StoneBlog.stonesoft.com

Security Right-Sizing

MMcKinley — Tue, 15 May 2012 19:27:55 +0000

“Security right-sizing” is a term that comes up often these days – and understandably so. The cost of network security has risen dramatically these last few years, while the general population has become desensitized to data breaches. Meanwhile, most companies can’t deploy the breadth and scope of security technologies they would like due to budget constraints.

I recently discussed this very topic over on the MSP Alliance blog. In that post, I provided steps to developing a network security strategy that balances offense, defense and resource constraints. Even if you’re not a MSSP, I urge you to read the post in full here. Meanwhile here is an excerpt:

“Pinpoint weaknesses: It’s imperative to understand the weakest links in a client’s network so that the appropriate counter measures can be implemented. For some, this may take the form of education, for others this may involve fortifying a particular area of the network. Regardless, spending the time to identify it now will stave off disaster in the future. If you don’t know where the weak spots are, hackers will certainly find it.

Determine costs of protection vs. avoidance: In an ideal world, protections would be deployed at every intersection of data traversal. The reality is that choices have to be made regarding the most important assets and how to protect them. MSSPs must help companies evaluate which assets are acceptable to risk, which are not and costs associated with both. When this understanding is reached, security devices and controls can be repositioned or reformulated to ensure that the most critical assets have the proper level of protection. Avoidance, on the other hand, may be necessary to ensure that other, more critical, assets are well protected.

Understand false causality: Last, and certainly not least, is the understanding that statistics have a certain value, but should serve more as a data point in multi-year trends. Particularly in the case of a sensitive subject, such as security, following statistics in making decisions can be dangerous. Every network, business and industry is different and statistics don’t always reflect such. In the never-ending game of offense and defense in the world of security, would you want to leave anything to chance?”

While these tips were obviously written for MSSPs, I believe they are still wholly relevant to any organization struggling to prioritize and optimize network security. What are your thoughts on security right-sizing? How do you strike a balance between protecting your networks and staying within your organization’s resource constraints?

How A2Cloud helps Mobile Device Management

RoarinPenguin — Fri, 11 May 2012 01:08:24 +0000

In a recent post we discussed the debated topic of BYOD, allowing at same time freedom of using your preferred device to get things done and loss of control from IT administrators about level of trust of connecting devices.

There is, however, another related discussion causing quite some eInk to be spilled: MDM or Mobile Device Management.

According to Wikipedia, MDM is all about software to secure, monitor, manage and support mobile devices deployed across mobile operators, service providers and enterprises.

One important aspect of an MDM strategy is controlled access to corporate data and applications.
Because devices with a low level of “trustability” could represent a risk and a threat to enterprise security.

Stonesoft SSL VPN, part of the A2Cloud solution, supports ability to identify connecting devices.

And once you know what is the preferred device (BYOD) of a given user or group of users, you can use this information to restrict, allow or deny access to specific resources in a dynamic and flexible fashion.

Customers are enamored of this feature for the incredible customization it offers; because the concept of device in SSL VPN is not only physical.
A device could be identified by its OS, by the browser it uses to access to SSL VPN, by the URL called and numerous other parameters.

This gives back to IT and Security Administrators the control they need to assist BYOD and MDM strategies with a proper, agile level of security.

What Should You Takeaway from the Global Payments, Inc. Breach?

MMcKinley — Tue, 08 May 2012 16:54:35 +0000

I recently wrote a blog post for the MSP Alliance about the Global Payments breach and PCI compliance. You can read the full post here, but I wanted to share a few highlights on StoneBlog.

In case you missed it, Global Payments, Inc. experienced a data breach in late March that impacted an estimated 1.5 million credit card accounts. As a leader in payments processing, the company has long taken strict measures to be PCI compliant. Visa wouldn’t trust millions of transactions a year with just anyone, right?

Right. And, yet somehow things turned very wrong. Avivah Litan, VP and Distinguished Analyst at Gartner Research, writes on her blog:

What’s the takeaway on PCI? The same one that’s been around for years. Passing a PCI compliance audit does not mean your systems are secure. Focus on security and not on passing the audit.

