Aug 24
Here’s another SSL VPN Tech Dive for you StoneBlog readers, with the usual goal of stimulating your creativity and helping you get the most out of StoneGate SSL VPN.
A resource defined in the Administrator interface can be protected by a very flexible and powerful set of criteria: authentication method, user group membership, IP address of the incoming client, client device, date, day and/or time, user storage, assessment, trace removal, access point used and identity provider.
These criteria can be combined with logical OR and logical AND to create a real access strategy that enforces the maximum level of security and authentication strength.
Besides these options, another very powerful one is available: custom access rules.
Custom access rules are XML files that extend the default capabilities of StoneGate SSL VPN, letting the Security Administrator filter access to protected resources with criteria of their own design.
This post will explain how to create them and add them to the configuration.
written by RoarinPenguin - 1,055 views
tags: access rule, access security, custom, SSL VPN
Jul 20
I was discussing today with a customer interested in verifying this option offered by StoneGate SSL VPN to protect a web resource… and I thought I would document it here, especially the part related to the Windows configuration.
The whole idea behind WIL is that a backend web server (Internet Information Server, for example) protects a web path with the technique called Windows Integrated Login.
When a browser attempts to reach it, the web server sends back an authentication challenge. The credentials are taken from the Windows environment, allowing authenticated users of a given domain to access the resource smoothly.
Other users will have to enter credentials in a popup window that appears, receiving an HTTP 401 Unauthorized if validation fails.
written by RoarinPenguin - 2,890 views
tags: SSL VPN, Windows Integrated Login
Jul 09
Welcome to a new tech dive about StoneGate SSL VPN.
Today we’ll cover a very interesting topic in this new world of cloud computing and web services: Ticket Single Sign-On.
As most of you might guess, Single Sign-On is a technique for logging in to backend applications and systems without retyping user credentials, once the user has been authenticated and granted access on the main application portal.
StoneGate SSL VPN supports a wide variety of Single Sign-On techniques for legacy and web applications, including static, adaptive, cookie-based, ticket-based and form-based SSO.
I already described Ticket SSO as a splendid idea in a previous post, but today I will detail the configuration steps needed to implement this technique with a very well known web app in the cloud: Salesforce.com.
written by RoarinPenguin - 2,143 views
tags: SalesForce, SSL VPN, Ticket SSO
Jul 07
I’ve been silent for a few weeks as I wanted to leave the StoneBlog stage to the beautiful series of posts Tero made about the great news of StoneGate 5.2.
But I’m breaking this silence now, since there is a very important test we have done that I want to share with you all.
I have been assisting a partner in a project to implement federated authentication with our StoneGate SSL VPN solution combined with Microsoft STS (Security Token Service).
For those of you who don’t know what Federated Authentication (aka Federated ID or Brokered Authentication) is, I’ll sum it up by saying that it is a technique to access applications “in the cloud” (private or public) while keeping authentication “at home”.
In short, the idea is to request access to the application from an entity called the Service Provider (SP), which redirects the user to an Identity Provider (IdP) for authentication. As soon as the identity has been validated, the user is automagically redirected back to the SP, which lets the user in because of the trust relationship established with the IdP.
In this post I’ll describe the lab test made with a great guy, hoping that this information will be useful for replicating similar scenarios elsewhere.
written by RoarinPenguin - 4,205 views
tags: ADFS 2.0, authentication, brokered authentication, Federated ID, identity provider, Microsoft, SAML, SAML 2.0, service provider, SSL VPN, StoneGate SSL VPN
Apr 30
Maybe old Benny had authentication in mind when he wrote this (paraphrased) quote.
Surely this is a great truth that we understand well at Stonesoft, since we have always kept our focus and attention on the usability of our solutions. The legendary ease of use of our SMC is one proof of that; the SMS-based authentication featured in StoneGate SSL VPN is another.
The recent cloud computing mega trend has again raised concerns about authentication for access to the cloud, and many blog posts and discussions are under way about the best way to achieve an authentication method that is strong enough yet easy to deploy and use.
One-time passwords seem to be a good idea, but implementations have often made them too complicated, relying on hardware devices, software to install on those devices, PINs to remember, etc.
A few years ago, Finland made a nice technological gift to the world with the first text message sent from one cell phone to another by a student interning at Nokia, and since then things have evolved to 4.1 trillion messages sent in the year 2008. This clearly indicates that:
- mobile phones are quite popular
- we always keep them with us (and return home if we leave them there)
- SMS is a widely used technology, no matter which type of mobile phone we have
As stated in a previous post, StoneGate SSL VPN can be used to implement text-message-based authentication with OTP and… my Nokia proves it here below.
