New features in SNS 4.1.1
Option to disable stealth mode
Stealth mode can now be disabled so that the firewall answers ICMP requests (option Enable stealth mode in the Application protection > Protocols > IP protocols > IP module > Global configuration tab).
Disabling stealth mode makes the firewall easier to integrate into existing infrastructures and prevents packets from being silently dropped. With stealth mode disabled, the firewall behaves as a device visible on the network, for example:
- when a packet exceeds the MTU and has the DF bit set to 1 (dfbit=1): the firewall blocks the packet and sends an ICMP error to the sender;
- when a packet passes through the firewall correctly: the firewall decrements the TTL ("Time To Live").
The value of this option, defined in the configuration of the IPS engine's IP protocol processing, replaces the former configuration method based on the sysctl settings net.inet.ip.icmpreply=1 and net.inet.ip.stealth=0.
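As an added illustration of the two behaviours listed above (this is not code from the Stormshield release or product), the following Python builds and parses the ICMP messages involved: a Destination Unreachable / Fragmentation Needed error (type 3, code 4, carrying the next-hop MTU) for the DF case, and Time Exceeded (type 11, code 0) for the TTL case. The IPv4 packet is constructed; the message layouts and checksum follow RFC 792, RFC 1071 and RFC 1191.

```python
import struct

# Added example, not Stormshield code: the two ICMP error messages a
# non-stealth firewall emits in the situations listed above (RFC 792, RFC 1191).
ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED = 3, 4      # "Fragmentation Needed and DF was Set"
ICMP_TIME_EXCEEDED, ICMP_TTL_EXCEEDED = 11, 0   # "Time to Live exceeded in Transit"


def icmp_checksum(data: bytes) -> int:
    """RFC 1071: one's-complement sum of 16-bit words, then complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def df_bit_set(ipv4_header: bytes) -> bool:
    """Bit 14 of the flags/fragment-offset word is DF (Don't Fragment)."""
    flags_frag = struct.unpack("!H", ipv4_header[6:8])[0]
    return bool(flags_frag & 0x4000)


def build_icmp_error(icmp_type: int, code: int, original: bytes, next_hop_mtu: int = 0) -> bytes:
    """ICMP error layout: type(1) code(1) checksum(2) unused(2) next-hop MTU(2),
    followed by the offending packet's IPv4 header and its first 8 payload bytes.
    The MTU field is only meaningful for type 3 / code 4."""
    header = struct.pack("!BBHHH", icmp_type, code, 0, 0, next_hop_mtu)
    body = header + original[:28]
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]


def parse_icmp_error(data: bytes) -> dict:
    """Decode an ICMP error; checksum_ok is True when the whole message sums to zero."""
    icmp_type, code, _csum, _unused, mtu = struct.unpack("!BBHHH", data[:8])
    frag_needed = (icmp_type, code) == (ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED)
    return {
        "type": icmp_type,
        "code": code,
        "checksum_ok": icmp_checksum(data) == 0,
        "next_hop_mtu": mtu if frag_needed else None,
        "quoted_header": data[8:28],
    }


def sample_oversized_packet(total_length: int) -> bytes:
    """Constructed IPv4 packet with DF set, standing in for a packet the
    firewall refused to forward because it exceeds the next-hop MTU."""
    ip_header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, total_length, 0x1234, 0x4000, 64, 17, 0,
        bytes([10, 0, 0, 5]), bytes([192, 0, 2, 10]),
    )
    return ip_header + bytes(total_length - 20)


if __name__ == "__main__":
    pkt = sample_oversized_packet(1600)
    if df_bit_set(pkt):
        msg = build_icmp_error(ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, pkt, next_hop_mtu=1500)
        print(parse_icmp_error(msg))
    print(parse_icmp_error(build_icmp_error(ICMP_TIME_EXCEEDED, ICMP_TTL_EXCEEDED, pkt)))
```

The parser can be run over ICMP payloads captured on a client to confirm the new behaviour. The practical caveat is the reverse case: with stealth mode enabled, no type 3 / code 4 message comes back, so hosts that rely on path MTU discovery for DF-set traffic see a black hole rather than an error. Disabling stealth mode restores that signal, but it also makes the firewall appear as a hop in traceroute.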
Intrusion prevention
Filtering and analysis of IEC61850 protocols
SNS version 4.1 supports the analysis of IEC61850 protocols (MMS, GOOSE and SV) and verifies the compliance of IEC61850 packets that pass through the firewall.
These protocols are used mainly in infrastructures that transport electricity, to control, oversee and monitor electrical equipment.
RDP protocol
The protocol analysis for RDP traffic has been improved.
HTTP
Protocols derived from HTTP report a specific alarm (alarm 732 "HTTP: invalid upgrade protocol stack") that allows the user to configure alarms and filters more granularly for these protocols.
DHCP client
New DHCP options (60 [vendor-class-identifier], 77 [user-class] and 90 [authsend]) allow SNS firewalls to authenticate on networks of telecoms operators that offer VLAN services. SNS firewalls can therefore be integrated into the operator's network without the need for the PPPoE connection mode.
These options can only be modified through the CLI / Serverd command:
config network interface update ifname=xxx DHCPVendorClassId="aaa" DHCPUserClass="bbb" DHCPAuthsend="ccc"
config network interface activate
These commands are explained in detail in the CLI SERVERD Commands Reference Guide.
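As an added example (not Stormshield code and not the firewall's DHCP client), the following Python shows the on-the-wire form that the DHCPVendorClassId and DHCPUserClass values above take in a DHCP message, i.e. what the operator's DHCP server actually receives: option 60 is an opaque string (RFC 2132) and option 77 is a list of length-prefixed class names (RFC 3004). The vendor class "SNS-SNi20" and the user classes are constructed values, not defaults of the product.

```python
# Added example, not Stormshield code: the on-the-wire form (RFC 2132 TLVs) of
# the two identifier options above, as seen by the operator's DHCP server.
DHCP_VENDOR_CLASS_ID = 60   # RFC 2132 9.13: opaque string
DHCP_USER_CLASS = 77        # RFC 3004: list of length-prefixed class names
DHCP_AUTHENTICATION = 90    # RFC 3118: keyed authentication, not decoded here
DHCP_END = 0xFF


def encode_vendor_class(vendor_class: str) -> bytes:
    data = vendor_class.encode("ascii")
    return bytes([DHCP_VENDOR_CLASS_ID, len(data)]) + data


def encode_user_class(classes) -> bytes:
    """RFC 3004 form: option data is a sequence of (length, text) items."""
    items = b"".join(bytes([len(c)]) + c.encode("ascii") for c in classes)
    return bytes([DHCP_USER_CLASS, len(items)]) + items


def parse_options(data: bytes) -> dict:
    """Walk the options field: code, length, value ... until the end marker."""
    opts, i = {}, 0
    while i < len(data) and data[i] != DHCP_END:
        if data[i] == 0:            # pad option has no length byte
            i += 1
            continue
        code, length = data[i], data[i + 1]
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def decode_user_class(value: bytes):
    """Decode option 77. RFC 3004 sub-items are length-prefixed, but some
    clients send the class as a single raw string; fall back to that reading
    when the sub-lengths do not tile the value exactly."""
    items, i = [], 0
    while i < len(value):
        n = value[i]
        if n == 0 or i + 1 + n > len(value):
            return [value.decode("ascii", "replace")]
        items.append(value[i + 1:i + 1 + n].decode("ascii", "replace"))
        i += 1 + n
    return items


if __name__ == "__main__":
    # Constructed values standing in for the "aaa"/"bbb" placeholders above.
    wire = (encode_vendor_class("SNS-SNi20")
            + encode_user_class(["operator-vlan", "site-A"])
            + bytes([DHCP_END]))
    opts = parse_options(wire)
    print(opts[DHCP_VENDOR_CLASS_ID], decode_user_class(opts[DHCP_USER_CLASS]))
```

Options 60 and 77 travel in clear text and can be sent by any host on the segment, so on their own they identify the client rather than authenticate it; only option 90 (RFC 3118) carries a keyed authentication payload. An operator assigning VLANs on the basis of 60/77 alone is trusting an unauthenticated string.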
Update
The hash algorithm of firmware update files has been changed to comply with the highest standards.
New SNi20 firewall models
Compatibility
Version 4.1.0 of the firmware ensures compatibility with new SNi20 industrial firewalls.
In order to ensure service continuity in an industrial setting, the SNi20 firewall is equipped with a hardware bypass function which, when enabled, allows network traffic to pass through (unfiltered) in the event of a power outage or appliance breakdown.
Hardware-based security for VPN secrets
SNi20 firewalls are equipped with a trusted platform module (TPM) that secures VPN secrets. With the TPM, a level of security can be added to SNi20 appliances that act as VPN concentrators, which may not necessarily be physically secure. Support for this module begins with this version 4.1.0.
SNi20 and SNi40 model firewalls
Link aggregation
Link aggregation (LACP) is now supported on SNi20 and SNi40 firewall models starting from version 4.1.0.
Network loop management protocols
RSTP and MSTP network loop management protocols are now supported on SNi20 and SNi40 firewall models starting from version 4.1.0.
Serverd
To reduce the attack surface of SNS, the Serverd service can be configured to listen only on the firewall's loopback address. This behavior is enabled by default on firewalls in factory configuration and can only be modified with the command:
CONFIG CONSOLE SERVERDLOOPBACK state=0/1
These commands are explained in detail in the CLI SERVERD Commands Reference Guide.
IPsec VPN mobile peers
Multiple mobile policies can now be supported simultaneously when peers are distinguished by their logins (ID). These policies can be added in Configuration > VPN > IPsec VPN, Peers tab.
Using the peer’s login (ID) also makes it possible to change the VPN configuration of a particular mobile peer distinguished by its login, without affecting the tunnels of other mobile peers.
Admin account
To change the password of the admin user (super administrator), the old password now needs to be entered as well.
IPsec VPN and LDAP groups
During IPsec VPN connections with SSO authentication, the firewall now retrieves the groups associated with users from the LDAP directory, so that these groups can be used in filter rules.
SSL VPN and certificates
To authenticate peers (client or server) in TLS, Stormshield firewalls now only accept certificates whose Extended Key Usage extension includes the "serverAuth" purpose (id-kp-serverAuth), i.e., X.509 v3 certificates that carry this extension.
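As an added example (not Stormshield code, and not how the firewall implements the check), the following Python walks a DER-encoded X.509 v3 Extensions SEQUENCE, finds the Extended Key Usage extension (OID 2.5.29.37, RFC 5280 section 4.2.1.12) and reports whether id-kp-serverAuth (1.3.6.1.5.5.7.3.1) is present. The extensions it tests against are constructed in the same block; the encoding rules are standard DER.

```python
# Added example, not Stormshield code: a minimal DER walk over an X.509 v3
# Extensions SEQUENCE (RFC 5280 4.2.1.12) that finds Extended Key Usage and
# checks for id-kp-serverAuth, the purpose the firewall now requires.
EKU_EXT_OID = "2.5.29.37"
ID_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
ID_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"


def der_read_tlv(data: bytes, pos: int):
    """Return (tag, content, next_pos) for the definite-length TLV at pos."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long form: 0x8n then n length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def der_length(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def oid_to_der(oid: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, then base-128 arcs."""
    arcs = [int(a) for a in oid.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(chunk)
    return b"\x06" + der_length(len(out)) + bytes(out)


def oid_from_der(content: bytes) -> str:
    arcs, acc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def der_sequence(*items: bytes) -> bytes:
    body = b"".join(items)
    return b"\x30" + der_length(len(body)) + body


def build_extensions(eku_oids, critical: bool = False) -> bytes:
    """Constructed Extensions holding one EKU extension. Extension ::= SEQUENCE
    { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }."""
    eku = der_sequence(*(oid_to_der(o) for o in eku_oids))
    extn_value = b"\x04" + der_length(len(eku)) + eku
    crit = b"\x01\x01\xff" if critical else b""
    return der_sequence(der_sequence(oid_to_der(EKU_EXT_OID), crit, extn_value))


def extended_key_usages(extensions_der: bytes):
    """List of EKU purpose OIDs, or None when the extension is absent."""
    _, exts, _ = der_read_tlv(extensions_der, 0)
    pos = 0
    while pos < len(exts):
        _, ext, pos = der_read_tlv(exts, pos)
        _, oid_bytes, p = der_read_tlv(ext, 0)
        if oid_from_der(oid_bytes) != EKU_EXT_OID:
            continue
        tag, content, p = der_read_tlv(ext, p)
        if tag == 0x01:                     # explicit 'critical' BOOLEAN, skip it
            tag, content, p = der_read_tlv(ext, p)
        _, purposes, _ = der_read_tlv(content, 0)   # OCTET STRING wraps SEQUENCE OF OID
        oids, q = [], 0
        while q < len(purposes):
            _, oid_bytes, q = der_read_tlv(purposes, q)
            oids.append(oid_from_der(oid_bytes))
        return oids
    return None


def acceptable_for_tls(extensions_der: bytes) -> bool:
    """The rule described above: accept only if EKU is present and lists serverAuth."""
    ekus = extended_key_usages(extensions_der)
    return ekus is not None and ID_KP_SERVER_AUTH in ekus
```

Against a real certificate file the equivalent check is `openssl x509 -in cert.pem -noout -ext extendedKeyUsage` (OpenSSL 1.1.1 or later): a certificate that prints no EKU, or lists only clientAuth, is the kind the firewall now refuses for TLS peer authentication. Note that EKU is distinct from the Key Usage extension (2.5.29.15), which carries bit flags such as digitalSignature and keyEncipherment rather than purposes.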
Certification authorities (CAs) and global certificates
Global certificates and certification authorities are now shown and identified as such when the option Display global policies (Network objects, Certificates, Filtering, NAT and IPsec VPN) is enabled in the Preferences module.
Certificates and PKI
When a certificate is imported in p12 format, the type of certificate (server or user certificate) is now automatically detected.
Certificate enrollment
Stormshield firewalls now support the EST (Enrollment over Secure Transport, RFC 7030) certificate enrollment protocol, which is distinguished by its use of HTTPS requests, i.e., HTTP secured by TLS.
The following operations can be performed when EST is set up on Stormshield firewalls:
- Distribution of the public key of the certification authority (CA) that signs certificates,
- Certificate creation or renewal requests by the PKI administrator,
- Certificate creation or renewal requests by the certificate holder (enrollment).
The existing certificate can directly authenticate renewal requests, which no longer require a password, if the EST server allows it.
These operations can only be performed using CLI / serverd commands that begin with:
PKI EST
For more information on the syntax of these commands, refer to the CLI SERVERD Commands Reference Guide.
Certificates generation
Certificates can now be generated with new and more efficient algorithms that use elliptic curve cryptography. The following CLI / Serverd commands now offer the options of SECP, Brainpool and RSA:
PKI CA CREATE
PKI CERTIFICATE CREATE
PKI REQUEST CREATE
PKI CA CONFIG UPDATE
The size parameter in these commands also needs to be set. Its value must correspond to the selected algorithm. RSA keys shorter than 2048 bits are considered weak and should not be used for new certificates; they remain available only for interoperability with legacy peers.
Algorithm | Sizes allowed
RSA | 768, 1024, 1536, 2048 or 4096
SECP | 256, 384 or 521
Brainpool | 256, 384 or 512
For more information on the syntax of these commands, refer to the CLI SERVERD Commands Reference Guide.
High availability
LACP link aggregation
On firewalls with LACP aggregates, a weight can now be assigned to each interface in the aggregate when calculating the high availability quality indicator.
Assign the value 1 to the new LACPMembersHaveWeight parameter in the following CLI / Serverd commands:
CONFIG HA CREATE
CONFIG HA UPDATE
This will display the interfaces of the aggregate in the Impact of the unavailability of an interface on a firewall's quality indicator table in the High availability module of the web administration interface.
Without this parameter, the default behavior remains the same: the aggregate is considered a single interface, and the cluster switches only when all the interfaces in the aggregate are lost.
For more information on the syntax of these commands, refer to the CLI SERVERD Commands Reference Guide.
High availability monitoring via SMC
Monitoring of firewalls configured in high availability has been optimized and now uses the value of the System node name field.
Loss of network modules
The health status calculation that determines the switch from one node to another in a cluster has been enhanced so that the system will recognize the loss of network modules more easily, even after the firewall is restarted.
NAT rules with ARP publication
In high availability configurations, firewalls may send a Gratuitous ARP (GARP) for all their interfaces in order to maintain traffic routing, so that the network is informed whenever the location of a MAC address changes.
This mechanism has been improved so that, during a switchover, a series of Gratuitous ARPs (GARP) is also sent for every virtual IP address published via ARP in a NAT rule (ARP publication).
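As an added example (not Stormshield code), the following Python recognises gratuitous ARP frames of the kind described above and tracks which MAC address each announced IP moves to, which is what an operator or a network monitor sees when a cluster fails over with published NAT addresses. The MAC addresses, the published address 192.0.2.1 and the capture are constructed; frame layouts follow RFC 826 and RFC 5227.

```python
import struct

# Added example, not Stormshield code: recognise gratuitous ARP frames such as
# those sent for published virtual IPs during an HA switchover, and track which
# MAC an IP moves to.
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6


def build_garp(mac: bytes, ip: bytes, reply: bool = True) -> bytes:
    """Constructed gratuitous ARP: sender and target protocol address are both
    the announced IP, sent to the broadcast MAC. The reply form carries the
    sender MAC as target hardware address; the request form (RFC 5227 ARP
    Announcement) leaves it zeroed."""
    op = ARP_REPLY if reply else ARP_REQUEST
    tha = mac if reply else b"\x00" * 6
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + mac + ip + tha + ip
    return BROADCAST + mac + struct.pack("!H", ETHERTYPE_ARP) + arp


def parse_arp(frame: bytes):
    """Return the ARP fields of an Ethernet frame, or None if it is not ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    _htype, _ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    p = 22
    sha, spa = frame[p:p + hlen], frame[p + hlen:p + hlen + plen]
    p += hlen + plen
    tha, tpa = frame[p:p + hlen], frame[p + hlen:p + hlen + plen]
    return {"op": op, "sha": sha, "spa": spa, "tha": tha, "tpa": tpa,
            "gratuitous": spa == tpa}      # an announcement, not a lookup


def ip_str(addr: bytes) -> str:
    return ".".join(str(b) for b in addr)


def track_owners(frames, owners: dict):
    """Replay frames through an IP -> MAC table and return (ip, old_mac, new_mac)
    for every gratuitous ARP that moves an IP to another MAC. A switchover
    produces exactly this for published NAT addresses; so does ARP poisoning,
    hence the new MAC should be correlated with the cluster members' own MACs."""
    events = []
    for frame in frames:
        arp = parse_arp(frame)
        if arp is None or not arp["gratuitous"]:
            continue
        ip, mac = ip_str(arp["spa"]), arp["sha"]
        previous = owners.get(ip)
        owners[ip] = mac
        if previous is not None and previous != mac:
            events.append((ip, previous.hex(":"), mac.hex(":")))
    return events


if __name__ == "__main__":
    # Constructed capture: active member announces the VIP, then the passive
    # member takes it over and announces it twice (reply form, then request form).
    active, passive = bytes.fromhex("001122334455"), bytes.fromhex("0011223344aa")
    vip = bytes([192, 0, 2, 1])
    capture = [build_garp(active, vip), build_garp(passive, vip),
               build_garp(passive, vip, reply=False)]
    print(track_owners(capture, {}))
```

For detection engineering the caveat runs the other way: ARP-spoofing rules that alert on an IP changing MAC will fire on every legitimate HA switchover, so the cluster's interface MACs need to be known to the monitor and the burst of GARPs for published addresses expected at failover time.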
Authentication
New SN SSO Agent for Linux
A new Linux-based SN SSO Agent supports directories that run on non-Windows systems, such as Samba 4. It is configured in the Authentication module of the web administration interface and detects authentications from logs exported via syslog; the exported logs are filtered by regular expressions configured beforehand in the interface.
For more information on the configuration and operation of the SN SSO Agent for Linux, refer to the technical note SSO Agent for Linux.
SSO Agent - Syslog
Backup syslog servers can now be configured for the SSO agent authentication method.
Temporary accounts
The password that the firewall automatically generates when a temporary account is created (User > Temporary accounts) now meets the minimum password length required in the firewall’s password policy (module System > Configuration > General configuration tab).
LDAP
Backup LDAP servers can now be configured on ports other than the main LDAP server port.
SN6100 firewall - Performance
Memory usage of the IPS engine on SN6100 appliances has been optimized.
Details on the performance of SN6100 firewall models are provided in the SN6100 Network Security datasheet.
SNS - SMC synchronization
The synchronization of SNS with SMC has been enhanced to allow smoother data exchange between both products, especially during direct access to the firewall administration interface from SMC.
NTP client
The interface that NTP requests go through can now be configured. The time synchronization daemon on an SNS firewall previously made such requests go through the default interface.
This new parameter can only be modified through the CLI / Serverd command:
CONFIG NTP SERVER ADD name=<hostname|groupname> bindaddr=<Firewall_obj>
For more information on the syntax of this command, refer to the CLI Serverd Commands Reference Guide.
Network objects
Address range objects now make it possible to configure MAC address ranges.
SSL proxy
Keys generated by the SSL proxy now use the same algorithms as the SSL proxy's certification authority instead of the default algorithms.
Configuration backups
The algorithm used to derive keys from the passwords that protect configuration backups has been updated to comply with the highest standards.
System
The kernel's random number generator has been upgraded and is now based on a faster, more robust algorithm.
Initial configuration via USB
Bird dynamic routing
Dynamic routing can now be configured by importing bird.conf configuration files for IPv4 and bird6.conf configuration files for IPv6. The CSV format of the command file has also been enriched for this purpose.
For further information regarding the preparation of .bird and .bird6 files, refer to the technical note Initial configuration via USB key.
setconf operation
In an initial configuration via USB key, the setconf command offers a new feature that allows writing lines in sections in addition to writing values in keys (tokens). The CSV format of the command file has been enriched for this purpose.
For further information regarding the setconf command, refer to the technical note Initial configuration via USB key.
New sethostname operation
A new sethostname operation has been added to the initial configuration via USB key, and makes it possible to set the firewall's host name. The CSV format of the command file has been enriched for this purpose.
For further information regarding the sethostname operation, refer to the technical note Initial configuration via USB key.
Dashboard
SSO agents and syslog servers are now monitored, and their statuses shown in the dashboard.
LDAP directories
Secure connections to internal LDAP directories are now based on the standard TLS 1.2 protocol.
Exclusion of the proxy for automatic backups
Automatic backups can now be configured to avoid going through the proxy set on the firewall.
This new parameter can only be modified through the CLI / Serverd command:
CONFIG AUTOBACKUP SET
For more information on the syntax of this command, refer to the CLI Serverd Commands Reference Guide.
Web administration interface
System node name
A system node name can now be defined for the firewall (Configuration > General configuration > Advanced properties tab).
This name is particularly useful in high availability configurations, as it easily identifies the member of the cluster on which you are connected when you open a session in console mode, for example.
When this system node name is configured, it appears in parentheses in the upper banner of the web administration interface, after the name of the firewall.
Filter - NAT - HTTP cache feature
The HTTP cache function can no longer be used in filter rules.
If a firewall used this function in an earlier firmware version, it will automatically be disabled when it is upgraded to version 4.1.0 or higher.
Regular CRL retrieval
The source IP address that the firewall presents during regular retrieval of certificate revocation lists (CRL) can now be specified.
This address can only be configured through the CLI / Serverd command:
PKI CONFIG UPDATE CHECKBINDADDR=ip_address
For more information on the syntax of this command, refer to the CLI Serverd Commands Reference Guide.