This couldn’t be more true. So many companies over invest time and resources trying to be PCI-compliant rather than treating network security as a process that must constantly evolve (both technically and procedurally) to protect against threats. Just as important is the fact that PCI audits are only as good as the people giving them. Just because an auditor doesn’t find a network security hole doesn’t mean it isn’t there.

My final takeaway? When PCI becomes THE end-all be-all standard, it becomes a risk. Focus on strong security – and compliance will follow.

Stonesoft SSL VPN 1.5.100: BYOD at your service

RoarinPenguin — Thu, 03 May 2012 14:29:10 +0000

BYOD.
An acronym, a promise, a new IT paradigm empowered by Cloud Computing wave.
BYOD stands for Bring Your Own Device.
And it means you should have freedom to use the most convenient client device to get things done.
Things like accessing corporate data and applications.
In your private, public or hybrid cloud.

But BYOD means also an issue… and quite a big one. Loss of control from IT about how trustable is the client device you choose to get things done.
And from security perspective, this is a relevant concern.
The upcoming version of Stonesoft SSL VPN, part of the A2Cloud solution, makes BYOD a viable path.

Building on universal access and verification of security posture promises, we have created a solution to enable true universal access for every client device, from anywhere, to any application.

This includes native support for Windows, Linux (32 and 64 bits) and MAC OS X operating systems for TCP/UDP based application tunneling into SSL, leaving to users complete freedom about which device to use to get things done.
Also, the product is perfectly supporting devices like smartphones, tablets etc to use Web based applications.

And Single Sign On completes the nice experience.

At Stonesoft, we believe that “level of trust” should not be limited to mere verification of credentials.

We allow IT admins to go the extra mile in keeping control even in BYOD cases: verification of security posture and context is available to ensure that the whole operating session is trusted and not just the… preferred device.

So, stay tuned to embrace the new way to embrace BYOD in your authenticated access to the cloud experience!

Stonesoft 5.4 – Other Enhancements

Tero Jantunen — Wed, 02 May 2012 06:00:33 +0000

There are number of other enhancements in 5.4 versions. Here are some that deserve to be mentioned here.

Look and feel updates As you may have noticed Stonesoft brand has changed recently. We have updated logos, OS level icons and look & feel of integrated web pages also inside our products. So don’t be surprised when you use Management Client, Web Portal, SSL VPN, IPsec VPN Client, Browser Based User Authentication or Online Help for the first time after the upgrade.
Policy usability enhancements We have introduced many new options for Rule Search tool in Policy Editor. It contains now e.g. possibility to define OR condition between different search criteria within same search cell as well as wildcard/network search for Source and Destination search cells. There are many other small enhancements in Policy Editor too that make your daily administration tasks even more convenient than before.
Internal User Database replication to separate administrative Domains If you have used Stonesoft internal user database and administrative Domains simultaneously, you have needed to create user elements in Shared Domain making them visible to all sub-domains. This restriction is now removed. You can create users also in sub domains. Note however, that system does not let you to create users with exactly same DN in different sub domains. You need to take this into account in DN naming convention.
Deeper integration with Authentication Server and Firewall We have improved the Authentication Server product to work better with Stonesoft Firewalls. It is now possible to use Authentication Server for IPsec VPN (and possibly also for WiFi authentication). It is now also possible to establish a Multi-Link capable communication channel between the Authentication Server and Firewall.

Security Issues in IPv6 Transition (Guest Post from Brian Monkman, ICSA Labs)

MMcKinley — Thu, 26 Apr 2012 16:36:06 +0000

StoneBlog welcomes a guest post from Brian Monkman, Perimeter Security Programs Manager at ICSA Labs (www.icsalabs.com):

Have you been off the Grid?

By now you have all heard, unless you have been totally off the grid for the last decade, that IPv4 depletion is a reality and that you MUST move to an IPv6 enabled infrastructure. So we have all taken this to heart and everything is hunky dory right?

Wrong!

IPv6 – Far from universal and fraught with problems

While a lot of security product vendors, though far from all, have implemented IPv6 functionality on their products and some enterprises are running IPv6 enabled servers and services – the adoption is very, very far from universal and is fraught with problems. Even the U.S. federal government with its NIST run USGv6 program doesn’t claim universal adoption.

