New features in SNS 4.1.1

Option to disable stealth mode

Stealth mode has been enhanced with the possibility of disabling it and allowing responses to ICMP requests (option Enable stealth mode in the Application protection > Protocols > IP protocols > IP module > Global configuration tab).

This option allows the firewall to be integrated more easily into existing infrastructures by moderating stealth mode on the firewall, and also prevents packets from being silently ignored. For example, the firewall can adopt the role of a device visible on the network when:

  • A packet exceeds the MTU and has a DF bit set to 1 (dfbit=1): the firewall blocks the packet and sends a response ICMP packet.

  • A packet passes through the firewall correctly: the firewall decrements the TTL ("Time To Live").

The value of this option, defined in the configuration of the IPS engine’s IP protocol processes, replaces the former configuration methods based on the sysctl commands net.inet.ip.icmpreply=1 and net.inet.ip.stealth=0.
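The two cases listed above are the standard IPv4 forwarding decisions that stealth mode otherwise hides. The following Go program is an added illustration, not Stormshield code: it models an IP module that either answers with the appropriate ICMP error (ICMP type 3 code 4 "fragmentation needed" for an oversize DF=1 packet; it also covers the related TTL-expiry case, ICMP type 11, which the note does not mention) or, with stealth enabled, drops the packet silently, and it decrements the TTL and recomputes the header checksum on the packets it forwards. The packet builder and the addresses in it are constructed test data; fragmentation of DF=0 packets is deliberately not modelled.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// ICMP type/code values from RFC 792 and RFC 1191.
const (
	icmpDestUnreachable = 3
	icmpFragNeeded      = 4 // code under type 3: "fragmentation needed and DF set"
	icmpTimeExceeded    = 11
	icmpTTLExpired      = 0 // code under type 11: "TTL exceeded in transit"
)

// Decision records what the modelled IP module did with one packet.
type Decision struct {
	Forwarded bool  // packet leaves the firewall with TTL decremented
	ICMPType  uint8 // ICMP error the situation calls for (valid when !Forwarded)
	ICMPCode  uint8
	ICMPSent  bool // false when stealth mode swallowed the error silently
}

// ipv4Checksum computes the RFC 1071 one's-complement checksum of an IPv4 header.
// Over a header whose checksum field is already filled in, it returns 0.
func ipv4Checksum(hdr []byte) uint16 {
	var sum uint32
	for i := 0; i+1 < len(hdr); i += 2 {
		sum += uint32(binary.BigEndian.Uint16(hdr[i : i+2]))
	}
	for sum>>16 != 0 {
		sum = (sum & 0xffff) + (sum >> 16)
	}
	return ^uint16(sum)
}

// ForwardIPv4 models the IP module's handling of one IPv4 packet on an
// outgoing link with the given MTU. With stealth enabled, ICMP errors are
// suppressed; with it disabled, they are emitted (ICMPSent reports which).
// Fragmentation of DF=0 packets is outside this model and returns an error.
func ForwardIPv4(pkt []byte, mtu int, stealth bool) (Decision, []byte, error) {
	if len(pkt) < 20 || pkt[0]>>4 != 4 {
		return Decision{}, nil, errors.New("not an IPv4 packet")
	}
	ihl := int(pkt[0]&0x0f) * 4
	if ihl < 20 || ihl > len(pkt) {
		return Decision{}, nil, fmt.Errorf("bad header length %d", ihl)
	}
	if ipv4Checksum(pkt[:ihl]) != 0 {
		return Decision{}, nil, errors.New("bad header checksum")
	}
	df := pkt[6]&0x40 != 0 // DF is bit 0x40 of the flags/fragment-offset field

	if len(pkt) > mtu {
		if !df {
			return Decision{}, nil, errors.New("fragmentation not modelled")
		}
		// "A packet exceeds the MTU and has DF set": block it, and answer with
		// ICMP "fragmentation needed" unless stealth mode hides the firewall.
		return Decision{ICMPType: icmpDestUnreachable, ICMPCode: icmpFragNeeded, ICMPSent: !stealth}, nil, nil
	}
	ttl := pkt[8]
	if ttl <= 1 {
		// Decrementing would reach zero: drop, and report "time exceeded"
		// (what traceroute relies on) unless stealth mode hides the firewall.
		return Decision{ICMPType: icmpTimeExceeded, ICMPCode: icmpTTLExpired, ICMPSent: !stealth}, nil, nil
	}
	// "A packet passes through correctly": decrement TTL and fix the checksum.
	out := append([]byte(nil), pkt...)
	out[8] = ttl - 1
	out[10], out[11] = 0, 0
	binary.BigEndian.PutUint16(out[10:12], ipv4Checksum(out[:ihl]))
	return Decision{Forwarded: true}, out, nil
}

// makeIPv4 builds a constructed test packet (20-byte header plus zero payload bytes).
func makeIPv4(payloadLen int, ttl uint8, df bool) []byte {
	p := make([]byte, 20+payloadLen)
	p[0] = 0x45 // version 4, IHL 5
	binary.BigEndian.PutUint16(p[2:4], uint16(len(p)))
	if df {
		p[6] = 0x40
	}
	p[8] = ttl
	p[9] = 6                                 // TCP, arbitrary
	copy(p[12:16], []byte{192, 0, 2, 10})    // RFC 5737 documentation addresses
	copy(p[16:20], []byte{198, 51, 100, 20}) // (constructed sample values)
	binary.BigEndian.PutUint16(p[10:12], ipv4Checksum(p[:20]))
	return p
}

func main() {
	for _, stealth := range []bool{true, false} {
		d, _, _ := ForwardIPv4(makeIPv4(1600, 64, true), 1500, stealth)
		fmt.Printf("stealth=%v oversize DF packet: icmp %d/%d sent=%v\n", stealth, d.ICMPType, d.ICMPCode, d.ICMPSent)
	}
	d, out, _ := ForwardIPv4(makeIPv4(100, 64, true), 1500, true)
	fmt.Printf("normal packet forwarded=%v ttl=%d\n", d.Forwarded, out[8])
}
```

The ICMPSent flag is the whole point of the option: with stealth on, the sender of an oversize DF packet never learns why its traffic disappears (path MTU discovery stalls), which is exactly the silent-drop behaviour the release note says can now be moderated.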

Intrusion prevention

Filtering and analysis of IEC61850 protocols

SNS version 4.1 supports the IEC61850 protocol analysis (MMS, Goose and SV) and verifies the compliance of IEC61850 packets that pass through the firewall.

These protocols are used mainly in electricity transmission infrastructures to control, supervise and monitor electrical controllers.

RDP protocol

The protocol analysis for RDP traffic has been improved.

HTTP

Protocols derived from HTTP report a specific alarm (alarm 732 "HTTP: invalid upgrade protocol stack") that allows the user to configure alarms and filters more granularly for these protocols.

DHCP client

New DHCP options (60 [vendor-class-identifier], 77 [user-class] and 90 [authsend]) allow SNS firewalls to authenticate on networks of telecoms operators that offer VLAN services. SNS firewalls can therefore be integrated into the operator's network without the need for the PPPoE connection mode.

These options can only be modified through the CLI / Serverd command:

config network interface update ifname=xxx DHCPVendorClassId="aaa" DHCPUserClass="bbb" DHCPAuthsend="ccc"
config network interface activate

These commands are explained in detail in the CLI SERVERD Commands Reference Guide.
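To see what the three options above look like on the wire, and to check them in a capture of the firewall's DHCP requests, the following Go program is an added example (not Stormshield code): it encodes and decodes the DHCP options field in its RFC 2132 TLV form, with bounds checks against truncated or over-long options. The values "aaa", "bbb" and "ccc" are the placeholders from the command above; they are carried as opaque byte strings, which is an assumption (RFC 3004 allows sub-structure inside option 77 and RFC 3118 defines a binary layout for option 90, neither of which is modelled here).

```go
package main

import (
	"errors"
	"fmt"
)

// DHCP option codes: RFC 2132 (0, 60, 255), RFC 3004 (77) and RFC 3118 (90).
const (
	optPad            = 0
	optVendorClassID  = 60
	optUserClass      = 77
	optAuthentication = 90
	optEnd            = 255
)

// Option is one code/value pair of the DHCP options field.
type Option struct {
	Code  uint8
	Value []byte
}

// EncodeOptions serialises options in RFC 2132 TLV form and terminates the
// list with the End option. Each value must fit a one-byte length.
func EncodeOptions(opts []Option) ([]byte, error) {
	var out []byte
	for _, o := range opts {
		if o.Code == optPad || o.Code == optEnd {
			return nil, fmt.Errorf("option %d has no value and cannot be listed", o.Code)
		}
		if len(o.Value) > 255 {
			return nil, fmt.Errorf("option %d value is %d bytes, max 255", o.Code, len(o.Value))
		}
		out = append(out, o.Code, uint8(len(o.Value)))
		out = append(out, o.Value...)
	}
	return append(out, optEnd), nil
}

// DecodeOptions parses a DHCP options field, skipping Pad bytes and stopping
// at End. Truncated options are rejected rather than read past the buffer.
func DecodeOptions(b []byte) ([]Option, error) {
	var opts []Option
	for i := 0; i < len(b); {
		switch b[i] {
		case optPad:
			i++
			continue
		case optEnd:
			return opts, nil
		}
		if i+1 >= len(b) {
			return nil, errors.New("truncated option header")
		}
		n := int(b[i+1])
		if i+2+n > len(b) {
			return nil, fmt.Errorf("option %d claims %d bytes beyond the buffer", b[i], n)
		}
		opts = append(opts, Option{Code: b[i], Value: append([]byte(nil), b[i+2:i+2+n]...)})
		i += 2 + n
	}
	return nil, errors.New("options field is missing the End option")
}

// Lookup returns the value of the first option with the given code.
func Lookup(opts []Option, code uint8) ([]byte, bool) {
	for _, o := range opts {
		if o.Code == code {
			return o.Value, true
		}
	}
	return nil, false
}

// OperatorOptions builds the three options the release note describes.
// Values are treated as opaque byte strings (assumption, see lead-in).
func OperatorOptions(vendorClass, userClass, auth string) []Option {
	return []Option{
		{Code: optVendorClassID, Value: []byte(vendorClass)},
		{Code: optUserClass, Value: []byte(userClass)},
		{Code: optAuthentication, Value: []byte(auth)},
	}
}

func main() {
	raw, err := EncodeOptions(OperatorOptions("aaa", "bbb", "ccc"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("wire bytes: % x\n", raw)
	opts, err := DecodeOptions(raw)
	if err != nil {
		panic(err)
	}
	for _, o := range opts {
		fmt.Printf("option %3d = %q\n", o.Code, o.Value)
	}
}
```

Running it shows the sequence 3c 03 61 61 61 4d 03 62 62 62 5a 03 63 63 63 ff, which is what to look for in the options section of a captured DHCPDISCOVER/DHCPREQUEST when verifying that the configured values actually reach the operator's network.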

Update

The hash algorithm of firmware update files has been changed to comply with the highest standards.

New SNi20 firewall models

Compatibility

Version 4.1.0 of the firmware ensures compatibility with new SNi20 industrial firewalls.

In order to ensure service continuity in an industrial setting, the SNi20 firewall is equipped with a hardware bypass function, which when enabled, allows network traffic to pass through in the event of a power outage or appliance breakdown.

Hardware-based security for VPN secrets

SNi20 firewalls are equipped with a trusted platform module (TPM) that secures VPN secrets. With the TPM, a level of security can be added to SNi20 appliances that act as VPN concentrators, which may not necessarily be physically secure. Support for this module begins with this version 4.1.0.

SNi20 and SNi40 model firewalls

Link aggregation

Link aggregation (LACP) is now supported on SNi20 and SNi40 firewall models starting from version 4.1.0.

Network loop management protocols

RSTP and MSTP network loop management protocols are now supported on SNi20 and SNi40 firewall models starting from version 4.1.0.

Serverd

To reduce the attack surface on SNS, the Serverd service can be configured to listen only on the firewall's loopback address. This behavior is enabled by default on firewalls in factory configuration, and can only be modified with the command:

CONFIG CONSOLE SERVERDLOOPBACK state=0/1

These commands are explained in detail in the CLI SERVERD Commands Reference Guide.

IPsec VPN mobile peers

Multiple mobile policies can now be supported simultaneously when peers are distinguished by their logins (ID). These policies can be added in Configuration > VPN > IPsec VPN, Peers tab.

Using the peer’s login (ID) also makes it possible to change the VPN configuration of a particular mobile peer distinguished by its login, without affecting the tunnels of other mobile peers.

Admin account

To change the password of the admin user (super administrator), the old password now needs to be entered as well.

IPsec VPN and LDAP groups

During IPsec VPN connections via SSO authentication, the firewall now retrieves the groups associated with users added from the LDAP, so that these groups can be used in filter rules.

SSL VPN and certificates

To authenticate peers (client or server) in TLS, Stormshield firewalls now only accept certificates that have the Key Usage field with the “ServerAuth” attribute, i.e., certificates that comply with X509 v3.
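The check described above, a certificate being accepted for TLS peer authentication only if it is X.509 v3 and carries the ServerAuth attribute (the id-kp-serverAuth value of the Extended Key Usage extension), can be reproduced with Go's standard library. The program below is an added example and not Stormshield code; it generates a constructed self-signed P-256 certificate with either the serverAuth or the clientAuth usage and applies the check to each. The subject name is a placeholder, and the decision not to accept anyExtendedKeyUsage as a substitute is this example's own choice.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// HasServerAuth reports whether the certificate's Extended Key Usage
// extension lists id-kp-serverAuth. anyExtendedKeyUsage is deliberately
// not accepted: the rule being modelled wants the attribute to be explicit.
func HasServerAuth(cert *x509.Certificate) bool {
	for _, eku := range cert.ExtKeyUsage {
		if eku == x509.ExtKeyUsageServerAuth {
			return true
		}
	}
	return false
}

// CheckPeerCertificate parses a DER certificate and applies the two
// conditions named in the release note: X.509 v3, and ServerAuth present.
func CheckPeerCertificate(der []byte) error {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return fmt.Errorf("parse: %w", err)
	}
	if cert.Version != 3 {
		return fmt.Errorf("certificate is X.509 v%d, v3 required", cert.Version)
	}
	if !HasServerAuth(cert) {
		return errors.New("certificate lacks the ServerAuth extended key usage")
	}
	return nil
}

// selfSignedDER makes a constructed, self-signed ECDSA P-256 certificate
// for demonstration; withServerAuth selects which EKU it carries.
func selfSignedDER(withServerAuth bool) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	eku := x509.ExtKeyUsageClientAuth
	if withServerAuth {
		eku = x509.ExtKeyUsageServerAuth
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "sslvpn.example.test"}, // placeholder name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{eku},
		BasicConstraintsValid: true,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

func main() {
	for _, ok := range []bool{true, false} {
		der, err := selfSignedDER(ok)
		if err != nil {
			panic(err)
		}
		fmt.Printf("serverAuth=%v -> %v\n", ok, CheckPeerCertificate(der))
	}
}
```

A certificate issued for client use only (clientAuth) or an old v1 certificate with no extensions at all is rejected by this check, which is the practical consequence of the change: SSL VPN peers whose certificates were issued without an explicit ServerAuth usage must be re-issued.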

Certification authorities (CAs) and global certificates

Global certificates and certification authorities are now shown and identified as such when the option Display global policies (Network objects, Certificates, Filtering, NAT and IPsec VPN) is enabled in the Preferences module.

Certificates and PKI

When a certificate is imported in p12 format, the type of certificate (server or user certificate) is now automatically detected.

Certificate enrollment

Stormshield firewalls now support the EST (Enrollment over Secure Transport) certificate enrollment protocol, whose distinguishing feature is that it carries its requests over HTTPS, i.e., secured by the TLS protocol.

The following operations can be performed when EST is set up on Stormshield firewalls:

  • Distribution of the public key of the certification authority (CA) that signs certificates,
  • Certificate creation or renewal requests by the PKI administrator,
  • Certificate creation or renewal requests by the certificate holder (enrollment).

The existing certificate can directly authenticate renewal requests, which no longer require a password, if the EST server allows it.

These operations can only be performed using CLI / serverd commands that begin with:

PKI EST

For more information on the syntax of these commands, refer to the CLI SERVERD Commands Reference Guide.

Certificates generation

Certificates can now be generated with new and more efficient algorithms that use elliptic curve cryptography. The following CLI / Serverd commands now offer the options of SECP, Brainpool and RSA:

PKI CA CREATE

PKI CERTIFICATE CREATE

PKI REQUEST CREATE

PKI CA CONFIG UPDATE

The size parameter in these commands also needs to be set. Its value must correspond to the selected algorithm:

Algorithm   Sizes allowed
RSA         768, 1024, 1536, 2048 or 4096
SECP        256, 384 or 521
Brainpool   256, 384 or 512

For more information on the syntax of these commands, refer to the CLI SERVERD Commands Reference Guide.

High availability

LACP link aggregation

On firewalls containing LACP aggregates, a weight can now be assigned to each interface in the aggregate to calculate the quality of high availability.

Assign the value 1 to the new LACPMembersHaveWeight parameter in the following CLI / Serverd commands:

CONFIG HA CREATE

CONFIG HA UPDATE

This will display the interfaces of the aggregate in the Impact of the unavailability of an interface on a firewall's quality indicator table in the High availability module of the web administration interface.

Without these commands, the default behavior remains the same: the aggregate will be considered a single interface, and the cluster will switch only when all the interfaces in the aggregate are lost.

For more information on the syntax of these commands, refer to the CLI SERVERD Commands Reference Guide.

High availability monitoring via SMC

Monitoring of firewalls configured in high availability is now optimized and retrieves the value of the System node name field.

Loss of network modules

The health status calculation that determines the switch from one node to another in a cluster has been enhanced so that the system will recognize the loss of network modules more easily, even after the firewall is restarted.

NAT rules with ARP publication

In high availability configurations, firewalls may send a Gratuitous ARP (GARP) for all their interfaces in order to maintain traffic routing, so that the network can be informed whenever the location of a MAC address changes.

This operating mode has been improved so that, during a switch, a series of Gratuitous ARPs (GARP) is sent for all virtual IP addresses published via ARP by a NAT rule.

Authentication

New SN SSO Agent for Linux

A new Linux-based SN SSO Agent supports directories that run on non-Windows systems, such as Samba 4. It can be configured in the Authentication module of the web administration interface, and it detects user authentications from logs exported via Syslog; these exported logs are filtered by regular expressions configured beforehand in the interface.

For more information on the configuration and operation of the SN SSO Agent for Linux, refer to the technical note SSO Agent for Linux.

SSO Agent - Syslog

Backup syslog servers can now be configured for the SSO agent authentication method.

Temporary accounts

The password that the firewall automatically generates when a temporary account is created (User > Temporary accounts) now meets the minimum password length required in the firewall’s password policy (module System > Configuration > General configuration tab).

LDAP

Backup LDAP servers can now be configured on ports other than the main LDAP server port.

SN6100 firewall - Performance

The configuration of memory occupation has been optimized on the IPS engine of SN6100 appliances.
Details on the performance of SN6100 firewall models are provided in the SN6100 Network Security datasheet.

SNS - SMC synchronization

The synchronization of SNS with SMC has been enhanced to allow smoother data exchange between both products, especially during direct access to the firewall administration interface from SMC.

NTP client

The interface that NTP requests go through can now be configured. The time synchronization daemon on an SNS firewall previously made such requests go through the default interface.

This new parameter can only be modified through the CLI / Serverd command:

CONFIG NTP SERVER ADD name=<hostname|groupname> bindaddr=<Firewall_obj>

For more information on the syntax of this command, refer to the CLI Serverd Commands Reference Guide.

Network objects

Address range objects now make it possible to configure MAC address ranges.

SSL proxy

The keys generated by the SSL proxy now use the same encryption algorithms as the SSL proxy's certification authority, instead of the algorithms defined by default.

Configuration backups

The algorithm used to derive the passwords that protect configuration backups has been updated to comply with the highest standards.

System

The kernel's random number generator has been upgraded and is now based on a faster, more robust algorithm.

Initial configuration via USB

Bird dynamic routing

Dynamic routing can now be configured by importing bird.conf configuration files for IPv4 and bird6.conf configuration files for IPv6. The CSV format of the command file has also been enriched for this purpose.

For further information regarding the preparation of .bird and .bird6 files, refer to the technical note Initial configuration via USB key.

setconf operation

In an initial configuration via USB key, the setconf command offers a new feature that allows writing lines in sections in addition to writing values in keys (tokens). The CSV format of the command file has been enriched for this purpose.

For further information regarding the setconf command, refer to the technical note Initial configuration via USB key.

New sethostname operation

A new sethostname operation has been added to the initial configuration via USB key, and makes it possible to set the firewall's host name. The CSV format of the command file has been enriched for this purpose.

For further information regarding the sethostname operation, refer to the technical note Initial configuration via USB key.

Dashboard

SSO agents and syslog servers are now monitored, and their statuses shown in the dashboard.

LDAP directories

Secure connections to internal LDAP directories are now based on the standard TLS 1.2 protocol.

Exclusion of the proxy for automatic backups

Automatic backups can now be configured to avoid going through the proxy set on the firewall.

This new parameter can only be modified through the CLI / Serverd command:

CONFIG AUTOBACKUP SET

For more information on the syntax of this command, refer to the CLI Serverd Commands Reference Guide.

Web administration interface

System node name

A system node name can now be defined for the firewall (Configuration > General configuration > Advanced properties tab).

This name is particularly useful in high availability configurations, as it easily identifies the member of the cluster on which you are connected when you open a session in console mode, for example.

When this system node name is configured, it appears in parentheses in the upper banner of the web administration interface, after the name of the firewall.

Filter - NAT - HTTP cache feature

The HTTP cache function can no longer be used in filter rules.

If a firewall used this function in an earlier firmware version, it will automatically be disabled when it is upgraded to version 4.1.0 or higher.

Regular CRL retrieval

The IP address presented by the firewall can now be specified for Regular retrieval of certificate revocation lists (CRL).

This address can only be configured through the CLI / Serverd command:

PKI CONFIG UPDATE CHECKBINDADDR=ip_address

For more information on the syntax of this command, refer to the CLI Serverd Commands Reference Guide.