Apr 20

TCP Split Handshake and StoneGate

Firewall Engine, IPS, Security News -

Recently the information security landscape was abuzz over findings from a recent NSS Labs report on firewalls, wherein products were found to be vulnerable to a TCP split handshake attack. This attack concept was based on research by Tod Beardsley and Jin Qian of BreakingPoint Systems.

Normally, TCP is considered to use a “three-way handshake”: an application starts a session with a SYN, the response is a SYN/ACK, and the originator of the session completes it with a corresponding ACK, as outlined in RFC 793. What Beardsley and Qian noticed is that the RFC actually spells out in section 3.3 a four-way process, and states that “steps 2 and 3 can be combined in a single message”. Note that although combining them is the typical way systems handle it, there is no requirement to combine the SYN and ACK of the recipient.

Without getting into the further nitty-gritty details, the bottom line of the research and the recent testing is that stateful network security devices relying on an expected handshake sequence can be fooled into thinking that a connection is originating from a trusted segment instead of from the actual source. Although Stonesoft was not a tested vendor, we decided to independently verify StoneGate’s handling of this situation. You can read more about the issue in various articles, such as The CyberJungle or Government Security News.

Stonesoft’s research team, the Vulnerability Analysis Group, tested both the StoneGate IPS and StoneGate Firewall/VPN, using the same BreakingPoint tests as outlined in the research paper. Our initial conclusion is that neither product is affected by this issue. For the StoneGate IPS, a four- or five-way handshake will fail to hide the payload (direction) from the IPS: the four-way is flagged as “TCP_Segment-SYN-Unexpected-Reply”, and the five-way scenario (which is also very unlikely in real-world environments) as “TCP_Window_Shrinked”. The four-way handshake situation is not set to terminate by default, but it can easily be set if conditions or policy warrant.

For the StoneGate Firewall/VPN, the behavior depends on an Advanced property of the firewall or firewall cluster, namely whether it operates in loose, normal, or strict mode, and is further influenced by whether traffic in any given rule is inspected or has anti-virus applied. With inspection and anti-virus, attacks in the payload are detected regardless of the handshake mechanism. Loose and normal mode with no additional inspection methods will permit the handshake. Strict mode will drop the connection. In any situation, the StoneGate Firewall/VPN will not be confused as to the origin of the session, so the bottom line is as with all security policies in StoneGate: what is not expressly permitted is denied.
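To make the direction point concrete, here is an added example (not Stonesoft’s or BreakingPoint’s code) that models two connection trackers over constructed handshake sequences: one infers the originator from whoever sent the SYN/ACK, the other anchors the originator on the first SYN and flags the responder’s bare SYN, as the page describes the IPS doing. The alert labels are constructed and are not the StoneGate situation names.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """One TCP control segment; only the flags that matter for direction tracking."""
    src: str            # constructed host labels: "client" / "server"
    dst: str
    syn: bool = False
    ack: bool = False


def three_way():
    """Conventional RFC 793 handshake with steps 2 and 3 combined into one SYN/ACK."""
    return [Segment("client", "server", syn=True),
            Segment("server", "client", syn=True, ack=True),
            Segment("client", "server", ack=True)]


def split_handshake():
    """Four-way variant (constructed): the responder answers the SYN with a bare SYN
    of its own, so the session originator ends up being the one sending the SYN/ACK."""
    return [Segment("client", "server", syn=True),
            Segment("server", "client", syn=True),
            Segment("client", "server", syn=True, ack=True),
            Segment("server", "client", ack=True)]


def naive_originator(flow):
    """Shortcut used by some stateful devices: the originator is whoever the SYN/ACK
    was sent to. The split handshake makes this report the wrong side."""
    for seg in flow:
        if seg.syn and seg.ack:
            return seg.dst
    return None


def track(flow):
    """Anchor direction on the first SYN and report deviations instead of re-deriving
    direction from later flags. Returns (originator, alerts)."""
    originator, alerts = None, []
    for seg in flow:
        if originator is None:
            if seg.syn and not seg.ack:
                originator = seg.src      # direction is fixed here and never changes
            else:
                alerts.append("segment-before-syn")
            continue
        if seg.src != originator and seg.syn and not seg.ack:
            alerts.append("syn-unexpected-reply")     # responder opened its own SYN
        if seg.src == originator and seg.syn and seg.ack:
            alerts.append("originator-sent-syn-ack")  # second half of the split pattern
    return originator, alerts
```

Running `track(split_handshake())` still names the client as originator and raises two alerts, whereas `naive_originator` on the same flow answers "server"; a policy can then decide whether such flows are logged or terminated, mirroring the IPS default described above.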

Stonesoft looks forward to the opportunity to participate in future tests and supports community efforts to drive improved testing of network security systems. Only by improving testing efforts can we continue to ensure our solutions remain

Network Security. Simplified.

written by markb

Mar 25

According to Frost and Sullivan, global spending on intrusion detection and prevention technologies in 2010 exceeded $1.5 billion USD. At the same time, organizations are growing increasingly concerned by attack sophistication, such as Stuxnet, APTs, and the recent incidents involving RSA and Comodo. Yet what if the first factor were rendered completely ineffective, and the second kept increasing in its success? If all that money goes down the drain due to ineffective technologies, and sophistication is increasing, what do we do next?

Last October, Stonesoft made friends and enemies alike with its announcement regarding research in advanced evasion techniques and their disclosure to CERT-FI for vulnerability coordination. The subsequent disclosure at RSA that an additional 124 techniques were disclosed on top of the original 23 was met with even more resounding silence.

What’s interesting is that all of the discussion focuses on irrelevant sidebars. Bob Walder of Gartner and NSS Labs have discounted the threat of AETs as “yesterday’s news”; after all, evasions aren’t new, so what’s the big deal? And granted, Bob does know a thing or two about evasions; as one of the founders of NSS Labs, he’s a pretty sharp guy and created a few evasions of his own back in the day. The second sidebar centers on the likelihood of AETs being seen in the wild. No one has heard of or seen them being used, so clearly they must not exist.

Yet I would say that these are distractions from the real issue: old or new, in use or not, the bottom line is: advanced evasion techniques work. They work against just about every IPS technology on the market and in your network today. They enable the delivery of any exploit to vulnerable systems at any time, without detection or notice. But don’t take our word for it. Contact us and we’ll be happy to demonstrate for you. Read the validation of third-party testing. Or even better, test it yourself. We’ve now made the first AET samples, originally provided to CERT-FI last year, available at www.antievasion.com.

Does it matter how old it is? No, unlike a fine wine, AETs don’t get better or worse with age. They simply are. They work.

And in most cases, they work well. Against any IPS technology, next generation firewall, content scanning system, or Web application firewall. Why? Because vendors have typically focused on providing you, the customer, with what you ask for rather than what you need. They design systems that favor performance shortcuts vs. real security. They’d rather invest in nice marketing materials than in an effective normalization engine that still maintains decent throughput.

Wouldn’t you rather have a vendor interested in making a better, more effective security technology for today’s threats? One that is more manageable, scalable, and simplified than what you’re doing now? Again, don’t take our word for it. Try it yourself. Learn why Stonesoft’s security solutions are:

Network Security. Simplified.

written by markb

Jan 04

First post of the new year 2011, together with my best wishes for a happy new year.

In a recent post I illustrated how to configure StoneGate SSL VPN to perform ticket-based Single-Sign-On to SalesForce.com.

The interesting benefit of the solution is that it keeps secure authentication at home while granting secure, authenticated access to the SalesForce application in the cloud.

The solution described in that post, although powerful and secure, lacks a little in usability, because the user must first log in to the StoneGate SSL VPN application portal, then click the SalesForce application icon, and voilà, he’s in.

This post details how to use Device Definition in StoneGate SSL VPN to greatly improve the overall usability, reaching a quicker and smoother result while keeping security at the maximum level.

Device Definition allows detecting a specific type of connecting device based on patterns identified in the HTTP request, such as Agent, OS, requested URL, path, etc.
We can therefore define a device type in Manage System > Device Definition based on the requested URL, as shown below:

This will ensure that URL requests for https://salesforce.mydomain.tld are treated differently from others, according to the configuration in Manage Resource Access > Global Resource Settings > Client Access.

We will configure the Device Definition to point to specific pages for authentication and, once authentication is successful, to go straight to SalesForce with ticket-based Single-Sign-On.

We can retrieve the needed links (Authentication Page and Welcome/Application Page) by looking at the default login menu on the StoneGate SSL VPN Access Point and “building” the application link as described below.

Open the StoneGate SSL VPN Access Point page and move the mouse over the authentication method, then copy the link to the authentication method to retrieve the authentication page link you are interested in (in the example, StoneGate Password).

As for the application link, supposing that your Web Resource for accessing SalesForce with Ticket-SSO is called MySalesForce, the direct link to the application will be:

https://sslvpn.mydomain.tld/https/MySalesForce

To define the Client Access parameters for the Device Definition, we just need to strip the host part from the URLs above. We will therefore have:

Authentication link (Default Page): /wa/auth?authmech=StoneGate%20Password

Application link (Welcome Page): /https/MySalesForce

We can finally configure the Device Definition Client Access in Manage Resource Access > Global Resource Settings > Client Access > Add Device Settings… as shown below:

Click Add to finalize the configuration.

The last thing to do is to add a DNS A or CNAME record that points to the StoneGate SSL VPN system when this URL is requested, so that the requests are routed correctly.

The resulting behavior is that StoneGate SSL VPN intercepts the URL and, because of the Device Definition configuration, first directs the user to the configured authentication page; once authentication succeeds, it allows straight access to SalesForce using ticket-based Single-Sign-On.

Secured Access to the Cloud, keeping Authentication at Home ;)

written by RoarinPenguin

Nov 22

Stonesoft products not vulnerable to CVE-2010-3864

Security News -

On 16 November 2010, OpenSSL reported a serious vulnerability in the TLS server extension parsing code that enables remote exploits against vulnerable servers.

None of the Stonesoft StoneGate products are affected. Although we use the vulnerable version of the OpenSSL library, the server extension in which the vulnerable code lies has not been included in our products.

BR,

- Joona

written by joona

Aug 30

Twenty Ten!

Celebration -

30 August 1990 – 30 August 2010!

Today Stonesoft celebrates 20 years!

20 years ago two Heroes decided to found Stonesoft to bring high availability into the security arena… time went by, success after success, with the creation of the extremely successful StoneBeat technology, until the new millennium arrived.

Stonesoft decided that it was time for a new idea, and in 2000 we became a public company listed on the Helsinki Stock Exchange, and we brewed what today is our core cool superb technology: StoneGate!

Born as a firewall with high availability in its DNA, the StoneGate concept evolved into the StoneGate Network Security Architecture: a legendary infrastructure providing in-depth layered security throughout the whole enterprise, and beyond the corporate boundaries to provide secure, authenticated access to applications in the cloud.

Hence today all Stonians everywhere virtually raise a glass of the most excellent cyberwine for this double fantastic celebration: 20 years of Stonesoft, 10 years of StoneGate!

Happy Birthday Stonesoft, Happy Birthday StoneGate!

written by RoarinPenguin

Jul 15

Black Hat 2010 Security Tip #2

Hints and Tips, Live from Field -

If you’re headed to Black Hat like we are, there’s more to security than being cautious about the networks you connect to. Data at rest can also be a concern, both for the data on your devices as well as the data you may receive while there. Here’s our second security tip, to deal with the protection of that data.

The X-Files principle of Trust No One holds true in this case as well. We all love schwag, whether it’s simple things like stress balls or more advanced things like iPad giveaways. In between, everyone loves to pick up those USB sticks, which can be plain and simple or disguised as cute animals. But be careful: those animals can turn on you. In general, for a safer computing experience at Black Hat, do not trust any storage device handed to you by others. Whether it’s a USB drive, a CD, or anything else (even that iPod you just won), they can contain viruses, Trojans or malware of any form. Even the ones that look professional can be dangerous. The best option is to discard them; failing that, at least scan them on a separate, up-to-date, sacrificial system first.

Second, if you are bringing a laptop, install and verify the operation of full-disk encryption software. Use AES-256 or better. If the hard drive has a hardware encryption option, as some external ones do, use that instead. And while you’re at the conference, be sure to power off or hibernate your laptop whenever it isn’t in use to maximize the effect of the encryption software. Free disk encryption programs exist, and modern Windows and OS X systems include encryption technologies built in.

To learn more about computing safely, to try your hand at Hack The Lab, and to learn about Stonesoft’s award-winning network security solutions, be sure to stop by Booth 33!

written by markb

Jul 09

Stonesoft at Black Hat 2010

Live from Field -

It’s just a few weeks away! Stonesoft will be at the Black Hat 2010 conference and expo in Las Vegas, Nevada. If you’re going, join us there at booth 33, and learn about our solutions. We’re also featuring the popular StoneGate Hack The Lab event. Trade in your white hat for a black hat for a period and try your hand at hacking into systems in a lab environment.

In addition to Hack The Lab, we’ll also be featuring the StoneGate IPS component of the powerful, award-winning StoneGate network security solution. You can also register to win the VMware-certified StoneGate virtual firewall or IPS for a year for free!

Stay tuned here as well, as we post our security tips for a safe Black Hat computing event, or follow us on Twitter at @Hack_the_Lab and @Stonesoft_US. Or friend us on Facebook.

written by markb

Apr 30

Maybe old Benny ;) had authentication in mind when he wrote this (paraphrased) quote.

Surely this is a great truth that we understand well at Stonesoft, since we have always kept focus and attention on the usability of our solutions. Our legendary SMC ease of use is proof of that, and another is the SMS-based authentication featured by StoneGate SSL VPN.

The recent cloud computing mega trend has again raised concerns about authentication tied to access to the cloud, and many blog posts and discussions are under way about the best methods to ensure an authentication method that is strong enough, yet easy to achieve and use.

One-time passwords seem to be a good idea, but implementations often make them too complicated because they rely on hardware devices, software to install on those devices, PINs to remember, etc.

A few years ago, Finland made a nice technological gift to the world with the first text message sent from one cell phone to another by a student interning at Nokia, and since then the situation has evolved to 4.1 trillion messages sent in 2008. This clearly indicates that:

  • mobile phones are quite popular ;)
  • we always keep them with us (and return home if we leave them there)
  • SMS is a widely used technology, no matter which type of mobile phone we have

As stated in a previous post, StoneGate SSL VPN can be used to implement text-messaging-based authentication with OTP and… my Nokia proves it here below ;)


Network Security. Simplified!

written by RoarinPenguin

Mar 14

StoneGate and iPads

Live from Field, SMC, SSL VPN -

Of course it’s important to follow up-and-coming transformative technologies. If the numbers on the first weekend of Apple iPad pre-orders are remotely close to being correct (~20,000 per hour), it classifies as a transformative device. With WiFi and optional 3G connectivity, it also makes a great platform for both organizational access and administration. Of course, those of us who are Apple fans would be remiss without placing our own order for testing all things StoneGate on this device. After all, StoneGate and Apple are both technologies people love.

We know from the iPhone that the StoneGate WebPortal interface works like a champ already, allowing administrators to view logs and reports, check security policies and more. Since the iPad reportedly uses iPhone OS 3.2, we don’t expect that to be any different. We also don’t expect that the StoneGate SSL VPN will be any different, easily allowing access to Web-based resources through a multitude of authentication technologies via 3G and WiFi networks. Of course, the remaining question is then whether the full StoneGate Management Client will work. At this time it’s speculation, but the answer initially is likely, “No” since – like the iPhone before it – the iPad will likely not support Java.

That said, stay tuned to StoneBlog to find out our first experiences as soon as the post delivers our new test subject; we’ll let you know at least the “unofficial” support of StoneGate on this tool. After all, what better way to achieve…

Network security. Simplified.

written by markb

Nov 13

vSphere, or VMware ESX 4.0, introduced a number of interesting features, among them the possibility to upgrade your virtual hardware from version 4 (the default in the previous ESX 3.x world) to version 7.

This upgrade, achieved by right-clicking the virtual machine in the VI Client and selecting “Upgrade Virtual Hardware”, will inject cool steroids ;) into your virtual machine (but also makes it no longer backward compatible with VI 3.x).

A positive side effect of such steroids is the ability to increase the number of NICs in your VM as shown below.


written by RoarinPenguin