The Firewall administrator is in charge of instructing users on network security, the equipment which make up the network and the information which passes through it.
Most users in a network are computer novices and even more so in network security. It is thus incumbent upon the administrator or person in charge of network security to organize training sessions or at least programs to create user awareness of network security.
These sessions should be used to state the importance of managing user passwords and the work environment as well as the management of users’ access to the company’s resources, as indicated in the following section.
Initial connection to the appliance
A security procedure must be followed if the initial connection to the appliance takes place through an untrusted network. This operation is not necessary if the administration workstation is plugged in directly to the product.
Access to the administration portal is secured through the SSL/TLS protocol. This protection allows authenticating the portal via a certificate, thereby assuring the administrator that he is indeed logged in to the desired appliance. This certificate can either be the appliance’s default certificate or the certificate entered during the configuration of the appliance (Authentication > Captive portal). The name (CN) of the appliance’s default certificate is the appliance’s serial number and it is signed by two authorities called NETASQ - Secure Internet Connectivity ("O") / NETASQ Firewall Certification Authority ("OU") and Stormshield ("O") / Cloud Services ("OU").
To confirm a secure access, the browser must trust the certification authority that signed the certificate used, which must belong to the browser’s list of trusted certificate authorities. Therefore to confirm the integrity of an appliance, the NETASQ and Stormshield certificate authorities must be added to the browser’s list of trusted certificate authorities before the initial connection. These authorities are available at http://pki.stormshieldcs.eu/netasq/root.crt and http://pki.stormshieldcs.eu/products/root.crt. If a certificate signed by another authority has been configured on the appliance, this authority will need to be added instead of the NETASQ and Stormshield authorities.
As a result, the initial connection to the appliance will no longer raise an alert in the browser regarding the trusted authority. However, a message will continue to warn the user that the certificate is not valid. This is because the certificate defines the Firewall by its serial number instead of its IP address. To stop this warning from appearing, you will need to indicate to the DNS server that the serial number is associated with the IP address of the Firewall.
The default password of the “admin” user (super administrator) must be changed the very first time the product is used in the web administration interface, in the Administrator module (System menu), under the Administrator account tab.
The definition of this password must observe the best practices described in the following section, under User password management.
This password must never be saved in the browser.
User password management
Throughout the evolution of information technologies, numerous authentication mechanisms have been invented and implemented to guarantee that companies’ information systems possess better security. The result of this multiplication of mechanisms is a complexity which contributes to the deterioration of company network security today.
Users (novices and untrained users) tend to choose “simplistic” passwords, in general drawn from their own lives and which often correspond to words found in a dictionary. This behavior, quite understandably, leads to a considerable deterioration of the information system’s security.
Dictionary attacks being an exceedingly powerful tool is a fact that has to be reckoned with. A study conducted in 1993 has already proven this point. The following is a reference to this study: (http://www.klein.com/dvk/publications/). The most disturbing revelation of this study is surely the table set out below (based on 8-character passwords):
|Type of password||Number of characters||Number of passwords||Cracking time|
|English vocabulary 8 char. and +||Special||250000||< 1 second|
|Lowercase only||26||208827064576||9-hour graph|
|Lowercase + 1 uppercase||26/special||1670616516608||3 days|
|Upper- and lowercase||52||53459728531456||96 days|
|Letters + numbers||62||218340105584896||1 year|
|Printable characters||95||6634204312890620||30 years|
|Set of 7-bit ASCII characters||128||72057594037927900||350 years|
Another tendency which has been curbed but which is still happening is worth mentioning: those now-famous post-its pasted under keyboards.
The administrator has to organize actions (training, creating user awareness, etc) in order to modify or correct these “habits”.
- Encourage your users to choose passwords that exceed 7 characters,
- Remind them to use numbers and uppercase characters,
- Make them change their passwords on a regular basis,
- And last but not least, never to note down the password they have just chosen.
One classic method of choosing a good password is to choose a sentence that you know by heart (a verse of poetry, lyrics from a song) and to take the first letter of each word. This set of characters can then be used as a password.
“Stormshield Network, Leading French manufacturer of FIREWALL and VPN appliances…”
The password can then be the following: SNLFmoFaVa.
The ANSSI (French Network and Information Security Agency) offers a set of recommendations for this purpose to assist in defining sufficiently robust passwords.
Users are authenticated via the captive portal by default, through an SSL/TLS access that uses a certificate signed by two authorities not recognized by the browsers. It is therefore necessary to deploy these certificate authorities used by a GPO on users’ browsers. These authorities are by default the NETASQ CA and Stormshield CA, available from the following links:
For further detail, please refer to the previous section Administrator management, under Initial connection to the appliance.
The office is often a place where many people pass through every day, be they from the company or visitors, therefore users have to be aware of the fact that certain persons (suppliers, customers, workers, etc) can access their workspace and by doing so, obtain information about the company.
It is important that the user realizes that he should never disclose his password either by telephone or by e-mail (social engineering) and that he should type his password away from prying eyes.
User access management
To round up this section on creating user awareness of network security, the administrator has to tackle the management of user access. In fact, a Stormshield Network Firewall’s authentication mechanism, like many other systems, is based on a login/password system and does not necessarily mean that when the application enabling this authentication is closed, the user is logged off. This concept may not always be apparent to the uninitiated user. As such, despite having shut down the application in question, the user (who is under the impression that he is no longer connected) remains authenticated. If he leaves his workstation for just a moment, an ill-intentioned person can then usurp his identity and access information contained in the application.
Remind users to lock their sessions before they leave their workstations unattended. This seemingly tedious task can be made easier with the use of authentication mechanisms which automate session locking (for example, a USB token).