Helsinki has been named World Design Capital for 2012.

As you might know, Design is not only about chairs, desktop and furniture…

The word comes from the late Middle English as a derivative word from Latin “Designare“, which means to indicate something for a purpose or duty.

As it happens for many concepts, the word has a definition but different meanings depending on the context where it is applied.

Just like Security.

Two important principles related to design are usability and ergonomics.
Both are related to improve people efficiency in their working environment.

The same two principles are not only related, but fundamentally important for Security.

When you design something, you mainly think about the purpose of that something in different contexts.
Because different usage contexts mean different needs to address, different perspectives, different angles.

Just like in Security planning.

Especially after Cloud Computing wave, there has been lots of talking about context-aware security.
To highlight and stress that security technologies and implementations should always consider the whole context of a session and not only a fragment of it.
For example, not limiting authentication to user credentials validation only but extend the analysis and validation to the whole “security posture” by assessing the hardware he’s using, the network he’s coming from, the strength of the authentication method used, etc.

At Stonesoft, we have blended all these important principles in our solutions from day one.

We offer dynamic, software based network security solutions that can adapt to the context where they are implemented, providing protection against the lastest and most dangerous threats: AETs.

We provide great usability both for security administrators and for users, to maximize the efficiency and user experience while minimizing impact on resources.

We can prove reduction of CAPEX and OPEX costs with real, tangible savings.

We believe in ergonomics principles applied to (e.g.) authentication, where users should be able to achieve strong authentication naturally, using methods and devices they learnt to use daily for multiple other purposes.

We offer secured authenticated access to the cloud, enabling universal access from multiple platforms and context-aware security.

We empower MSSPs to provide faster time-to-market for security services and most scalable solution to manage thousands customers with minimized OPEX.

Ins’t this… ergonomic Network Security by design?

More specifically, the variables described in this article are used when configuring a startup command in a Tunnel Set definition to allow TCP/UDP based applications to be used inside a SSL tunnel.
A sample use case is a user that needs to access to his home directory and we do not want to create as many tunnel set as users in the system.
The Startup Command in a Tunnel Set is executed as soon as the tunnel has been successfully established, to automate the launch of a given application.
In this example, the Startup Command content in SSL VPN Tunnel Set configuration could contain something like:

\\192.168.100.1\[$uid]

This particular $uid variable will be replaced with the user ID when the startup command will be invoked by the system.

I report below the other useful variables that can be used in the same context:

[$ehost]  =   the access point server name including port number

[$eprot]  =   HTTP or HTTPS

[$uid]  =   The external user name

[$iuid]  =   The internal user name (usually the same of $uid)

Testing conducted by VPNC proves that vendor has implemented standards defined protocols in a way that can be used in real life where interoperability between different vendor’s implementation is frequently needed.

The primary flaw discovered by Columbia University researchers rests in the firmware that allows modern printers to function as small computers. Like software, the printer routinely updates its firmware by connecting to the internet and downloading appropriate updates. Researchers discovered that printers don’t verify the source of the update software or the software’s authenticity, thereby providing a hidden point of entry for cyber criminals to gain access to the printer. As a result, a seemingly benign printer can be transformed into a “beachhead” for launching a network-wide attack.

As researchers determine which printer vendors are vulnerable and the extent of these vulnerabilities, Stonesoft would like to remind you of the following:

• Any device connected to your network is at risk. Security targets aren’t limited to desktops, laptops and servers. If left unprotected, printers, VoIP, PBXs and other low-interfacing devices can be gateways to network attacks.
• Your network security strategy should cover every device. When is the last time you inventoried how many disparate devices are accessing your network and how? Most enterprises fail to protect every network-connected device, and this is certainly the case with printers.
• Multi-layer protection is critical. Deep packet and web traffic inspection should be executed at the perimeter and inside of the network.

“It’s not for me, I don’t have a cloud” he said initially, when I started describing the solution.

