New features in SNS 4.3.3

SD-WAN and QoS

IMPORTANT

These are early access features.

You must refer to the Known issues and the Limitations and explanations on usage sections before enabling these features or before updating an existing QoS configuration to an SNS 4.3 version.

Selecting the best link

Specific criteria can now be configured to determine whether a WAN link meets the quality level appropriate for its type of traffic (VoIP, video, etc.).

To do so, for each type of traffic, you can define a Service Level Agreement (SLA) based on one or several thresholds from the following criteria:

  • Latency,

  • Jitter,

  • Packet loss.

As soon as one of these thresholds is exceeded, the firewall switches the traffic in question to another WAN link whose SLA status is compliant.

This configuration can be applied to standard traffic or encrypted communications.

Regardless of the type of traffic, a more general policy can also be configured so that all communications are automatically switched to a backup link when the quality of the main link is degraded.
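As an added illustration, not code from the release notes or from Stormshield, the following Python script models the selection logic described above: each type of traffic carries an SLA made of latency, jitter and packet loss thresholds, a link is compliant only when it fails none of them, and the general backup mode falls back to the backup link as soon as the main link is degraded. The link names, measurements and thresholds are constructed for the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Sla:
    """Thresholds for one type of traffic. None means the criterion is not part of the SLA."""
    max_latency_ms: Optional[float] = None
    max_jitter_ms: Optional[float] = None
    max_loss_pct: Optional[float] = None


@dataclass(frozen=True)
class LinkMetrics:
    """Latest measurements for one WAN link (constructed for the example)."""
    name: str
    latency_ms: float
    jitter_ms: float
    loss_pct: float


def sla_violations(link: LinkMetrics, sla: Sla) -> list[str]:
    """Return the SLA criteria the link currently fails (empty list = compliant)."""
    failed = []
    if sla.max_latency_ms is not None and link.latency_ms > sla.max_latency_ms:
        failed.append("latency")
    if sla.max_jitter_ms is not None and link.jitter_ms > sla.max_jitter_ms:
        failed.append("jitter")
    if sla.max_loss_pct is not None and link.loss_pct > sla.max_loss_pct:
        failed.append("packet loss")
    return failed


def select_link(links: list[LinkMetrics], sla: Sla) -> Optional[LinkMetrics]:
    """Return the first link, in priority order, that meets every threshold of the SLA.

    As soon as the preferred link exceeds any threshold, the next compliant
    link is chosen; None means no link currently satisfies the SLA.
    """
    for link in links:
        if not sla_violations(link, sla):
            return link
    return None


def select_with_backup(main: LinkMetrics, backup: LinkMetrics, sla: Sla) -> LinkMetrics:
    """The traffic-independent variant: keep the main link unless it is degraded.

    The backup link is used whenever the main link fails the SLA, even if the
    backup is degraded as well, so that traffic is never left without a route.
    """
    return main if not sla_violations(main, sla) else backup


# Constructed sample data, not real monitoring output.
VOIP_SLA = Sla(max_latency_ms=50.0, max_jitter_ms=10.0, max_loss_pct=0.5)
BULK_SLA = Sla(max_loss_pct=2.0)  # only packet loss matters for bulk transfers

LINKS = [
    LinkMetrics("fiber-wan1", latency_ms=12.0, jitter_ms=3.0, loss_pct=0.1),
    LinkMetrics("lte-wan2", latency_ms=45.0, jitter_ms=18.0, loss_pct=0.8),
    LinkMetrics("dsl-wan3", latency_ms=30.0, jitter_ms=6.0, loss_pct=0.3),
]
# The same links once the fiber link starts suffering from high latency.
DEGRADED_LINKS = [
    LinkMetrics("fiber-wan1", latency_ms=80.0, jitter_ms=3.0, loss_pct=0.1),
    LINKS[1],
    LINKS[2],
]


def demo() -> dict[str, Optional[str]]:
    """Show which link each traffic type would use before and after degradation."""
    def name(link: Optional[LinkMetrics]) -> Optional[str]:
        return link.name if link else None

    return {
        "voip_nominal": name(select_link(LINKS, VOIP_SLA)),
        "voip_degraded": name(select_link(DEGRADED_LINKS, VOIP_SLA)),
        "bulk_degraded": name(select_link(DEGRADED_LINKS, BULK_SLA)),
        "backup_mode": select_with_backup(DEGRADED_LINKS[0], DEGRADED_LINKS[1], VOIP_SLA).name,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two modes deliberately behave differently: the general backup mode always returns the backup link when the main link is degraded, whereas per-traffic selection returns None when no link satisfies the SLA. That second case is the one worth monitoring in the SD-WAN monitoring view, since it means the traffic has no link of acceptable quality at all.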

You can view the quality of your various links at any time from the firewall’s web administration interface.

For further information, refer to the sections Network objects - Router, Monitoring - SD-WAN and Reports in the SNS User guide.

Improved Quality of Service (QoS) feature

The Quality of Service (QoS) feature has been enhanced to meet the requirements of current infrastructures. With these changes, traffic priorities as well as bandwidth restrictions and reservations can be defined much more precisely.

For more information, refer to the section Quality of Service (QoS) in the User guide.

IMPORTANT
QoS configurations defined in versions earlier than SNS 4.3 are not automatically valid after the update. Traffic shapers must be configured before these QoS configurations can be enabled again on SNS 4.3.

Static routing - Router objects

Router objects can now be selected as gateways when a static route is created or modified, which makes it possible to set a link selection policy for each static route.

A different link selection policy can still be applied to specific traffic streams by configuring it directly in the rules of the filter policy (policy-based routing). Policy-based routing takes precedence over static routing.

For further information, refer to the sections IPv4/IPv6 static routes, Network objects - Router and Filtering in the SNS User guide.

NOTE
Router objects defined with load balancing are not compatible with this feature.

TLS protocol 1.3

Analysis of server certificates

The intrusion prevention engine now attempts to retrieve the server certificate of every TLS 1.3 stream passing through the firewall, so that security flaws relating to this certificate can be analyzed and attack signatures and application detection that rely on this analysis can be enabled.

This analysis is enabled by default. As a result, some TLS 1.3 traffic that was not previously blocked may now be blocked by this new protocol analysis; review the alarms raised on TLS 1.3 flows after the update.

SSL proxy

The SSL proxy now supports the TLS 1.3 protocol.

SOFBUS and LACBUS industrial protocols

SNS firewalls can now detect and analyze SOFBUS and LACBUS protocols. This analysis is disabled by default and makes it possible to detect abnormal behavior and filter specific SOFBUS and LACBUS commands to minimize the attack surface and risk of compromise. These protocols are used mainly in water management infrastructures, and are the intellectual property of LACROIX Sofrel.

Network captures

A new network capture tool is now available in the web administration interface of SNS firewalls for troubleshooting. The most common filter criteria (IP address, port, interface, etc.) can be entered in a filter creation wizard, so that users unfamiliar with tcpdump or its filter syntax can create network captures. Advanced users can also enter the tcpdump filter manually.

Up to five captures can be run simultaneously with this tool. To use it, the firewall must be equipped with a storage medium on which captures can be saved (e.g., internal storage or SD card).

Remote access to the firewall via SSH

Opening access to the firewall's administrator accounts

Administrators declared on the firewall can now be granted SSH access to it. Such access is restricted by default to the nsrpc shell interpreter (in which CLI/Serverd commands are used) and can be extended to the operating system's shell if the super-administrator (admin account) allows it.

Protection from brute force attacks

Remote access to the firewall via SSH is now protected against brute force attacks. If brute force protection was already enabled on the firewall, its scope is automatically extended to SSH.

RADIUS authentication

Dashboard

RADIUS servers are now monitored and their statuses shown in the Services widget of the Dashboard.

Idle timeout and maximum number of connection attempts

The idle timeout and the maximum number of attempts allowed to set up a connection with a RADIUS server (main and backup servers) can now be configured, using the arguments timeout, retry, btimeout and bretry of the CLI/Serverd command CONFIG AUTH RADIUS.

Support for RADIUS VSAs

Users authenticated via RADIUS can now be associated with firewall groups through RADIUS Vendor-Specific Attributes (VSAs). This makes it possible, in particular, to add administrators whose users or groups come from other domains. For this feature to work, the RADIUS server must also be configured to send these VSAs.

Support for VSAs on the firewall is enabled by default but can be disabled using the CLI/Serverd command CONFIG AUTH RADIUS with the argument [VSAusergroup=<0|1>].
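The following Python script, added here as an illustration and not taken from the SNS firmware or documentation, shows what a RADIUS client has to do with an Access-Accept to derive group membership from VSAs: walk the RFC 2865 attribute list, unpack the Vendor-Specific attribute (type 26) into its vendor ID and vendor sub-attributes, and keep only the sub-attributes of the expected vendor. The vendor ID (99999), the vendor attribute number (1), the shared secret and the packet bytes are constructed assumptions; the real values come from the SNS documentation and your RADIUS server configuration. The script also verifies the Response Authenticator first, because group attributes from an unverified reply must not be trusted.

```python
from __future__ import annotations

import hashlib
import hmac
import struct
from typing import Iterator

RADIUS_ACCESS_ACCEPT = 2     # RFC 2865 packet code
ATTR_USER_NAME = 1           # RFC 2865 attribute type
ATTR_VENDOR_SPECIFIC = 26    # RFC 2865 attribute type
HEADER_LEN = 20              # code, identifier, length, 16-byte authenticator

# Hypothetical values: replace with the vendor ID and vendor attribute number
# that the SNS documentation specifies for group membership.
ASSUMED_VENDOR_ID = 99999
ASSUMED_GROUP_VSA_TYPE = 1


def parse_attributes(data: bytes) -> Iterator[tuple[int, bytes]]:
    """Walk a RADIUS attribute list: 1-byte type, 1-byte length (header included), value."""
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("invalid attribute length")
        yield atype, data[i + 2:i + alen]
        i += alen


def parse_vsa(value: bytes) -> tuple[int, list[tuple[int, bytes]]]:
    """Split a Vendor-Specific value into the vendor ID and its vendor sub-attributes."""
    if len(value) < 4:
        raise ValueError("VSA shorter than the 4-byte vendor ID")
    vendor_id = struct.unpack("!I", value[:4])[0]
    # Sub-attributes reuse the TLV layout, with vendor-defined types.
    return vendor_id, list(parse_attributes(value[4:]))


def verify_access_accept(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Check the Response Authenticator (RFC 2865 section 3) before trusting any attribute.

    Without this check an on-path attacker could inject an Access-Accept that
    grants arbitrary groups; the shared secret ties the reply to the request.
    """
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < HEADER_LEN:
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[HEADER_LEN:length] + secret).digest()
    return hmac.compare_digest(packet[4:HEADER_LEN], expected)


def groups_from_access_accept(packet: bytes, vendor_id: int = ASSUMED_VENDOR_ID,
                              group_type: int = ASSUMED_GROUP_VSA_TYPE) -> list[str]:
    """Return the group names carried by the matching VSAs of an Access-Accept."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != RADIUS_ACCESS_ACCEPT:
        raise ValueError(f"expected Access-Accept, got code {code}")
    groups = []
    for atype, value in parse_attributes(packet[HEADER_LEN:length]):
        if atype != ATTR_VENDOR_SPECIFIC:
            continue
        vid, subs = parse_vsa(value)
        if vid != vendor_id:
            continue  # VSAs from other vendors are ignored, not an error
        groups.extend(sv.decode("utf-8") for st, sv in subs if st == group_type)
    return groups


# --- Constructed sample packet (not captured from a real server) ---------

def build_attr(atype: int, value: bytes) -> bytes:
    return bytes([atype, 2 + len(value)]) + value


def build_vsa(vendor_id: int, vtype: int, value: bytes) -> bytes:
    return build_attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + build_attr(vtype, value))


def build_access_accept(ident: int, request_auth: bytes, secret: bytes, attrs: bytes) -> bytes:
    head = struct.pack("!BBH", RADIUS_ACCESS_ACCEPT, ident, HEADER_LEN + len(attrs))
    authenticator = hashlib.md5(head + request_auth + attrs + secret).digest()
    return head + authenticator + attrs


SECRET = b"example-shared-secret"  # constructed
REQUEST_AUTH = bytes(range(16))    # constructed; normally random per Access-Request
SAMPLE_ACCEPT = build_access_accept(
    7, REQUEST_AUTH, SECRET,
    build_attr(ATTR_USER_NAME, b"alice")
    + build_vsa(ASSUMED_VENDOR_ID, ASSUMED_GROUP_VSA_TYPE, b"fw-admins")
    + build_vsa(ASSUMED_VENDOR_ID, ASSUMED_GROUP_VSA_TYPE, b"vpn-users")
    + build_vsa(9, 1, b"shell:priv-lvl=15"),  # Cisco (vendor 9) AV-pair, must be ignored
)


def demo() -> list[str]:
    """Verify the reply, then extract the groups of the assumed vendor."""
    if not verify_access_accept(SAMPLE_ACCEPT, REQUEST_AUTH, SECRET):
        raise ValueError("authenticator mismatch: reply not trusted")
    return groups_from_access_accept(SAMPLE_ACCEPT)


if __name__ == "__main__":
    print(demo())  # ['fw-admins', 'vpn-users']
```

Two design points carry over to a real deployment: VSAs from any vendor other than the expected one are skipped silently, since a server may legitimately return attributes for several device families, and a reply whose Response Authenticator does not verify under the shared secret yields no groups at all rather than a partial result.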

IPv6 support

RADIUS servers can now be reached in IPv6, which means that RADIUS servers with objects that use IPv6 addresses can be configured in the firewall.

Support for the domain attribute

A user's domain name can now be copied to the corresponding field of the RADIUS request, so that RADIUS authentication can be used in a federation consisting of several domains.

Source IP address of RADIUS requests

The source IP address of RADIUS requests can now be configured.

Processing RADIUS requests

RADIUS requests are now asynchronously processed to facilitate their integration with OTP platforms.

LDAP server

The firewall's internal LDAP server now uses a TLS configuration in line with the recommendations of the French National Cybersecurity Agency (ANSSI).

VPN

IPsec VPN IKEv2 - Support for MOBIKE

MOBIKE can now be used with mobile peers. With MOBIKE, mobile users no longer need to renegotiate their tunnels when they change IP addresses.

MOBIKE can only be enabled by using the CLI/Serverd commands CONFIG IPSEC PEER NEW and CONFIG IPSEC PEER UPDATE with the argument [mobike=<0|1>] depending on whether you are adding or updating a peer.

An additional parameter makes it possible to define, in the IPsec policy, the interfaces from which the IPsec engine builds the list of IP addresses it advertises to the peer via MOBIKE. In this way, the addresses disclosed when MOBIKE is used can be kept to the strict minimum (for example, internal interface addresses need not be advertised). The list of interfaces can only be modified using the CLI/Serverd command CONFIG IPSEC UPDATE with the argument [UsedInterface=<itf1,itf2,...>].

NOTE

MOBIKE is not compatible with the Diffusion Restreinte (DR) mode that complies with the recommendations of the French National Cybersecurity Agency (ANSSI).

SSL VPN

SSL VPN connections are now set up faster, and the SSL VPN now supports TLS 1.3. A TLS 1.3-compatible SSL VPN client is required to benefit from these enhancements; note that Stormshield Network SSL VPN Client version 2.9 is not compatible with this protocol.

With these enhancements, the network object assigned to UDP and TCP clients in the SSL VPN configuration must now be at least as large as a /28 network (16 addresses).

High availability and link aggregation

In configurations that contain link aggregates, the Enable link aggregation when the firewall is passive option is now enabled by default when high availability is initialized. This option reduces switchover time.

High availability - Direct links between members of the cluster

In high availability configurations with direct HA links between both members of the cluster (without any intermediate network switch), when HA links are down after the main firewall fails, the switch to the other member of the cluster takes place immediately.

Link aggregation - Redundancy

Redundancy link aggregates can now be created. With the redundancy feature, a backup link can be set up in case the main link (identified as Master in the aggregate) stops responding. A Redundancy aggregate must contain two links.

This new feature is available only on SN510, SN710, SN910, SN1100, SN2000, SN2100, SN3000, SN3100, SN6000, SN6100, SNi20 and SNi40 models. SNS firewalls support this feature only with Cisco switches.

Telemetry service

When SNS firewall administrators connect to the web administration interface, a window prompts them to enable the telemetry service if it has been disabled.

Certificates and PKI

Web enrollment - Certificate enrollment

The web enrollment service has been enhanced so that users can submit certificate requests from the latest versions of mainstream web browsers. When submitting a request, users must now define the encryption key (password) that protects their private key themselves.

Refreshing the CRL of a CA

A new CLI/Serverd command, SYSTEM CHECKCRL, makes it possible to force a refresh of a certification authority's (CA) certificate revocation list (CRL).

Hardening of the operating system

Executable file integrity verification mechanism

SNS firewalls now generate a system event when the executable file integrity verification mechanism refuses to run a binary file.

Secure Boot

Secure Boot can now be enabled in the UEFI of SNi20, SN1100 and SN3100 firewalls. When it is enabled, the UEFI firmware verifies the signature of the system image loaded when the firewall starts up and refuses to boot an unsigned or tampered image, which increases the security of the system.