User awareness

Administrator management

The Firewall administrator is in charge of instructing users on network security, on the equipment that makes up the network and on the information that passes through it.

Most users of a network are computer novices, and even more so in network security. It is thus incumbent upon the administrator, or the person in charge of network security, to organize training sessions or at least awareness programs on network security.

These sessions should be used to stress the importance of managing user passwords and the work environment, as well as the management of users’ access to the company’s resources, as set out in the following sections.


Initial connection to the appliance

A security procedure must be followed if the initial connection to the appliance takes place through an untrusted network. It is not necessary if the administration workstation is plugged directly into the product.

Access to the administration portal is secured by the SSL/TLS protocol. This protection allows the portal to be authenticated through a certificate, assuring the administrator that he is indeed connected to the intended appliance. This certificate is either the appliance’s default certificate or the certificate entered during the configuration of the appliance (Authentication > Captive portal). The name (CN) of the appliance’s default certificate is the appliance’s serial number, and it is signed by two authorities: NETASQ - Secure Internet Connectivity ("O") / NETASQ Firewall Certification Authority ("OU") and Stormshield ("O") / Cloud Services ("OU").

For the access to be confirmed as secure, the browser must trust the certificate authority that signed the certificate presented, i.e. that authority must be in the browser’s list of trusted certificate authorities. Therefore, to confirm the authenticity of an appliance, the NETASQ and Stormshield certificate authorities must be added to the browser’s list of trusted certificate authorities before the initial connection. These authorities are available at http://pki.stormshieldcs.eu/netasq/root.crt and http://pki.stormshieldcs.eu/products/root.crt. Because these downloads take place over plain http, they are not themselves authenticated: verify the downloaded root certificates (for example by comparing their fingerprints with a copy obtained through a trusted channel) before importing them. If a certificate signed by another authority has been configured on the appliance, that authority has to be added instead of the NETASQ and Stormshield authorities.

Once this is done, the initial connection to the appliance no longer raises a browser alert about an untrusted authority. However, the browser still warns that the certificate is not valid for the address requested: the certificate names the Firewall by its serial number, whereas the browser was asked for its IP address. To stop this warning, create a DNS record that associates the serial number with the IP address of the Firewall, and open the administration portal by that name rather than by the IP address.
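The two checks a browser makes on the portal’s certificate, the chain check that importing the authorities satisfies and the name check that the DNS record satisfies, can be reproduced with openssl against a throw-away lab PKI. The following is an added example written for this page, not code shipped by Stormshield: the vendor CA name, the serial number SN110A1234567890, the IP address 192.0.2.10 and the helper names are constructed for the lab, and openssl must be on the PATH.

```python
"""Added example, not part of the Stormshield guide: builds a throw-away PKI
that mimics the trust model above (a vendor CA the browser has never seen,
signing an appliance certificate whose name is the serial number) and runs
the two checks a browser makes, chain trust and name match, with openssl.
CA name, serial number and IP address are constructed for the lab."""
import atexit
import os
import shutil
import subprocess
import tempfile

SERIAL = "SN110A1234567890"   # assumed appliance serial number, used as the cert name
FW_IP = "192.0.2.10"          # assumed management IP (RFC 5737 documentation range)
LAB = tempfile.mkdtemp(prefix="fw-pki-")
atexit.register(shutil.rmtree, LAB, True)


def _openssl(*args) -> bool:
    """Run one openssl command inside the lab directory; True on exit status 0."""
    r = subprocess.run(["openssl", *args], cwd=LAB,
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return r.returncode == 0


def _must(*args) -> None:
    if not _openssl(*args):
        raise RuntimeError("openssl failed: " + " ".join(args))


def build_lab_pki() -> None:
    """Self-signed root CA plus an appliance certificate it signs, CN = serial."""
    _must("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "2",
          "-keyout", "ca.key", "-out", "ca.crt",
          "-subj", "/O=Example Vendor/OU=Firewall Certification Authority/CN=Example Root CA")
    _must("req", "-newkey", "rsa:2048", "-nodes",
          "-keyout", "fw.key", "-out", "fw.csr", "-subj", f"/CN={SERIAL}")
    # Chromium-based browsers ignore the CN and match only subjectAltName, so the
    # serial number goes there as well. Note that no IP address is in the cert.
    with open(os.path.join(LAB, "fw.ext"), "w") as f:
        f.write(f"subjectAltName=DNS:{SERIAL}\n")
    _must("x509", "-req", "-in", "fw.csr", "-CA", "ca.crt", "-CAkey", "ca.key",
          "-CAcreateserial", "-days", "1", "-extfile", "fw.ext", "-out", "fw.crt")


def chain_ok(cert: str, trusted_ca: str = None) -> bool:
    """Check 1: does `cert` chain to an authority in the trust store?
    trusted_ca=None models a browser that has not imported the vendor CA."""
    store = ["-CAfile", trusted_ca] if trusted_ca else ["-no-CAfile", "-no-CApath"]
    return _openssl("verify", *store, cert)


def name_ok(cert: str, trusted_ca: str, requested: str, is_ip: bool = False) -> bool:
    """Check 2: does `cert` name the host the browser was asked for?"""
    match = ["-verify_ip" if is_ip else "-verify_hostname", requested]
    return _openssl("verify", "-CAfile", trusted_ca, *match, cert)


build_lab_pki()

if __name__ == "__main__":
    print("chain, CA not imported  :", chain_ok("fw.crt"))                         # False: authority warning
    print("chain, CA imported      :", chain_ok("fw.crt", "ca.crt"))               # True
    print("name, browsing by IP    :", name_ok("fw.crt", "ca.crt", FW_IP, True))   # False: name warning
    print("name, DNS name = serial :", name_ok("fw.crt", "ca.crt", SERIAL))        # True
```

Running the script prints four lines: the chain check fails until the CA is trusted, and the name check still fails when browsing by IP address even once the CA is trusted, which is the second warning described above. The lab certificate carries the serial number as a subjectAltName because Chromium-based browsers (and Safari since 2019) ignore the CN field when matching names; if a certificate only names the appliance in its CN, the DNS record alone may not silence those browsers, and a certificate issued for the portal’s real host name (Authentication > Captive portal) is the cleaner fix.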

NOTE

The default password of the “admin” user (super administrator) must be changed the very first time the product is used. The wizard will prompt the user to change his password during the initial installation, in the Administration of the appliance window. In the web administration interface, this password can be changed in the Administrator module (System menu), under the Administrator account tab.

The definition of this password must observe the best practices described in the following section, under User password management.

This password must never be saved in the browser.

User password management

Over the evolution of information technology, numerous authentication mechanisms have been invented and deployed to improve the security of company information systems. The result of this multiplication of mechanisms is complexity, which today contributes to the erosion of company network security.

Users (novices and untrained users) tend to choose “simplistic” passwords, generally drawn from their own lives and often matching words found in a dictionary. Understandably, this behavior considerably weakens the security of the information system.

Dictionary attacks are an exceedingly powerful tool, a fact that has to be reckoned with. A study published in 1993 had already proven this point (http://www.klein.com/dvk/publications/). Its most disturbing revelation is surely the table below, based on 8-character passwords. The cracking times are for the hardware of that period; today’s GPU-based crackers exhaust the same keyspaces several orders of magnitude faster, so the ratios between the rows matter more than the absolute figures.

Type of password                   Alphabet size   Number of passwords   Cracking time
English vocabulary, 8 char. and +  special         250000                < 1 second
Lowercase only                     26              208827064576          9 hours
Lowercase + 1 uppercase            26 / special    1670616516608         3 days
Upper- and lowercase               52              53459728531456        96 days
Letters + numbers                  62              218340105584896       1 year
Printable characters               95              6634204312890625      30 years
7-bit ASCII character set          128             72057594037927936     350 years

(Alphabet size is the number of distinct symbols available for each position; for 8-character passwords the number of passwords is the alphabet size to the power 8. The vocabulary row counts dictionary words, and the “1 uppercase” row counts the 8 positions the single capital can take.)

Another habit that has been curbed but still occurs is worth mentioning: the now-famous post-it notes stuck under keyboards.

The administrator has to organize actions (training, user awareness, etc.) in order to change or correct these “habits”.


Example

  • Encourage your users to choose passwords that exceed 7 characters,
  • Remind them to use numbers and uppercase characters,
  • Make them change their passwords on a regular basis,
  • and last but not least, never to note down the password they have just chosen.


One classic method of choosing a good password is to choose a sentence that you know by heart (a verse of poetry, lyrics from a song) and to take the first letter of each word. This set of characters can then be used as a password. For example:

  • “Stormshield Network, Leading French manufacturer of FIREWALL and VPN appliances…”

The password can then be the following: SNLFmoFaVa.
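The arithmetic behind the table above, the four recommendations listed above and the first-letter mnemonic can be turned into a small checker. The following is an added example written for this page, not code from the guide or from Stormshield: the guess rate is derived from the table itself (26^8 passwords in 9 hours), the dictionary is a constructed six-word stand-in for a real wordlist, and all function names are assumptions.

```python
"""Added example, not code from the Stormshield guide: reproduces the keyspace
arithmetic of the table above and checks a password against the four
recommendations and the first-letter mnemonic method described above."""
import re

# Alphabet sizes used by the table (8-character passwords).
ALPHABETS = {
    "lowercase only": 26,
    "upper- and lowercase": 52,
    "letters + numbers": 62,
    "printable characters": 95,
    "7-bit ASCII": 128,
}

# Guess rate implied by the table's "lowercase only" row: 26**8 passwords in 9 hours.
TABLE_GUESSES_PER_SECOND = 26 ** 8 / (9 * 3600)

# Constructed mini wordlist; a real attacker uses millions of entries.
DICTIONARY = {"password", "welcome", "letmein", "sunshine", "firewall", "stormshield"}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length


def crack_days(space: int, guesses_per_second: float = TABLE_GUESSES_PER_SECOND) -> float:
    """Worst-case number of days needed to exhaust `space` at the given guess rate."""
    return space / guesses_per_second / 86400


def check_password(pw: str) -> list:
    """Return the recommendations above that `pw` violates (empty list = acceptable)."""
    problems = []
    if len(pw) <= 7:
        problems.append("must exceed 7 characters")
    if not re.search(r"[0-9]", pw):
        problems.append("must contain a digit")
    if not re.search(r"[A-Z]", pw):
        problems.append("must contain an uppercase letter")
    # Strip the trailing digits users bolt onto a word ("welcome1") before the lookup.
    base = re.sub(r"[0-9]+$", "", pw.lower())
    if base in DICTIONARY:
        problems.append("is a dictionary word (with or without trailing digits)")
    return problems


def acronym(sentence: str) -> str:
    """First letter of each word, case preserved: the mnemonic method above."""
    return "".join(w[0] for w in re.findall(r"[A-Za-z]+", sentence))


if __name__ == "__main__":
    for name, size in ALPHABETS.items():
        space = keyspace(size, 8)
        print(f"{name:22} {space:>20,d}  ~{crack_days(space):8.1f} days")
    sentence = "Stormshield Network, Leading French manufacturer of FIREWALL and VPN appliances"
    for pw in ("welcome1", acronym(sentence), acronym(sentence) + "2024"):
        print(pw, "->", check_password(pw) or "OK")
```

Note that the mnemonic password SNLFmoFaVa on its own fails the second recommendation (it contains no digit); appending a number, or choosing a sentence that contains one, fixes that while keeping the password memorable.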

The ANSSI (Agence nationale de la sécurité des systèmes d’information, the French national cybersecurity agency) publishes a set of recommendations to assist in defining sufficiently robust passwords.

Users are authenticated through the captive portal by default, over an SSL/TLS connection that uses a certificate signed by two authorities that browsers do not recognize. These certificate authorities therefore have to be deployed to users’ browsers, for example with a GPO. By default they are the NETASQ CA and the Stormshield CA, available from http://pki.stormshieldcs.eu/netasq/root.crt and http://pki.stormshieldcs.eu/products/root.crt.

For further detail, refer to the section Initial connection to the appliance above, under Administrator management.

Work environment

The office is often a place that many people pass through every day, whether company staff or visitors. Users therefore have to be aware that certain persons (suppliers, customers, contractors, etc.) can access their workspace and, by doing so, obtain information about the company.

It is important that the user realizes that he should never disclose his password, whether by telephone or by e-mail (social engineering), and that he should type his password away from prying eyes.

User access management

To round off this section on creating user awareness of network security, the administrator has to tackle the management of user access. A Stormshield Network Firewall’s authentication mechanism, like many other systems, is based on a login/password pair, and closing the application through which the user authenticated does not necessarily log the user off. This may not be apparent to the uninitiated user: despite having closed the application in question, the user (who is under the impression that he is no longer connected) remains authenticated. If he leaves his workstation for even a moment, an ill-intentioned person can impersonate him and access the information the application gives access to.

Remind users to lock their sessions before they leave their workstations unattended. This seemingly tedious task can be made easier with the use of authentication mechanisms which automate session locking (for example, a USB token).
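As an added illustration written for this page (not the Firewall’s own implementation), the following minimal server-side session table shows why closing the client program changes nothing on the server side, and the two controls that actually end a session: an explicit logout and an inactivity timeout. The timeout values (15 minutes idle, 8 hours absolute) and the names are assumed policy numbers, not product defaults.

```python
"""Added illustration, not the Firewall's own code: a minimal server-side
session table. Timeout values are assumed policy numbers, not product defaults."""
import secrets

IDLE_TIMEOUT = 15 * 60        # seconds without activity before the session dies
ABSOLUTE_TIMEOUT = 8 * 3600   # hard cap on session lifetime, whatever the activity


class SessionStore:
    """One entry per authenticated session, keyed by an unguessable token."""

    def __init__(self):
        self._sessions = {}   # token -> {"user", "created", "last_seen"}

    def login(self, user: str, now: float) -> str:
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "created": now, "last_seen": now}
        return token

    def authenticated_user(self, token: str, now: float):
        """Who does `token` belong to at time `now`? None if nobody.
        Closing the client application never reaches this code, so the entry
        stays valid until a logout or a timeout removes it."""
        s = self._sessions.get(token)
        if s is None:
            return None
        if now - s["last_seen"] > IDLE_TIMEOUT or now - s["created"] > ABSOLUTE_TIMEOUT:
            del self._sessions[token]   # expired: forget it on the server side
            return None
        s["last_seen"] = now            # activity keeps the idle window open
        return s["user"]

    def logout(self, token: str) -> None:
        """The explicit action that closing the window does not perform."""
        self._sessions.pop(token, None)


def demo() -> list:
    """Walk one session through the scenario described above and return the
    outcomes in order: working, after 'closing' the app, after the idle
    timeout, and after an explicit logout."""
    store = SessionStore()
    t = 0
    token = store.login("alice", t)
    seen = [store.authenticated_user(token, t + 60)]        # alice, working
    # alice closes the application: nothing is sent to the server, so anyone
    # who sits down at her unlocked workstation still acts as alice.
    seen.append(store.authenticated_user(token, t + 120))
    # nobody touches the session for longer than the idle timeout
    seen.append(store.authenticated_user(token, t + 120 + IDLE_TIMEOUT + 1))
    # the control she should have applied: an explicit logout (or locking the session)
    token = store.login("alice", t)
    store.logout(token)
    seen.append(store.authenticated_user(token, t + 1))
    return seen


if __name__ == "__main__":
    print(demo())   # ['alice', 'alice', None, None]
```

The idle timeout limits the window in which an unattended but still-authenticated session can be abused; locking the workstation closes it immediately, which is why the reminder above matters even when timeouts are configured.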