Feb 14

“The Adventures of Antti Pilvinen” - A story by the RoarinPenguin

DISCLAIMER: All facts, people and companies in this story are fictional and have no link to any real situation, with the exception of Robert’s Coffee, Sonera and Finavia.

Helsinki – February – 8.30 AM – Vantaa airport

Antti Pilvinen, a typical Finnish salesman, has just finished his espresso at Robert’s Coffee… the aroma of his croissant still pervades the warm room…

What a beautiful feeling, especially when the car he left in the parking lot 20 minutes earlier is still freezing at -23 °C.

Sitting in a comfortable chair, he realizes that there are still 45 minutes before the green flashing Portille (“to the gate”) sign will appear on the screen at the gate.

Thinking about how good this morning is for business, he remembers that he still has to finish an offer for 10 SSL VPN application portals for his prospective client Sanomat. Then it occurs to him that this is a great moment to check email and update Salesforce.com with a couple of notes about the two meetings he attended yesterday.

He is thinking in particular of the very promising second meeting, which involves a potentially immense number of IPS engines, after the Stuxnet variant that appeared in the wild a few days before. He needs to react quickly and prompt the Sales Engineer to send more information to Mr. Virtanen.

While waiting for his Dell to boot, he silently gives thanks to Finavia for sponsoring free WiFi at the airport. Sonera’s network is good, but not free.

Two minutes later, he is cheered by the logo of APSF (Antti Pilvinen Securing Finland) Oy, a nice puffy cloud, on the SSL VPN portal.

Once again he thinks what a worthwhile investment the StoneGate SSL VPN technology has been! Even over an insecure WiFi connection, from anywhere, it lets him safely reach the applications he needs. No fear of identity or credential theft: the combination of certificate-based authentication and a one-time password sent to his Nokia E72 keeps authentication strong, and the password is valid for that session only.

The familiar set of icons appears after the system silently but efficiently checks his security posture, and 25 minutes later he is boarding Finnair flight AY796 to Milan Malpensa for the Sales Meeting on Lake Como organized by Emilio, the Country Manager of the Italian subsidiary.

His sales mind, so committed to results, so keen on convincing every customer to invest in security solutions… never gives a second’s thought to the backend complexity of reaching three different systems (Outlook Web Mail, Word over Remote Desktop, and the CRM hosted in the cloud by Salesforce.com), each with different credentials, simply by…

…clicking an icon.

Secure access to applications in the cloud. Simplified!

written by RoarinPenguin - 994 views

Jan 31

Securing access to data and systems continues to be one of the weakest links in the chain, and PEBKAC ;) is a constant issue.

Luckily, solutions exist… for those who consider what strong, innovative authentication could really mean.

StoneGate SSL VPN secures access to corporate data and applications with over 25 authentication methods, which can be combined in multiple ways.

As stated in a previous post, it is very often unnecessary to add complexity to the authentication process: combining different techniques can supply the needed… entropy.

Have a look at the interesting news linked here and let us know what you think!

written by RoarinPenguin - 860 views

Jan 04

First post of this new 2011, together with my best wishes for a happy new year.

In a recent post I showed how to configure StoneGate SSL VPN to perform ticket-based Single Sign-On to SalesForce.com.

The interesting benefit of the solution is that authentication stays at home while the user gets secure, authenticated access to the SalesForce application in the cloud.

The solution described in that post, although powerful and secure, falls a little short in usability because the user must first log in to the StoneGate SSL VPN application portal, then click the SalesForce application icon and voilà, he’s in.

This post details how to use Device Definition in StoneGate SSL VPN to greatly improve overall usability, reaching a quicker and smoother result while keeping security at the maximum level.

Device Definition detects a specific type of connecting device from patterns in the HTTP request, such as the User-Agent, OS, requested URL, path, etc.
We can therefore define a device type in Manage System > Device Definition based on the requested URL, as shown below:

This ensures that requests for https://salesforce.mydomain.tld are treated differently from others, according to the configuration in Manage Resource Access > Global Resource Settings > Client Access.

We will configure the Device Definition to point to specific pages for authentication and, once authentication succeeds, straight to SalesForce with ticket-based Single Sign-On.

We can retrieve the needed links (Authentication Page and Welcome/Application Page) by looking at the default login menu on the StoneGate SSL VPN Access Point and “building” the application link as described below.

Open the StoneGate SSL VPN Access Point page, hover over each authentication method and copy its link to obtain the authentication page link you are interested in (in the example, StoneGate Password).

As for the application link, supposing that your Web Resource to access SalesForce with Ticket-SSO is called MySalesForce, the direct link to the application will be:

https://sslvpn.mydomain.tld/https/MySalesForce

To define the Client Access parameters for the Device Definition, we just need to strip the scheme and host from the URLs above. We therefore have:

Authentication link (Default Page): /wa/auth?authmech=StoneGate%20Password

Application link (Welcome Page): /https/MySalesForce

We can finally configure the Device Definition Client Access in Manage Resource Access > Global Resource Settings > Client Access - Add Device Settings… as shown below:

Click Add to finalize the configuration.

The last thing to do is to add a DNS A or CNAME record so that salesforce.mydomain.tld resolves to the StoneGate SSL VPN system; otherwise the requests never reach it. Note that the certificate presented by the SSL VPN must also be valid for this hostname (listed in its Subject Alternative Names), or users will get a certificate warning before ever seeing the login page.

The resulting behaviour is that StoneGate SSL VPN intercepts the URL and, because of the Device Definition configuration, first sends the user to the configured authentication page; once authentication is complete, it allows straight access to SalesForce using ticket-based Single Sign-On.
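As an added illustration (this is not StoneGate code and not from the original post), the following Python model reproduces the routing decision just described: build the two links with proper URL encoding, strip the host part, match the requested host against a Device Definition, and send the browser to the Default Page before authentication or to the Welcome Page after it. The hostnames sslvpn.mydomain.tld and salesforce.mydomain.tld and the names “StoneGate Password” and MySalesForce come from the post; the `DeviceDefinition` fields and the `route` function are assumptions of this model, not the product’s configuration schema.

```python
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import quote, urlsplit


@dataclass
class DeviceDefinition:
    """One Device Definition plus its Client Access settings (model, not product schema)."""
    name: str
    host: str            # requested URL's host that identifies this "device"
    default_page: str    # Authentication link: where unauthenticated requests go
    welcome_page: str    # Application link: where a freshly authenticated session lands


def auth_link(authmech: str) -> str:
    """Build the authentication-page link; the method name must be URL-encoded."""
    return "/wa/auth?authmech=" + quote(authmech)


def app_link(resource_name: str) -> str:
    """Direct link to a Web Resource, as used for the Welcome Page."""
    return "/https/" + resource_name


def strip_host(url: str) -> str:
    """Strip scheme and host from a portal URL, keeping path and query."""
    parts = urlsplit(url)
    return parts.path + ("?" + parts.query if parts.query else "")


def normalize_host(host: str) -> str:
    """Host headers may carry a port and arbitrary case; match on the bare name."""
    return host.split(":", 1)[0].lower()


def match_device(request_url: str, definitions: List[DeviceDefinition]) -> Optional[DeviceDefinition]:
    """Return the Device Definition whose host matches the requested URL, if any."""
    host = normalize_host(urlsplit(request_url).netloc)
    for definition in definitions:
        if normalize_host(definition.host) == host:
            return definition
    return None


def route(request_url: str, authenticated: bool, definitions: List[DeviceDefinition]) -> str:
    """Path the portal serves for this request: the matching device's Default Page
    before authentication, its Welcome Page after; otherwise the standard portal."""
    device = match_device(request_url, definitions)
    if device is None:
        return "/"  # standard login menu / icon portal
    return device.welcome_page if authenticated else device.default_page


# Constructed configuration mirroring the post's example values.
DEFINITIONS = [
    DeviceDefinition(
        name="SalesForce direct access",
        host="salesforce.mydomain.tld",
        default_page=strip_host("https://sslvpn.mydomain.tld" + auth_link("StoneGate Password")),
        welcome_page=strip_host("https://sslvpn.mydomain.tld" + app_link("MySalesForce")),
    )
]

if __name__ == "__main__":
    for url, authed in [("https://salesforce.mydomain.tld/", False),
                        ("https://SALESFORCE.mydomain.tld:443/", True),
                        ("https://sslvpn.mydomain.tld/", False)]:
        print(url, "authenticated" if authed else "anonymous", "->", route(url, authed, DEFINITIONS))
```

The host normalization is the detail worth keeping in mind: browsers may send the Host header with a port suffix or mixed case, and a definition that matches only the exact string will silently fall through to the generic portal.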

Secured Access to the Cloud, keeping Authentication at Home ;)

written by RoarinPenguin - 1,731 views

Nov 26

StoneGate SSL VPN is well suited to granting secure access to the cloud.

One of the preferred authentication methods, used standalone or in conjunction with others to strengthen the authentication process, is authentication based on digital certificates.

This video shows the various options offered by StoneGate SSL VPN to implement strong authentication with digital certificates when accessing applications in the cloud.

Secure Access to the Cloud! Simplified!

written by RoarinPenguin - 1,044 views

Oct 22

Recent discussions about Cloud Computing, the security standards it should guarantee, and the psychological barriers which are slowing down adoption (although less than in the past) focus attention on a fundamental aspect: security of access.

The countless advantages of a data center “in the cloud” are well described in the streams of ink and… eInk spilled about it.
However, too often the angle is to illustrate flexibility, low impact on maintenance, on-demand performance, ubiquitous access… forgetting a key aspect when talking about access to sensitive data and applications.

Hence the question: if a CIO accepts moving corporate IT into the cloud – trusting the SLA and security standards of the service provider – which part of the process should be “bomb-proof”?

The answer is too often neglected: access! Or, better, the security level and strength of the access process.

Authentication systems considered “state of the art”, such as OTPs sent via text message, have recently been questioned because of man-in-the-middle attacks: a real-time phishing proxy simply relays whatever password and code the user types to the real site, undoing the whole security measure.
How should you react to the growing threats and strengthen the overall process?

The answer is contained in an historical quote: Divide and Conquer.

Divide means combining authentication and identity validation systems (each with a good intrinsic strength) into a barrier that protects access, a barrier almost impossible to get through unless valid credentials are presented.

StoneGate SSL VPN is an Identity and Access Management (IAM) system featuring over 25 different authentication methods, both native and interoperating with existing backend systems in the enterprise. Complemented by security posture validation and trace removal at the end of the session, the solution gives secure, authenticated access to the applications available to a given user in a given context.

The interesting possibility is to combine multiple instances of the same or different authentication methods, so that an attacker has to defeat every one of them and the strength of the overall process rises sharply.
For example, let’s consider four authentication methods:

  • One time password delivered via SMS
  • One time password generated with StoneGate MobileID
  • Certificate authentication with client certificate protected by passphrase
  • Native Active Directory authentication.

Each of these methods has a good security level (password variability, number of authentication factors, difficulty of extracting the protected secret).

The security level is maximized if the IAM system allows the four methods to be combined, since the factors add up and the space an attacker must guess multiplies. One caveat holds regardless: every factor the user types in (fixed password, SMS OTP, MobileID OTP, AD password) can be relayed by a man-in-the-middle proxy in real time; only the certificate factor, which is bound to the TLS session with the real server, cannot be forwarded that way, which is why it deserves a place in the chain.

Therefore access to a particularly important application or to especially sensitive data could be protected by a very strong authentication scheme, such as:

  • type in a username and fixed password; an OTP is then sent to the phone via text message
  • present a valid passphrase-protected digital certificate, stored on a smartcard or token
  • enter an OTP generated with the free MobileID client software, installed on a different device from the one used for access
  • type in your Active Directory username and password

By combining this process with security context validation (such as antivirus state and checks of the serial numbers of client hardware components) it is possible to reach a very high level of strength in the authentication and access process, enabling access to the cloud at a security level accepted by the most demanding customer, without sacrificing (too much) usability.
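As an added example (not StoneGate code and not from the original post), the Python model below plays out the man-in-the-middle relay discussed above against a chained login: fixed password, then an SMS-style one-time password, then optionally a certificate factor. The OTP is a real RFC 4226 HOTP implementation; the certificate factor is simplified to an HMAC proof of possession over a channel-binding value, standing in for the signature a client certificate makes during the TLS handshake. The names `Portal`, `relay_attack`, `user-laptop`, `attacker-box` and `phish.example` are constructed for this illustration; sslvpn.mydomain.tld is the portal hostname used elsewhere on this blog.

```python
import hashlib
import hmac
import struct
from typing import Optional, Tuple

# Constructed sample secrets for this model (not real credentials).
PASSWORD = "fixed-password"
OTP_SEED = b"12345678901234567890"  # RFC 4226 Appendix D test secret
CLIENT_KEY = b"stand-in-for-client-cert-private-key"
PORTAL = "sslvpn.mydomain.tld"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def channel_binding(client_end: str, server_end: str) -> bytes:
    """Stand-in for a TLS channel-binding value: it depends on both ends of the
    TLS connection actually made, so a relaying proxy sees a different value."""
    return hashlib.sha256(f"{client_end}|{server_end}".encode()).digest()


def cert_proof(client_key: bytes, binding: bytes) -> bytes:
    """Proof of possession over the channel binding. An HMAC stands in for the
    signature a client certificate's private key makes over the TLS handshake."""
    return hmac.new(client_key, binding, hashlib.sha256).digest()


class Portal:
    """Portal chaining a fixed password, an SMS/HOTP code and, optionally, the certificate factor."""

    def __init__(self, require_cert: bool):
        self.require_cert = require_cert
        self.counter = 0  # next HOTP counter value the portal will accept

    def login(self, peer: str, password: str, otp: str, proof: Optional[bytes]) -> bool:
        if not hmac.compare_digest(password, PASSWORD):
            return False
        if not hmac.compare_digest(otp, hotp(OTP_SEED, self.counter)):
            return False
        self.counter += 1  # the code is consumed once accepted
        if self.require_cert:
            # The portal binds the proof to ITS OWN TLS session with whoever connected.
            expected = cert_proof(CLIENT_KEY, channel_binding(peer, PORTAL))
            if proof is None or not hmac.compare_digest(proof, expected):
                return False
        return True


def user_submits(site_reached: str, counter: int) -> Tuple[str, str, bytes]:
    """What the user's browser and phone produce for the site the browser actually reached
    (the phone's HOTP counter is assumed to be in sync with the portal's)."""
    proof = cert_proof(CLIENT_KEY, channel_binding("user-laptop", site_reached))
    return PASSWORD, hotp(OTP_SEED, counter), proof


def legitimate_login(require_cert: bool) -> bool:
    """The user connects directly to the real portal."""
    portal = Portal(require_cert)
    password, otp, proof = user_submits(PORTAL, portal.counter)
    return portal.login("user-laptop", password, otp, proof)


def relay_attack(require_cert: bool) -> bool:
    """Real-time phishing relay: the user lands on the attacker's look-alike site, which
    forwards every submitted value to the real portal over the attacker's own TLS session.
    Returns True when the attacker obtains a session."""
    portal = Portal(require_cert)
    password, otp, proof = user_submits("phish.example", portal.counter)
    return portal.login("attacker-box", password, otp, proof)


if __name__ == "__main__":
    print("password + SMS OTP, relay attack succeeds:", relay_attack(require_cert=False))
    print("with certificate factor, relay attack succeeds:", relay_attack(require_cert=True))
```

Running it shows the point of the caveat: with password and SMS OTP alone the relayed login is accepted, because the proxy forwards exactly what the user typed; adding the channel-bound certificate factor makes the same relay fail, because the proof the user produced belongs to the user's session with the phishing site, not to the attacker's session with the portal.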

Cloud Computing. Secured!

written by RoarinPenguin - 1,349 views