Jan 04

Variables in SSL VPN startup command path

Hints and Tips, SSL VPN -

Let’s start 2012 with a technical tip about variable usage in Stonesoft SSL VPN.

More specifically, the variables described in this article are used when configuring a startup command in a Tunnel Set definition to allow TCP/UDP-based applications to be used inside an SSL tunnel.
A sample use case is a user who needs to access his home directory, where we do not want to create as many Tunnel Sets as there are users in the system.
The Startup Command in a Tunnel Set is executed as soon as the tunnel has been successfully established, to automate the launch of a given application.
In this example, the Startup Command in the SSL VPN Tunnel Set configuration could contain something like:

\\192.168.100.1\[$uid]

The [$uid] variable is replaced with the user ID when the system invokes the startup command.

I list below the other useful variables that can be used in the same context:

[$ehost]  =   the access point server name including port number

[$eprot]  =   HTTP or HTTPS

[$uid]  =   The external user name

[$iuid]  =   The internal user name (usually the same as $uid)
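The substitution described above can be previewed before a Tunnel Set is rolled out. The following is an added example, not Stonesoft code: a small model of the expansion that flags user names which would not form a single path component in the resulting share path. The allow-list of characters, the handling of unknown variables and the sample user names are assumptions of this example.

```python
import re

# The four variables listed in the post.
KNOWN_VARS = ("ehost", "eprot", "uid", "iuid")
VAR_RE = re.compile(r"\[\$([A-Za-z]+)\]")
# Assumption of this example: a user name used as a path component may
# contain only these characters (no separators, whitespace or quotes).
SAFE_COMPONENT = re.compile(r"[A-Za-z0-9._-]+")


def expand_startup_command(template, session):
    """Expand [$var] placeholders; return (command, list_of_problems)."""
    problems = []

    def substitute(match):
        name = match.group(1)
        if name not in KNOWN_VARS:
            problems.append(f"unknown variable [${name}]")
            return match.group(0)  # leave the placeholder visible
        value = session.get(name)
        if value is None:
            problems.append(f"no value for [${name}]")
            return match.group(0)
        if name in ("uid", "iuid"):
            # Reject separators, "." and ".." so the value stays one component.
            if not SAFE_COMPONENT.fullmatch(value) or value.strip(".") == "":
                problems.append(f"[${name}] value {value!r} is not a single path component")
        return value

    return VAR_RE.sub(substitute, template), problems


def preview(template, sessions):
    """Expand the template for every session: (uid, command, problems)."""
    return [(s.get("uid"), *expand_startup_command(template, s)) for s in sessions]


# Constructed sample data: the template is the one from the post, the
# user names are invented to show typical external user name formats.
TEMPLATE = r"\\192.168.100.1\[$uid]"
SESSIONS = [
    {"uid": "alice", "iuid": "alice"},
    {"uid": "EXAMPLE\\bob", "iuid": "bob"},
    {"uid": "..", "iuid": "carol"},
]

if __name__ == "__main__":
    for uid, command, problems in preview(TEMPLATE, SESSIONS):
        status = "OK" if not problems else "CHECK: " + "; ".join(problems)
        print(f"{uid!r:16} -> {command}  [{status}]")
```

When the external user name carries a domain prefix, as in the second constructed session, the preview shows that `[$iuid]` may be the better variable for a per-user share.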

I hope this information is useful to simplify your configuration.

written by RoarinPenguin - 237 views

Dec 13

This afternoon I had an interesting conversation with a Partner about one of the best kept secrets in Stonesoft SSL VPN: the ability to secure mail in the cloud providing Exchange ActiveSync and Device ID locking support.

“It’s not for me, I don’t have a cloud” he said initially, when I started describing the solution.

This is a common misunderstanding: to believe that the Cloud is only public!

Because Cloud Computing describes mainly an IT ecosystem, everyone who is adopting techniques and technologies of this ecosystem has a cloud!

Naturally, there is a difference between public and private clouds.

Happy with this description, the Partner continued the discussion and we analyzed the solution illustrated below:

When the user implements a Mail system based on Exchange protected by Stonesoft SSL VPN, there are several interesting benefits:

  • avoid exposing the Exchange Server in the DMZ
  • offload the SSL traffic from the Exchange Server
  • provide support for Exchange ActiveSync to synchronize mail, contacts, calendar and tasks to mobile devices supporting this feature (the majority of recent smartphones do)
  • support Device ID locking, to prevent unauthorized mobile devices from accessing Exchange

…besides securing access to Outlook Web Access and the mail control panel when the mail is accessed via browser.

A growing number of Stonesoft Customers are already enjoying this cool feature, which is included in the base license of the SSL VPN solution.

Stonesoft SSL VPN licensing based on concurrent users and transparent integration with MS Active Directory with dynamic user linking allow a rapid and efficient deployment of a cost-effective solution.

Based on how the conversation ended, I really think that this “growing number” will increase by one soon… ;)

Secure your mail in the cloud, with Stonesoft SSL VPN!

written by RoarinPenguin - 454 views

Apr 06

StoneGate MobileID: even Tron can authenticate!

Authentication, SSL VPN -

I’m pleased to announce that StoneGate SSL VPN MobileID free client software for strong authentication is now available for the latest greatest generation of Nokia products like the N8! Yes, the exact one used in Disney movie Tron ;)

The software is available at no charge (as for all other supported platforms) in the download section on Stonesoft Web Site, with links to external stores/marketplaces when applicable.

…and yes, you can use it even if you are not Tron… and even if you use another Symbian S3 smartphone like Nokia C7 and others :)

Innovative strong authentication! Simplified!

written by RoarinPenguin - 679 views

Mar 30

I’ve recently had several interesting chats about StoneGate SSL VPN and iPad.
A couple of them were about the usage of the iPad as a business tool, thanks to the awesome portability of this marvel of technology (yes, I admit my passion for this cool iThing) which defined a new category in IT: the post-PC.
In this post I try to summarize why I really think that StoneGate SSL VPN represents an excellent enabler for adding security when using the iPad in business, while keeping the splendid user experience unchanged.
Let’s focus on the iPad in business, assuming that commonly needed use cases could be (in no particular order of importance) access to mail, using corporate web applications, browsing the intranet and access to files (such as PDF for example) that the Company made available to roaming users.
Finally, the business usage could imply access to some CRM applications which may be hosted in a cloud elsewhere, such as Salesforce.com or Google Apps.

Let’s start with the most important things: security of the device and authentication. Personally I find the iPad rather secure as a device, since you can protect it with a passcode which can be left simple (4 digit number) or made more complex. You can even set up the device to be erased if the passcode is typed wrong ten times, and the recent move of Apple to give free MobileMe accounts for the Find my iPad thingy improved the situation further.

Actually, I do consider my iPad safer than my laptop ;)

Back to authentication, the cool thing is that you can combine two authentication methods to grant access to your application portal. This will make things even safer.

I protect the StoneGate SSL VPN application portal with a combination of certificate based authentication AND StoneGate Mobile Text. This means that first, I’ll validate a client certificate installed on my iPad, then I’ll prompt the user for a username and password. This will trigger an OTP to be sent via text message to (for example) my iPhone as shown below:

I type these credentials in my iPad browser and I get access to my applications.

I could use other cool authentication methods also…

This type of authentication is based on several factors (certificate, having iPad, having iPhone, knowing a password and ability to receive a text message): 6 factors authentication without sacrificing user experience. Strong enough? Good, let’s move to application experience.

After I have authenticated, I want to read mail, using for example the web interface of my preferred mail system (Lotus Notes, Outlook Web Access, Squirrelmail…). Everything is smoothly parsed by SSL VPN and blended with Single Sign-On to maximize usability… naturally, if the user password to the backend mail system changes, then SSL VPN will display an authentication prompt to update the SSO Domain definition.

I might also want to use the native mail of the iPad since it is the most advanced mail interface I’ve ever experienced… and SSL VPN helps me (again) with Active Sync support with Device ID Locking, to secure my access to the Exchange server through a secure authenticated channel.

Moving on, let’s assume that I need to access Salesforce and Google Apps “in the cloud”: I can configure StoneGate SSL VPN to make ticket Single Sign On to Salesforce.com and Federated Authentication (as Identity Provider) to Google Apps or whatever other cloud application supporting this technology… including another StoneGate SSL VPN acting as a Cloud Service Provider.

Finally, I might want to make the application set available using multiple criteria… for example to avoid displaying to iPad users applications which are not usable from this device. This is possible by linking access criteria to the device definition, to enable StoneGate SSL VPN to recognize the iPad as a connecting device and act accordingly.

Naturally the possibilities offered by this “post-PC” are immense and the new iPad 2 is even raising the bar… this is why Stonesoft is investigating in R&D how to boost this support even more in the future… but so far the situation is good enough to allow using StoneGate SSL VPN to implement a secured use of iPad for “business usage”.

And yes, I’ve written this post using WordPress for iPad.

iNetwork Security! Simplified!

written by RoarinPenguin - 1,230 views

Mar 08

StoneGate SSL VPN 1.4.5 Maintenance Release has just been made available for download!

Besides including several important fixes detailed in the Release Notes, it also offers interesting small enhancements to make the administrator’s life easier and happier.

One of these enhancements is the ability to change the Directory Service it is based on with an option to migrate the user base. This is very useful when

The feature is simple and “it just works”, but I thought to illustrate it in a movie here below.

Directory Service migration! Simplified!

written by RoarinPenguin - 611 views

Feb 28

“The Adventures of Antti Pilvinen” - A story by the RoarinPenguin

DISCLAIMER: All facts, people and companies in this story are fictional and do not have links with any real situation.

Our friend Antti Pilvinen was experiencing a moment of maximum happiness and satisfaction: not only had he overachieved his sales quota, not only did he add many new customers to his company (APSF – Antti Pilvinen Securing Finland)… he also won the internal sales competition’s top prize! Antti was now the owner of a shiny, new iPad 64 GB 3G, including a flat rate data contract for one year. The prize was proudly delivered that morning during a beautiful ceremony on the company’s fifth floor terrace with all of his colleagues applauding that great achievement.

That warmed terrace has been the best investment of last year: a great space with all windows to enjoy the beautiful panorama in Espoo. It is just an all around classy meeting room for these nice internal events, a very nice place to be in January. Although it was mid-morning and the sun was shining, outside it was -16 Celsius and the frozen pine trees were creating an enchanted landscape. Ah, beautiful Finland!

Later in the afternoon, while the light outside was disappearing into the chilly winter night, he started daydreaming of what to do with that oh so cool jewel… ebooks, surfing the web, watching podcasts, listening to music, storing the pictures of his latest travel in Dubai, reading corporate mail… wait! WAIT! Mail? Uhmmm… that might very well be an issue, and a serious one, since APSF was very strict on mail access and security in general. Of course, he could continue to read mail using the Outlook Web interface through that marvelous StoneGate SSL VPN they bought recently but… well, iPad mail is a completely new and insanely great experience!

In addition, iPad has native support for Microsoft Exchange, the platform APSF moved to recently. Timing was just right to meet the guru of their internal systems: Juhani Kiviportti. Full of hope, he went to the internal systems department to look for that genius, who seems to have the native talent to solve all IT issues, no matter how complex they are. Juhani was the person who insisted upon adoption of the StoneGate SSL VPN, which has brought many benefits, in particular increasing the productivity of the sales team. Ubiquitous access to corporate data and applications… from anywhere… but now? Secured access to mail using iPad native exchange support? Maybe this was too much even for Juhani…

Lost in these obscure thoughts, he almost bumped into Juhani’s desktop, fully covered with every possible gadget, including a penguin coming down from the ceiling as a symbol of his “IT faith”: Linux.

With a trembling voice, he started sharing with Juhani his “happy problem”. His mood boosted suddenly when he saw a smile growing on the face of his genial colleague, who simply said: “yeah, this is a part of our SSL VPN I’m thinking to deepen… leave it with me”.

Two days later, he received the following email from Juhani:

“Hi Antti. Please proceed to configure your mail on the iPad simply by typing your email address and you should be operational within few seconds”.

With a sense of disbelief (naah, it couldn’t be that simple!), he tapped on Settings – Mail – Add Account – Microsoft Exchange on his iPad and inserted antti.pilvinen@apsf.fi. He was shocked to see a few seconds later that his iPad screen populated with… his mail messages! Suddenly (professional bias), he wanted to know everything about the security of the entire implementation so he went to see Juhani again with a bunch of questions to “stress test” him.

Antti: “How did you do it? This is… magic!!!”

Juhani: “Any sufficiently advanced technology is indistinguishable from magic…”

Antti: “Seriously… is this secure?”

Juhani: “Of course, thanks to the StoneGate SSL VPN support of secure Active Sync with Device ID Locking in case of loss or theft of the device. Plus, I registered your iPad on Apple MobileMe free service as an additional security measure”.

Antti: “I’m astonished! And you did this in two days?”

Juhani: “Well… no… yesterday I was on holiday.”

Antti: “WOW! And is it working only for iPad?”

Juhani: “That’s the best part of it! You have been the Proof of Concept. The configuration we implemented will allow every device in the company supporting Microsoft Exchange to access email in a secure and authenticated way: Nokia phones, Android phones, iPhone, iPad… all of them… with complete mail, calendar and contacts synchronization. We have reached complete client independence from the mail server!!!”

Antti: “Fantastic! Awesome! Thank you very much for this!”

Juhani: “You are very welcome”.

The best part for Juhani Kiviportti came at the end of that month… when he saw a special bonus in his salary with one comment: “To the person who brought APSF to Secure Mail Nirvana! A.P.”

written by RoarinPenguin - 659 views

Nov 03

The StoneGate SSL VPN 1060 appliance has received a 5-star rating from SC Magazine in the US!

This happened last Monday, with a very nice article detailing the excellent value the solution provides.

The SSL VPN 1060 appliance is the midrange model in the StoneGate SSL VPN product line, providing license options from 50 to 500 concurrent users. The overall SSL VPN appliance offering covers a wider range of licensing options, from 10 to 5000 concurrent users.

The solution is also available for virtualized datacenters to provide secure authenticated access to the cloud and has been recently certified VMware Ready.

written by RoarinPenguin - 855 views

Oct 15

StoneGate SSL VPN VMware Ready!

SSL VPN -

Hello World!

It’s my pleasure to announce that StoneGate SSL VPN Virtual Appliance obtained the VMware Ready certification.

Stonesoft has been one of the first vendors to strongly believe in the power of virtualization and the need for a proper, simplified level of security, and the number of posts on this blog is proof of this.

This certification represents a continuation of our strategy to provide virtualized datacenters with an optimal level of security, including identity and access management offered by StoneGate SSL VPN.

With over 25 authentication methods supported, including legendary ones such as StoneGate MobileID and StoneGate Mobile Text, StoneGate SSL VPN Virtual Appliance is the perfect solution to grant secure and authenticated access to the cloud.

Virtualization Security. Simplified!

written by RoarinPenguin - 1,173 views

Oct 09

New SSL-3201 appliance: power and modularity at your service

SSL VPN -

The new top class SSL-3201 StoneGate SSL VPN appliance is now available.

Pure power at your service, with the ability to serve 5000 concurrent users.

The most interesting innovation of this new model is flexibility, thanks to modular interfaces to fit your network topology.
This appliance’s support for copper and fiber interfaces of different types and speeds boosts secure and authenticated access to corporate applications in the cloud, no matter how the cloud is… wired ;)

Preinstalled with StoneGate SSL VPN software, this machine can be plugged into various existing networks and activated in minutes, to simplify and secure access to a dynamically populated application portal from a wide variety of mobile users.
Multiple authentication methods, security posture verification of connecting clients, trace removal at the end of the session and support for a wide range of client platforms define a new powerful yet flexible and customizable standard for securing the information flow.

Identity and Access Management in the Cloud. Simplified!

written by RoarinPenguin - 548 views

Aug 24

The power of custom access rules in SSL VPN

SSL VPN, Tech dives -

Here’s another SSL VPN Tech Dive for you StoneBlog Readers, with the usual goal of stimulating your creativity and helping you get the most out of StoneGate SSL VPN.

A resource defined in the Administrator interface can be protected by a very flexible and powerful set of criteria: Authentication method, User group membership, IP address of incoming client, Client Device, Date, day and/or time, User storage, Assessment, Trace removal, Access Point used and Identity Provider.

These criteria can be combined with logical OR and logical AND to create a real access strategy, enforcing the maximum level of security and authentication strength.

Besides these options, a very powerful one is also available: custom access rules.

Custom access rules are XML files that extend the default capabilities offered by StoneGate SSL VPN, so that access to protected resources can be filtered with innovative criteria defined by the Security Administrator.

This post will explain how to create and add them to the configuration.


written by RoarinPenguin - 952 views