Network Security. Simplified!
written by RoarinPenguin - 1,086 views
tags: authentication, sms, SSL VPN, stonegate, text messaging
Mar 26

…you can believe it or not.
This is exactly the power that the new StoneGate SSL VPN version 1.4 gives you when assessing a Windows workstation that is trying to access corporate applications.
You can decide, case by case, to verify the antivirus, the age of its pattern file, etc. for a number of antivirus engines (customizing the parameters if you need to) such as McAfee, Trend Micro, Sophos, Panda Software, Norman, Grisoft, CA eTrust and others.
You can even check for running processes, registry paths, listening ports… or you can simply trust Windows Security Center when it says “I’m OK!”, since quite often this means:
- Windows is updated from patch perspective
- Windows Firewall (or equivalent) is properly operational
- Antivirus is running and updated
Here’s how to do that.
written by RoarinPenguin - 1,326 views
tags: assessment, End Point Security, eps, SSL VPN, Windows Security Center
Mar 24
Ten different opinions or interpretations of the same concepts from different people convinced me that it is time to shed some light on two very important concepts for StoneGate SSL VPN: Directory Service and User Storage.
These two terms often refer to the same backend technologies (an OpenLDAP server, for example), which generates confusion and misunderstanding.
I will now try to give a clear explanation of the usage and purpose of both, to blow the fog away.
written by RoarinPenguin - 1,824 views
tags: difference, directory service, SSL VPN, user storage
Mar 14
Of course it’s important to follow up-and-coming transformative technologies. If the numbers from the first weekend of Apple iPad pre-orders are remotely close to being correct (~20,000 per hour), it qualifies as a transformative device. With WiFi and optional 3G connectivity, it also makes a great platform for both organizational access and administration. Of course, those of us who are Apple fans would be remiss not to place our own order for testing all things StoneGate on this device. After all, StoneGate and Apple are both technologies people love.
[Image: WebPortal iPhone example]
[Image: StoneGate iPhone Report]
We know from the iPhone that the StoneGate WebPortal interface works like a champ already, allowing administrators to view logs and reports, check security policies and more. Since the iPad reportedly uses iPhone OS 3.2, we don’t expect that to be any different. We also don’t expect that the StoneGate SSL VPN will be any different, easily allowing access to Web-based resources through a multitude of authentication technologies via 3G and WiFi networks. Of course, the remaining question is then whether the full StoneGate Management Client will work. At this time it’s speculation, but the answer initially is likely, “No” since – like the iPhone before it – the iPad will likely not support Java.
That said, stay tuned to StoneBlog to find out our first experiences as soon as the post delivers our new test subject; we’ll let you know at least the “unofficial” support of StoneGate on this tool. After all, what better way to achieve…
Network security. Simplified.
written by markb - 2,476 views
tags: administration, iPad, SSL VPN, stonegate, WebPortal
Feb 26
Cloud Computing is one of the most frequent buzzwords heard these days. You may think it is the next big thing, as it seems to be recognized as the new paradigm for the IT of any kind of organization, from small to large, from the private to the public sector, private and stock-listed companies alike.
However, Cloud Computing is not hassle-free, and you can waste a lot of time speculating about privacy, data protection, security and possible misuses.
Wikipedia defines Cloud Computing as "a paradigm shift whereby details are abstracted from the users who no longer need knowledge of, expertise in, or control over the technology infrastructure in the cloud that supports them. It typically involves the provision of dynamically scalable and often virtualized resources as a service over the Internet."
Cloud computing is the "phrase du jour" and, as usual, concepts and definitions change depending on who is talking. "Cloud", like the internet, and "computing" are the only terms that do not change, although every time you combine them things become fuzzier and fuzzier.
There is one single good reason that motivates me to write this article: the consideration that no matter how big the fence is, there must be a way out and a way in. And that is where SSL VPN technology comes into play.
written by RoarinPenguin - 1,460 views
tags: access, authentication, cloud computing, security in the cloud, SSL VPN, virtual appliance
Feb 12
A few days ago I described a technique using certificate-based authentication in StoneGate SSL VPN to match a certificate attribute to a user attribute, in order to uniquely identify the user in the Directory Service and allow login, perform Single Sign-On (SSO), etc.
In this article I’m taking it one step further, since StoneGate SSL VPN can authenticate a user presenting a valid certificate without even knowing who the user is, and then use any field of the certificate to perform SSO to protected resources.
written by RoarinPenguin - 1,224 views
tags: authentication, certificate, SSL VPN