This is a common misunderstanding: to believe that the Cloud is only public!

Because Cloud Computing describes mainly an IT ecosystem, everyone who is adopting techniques and technologies of this ecosystem has a cloud!

Naturally, there is a difference between public and private clouds.

Happy with this description, the Partner continued the discussion and we analyzed the solution illustrated below:

When the user implements a Mail system based on Exchange protected by Stonesoft SSL VPN, there are several interesting benefits:

• avoid the Exchange Server to be exposed in DMZ
• offload the SSL traffic from Exchange Server
• provide support for Exchange ActiveSync to synchronize mail, contacts, calendar and tasks to mobile devices supporting this feature (majority of most recent smartphones do)
• support Device ID locking, to prevent unauthorized mobile devices to access to Exchange

…beside securing access to Outlook Web Access and the mail control panel when the mail is accessed via browser.

A growing number of Stonesoft Customers are already enjoying this cool feature, which is included in the base license of the SSL VPN solution.

Stonesoft SSL VPN licensing based on concurrent users and transparent integration with MS Active Directory with dynamic user linking allow a rapid and efficient deployment of a cost-effective solution.

Based on how the conversation ended, I really think that this “growing number” will increase by one soon…

Secure your mail in the cloud, with Stonesoft SSL VPN!

since I’ve been upgrading and installing a 5.3.2 cluster, I now do see these situations in the logs: Anti-Virus_Buffering-Limit-Exceeded ==> I suspect this messsage means that the AV part of the FW can not handle the size of the requested file.

As I couldn’t find it in the online-doc, is there anyone who can point me out the documentation that describe the value of this size limit ?

Is the a way to modify this limit ?

As it is new to me, what is the user supposed to see when such a limit is reached ?

PS: sorry, I’m new to WordPress and posting in forum: is there a better place to share q&a about StoneGate ?

This is where Stonesoft Mass Security comes in. We’re making the installation of advanced network security as simple as plugging in a laptop. Perfect for multi-location and franchised businesses, office managers and store clerks simply have to plug in the security device (e.g. firewall) and it calls home to an installation cloud to access pre-configured settings.

Right now, our goal here at Stonesoft is to educate the masses about what Mass Security is, how it works and how it’s changing the landscape of network security. We have a ton of resources available to help speed this along, including:

• Website: This is a microsite dedicated solely to all things Mass Security. Everything you need to know – from technical know how to the basic “What is it?” – is here.
• Brief: This not-too-technical whitepaper explains how Mass Security works. It’s a must-have primer. Download here.
• Video: When’s the last time you’ve installed a firewall in 81 seconds? Now, when’s the last time you’ve enabled thousands of firewalls to install in 81 seconds? Check out this video to see it done.
• Webcast: Our next online discussion about Mass Security is on November 2, 2011 at 1pm ET (US). Join us.

Few days ago Stonesoft released the A2Cloud solution.
That is, the combination of multiple technologies to create secured and authenticated access to the cloud, no matter if it is public or private… because everybody has a cloud, right?

There is nothing new in the purpose to authenticate access to data and applications, since this has been a need for quite a while now… what A2Cloud the idea is to innovate the way to answer to this need from two main standpoints.

• Ergonomic Authentication
• Governance

For too long strong authentication has been synonym of hardware tokens, dedicated devices to carry around with the sole purpose of generating a one-time password based on specific algorithms.
And for too long these devices has been prone to errors in usage, battery run out ahead of time, clumsy usability and… being forgotten at home.

And for too long awareness of what was happening in the field from authentication and security governance viewpoints has been a serious issue for security administrators and auditors.
Questions such as “how often a given authentication method was used”, “how users reacted to strong authentication”, “how easy it was to use that given authentication” and many others remained without a proper answer.

A2Cloud was conceived to provide a reliable and complete answer to these questions, while relieving the users from the “doom of hardware tokens”.

