Jul 19

Ergonomic Authentication

Authentication -

According to Oxford Dictionary, Ergonomics is the study of people’s efficiency in their working environment.

As mentioned in a previous post, we kept this concept clear in mind when we designed StoneGate Authentication Server.

The movie above is just… a proof of this ;)

Secure Strong Authentication… simplified!

written by RoarinPenguin - 852 views

Jul 06

Have a shiny new iPad/iPhone/iOS device and wonder how to access all your precious corporate data? Are you a sysadmin who needs to manage the corporate LAN from everywhere? Do you need some intranet-only web pages you don’t want to publish for security reasons?

This simple tutorial will explain how to create a VPN between your StoneGate and your iDevices.

Thanks to Marco Rottigni who gave me precious hints to make all things work!

This is my very first post to the Stoneblog; feel free to give me feedback and suggestions! Roberto

written by roberto.toniolo - 3,714 views

Mar 30

I’ve recently had several interesting chats about StoneGate SSL VPN and iPad.
A couple of them were about usage of the iPad as a business tool, thanks to the awesome portability of this marvel of technology (yes, I admit my passion for this cool iThing) which defined a new category in IT: the post-PC.
In this post I try to summarize why I really think that StoneGate SSL VPN represents an excellent enabler for adding security when using iPad in business, while keeping the splendid user experience unchanged.
Let’s focus on iPad in business, assuming that commonly needed use cases could be (in no particular order of importance) access to mail, using corporate web applications, browsing the intranet and access to files (such as PDFs, for example) that the company made available to roaming users.
Finally, the business usage could imply access to some CRM applications which may be hosted in a cloud elsewhere, such as Salesforce.com or Google Apps.

Let’s start with the most important things: security of the device and authentication. Personally I find the iPad rather secure as a device, since you can protect it with a passcode which can be left simple (a 4-digit number) or made more complex. You can even set up the device to be erased if the passcode is typed wrong ten times, and Apple’s recent move to give free MobileMe accounts for the Find my iPad thingy improved the situation further.

Actually, I do consider my iPad safer than my laptop ;)

Back to authentication, the cool thing is that you can combine two authentication methods to grant access to your application portal. This will make things even safer.

I protect the StoneGate SSL VPN application portal with a combination of certificate-based authentication AND StoneGate Mobile Text. This means that first, I’ll validate a client certificate installed on my iPad, then I’ll prompt the user for a username and password. This will trigger an OTP to be sent via text message to (for example) my iPhone as shown below:

I type these credentials in my iPad browser and I get access to my applications.

I could use other cool authentication methods also…

This type of authentication is based on several factors (certificate, having iPad, having iPhone, knowing a password and ability to receive a text message): 6-factor authentication without sacrificing user experience. Strong enough? Good, let’s move to application experience.

After I get authenticated, I want to read mail, using for example the web interface of my preferred mail system (Lotus Notes, Outlook Web Access, Squirrelmail…). Everything is smoothly parsed by SSL VPN and blended with Single Sign-On to maximize usability… naturally, if the user’s password to the backend mail system changes, then SSL VPN will display an authentication prompt to update the SSO Domain definition.

I might also want to use the native mail of the iPad since it is the most advanced mail interface I’ve ever experienced… and SSL VPN helps me (again) with Active Sync support with Device ID Locking, to secure my access to the Exchange server through a secure authenticated channel.

Moving on, let’s assume that I need access to Salesforce and to Google Apps “in the cloud”: I can configure StoneGate SSL VPN to make ticket Single Sign On to Salesforce.com and Federated Authentication (as Identity Provider) to Google Apps or whatever other cloud application supporting this technology… including another StoneGate SSL VPN acting as a Cloud Service Provider.

Finally, I might want to make the application set available using multiple criteria… for example, to avoid displaying to iPad users applications which are not usable from this device. This is possible by linking access criteria to the device definition, to enable StoneGate SSL VPN to recognize the iPad as a connecting device and act accordingly.

Naturally the possibilities offered by this “post-PC” are immense and the new iPad 2 is even raising the bar… this is why Stonesoft is investigating in R&D how to boost this support even more in the future… but so far the situation is good enough to allow using StoneGate SSL VPN to implement a secured use of iPad for “business usage”.

And yes, I’ve written this post using WordPress for iPad.

iNetwork Security! Simplified!

written by RoarinPenguin - 1,594 views

Feb 28

“The Adventures of Antti Pilvinen” - A story by the RoarinPenguin

DISCLAIMER: All facts, people and companies in this story are fictional and do not have links with any real situation.

Our friend Antti Pilvinen was experiencing a moment of maximum happiness and satisfaction: not only had he overachieved his sales quota, not only did he add many new customers to his company (APSF – Antti Pilvinen Securing Finland)… he also won the internal sales competition’s top prize! Antti was now the owner of a shiny, new iPad 64 GB 3G, including a flat rate data contract for one year. The prize was proudly delivered that morning during a beautiful ceremony on the company’s fifth floor terrace with all of his colleagues applauding that great achievement.

That warmed terrace has been the best investment of last year: a great space with all windows to enjoy the beautiful panorama in Espoo. It is just an all around classy meeting room for these nice internal events, a very nice place to be in January. Although it was mid-morning and the sun was shining, outside it was -16 Celsius and the frozen pine trees were creating an enchanted landscape. Ah, beautiful Finland!