So why is this, what are the issues and what are problems you should be aware of?

Let’s assume first you have done the obvious and have only purchased products or are only considering products from vendors that have been verified as being IPv6 compliant from a credible 3rd party lab. You have undoubtedly found that the range of choices isn’t as broad as you might wish. But why is that?

IPv6 Security Camps

When it comes to IPv6 implementation most security product vendors fall into one of three camps. First, you have the early adopters – the vendors who saw this coming, knew it was inevitable and wanted to be first to market. Second, the vendors who watched their competitors and quickly played catch-up. Then the third, by far the majority, who are developing new features and functionality based on ROI equations. This group largely claims that until recently there has been little to no user demand for IPv6.

IPv6 Planning

This should be a concern to all who are planning to or have implemented IPv6 within your enterprise. You may well take care of the primary servers and ensure everything is up and running, (your firewalls or network IPS devices are running in dual stack mode, etc) but what about your monitoring or network management tools? We have seen evidence that a number of enterprises have no idea what is happening on their network from an IPv6 point of view because their network management and/or management tools are not IPv6 ready.

What can be done?

You need to harass the account managers for those product vendors and ensure they follow through with IPv6 implementation as soon as possible. You can’t risk running blind.

Certifications

And of course – insert shameless plug – INSIST on an independent 3rd party verification such as, ICSA Labs. In addition to testing against USGv6 Testing Program requirements a number of programs, such as Network Firewalls and IPSec, have IPv6 requirements. The IPv6 implementation from BOTH a routing and security perspective is critical. Visit ICSA Labs at www.icsalabs.com for an overview of all of these offerings.

Awareness

Vendors who have subjected their products to the scrutiny of ICSA Labs testing demonstrate an awareness that it takes more than pointing a traffic generator at a product to ensure products are secure. In addition to using traffic generators there must be in-depth hands-on testing against publicly vetted certification or evaluation requirements. Any testing that does not rise to this level of rigor should be considered suspect. Vendors who choose to subject themselves to this level of pain should be lauded.

Walk the walk

Admittedly vendors who subject themselves and their products to testing at ICSA Labs never have an easy time of it. But thankfully there are vendors who not only walk the walk, they talk the talk.

Our position is that security testing is not an event, it is a long term ongoing commitment.

What are your thoughts?

Stonesoft 5.4 – LEEF Forwarding/Reception Support

Tero Jantunen — Wed, 25 Apr 2012 11:00:59 +0000

Stonesoft has recently joined Q1 Labs Security Intelligence Partner Program meaning that Stonesoft Log Server can be configured to forward logs to QRadar in Log Event Enhanced (LEEF) format. This makes it possible to receive logs from Stonesoft Security Engines, Firewall/VPNs, IPS Engines and SSL VPNs to QRadar security information and event management tool. Log Forwarding support has actually been introduced in SMC 5.3.4 version.

While becoming familiar with LEEF format, we also developed out-of-box logging profile for LEEF log format. Stonesoft Management Center can thus receive logs from LEEF compatible devices, thereby enhancing Stonesoft’s own third-party event management support. The logging profile will be introduced in SMC 5.4.0 version.

An Update on Stonesoft’s IPv6 Readiness

MMcKinley — Tue, 24 Apr 2012 15:23:08 +0000

Today, Stonesoft announced that its Next Generation Firewall has met the U.S. National Institute of Standards and Technology’s USGv6 evaluation requirements. Our solution has also passed ICSA Labs’ Network Firewall IPv6 and High Availability certification tests.

If you can’t tell, we’re taking IPv6 very seriously over here. Why? Because many network security vendors aren’t.

Stonesoft’s Brian Vosburgh goes into detail on this topic in a post on ICSA’s blog. You can read his full comments over there, but here are a few highlights. Most of today’s vendors are providing checkbox IPv6 capabilities, thereby deceiving many customers into thinking they are ready to support and secure IPv6 traffic. While it’s true most vendors do offer IPv6 inspection, the majority of these capabilities are limited. Only a handful of vendors (Stonesoft is one of them) can provide full inspection, logging and event correlation for IPv6 traffic at realistic traffic volumes and without affecting performance.