Ergonomic authentication means to apply the principles of ergonomics to enable usage of common tools we’re keen to use everyday for strong authentication purposes too. And these tools are something we’ll never forget home (or, better, if it happens we’re very willing to get back home to take them )… I’m talking about mobile phones, smartphones, PDAs, tablets, netbooks and notebooks.

In short, tools we can’t live without (anymore).

Security awareness means availability of tools to understand what’s going on, how to audit authentication and other security related operations; how to get the information you need, when you need it, and with the level of detail you need to do what you need to do (supervision, troubleshooting, monitoring, alert, react to security threat, log analysis, auditing, etc.).

Visit A2Cloud minisite to develop a better understanding about how Stonesoft solution can ease your professional life of a cloud user and/or security administrator.

Share a little of that human touch…

In ICSA Labs’ initial test, products scored an effectiveness rating of between 59.4 percent and 78.1 percent. After being allowed to modify their products to better protect against current security threats, final tests showed an effectiveness rating of between 81.3 percent and 90.6 percent. Stonesoft’s StoneGate IPS-1205 performed at the highest end of the range for both tests with a 78.1 rating for the initial test and a 90.6 rating for the final test.

If you want to read the full report and individual vendor scores, it’s available on ICSA Labs’ Quarterly Network IPS Vulnerability Testing page, including individual vendor scores.

In addition, our IPS has been nominated in SC Magazine’s Reader Trust category for Best IPS. We encourage you to support Stonesoft by voting! Click here to vote.

As we continue to make strides in our evasion research, we look forward to maintaining the highest performance and protection across our portfolio of IPS solutions. As always, let us know what you think, what we can do better and so forth. We take a team approach here at Stonesoft – and everyone of our customers, partners and colleagues play a valuable role.

Well, it really seems to me that the ‘problem’ continues to be the same.
The weak link of the security chain continues to be the same.
It is the common issue which caused all these incidents in the first place.
The ‘common denominator’ putting at risk the most reliable and strongest security measure: the human factor.

In a situation where you cannot trust the security channel, where the algorythm used to generate the one-time passwors can be compromised as well, where username and static password pairs are potentially travelling within insecure channels (hence comparable to clear trasmission), the question is:
how to grant the minimal decent level of security to remote access to corporate or cloud applications and authentication processes?
After thinking a long while to this question, the answer I have is: raise the entropy!
In statistical mechanics, entropy is the measure of the randomness of the microscopic consituents of a thermodynamic system.
Transposing this concept and coping with the need to create a secure system, trying to make it too complex to be compromised, my proposal is to combine methods of channel encryption and strong authentication.
To grant that even if one of them gets compromised, this incident won’t lead to any theft of important data.
This is achievable when the technological solution is clever enough to allow a scenario like the one described below.

1. Using federated authentication technologies, based on standard, I can separate the authentication process from the access to applications process, without having a big impact on the overall user experience (thanks to transparent redirection). Each of the two ‘parties’ is protected by different server side certificates and the parties authenticate one to each other using digital certificates, potentially issued by different CAs.
2. The party caring about authentication, also known as Identity Provider, could authenticate the user using multiple authentication methods chained together to raise entropy.
   This should be done considering again to avoid big impact on the user experience: the more natural to use is the process, the better it is. An example could be the combination of client digital certificate authentication with a one time password sent via sms and eventually with otp generated by software token.
3. Once authentication process is completed, the session is redirected to the Service Provider (second party in the scenario) which provides access to protected data and application using a security assertion (that is, an information used to recognize the user without requiring user credentials to travel on the internet) to grant single-sign on direct access.

Stonesoft offers a unique combination of technologies to provide the building blocks of the scenario described above, thanks to the interaction between StoneGate Authentication Server and StoneGate SSL VPN. StoneGate Management Center glues together the two components while providing governance, monitoring, statistics and situation awareness as additional benefits for security administrators.

Secured and Authenticated Access. Simplified!