Stonesoft Clamps Down on Evolving Security Threats with Firewall

It can be tedious and time consuming for administrators to constantly monitor network activity logs to determine if an attack is happening or a worm is having its way with a WAN. With this in mind, Stonesoft last week launched a new release of its StoneGate Security suite that make it easier for administrators to spot sudden changes in activity. It is also including new autonomics in its firewall that tighten filtering in response to network events.

The Linux-based StoneGate Suite encompasses a three-tiered security architecture that includes a central server component, called the StoneGate Management Center, which provides a GUI and runs directly on the iSeries; the StoneGate Firewall/VPN, which provides packet filtering, stateful connection tracking, and application-level security, and also runs directly on the iSeries; and the StoneGate Intrusion Prevention System (IPS), which is available as an integrated appliance or a separate application running on an Intel box, but does not run on the iSeries’ Power processors.

The StoneGate Firewall/VPN product, which debuted on the iSeries in the winter of 2004, is the only internal firewall that runs across the entire iSeries/i5 product line. Symantec had its Linux-based firewall certified for the iSeries Model 270 in 2003, but never made it available for other iSeries models. It does not appear to be a big seller for the Silicon Valley firm. Stonesoft, which is headquartered in Finland and has its American offices in the iSeries hotbed of Atlanta, worked closely with IBM to move StoneGate from the zSeries environment to the iSeries environment. IBM needed an iSeries-based firewall, since it ended support for its OS/400 native Firewall for AS/400.

Juha Harkonen, the CEO of Stonesoft’s American operations, says server consolidation and the introduction of new workloads on the iSeries make it important that users have an internal firewall they can install on their iSeries. “Now that the iSeries user is driving more value out of their iSeries box, with new applications, their sphere of influence is increasing,” Harkonen says. “The expanded use of the iSeries platform is introducing new issues that haven’t been there in the past.”

iSeries shops will gain additional security protections from the new products that Stonesoft announced last week, including StoneGate Management Center version 3.2, StoneGate Firewall/VPN version 2.6, and StoneGate IPS version 1.2.

In StoneGate Management Center 3.2, administrators gain the capability to spot and locate short-term problem areas thanks to a new network layout diagram that shows the real-time status of all the nodes being protected by StoneGate, including firewalls and IPS engines, log servers, and management servers.

StoneGate Management Center also gains new real-time statistical information. Administrators can select which nodes they want to monitor, at what interval they want the data collected, and how they want the information presented (bar chart, pie chart, etc.), and the software will automatically plot the information and keep it current. Reporting was not this fluid in previous releases, the company says. In addition to helping with short-term situations, this reporting capability can also be used to spot long-term trends, the company says.

Stonesoft has also added a new “blacklisting” feature to its StoneGate Firewall/VPN that will dynamically tighten the firewall’s security policy based on identifiable threats . For example, the blacklisting feature could be used to quarantine a portion of the network that has been infected with a virus or a worm, or it could also block certain applications’ access through the firewall if it detects suspicious network traffic. Stonesoft’s new blacklisting feature in the Firewall/VPN also works in conjunction with the IPS. If the IPS and its sensors detect abnormal or suspicious network activity, it can instruct the firewall to batten down the hatches. A “whitelisting” feature is also available for applications that must never be mistakenly blacklisted by the software.

StoneGate’s VPN functionality has also been improved. With this release, new VPN client configurations are automatically downloaded to the users’ desktop. Previously, it was a hassle for administrators to inform all their users–road warriors and telecommuters, in particular–to download a new version of their VPN client whenever a change was made to the network topology, Stonesoft says.

New agents have also been added to the StoneGate Firewall/VPN making it easier to safely use Microsoft Exchange Server in a security-conscious environment. Stonesoft says the RPCs used by Exchange have a tendency to “open a large range of ports” when communicating with Outlook clients. These “big gaping holes can be a serious security risk.” The new Exchange protocol agent ensures that the fewest number of ports are opened for Exchange. New agents have also been introduced for TFTP and TCP proxies.

Stonesoft has also made it easier for users to analyze their Firewall/VPN and IPS logs with third-party products. By allowing users to export their logs in CSV or XML formats, users can send their log data to products such as IBM’s Tivoli Risk Manager for deeper analysis.

A new “dynamic update notification” system from Stonesoft will help keep the StoneGate IPS up-to-date with the latest vector fingerprints, and keep StoneGate IPS users protected from the latest threats, without requiring administrators to continually check the StoneGate Web site for updates.

Pricing for the StoneGate Management Center and Firewall/VPN running on iSeries starts at $6,000, which provides a maximum throughput of 50 megabits per second, and ranges up to $30,000, which provides unlimited throughput. For more information, visit www.stonesoft.com.