Administration services

Configuring administration IP addresses

Unrestricted access to the SNS firewall’s administration interfaces raises the risk of intrusion attempts and of the firewall being controlled by other firewalls that have obtained illegal access to it.

R11 | SNS | Define administration sub-networks clearly
The IP addresses or administration sub-networks allowed to access an SNS firewall’s administration interfaces should be explicitly defined in Configuration > System > Configuration > Firewall administration.

These IP addresses and administration sub-networks must be configured using specific objects placed together in an object group. In line with the chapter Filter policy, the use of such groups makes it possible to better manage permissions consistently with filter rules.

R12 | SNS | Use an administrator object group
The use of object groups is recommended, containing all sub-networks and IP addresses allowed to manage the SNS firewall.

Dedicated web administration interface

Sharing a web administration interface with the production network increases the number of individuals and appliances with access to the SNS firewall’s administration interface, and also increases the volume of traffic that the interface must handle. As a result, this raises the risk of the web administration interface being attacked or unreachable. Moreover, using VLANs does not guarantee airtight access between the configured networks.

R13 | SNS | Dedicate an Ethernet interface to administration
SNS firewalls should be managed on a dedicated Ethernet interface connected to an administration network also dedicated to such operations. The filtering applied must be as restrictive as possible.

The ANSSI guide Recommendations on the secure administration of information systems (in French) sets out the recommended measures regarding the secure administration of information systems.

Security on the web administration interface

Security on the SNS firewall web administration interface and SMC server contributes to their security by protecting the confidentiality and integrity of legitimate administration traffic.

On the SNS firewall, sslparanoiac mode is enabled by default, thereby imposing the use of TLS 1.3 or TLS 1.2 with robust cryptographic suites. The TLS settings of the web administration interface can be checked using the NSRPC command config auth show. The cryptographic suites suggested by default are:

ECDHE-ECDSA-AES128-GCM-SHA256
DHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-CHACHA20-POLY1305
ECDHE-RSA-CHACHA20-POLY1305
DHE-RSA-CHACHA20-POLY1305
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES256-GCM-SHA384
TLS_AES_128_GCM_SHA256
TLS_CHACHA20_POLY1305_SHA256
TLS_AES_256_GCM_SHA384

R14 | SNS | Keep default cryptographic suites
Keeping the default configuration of cryptographic suites facilitates compliance with the ANSSI’s Security recommendations relating to TLS (in French) and Appendix B1 of the ANSSI’s RGS.

R14+ | SNS | Harden TLS parameters on the web administration interface
Users are advised to keep only TLS suites with ECDHE as recommended in the guide Security recommendations relating to TLS (in French).

Cryptographic suites can be restricted using NSRPC commands:

config auth https cipherlist="ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-CHACHA20-POLY1305,ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384"
config auth activate

Changing the certificate of the web administration interface

By default, the certificate presented to administrators when they connect to the web administration interface on an SNS firewall is a certificate signed by the Stormshield CA. On the SMC server, self-signed certificates are used. In both cases, there is no more control over the criteria for generating the private key used, or how it can be used.

R15 | SNS | Replace the web interface certificate
The certificate of the web administration interface should be replaced with a certificate issued by a controlled PKI to strengthen the security involved in accessing it.
Refer to the ANSSI’s General Security Guidelines (in French), in particular appendices A4 and B1.

The server certificate configuration used by the SNS firewall's web administration interface can be configured in Configuration > System > Configuration > Firewall administration > Configure the SSL certificate of the service.

INFORMATION
To allow administrators to authenticate the SNS firewalls they are connecting to, the public key of the CA that signed the certificate must be in the certificate store of the browser that administrators use.

Administration via NSRPC

During direct connections to the NSRPC server, the SNS firewall requires read-only access to the user’s password hash (this information is required for the authentication protocol to function properly). If the SNS firewall’s access to the directory is hijacked, all saved password hashes may then be compromised. The hash is a critical component, as brute force attacks can compromise passwords. The use of such accounts in the information system must therefore be monitored (connections from another appliance, illegal requests, etc.).

An NSRPC console is available from the web administration interface. Access to this console does not require additional authentication. Hashes do not need to be accessed.

R16 | SNS | Use NSRPC from the web administration interface
NSRPC commands should only be used from Configuration > System > CLI console in the web administration interface.

R16 ⁃ | SNS | Use accounts dedicated to direct NSRPC connections
During direct access to the NSRPC console, dedicated accounts are recommended for this purpose, passwords should be changed regularly and only the hashes of these accounts on the remote directory should be exposed.

INFORMATION
By default, Active Directory and OpenLDAP directories do not allow password hashes to be read.

Localization features

Several localization features can be found on the SNS firewall:

  • Web administration interface language, which can be selected in the connection window,

  • Keyboard layout of the console, which can be configured in Configuration > System > Configuration,

  • Language in which logs are generated, which can be configured in Configuration > System > Configuration.

The language in which logs are generated changes the messages displayed in the Monitoring > Dashboard menu and in local and remote log files. The language chosen affects:

  • How users understand log files,

  • Patterns that monitoring systems look for,

  • The types of searches conducted in the knowledge base on Stormshield's website.

All existing messages are listed in Monitoring > Logs - Audit logs > System events and their translations are available on the SNS firewall in the /usr/Firewall/System/Language/ folder. Every generated message bears an index number associated with the corresponding error. This number is the same in all translations.

R17 | SNS | Use the same language in logs
The same language should be configured for all logs on all SNS firewalls. This will make it easier to read them and integrate them into monitoring tools.

WARNING
Logs are available only in English on the SMC server. The SNS firewall's traces and logs should be configured in English if the firewall is managed via the SMC server.

R18 | SNS-SMC | Use a language that users understand
SNS firewalls must be configured in a language that users understand.

INFORMATION
Stormshield's Technical documentation website can be accessed in French and English. The Knowledge base can be accessed from the Stormshield personal area only in English.