Tuesday 29 June 2010

SSL VPN - What’s new in Version 7?

Two of the major players in SSL VPN appliances, F5 (Edge, Firepass) and Juniper (SA) have just released new versions (both version 7) of code. There are some notable (and not so notable) new features included in the new releases which may well whet the appetite of Information Security managers and administrators across the industry – or so the vendors hope.

Firstly, and at a slight tangent, I think it's worth mentioning a bit about F5 and how they have been refocusing their approach to SSL VPNs with the release of their Edge Gateway appliance. The Edge focuses on throughput and download speeds by consolidating three of their existing modules, WAN optimisation (WOM), web acceleration (WBA) and access policy management (APM), into one 'Edge' package. F5 are continuing development of Firepass; however, conversations I've had with several SEs from F5 allude to it being phased out over the next few years. The Edge itself is essentially the three F5 modules mentioned above on BIG-IP, running on F5's standard hardware. This is sold as a bundle and held together by pretty impressive client-side software specific to Edge.

F5 Firepass

The new version of code for the Firepass contains a few updates to endpoint functionality, including support for Mac OS X and Linux antivirus inspectors (something the Juniper SA doesn't do), endpoint hardware inspectors, which allow access to be locked down by MAC address or hard-disk ID, and the addition of a CAPTCHA field to the login page to slow down brute-force attacks. Bear in mind that the hardware inspectors rely on values reported by the client, and a MAC address in particular is easily changed by the user, so they are a device-identification check rather than a strong authentication factor; likewise a CAPTCHA raises the cost of online password guessing but is no substitute for lockout policies and decent credentials. Additionally, a major new feature is the ability to run the software as a virtual appliance. The Firepass VE (Virtual Edition) runs on VMware ESX 4 and can be licensed for up to 2000 users. F5 seem to be positioning this as a DR option for boosting capacity during a failure, rather than as an SME or scalable option. F5 have also added a Java applet for RDP, giving the end user the ability to connect to Windows machines remotely from any platform; this is essentially a feature to catch up with Juniper (although it's quite difficult to configure on Firepass).

Overall, I think that the changes to Firepass in version 7 bring it in line with other offerings in this space, notably Juniper, which Gartner rates as the best appliance on the market and which is my personal preference. Features such as Mac AV checking and Java-based RDP on the endpoint will tip a few decisions given the growing prevalence of the 'business Mac user'.

Juniper SA

Version 7 of the Juniper software doesn't add as many features as F5's, but focuses on enhancement and the transition to the JUNOS platform. One of the stand-out features of the release is the JUNOS Pulse client, which improves upon Network Connect and is (as the name suggests) JUNOS compatible. As the Java RDP client used in version 6.x was quite difficult to configure and customers often reported a poor user experience (normally around resolution and window sizing, especially on Macs), Juniper have included third-party software from Hobsoft. Hob RDP is now included with two concurrent-user licences; requirements beyond that need to be purchased through Juniper or a reseller. I have only just started testing this myself as I may recommend it to a customer who's unhappy with the standard script. However, looking at comments in general on the J-Net forum, the feedback seems to be pretty positive. It appears, though, that it's not possible to force the use of Hob RDP for Windows users: it defaults to the older platform-specific version on Windows, meaning the end-user experience is still different on Mac and Linux. Like F5, Juniper have also invested in creating a virtual appliance. Their focus for this lies in scalability and, unlike F5, there is no limit on user licences.

Another feature that Juniper has added is the ability to open multiple user sessions. This is handy if you use multiple machines at the same time and wish to complete two tasks on the VPN concurrently, although I am struggling to think of many scenarios where this would be useful. One situation that springs to mind is being logged into the VPN and wanting to initiate a Secure Meeting. This was not possible prior to version 7 (and still isn't from a single machine) as it was strictly one session per user. After picking the brains of my colleagues as to a circumstance where this could be useful, we decided that the preclusion of multiple sessions could restrict use from smart phones or disparate devices (or iPads / iPhones when the JUNOS Pulse app is released in July). Worth remembering before switching it on: the one-session-per-user rule also meant that a second logon with the same credentials was refused or displaced the first, which is a cheap way to notice shared or stolen credentials, so if you allow concurrent sessions make sure logon events are still reviewed for the same user appearing from two locations. Two more minor features that caught my eye in the release notes were RDP 7 support (which is fairly self-explanatory) and the ability to present legal disclaimers or a MOTD to users through the portal. In large estates this feature could be very useful, as we all know that people don't read emails or SharePoint message boards religiously.

Summary

To conclude, I believe that both vendors are making steps in the right direction to improve the user experience, although in this release I feel that Firepass is playing catch-up and Juniper is smoothing the cracks that appear when you create a product with such granularity of control. It's also disappointing that F5 have not updated a horrible Windows 95-esque GUI, but I believe a complete rewrite isn't imminent as the Edge Gateway moves closer into focus.

Tuesday 15 June 2010

Can I Un-Google My Online Habits and Identity? Yes.

As any IT geek, nerd or professional will tell you, Google knows all (at least when it comes to Internet browsing trends). Even if you're not logged into one of their accounts, Google can record everything you've ever searched for, the search results you've clicked, the news and current-affairs sites you frequent and every location you have looked up on Google Maps, keyed on your IP address and the cookie it sets in your browser. Additionally, if you have a Gmail account, they have access to every email you've ever sent or received, even after it's been deleted. Cross-referencing this information intelligently is what Google is best at. Be afraid!

Given the promiscuity of Google's information gathering and analysis, it's quite worrying what they can profile about any Internet user by cross-referencing this data against an IP address. Is there anything that you can do if you feel 'stalked'?

Enter 'GoogleSharing'. GoogleSharing is, in essence, an anonymising proxy for traffic bound for Google: the Firefox add-on redirects requests for Google services to the proxy, which strips the information that identifies you (your IP address, your Google cookies and your browser's User-Agent) and replaces it with an identity drawn from a pool that many users share, so Google sees a stream of requests from the proxy that it cannot tie back to any one person. The proxy ONLY rewrites data being sent to Google (and leaves alone services that need you to be logged in, such as Gmail) and does not affect other traffic. The solution is open source and consists of a proxy server (already running in the cloud) and a Firefox add-on. As the 'icing on the cake', all traffic between your browser and the GoogleSharing proxy is sent over HTTPS. The caveat is that this moves trust rather than removing it: HTTPS protects only the hop to the proxy, the proxy operator sees every Google request in the clear, and the search terms themselves are still sent, merely decoupled from you. Use a proxy you trust, or run your own.
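To make the mechanism concrete, here is an added example (my own code, not GoogleSharing's) of the header rewriting such a proxy performs on a single request. It parses a raw HTTP/1.1 request, and, only if the Host is a Google property, drops the headers that identify the user and substitutes a pooled cookie and User-Agent shared with other users; any other request passes through untouched. The host list, the identity pool and the sample requests are constructed for the example, and the function names (`anonymise`, `leaked_headers`) are mine.

```python
"""Header rewriting of the kind a GoogleSharing-style proxy performs.

Added example, not the GoogleSharing project's own code. For a request
bound for a Google host it strips the headers that identify the user and
substitutes a pooled identity (cookie plus User-Agent) shared with other
users; everything else passes through untouched. The host list, the
identity pool and the sample requests below are constructed.
"""
import itertools
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hosts whose requests are rewritten (constructed subset; the real add-on
# matches a longer list of Google properties and skips logged-in services).
GOOGLE_HOSTS = ("google.com", "google.co.uk")

# Headers that let Google correlate a request with a particular browser or
# session. The client's IP address is hidden simply because the proxy makes
# the onward connection itself.
IDENTIFYING_HEADERS = {
    "cookie", "user-agent", "referer", "x-forwarded-for", "accept-language", "via",
}


@dataclass(frozen=True)
class SharedIdentity:
    """One pooled identity: a Google-issued cookie and a common User-Agent."""
    cookie: str
    user_agent: str


# Constructed pool. In the real system the cookies are ones Google issued to
# the proxy, and many users' requests are spread across the same pool.
IDENTITY_POOL = [
    SharedIdentity("PREF=ID=pool0001", "Mozilla/5.0 (Windows NT 6.1; rv:1.9.2) Gecko/20100115 Firefox/3.6"),
    SharedIdentity("PREF=ID=pool0002", "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:1.9.2) Gecko/20100115 Firefox/3.6"),
    SharedIdentity("PREF=ID=pool0003", "Mozilla/5.0 (X11; Linux x86_64; rv:1.9.2) Gecko/20100115 Firefox/3.6"),
]
_rotation = itertools.cycle(IDENTITY_POOL)

Header = Tuple[str, str]


def parse_request(raw: str) -> Tuple[str, List[Header], str]:
    """Split a raw HTTP/1.1 request into request line, header pairs and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: List[Header] = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def is_google_host(headers: List[Header]) -> bool:
    host = next((v for n, v in headers if n.lower() == "host"), "")
    host = host.split(":")[0].lower()
    return any(host == h or host.endswith("." + h) for h in GOOGLE_HOSTS)


def anonymise(raw: str, identity: Optional[SharedIdentity] = None) -> str:
    """Rewrite a Google-bound request with a pooled identity; pass others through."""
    request_line, headers, body = parse_request(raw)
    if not is_google_host(headers):
        return raw  # non-Google traffic is not touched
    identity = identity or next(_rotation)  # rotate through the shared pool
    kept = [(n, v) for n, v in headers if n.lower() not in IDENTIFYING_HEADERS]
    kept.append(("Cookie", identity.cookie))
    kept.append(("User-Agent", identity.user_agent))
    head = "\r\n".join([request_line] + [f"{n}: {v}" for n, v in kept])
    return head + "\r\n\r\n" + body


def leaked_headers(original: str, rewritten: str) -> List[str]:
    """Identifying headers whose original value survived the rewrite (should be none)."""
    _, orig_h, _ = parse_request(original)
    _, new_h, _ = parse_request(rewritten)
    new_vals = {(n.lower(), v) for n, v in new_h}
    return sorted(n for n, v in orig_h
                  if n.lower() in IDENTIFYING_HEADERS and (n.lower(), v) in new_vals)


# Constructed sample requests, as a browser would send them.
SAMPLE_GOOGLE_REQUEST = (
    "GET /search?q=ssl+vpn HTTP/1.1\r\n"
    "Host: www.google.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3\r\n"
    "Cookie: PREF=ID=user-specific-value; SID=user-session-value\r\n"
    "Referer: http://www.google.com/\r\n"
    "Accept-Language: en-GB,en;q=0.5\r\n"
    "Accept: text/html\r\n"
    "\r\n"
)
SAMPLE_OTHER_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Cookie: session=keep-me\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print(anonymise(SAMPLE_GOOGLE_REQUEST))
    print(leaked_headers(SAMPLE_GOOGLE_REQUEST, anonymise(SAMPLE_GOOGLE_REQUEST)))
```

Note what survives the rewrite: the request line, and therefore the search query itself, still reaches Google. The point of the design is that the query arrives attached to a cookie and source address that thousands of other people are also using, not that the query is hidden.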

For more information visit: http://www.googlesharing.net

I’m currently in the process of testing the GoogleSharing proxy and comparing HTTP responses from filtered and unfiltered traffic. Further information regarding my findings will follow.

The fallacy of cloned machine SIDs

(Inspired by Mark Russinovich's blog entry "The Machine SID Duplication Myth")

On the 3rd November 2009, Sysinternals retired 'NewSID', a utility that changes a computer's machine Security Identifier (machine SID). But why?

What is a SID?

A Security Identifier (commonly abbreviated to SID) is a variable-length binary value, usually written as a string of the form S-1-5-21-<three 32-bit values>-<RID>, that Windows uses to identify a security principal (a user, a group or a computer) in access tokens and access control lists. A SID is assigned when the principal is created, not at logon: a local account gets the machine SID plus a relative identifier (RID), and a domain account gets the domain SID plus a RID issued by a domain controller. The machine SID itself is generated by Windows Setup during installation.

How are duplicate SIDs created?

For those who are unfamiliar with the concept, when machines are cloned from an image the new machine contains the same machine SID as the original. Because every local account and group SID is simply the machine SID followed by a RID (the built-in Administrator is always RID 500, for example), two machines with the same machine SID also have identical SIDs for all of their local accounts and groups.

Common sense in de-duplication?

As most IT professionals who work with virtual technologies will attest, when creating virtual machines from templates, conventional wisdom dictates that the new machine's SID must be changed, as the clone retains a facsimile of the parent's. However, Mark Russinovich (Microsoft Technical Fellow, OS guru and creator of 'NewSID') and Microsoft have delved deeper into this idea and concluded that changing the SID of cloned machines is unnecessary. This came to light when Mark was investigating bugs in NewSID on Windows Vista: he realised that he could not conceive of a scenario where duplicate machine SIDs would cause a security risk. The reasoning is that a machine only ever resolves local SIDs against its own SAM, and a local account from one machine is never presented to another; access between machines, whether in a workgroup or a domain, is granted to the account you authenticate as on the target, or to a domain account, whose SID derives from the domain SID, which is unrelated to any member's machine SID. Even the clone's own computer account in Active Directory gets a fresh SID from the domain, so the domain never sees the duplicate. Mark took this to Microsoft's Windows security and deployment teams and no one could come up with a scenario where two systems with the same machine SID would cause an issue; further investigation by Microsoft is yet to find such a risk. The caveat, from the same post, is that Sysprep resets other machine-specific state which does cause problems when duplicated (Windows Server Update Services client identity being the example given), so Microsoft's support policy still requires cloned systems to be generalised with Sysprep. The conclusion is that NewSID is redundant, not that cloning without Sysprep is fine. Food for thought next time you clone a machine.
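The argument is easier to follow with the SID structure in front of you. The following is an added example (my own code, not from Mark's post or from NewSID) that parses the binary SID format, renders the familiar S-1-5-21-... string, and builds account SIDs the way Windows does, as a machine or domain SID plus a RID. The machine and domain SID values, and the helper names (`account_sid`, `issued_by`, `duplicate_local_sids`), are constructed for the example.

```python
"""Windows SIDs: binary layout, string form, and why clones share local SIDs.

Added example, not code from Mark Russinovich's post or from NewSID. It
parses the binary SID format (revision, sub-authority count, 48-bit
big-endian identifier authority, little-endian 32-bit sub-authorities),
renders the S-1-5-21-... string form, and builds account SIDs the way
Windows does: machine SID or domain SID plus a relative identifier (RID).
The machine and domain SID values below are constructed for the example.
"""
import struct
from typing import List, Tuple


def sid_to_string(blob: bytes) -> str:
    """Decode a binary SID into its S-R-A-S1-S2... text form."""
    if len(blob) < 8:
        raise ValueError("SID too short")
    revision, count = blob[0], blob[1]
    if revision != 1 or count > 15 or len(blob) != 8 + 4 * count:
        raise ValueError("malformed SID")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % count, blob[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def string_to_sid(text: str) -> bytes:
    """Encode an S-... string into the binary form stored in ACLs and tokens."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or len(subs) > 15 or authority >= 1 << 48 or any(s >= 1 << 32 for s in subs):
        raise ValueError("malformed SID")
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def account_sid(base_sid: str, rid: int) -> str:
    """A local account's SID is the machine SID plus a RID; a domain account's
    SID is the domain SID plus a RID. Well-known RIDs: 500 Administrator,
    501 Guest, 512 Domain Admins, 513 Domain Users."""
    return "%s-%d" % (base_sid, rid)


def split_rid(sid: str) -> Tuple[str, int]:
    """Separate an account SID into its issuing (machine or domain) SID and RID."""
    base, _, rid = sid.rpartition("-")
    return base, int(rid)


def issued_by(sid: str, base_sid: str) -> bool:
    """True if the account SID was issued from the given machine or domain SID."""
    return split_rid(sid)[0] == base_sid


# Constructed values. A clone made from an image keeps the parent's machine
# SID exactly, so every local account SID derived from it is identical too.
MACHINE_SID = "S-1-5-21-1111111111-2222222222-3333333333"
CLONE_SID = MACHINE_SID
# The domain has its own SID, unrelated to any member's machine SID, and
# every domain user, group and computer account gets a RID from it.
DOMAIN_SID = "S-1-5-21-4444444444-1234567890-987654321"


def duplicate_local_sids(sid_a: str, sid_b: str, rids: List[int]) -> List[str]:
    """Local account SIDs two machines have in common for the given RIDs."""
    return [account_sid(sid_a, r) for r in rids
            if account_sid(sid_a, r) == account_sid(sid_b, r)]


if __name__ == "__main__":
    # Both clones have an Administrator (RID 500) with exactly the same SID...
    print(duplicate_local_sids(MACHINE_SID, CLONE_SID, [500, 501, 1000]))
    # ...but a domain user logging on to either clone carries a domain SID,
    # which neither machine SID can produce, so the duplicate is never consulted.
    user = account_sid(DOMAIN_SID, 1105)
    print(user, issued_by(user, MACHINE_SID), issued_by(user, DOMAIN_SID))
    print(string_to_sid(user).hex())
```

On a live Windows box, Sysinternals PsGetSid prints the machine SID, and `whoami /user` prints the SID of the account you are logged on as; the last component of that string is the RID and everything before it is the issuing machine or domain SID, which is what `split_rid` above separates.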

To view the entire article, please see Mark’s blog:

http://blogs.technet.com/markrussinovich/archive/2009/11/03/3291024.aspx

Welcome!

Hello and welcome to my blog - 418 I'm a teapot! Feel free to add any posts or comments that you like, and I hope you enjoy the blog and find some of the posts interesting.

This is my first attempt at a Security blog and I hope it will prove useful.