Recommendations on the operating environment

The installation of an SNS firewall and an SMC server is part of implementing a global security policy. To ensure optimal protection of your assets, resources and information, installing an SNS firewall between your network and the Internet, or installing an SMC server to help you configure your firewalls correctly, are only the first steps. This is mainly because most attacks come from the inside (accidents, disgruntled employees, dismissed employees who have retained internal access, etc.).

The following is a list of security recommendations on how to use the SNS firewall and the SMC server.

IMPORTANT

Recommendations

Physical security measures

SNS firewalls and the SMC server must be installed and stored according to the state of the art for sensitive security devices: secured access to the premises, shielded twisted-pair cables, labeled cables, etc.

Organizational security measures

Super administrator

A particular administrator role, the super administrator, displays the following characteristics:

  • The only administrator allowed to log on via the local console on SNS firewalls, and only during the installation of the SNS firewall or for maintenance operations outside of normal production use,

  • In charge of defining the profiles of other administrators,

  • All access to the premises where the SNS firewalls and the SMC server are stored must be under the super administrator's supervision, regardless of whether the purpose of the access is to conduct operations on the SNS firewall or on other equipment. All operations performed will be this administrator’s responsibility.

IMPORTANT
The default password of the super administrator must be changed the very first time the SNS firewall is used.

Password

User and administrator passwords must be chosen so that they resist cracking for as long as possible, by enforcing a policy that regulates how they are created and verified (e.g., mix of alphanumeric characters, minimum length, inclusion of special characters, no dictionary words, etc.).

Administrators can change their password in the web administration interface of:

  • SNS in Configuration > System > Administrators, Administrator account tab,

  • SMC in Maintenance > SMC Server > Administrators.

Administrators are aware of these best practices through their duties and are responsible for making users aware of these practices (see the next section User Awareness).

Good information flow control policies

The information flow control policies to be implemented, for the equipment on the trusted networks to be protected, are defined as:

  • Complete: all standard usage scenarios of the equipment have been considered when defining the rules, and their authorized limits have been defined,
  • Strict: only the uses of the equipment that are actually necessary are authorized,
  • Correct: rules do not contradict each other,
  • Unambiguous: the list of rules provides all the elements a qualified administrator needs to configure the SNS firewall directly.
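The "correct" and "unambiguous" properties can be checked mechanically before a rule set is loaded onto a firewall. The following script is an added example and not Stormshield code: the rule model, the findings wording, and the sample networks, ports and rule names are this example's own assumptions. It treats the policy as first-match, top to bottom, and reports rules that can never match because an earlier rule covers them (a contradiction when the actions differ), partial overlaps with different actions where neither rule covers the other (order-dependent, hence ambiguous), a permissive catch-all pass rule (not strict), and a policy without an explicit final default block (not complete).

```python
"""Static consistency check of a first-match filter policy.

Added example, not Stormshield code: the Rule model, the networks, ports and
rule names below are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import List, Optional, Tuple

ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                              # "pass" or "block"
    src: IPv4Network
    dst: IPv4Network
    proto: Optional[str] = None              # None = any protocol
    dport: Optional[Tuple[int, int]] = None  # inclusive port range, None = any


def _ports_cover(outer, inner):
    if outer is None:
        return True
    if inner is None:
        return False
    return outer[0] <= inner[0] and inner[1] <= outer[1]


def _ports_overlap(a, b):
    if a is None or b is None:
        return True
    return a[0] <= b[1] and b[0] <= a[1]


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matched by `inner` is also matched by `outer`."""
    return (inner.src.subnet_of(outer.src)
            and inner.dst.subnet_of(outer.dst)
            and (outer.proto is None or outer.proto == inner.proto)
            and _ports_cover(outer.dport, inner.dport))


def overlaps(a: Rule, b: Rule) -> bool:
    """True if at least one packet could match both rules."""
    return (a.src.overlaps(b.src) and a.dst.overlaps(b.dst)
            and (a.proto is None or b.proto is None or a.proto == b.proto)
            and _ports_overlap(a.dport, b.dport))


def check_policy(rules: List[Rule]) -> List[str]:
    """Return human-readable findings; an empty list means no issue was detected."""
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                kind = "contradicted" if earlier.action != later.action else "redundant"
                findings.append(f"{later.name} is {kind}: shadowed by {earlier.name}")
                break  # one shadowing rule is enough to make the later rule dead
            # A specific rule followed by a broader one with the other action is the
            # normal "exception, then default" pattern. Only partial overlaps where
            # neither rule covers the other depend on ordering.
            if (overlaps(earlier, later) and earlier.action != later.action
                    and not covers(later, earlier)):
                findings.append(f"{later.name} partially overlaps {earlier.name} "
                                "with a different action: ambiguous, order-dependent")
    for r in rules:
        if r.action == "pass" and covers(r, Rule("_any", "pass", ANY, ANY)):
            findings.append(f"{r.name} is a permissive catch-all: policy is not strict")
    default_block = Rule("_default", "block", ANY, ANY)
    if not rules or rules[-1].action != "block" or not covers(rules[-1], default_block):
        findings.append("no explicit final default-block rule: policy is not complete")
    return findings


# Constructed sample policy: a trusted LAN and a DMZ hosting one web server.
LAN = ip_network("10.0.0.0/24")
DMZ = ip_network("192.168.1.0/24")
WEB = ip_network("192.168.1.10/32")

SAMPLE_POLICY = [
    Rule("r1-lan-to-web-https", "pass", LAN, WEB, "tcp", (443, 443)),
    Rule("r2-block-lan-to-dmz", "block", LAN, DMZ),
    Rule("r3-lan-to-web-http", "pass", LAN, WEB, "tcp", (80, 80)),  # dead: r2 matches first
    Rule("r4-admin-ssh-to-dmz", "pass", ip_network("10.0.0.0/25"), DMZ, "tcp", (22, 22)),  # dead too
    Rule("r5-site-to-site-8080", "pass", ip_network("10.0.0.0/16"),
         ip_network("192.168.0.0/16"), "tcp", (8080, 8080)),  # partial overlap with r2
    Rule("r6-default-block", "block", ANY, ANY),
]

if __name__ == "__main__":
    for finding in check_policy(SAMPLE_POLICY):
        print(finding)
```

Run against the sample policy, the check reports r3 and r4 as contradicted by r2 (the administrator wrote pass rules that the earlier block makes unreachable) and r5 as order-dependent with respect to r2; the "exception before default block" pattern of r1 followed by r2 and r6 is not reported.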

Cryptographic keys

Cryptographic keys that were generated outside the SNS firewall and injected into it must have been generated according to the general security guidelines defined by the French National Cybersecurity Agency (ANSSI) in the Référentiel général de sécurité (RGS) document (in French).

Human agents

Administrators are non-hostile, competent persons with the necessary means for accomplishing their tasks. They have been trained to perform operations for which they are responsible. Their skills and organization mean that:

  • Different administrators with the same privileges do not perform contradictory administrative actions (e.g., inconsistent modifications to the information flow control policy),
  • Logs are used and alarms are processed within the appropriate time frames.

IT security environment

SNS firewalls

SNS firewalls are installed in compliance with the current network interconnection policy and are the only passage points between the various networks on which the information flow control policy has to be applied. They are sized according to the capacities of adjacent devices, or those devices limit the number of packets per second to a rate set slightly below the maximum processing capacity of each SNS firewall installed in the network architecture.

Besides the application of security functions, SNS firewalls do not provide any network service other than routing and address translation (e.g., no DHCP, DNS, PKI, application proxies, etc.). SNS firewalls are not configured to forward IPX, Netbios, AppleTalk, PPPoE or IPv6 information flows.

SNS firewalls do not depend on external “online” services (DNS, DHCP, RADIUS, etc.) to apply the information flow control policy.

The IT environment provides:

  • NTP reliable timestamps,

  • Up to date X.509 certificate revocation status, both for peers and administrators,

  • A reliable enrolment infrastructure.

SMC server

A traffic control policy must be applied to the SMC server to allow only its administrators and managed SNS firewalls to log in to it.

The virtual machine must be appropriately scaled (RAM, CPU, disk space) to enable administration of the SNS firewalls managed by the SMC server. The SMC operating system must never be modified to meet needs other than those it was designed to meet.

There must be sufficient bandwidth available at all times between the SMC server and the SNS firewalls so that all administration operations can be performed. To meet this requirement, the administrator must configure, and if necessary disable, certain features, or else restrict the number of packets per second so that administration traffic is given priority.

The production and distribution of connecting packages, which allow the SMC server to manage SNS firewalls, must be managed and entrusted to individuals who are familiar with security requirements. Such packages must only be shared through secure channels (encrypted e-mails, secured USB keys, etc.) between the SMC server and SNS firewalls.

Interconnectivity

Remote administration workstations are secured and kept up to date on all known vulnerabilities affecting operating systems and hosted applications. They are installed in premises with protected access and are dedicated exclusively to the administration of SNS firewalls, the SMC server and the storage of backups.

Network appliances with which the SNS firewall sets up VPN tunnels are subject to restrictions regarding physical access control, protection and control over their configuration, equivalent to the restrictions placed on SNS firewalls.

Workstations on which the VPN clients of authorized users are launched are subject to restrictions regarding physical access control, protection and control over their configuration, equivalent to the restrictions placed on workstations in trusted networks. They are secured and kept up to date on all known vulnerabilities affecting operating systems and hosted applications.

Configurations and usage mode subject to the evaluation of SNS firewalls

The usage mode subject to evaluation has the following characteristics.

  • The evaluation covers the Stormshield UTM / NG-Firewall Software Suite installed on all versions of Stormshield firewalls, from the SN210 to SN6100 range, including industrial models SNi20 and SNi40. Certain models do not have large local log storage capacities and have to send events via syslog,

  • SNS firewalls have to be stored in a location with secured access. Such measures, as well as organizational procedures for the operating environment, have to guarantee that any physical access to the SNS firewalls takes place under the surveillance of the super administrator,

  • The local console is not used in production. Only the super administrator can log on to it, and only when a decision has been made to make an exception to the operating context, i.e. to conduct a maintenance operation or a re-installation,

  • Workstations on which the web administration interface will be used are secured, dedicated to such use, and up to date on all patches concerning the respective operating systems and the applications installed on them,

  • The Stormshield Network IPsec VPN Client software is not part of the evaluation. Users can use an IPsec VPN client of their choice, however, these client workstations have to be secured as rigorously as remote administration workstations,

  • When external services are used by the SNS firewall, they are not part of the evaluation. However, these servers have to be dedicated to such use, and up to date on all patches concerning the respective operating systems and the applications installed on them. External services are:

    • The NTP time servers,

    • The LDAP administrator and IPSec user directory server,

    • The syslog server,

    • The CRL or OCSP server,

    • The SMC server,

    • The EST certificate enrolment server.

  • The following configuration parameters must remain in their factory (default) states:

    • CRLs: regularly downloaded from a CRL server,

    • Internal clock: regularly synchronized with NTP servers,

    • NSRPC administration services (port 1300/TCP): restricted to loopback,

    • IPv6 routing feature: even though it is supported, the IPv6 feature is disabled by default and must remain so for the duration of the evaluation,

    • ESP Anti-replay windows, IKE re-authentication and IKE PFS (Perfect Forward Secrecy): activated,

    • Maximum SA lifetimes: 24 hours for IKE SA and 4 hours for IPsec SA.

  • The following application analysis functions are the only protocols covered by the certification:

    • FTP over TCP,

    • HTTP over TCP (including WebDAV extensions),

    • SIP over TCP or UDP,

    • SMTP over TCP,

    • DNS over TCP or UDP.

    And industrial protocols:

    • OPC UA over TCP,

    • MODBUS over TCP.

    Others must not be used in the running configuration.

  • The following parameters must not be used in filter policy to associate a filter rule with:

    • An application inspection (HTTP, SMTP, POP3 and FTP proxies),

    • A schedule (Time object),

    • The "decrypt" action (SSL proxy),

    • A host reputation,

    • An FQDN object in source or destination (requires external DNS services).

  • The following features may be used, but are not considered security functions:

    • Address translation (network address translation or NAT),

    • Quality of Service,

    • High availability,

    • Embedded reports,

    • Filtering based on Geolocation and IP Reputation,

    • Filtering based on MAC address (Ethernet level),

    • Active Update.

  • The usage mode subject to evaluation excludes any reliance by the SNS firewall on services other than those mentioned above. The optional modules provided by Stormshield to manage such services are disabled by default and have to stay that way. Specifically, these are:

    • Modules that allow handling external servers (e.g., Kerberos, RADIUS, etc.),

    • The dynamic routing module,

    • The static multicast routing module,

    • The internal public key infrastructure (PKI),

    • The SSL VPN module (Portal and Tunnel),

    • DNS cache,

    • Antivirus engines,

    • SSH, DHCP, MPD and SNMPD servers,

    • The DHCP client,

    • The DHCP relay,

    • Wifi connection for equipped devices,

    • Host reputation,

    • For SNi40 and SNi20 models: the hardware bypass capabilities,

    • Any custom IPS patterns,

    • FQDN objects (require external DNS services),

    • IPFIX messages,

    • Telemetry,

    • Breathfighter (Sandboxing),

    • Network Vulnerability Manager (SNVM).

    Administration and monitoring tools provide a way of checking, at any moment during operation, that these modules are disabled.

  • The IKE & IPsec cryptographic algorithms implemented must be:

    Identification:
      • Standard IPsec: pre-shared key, or certificate with RSA or ECDSA key (1)
      • IPsec DR: certificate with ECDSA or ECSDSA key (2) (3)

    Authentication/Integrity:
      • Standard IPsec: SHA-2 256, 384 or 512 bit
      • IPsec DR: SHA-2 256 bit

    Key negotiation:
      • Standard IPsec: Diffie-Hellman groups 14, 15, 16, 17, 18, 19, 20, 21, 28, 29 and 30 (4)
      • IPsec DR: Diffie-Hellman group 28

    Encryption:
      • Standard IPsec: AES 128, 192 or 256 bit in CBC, CTR or GCM mode
      • IPsec DR: AES 256 bit in GCM or CTR mode

    (1): The smallest size of an RSA key must be 2048 bits, or 3072 bits for use beyond 2030.

    (2): The smallest ECDSA or ECSDSA key size is 256 bits.

    (3): Although the use of RSA keys is prohibited in a DR environment, an RSA root certificate may still sign an intermediate certificate dedicated to IPsec, for example, provided that the certification authority configured as the trust anchor on the firewall is that intermediate certificate.

    (4): For use beyond 2030, the smallest group to use must be Diffie-Hellman group 15.


    These cryptographic algorithms are needed for compliance with the general security guidelines defined by the French National Cybersecurity Agency (ANSSI) in the Référentiel général de sécurité (RGS) document (in French).


    Do note that the recommendations on implementing the strengthened IPsec mode called Diffusion Restreinte (DR) mode that complies with ANSSI's reference document for IPsec DR are given in the SNS Technical note "IPsec - Diffusion Restreinte mode".
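The constraints in the table and its footnotes are easy to get wrong when a proposal is typed by hand, so they are worth checking before a tunnel is declared compliant. The following checker is an added example and not Stormshield code: the Proposal fields, the profile names "standard" and "dr", the `beyond_2030` switch and the sample proposals are this example's own assumptions. The allowed values, the key-size and post-2030 conditions of footnotes (1), (2) and (4), and the 24 h / 4 h maximum SA lifetimes listed earlier in this section are taken from the recommendations above.

```python
"""Check an IKE/IPsec proposal against the certified algorithm table.

Added example, not Stormshield code: field names, profile names and the sample
proposals are assumptions of this example; the allowed values follow the table.
"""
from dataclasses import dataclass
from typing import List, Optional

PROFILES = {
    "standard": {
        "auth": {"psk", "rsa", "ecdsa"},
        "integrity": {"sha256", "sha384", "sha512"},
        "dh_groups": {14, 15, 16, 17, 18, 19, 20, 21, 28, 29, 30},
        "enc_bits": {128, 192, 256},
        "modes": {"cbc", "ctr", "gcm"},
    },
    # Diffusion Restreinte: certificate-only, SHA-256, DH group 28, AES-256 GCM/CTR
    "dr": {
        "auth": {"ecdsa", "ecsdsa"},
        "integrity": {"sha256"},
        "dh_groups": {28},
        "enc_bits": {256},
        "modes": {"gcm", "ctr"},
    },
}
MAX_IKE_SA_HOURS = 24    # factory maximum IKE SA lifetime
MAX_IPSEC_SA_HOURS = 4   # factory maximum IPsec SA lifetime


@dataclass
class Proposal:
    auth: str                  # "psk", "rsa", "ecdsa" or "ecsdsa"
    key_bits: Optional[int]    # certificate key size; None for a pre-shared key
    integrity: str             # "sha256", "sha384" or "sha512"
    dh_group: int
    enc_bits: int              # AES key size
    mode: str                  # "cbc", "ctr" or "gcm"
    ike_sa_hours: int = 24
    ipsec_sa_hours: int = 4


def check_proposal(p: Proposal, profile: str = "standard", beyond_2030: bool = False) -> List[str]:
    """Return the list of deviations; an empty list means the proposal is compliant."""
    allowed = PROFILES[profile]
    errs = []
    if p.auth not in allowed["auth"]:
        errs.append(f"authentication {p.auth} not allowed in {profile} profile")
    elif p.auth == "rsa":
        min_rsa = 3072 if beyond_2030 else 2048         # footnote (1)
        if p.key_bits is None or p.key_bits < min_rsa:
            errs.append(f"RSA key must be at least {min_rsa} bits")
    elif p.auth in ("ecdsa", "ecsdsa"):
        if p.key_bits is None or p.key_bits < 256:      # footnote (2)
            errs.append("ECDSA/ECSDSA key must be at least 256 bits")
    if p.integrity not in allowed["integrity"]:
        errs.append(f"integrity {p.integrity} not allowed in {profile} profile")
    if p.dh_group not in allowed["dh_groups"]:
        errs.append(f"Diffie-Hellman group {p.dh_group} not allowed in {profile} profile")
    elif profile == "standard" and beyond_2030 and p.dh_group < 15:  # footnote (4)
        errs.append("Diffie-Hellman group 14 is not allowed beyond 2030; use group 15 or higher")
    if p.enc_bits not in allowed["enc_bits"]:
        errs.append(f"AES-{p.enc_bits} not allowed in {profile} profile")
    if p.mode not in allowed["modes"]:
        errs.append(f"AES mode {p.mode} not allowed in {profile} profile")
    if p.ike_sa_hours > MAX_IKE_SA_HOURS:
        errs.append(f"IKE SA lifetime exceeds {MAX_IKE_SA_HOURS} h")
    if p.ipsec_sa_hours > MAX_IPSEC_SA_HOURS:
        errs.append(f"IPsec SA lifetime exceeds {MAX_IPSEC_SA_HOURS} h")
    return errs


# Constructed sample proposals.
STANDARD_OK = Proposal("psk", None, "sha256", 14, 128, "cbc")
DR_OK = Proposal("ecdsa", 256, "sha256", 28, 256, "gcm")
LEGACY = Proposal("rsa", 1024, "sha256", 14, 128, "cbc", ike_sa_hours=72)

if __name__ == "__main__":
    for label, prop, prof, late in [("standard", STANDARD_OK, "standard", False),
                                    ("standard beyond 2030", STANDARD_OK, "standard", True),
                                    ("dr", DR_OK, "dr", False),
                                    ("legacy", LEGACY, "standard", False)]:
        print(label, check_proposal(prop, prof, late) or "compliant")
```

Note that a proposal that is compliant today (pre-shared key, group 14) stops being compliant under the post-2030 rule because of the Diffie-Hellman group alone, and that the same RSA-based proposal is rejected outright under the DR profile regardless of key size.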