User awareness
Administrator management
The administrator of the VPN firewall or SMC server is in charge of instructing users on network security, the equipment that makes up the network, and the information that passes through it.
Most users in a network are computer novices and even more so in network security. It is thus incumbent upon the administrator or person in charge of network security to organize training sessions or at least programs to create user awareness of network security.
These sessions should be used to state the importance of managing user passwords and the work environment as well as the management of users’ access to the company’s resources, as indicated in the following section.
Initial connection to the appliance or SMC server
A security procedure must be followed if the initial connection to the appliance or SMC server takes place over an untrusted network. This procedure is not necessary if the administration workstation is plugged directly into the product.
Access to the administration portal is secured through the SSL/TLS protocol. This protection makes it possible to authenticate the portal via a certificate, thereby assuring administrators that they are indeed logged in to the desired appliance or SMC server. This certificate can either be the appliance’s default certificate or the certificate entered during the configuration of the appliance (Authentication > Captive portal). For the SMC server, refer to Customizing the certificate of the SMC server web interface to replace the default certificate.
User password management
Throughout the evolution of information technology, numerous authentication mechanisms have been invented and implemented to improve the security of corporate information systems. The result of this multiplication of mechanisms is a complexity that now contributes to the deterioration of company network security.
Users (novices and untrained users) tend to choose “simplistic” passwords, in general drawn from their own lives and which often correspond to words found in a dictionary. This behavior, quite understandably, leads to a considerable deterioration of the information system’s security.
Dictionary attacks are an exceedingly powerful tool, and this has to be reckoned with. A study conducted in 1993 already proved this point (http://www.klein.com/dvk/publications/). The most disturbing revelation of this study is surely the table set out below (based on 8-character passwords):
Type of password | Number of characters | Number of passwords | Cracking time |
English vocabulary 8 char. and + | Special | 250000 | < 1 second |
Lowercase only | 26 | 208827064576 | 9-hour graph |
Lowercase + 1 uppercase | 26/special | 1670616516608 | 3 days |
Upper- and lowercase | 52 | 53459728531456 | 96 days |
Letters + numbers | 62 | 218340105584896 | 1 year |
Printable characters | 95 | 6634204312890620 | 30 years |
Set of 7-bit ASCII characters | 128 | 72057594037927900 | 350 years |
Another tendency, which has been curbed but still occurs, is worth mentioning: the now-famous post-it notes stuck under keyboards.
The administrator has to organize actions (training, creating user awareness, etc.) in order to modify or correct these “habits”:
- Encourage your users to choose passwords that exceed 7 characters,
- Remind them to use numbers and uppercase characters,
- Make them change their passwords on a regular basis,
- and, last but not least, tell them never to write down the password they have just chosen.
One classic method of choosing a good password is to choose a sentence that you know by heart (a verse of poetry, lyrics from a song) and to take the first letter of each word. This set of characters can then be used as a password.
EXAMPLE
“Stormshield Network, Leading French manufacturer of FIREWALL and VPN appliances…”
The password can then be the following: SNLFmoFaVa.
The ANSSI (French Network and Information Security Agency) offers a set of recommendations for this purpose to assist in defining sufficiently robust passwords.
Work environment
The office is often a place where many people pass through every day, whether company staff or visitors. Users therefore have to be aware that certain persons (suppliers, customers, contractors, etc.) can access their workspace and, by doing so, obtain information about the company.
It is important that the user realizes that he should never disclose his password either by telephone or by e-mail (social engineering) and that he should type his password away from prying eyes.
User access management
To round off this section on creating user awareness of network security, the administrator has to tackle the management of user access. The authentication mechanism on a Stormshield Network Firewall or SMC server, like that of many other systems, is based on a login/password pair, and closing the application through which the user authenticated does not necessarily log the user off. This may not be apparent to the uninitiated user: although the application has been shut down, the user (who believes he is no longer connected) remains authenticated. If he leaves his workstation for just a moment, an ill-intentioned person can then usurp his identity and access the information held in the application.
Remind users to lock their sessions before they leave their workstations unattended. This seemingly tedious task can be made easier with the use of authentication mechanisms which automate session locking (for example, a USB token).