Firewall Server 7.2. Release Notes. What's New in Firewall Server 7.2

Transcription

1 Firewall Server 7.2 Release Notes BorderWare Technologies is pleased to announce the release of version 7.2 of the Firewall Server. This release includes the following new features and improvements. What's New in Firewall Server 7.2 Spyware Detection BorderWare Firewall Server 7.2 introduces new Spyware filtering making it the first perimeter firewall to include extensive Spyware detection and blocking capabilities. Spyware programs are typically Trojan-horse type applications that may not cause any harm to the computer itself (such as a virus or worm), but can be used to hijack system resources, transmit sensitive information such as credit card numbers and passwords to external sources, monitor a user's activities, hijack web browser sessions, and download intrusive and potentially dangerous adware applications. The recent growth of these non-viral but potentially hostile programs that can be used to attack users or hijack their systems for malicious purposes has necessitated the need for additional scanning capabilities to detect these types of programs. These spyware detection capabilities are built-in to the Kaspersky Anti-Virus engine and database and no additional configuration is required. Anti-Virus Traffic Management Administrators can configure more granular control over the types of network traffic that will be scanned by the anti-virus scanning engine. For each traffic type, such as SMTP , HTTP downloads, and FTP uploads and downloads, administrators can define exceptions to the scanning policy by defining lists of IP addresses, domains, addresses, media types, file extensions, and spyware names that will not be scanned by the anti-virus engine. Administrators can define Anti-Virus scanning exceptions using the following properties: IP addresses and entire networks Hostnames and domains addresses and domains

2 File Type (such as.exe) Media type (such as application/pdf) Spyware Name New Anti-Virus Traffic Type Options The following new options have been added to the Anti-Virus scanner's HTTP Proxy and Server traffic types: HTTP Proxy Maximum File Size: This value specifies, in kilobytes, the maximum file size that will be scanned by the anti-virus scanner when downloaded through the HTTP proxy. This option prevents very large files from causing latency with the anti-virus scanner. The maximum value that can be set is KB (1 GB). Set this value to "0" for unlimited size. The default is KB (20 MB). If the file is larger than this value, the file will be rejected. Server Whitelist on unopenable attachment: Select the check box to prevent messages with attachments that are encrypted or password protected from being blocked by the anti-virus scanner. Encrypted or Password protected attachments cannot be opened for anti-virus scanning and will be automatically considered malicious and the configured action will apply unless the Whitelist on unopenable attachment option is selected. Network Adapter Support Support has been added for the Intel Pro 1000 GT and the SysKonnect SK-9821 network adapters. Features Added in 7.1 Service Patch 1 and 2 Firewall Server 7.2 also includes new SMTP Mail Server and Direct Packet features that were added in Service Patch 1 and 2 for Firewall Server 7.1. The following new options appear in the General Mail Settings screen. Reject on Unauth Pipelining Rejects mail when the client sends SMTP commands ahead of the message where it is not allowed or without knowledge that the mail server supports ESMTP command pipelining. This feature blocks mail from bulk mail software that uses ESMTP command pipelining improperly to speed up deliveries. Reject on Unknown Sender Domain Rejects mail when the "MAIL FROM" address domain does not appear in DNS as an A or MX record. The following new options appear in the Advanced section of the General Mail Settings screen. Disable SMTP Pipelining If enabled, the Firewall's SMTP Mail server will not send SMTP pipelining commands when delivering mail. Some mail servers may experience problems with SMTP command pipelining, and you may have to disable pipelining if required. 2

3 Bounce queue lifetimes (hours) The maximum time (in hours) a bounce message (an undeliverable message returned to the sender) is queued before it is considered undeliverable. Bounce message size limit (Kb) The maximum amount of original message text (in kilobytes) that is sent in an undeliverable bounce message notification. Direct Packet Exclusion Rules Exclusion rules allow administrators to define traffic which will be excluded from the Direct Packet Option (DPO). When using DPO, it is sometimes necessary to create exclusions to existing rules to ensure that access to specific networks are not inadvertently opened up for access. Exclusion rules are configured via Proxies Direct Packet Exclusion Rules. Product Notes BWClient version or later is required to configure the new Firewall Server 7.2 features such as Anti-Virus Traffic Management and Traffic Type options. Support for a diskette backup and restore has been removed for version 7.2. Backup and restore is now only supported using the XML method. Issues Fixed In This Release The following issues have been fixed in version 7.2 since the release of Firewall Server 7.1: General In certain environments, the session count values were not properly reported by the super proxy process. The Firewall Server was reporting the 3Com Gigabit SK card's speed as 100 Mbps full duplex when using autoselect mode. The Firewall now properly recognizes the card as 1000 Mbps at full duplex. Squid Reports are not sent to a configured alias. Uploading files fails via the HTTP super_proxy and causes high CPU utilization to occur. Modifications in the BWClient Admin menu disable sending logs to Syslog. Using a combination of the Firewall console and BWClient to view and load patches results in the patches not displaying in the BWClient interface. HALO Offloading does not work in all cases when the system is using IPSec connections. 3

