Jun 04

Connection and Blacklist monitoring have been refactored in StoneGate 5.2. While making these functions more reliable, improving the communication protocol between the SMC and the engines, and increasing the connection table update interval, we have also introduced a couple of nice features for these two views. Read below about how Connection and Blacklist Monitoring have been improved.


written by teroja

May 31

During the last two years we have received feedback from Gartner, as well as from some customers, that StoneGate IPS is certainly efficient but that inspection rules are a bit difficult to configure on the device. The other thing we have noticed in customer interviews is that administrators are not aware of all of StoneGate’s inspection capabilities. Administrators don’t seem to have the time to configure and manage Inspection rules in as granular a way as they manage the FW access rules.

In StoneGate 5.2 we have answered these needs. There is a brand new way of configuring inspection rules with the help of the new Inspection Rules panel. Read more about how to configure Inspection rules with SMC 5.2.


written by teroja

May 17

StoneGate 5.2 feature previews

Feature Previews, SMC

StoneGate 5.2 is scheduled to be released in June or July 2010. As the release gets closer, we have decided to continue our tradition and publish a series of articles about the new features and enhancements in advance here in StoneBlog.

Most of the 5.2 enhancements are based on customer feedback we constantly gather from StoneGate customers all over the world. Our duty at Stonesoft R&D is to save your time and maximize the user experience of StoneGate products! StoneGate 5.2 once again provides a lot of usability enhancements in the StoneGate Management Center. In addition, there are some pretty nice new technical features on the engine side that may allow you to use StoneGate products in a different way or in new environments.

Stay tuned and find out what is coming in StoneGate 5.2. We are really interested in hearing your feedback on the new features and enhancements. Feel free to leave comments and ratings to let us know what you think about the latest improvements.

written by teroja

Dec 15

Why does Stonesoft support ask for sginfo files?

Firewall Engine, IPS, SMC, SSL VPN

Have you ever been in the situation where you needed Stonesoft Support to help you troubleshoot a problem, only to be told to send them an sginfo and they will investigate? Ever wonder why?


written by SideKick

Sep 09

When timely patching is just not enough

IPS

Microsoft has just released the September security bulletins. There are five bulletins and all of them are rated critical.

The bulletins describe both client- and server-side remote code execution vulnerabilities, and for most of them functional exploit code is rated *likely*; see http://www.microsoft.com/technet/security/bulletin/ms09-sep.mspx

StoneGate IPS is able to prevent exploits against most of these vulnerabilities, but we cannot protect against, for example, MS09-049, “Vulnerability in Wireless LAN AutoConfig Service Could Allow Remote Code Execution (970710)”, as that vulnerability is exposed on the wireless network itself, before the traffic ever reaches an inline IPS. Luckily, you can install the patches provided with the bulletins to fix these vulnerabilities.

But there are also unpatched vulnerabilities threatening your Windows systems.

Windows Vista, Windows 7 RC and Server 2008 are affected by a vulnerability in their file sharing service (SMBv2) that allows remote code execution. There are no patches available, but exploits are. See http://www.microsoft.com/technet/security/advisory/975497.mspx

The FTP server in IIS 5 and IIS 6 also contains a vulnerability that can be exploited to cause a denial of service and, at least in IIS 5, remote code execution. Again, there are no patches available, but exploits are.

StoneGate IPS can prevent attacks against these unpatched vulnerabilities, covering the window until Microsoft ships a fix. Once the patches are out, install them: the IPS only protects the network paths it sits on.

written by Olli-Pekka Niemi

Jun 05

Press hack the lab a success

IPS, Live from Field

Hi all!

As we wrote earlier, last week we offered selected Finnish journalists a rare chance to peek into the mind of an IT criminal. The event, called “Hack the lab”, was a total success. After some initial hesitation, a wave of enthusiasm and the joy of discovery spread among the participants. The journalists had the chance to try out different techniques, such as port scanning, password cracking and the use of intrusion tools. We let them do all the work and just provided some advice and guidance in the background.

Based on the feedback, we realised that the editors were really surprised by how easy it is to break into a system. None of them could have imagined how easy it is to find powerful tools on the Internet and how easy they are to use. Sure, we should keep in mind that someone has gone through great trouble to make the tools first. Nevertheless, the point remains. The journalists also understood how important it is to have an up-to-date and modern intrusion prevention system in place. When we protected the target systems with StoneGate IPS, the hacks turned out to be unsuccessful. Without the IPS, the target systems were completely owned.

The event generated some coverage as well, please see the links below. (Articles in Finnish)

YLE: Hakkerointi onnistuu kaikilta
mesiksen mietteet: Hakkerilabra opettaa pomoille tietoturvamokia
Tietokone: Hakkerilabra opettaa pahimmat tietoturvamokat
Helsingin Sanomat: Mustahuppuinen hakkeri ja salaiset reseptit (for subscribers only)

written by Olli-Pekka Niemi

Mar 16

StoneGate 5.0: User responses

Feature Previews, IPS, SMC

With StoneGate 5.0, administrators can configure HTML user responses that are shown in the end user’s web browser. The idea of HTML user responses is to tell end users why their connection was blocked.

HTML user responses

The administrator can customize the HTML user responses for the following cases:

  • Connection blacklisted
  • Connection refused by access rule
  • Connection terminated by inspection rule
  • URL not allowed
  • Virus found

For each case the administrator can decide whether to:

  • Close the TCP connection silently
  • Redirect the user to a specified URL
  • Show a customized HTML response

For example, you can notify end users that their web browser is outdated, and make things as smooth as possible for them by including a link to the browser update in the customized HTML user response.

written by teroja

Mar 13

StoneGate 5.0: HTTPS / SSL inspection

Feature Previews, IPS, SMC

HTTPS inspection

StoneGate IPS 5.0 allows you to protect your hosts and servers against attacks hidden inside HTTPS. Here are a couple of use cases you may want to try with StoneGate 5.0:

Client side protection:

  • Detect and block attacks targeting client web browsers inside the SSL tunnel.
  • Protect workstations and internal networks from malicious web servers.

Server side protection:

  • Detect and block attacks targeting the HTTPS server inside the SSL tunnel.
  • Protect the server from being compromised by unauthorized users.

The HTTPS Inspection feature also supports Certificate Revocation Lists (CRLs); the list is updated via the SMC.

You can also whitelist the web sites you don’t want to inspect. There is a new HTTPS inspection policy element where you add, for example, your users’ online banking services.
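To show what a whitelist bypass has to decide before any byte is decrypted, here is an added Python example (not Stonesoft’s code, and not a description of how the StoneGate engine is implemented). It parses the Server Name Indication (SNI) out of a TLS ClientHello, matches it against a whitelist, and falls back to inspecting the flow whenever no trustworthy host name can be recovered. The whitelist syntax, the fail-closed rule, the sample ClientHello and the host names are all assumptions constructed for the example.

```python
"""Added example (not Stonesoft code): the bypass-or-inspect decision an HTTPS
inspection engine makes on the TLS ClientHello.  The host name is taken from the
Server Name Indication (SNI, RFC 6066) because nothing else identifies the site
before decryption.  Whitelist syntax and the fail-closed rule are assumptions."""
import struct
from typing import List, Optional

TLS_HANDSHAKE = 22     # TLS record content type
CLIENT_HELLO = 1       # handshake message type
EXT_SERVER_NAME = 0    # extension type for SNI


def parse_sni(record: bytes) -> Optional[str]:
    """Return the host_name from a ClientHello record, or None when the record
    is not a complete ClientHello carrying an SNI (never bypass on a guess)."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        return None
    (rec_len,) = struct.unpack("!H", record[3:5])
    body = record[5:5 + rec_len]
    if len(body) != rec_len or len(body) < 4 or body[0] != CLIENT_HELLO:
        return None
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        return None                       # truncated handshake message
    pos = 2 + 32                          # client_version + random
    if len(hello) < pos + 1:
        return None
    pos += 1 + hello[pos]                 # session_id
    if len(hello) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]   # cipher_suites
    if len(hello) < pos + 1:
        return None
    pos += 1 + hello[pos]                 # compression_methods
    if len(hello) < pos + 2:
        return None                       # no extensions block at all
    end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    if end > len(hello):
        return None
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
        edata = hello[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype != EXT_SERVER_NAME or len(edata) < 2:
            continue
        p = 2                             # skip ServerNameList length
        while p + 3 <= len(edata):
            ntype = edata[p]
            nlen = struct.unpack("!H", edata[p + 1:p + 3])[0]
            name = edata[p + 3:p + 3 + nlen]
            p += 3 + nlen
            if ntype == 0 and len(name) == nlen:   # NameType host_name
                try:
                    return name.decode("ascii").lower()
                except UnicodeDecodeError:
                    return None
    return None


def host_matches(host: str, pattern: str) -> bool:
    """'*.bank.example' matches any subdomain of bank.example but not the apex."""
    pattern = pattern.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern


def decide(record: bytes, whitelist: List[str]) -> str:
    """'bypass' when the SNI is whitelisted, else 'inspect' (fail closed)."""
    host = parse_sni(record)
    if host is None:
        return "inspect"
    return "bypass" if any(host_matches(host, p) for p in whitelist) else "inspect"


def build_client_hello(host: Optional[str]) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello used as sample input."""
    hello = b"\x03\x03" + bytes(32) + b"\x00"        # version, random, no session
    hello += struct.pack("!H", 2) + b"\xc0\x2f"      # one cipher suite
    hello += b"\x01\x00"                             # null compression only
    if host is not None:
        name = host.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name
        sni = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
        hello += struct.pack("!H", len(ext)) + ext
    body = bytes([CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([TLS_HANDSHAKE, 3, 1]) + struct.pack("!H", len(body)) + body


# Constructed whitelist: one exact host and one wildcard domain.
WHITELIST = ["online.bank.example", "*.pankki.example"]

if __name__ == "__main__":
    for h in ["online.bank.example", "login.pankki.example", "pankki.example",
              "evil.example", None]:
        print(h, "->", decide(build_client_hello(h), WHITELIST))
```

Two design points matter here. First, the SNI is written by the client, so a compromised workstation can put a whitelisted bank name into its ClientHello to slip past inspection; a production engine should therefore confirm that the certificate the server actually presents (and its CRL status, which the post mentions above) matches the name before it commits to bypass. Second, a missing, malformed or truncated SNI results in "inspect", not "bypass": the safe default for a whitelist is to inspect whatever it cannot positively identify.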

written by teroja

Feb 19

Optimizing IPS Bypass Operation

Hints and Tips, IPS, Tech dives

I recently wrote about clustered FW/IPS installations, and in that discussion a question was raised about the bypass functionality of the IPS appliances. So, let’s have a look.

written by olli

Feb 18

Connecting Inline IPS and Firewall Cluster

IPS, Tech dives

The most common place for an IPS is right behind the edge firewall, where it inspects everything that passes through the firewall. The firewall filters out most of the inbound crap, which is too obviously unwanted to be worth inspecting with an IPS. This is a fairly straightforward setup: you just connect the inline IPS between the firewall and the internal switch. Crossover cables from the firewall to the IPS, straight cables from the IPS to the switch, and you’re done. In inline mode, StoneGate IPS looks like a cable to the network. It does not alter allowed traffic in any way, so deployment is simple.

Simple FW/IPS setup

Clustering the firewall does not seem to change much: you just add an IPS (or an inline pair) for each additional firewall node. Still quite straightforward.

Redundant setup

Let’s now stop and think for a minute. What does this setup mean, and how does it work?


written by olli