Recommendations on the operating environment

Introduction

The installation of a firewall and its administration applications is part of implementing a global security policy. To ensure optimal protection of your assets, resources and information, installing a firewall between your network and the Internet, or installing administration applications to help you configure it correctly, are only the first steps. This is mainly because most attacks come from the inside (accidents, disgruntled employees, dismissed employees who have retained internal access, etc.).

The following is the list of security recommendations on how to use the administration suite and the firewall.

Security watch

Check regularly for the Stormshield security advisories published on https://advisories.stormshield.eu.

Always apply updates if they fix security flaws on your firewall. Updates are available here: https://mystormshield.eu.

Physical security measures

SNS firewalls and their administration applications must be installed and stored in compliance with the state of the art regarding sensitive security devices: secured access to the premises, shielded cables with twisted pairs, labeled cables, etc.

Organizational security measures

The default password of the “admin” user (super administrator) must be changed the very first time the product is used.

In the web administration interface on SNS firewalls, this password can be changed in the Administrator module (System menu), under the Administrator account tab.

In the Stormshield Management Center (SMC) web administration interface, this password can be changed in the Maintenance module > SMC Server > Administrators tab.

This password must be set in line with the best practices described in the following section.

A particular administrative role – that of the super-administrator – has the following characteristics:

  • The only administrator authorized to log in via the local console on SNS firewalls, and only during the installation of the SNS firewall or for maintenance operations outside of normal production use.
  • In charge of defining the profiles of other administrators.
  • All access to the premises where the SNS firewalls and virtual machines that host administration applications are stored must be under this administrator's supervision, regardless of whether the purpose of the access is to conduct operations on the firewall or on other equipment. All operations performed on applications will be this administrator’s responsibility.

User and administrator passwords must be chosen so that they are costly to crack, by implementing a policy that regulates how they are created and verified.

EXAMPLE
Combination of letters and numbers, minimum length, addition of special characters, words which are not taken from ordinary dictionaries, etc.

Administrators are aware of these best practices through their duties and are responsible for making users aware of them (cf. next chapter: User Awareness).

For equipment in “trusted” networks which must be protected, the traffic control policy to be implemented must be defined as follows:

  • Complete: the standard scenarios of how equipment is used have all been considered when defining the rules and their authorized limits have been defined.
  • Strict: only the necessary uses of the equipment are authorized.
  • Correct: rules do not contradict each other.
  • Unambiguous: the wording of the rules provides a competent administrator with all the relevant elements for direct configuration of the appliance.
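The "Strict" and "Correct" properties above can be checked mechanically before a policy is deployed. The following is an added example, not Stormshield code: the rule format, field names and sample rules are constructed for illustration (SNS has its own filter syntax). Under first-match semantics it reports a missing final default-deny rule (not strict), a later rule fully shadowed by an earlier one with the opposite action (a contradiction), a shadowed rule with the same action (redundant), and two partially overlapping rules with different actions whose effect depends on their order.

```python
"""Static consistency checks for a traffic control (filter) policy.

Added example, not Stormshield code. Rule format and sample rules are
constructed; real SNS filter rules have more fields and their own syntax.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import List, Optional, Tuple

ANY_NET = ip_network("0.0.0.0/0")
ANY_PORT: Tuple[int, int] = (0, 65535)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                # "pass" or "block"
    src: IPv4Network
    dst: IPv4Network
    proto: str                 # "tcp", "udp" or "any"
    dports: Tuple[int, int]    # inclusive destination port range


def rule(name, action, src, dst, proto="any", dports=ANY_PORT) -> Rule:
    return Rule(name, action, ip_network(src), ip_network(dst), proto, dports)


def overlaps(a: Rule, b: Rule) -> bool:
    """True when at least one packet could match both rules."""
    if "any" not in (a.proto, b.proto) and a.proto != b.proto:
        return False
    if not a.src.overlaps(b.src) or not a.dst.overlaps(b.dst):
        return False
    return a.dports[0] <= b.dports[1] and b.dports[0] <= a.dports[1]


def covers(a: Rule, b: Rule) -> bool:
    """True when every packet matching b also matches a (a shadows b)."""
    return ((a.proto == "any" or a.proto == b.proto)
            and b.src.subnet_of(a.src) and b.dst.subnet_of(a.dst)
            and a.dports[0] <= b.dports[0] and b.dports[1] <= a.dports[1])


def is_default_deny(r: Rule) -> bool:
    return (r.action == "block" and r.proto == "any"
            and r.src == ANY_NET and r.dst == ANY_NET and r.dports == ANY_PORT)


Finding = Tuple[str, str, Optional[str]]  # (kind, rule name, other rule name)


def check_policy(rules: List[Rule]) -> List[Finding]:
    """Check the Strict and Correct properties under first-match semantics."""
    findings: List[Finding] = []
    # Strict: the policy must end with an explicit catch-all block rule.
    if not rules or not is_default_deny(rules[-1]):
        findings.append(("not-strict", "<policy>", None))
    # Correct: compare every rule with the rules evaluated before it.
    for i, later in enumerate(rules):
        if is_default_deny(later):
            continue  # the catch-all is expected to overlap every pass rule
        for earlier in rules[:i]:
            if covers(earlier, later):
                # 'later' can never match; with opposite actions the policy
                # states two contradictory intentions for the same traffic.
                kind = "redundant" if earlier.action == later.action else "contradiction"
                findings.append((kind, later.name, earlier.name))
            elif (overlaps(earlier, later) and earlier.action != later.action
                  and not covers(later, earlier)):
                # Partial overlap with different actions: the outcome for the
                # shared traffic depends only on rule order. A specific rule
                # followed by a broader one (covers(later, earlier)) is the
                # usual exception pattern and is not reported.
                findings.append(("order-dependent", later.name, earlier.name))
    return findings


# Constructed sample policy (not taken from any real SNS configuration).
SAMPLE_POLICY = [
    rule("allow_https", "pass", "10.1.0.0/16", "192.0.2.10/32", "tcp", (443, 443)),
    rule("allow_dns", "pass", "10.1.0.0/16", "192.0.2.53/32", "udp", (53, 53)),
    rule("block_lan_to_dmz", "block", "10.1.0.0/16", "192.0.2.0/24"),
    rule("allow_https_dup", "pass", "10.1.5.0/24", "192.0.2.10/32", "tcp", (443, 443)),
    rule("allow_mgmt_web", "pass", "10.0.0.0/8", "192.0.2.0/25", "tcp", (8000, 8100)),
    rule("default_deny", "block", "0.0.0.0/0", "0.0.0.0/0"),
]

if __name__ == "__main__":
    for kind, name, other in check_policy(SAMPLE_POLICY):
        print(f"{kind:16} {name} (vs {other})")
```

Running the sample reports `allow_https_dup` as redundant with `allow_https` and contradictory with `block_lan_to_dmz`, and `allow_mgmt_web` as order-dependent with `block_lan_to_dmz`; dropping the last rule adds a `not-strict` finding.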

Human agents

Administrators are non-hostile, competent agents with the means required to accomplish their duties. They have been trained to perform the operations for which they are responsible. Their skills and organization mean that:

  • Different administrators holding the same privileges will not perform conflicting administrative operations.
  • Logs are used and alarms are processed within the appropriate time frames.

EXAMPLE
Inconsistent changes to the traffic control policies.

IT security environment

SNS firewalls and their administration applications must be installed in line with the current network interconnection policy.

Stormshield Network Security firewalls

SNS firewalls are the only passageways between the various networks on which the traffic control policy must be applied. They are scaled according to the capacities of the adjacent devices, or those devices limit the number of packets per second to a rate slightly below the maximum processing capacity of each firewall installed in the network architecture.

Besides applying security functions, SNS firewalls do not provide any network service other than routing and address translation.

EXAMPLE
No DHCP, DNS, PKI, application proxies, etc.

SNS firewalls are not configured to forward IPX, Netbios, AppleTalk, PPPoE or IPv6 traffic.

SNS firewalls do not depend on external “online” services (DNS, DHCP, RADIUS, etc.) to apply the traffic control policy.

Stormshield Management Center administration application

A traffic control policy must be applied to SMC to allow only its administrators and managed SNS firewalls to log in to it.

The virtual machine must be appropriately scaled (RAM, CPU, disk space) to enable administration of the SNS firewalls managed by the application. The SMC operating system must never be modified to serve needs other than those it was designed to meet.

There must be sufficient bandwidth available at all times between the SMC application and the SNS firewalls so that all administration operations can be performed. To meet this requirement, the administrator must configure, or even disable, certain features, or otherwise limit the number of packets per second so that administration traffic is given priority.

The production and distribution of connecting packages, which allow SMC to manage SNS firewalls, must be managed by and entrusted to individuals who are familiar with security requirements. Such packages must only be shared through secure channels (encrypted e-mails, secured USB keys, etc.) between SMC and the SNS firewalls.

Interconnectivity

Remote administration workstations are secured and kept up to date on all known vulnerabilities affecting operating systems and hosted applications. They must be installed in protected premises and are exclusively dedicated to the administration of SNS firewalls, their administration applications, and the storage of backups.

Network devices that the SNS firewall uses to set up VPN tunnels are subject to physical access, protection and configuration controls. These constraints are equivalent to those imposed on SNS firewalls.

Workstations on which the VPN clients of authorized users are launched are subject to restrictions regarding physical access control, protection and control over their configuration, equivalent to the restrictions placed on workstations in trusted networks. They are secured and kept up to date on all known vulnerabilities affecting operating systems and hosted applications.

Configurations and usage of evaluated SNS firewalls

The evaluated usage must possess the following characteristics:

  • Certificates and CRLs are distributed manually (importing).
  • The evaluated usage excludes the fact that the TOE relies on services other than PKI, DNS and DHCP servers and proxies. The optional modules provided by Stormshield Network to manage these services are disabled by default and have to stay that way. Specifically, these are:
        • the internal public key infrastructure (PKI),
        • the user authentication module,
        • the SSL VPN module (Portal and Tunnel),
        • antivirus engines,
        • the Active Update module,
        • the dynamic routing module (BIRD dynamic routing service),
        • the DNS cache (DNS/Proxy cache),
        • SSH, DHCP, MPD and SNMPD servers (SSH server, DHCP server and SNMP agent),
        • the DHCP client (DHCP server),
        • the NTP daemon (NTP client),
        • the DHCP relay,
        • the cloud backup service.
  • Even though it is supported, the IPv6 feature is disabled by default and must remain so for the duration of the evaluation.
  • IPsec administrators and users are managed by the internal LDAP directory. The evaluation of such usage excludes the fact that external LDAP clients outside the scope of the firewall-VPN appliance’s network can connect to this base.
  • Audit logs – depending on the model – are either stored locally or sent by Syslog.
  • The ability provided by the filter policy to associate each filter rule with an application inspection (HTTP, SMTP, POP3 and FTP proxies) and a schedule falls outside the scope of this evaluation and must not be used.
  • The option of associating a “decrypt” action (SSL proxy) with a filter rule in the filter policy falls outside the scope of this evaluation and must not be used.

Cryptographic algorithms needed for compliance with the RGS (General Security Guidelines defined by ANSSI, the French Network and Information Security Agency) and used for the evaluation

Algorithm        Key size
Diffie-Hellman   2048, 3072, 4096

Algorithm        Key size
RSA              2048, 4096

Algorithms       Fingerprint size
HMAC-SHA1        160
HMAC-SHA2        256, 384, 512
SHA2             256, 384, 512

Algorithms       Key size
AES              128, 192, 256

The Perfect Forward Secrecy (PFS) option performs a new Diffie-Hellman key exchange during IKE Phase 2. This ensures that if a key is compromised, neither the following nor the preceding keys can be deduced from it, so that only the segment of the communication protected by the compromised key can be decrypted and not the whole IPsec exchange. You are strongly advised to leave PFS enabled in order to comply with the RGS; this is the scenario that has been chosen for the evaluation.
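The algorithm table and the PFS requirement together describe what an RGS-compliant IKE/IPsec proposal must look like, which makes them a natural input for an automated configuration audit. The following is an added example and not Stormshield code: the proposal dictionary layout and the two sample proposals are constructed, the allowed algorithms and sizes are transcribed from the table above, and the Diffie-Hellman group-to-modulus-size mapping is the standard IANA assignment (group 14 = 2048 bits, 15 = 3072, 16 = 4096). It flags non-AES encryption, non-SHA HMACs, undersized DH groups and RSA keys, and a Phase 2 with PFS disabled.

```python
"""Audit IKE/IPsec proposals against the RGS algorithm list.

Added example, not Stormshield code. Proposal layout and sample values are
constructed; allowed sizes come from the table in the text; DH group sizes
follow the standard IANA MODP group assignments.
"""
from typing import Dict, List

# Allowed parameters, transcribed from the table above.
RGS_DH_BITS = {2048, 3072, 4096}
RGS_RSA_BITS = {2048, 4096}
RGS_AES_BITS = {128, 192, 256}
RGS_INTEGRITY = {"hmac-sha1": {160}, "hmac-sha2": {256, 384, 512}}

# Standard IANA MODP group number -> modulus size in bits.
DH_GROUP_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048, 15: 3072, 16: 4096,
                 17: 6144, 18: 8192}


def check_phase(name: str, p: Dict, require_pfs: bool) -> List[str]:
    """Check one IKE phase; Phase 2 must additionally have PFS enabled."""
    findings: List[str] = []
    enc, key_bits = p.get("encryption"), p.get("key_bits")
    if enc != "aes" or key_bits not in RGS_AES_BITS:
        findings.append(f"{name}: encryption {enc}-{key_bits} is not AES-128/192/256")
    integ, hash_bits = p.get("integrity"), p.get("hash_bits")
    if hash_bits not in RGS_INTEGRITY.get(integ, set()):
        findings.append(f"{name}: integrity {integ}-{hash_bits} is not "
                        "HMAC-SHA1-160 or HMAC-SHA2-256/384/512")
    if require_pfs and not p.get("pfs"):
        # Without PFS, Phase 2 keys derive from the Phase 1 secret only, so
        # one compromised key exposes the other segments of the exchange.
        findings.append(f"{name}: PFS is disabled; a fresh DH exchange per Phase 2 is required")
    else:
        group = p.get("dh_group")
        bits = DH_GROUP_BITS.get(group)
        if bits not in RGS_DH_BITS:
            findings.append(f"{name}: DH group {group} ({bits or 'unknown'} bits) "
                            "is not 2048/3072/4096")
    return findings


def check_proposal(prop: Dict) -> List[str]:
    findings = check_phase("phase1", prop["phase1"], require_pfs=False)
    findings += check_phase("phase2", prop["phase2"], require_pfs=True)
    auth = prop.get("auth", {})
    if auth.get("method") == "rsa-certificate" and auth.get("key_bits") not in RGS_RSA_BITS:
        findings.append(f"auth: RSA key of {auth.get('key_bits')} bits is not 2048/4096")
    return findings


def audit(proposals: Dict[str, Dict]) -> Dict[str, List[str]]:
    """Map each proposal name to its list of compliance findings (empty = compliant)."""
    return {name: check_proposal(p) for name, p in proposals.items()}


# Constructed sample proposals (hypothetical layout, not an SNS export).
SAMPLE_PROPOSALS = {
    "site_a_compliant": {
        "phase1": {"encryption": "aes", "key_bits": 256, "integrity": "hmac-sha2",
                   "hash_bits": 256, "dh_group": 14},
        "phase2": {"encryption": "aes", "key_bits": 128, "integrity": "hmac-sha2",
                   "hash_bits": 256, "pfs": True, "dh_group": 14},
        "auth": {"method": "rsa-certificate", "key_bits": 2048},
    },
    "site_b_legacy": {
        "phase1": {"encryption": "3des", "key_bits": 168, "integrity": "hmac-md5",
                   "hash_bits": 128, "dh_group": 2},
        "phase2": {"encryption": "aes", "key_bits": 256, "integrity": "hmac-sha1",
                   "hash_bits": 160, "pfs": False, "dh_group": None},
        "auth": {"method": "rsa-certificate", "key_bits": 1024},
    },
}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_PROPOSALS).items():
        print(name, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

The compliant sample yields no findings; the legacy one is reported for 3DES, HMAC-MD5, DH group 2 (1024 bits), PFS disabled and a 1024-bit RSA key.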

The security of the connection to the authentication portal and administration interface has been strengthened, as per the recommendations of the ANSSI (French Network and Information Security Agency). These connections must go through certain versions of the SSL/TLS protocol. SSLv3 has been disabled to make way for TLS versions. The use of AES encryption suites with Diffie-Hellman has also been imposed. As Internet Explorer versions 6, 7 and 8 do not support this configuration, you are advised to use a higher version of this browser. This configuration must not be disabled in order to stay within the scope of the evaluation.