Sep 03

Recent security incidents with Diginotar and less recent (but a lot less important) ones with Comodo and RSA raised quite a concern about something that was taken for granted: the implicit level of security of an SSL-encrypted channel and of time-based strong authentication methods such as hardware-based one-time password generators.
Employees working from home, online banking users, citizens using governmental online services, web mail systems containing more and more personal data, web sites for online shopping, service providers offering applications “in the cloud”.
These are just samples of the countless services that are potentially impacted by the new new threat: valid digital certificates stolen by cybercriminals, used to fake connections to well-known domain names.
Which is not that new new threat, since it is implicit in the SSL server certificate authentication model based on the level of trust put in the so-called issuing Certificate Authorities.

Well, it really seems to me that the ‘problem’ continues to be the same.

written by RoarinPenguin - 605 views

Aug 18

According to Sari Kajantie from the Finnish National Bureau of Investigation (NBI) in Helsingin Sanomat, the biggest national newspaper in Finland on 4 August 2011: “It is not the fault of the employee who has opened the attachment, if the hacker can access all company data from a single laptop.”

Companies need to pay much more attention to their internal network activities and traffic. It should not come as a surprise to anybody that individual laptops are compromised. Workstation networks must be separated from the servers by firewalls and intrusion prevention systems; not only by installing these devices, but also by paying attention to rules and monitoring their alerts.

written by Ari Vänttinen - 924 views

Jun 30

Dealing with evasions by Olli-Pekka Niemi

Antievasion, IPS, Security News

Read what the head of Stonesoft's vulnerability research team says about the challenges in evasion protection.

written by Ari Vänttinen - 762 views

Mar 31

RSA: To Token or Not To Token

Authentication, Cloud Computing, SSL VPN

By now, you likely have seen the news regarding the breach of RSA’s authentication tokens and the possibility of a long-term security compromise of SecurID. While the exact cause of the attack is still being determined, one thing is for certain: companies need to re-evaluate the security of remote access to their networks.

Not surprisingly, we have received numerous inquiries from customers about our approach to securing remote access.
Additions to the StoneGate SSL VPN remote access solution are already in development and we’ve expedited the release of our new authentication server to offer customers multiple authentication methods for securing remote access to critical data and applications across the network.

The new StoneGate Authentication Solution combines SSL-VPN and authentication server capabilities with other deployed authentication methods that can be pushed to any remote device. Our multi-factor authentication will convert the need for archaic, awkward, unusable hardware tokens into ergonomic, easy to implement and manage software tokens, or even a one-time password (OTP) via text message to every mobile phone.

Highlights of the StoneGate Authentication Solution include:

  • Secure remote access: grant access to any application, including cloud-hosted ones
  • Complete integration of multiple authentication methods, including StoneGate MobileID and SMS-based authentication
  • Easy access to detailed user and log data to monitor access in real-time and proactively spot security concerns across the network
  • The availability of geo-location information and reporting to increase awareness about remote access trends and threats
  • Complete incident management capabilities, from identification and resolution to mass deployment of updates – all of which occurs from a single management console.

Are you reviewing your current strategy for remote access security? Should you be?
If so, the StoneGate Authentication Solution is an alternative to traditional solutions (such as token-based methods) that is more cost-effective, less complex and most importantly, more secure.

written by admin - 800 views

Jan 31

Securing the access to data and systems continues to be one of the weakest points in the chain and PEBKAC ;) is a constant issue.

Luckily, solutions exist… for those who think what strong innovative authentication could really mean.

StoneGate SSL VPN is the ultimate solution to secure the access to corporate data and applications, featuring over 25 authentication methods which can be combined in multiple fashions.

As stated in a previous post, very often it is not necessary to add complexity to the authentication process: a combination of different techniques could help add the needed… entropy.

Take a look at the interesting news linked here and let us know what you think!

written by RoarinPenguin - 706 views

Jan 17

NSS Labs’ Network IPS Group Test Results

IPS, Security News

NSS Labs recently released the results of its latest Network IPS Group Test, which was also covered by Jeremy Kirk at IDG News Service here. The results were interesting to say the least. Here are a few high level observations:

StoneGate IPS performance. Like a majority of the appliances tested, StoneGate received a Neutral rating indicating that the devices performed reasonably well and should be considered in the purchasing process. However, there were several areas where StoneGate IPS tested exceedingly well, including:

  • Excellent in value purchase and TCO. Stonesoft’s StoneGate IPS-1205 and IPS-3205 appliances were rated excellent in value purchase. In the sub-gigabit category, the StoneGate IPS-1205 provided the best price per Mbps-protected. In the high-end appliance category, the StoneGate IPS-3205 had the second lowest three-year TCO.
  • Ease of use. “Stonesoft’s Management Center builds on its firewall management and is extremely intuitive and easy to use. Deploying Stonesoft’s pre-defined policies is simple and efficient. It took almost no time to setup, configure and tune.”
  • 100 percent protection against evasions. The StoneGate IPS-1205 and IPS-3205 successfully handled 100 percent of NSS Labs’ traditional evasion attempts without error, including HTML evasions. However, it’s important to note that Advanced Evasion Techniques (AETs) were not included in this test, so the 100 percent coverage is for basic evasions only and will not provide protection against AETs. According to NSS Labs:
    “If an attacker can avoid detection by fragmenting IP Packets or segmenting TCP streams, an IPS will be completely blind to ALL attacks”.

