New features and enhancements in SNS 5.0.2 EA

Captive portal, SSL VPN and permission management with Microsoft Entra ID authentication

SNS version 5.0 introduces support for the OpenID Connect (OIDC) authentication protocol, an identity layer built on OAuth 2.0, to enable compatibility with Microsoft Entra ID single sign-on (SSO).

This allows users to authenticate with their Microsoft Entra ID accounts and, depending on the permissions defined, to be granted access to the firewall's captive portal and web administration interface, to set up tunnels over the Stormshield SSL VPN, or to be recognized in filter rules that require authentication.

IPsec VPN - Hybrid cryptography for post-quantum encryption

As of SNS version 5.0, hybrid cryptography can be used to protect IPsec key exchanges against attacks by quantum computers. The firewall combines a conventional key exchange with ML-KEM, the Module-Lattice-Based Key-Encapsulation Mechanism standardized by NIST in FIPS 203.

The quantum-resistant algorithm runs in addition to the usual algorithm, not instead of it, so the negotiated key remains protected as long as at least one of the two is unbroken. Do note that symmetric cryptography, which protects the traffic itself once the key has been negotiated, is not considered vulnerable to such attacks.

The following algorithms are supported in SNS version 5.0:

  • ML-KEM-512,
  • ML-KEM-768,
  • ML-KEM-1024.

Two encryption profiles that use these algorithms in hybrid mode are now offered in the Encryption profiles tab of the IPsec VPN module:

  • PQCEncryption: for configurations in which all peers use this new hybrid post-quantum key exchange exclusively,
  • PQCTransition: for configurations currently transitioning to this new hybrid post-quantum key exchange.
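As an added illustration of what "hybrid" means for the key exchange (example code written for this page, not Stormshield code and not the IKEv2 mechanism itself), the Go program below runs an ephemeral X25519 exchange and an ML-KEM-768 encapsulation side by side, then feeds both shared secrets into HKDF so that the session key stays secret as long as either primitive is unbroken. The two-message layout, the struct names and the HKDF label are assumptions made for the example; in IKEv2 the post-quantum step is carried by the Additional Key Exchange mechanism of RFC 9370 and its result enters the IKE PRF instead. It requires Go 1.24 or later for crypto/mlkem and crypto/hkdf.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/hkdf"
	"crypto/mlkem"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Message 1: initiator's ephemeral X25519 public key and ML-KEM-768
// encapsulation key. Message 2: responder's X25519 public key and the
// ML-KEM ciphertext encapsulated to the initiator's key. (Example layout.)
type hello struct{ ecdhPub, kemPub []byte }
type reply struct{ ecdhPub, kemCT []byte }

// combine derives the session key from both shared secrets: the classical
// and post-quantum secrets are concatenated as HKDF input keying material
// and the whole transcript is bound in through the salt. The output stays
// secret as long as either X25519 or ML-KEM-768 holds.
func combine(ssECDH, ssKEM []byte, h hello, r reply) ([]byte, error) {
	t := sha256.New()
	for _, m := range [][]byte{h.ecdhPub, h.kemPub, r.ecdhPub, r.kemCT} {
		t.Write(m)
	}
	ikm := append(append([]byte{}, ssECDH...), ssKEM...)
	return hkdf.Key(sha256.New, ikm, t.Sum(nil), "hybrid-x25519-mlkem768-example", 32)
}

// Run performs one hybrid exchange between an initiator and a responder
// and returns the session key each side derived. With tamper set, one
// byte of the ML-KEM ciphertext is flipped in transit.
func Run(tamper bool) (initKey, respKey []byte, err error) {
	// Initiator: ephemeral X25519 key pair and ML-KEM-768 key pair.
	iECDH, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	iKEM, err := mlkem.GenerateKey768()
	if err != nil {
		return nil, nil, err
	}
	// Message 1 (initiator -> responder): both public values.
	h := hello{iECDH.PublicKey().Bytes(), iKEM.EncapsulationKey().Bytes()}

	// Responder: own X25519 key pair, ECDH with the initiator's key, and an
	// ML-KEM encapsulation to the initiator's encapsulation key.
	rECDH, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	iPub, err := ecdh.X25519().NewPublicKey(h.ecdhPub)
	if err != nil {
		return nil, nil, err
	}
	rSS1, err := rECDH.ECDH(iPub)
	if err != nil {
		return nil, nil, err
	}
	ek, err := mlkem.NewEncapsulationKey768(h.kemPub)
	if err != nil {
		return nil, nil, err
	}
	rSS2, ct := ek.Encapsulate()
	// Message 2 (responder -> initiator).
	r := reply{rECDH.PublicKey().Bytes(), ct}
	if respKey, err = combine(rSS1, rSS2, h, r); err != nil {
		return nil, nil, err
	}

	if tamper {
		r.kemCT[0] ^= 0x01 // corrupt the ciphertext on the wire
	}

	// Initiator: ECDH with the responder's key and ML-KEM decapsulation.
	// ML-KEM uses implicit rejection: a corrupted ciphertext of the right
	// length is not an error here, it just yields an unrelated secret.
	rPub, err := ecdh.X25519().NewPublicKey(r.ecdhPub)
	if err != nil {
		return nil, nil, err
	}
	iSS1, err := iECDH.ECDH(rPub)
	if err != nil {
		return nil, nil, err
	}
	iSS2, err := iKEM.Decapsulate(r.kemCT)
	if err != nil {
		return nil, nil, err
	}
	initKey, err = combine(iSS1, iSS2, h, r)
	return initKey, respKey, err
}

func main() {
	for _, tamper := range []bool{false, true} {
		a, b, err := Run(tamper)
		if err != nil {
			panic(err)
		}
		fmt.Printf("tampered=%v keys match=%v\n", tamper, bytes.Equal(a, b))
	}
}
```

The tampered run is the failure mode worth remembering: neither side gets an error from the key exchange itself, the two peers simply hold different keys. In IKEv2 that is caught by the subsequent authentication exchange, not by the KEM, which is why a hybrid profile changes the key exchange but leaves peer authentication (certificates or pre-shared keys) as important as before.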

SSL VPN - Performance

The SSL VPN service now includes the Data Channel Offload (DCO) module: when DCO is enabled, encryption and decryption of the data packets passing through SSL VPN tunnels are performed in the operating system kernel instead of in the firewall's SSL VPN service. This improves performance and lets the SSL VPN service handle the setup of many more SSL VPN tunnels.

Do note that DCO:

  • Is compatible only with UDP-based SSL VPN tunnels,
  • Is not enabled by default when an existing configuration is migrated,
  • Requires the selection of the AES-GCM encryption suite.

IPsec VPN - DR transition mode

In Diffusion Restreinte (DR) mode, which was introduced in SNS version 4.2, policies that comply with the IPsec DR specifications set by the ANSSI cannot coexist with policies that comply with the standard IPsec/IKEv2 specification (RFC 7296).

In SNS version 5.0, IPsec VPN tunnels that behave like tunnels in DR mode can be configured, while retaining the possibility of setting up IPsec VPN tunnels that comply with the standard. This feature, known as "DR transition mode", applies to complex architectures in which the process of making them DR-compliant has to go through a transitional phase, during which IPsec DR and standard (non-DR) policies are made to coexist.

For more information on DR transition mode, refer to the technical note Using DR Transition Mode: making an IPsec architecture compatible with DR mode.

Configuration REST API

SNS version 5.0 provides an initial REST API foundation to enable interaction with your firewalls through orchestration tools.

This initial version makes it possible to perform operations on blacklists of hosts that have been quarantined by the administrator.

This API will be enriched with every new SNS version released.

For more information on activating the REST API and handling API keys, refer to the SNS v5 user guide and SNS REST API documentation.

Quality of Service (QoS)

QoS is no longer an early-access feature.

For further information on QoS, refer to the technical note Configuring QoS on SNS firewalls.

Increased security

Hardening of the system

As part of the process of hardening the SNS operating system, privilege management has been strengthened for maintenance operations, firewall updates, and the use of certain services (SNMP agent, e-mail sending, etc.).

Certificates signed with SHA1

As of SNS version 5.0, certificates that have been signed with SHA1 are no longer supported, and can no longer be used in the various modules that allow the use of certificates (SSL VPN, telemetry, automatic backups, etc.).
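Before upgrading, a practitioner will want to know which certificates loaded on the firewall (SSL VPN server certificate, CA bundles used for telemetry or automatic backups) still carry a SHA-1 signature. The following Go program is an added example, not part of the release notes or of SNS: it audits a PEM bundle and flags SHA-1 signatures, whatever the key type. Since no real certificates appear on this page, it constructs its own two self-signed test certificates (one ECDSA-SHA1, one ECDSA-SHA256); the subject names are made up.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Finding describes one certificate found in a PEM bundle.
type Finding struct {
	Subject   string
	Algorithm string
	SHA1      bool
}

// usesSHA1 reports whether the certificate's own signature is SHA-1 based,
// for any key type. These are the certificates SNS 5.0 no longer accepts.
func usesSHA1(c *x509.Certificate) bool {
	switch c.SignatureAlgorithm {
	case x509.SHA1WithRSA, x509.ECDSAWithSHA1, x509.DSAWithSHA1:
		return true
	}
	return false
}

// AuditPEM walks every CERTIFICATE block in a PEM bundle and flags SHA-1
// signatures. ParseCertificate does not verify signatures, so legacy
// SHA-1 certificates are still readable even though Go will not trust them.
func AuditPEM(bundle []byte) ([]Finding, error) {
	var out []Finding
	for {
		var block *pem.Block
		block, bundle = pem.Decode(bundle)
		if block == nil {
			return out, nil
		}
		if block.Type != "CERTIFICATE" {
			continue
		}
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return out, err
		}
		out = append(out, Finding{c.Subject.CommonName, c.SignatureAlgorithm.String(), usesSHA1(c)})
	}
}

// selfSigned builds a constructed self-signed certificate with the given
// signature algorithm; it stands in for certificates exported from a PKI.
func selfSigned(cn string, alg x509.SignatureAlgorithm) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:       big.NewInt(1),
		Subject:            pkix.Name{CommonName: cn},
		NotBefore:          time.Now().Add(-time.Hour),
		NotAfter:           time.Now().Add(24 * time.Hour),
		SignatureAlgorithm: alg,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// MakeTestBundle returns constructed sample data: one legacy SHA-1
// certificate followed by one SHA-256 certificate (names are made up).
func MakeTestBundle() ([]byte, error) {
	legacy, err := selfSigned("legacy-sslvpn.example", x509.ECDSAWithSHA1)
	if err != nil {
		return nil, err
	}
	modern, err := selfSigned("sslvpn.example", x509.ECDSAWithSHA256)
	if err != nil {
		return nil, err
	}
	return append(legacy, modern...), nil
}

func main() {
	bundle, err := MakeTestBundle()
	if err != nil {
		panic(err)
	}
	findings, err := AuditPEM(bundle)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-24s %-14s sha1=%v\n", f.Subject, f.Algorithm, f.SHA1)
	}
}
```

To audit real material, replace MakeTestBundle with the bytes of the exported PEM file. Note that the check looks at the signature algorithm of each certificate, not at the key size: an RSA-2048 certificate signed with SHA-1 is still rejected, and a renewed certificate only helps if the issuing CA signs it with SHA-256 or better.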

Verifying the activation of Secure Boot

The web administration interface displays a warning message when Secure Boot is not enabled on the firewall. Do note that Secure Boot imposes constraints once it is enabled: to assess these constraints and follow the procedure to enable Secure Boot, refer to the technical note Managing Secure Boot in firewalls' UEFI.

Password policy

The password policy can now require a combination of upper-case and lower-case letters, digits and special characters. This option is enabled by default on firewalls in factory configuration.

Factory configuration - Editing DNS servers used by the firewall

In factory configuration, SNS firewalls now use DNS servers that are suggested by the European service dns0.eu.

Integration into various environments

SD-WAN

Monitoring of available SD-WAN gateways has been improved to better handle specific network failure cases in environments with several WAN links.

For further information on configuring SD-WAN, refer to the technical note SD-WAN - Selecting the best network link.

Script for EVA firewalls in VMware

In a VMware environment, a "user-data" script can now be supplied when an EVA firewall's OVF template is deployed in vSphere Client.

Zero-touch provisioning (ZTP)

The zero-touch provisioning (ZTP) enrollment process is now supported with the centralized management console (SMC version 3.8 and higher).

Do note that this feature is not available for firewalls with an internal certificate that is signed by the Netasq CA (firewalls manufactured before 2019).

Changes to performance

Overall performance

SNS version 5 improves the overall performance of Stormshield firewalls.

For more information on firewall performance, refer to the product datasheets that can be found on the Stormshield corporate website.

Proxy

Proxy performance has been enhanced, allowing up to 25% additional throughput.

Asynchronous reloading of filter rules

Filter policies can now be reloaded asynchronously to minimize the impact on network traffic: existing connections are not re-evaluated against the new rules immediately, but the next time they are used.

This mechanism is particularly useful in configurations that contain a significant number of rules and concurrent connections.

This feature is not enabled by default, and must be enabled through the following CLI/Serverd command sequence:

CONFIG SECURITYINSPECTION COMMON STATEFUL AsyncReload=1
CONFIG SECURITYINSPECTION ACTIVATE

For more information on asynchronous reloading of filter rules, refer to the technical note Implementing asynchronous reloading of filter rules.

Improved user experience

Web administration interface

The firewall's web administration interface now makes it possible to simultaneously open a configuration tab and a monitoring tab in the same browser. This makes it easier to check whether the configuration has been correctly applied.

This can be done by clicking on the icon in the Configuration and Monitoring tab headers.

The SNS theme and user interface have been redesigned for smoother browsing.

TPM

TPM handling has been improved: secrets stored in the TPM no longer need to be re-sealed against the system's new technical characteristics when changes are made to the firewall's UEFI.

IPsec tunnel monitoring

A search bar is now available in the IPsec VPN monitoring module.

Real-time logs

The Real-time logs module makes it possible to view the latest logs stored in memory on firewalls that are not equipped with SD cards.

HTTP protocol

The value of the configuration tokens AuthorizationBearerBuffer and AuthorizationNegotiateBuffer can now be configured in the HTTP protocol analysis configuration module.

Sending e-mails

The e-mail system has been hardened for enhanced security, and message templates can now be customized in the web administration interface, through the use of variables for each template.

BIOS version - CLI/Serverd command

The CLI/Serverd command SYSTEM PROPERTY now returns information regarding the firewall's BIOS, in particular the BIOS version.

SNMP - New table snsMemUsageTable

A new table, snsMemUsageTable, has been added to the STORMSHIELD-SYSTEM-MONITOR-MIB.txt MIB to present the various memory consumption measurements in a format that is easier to use.

Telemetry

New data reported by the telemetry service

The telemetry service in SNS version 5.0 now reports new data:

  • SSD status data:
    • Number of blocks removed from SSD use due to programming or erasing failure,
    • Number of hours SSD has been powered up,
    • Average number of block erasures (number of times the SSD has been completely written),
    • Percentage of remaining lifetime,
    • SSD wear indicator (0 - 100%),
    • Total number of 512 byte sectors written throughout the lifetime of the SSD,
    • Total number of 512 byte sectors read throughout the lifetime of the SSD.
  • Data regarding the filter policy:
    • Number of times the filter policy was reloaded since firewall startup,
    • Status of asynchronous filter rule reloading mode.
  • Data regarding IPsec tunnels:
    • Number of mobile tunnels configured with a Key-Encapsulation Mechanism (KEM) using a quantum-resistant algorithm,
    • Number of mobile tunnels set up with a KEM using a quantum-resistant algorithm,
    • Number of site-to-site tunnels configured with a KEM using a quantum-resistant algorithm,
    • Number of site-to-site tunnels set up with a KEM using a quantum-resistant algorithm.

By sending such data, which is completely anonymous, you will be helping Stormshield to refine the dimensions and restrictions on future hardware platforms and SNS versions.

For more information, refer to the documentation on telemetry services.

Miscellaneous

  • Operating system: SNS version 5 is based on FreeBSD 14.
  • Intrusion prevention: NPDU and BVLL services are now supported by the BACnet/IP protocol analysis engine.
  • The Energy Efficient Ethernet (EEE) feature, associated with 2.5 Gbit/s Ethernet network cards, is now supported.
  • The OID sysObjectID (1.3.6.1.2.1.1.2) now makes it possible to retrieve the firewall model through an SNMP request.