article I’m taking it one step further, since StoneGate SSL VPN can authenticate a user presenting a valid certificate without even knowing who the user is, and then use any field of the certificate to perform SSO to protected resources.


written by RoarinPenguin - 1,224 views

Dec 28

Text my access to the cloud

SSL VPN

Cloud computing is cool, sexy and maybe here to stay.

But, as Bruce Schneier recently stated, it is a matter of trust.

And trust involves not only the service provider; it also impacts the connecting user and, naturally, the strength of authenticated and validated access.

Hence SSL VPN technologies play a key role, and StoneGate SSL VPN is a very interesting solution to look at from this perspective.

Authentication is genetically part of our solution, thanks to support for advanced and sophisticated techniques such as MobileID, federation, OATH and numerous other technologies.

An easy one to implement, already documented some time ago, is StoneGate SMS.


written by RoarinPenguin - 1,646 views

Nov 12

Ticket SSO: what a splendid idea!

SSL VPN, Tech dives

This is exactly the comment I heard from a prospect when I explained to him a possible use case for Ticket Single Sign-On, IMHO one of the most interesting features of StoneGate SSL VPN technology… included at no additional charge ;)

To give him a realistic example, I asked him:
“Do you happen to use SalesForce in your company?”
I already knew the answer was yes :) but such small sales “segreti di Pulcinella” (open secrets) are useful for getting immediate attention, so I use them quite often…

Of course he replied yes, so I began my story…


written by RoarinPenguin - 1,884 views

Sep 22

MobileID, aka StoneGate SSL VPN best kept secret ;)

SSL VPN

I was talking with a potential customer in recent days about the plusses (differentiators) of StoneGate SSL VPN technology versus other competitors.

Soon I realized that, besides the common wish for a good clientless mobile-to-site encrypted communication channel, there is high interest in two “shining” features of StoneGate SSL VPN: the Application Portal logic and, above all, the various authentication methods (over 15) included and supported.

And about authentication, we had a nice discussion about how the beauty of hardware-based OTP tokens rapidly turns into a nightmare for system administrators, because such devices are perhaps the “most often forgotten on the shelf at home” ;)


written by RoarinPenguin - 3,248 views

Jul 30

That famous OATH unifying authentication

SSL VPN

I hope the art lovers among you are not disturbed by this photo retouch I’ve made of this masterpiece by the great Jacques-Louis David, but the title of the painting (The Oath of the Horatii) was too yummy for the purpose of this post.

You can see the original version, less “IT branded” ;) , at Louvre Museum in Paris.

Yesterday Stonesoft made available for download StoneGate SSL VPN version 1.3.1.

This version contains a very interesting new feature: support for OATH as an authentication method.


written by RoarinPenguin - 2,416 views

May 12

Authorization and Authentication in StoneGate SSL VPN

SSL VPN

The goal of this short post is to shed light on the StoneGate SSL VPN logic, to allow a better understanding of the technology itself.

Specifically, this document describes what happens inside the SSL VPN when a user is authenticated and authorized:

  1. When accessing the SSL VPN, the user first types the URL of the SSL VPN (e.g. https://ssl.mydomain.com).
    After the SSL tunnel has been negotiated, the enabled authentication methods are presented by the Access Point service.
  2. Next, the user chooses the authentication method he/she wants to use and enters his/her credentials.
  3. After the user submits the credentials, the Access Point contacts the Policy Service, which verifies that the user can be found in the access rules.
  4. If the chosen authentication method is allowed, the Policy Service contacts the Authentication Service and asks it to authenticate the user.
  5. The Authentication Service checks the user credentials against the LDAP/RADIUS server and, if they are OK (authentication successful), sends OK to the Policy Service.
    Note: Depending on the authentication method, the user credentials may be checked over a secure RADIUS or LDAPS connection or over an unsecured LDAP connection.
  6. Once authentication is successful, the Policy Service checks the access rules for each resource and evaluates which resources the user is allowed to access.
  7. Based on this evaluation, the Policy Service informs the Access Point which resources to place on the Application Portal for this authenticated user.
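As an added illustration of the seven steps above, here is a small constructed model of the three services and the order in which they consult each other. It is not StoneGate code: the Access Point, Policy Service and Authentication Service are plain Python classes, the LDAP/RADIUS backend is the `DIRECTORY` dictionary, and the access rules, resource rules and user names are assumptions. The point it shows is the ordering: a user is first looked up in the access rules for the chosen method (step 3), only then authenticated (steps 4 and 5), and only after success are the per-resource rules evaluated to build the portal (steps 6 and 7), denying by default at each stage.

```python
"""Toy model of the login sequence: Access Point -> Policy Service ->
Authentication Service -> Policy Service -> Access Point.

Constructed example, not StoneGate code. Directory, rules and users are
invented sample data.
"""
from dataclasses import dataclass

# Constructed stand-in for the LDAP/RADIUS server: credentials per method, plus groups
DIRECTORY = {
    "alice": {"credentials": {"password": "pw-alice", "sms-otp": "123456"},
              "groups": {"staff", "sales"}},
    "bob":   {"credentials": {"password": "pw-bob"}, "groups": {"staff"}},
}


@dataclass(frozen=True)
class AccessRule:
    """Step 3: a user may log in only if some rule names both the user and the method."""
    users: frozenset
    methods: frozenset


@dataclass(frozen=True)
class ResourceRule:
    """Step 6: a resource is placed on the portal only for members of one of its groups."""
    resource: str
    groups: frozenset


class AuthenticationService:
    def __init__(self, directory):
        self.directory = directory

    def authenticate(self, user, method, credential):
        """Step 5: compare the credential with the directory; any mismatch is a deny."""
        entry = self.directory.get(user)
        if entry is None or method not in entry["credentials"]:
            return False
        return entry["credentials"][method] == credential


class PolicyService:
    def __init__(self, access_rules, resource_rules, auth_service, directory):
        self.access_rules = access_rules
        self.resource_rules = resource_rules
        self.auth_service = auth_service
        self.directory = directory

    def login(self, user, method, credential):
        """Steps 3 to 7: returns (status, resources) for the Access Point to show."""
        if not any(user in r.users and method in r.methods for r in self.access_rules):
            return "denied: no access rule for this user and method", []
        if not self.auth_service.authenticate(user, method, credential):
            return "denied: authentication failed", []
        groups = self.directory[user]["groups"]
        allowed = sorted(r.resource for r in self.resource_rules if r.groups & groups)
        return "ok", allowed


class AccessPoint:
    def __init__(self, enabled_methods, policy):
        self.enabled_methods = enabled_methods
        self.policy = policy

    def methods_offered(self):
        """Step 1: the methods presented on the login page after the TLS handshake."""
        return sorted(self.enabled_methods)

    def submit(self, user, method, credential):
        """Step 2 onward: forward the credentials and build the Application Portal."""
        if method not in self.enabled_methods:
            return "denied: method not enabled on this Access Point", []
        return self.policy.login(user, method, credential)


def build_gateway():
    """Wire the three services together with constructed rules."""
    auth = AuthenticationService(DIRECTORY)
    policy = PolicyService(
        access_rules=[AccessRule(frozenset({"alice"}), frozenset({"password", "sms-otp"})),
                      AccessRule(frozenset({"bob"}), frozenset({"password"}))],
        resource_rules=[ResourceRule("Intranet", frozenset({"staff"})),
                        ResourceRule("CRM", frozenset({"sales"})),
                        ResourceRule("Finance", frozenset({"finance"}))],
        auth_service=auth, directory=DIRECTORY)
    return AccessPoint({"password", "sms-otp"}, policy)


if __name__ == "__main__":
    gw = build_gateway()
    print(gw.methods_offered())
    print(gw.submit("alice", "sms-otp", "123456"))
    print(gw.submit("bob", "sms-otp", "000000"))
```

Note that the access-rule check in step 3 runs before any credential reaches the directory, so a user not entitled to a method never causes a backend lookup; the note under step 5 about plain LDAP versus LDAPS/RADIUS concerns only that backend leg, which this model abstracts away.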

This simple yet powerful logic allows the implementation of very flexible solutions where proper application access over the web is made possible.

Network security. Simplified.

written by RoarinPenguin - 1,144 views