This concept has been at the heart of our AET research, and is why we are expecting NSS Labs to raise the bar in 2011 by incorporating AET tools into their testing suite.

written by TimoT - 1,732 views

Nov 22

Stonesoft products not vulnerable to CVE-2010-3864

Security News

On 16th Nov 2010 OpenSSL reported a serious vulnerability in TLS server extension code parsing that enables remote exploits against vulnerable servers.

None of Stonesoft's StoneGate products are affected. Although we use the vulnerable version of the OpenSSL library, the server extension where the vulnerable code lies has not been included in our products.

BR,

- Joona

written by joona - 816 views

Oct 20

Advanced Evasion Techniques

IPS, Security News

Yesterday we publicly announced the discovery of new, advanced evasion techniques (AET) that can pose a serious threat to existing network security systems worldwide. The details of the discovery have been shared with CERT-FI in Finland for vulnerability coordination purposes and validated by ICSA Labs.

This discovery by Stonesoft vulnerability experts is not a new exploit or vulnerability, but a new method of delivering new and existing exploits (such as Stuxnet or Zeus) by bypassing today’s network security systems. Evasions enable advanced and hostile cyber criminals to deliver any malicious content, exploit or attack to a vulnerable system, without detection. Most evasion techniques to date have stayed within the confines of established rules for network traffic. Security systems can be rendered ineffective against evasion techniques, in the same way a stealth fighter can attack without detection by radar and other defensive systems. While evasions are nothing new, with research dating back to the late 1990s at least, AETs extend the research dramatically, adding new techniques and dramatically increasing the successful combinations possible.

AETs, a new species of evasion techniques, can be altered or combined in any order to avoid detection by security systems. AETs are, by their nature, dynamic, unconventional, virtually limitless in quantity, and unrecognizable by conventional detection methods. The number of new AETs is growing exponentially, and thus they create an everlasting and ever-changing challenge for the information security industry and organizations around the world.

For more information about the announcement, see the press release, and join the discussion at www.antievasion.com.

written by markb - 1,259 views

Oct 18

Æntievasion – Knowledge is Power!

Antievasion

The principles of anti-evasion need to be re-written. Conventional principles are still valid, but we must take it a step further and realize the BIGGER picture. We need to be ready to break all the dominant rules and principles about evasion protection, like our enemies do. It has become evident that we only have seen the tip of the iceberg and over 90% of that iceberg is still unexplored. The theory and practice of evasion techniques needs to proceed hand-in-hand with leaps, not steps.

The idea of writing the principles of anti-evasion together as a community was born as the scope of the issue became clear. Re-writing principles is too challenging for one man. We need and want allies, and we are ready to share insights and knowledge of our discovery and anti-evasion protection. So should everyone else before it escalates and poses an uncontrolled threat for the entire networked world.

Radical and fundamental revolution in network security and intrusion prevention is about to begin. Join the conversation now!

written by RoarinPenguin - 1,658 views

Sep 30

StoneBlog has been sleeping for a few days now, and I’d like to revitalize it with this post about a real risk I was chatting about a few minutes ago with a friend.

We have talked in past posts about one splendid feature of our legendary StoneGate Management Center: geolocation.

This is undoubtedly a very useful tool for security administrators, to perform monitoring tasks and to act like “human correlation tools”; that is, to use the ability of our brain to look at visual information and have intuitions about events with a logic that is not definable in rules. No IT tool can help in this, or at least it would help but it would also be prone to too many errors and false positives/negatives.

If geolocation is very useful for IT Security tools, I have serious doubts it is a good idea when applied to people and activities of people. For instance, think of the option offered by several smartphones to interact with social sites to geolocalize a person and offer information about where he is, where he has been, what he’s doing right now and even offer a map of the area where the person is.

Sure it is nice to show friends that we are always on, always connected, always on the Net and always reachable, but imagine how this information could potentially be used to study an attack, or to plan a robbery, or to violate people's property, etc.

It’s not (anymore only) about privacy, it’s more about security… right?

I’m interested in understanding your comments about this topic, to continue to simplify… security.

written by RoarinPenguin - 716 views