4 When dynamic DNS is enabled, a record was automatically added to the matching internal zone when added into the external zone. Mail Server In some cases, the external SMTP server would not time out an SMTP connection in the correct time. The change in order of operations for the Mail Server resulted in mail not being delivered to local POP accounts when a mail route matched the organization's domain. Mail Aliases that have uppercase letters could not be edited or deleted. Mail Aliases with uppercase letters are not converted to lower case upon a restore causing delivery problems. The CRLF.CRLF sequence within the DATA section of an message was not being handled properly. The SMTP disable pipelining option was also disabling all other ESMTP options. Deleting mail from the mail queue with specific queue ID values results in a "No Such Message" error. On the Firewall Server console, you cannot delete a mail message with queue ID of 1 or 2 digits. Backup and Restore When upgrading a configuration from 6.5, the pre-defined SNMP proxy was missing. After a restore from Firewall 6.5, the SMTP proxy did not initially work. After a configuration restore, the IPSec server license reverts back to evaluation mode. Access rules are not enabled on the SMTP Mail servers when restoring a 6.5A XML configuration via BWClient. XML restores do not restore the EnableTimeOuts and TimeOutPeriod values on some proxies. When a configuration is restored, incorrect IPSec connection priority values are being assigned. 4

5 When a configuration is restored, the default mail route was not being written into the database properly. A configuration restore fails if there is a comma in the VPN Connection Name. After a configuration restore, problems could occur when trying to enable a connection with NAT. The Text configuration backup did not contain updated mail server settings. The Software Updates section in the XML backup file contained duplicate entries. Restoring a 6.5 configuration results in the insertion of access rules on some AUX Servers where there should not be any. Secure GUI configuration on the AUX Servers disappears after restoring 6.5A XML configurations. The remote management user named "admin" could not be deleted after a configuration restore. A Firewall configuration file using PPPoE for the external connection can cause errors on a restore. Direct Packet The Direct Packet Destination NAT Port is set incorrectly in the configuration file in some cases. When using Direct Packet, the Internal network is accessible if the rule is SSN to External with a destination address of "any". SSN network is accessible if a Direct Packet rule is configured for Internal to External with a destination address of "any". IPSec VPN IPSec 4.0 does not have an option to set an unlimited value for Hard and Soft byte counts. Adding or editing VPN connections fails when using special characters for the connection name. Proxies The External MAT to SSN Anonymous FTP proxy could not be modified on the Firewall Console when Passive Mode Only was enabled. 5

6 An error occurs when editing external MAT proxies inbound from the Firewall Server console. A long GET request causes HTTP traffic to partially load web pages. Deleting cached pages from the Proxy Server did not clear all instances. The WWW session count (pre-defined proxy) is inconsistent with the actual system counts. The Proxy Server potentially leaks some internal IP addresses via the HTTP header on carefully formed requests. Anti-Virus Scanning The Anti-Virus notification address is displayed incorrectly in the admin log when updating from the console. Certain FTP clients will send a zero-byte file when Anti-Virus is enabled through the FTP proxy. Security Patches Firewall Server 7.2 includes the following security patches that were released for version 7.1. BIND BIND has been updated to to resolve the following security advisories where a buffer overflow vulnerability could result in a denial of service attack: CAN : Buffer overflow in the code for recursion and glue fetching in BIND and allows remote attackers to cause a denial of service (crash) via queries that trigger the overflow in the q_usedns array that tracks nameservers and addresses. NISCC-UNIRAS : BIND uses a certain array to track nameservers/addresses that have been queried; it is possible to remotely overrun the buffer for this array and cause a denial-of-service. CERT Vulnerability Note VU#327633: A vulnerability in the BIND name server could allow a remote attacker to cause a denial of service against an affected system. Squid 2.5 Stable 8 The Firewall's Squid Proxy Server has been updated to version 2.5 Stable 8. FreeBSD This release resolves FreeBSD security advisory FreeBSD-SA-05:15.tcp where an attacker can cause a denial of service situation by stalling the TCP connection. 6

7 The following are known issues in this release: Known Issues In This Release The SysKonnect network card (sk driver) does not support half-duplex mode. If you select 1000BaseTX in the Firewall Server's media type for this card, the interface will not be assigned an IP address. Administrators must use autoselect mode when using this network interface. After restoring a previous configuration (with the Squid Proxy Server enabled) to a fresh installation of the Firewall Server, the Squid Proxy Server process will not be running. You must disable and then re-enable the squid proxy server after the restore. SecurID authentication does not work with the member server of a HALO configuration because the configuration is not fully replicated from the master to the member system. When using the Firewall Server's IPSec VPN option and the SSH Sentinel VPN Client Build 120, the VPN connection will not work using a dial-up connection to the Internet via modem. The VPN connection will be established, but no traffic will be sent through the tunnel. When sending mail via the SMTP Mail server, the subdomains of addresses are stripped off even when the Strip Internal Headers option is disabled. Any subdomain that should be seen externally in addresses should be listed as a mail route. Mail is accepted for subdomains even though the Route mail for this domain only option is enabled. When manually updating Anti-Virus patterns via the console, the following errors may be displayed. "fs_wall: Error adding ipfw rules: setsockopt IP_FW_DEL:: Invalid argument. No matching processes were found". The error is benign, and the pattern files will be updated properly. 7

8 Installation and Upgrades If this is an initial installation of the Firewall Server, please see the Firewall Server Installation Guide for instructions. If you are upgrading the Firewall Server from a previous version, you must be running version 6.5 or later. Recommended Upgrade Procedure To upgrade from 6.5 or later to version 7.2: 1. Create configuration backup(s) using the XML method. It is also recommended that you also save a copy of the Text configuration. 2. Install and license the Firewall Server 7.2 software. 3. Install and license options, such as IPSec and HALO, if any. 4. Restore the Firewall configuration via XML. For more detailed instructions, please see the How to Upgrade to Version 7.2 document. Last Document Revision: November 4,