Our claims have been independently verified by ICSA Labs and held to the highest standard as evidenced by our recent USGv6 certification. We’re one of the few vendors to achieve this certification. Brian Monkman over at ICSA Labs shares a few more thoughts here on the role of IPv6 certification in the future of network security. I urge StoneBlog readers to check it out.

IPv6 isn’t going away – and Stonesoft has tackled the challenge head on. If you have any questions about security and IPv6 readiness, please ask them here!

7 ways to love the A2Cloud

RoarinPenguin — Thu, 19 Apr 2012 03:41:42 +0000

Cloud computing is here. Companies are increasingly using various cloud services to make everyday activities easier and more efficient. However, these advantages come with downsides – the real price for flexibility is lack of control, increased risks of human error and technological complexity due to various outsourced authentication methods and practices.
Stonesoft a2cloud is designed to remove these downsides and make life truly easier and more secure. In short, Stonesoft a2cloud revolutionizes how companies access the cloud. It is a perfect answer for the security needs of organizations using any cloud. Just say no to expensive authentication gadgets or hard tokens.
Check out below the 7 ways we have found to love A2Cloud in a webinar that will go live later today at 4 PM GMT+2!

Stonesoft 5.4 – Inspection Improvements

Tero Jantunen — Tue, 17 Apr 2012 06:00:08 +0000

There are a lot of interesting enhancements related to Deep Inspection. Read the sections below to find out more what is new in 5.4 versions.

Common Inspection Policies Inspection rules have been separated from Firewall and IPS Policy elements into a separate element. This enables you to reuse same Inspection policy for all security engines (including individual Firewall and IPS engines). Inspection Policies are referred from dedicated tab from Firewall and IPS Policy elements.
Snort Signatures It is now possible to translate Snort signatures for inspection. Snort signatures can be imported as batch run or individually into Stonesoft Management Center. It translates them into Stonesoft custom Situation elements. You can modify the custom fingerprints with dedicated fingerprint editor still after the import.
Improved Application Control Stonesoft introduced in 5.3 version support for dynamical protocol and application identification. Now the protocol support is extended meaning we can dynamically do port independent access control and application identification also for non-web traffic. The amount of applications is also all the time increasing. The target for 5.4.0 release is to have about 500 application elements.
Integrated Analyzer The Analyzer component, like we know today, disappear in 5.4 version. The Analyzer features are integrated in Log Server and in FW/IPS/Layer-2 Firewall roles. From customer perspective this change can be seen positive though. Customers are not actually losing any functionality but instead have more ways to benefit from the existing correlation features. The correlations are not limited in IPS anymore but can run simultaneously on Log Server and on all engine roles. In addition, it becomes possible to use Terminate Action with correlation directly on the engines.It is still possible to manage 5.2 version IPS Analyzer with SMC 5.4 version. However, after upgrading Sensor to 5.4, log data are sent directly to Log Server instead of Analyzer component. Gradually, this will obsolete the Analyzer from the IPS deployment.
File Context File Context is a technical enhancement that makes possible to detect and inspect transferred files on any TCP or UDP port number. When a file is being transferred, the content of the file are passed to the “File Context” after stripping the transfer encoding. The File Contexts currently available are; generic binary context for files with recognizable identifier, a PDF file context for PDF files, an OLE context for Microsoft Office Files, and a text file context that is used for files with no recognizable identifier. This change will allow us to provide you better inspection coverage and performance.
Deep Inspection for Express We wanted to produce a PCI-DSS compatible low-end appliance mainly for retail market. To fulfill this goal, it is now possible to do deep packet inspection and URL filtering also in our smallest FW-105 Express devices. Since the resources of that appliance are limited, deep inspection support covers only HTTP protocol.
IPv6 Inspection for Firewall With 5.4 Firewall (and Security Engine), it is possible to configure inspection rules also on IPv6 (on layer 3). Previously this has been possible only on layer 2 (for IPS). In SMC 5.4, Inspection Rules are separated from Access rules. Same Inspection policy work for both IPv4 and IPv6.