Later in the afternoon, while the light outside was disappearing into the chilly winter night, he started daydreaming of what to do with that oh so cool jewel… ebooks, surfing the web, watching podcasts, listening to music, storing the pictures of his latest travel in Dubai, reading corporate mail… wait! WAIT! Mail? Uhmmm… that might very well be an issue, and a serious one, since APSF was very strict on mail access and security in general. Of course, he could continue to read mail using the Outlook Web interface through that marvelous StoneGate SSL VPN they bought recently but… well, iPad mail is a completely new and insanely great experience!

In addition, iPad has native support for Microsoft Exchange, the platform APSF moved to recently. Timing was just right to meet the guru of their internal systems: Juhani Kiviportti. Full of hope, he went to the internal systems department to look for that genius, who seems to have the native talent to solve all IT issues, no matter how complex they are. Juhani was the person who insisted upon adoption of the StoneGate SSL VPN, which has brought many benefits, in particular increasing the productivity of the sales team. Ubiquitous access to corporate data and applications… from anywhere… but now? Secured access to mail using iPad native exchange support? Maybe this was too much even for Juhani…

Lost in these obscure thoughts, he almost bumped into Juhani’s desktop, fully covered with every possible gadget, including a penguin coming down from the ceiling as a symbol of his “IT faith”: Linux.

With a trembling voice, he started sharing with Juhani his “happy problem”. His mood boosted suddenly when he saw a smile growing on the face of his genial colleague, who simply said: “yeah, this is a part of our SSL VPN I’m thinking to deepen… leave it with me”.

Two days later, he received the following email from Juhani:

“Hi Antti. Please proceed to configure your mail on the iPad simply by typing your email address and you should be operational within a few seconds”.

With a sense of disbelief (naah, it couldn’t be that simple!), he tapped on Settings – Mail – Add Account – Microsoft Exchange on his iPad and inserted antti.pilvinen@apsf.fi. He was shocked to see a few seconds later that his iPad screen populated with… his mail messages! Suddenly (professional bias), he wanted to know everything about the security of the entire implementation so he went to see Juhani again with a bunch of questions to “stress test” him.

Antti: “How did you do it? This is… magic!!!”

Juhani: “Any sufficiently advanced technology is indistinguishable from magic…”

Antti: “Seriously… is this secure?”

Juhani: “Of course, thanks to the StoneGate SSL VPN support of secure Active Sync with Device ID Locking in case of loss or theft of the device. Plus, I registered your iPad on Apple MobileMe free service as an additional security measure”.

Antti: “I’m astonished! And you did this in two days?”

Juhani: “Well… no… yesterday I was on holiday.”

Antti: “WOW! And is it working only for iPad?”

Juhani: “That’s the best part of it! You have been the Proof of Concept. The configuration we implemented will allow every device in the company supporting Microsoft Exchange to access email in a secure and authenticated way: Nokia phones, Android phones, iPhone, iPad… all of them… with complete mail, calendar and contacts synchronization. We have reached complete client independence from the mail server!!!”

Antti: “Fantastic! Awesome! Thank you very much for this!”

Juhani: “You are very welcome”.

The best part for Juhani Kiviportti came at the end of that month… when he saw a special bonus in his salary with one comment: “To the person who brought APSF to Secure Mail Nirvana! A.P.”

written by RoarinPenguin - 788 views

Sep 08

It’s the real thing, yeah the real thing, it’s the real thing… even better than the real thing!

That is what U2 would probably say if they experienced what I wrote in the title of this post.

The iPad is rapidly growing as a new, cool, flexible business tool with more and more companies adopting it massively.

New apps are popping up every day, and again the number of them dedicated to business is growing.

Stonesoft recently released the support of this platform (together with the other iThings and Android) for the client authentication free token software StoneGate MobileID.

Let’s see what this means.


written by RoarinPenguin - 1,895 views

Mar 14

StoneGate and iPads

Live from Field, SMC, SSL VPN -

Of course it’s important to follow up-and-coming transformative technologies. If the numbers on the first weekend of Apple iPad pre-orders are remotely close to being correct (~20,000 per hour), it classifies as a transformative device. With WiFi and optional 3G connectivity, it also makes a great platform for both organizational access and administration. Of course, those of us who are Apple fans would be remiss without placing our own order for testing all things StoneGate on this device. After all, StoneGate and Apple are both technologies people love.

We know from the iPhone that the StoneGate WebPortal interface works like a champ already, allowing administrators to view logs and reports, check security policies and more. Since the iPad reportedly uses iPhone OS 3.2, we don’t expect that to be any different. We also don’t expect that the StoneGate SSL VPN will be any different, easily allowing access to Web-based resources through a multitude of authentication technologies via 3G and WiFi networks. Of course, the remaining question is then whether the full StoneGate Management Client will work. At this time it’s speculation, but the answer initially is likely, “No” since – like the iPhone before it – the iPad will likely not support Java.

That said, stay tuned to StoneBlog to find out our first experiences as soon as the post delivers our new test subject; we’ll let you know at least the “unofficial” support of StoneGate on this tool. After all, what better way to achieve…

Network security. Simplified.

written by markb - 2,476 views