User awareness

Administrator management

The administrator of the VPN firewall or SMC server is in charge of instructing users on network security, the equipment which make up the network and the information which passes through it.

Most users in a network are computer novices and even more so in network security. It is thus incumbent upon the administrator or person in charge of network security to organize training sessions or at least programs to create user awareness of network security.

These sessions should be used to state the importance of managing user passwords and the work environment as well as the management of users’ access to the company’s resources, as indicated in the following section.

Initial connection to the appliance or SMC server

A security procedure must be followed if the initial connection to the appliance or SMC server takes place through an untrusted network. This operation is not necessary if the administration workstation is plugged in directly to the product.

Access to the administration portal is secured through the SSL/TLS protocol. This protection makes it possible to authenticate the portal via a certificate, thereby assuring administrators that they are indeed logged in to the desired appliance or SMC server. This certificate can either be the appliance’s default certificate or the certificate entered during the configuration of the appliance (Authentication > Captive portal). For the SMC server, refer to Customizing the certificate of the SMC server web interface to replace the default certificate.

User password management

Throughout the evolution of information technologies, numerous authentication mechanisms have been invented and implemented to guarantee that companies’ information systems possess better security. The result of this multiplication of mechanisms is a complexity which contributes to the deterioration of company network security today.

Users (novices and untrained users) tend to choose “simplistic” passwords, in general drawn from their own lives and which often correspond to words found in a dictionary. This behavior, quite understandably, leads to a considerable deterioration of the information system’s security.

Dictionary attacks being an exceedingly powerful tool is a fact that has to be reckoned with. A study conducted in 1993 has already proven this point. The following is a reference to this study: ( The most disturbing revelation of this study is surely the table set out below (based on 8-character passwords):


Type of password  Number of characters Number of passwords Cracking time
English vocabulary 8 char. and + Special 250000 < 1 second
Lowercase only 26 208827064576 9-hour graph
Lowercase + 1 uppercase 26/special 1670616516608 3 days
Upper- and lowercase 52 53459728531456 96 days
Letters + numbers 62 218340105584896 1 year
Printable characters 95 6634204312890620 30 years
Set of 7-bit ASCII characters 128 72057594037927900 350 years

Another tendency which has been curbed but which is still happening is worth mentioning: those now-famous post-its pasted under keyboards.

The administrator has to organize actions (training, creating user awareness, etc) in order to modify or correct these “habits”.

  • Encourage your users to choose passwords that exceed 7 characters,
  • Remind them to use numbers and uppercase characters,
  • Make them change their passwords on a regular basis,
  • and last but not least, never to note down the password they have just chosen.

One classic method of choosing a good password is to choose a sentence that you know by heart (a verse of poetry, lyrics from a song) and to take the first letter of each word. This set of characters can then be used as a password.

Stormshield Network, Leading French manufacturer of FIREWALL and VPN appliances…”
The password can then be the following: SNLFmoFaVa.

The ANSSI (French Network and Information Security Agency) offers a set of recommendations for this purpose to assist in defining sufficiently robust passwords.

Work environment

The office is often a place where many people pass through every day, be they from the company or visitors, therefore users have to be aware of the fact that certain persons (suppliers, customers, workers, etc) can access their workspace and by doing so, obtain information about the company.

It is important that the user realizes that he should never disclose his password either by telephone or by e-mail (social engineering) and that he should type his password away from prying eyes.

User access management

To round up this section on creating user awareness of network security, the administrator has to tackle the management of user access. In fact, the authentication mechanism on a Stormshield Network Firewall or SMC server, like many other systems, is based on a login/password system and does not necessarily mean that when the application enabling this authentication is closed, the user is logged off. This concept may not always be apparent to the uninitiated user. As such, despite having shut down the application in question, the user (who is under the impression that he is no longer connected) remains authenticated. If he leaves his workstation for just a moment, an ill-intentioned person can then usurp his identity and access information contained in the application.

Remind users to lock their sessions before they leave their workstations unattended. This seemingly tedious task can be made easier with the use of authentication mechanisms which automate session locking (for example, a USB token).