Volume 6, Number 18 -- May 2, 2006

Stonesoft Unveils New Generation of Firewall, IPS Products

Corrected: May 2, 2006

by Alex Woodie

Stonesoft this week unveiled its second generation of network security products, including its software- or hardware-based firewall, which runs on iSeries and zSeries partitions, and its hardware-based intrusion prevention system (IPS). The new firewall/virtual private network (VPN) products focus on securing new voice over IP (VoIP) and video traffic workloads, and sport features like deep packet inspection for HTTP that blur the lines with IPS and intrusion detection systems. The IPS, meanwhile, gains some muscle, and can finally live up to its billing as a digital bouncer.

Stonesoft is a publicly traded Finnish company that has been building network security tools since 1990. In 2004, at the urging of IBM, which had ceased development of the integrated OS/400 firewall, the company developed a version of its StoneGate Firewall/VPN for zSeries product that ran in a Linux partition on an iSeries. Instead of scattering multiple dedicated firewalls across the enterprise, the thinking goes, the StoneGate Firewall/VPN, with its load-balancing and scaling capabilities, can protect an organization's headquarters, as well as up to 16 branch office nodes, from a single location.

While the company has racked up just a handful of iSeries customers worldwide since that version of StoneGate finally shipped last year, the company is enjoying more success outside the iSeries market. It has more than 10,000 installations in 60 countries, contributing to 2005 sales of $26 million. Europe is currently the company's biggest market, but it foresees North America contributing the largest chunk of business within several years.

If the company achieves this goal, the success will be attributable to the new generation of the StoneGate Security Platform announced this week, including StoneGate Firewall/VPN 3.0, StoneGate IPS 2.0, and StoneGate Management Center 3.5. The products are slated to ship in early June.

Firewall Redux

The new release of the Firewall/VPN adds some fairly significant new capabilities, says Mark Boltz, Stonesoft's senior solutions architect, who is based at the company's U.S. headquarters in Atlanta. Among these is the new agent for Session Initiation Protocol (SIP), the key technology enabling the new generation of integrated communication solutions, such as VoIP telephony, video conferencing, and instant messaging.

While many organizations deploying "soft phone" VoIP systems are doing so on their own private networks, some users are deploying them to remote offices using the public Internet. This poses a security risk, Boltz says, because third parties can easily intercept this traffic using sniffer tools that are readily found on the Internet. By incorporating this traffic into a VPN and regularly performing inspections on the traffic, the new StoneGate Firewall/VPN protects against eavesdropping and from SIP pathways being used as conduits for other attacks.

"SIP, as a call signaling protocol, opens up a lot of ports dynamically, depending on where you're calling," Boltz says. "It will dynamically open and close the ports as needed." By cleaning up after the SIP apps, the StoneGate product reduces the threat of P2P-type applications installing malware that turns your server into a zombie bot for denial of service (DoS) attacks.
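To make the "opens ports dynamically, closes them as needed" behavior concrete, here is an added example (not Stonesoft code, and not from the article) of how a SIP-aware firewall tracks the media ports a call negotiates. It reads the SDP body of an INVITE, opens pinholes only for the RTP/RTCP ports the call actually asked for, and tears them down on the matching BYE, so a stray packet to any other port is refused. The SIP messages, the `SipPinholeTracker` class and the `demo()` function are all constructed for illustration.

```python
"""Tracking the media ports that a SIP call opens, and closing them when the
call ends.  Constructed example: the SIP messages and the SipPinholeTracker
class are illustrative, not Stonesoft's implementation."""
import re
from dataclasses import dataclass, field

# SDP lines that carry the media endpoint: c= gives the address, m= the port.
SDP_MEDIA = re.compile(r"^m=(audio|video) (\d+) ", re.MULTILINE)
SDP_CONN = re.compile(r"^c=IN IP4 (\S+)", re.MULTILINE)


def parse_sip(raw: str):
    """Split a SIP request into (method, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method = lines[0].split(" ", 1)[0]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, headers, body


@dataclass
class SipPinholeTracker:
    """Pinholes are keyed by Call-ID so a BYE can tear down exactly the
    ports its INVITE opened; anything else stays closed."""
    calls: dict = field(default_factory=dict)

    def process(self, raw: str) -> str:
        method, headers, body = parse_sip(raw)
        call_id = headers.get("call-id", "")
        if method == "INVITE" and "application/sdp" in headers.get("content-type", ""):
            conn = SDP_CONN.search(body)
            if conn is None:
                return "INVITE without c= line: no pinholes opened"
            host = conn.group(1)
            holes = set()
            for _kind, port in SDP_MEDIA.findall(body):
                rtp = int(port)
                holes.add((host, rtp))        # RTP stream
                holes.add((host, rtp + 1))    # RTCP, conventionally the next port
            self.calls[call_id] = holes
            return f"opened {len(holes)} pinholes for {call_id}"
        if method == "BYE":
            holes = self.calls.pop(call_id, set())
            return f"closed {len(holes)} pinholes for {call_id}"
        return f"{method}: no pinhole change"

    def allows(self, dst_host: str, dst_port: int) -> bool:
        """Would a UDP packet to this media endpoint be admitted right now?"""
        return any((dst_host, dst_port) in holes for holes in self.calls.values())


# Constructed messages: an RFC 3261-style INVITE carrying an SDP offer, then its BYE.
INVITE = (
    "INVITE sip:bob@branch.example SIP/2.0\r\n"
    "Call-ID: a84b4c76@hq.example\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "c=IN IP4 192.0.2.10\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
    "m=video 51372 RTP/AVP 31\r\n"
)
BYE = (
    "BYE sip:bob@branch.example SIP/2.0\r\n"
    "Call-ID: a84b4c76@hq.example\r\n"
    "\r\n"
)


def demo():
    """Returns (media port allowed during call, unrelated port during call,
    media port allowed after BYE)."""
    fw = SipPinholeTracker()
    fw.process(INVITE)
    during = fw.allows("192.0.2.10", 49170)
    stray = fw.allows("192.0.2.10", 5060)
    fw.process(BYE)
    after = fw.allows("192.0.2.10", 49170)
    return during, stray, after


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The point of keying on Call-ID is that a pinhole has a lifetime tied to one signaled call; a firewall that simply left the whole RTP range open would be handing out exactly the kind of persistent opening the article warns about.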

Another new feature is support for quality of service (QoS) and "bandwidth shaping," which gives users more control over the amount of network capacity VoIP, video conferencing, and other "hungry" applications consume. Administrators can also restrict the number of phone calls users can make with their soft phones (a feature that fathers of teenage daughters have been requesting, unsuccessfully, for years).

This release also brings support for "deep packet" inspection of HTTP packets, in which the Firewall/VPN product can recognize certain types of attacks that might otherwise slip through the firewall. It will use the same attack signatures that Stonesoft develops and keeps updated for its IPS. This feature is particularly important because it protects users from a wide range of attacks, and gives them a window of protection until the vendors of the faulty products create and distribute patches.
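As an added illustration of what signature-based HTTP inspection involves (this is example code written for this article, not Stonesoft's signature set or inspection engine), the following parses a raw HTTP request, normalizes the path so encoding tricks cannot hide from the patterns, and reports which constructed signatures match. The signatures, the `MAX_HEADER_LEN` limit and the sample requests are all made up for the example; the one lesson worth taking from it is that the normalization step matters as much as the patterns.

```python
"""Signature-based inspection of HTTP requests, as a firewall's HTTP
inspection path would run it.  Constructed example: the signatures and the
sample requests are illustrative, not Stonesoft's signature set."""
import re
from urllib.parse import unquote

# Constructed signatures, applied to the *normalized* request path.
PATH_SIGNATURES = [
    ("directory-traversal", re.compile(r"(^|/)\.\.(/|$)")),
    ("null-byte-in-path", re.compile(r"\x00")),
]
MAX_HEADER_LEN = 4096  # constructed limit; an oversized header is flagged on its own


def parse_request(raw: bytes):
    """Split an HTTP/1.x request into (method, target, header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def normalize_path(target: str) -> str:
    """Canonicalise the path so encoding does not hide it from signatures:
    drop the query string, percent-decode twice (catches double encoding)
    and treat backslashes as slashes."""
    path = target.split("?", 1)[0]
    path = unquote(unquote(path))
    return path.replace("\\", "/")


def inspect(raw: bytes) -> list:
    """Return the names of every signature the request matches (empty = clean)."""
    _method, target, headers, _body = parse_request(raw)
    path = normalize_path(target)
    hits = [name for name, rx in PATH_SIGNATURES if rx.search(path)]
    if any(len(value) > MAX_HEADER_LEN for value in headers.values()):
        hits.append("oversized-header")
    return hits


# Constructed sample requests.
CLEAN = b"GET /index.html HTTP/1.1\r\nHost: www.example\r\n\r\n"
DOUBLE_ENCODED = (
    b"GET /static/..%252f..%252fprotected/settings.ini HTTP/1.1\r\n"
    b"Host: www.example\r\n\r\n"
)
BIG_HEADER = (
    b"GET / HTTP/1.1\r\nHost: www.example\r\nX-Pad: " + b"A" * 5000 + b"\r\n\r\n"
)

if __name__ == "__main__":
    for req in (CLEAN, DOUBLE_ENCODED, BIG_HEADER):
        print(req.split(b"\r\n", 1)[0].decode(), inspect(req))
```

Without the double decode, the second request would reach the signature step still reading `..%2f..%2f` and pass as clean; a signature set is only as good as the canonical form it is matched against, which is why inspection engines spend as much effort on normalization as on the patterns themselves.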

IPS Grows Teeth

The industry is moving toward the convergence of firewall and IPS capabilities onto the firewall, but that doesn't mean the IPS goes away, Boltz says. "You have to look at security as a process. It's a cyclical thing," he says. "You can set up various protections--a firewall, antivirus, etc.--but you'll never be able to protect the network from every conceivable threat, known and unknown. You're going to need to have detection capabilities, and to be able to react to [changing threats] quickly." That means keeping the roles of firewalls and IPSs separate, he says. At least for now.

To that end, the company has evolved the StoneGate IPS appliance beyond its beginnings as something more than an intrusion detection system (IDS) but less than a full-blown IPS. The new feature enabling this shift is what the company calls support for "inline mode," which is critical for stopping worms and other malicious traffic, not just identifying the threats.

"Without inline mode, you're a passive observer. Inline mode gives you the capability to stop it in its tracks," Boltz says. "You could always restart, and blacklist, connections [in previous releases]. It was never just passive listening. It was more than an IDS, not quite an IPS, but it is [an IPS] now."

This release also bolsters the IPS policy editor, which is used to set up the security policies enacted by the IPS. Common tasks, such as defining policies, have been streamlined with this release, the company says, and new access rules give administrators finer control over which types of traffic are watched and which actions are executed in response. Users can now easily define actions in response to certain types of attacks, the company says.

End to End Security

The main graphical console, called the StoneGate Management Center, also received some new goodies to improve the manageability of the products. With version 3.5, the Java-based product, which runs on Windows, Linux, and Solaris and is used to manage both the Firewall/VPN and IPS solutions, now comes with a task scheduler that lets administrators pick the best times to perform backups or updates. This release also brings new monitoring capabilities, such as real-time monitoring of the status of VPN tunnel connections between StoneGate components. It can collect and report on netlink and VPN statistics, the company says.

Auditors, chief security officers, and other obsessive/compulsive types should take note of the new incident case management capabilities in the SMC, which lets users access all the pertinent information related to an incident--including logs, policy snapshots, memos, and files--from a single location. Audit trails for journal entries and time stamps for each entry round out the list of features that bolster the security of the security products themselves.

Because some of Stonesoft's second-generation security products are sold as integrated hardware-software solutions, there are new appliances to talk about, with new SKUs.

On the Firewall/VPN side, there is the StoneGate SG-3100, which features 12 copper Gigabit Ethernet connections, and the SG-3100-F, which sports four Fiber Channel gigabit and eight copper gigabit interfaces. Both of these are 2U, rack-mountable appliances that can support large central sites with thousands of users. There is also the smaller SG-1100, which includes eight Gigabit Ethernet interfaces, and which is designed for smaller sites with hundreds to thousands of users. On the StoneGate IPS side, the company is launching the new SGI-2000S, SGI-200S, and SGI-200C appliances; the new SGI-200N, which can be used with external bypass devices or as a passive IDS sensor; and the new SGI-200-ANZ, which provides event correlation.

Pricing for the StoneGate Firewall/VPN appliances starts at $990, while the StoneGate IPS appliances start at $4,950. Pricing for the software version of the Firewall/VPN that installs on the iSeries starts at $6,500, while pricing for the version that installs on Intel-based servers starts at $490. For more information, go to www.stonesoft.com.


This article has been corrected. The pricing for the version of the Firewall/VPN software that installs on the iSeries starts at $6,500, not $490. IT Jungle regrets the error.


Editor: Alex Woodie
Contributing Editors: Dan Burger, Joe Hertvik,
Shannon O'Donnell, Timothy Prickett Morgan
Publisher and Advertising Director: Jenny Thomas
Advertising Sales Representative: Kim Reed

Copyright © 1996-2008 Guild Companies, Inc. All Rights Reserved.
Guild Companies, Inc., 50 Park Terrace East, Suite 8F, New York, NY 10034