
Release Notes For Genugate 9.0


We are pleased to announce our new genugate version 9.0. We hope that all its new features and security improvements will be beneficial for your business. Information on the genugate 9.0 product family is available in these release notes. Please read this document carefully!

Please be aware that this version of genugate is not currently certified according to CC EAL 4+. The certification is in progress. At the moment, we expect the certificate to be granted at the end of 2017. Switching to the certified version is easy: simply install the corresponding patch. You will receive an email notification when 9.0 Z is available.

Please note that the upgrade requires at least one of the following patch levels of the preceding versions: 8.0p24, 8.2p10, 8.3p2, 8.4p9, 8.5p9, 8.6p6. With versions 8.2p10 and 8.3p2, only the USB installation medium is supported. For genugate 9.0 we support installation with CD-ROM and USB installation media.

GENUGATE 9.0 RELEASE NOTES Page 1 of 34

Contents

1 Contents . . . 5
2 Overview: New Features in genugate 9.0 . . . 5
2.1 Upgrade: Limited Mixed Operation of genugate 9.0 and Older Versions . . . 5
2.2 Changes Requiring Modification of the Configuration . . . 5
2.2.1 Simplified HA . . . 5
2.2.2 Mail System: Migration from Sendmail to Postfix . . . 5
2.2.3 New NTP server . . . 6
2.2.4 Secure HA communication via IPsec . . . 6
2.3 Changes in Central Authentication . . . 6
2.3.1 Active Directory/LDAP authentication for administrators and users . . . 6
2.3.2 Single sign on via Kerberos 5 . . . 6
2.4 Changes in SSL/TLS . . . 6
2.5 Improved Logging . . . 6
2.6 Speed of Serial Interfaces Increased . . . 7
2.7 New Features and Important Improvements . . . 7
3 Overview: All Changes since genugate 8.6 . . . 7
3.1 Capturing Network Traffic via an Interface . . . 7
3.2 Real Time Monitoring of Network Traffic . . . 8
3.2.1 Terminating Connections . . . 8
3.2.2 Blocking IP Addresses . . . 8
3.3 Improved SIP Relay . . . 8
3.4 NTP Server . . . 8
3.5 Changed Logging of Data in PCAP Files . . . 9
3.6 Further Changes . . . 9
4 All Changes Between genugate 8.0 and genugate 9.0 . . . 9
4.1 Simplified HA . . . 9
4.1.1 Upgrade of Existing HA Installations . . . 10
4.1.2 OSPF and HA Address are Address Objects Now . . . 10
4.1.3 OSPF Routing Daemon gated Replaced by ospfd . . . 10
4.2 Active Directory/LDAP Authentication for Administrators and Users . . . 10
4.3 Single Sign-on with Kerberos 5 . . . 11
4.4 Improved Performance . . . 11
4.4.1 Improved IP based ACLs . . . 11
4.4.2 Improved Handling of Spoofed Packets . . . 11
4.4.3 Improved TLS performance based on TLS session tickets . . . 11
4.4.4 Modified Squid defaults . . . 12
4.4.5 Multiple relay child processes . . . 12
4.4.6 Improved relay cipher list . . . 12
4.5 Mail System: Migration from Sendmail to Postfix . . . 12
4.6 SIEM Logging . . . 13
4.6.1 SIEM Integration for IBM QRadar . . . 13
4.6.2 New Log Files For Packet Filter Messages . . . 13
4.6.3 Accounting Data to Syslog . . . 14
4.6.4 Log IDs of Accounting Messages . . . 14
4.6.5 Log IDs of Block Messages . . . 14
4.6.6 Better Separation Between Request and Connection Accounting . . . 15
4.6.7 Improved Connection Accounting GUI . . . 15
4.7 Improved Support for Remote Log Servers . . . 15
4.8 Protocol Conformity Filter for the UDP Relay . . . 15
4.9 Stricter Protocol Checks for Filter Policies . . . 15
4.10 New Policy Types . . . 15
4.11 OpenBSD 64 Bit Support . . . 16
4.12 Application Filter . . . 16
4.13 Secure IMAP . . . 16
4.14 Command Line Tools for Import/Export of Hosts, Networks and Network ACLs . . . 16
4.15 Improved Certificate Verification through OCSP . . . 17
4.16 Configurable Hostname in WWW and WWW Server Policies . . . 17
4.17 Signing of Patches . . . 17
4.18 SSL 3.0 . . . 17
4.18.1 SSL 3.0 Connections to the genugate GUI are no Longer Supported . . . 17
4.18.2 Protocol Conformity Filter . . . 17
4.18.3 SSL Enabled Relays and Sendmail . . . 17
4.19 New Web Service Policy for SOAP Message Validation . . . 18
4.20 Secure HA Communication With IPsec . . . 18
4.21 Static SSL Server Certificates . . . 18
4.22 Increased Security for Javascript Weeding . . . 18
4.23 Detailed HTML-Weeding Was Removed . . . 18
4.24 The GUI Now Conforms to the Current Corporate Design . . . 19
4.25 Improved Control in the SSH Relay Over Commands Executed by SSH . . . 19
4.26 Simplified HA Maintenance Mode . . . 19
4.27 Improved Spam Protection by Greylisting . . . 19
4.28 Denial of Service Protection . . . 19
5 Software Updates and Changed Behavior . . . 19
6 Deprecated Features . . . 23
7 Update Support . . . 24
7.1 Overview of Supported Versions . . . 24
7.2 Training . . . 24
8 Before Upgrading . . . 24
8.1 System requirements . . . 24
8.2 General Advice . . . 25
8.3 Creating an Installation USB Stick (Windows) . . . 26
8.4 Creating an Installation USB Stick (Unix / Linux) . . . 27
8.5 Configuring boot priority for USB installation . . . 27
8.6 Test Upgrade in Multi User Mode . . . 27
9 Upgrade Installation . . . 28
9.1 Data Backup . . . 28
9.2 Minimum Available Disk Space . . . 29
9.3 Performing the Upgrade . . . 29
10 Information on the Web . . . 34
11 How to Contact Us . . . 34

1 Contents

These release notes describe the changes and new features available when updating to the current version 9.0. The detailed product configuration is described in the genugate 9.0 manual. An electronic version of these release notes, the software itself, and the updated product manuals are available at our support site www.genua.de or in the Internal Support Area.
2 Overview: New Features in genugate 9.0

Version genugate 9.0 contains all changes from versions 8.1 to 8.6, as well as some new features first introduced with version 9.0. All in all, the changes are very extensive, so only the most important changes are stated here. You can find more information about the mentioned items further down the text. In case you are upgrading from version 8.6, section 3 is of primary interest for you.

Please note that genugate 9.0 with patch level 0 is not yet certified. We are currently undergoing the process of certification and expect the certificate to be issued at the end of 2017. Switching to the certified version is very simple: you only need to install the corresponding patch. You will receive an email notification when 9.0 Z is available.

2.1 Upgrade: Limited Mixed Operation of genugate 9.0 and Older Versions

In genugate 9.0 HA addresses are permanently configured on the systems and will not be removed if the node is taken over by a different HA system. This means that mixed operation between version 9.0 and version 8.2 or older is only possible with some restrictions. Under some circumstances, especially after executing hactl -M sysdown on genugate 9.0, nodes are not accepted by older HA peers.

2.2 Changes Requiring Modification of the Configuration

These changes probably require the configuration on your system to be changed.

2.2.1 Simplified HA

The GUI section High Availability has been completely restructured and the HA variants have been separated more clearly. Your configuration will be migrated; your HA will be ready to use again right after the upgrade. Depending on whether there are CARP addresses or not, the HA mode will be set to “Custom” or “OSPF”. In the first case it is recommended to change the mode from “Custom” to one of the CARP modes because of the simplified configuration. Also see section 4.1.

2.2.2 Mail System: Migration from Sendmail to Postfix

The local mail server was changed from Sendmail to Postfix. The configuration is migrated, and you will receive hints regarding configuration changes during the upgrade if necessary. In particular, the conversion of address aliases has changed. After the upgrade, please pay special attention to whether address aliases in mails are correctly resolved. Please read the notes further down the text as well as the notes in the genugate knowledge base regarding Postfix. For a one-time import of mails from the Sendmail spool directory a script is available. See section 4.5.

2.2.3 New NTP server

The ISC NTP server has been replaced by the OpenBSD NTP server. There are a few differences regarding configuration and features. The configuration will be migrated; the new NTP server will be ready to use right after the upgrade. See section 3.4.

2.2.4 Secure HA communication via IPsec

The connection between two ALGs within a genugate HA is now secured by IPsec. This requires generating a key in the HA GUI. See section 4.20.

2.3 Changes in Central Authentication

2.3.1 Active Directory/LDAP authentication for administrators and users

The authentication against an Active Directory server or an LDAP server has been extended and improved. It is now possible to authenticate administrators against AD/LDAP when logging in to the GUI or the command line. Maintaining local user accounts is no longer necessary. It is now also possible to authenticate administrators and users against different AD/LDAP servers. See section 4.2.

2.3.2 Single sign on via Kerberos 5

Along with NTLM, the proxy authentication now also supports Kerberos. See section 4.3.

2.4 Changes in SSL/TLS

• The WWW relay now supports TLS session tickets and can therefore reach better performance for SSL bridging.
• The list of TLS ciphers has been modernized. Amongst others, RC4, MD5 and 3DES are no longer supported in the default settings. Many elliptic curve ciphers are now also supported.
• The minimum SSL version is now TLS 1.0. SSL 3.0 is no longer supported. This applies to all SSL-capable relays, as well as the GUI and the mail system.
• It is now possible to use online OCSP or OCSP stapling.
• The WWW relay now supports SSL server certificates, so servers can be protected by the genugate in a more flexible way.

2.5 Improved Logging

The logging has been reworked. You are now able to use SIEM systems. IBM QRadar now comes with a complete integration module. Other systems can be connected via syslog. genugate now supports syslog via TCP and also supports encryption. Accounting data can also be transferred via syslog. There are many other improvements to log messages and the logging mechanisms.

2.6 Speed of Serial Interfaces Increased

The serial interfaces of the ALG and PFL now use a baud rate of 115200 bits/second. Please ensure that your terminal server is set accordingly before doing an upgrade or fresh installation.

2.7 New Features and Important Improvements

• The genugate relay network performance has been improved. The biggest improvement has been made to the WWW relay, where the request rate has been increased by up to 270%. The performance of other relays has been increased by around 20 to 30%.
• The genugate now always operates in 64 bit mode. This enables the kernel to use larger buffers, which leads to a higher bandwidth for individual connections.
• genugate now comes with policies for the protocols BGP, IMAP, RDP, SMB, TeamViewer and VNC. Furthermore, the Protocol Conformity Filter is a system to easily configure simple custom protocol filters.
• The webservice policy enables you to analyze and secure SOAP webservices.
• The IMAP policy enables you to secure data transmissions between mail clients and the IMAP server and to scan emails for viruses.
• A new feature to mirror traffic to a separate interface has been implemented. With this, systems like IDSs can be connected easily. This feature is also available for encrypted protocols.
• Policies can now export and store traffic data in the PCAP format. This can be especially valuable when analyzing network problems with encrypted protocols.
• The SIP relay has been expanded and now also supports SIPS and transparent mode.
• genugate now comes with a live monitor for network traffic. Via the GUI you can observe which protocol produces how much traffic, and you can intervene right away.
• With the application filter you can now comfortably allow or restrict access to web applications or web-based transmissions like Windows Updates or Microsoft Office Online.

3 Overview: All Changes since genugate 8.6

3.1 Capturing Network Traffic via an Interface

It is now possible to mirror network traffic to a separate interface. With this, systems like IDSs can be connected easily. This feature is now also available for encrypted protocols. When using SSL bridging, the plain text data can be added to the analysis. This means your traffic analyzing devices do not have a blind spot when using TLS.

3.2 Real Time Monitoring of Network Traffic

The genugate GUI is now able to display the entire network traffic being transferred through the genugate in real time. Individual connections can be terminated, and even unwanted client or server IPs can be blocked.

3.2.1 Terminating Connections

Active connections can be terminated immediately from the real time monitoring GUI page. Clients can still open new connections to the same servers.

3.2.2 Blocking IP Addresses

If you would like to block clients or servers permanently, you can include them in IP blocking lists. These IP blocking lists can now be maintained via the GUI. Additionally, IPs can be blocked from the real time monitoring page.

3.3 Improved SIP Relay

The SIP relay has been substantially reworked and extended. The following changes apply:

• SIPS (SIP via TLS) is now supported. In this case TCP is automatically used for transferring SIPS. Use the SIPS policy.
• SIPS supports static as well as dynamic TLS certificates.
• IPv6 is supported.
• Transparent connections are supported. This means IP addresses within SIP packets are not altered. The configuration of attached VoIP devices generally does not need to be changed.
• It is possible to create filters based on the SIP user agent.
• A component that handled SIP and RTP data on the PFL is no longer available. Please configure the PFL to allow adequate port or address ranges. The behaviour on the ALG is unchanged: single RTP ports are opened on demand for each connection.
• If you are upgrading from a genugate version 8.6 with a patch level newer than 3, these changes should already have been applied. In this case no further configuration is necessary.

3.4 NTP Server

The NTP server from http://www.ntp.org has been replaced by the more secure server provided by OpenBSD. It only runs locally and needs to be accessed via a connection rule from the outside. In the time server GUI of genugate 9.0, in addition to the server configuration, a rule must be configured which defines the clients or client networks that are allowed to request the current time from genugate. Your existing configuration will be changed accordingly during the upgrade. Due to the change of the server, local changes implemented via Local Files will no longer work and must be removed. The NTP server configuration file is now /etc/ntpd.conf instead of the previously used /etc/ntp.conf.

3.5 Changed Logging of Data in PCAP Files

The logging of traffic data to PCAP files has been changed. The communication between client and relay is now combined into one file, as is the communication between relay and server. Before this, one file contained data from before the analysis and the other file contained data from after the analysis. In practice, it is now easier to follow the causes of network problems.

3.6 Further Changes

• Support for new network cards: The line of supported Intel network interface cards now also includes cards from the X550 product line.
• Avira scanner, new version 4.6: In genugate 9.0 the new version 4.6 of the Avira scanner (SAVAPI) is used.
• Zabbix updated to version 3.2.3: The version of Zabbix shipped with genugate 9.0 has been updated to version 3.2.3.
• Patches: This version contains all necessary changes and patches from version 8.6 up to and including Patch 6. Please find a detailed list in the file upgrade/G900_000.README on the upgrade media.
• OpenBSD: The operating system OpenBSD and all its components have been updated to version 5.9.
• General: As with every release, genugate 9.0 also contains minor changes which enhance its usability and stability. The online help and the manual have been altered at several points.

4 All Changes Between genugate 8.0 and genugate 9.0

4.1 Simplified HA

When configuring a genugate HA installation, a wizard will now guide you step by step. You begin with the most basic settings like HA interface and HA addresses for all systems at HA → CONFIGURATION → GENERAL. Afterwards, in the tab HA Mode, you can choose from the modes CARP failover, CARP balancing, OSPF and Custom. The tabs and configuration choices offered subsequently will be limited to the relevant options for the chosen mode. This greatly simplifies the setup and management of your HA installation.
The HA mode Custom offers all of the options and possible configurations and is thus intended for experts who need complete freedom to configure special setups.

4.1.1 Upgrade of Existing HA Installations

When upgrading an existing HA installation, an HA mode will be set during the upgrade. For systems employing only OSPF, the HA mode will be set to OSPF. For systems using CARP addresses, the mode will be set to Custom. If you are running a CARP HA installation, we recommend switching to one of the CARP modes when performing configuration changes after the upgrade, although it is possible to continue running in Custom mode.

4.1.2 OSPF and HA Address are Address Objects Now

In the course of simplifying the high availability feature of genugate 9.0, the OSPF and HA addresses have been converted into real address objects. These addresses can now be used directly in rules on the genugate without first creating a host object for each of these IP addresses.

4.1.3 OSPF Routing Daemon gated Replaced by ospfd

With genugate 9.0 the OSPF routing daemon gated has been replaced with ospfd from the OpenBSD project. Further information about ospfd can be found in the manual pages for ospfd and ospfd.conf. If you are running a special gated configuration with local files, these adjustments must be manually adapted to the ospfd configuration after the upgrade.

4.2 Active Directory/LDAP Authentication for Administrators and Users

We have improved the handling of LDAP authentication with genugate 9.0. There is no longer a need to enter data for each user on the firewall when using LDAP authentication. It is possible to use LDAP authentication for access to the web GUI (adminweb) as well as for shell access. The command “sudo” can be used with LDAP to allow local administrators to become root. It is possible to have different LDAP servers for administrators and firewall clients. Connections to LDAP servers can be encrypted using SSL/TLS. We also support multiple fallback servers. We support LDAPv3 in all configurations. Support for LDAPv2 is discontinued.

For LDAP authentication, administrators are assigned to firewall accounts by their LDAP group membership. For the web GUI, the LDAP group is mapped to a GUI profile which governs the access rights in the GUI. For shell access, the LDAP group is mapped to a local user account. The usual Unix user concepts and permissions apply. Authentication logs always contain the LDAP user name to make transparent which administrator performed changes.

To make the assignment of LDAP users to local accounts easier and to avoid security problems, two new user accounts will be created by the upgrade if they do not exist already: “ldap_admin” and “ldap_revisor”. For security reasons, neither account has a password set. They cannot log in to the genugate before a password is assigned. It is also possible to configure LDAP authentication for existing users. Be aware that users that have local access do not automatically lose the ability to log in with their local credentials. If you do not want to use LDAP for authentication, the newly created users can be safely deleted.

The new implementation no longer supports LDAP responses referring to another LDAP server (referrals). This behavior matches the former default configuration, which had the option “Noreferrals” activated.

For administrators who authenticate with LDAP, it is not necessary to have the password for the root account for most tasks. Instead it is possible to use the command “sudo” to gain privileges. The command authenticates against the LDAP server. A detailed description of the SSH login and the sudo configuration when using LDAP is in the administration manual under the topic LDAP authentication.

The web proxy Squid also supports LDAP. To make configuration easier and more flexible, it is now possible to supply more configuration options via the GUI.

4.3 Single Sign-on with Kerberos 5

genugate 9.0 now offers authentication at the genugate web proxy Squid via Kerberos 5. Authentication at the Squid web proxy then only requires logging on to a Windows workstation in the domain. This proxy authentication method is preferable to the (still available) NTLM authentication. Details on how to configure Kerberos can be found in the administration handbook.

4.4 Improved Performance

The performance of all genugate relays was improved in version 8.6. Improvements were specifically focused on the WWW relay, as web traffic usually constitutes a major part of the entire firewall traffic. Our benchmarks, set up with a realistic traffic profile and a secure configuration with detailed ACLs, virus scan, and SSL bridging, measured a performance increase of 270%. The maximum achievable bandwidth of the WWW relay is now 1.5 Gbit/s, and the maximum is around 4,000 requests/sec. A definite performance improvement should also be noticeable in real-life operation. Further enhancements are planned for the next releases to let genugate capabilities grow with increasing traffic requirements.

4.4.1 Improved IP based ACLs

As part of various performance improvements, IP based ACLs were updated. This speeds up the initialization of connections, as numerous IP based ACLs (SRC ACL, DST ACL, spoofing checks) need to be checked at this time.

4.4.2 Improved Handling of Spoofed Packets

genugate 9.0 improves the handling of packets with falsified source or target addresses. Previously, these packets were blocked by the kernel. genugate 9.0 uses the OpenBSD packet filter pf to check whether source/target addresses are permitted for specific interfaces. This, as well as the configuration of spoofing rules within a pf anchor, makes the logging of these packets much clearer.
In addition, the IP addresses are written to the log files (/var/log/alg-pflog and /var/log/pfl-pflog) in human-readable format. Local files can be used to modify pf rules for special setups. See the manual for details on this.

4.4.3 Improved TLS performance based on TLS session tickets

Starting with genugate 9.0, relays use TLS Session Tickets (RFC 5077, Transport Layer Security (TLS) Session Resumption without Server-Side State), if supported, both for the connection to the client and for the connection to the target server itself. In many cases, a previous TLS connection can be used to initialize a new one. TLS parameters then do not need to be renegotiated. Thus the relay can handle more requests at the same time.

4.4.4 Modified Squid defaults

genugate 9.0 will deactivate caching at installation and when configuring a Squid web proxy in the GUI. Squid is now configured to start several parallel processes to handle web requests. The number of CPUs in your genugate hardware will determine the number of processes started. The parallel processes will share the log files, but not the authentication helper processes etc. Further documentation is available at http://wiki.squid-cache.org/Features/SmpScale and in /cage/squid/usr/local/share/examples/squid/squid.conf.documented. This change was implemented as caching no longer improves performance when handling today’s Internet data traffic. In fact, the comparatively slow disk accesses needed can impact performance. Squid instances configured before the upgrade to genugate 9.0 will not be affected, but can be modified manually.

4.4.5 Multiple relay child processes

Most of our systems contain multiple CPU cores, and will add more in the future. To better utilize them, most relays (FTP, IMAP, SMTP, SMTP2SMTP, TCP, UDP, WWW) will now start a child process on every CPU core. This makes better use of the available resources. Previously, activating the virus scanner in the WWW relay caused it to use only a single CPU. genugate 9.0 extends the WWW relay to also generate multiple child processes when the virus scanner is activated.

4.4.6 Improved relay cipher list

The cipher list for relays was tuned to provide fast and secure ciphers first. Using the CPU feature AES-NI further increased performance. Insufficiently secure ciphers are explicitly forbidden. In particular, the insecure ciphers RC4 and 3DES are no longer available in the standard configuration of genugate 9.0. The TLS configuration currently used by the relays on your genugate can be found in the respective relay configuration file.

4.5 Mail System: Migration from Sendmail to Postfix

In genugate 9.0 the previous MTA Sendmail has been replaced by Postfix. Postfix has various advantages such as DANE support and a simpler configuration syntax. Migration to Postfix has several effects:

• Changed mail queues: Postfix supports only a single mail queue. The Sendmail queues configurable in the GUI have been removed.
• TLS configuration in the GUI: Configuration settings required for TLS-secured mail delivery can now be made in the GUI, as well as by the previous method of local files.
• Obsolete local files: Postfix does not require the local configuration changes previously necessary in /etc/configfw/local/etc/mail/. The file “access” will automatically be imported into the registry. The files “aliases” and “generics” must now be moved to /etc/configfw/local/etc/postfix.
• New local files: In addition to the files for local settings mentioned above, Postfix requires three new files. The default Postfix configuration can be extended in /etc/configfw/local/etc/postfix/main.cf. /etc/configfw/local/etc/postfix/transport modifies mail routing, and /etc/configfw/local/etc/postfix/tls_policy configures domain-based TLS settings.
The update procedure to genugate 9.0 will notify you of any necessary local adjustments. Settings from the registry key mail.access and the file /etc/configfw/local/etc/mail/access are automatically migrated to the new TLS GUI. If undelivered mails still are in one of the Sendmail queues during the update, they can be imported to Postfix with script import_sendmail_queues. Adding the option -r will also remove the mails from the Sendmail queues. 4.6 SIEM Logging During the development of genugate 9.0 the logging has been reworked to improve the cooperation with log analyzing software. Log messages are now classified consistently, can be exported by syslog easily and are optimized for automatic analysis. 4.6.1 SIEM Integration for IBM QRadar While improving the genugate logging capabilities, the option to integrate the genugate into a SIEM system like IBM QRadar has been developed. This means that both normal log messages and accounting messages of the relays can be sent via syslog to QRadar. For doing this the so called LEEF format (Log Event Extended Format) is used. For reducing the amount of local log data now it is also possible to only log messages with a severity of error and higher locally. 4.6.2 New Log Files For Packet Filter Messages The bulky hexadecimal packet filer log format was replaced with a decimal presentation like in genuscreen. They now also include detailed information about which packet filter rule triggered the message. The log messages are now found in /var/log/alg-pflog for the ALG and /var/log/pfl-pflog for the PFL. The log files /var/log/algscreen and /var/log/screen were removed. Log messages which were not triggered by the packet filter and which were written to the now deleted log files, are now written into /var/log/kern for the ALG and /var/log/pfl for the PFL. If you are analyzing your log files with custom scripts, they need to be modified accordingly. 
4.6.3 Accounting Data to Syslog

With genugate 9.0 it is possible to send the accounting data messages to the file /var/log/relay by using syslog. The use of syslog eases the remote logging of accounting data. Accounting data is sent in a human readable format instead of a binary format. This option can be activated under System → Sysadmin → Logging → Local.

4.6.4 Log IDs of Accounting Messages

In genugate 9.0 the common log ID 4039 for accounting log messages was split into several IDs. That simplifies the automated analysis with SIEM appliances and other tools for log analysis. Accounting messages now have IDs from 4100 to 4149. The following events got their own IDs:

• Accept
• Connect
• Request
• Disconnect

Additionally, the IDs represent the status, such as OK, Denied, Error, Virus or Timeout. A complete list of the log messages can be found in appendix C of the administration manual.

4.6.5 Log IDs of Block Messages

During the refactoring of the logging in genugate 9.0, the messages triggered by blocked requests were also revised. Similar to the accounting log IDs, new and unique IDs which represent the block type were introduced. The genugate now distinguishes between the following classes of block messages:

• Policy-based restrictions
• Protocol errors
• Errors on the client side
• Errors on the server side
• SSL negotiation errors on the client side
• SSL negotiation errors on the server side
• Internal errors on the genugate itself

This simplifies the automated analysis of block messages since the log ID already explains why a request or connection was blocked by the genugate.

4.6.6 Better Separation Between Request and Connection Accounting

genugate 9.0 improves the accounting so that the differentiation between “request” and “disconnect” messages is now much clearer.
Both can be activated separately to restrict the logging to the desired information. The “disconnect” messages in the connection accounting now only contain information and statistics which relate to the entire connection. All information and statistics concerning the single requests within a connection can now be found in the “request” messages. A request is the combination of HTTP request and answer for WWW, the file transfer for FTP, the transfer of a single message for NNTP and POP, the transfer of an email including the protocol dialogs for sender and recipient for SMTP, and the transfer of single messages or parts of single messages with the APPEND or FETCH command for IMAP.

4.6.7 Improved Connection Accounting GUI

The usability of the GUI page displaying accounting messages was improved. Clicking on the client address now shows you all messages related to this client. Additionally, you can now display all accounting messages related to a connection by clicking on the entry in the “rnum” column.

4.7 Improved Support for Remote Log Servers

With genugate 9.0 the support for remote log servers has been revised. In addition to UDP, it is now possible to forward log messages to remote log servers via TCP, with or without TLS encryption. TCP guarantees that packet loss does not lead to lost log messages.

4.8 Protocol Conformity Filter for the UDP Relay

The Protocol Conformity Filter known from the TCP relay is now also available for the UDP relay. Thus genugate 9.0 can now enforce dedicated protocols for UDP connections. There is a preconfigured filter for DNS. The Protocol Conformity Filter for the UDP relay can be configured in the filter tab of the UDP policy.

4.9 Stricter Protocol Checks for Filter Policies

Parallel to the improved application recognition of genugate 9.0, the protocol checks for filter policies were also improved. We now enforce the correct protocol for the DNS, LDAP, MSSQL, MySQL, PostgreSQL and PPTP policies.
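Section 4.8 above mentions the preconfigured DNS conformity filter for the UDP relay. As an added example of what such a filter checks (this is not genugate's implementation, whose exact rules are not on this page), the Python code below validates a UDP payload as a well-formed standard DNS query: header flag and count sanity, exactly one question made of plain labels, an optional EDNS OPT record, and no trailing bytes. The query builder and the malformed inputs are constructed for the example.

```python
import struct

# Constants from RFC 1035 / RFC 6891.
QTYPE_A, QCLASS_IN, QCLASS_ANY, TYPE_OPT = 1, 1, 255, 41
MAX_NAME_OCTETS = 255


def _parse_question_name(data: bytes, offset: int):
    """Parse an uncompressed domain name; return (labels, offset after it).
    Raises ValueError for anything that is not a plain label sequence."""
    labels, total = [], 0
    while True:
        if offset >= len(data):
            raise ValueError("name runs past the end of the packet")
        length = data[offset]
        offset += 1
        if length == 0:
            return labels, offset
        if length & 0xC0:
            # 11xxxxxx is a compression pointer, 01/10 are extended label
            # types; neither belongs in a client's question section.
            raise ValueError("not a plain label (pointer, extended type or length > 63)")
        total += length + 1
        if total > MAX_NAME_OCTETS:
            raise ValueError("name longer than 255 octets")
        label = data[offset:offset + length]
        if len(label) != length:
            raise ValueError("truncated label")
        labels.append(label)
        offset += length


def check_dns_query(payload: bytes):
    """Return (True, 'ok') if payload is a well-formed standard DNS query as a
    client would send it, otherwise (False, reason)."""
    if len(payload) < 12:
        return False, "shorter than the 12-byte DNS header"
    _ident, flags, qdcount, ancount, nscount, arcount = struct.unpack("!6H", payload[:12])
    if flags & 0x8000:
        return False, "QR bit set: a response, not a query"
    opcode = (flags >> 11) & 0xF
    if opcode != 0:
        return False, f"opcode {opcode} is not a standard query"
    if qdcount != 1:
        return False, f"QDCOUNT is {qdcount}, expected 1"
    if ancount or nscount:
        return False, "answer or authority records in a query"
    if arcount > 1:
        return False, "more than one additional record (only an EDNS OPT record is expected)"
    try:
        _labels, offset = _parse_question_name(payload, 12)
    except ValueError as exc:
        return False, str(exc)
    if offset + 4 > len(payload):
        return False, "question truncated before QTYPE/QCLASS"
    _qtype, qclass = struct.unpack("!HH", payload[offset:offset + 4])
    offset += 4
    if qclass not in (QCLASS_IN, QCLASS_ANY):
        return False, f"unexpected QCLASS {qclass}"
    if arcount == 1:
        # OPT pseudo-RR: root name (1 byte), TYPE, CLASS, TTL, RDLENGTH, RDATA.
        if offset + 11 > len(payload) or payload[offset] != 0:
            return False, "malformed additional record"
        rtype, _udp_size, _ttl, rdlength = struct.unpack("!HHIH", payload[offset + 1:offset + 11])
        if rtype != TYPE_OPT:
            return False, f"additional record type {rtype} is not OPT"
        offset += 11 + rdlength
        if offset > len(payload):
            return False, "OPT RDATA truncated"
    if offset != len(payload):
        return False, f"{len(payload) - offset} trailing byte(s) after the question"
    return True, "ok"


def build_query(name: str, qtype: int = QTYPE_A, ident: int = 0x1234, edns: bool = False) -> bytes:
    """Construct a minimal standard query (RD set) for exercising the checker."""
    header = struct.pack("!6H", ident, 0x0100, 1, 0, 0, 1 if edns else 0)
    qname = b"".join(bytes([len(part)]) + part.encode("ascii")
                     for part in name.rstrip(".").split(".")) + b"\x00"
    packet = header + qname + struct.pack("!HH", qtype, QCLASS_IN)
    if edns:
        packet += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0, 0)
    return packet


if __name__ == "__main__":
    good = build_query("www.example.com")
    for label, pkt in [("well-formed query", good),
                       ("with EDNS OPT", build_query("www.example.com", edns=True)),
                       ("truncated", good[:-1]),
                       ("trailing byte", good + b"\x00"),
                       ("response bit set", good[:2] + bytes([good[2] | 0x80]) + good[3:]),
                       ("64-octet label", build_query("a" * 64 + ".example.com"))]:
        print(f"{label:18} -> {check_dns_query(pkt)}")
```

The checker is deliberately stricter than a resolver: it refuses compression pointers and extended label types in the question, more than one additional record, and bytes beyond the question, because a relay enforcing a protocol has no reason to accept what a well-behaved client never sends. A production filter would add a maximum payload size (512 bytes without EDNS) and a decision on which QTYPEs to allow.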
Should there be problems or incompatibilities, these protocol checks can be disabled by deactivating the filter module in the policy GUI.

4.10 New Policy Types

genugate 9.0 now features additional policies for the protocols BGP, IMAP, RDP, SMB, TeamViewer and VNC. The policies automatically use the protocol’s default port. Additionally, they have protocol conformity filters configured.

4.11 OpenBSD 64 Bit Support

genugate 9.0 now runs natively on 64-bit architectures. A significantly larger amount of memory is now available for the applications on the ALG. The upgrade converts the statistics databases (RRD) into a 64-bit compatible version to carry on showing long-term trends.

4.12 Application Filter

genugate 9.0 introduces the Application Filter for the WWW Relay. Using the application filter, the common task of allowing or restricting network access for prevalent applications or services like software updates is fast and easy. Technically, the application detection is based on the analysis of HTTP requests. Depending on the application, the request itself and its headers are checked. To date, the genugate supports the following list of applications:

• Cloud Storage: Box, Dropbox, Google Drive and Docs, OneDrive (Microsoft Cloud), Strato High Drive, Telekom Cloud
• Conferencing: Cisco WebEx
• Peer-To-Peer: Skype
• Remote Access: TeamViewer
• Software Updates: Adobe, Apple, Avira, Bitdefender, Kaspersky, McAfee, Sophos, Symantec Endpoint Security, Ubuntu, Windows Updates
• Web Applications: Google Maps, Youtube, Microsoft Office Online

4.13 Secure IMAP

With genugate 9.0 a relay for the secure retrieval of email via IMAP is introduced. The genugate protects this communication against errors in the IMAP protocol and provides reliable virus protection. If a virus is found, the user can be notified with a freely configurable text, which replaces the original email.
The IMAP relay ensures that only commands which are considered valid are allowed to pass the firewall. Exotic IMAP dialects are prevented without bothering the user. Additionally, the genugate rewrites client requests to gain enough context for content analysis. This is the only way to reliably detect viruses. The IMAP relay supports SSL bridging for IMAP over SSL and STARTTLS. The supported version of IMAP is 4rev1 (RFC 3501).

4.14 Command Line Tools for Import/Export of Hosts, Networks and Network ACLs

With genugate 9.0 there are now two additional command line tools available on the genugate which allow the export of existing hosts, networks and network ACLs and their integration into the existing configuration of other genugates. In addition, it is also possible to integrate data exported by genucenter. These tools are config_dump for writing the data into a file and config_merge for reading configuration data from a file and merging it into the current configuration. config_merge includes an interactive mode for checking and adjusting the data to be imported if needed. Further information can be found in the manual pages and in the genugate manual in sections 3.15, 4.14.14 and 4.14.15.

4.15 Improved Certificate Verification through OCSP

With genugate 9.0 the validity check of certificates used by relays when inspecting SSL connections also includes a revocation check using OCSP (Online Certificate Status Protocol). For this, the genugate sends OCSP requests to the URL specified as OCSP responder inside the certificate. For better performance it requests an OCSP response already while contacting the server. If the server supports this OCSP stapling, the number of requests to external OCSP responders can be reduced. If available, the Squid proxy on port 8000 of the genugate is used for sending these OCSP requests.
If it is missing and the genugate does not have a direct connection to the Internet, a proxy for OCSP requests can be configured under Connections → Policies → SSL → OCSP Web Proxy. The previously existing revocation check using CRLs (Certificate Revocation Lists) can still be used.

4.16 Configurable Hostname in WWW and WWW Server Policies

In the Options tab of WWW and WWW server policies the hostname used by the policy is configurable with the option External Visible Hostname. This allows you to hide the real hostname of the genugate. The hostname is used for error pages, the transfer state page and inside the Via header of the HTTP protocol.

4.17 Signing of Patches

Since genugate 9.0, patches are signed with a new 4096 bit RSA key, which provides a higher level of security.

4.18 SSL 3.0

4.18.1 SSL 3.0 Connections to the genugate GUI are no Longer Supported

With genugate 9.0 connections to the user interface are only possible with TLS 1.0 or higher. This measure avoids attacks through vulnerabilities in older protocol versions (e.g. CVE-2014-3566, POODLE).

4.18.2 Protocol Conformity Filter

By using the protocol conformity filter SSL_no_v3, protocol version TLS 1.0 or higher can be enforced in TCP connections.

4.18.3 SSL Enabled Relays and Sendmail

For all SSL enabled relays and Sendmail, the lowest allowed SSL version was set to TLS 1.0.

4.19 New Web Service Policy for SOAP Message Validation

genugate 9.0 introduces the new Web service policy. It is used to validate SOAP messages, which are typically exchanged by Web services, against given XML schemas. The check is independent of the actual application, the values can be further restricted if needed, and attacks do not even reach the application. The Web service policy supports the SOAP protocol versions 1.1 and 1.2. The protocols HTTP, HTTPS and WebSocket are used to transmit the data.
4.20 Secure HA Communication With IPsec

With genugate 9.0 the communication between the HA peers can be secured by IPsec. This allows distributed HA systems across facility boundaries without the need to implement special security on the HA connections. When upgrading, please keep in mind that IPsec will only be activated after an IPsec key has been configured in the HA GUI. Furthermore, with the introduction of IPsec the behavior of the HA addresses has changed. They are now permanently configured on the system instead of being removed when the HA node is taken over by another HA peer. Because of this, mixed operation of genugate 9.0 and older versions is limited. Under certain circumstances, especially after running hactl -M sysdown under genugate 9.0, older systems will not take over the node.

4.21 Static SSL Server Certificates

The SSL bridging mode now also supports static server certificates. With this setting, the genugate always presents the same certificate to the SSL client. The certificate itself can be configured in advance. The configuration is done in the policy’s SSL mode. With this setting, the FTP policy offers additional possibilities to check the content and to forward the connection dynamically when using encrypted FTPS traffic.

4.22 Increased Security for Javascript Weeding

If weeding is enabled, genugate 9.0 will additionally restrict the execution of Javascript and other active content by using the HTML5 Content Security Policy headers. Since not all browsers support these headers, genugate 9.0 will still remove active content as before. For sites already sending Content Security Policy headers in their responses, these headers are modified to add the additional restrictions.

4.23 Detailed HTML-Weeding Was Removed

The WWW relay allowed configuring a detailed weeding mode to remove content from HTML pages. The configuration settings had a complex syntax and were seldom used.
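Section 4.22 above states that, when weeding is enabled, Content Security Policy headers are added to responses and headers the site already sends are tightened. The Python functions below are an added example of one way to merge a relay's restrictions into a site's own CSP; they are not genugate's code, and the directives in WEEDING_RESTRICTION are an assumption made for the example, not genugate's actual policy. The merge only ever removes sources: a directive the site already sends is intersected with the restriction, a directive the site omits is derived from its default-src fallback, and everything else is left untouched.

```python
from typing import Dict, List, Optional

# Restrictions the relay adds when weeding is active. These directives are an
# assumption for this example, not genugate's actual policy.
WEEDING_RESTRICTION: Dict[str, List[str]] = {
    "script-src": ["'none'"],
    "object-src": ["'none'"],
}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy header into {directive: [sources]}."""
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def serialize_csp(policy: Dict[str, List[str]]) -> str:
    return "; ".join(f"{name} {' '.join(values)}".rstrip()
                     for name, values in policy.items())


def _restrict(site_values: List[str], restriction: List[str]) -> List[str]:
    """Combine the site's source list with the relay's so that the result
    permits nothing the relay forbids. Sources are compared as whole tokens,
    which is conservative: a broad site source such as https: that is not
    literally in the restriction is dropped rather than kept."""
    if "'none'" in restriction or "'none'" in site_values:
        return ["'none'"]
    kept = [v for v in site_values if v in restriction]
    return kept or ["'none'"]


def merge_csp(site_header: Optional[str], restriction: Dict[str, List[str]]) -> str:
    """Return the CSP the relay forwards: the site's policy tightened by
    `restriction`, never loosened."""
    policy = parse_csp(site_header) if site_header else {}
    for name, values in restriction.items():
        if name in policy:
            policy[name] = _restrict(policy[name], values)
        elif "default-src" in policy:
            # Without an explicit directive the browser falls back to
            # default-src, so derive the restricted value from that.
            policy[name] = _restrict(policy["default-src"], values)
        else:
            policy[name] = list(values)
    return serialize_csp(policy)


if __name__ == "__main__":
    # Constructed site headers to show the three merge cases.
    for site in (None,
                 "default-src 'self'; img-src *",
                 "script-src 'self' https://cdn.example; style-src 'self'"):
        print(f"{site!r:60} -> {merge_csp(site, WEEDING_RESTRICTION)}")
```

Browsers enforce every Content-Security-Policy header they receive, so forwarding the relay's restrictions as a second header is the simpler alternative. Merging into one header as above keeps a single policy per response and lets the relay log exactly what it sent.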
While introducing the content security policy, the simple weeding was improved. Since there is no security benefit anymore, the detailed weeding was removed.

4.24 The GUI Now Conforms to the Current Corporate Design

The genugate GUI was modified to match genua’s current corporate design. Thus, several navigation links were moved.

4.25 Improved Control in the SSH Relay Over Commands Executed by SSH

With genugate 9.0 the control over commands executed through SSH has been improved in the SSH relay. Instead of just allowing or denying any commands, a new ACL allows you to specify the allowed commands with regular expressions. It is also possible to match on the command’s parameters.

4.26 Simplified HA Maintenance Mode

genugate HA clusters can now be brought into maintenance mode using the hactl -M sysdown command, no matter whether they use CARP or OSPF. The CARP-specific passive mode has been removed.

4.27 Improved Spam Protection by Greylisting

Greylisting on genugate 9.0 now supports Bounce Address Tag Validation (BATV) and the Sender Rewriting Scheme (SRS). In addition, communication of servers with the genugate via IPv6 is now supported.

4.28 Denial of Service Protection

The number of new connections by a specific source can be limited to a maximum per time unit. This limit can be set for all connections based on TCP via the ALG. This helps prevent denial of service attacks from a single source.

5 Software Updates and Changed Behavior

• WWW Relay: The configuration keys ALLOW and DENY have been removed. They were only accessible by using a local file. Furthermore, the functionality to stop animation in GIF images has been removed too.
• SSH Relay: The SSH relay now supports protocol logging for SCP.
• FTP Relay: The FTP relay now supports FTPS (FTP over SSL). SSL bridging has to be enabled in the relay’s policy to be able to determine dynamically used FTP ports.
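Section 4.25 above introduces an ACL of regular expressions for commands executed through the SSH relay, including their parameters. The Python class below is an added example of how such an allow-list should be evaluated; it is not genugate's implementation, and the rules in EXAMPLE_RULES are constructed for the example rather than taken from a genugate policy. The point it makes is that each pattern has to be matched against the complete command line (re.fullmatch), because a pattern anchored only at the start would also accept any text appended after an allowed command.

```python
import re
from typing import List


class CommandAcl:
    """Allow-list of regular expressions for commands passed through SSH.

    Each pattern is matched with re.fullmatch, so it must describe the whole
    command line including its parameters; an allowed prefix followed by
    extra text (a second command, further arguments) is rejected.
    """

    def __init__(self, patterns: List[str]):
        self._rules = [re.compile(p) for p in patterns]

    def allows(self, command: str) -> bool:
        command = command.strip()
        return any(rule.fullmatch(command) for rule in self._rules)

    def explain(self, command: str) -> str:
        """Return the matching pattern, or 'denied', for the audit log."""
        command = command.strip()
        for rule in self._rules:
            if rule.fullmatch(command):
                return rule.pattern
        return "denied"


def prefix_match_allows(patterns: List[str], command: str) -> bool:
    """The weaker check this ACL deliberately avoids: re.match anchors only
    the start of the string. Shown so the difference is testable."""
    return any(re.match(p, command) for p in patterns)


# Constructed rules for the example; the syntax genugate's SSH policy
# expects is described in its manual, not here.
EXAMPLE_RULES = [
    # rsync in server mode, restricted to the backup tree
    r"rsync --server --sender -[a-zA-Z.]+ \. /srv/backup(/[\w.-]+)*/?",
    # git fetch from one repository directory; "/" is not in the character
    # class, so the argument cannot leave /srv/git
    r"git-upload-pack '/srv/git/[\w.-]+\.git'",
    # a parameterless status command
    r"uptime",
]

if __name__ == "__main__":
    acl = CommandAcl(EXAMPLE_RULES)
    for cmd in ("uptime", "uptime; id", "git-upload-pack '/srv/git/app.git'",
                "rsync --server --sender -vlogDtpre.iLsfxC . /srv/backup/www",
                "rsync --server --sender -v . /etc"):
        print(f"{acl.explain(cmd):62} <- {cmd}")
```

Writing the rules as full-line patterns also makes the parameter restrictions explicit in the ACL itself, which is what makes them reviewable.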
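Section 4.28 above describes limiting the number of new connections per source and time unit. The Python class below is an added example of one way to implement such a limit, a sliding window over the timestamps of accepted connections; it is not genugate's code, and the limit, window and attempt sequence are constructed for the example.

```python
from collections import defaultdict, deque
from typing import List, Tuple


class NewConnectionLimiter:
    """Per-source limit on new connections: at most `limit` accepted
    connections from one source address within any `window` seconds."""

    def __init__(self, limit: int, window: float):
        if limit < 1 or window <= 0:
            raise ValueError("limit must be >= 1 and window > 0")
        self.limit = limit
        self.window = window
        self._accepted = defaultdict(deque)  # source -> timestamps, oldest first

    def allow(self, source: str, now: float) -> bool:
        """Decide on one new connection from `source` at time `now`.
        Only accepted connections are recorded, so a source that keeps being
        rejected is not locked out for longer than the window."""
        stamps = self._accepted[source]
        cutoff = now - self.window
        while stamps and stamps[0] <= cutoff:
            stamps.popleft()
        if len(stamps) >= self.limit:
            return False
        stamps.append(now)
        return True

    def prune(self, now: float) -> int:
        """Forget sources with no accepted connection inside the window, so
        the table cannot grow without bound; returns how many were dropped."""
        cutoff = now - self.window
        stale = [src for src, stamps in self._accepted.items()
                 if not stamps or stamps[-1] <= cutoff]
        for src in stale:
            del self._accepted[src]
        return len(stale)

    def tracked_sources(self) -> int:
        return len(self._accepted)


def replay(limiter: NewConnectionLimiter, attempts: List[Tuple[float, str]]) -> List[bool]:
    """Run (timestamp, source) attempts through the limiter in order and
    return the decisions."""
    return [limiter.allow(src, ts) for ts, src in attempts]


# Constructed attempt sequence: one source bursts, another stays quiet.
SAMPLE_ATTEMPTS = [
    (0.0, "192.0.2.10"), (0.5, "192.0.2.10"), (1.0, "192.0.2.10"),
    (1.5, "192.0.2.10"),      # fourth within 10 s: rejected
    (2.0, "198.51.100.7"),    # different source: unaffected
    (10.6, "192.0.2.10"),     # stamps 0.0 and 0.5 have aged out: accepted
]

if __name__ == "__main__":
    limiter = NewConnectionLimiter(limit=3, window=10.0)
    decisions = replay(limiter, SAMPLE_ATTEMPTS)
    for (ts, src), ok in zip(SAMPLE_ATTEMPTS, decisions):
        print(f"t={ts:5.1f} {src:15} {'accept' if ok else 'reject'}")
```

A per-source limit bounds what one address can do; a pool of addresses is unaffected, so it complements rather than replaces a global limit on new connections. The prune() method matters in practice: without it every address ever seen keeps an entry, and that table is itself a resource that can be made to grow.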
• SIP-Relay: The SIP relay now makes it possible to deploy internal phones which are registered at an external SIP domain. Calls can be placed to, or accepted from, the outside.
• Perfect Forward Secrecy: This version now automatically uses Perfect Forward Secrecy (PFS) for SSL connections. This ensures that recorded SSL data cannot be decrypted in the future even if the secret key is obtained later. Should this new behavior cause any problems, the SSL ciphers used can be configured in the registry by setting hidden_ssl_cipher_list_server and hidden_ssl_cipher_list_client for the policy. The syntax for these options can be found under http://www.openssl.org/docs/apps/ciphers.html#CIPHER_LIST_FORMAT. The possible cipher suites can be found under http://www.openssl.org/docs/apps/ciphers.html#CIPHER_STRINGS.
• X509 Certificates Now With SHA-256 Signature: Since this version, X509 certificates used for SSL bridging or the Adminweb are signed with SHA-256 instead of SHA-1.
• New Root Certificates for X509: With this version of genugate 9.0 an up-to-date list of X509 root certificates is shipped. All these new certificates are trusted by default. The trust can be changed under Connection → Policies → SSL → Authorities.
• External Logservers: Starting with genugate 9.0 it is possible to configure more than one external logserver in the GUI. All log messages will be sent to all configured external logservers at the same time.
• Virus Scanner: Sophos AntiVirus is discontinued. Upgrading to genugate 9.0 with Sophos installed is not possible; the upgrader will exit with a warning. Please contact genua or your distributor for information on switching over to an alternative virus scanner.
• Ramdisk for Virus Scanner: As a result of the change to 64 bit, support for the ramdisk for the virus scanner has been discontinued.
• Hostname adjustable: The hostname of the genugate can now be adjusted in the GUI under System → Sysadmin → Preferences → Hostname.
• Manuals accessible from management GUI: The manuals shipped with genugate 9.0 are now accessible from the management GUI. The links can be found in the upper right corner, next to the Help link.
• OSPF Graph: Since all current browsers now support vector graphics in SVG format, this format will be used exclusively for displaying the OSPF graphs. Support for the formats GIF and PNG for older browsers has been removed.
• WWW Relay Performance Improvements: The WWW relay now re-compresses data which has been decompressed for content analysis before it forwards the data to the client. In some cases it also compresses data which was served uncompressed by the server. This improves performance, especially for low bandwidth connections.
• Improved GUI Help: The link to the online help, especially in the policy GUI, will now lead to the matching online help page if Javascript is activated in your browser. Additionally, you will find a small information icon next to many input fields. Moving the mouse pointer over it will show a short help text.
• tcpdump on the PFL: genugate 9.0 provides the command line tool tcpdump on the PFL. The debug kernel is no longer needed for using it.
• Improved random number generator of the kernel: With genugate 9.0 the random number generator of the kernel is already seeded by the boot loader. This applies to the ALG as well as to the PFL. If your PFL boot image type is set to “USB remote upgrade”, you are recommended to completely reinitialize your PFL during the upgrade.
• Bash Shell Now in the Util Package: Since the bash shell is not a genugate core component, it has been moved to the Util option package. Furthermore, using bash as a login shell is no longer supported.
Users and user profiles using bash will have their shell changed to ksh.
• genugate data diode: The one way functionality of the packet filter (PFL) has been replaced by the vs-diode, which offers higher security. The classic genugate data diode is not available anymore.
• Email: The Autocrypt feature has been removed.
• Speed of Serial Interfaces on ALG and PFL Increased: With genugate 9.0 the serial interfaces of the ALG and PFL now use a baud rate of 115200 bits/second. Please ensure that your terminal server is set accordingly before doing an upgrade or fresh installation.
• MIME Type ACL for Virus Scanner in IMAP and IMAPS policies: The MIME Type ACL for Virus Scanner is now supported by the IMAP and IMAPS policies. This allows the blocking of email attachments depending on their MIME type.
• ospfctl and ospf6ctl on the PFL: For easier debugging of OSPF problems, the command line tools ospfctl and ospf6ctl are now available by default on the PFL.
• CA Certificates for SSL/TLS: With genugate 9.0 all CA certificates signed with only a 1024 bit RSA key have been removed. Furthermore, the root CA certificates of the China Network Information Center (CNNIC) have been removed too.
• Throughput: The maximum kernel buffer size was increased from 256 KB to 1 MB to enhance the performance of high latency connections. Policies using the performance settings “Dynamic Adjustment” or “Maximum Throughput” utilize the new limit automatically.
• PFL Log Messages via TCP: With genugate 9.0 the log messages of the PFL are sent via TCP instead of UDP. This ensures that no messages are lost due to packet loss.
• Improved Handling of MIME encodings in the virus scanner: The detection of invalid encodings for mail parts encoded with Base64 or Quoted-Printable has been improved. The virus scanner now blocks non-conforming encodings which are interpreted differently by clients and antivirus products, because they are considered an attempt to bypass the analysis.
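The item above on MIME encodings says the virus scanner now blocks Base64 and Quoted-Printable bodies that do not conform to the encoding rules, because clients and scanners decode such bodies differently. The Python functions below are an added example of such strict checks; they are not genugate's scanner code, and the sample parts are constructed. They reject characters outside the alphabet, missing padding, data after padding, lower-case or incomplete quoted-printable escapes and over-long lines, all of which a lenient decoder would accept silently in one way or another.

```python
import base64
import binascii
import quopri
import re

# RFC 4648 alphabet, with padding allowed only at the very end.
_B64_BODY = re.compile(rb"^[A-Za-z0-9+/]*={0,2}$")
# RFC 2045 quoted-printable line: printable ASCII except "=", or "=XX" with
# upper-case hex digits, optionally ending in a soft line break "=".
_QP_LINE = re.compile(rb"^(?:[\x20-\x3c\x3e-\x7e\t]|=[0-9A-F]{2})*=?$")


def check_base64_part(body: bytes):
    """Return (True, decoded_bytes) for a conforming base64 body, otherwise
    (False, reason). Only line breaks and whitespace are tolerated; anything
    a lenient decoder would skip or reinterpret is rejected."""
    data = b"".join(body.split())
    if not _B64_BODY.match(data):
        return False, "character outside the base64 alphabet or data after padding"
    if len(data) % 4:
        return False, "length is not a multiple of 4 (missing padding)"
    try:
        return True, base64.b64decode(data, validate=True)
    except binascii.Error as exc:
        return False, f"decoder rejected data: {exc}"


def check_qp_part(body: bytes):
    """Return (True, decoded_bytes) for conforming quoted-printable, otherwise
    (False, reason). Lower-case hex escapes, bare "=" and over-long lines are
    rejected because decoders disagree on how to treat them."""
    for number, line in enumerate(body.splitlines(), start=1):
        if len(line) > 76:
            return False, f"line {number} is longer than 76 characters"
        if not _QP_LINE.match(line):
            return False, f"line {number} contains an invalid escape or character"
    return True, quopri.decodestring(body)


# Constructed sample parts (not real mail traffic).
SAMPLES = {
    "b64 ok":         (check_base64_part, b"SGVsbG8g\r\nV29ybGQ="),
    "b64 bad char":   (check_base64_part, b"SGVs*bG8="),
    "b64 no padding": (check_base64_part, b"SGVsbG8"),
    "b64 junk after": (check_base64_part, b"QQ==QQ=="),
    "qp ok":          (check_qp_part, b"Hello=20World=\r\n!"),
    "qp lower hex":   (check_qp_part, b"caf=e9"),
    "qp long line":   (check_qp_part, b"x" * 77),
}

if __name__ == "__main__":
    for name, (check, part) in SAMPLES.items():
        ok, result = check(part)
        print(f"{name:15} {'pass' if ok else 'BLOCK'}: {result!r}")
```

The blocking decision is made before decoding: a body is either decoded exactly as every conforming decoder would decode it, or it is not decoded at all, which removes the window in which a scanner and a mail client could see different content.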
• Improved gzip detection by the virus scanner: The recognition of files packed with the gzip compression algorithm has been improved and can no longer be evaded with crafted archives.
• FTP and FTP Diode Relays: Option MINDATAPORT Removed: The configuration option MINDATAPORT of the FTP and FTP diode relays, which could be used to set the lowest usable port for the data connection, has been removed. These relays now use the ephemeral ports (49152-65535) as assigned by the Internet Assigned Numbers Authority (IANA). This port range can be adjusted by changing the sysctl variables net.inet.ip.porthifirst and net.inet.ip.porthilast.
• OpenSSH no Longer Supports DSA Host Keys By Default: The version of OpenSSH shipped with genugate 9.0 no longer supports DSA host keys if running with default settings. The same applies to the SSH client which is shipped with genugate 9.0. If you need DSA support for logging into a remote system, you have to add -oHostKeyAlgorithms=+ssh-dss to the ssh command line.
• Algorithm for Host Key Generation of the SSH Relay Now Configurable: The algorithm used by the SSH relay when generating a dynamic host key can now be configured in the SSH policy in the GUI. Available algorithms are DSA, RSA and ECDSA. Since recent OpenSSH versions no longer support DSA by default, and to maintain maximum compatibility, the default is RSA.
• Improved Performance with Many Parallel Connections: With genugate 9.0 the relays have been adjusted to cope better with many parallel connections.
• TSAP Policy Discontinued: genugate 9.0 removes the support for the optional TSAP policy and its relay. In case you were using the TSAP policy, you will receive a warning during the dry upgrade. If you receive that warning, it is recommended to remove the TSAP policy before the actual upgrade.
• Different Software used for UPS Support: The script apc and the corresponding daemon apcd were used to monitor an APC UPS. They have been replaced with the apcupsd daemon. It is included in the Util option package.
• Monitoring program fw_probes removed: The program fw_probes monitored network traffic, looking for specific patterns. Since relay processes on the genugate can now recognize problematic network traffic better and with more specific log entries, fw_probes was removed.
• Upgrade deletes usr directories in the cages: Upgrading from an older version to genugate 9.0 will delete the usr directories in the cages before the new files are unpacked. This does not affect other persistent data on the genugate (such as mail).
• vim editor now contained in Util package: genugate 9.0 now supplies vim as part of the Util option package.
• GUI: Several smarthosts for outgoing mail: The GUI now permits configuration of more than one smarthost for outgoing mail.
• Updated exemptions from virus scanning: Data needed for Google Safebrowsing was added to the default list of virus scanning exemptions. In case you have already modified this default list in a previously configured policy of the type “www” or “wwwserver”, add the following two entries to the menu field “MIME Types to be Scanned” in the tab “Scanner”: “!application/vnd.google.safebrowsing-chunk” and “!application/vnd.google.safebrowsing-update”. This will activate the improvement described above for any already existing configuration.
• Improved NTLM integration: The Util option package in genugate 9.0 now contains a start script for winbindd. winbindd will be started if /cage/squid/etc/samba/smb.conf exists. In case of an upgrade, any manually created winbindd start script must be deleted and removed from filecop user.db.
In addition, the following steps must be performed:

– Delete the .tdb files in /cage/squid:

  find /cage/squid -name "*.tdb" | xargs rm

– Reduce /cage/squid/etc/samba/smb.conf to:

  [global]
  netbios name =
  security = ADS
  workgroup =
  realm =
  password server =
  winbind separator = +
  log file = /var/log/%m.log
  log level = 1

– Rejoin your Windows domain.

As a general rule, we recommend activating secure authentication via Kerberos.

• NRPE updated: The Nagios Remote Plugin Executor was updated to version 3.0. NRPE 3.0 contains a new SSL stack. Therefore, Diffie-Hellman with 512 bit keys is no longer supported. To continue monitoring genugate 9.0 with Nagios via an encrypted connection, the check_nrpe plugin on the Nagios server must also be at least version 3.0.

6 Deprecated Features

• Crypt-Hashes: For reasons of security, crypt hashes are no longer supported. This applies to system authentication as well as to relays. Therefore you cannot log in to the GUI or the system with passwords created on a version prior to 6.0 that have not been changed since. You will be notified during the test upgrade if any accounts on your system are affected. These passwords have to be changed before the upgrade to genugate version 8.4 or higher in the account management section of the GUI or in the userweb. Currently, password files used for relay authentication are not affected by this. However, the removal of insecure password crypt hashes is planned for a future version.
• RTSP-Proxy: The RTSP proxy (osrtspproxy) is no longer supported and will be removed in a future version.
• Telnet: Console access via Telnet is obsolete and insecure. It has been completely superseded by SSH and will be removed in a future version.
• pop/pop3: The retrieval of mails from a genugate via pop3 will not be available in the future. However, only the local service is affected, not the pop3 policy.
• nntp-Policy: The Network News Transfer Protocol is hardly used in the Internet anymore. Therefore this policy will be removed in a future version.
• S/Key authentication: S/Key authentication is obsolete and will be removed in a future version.
• genuauth: The option genuauth will be removed in a future version.

7 Update Support

7.1 Overview of Supported Versions

genugate 9.0 as well as the following genugate versions are currently provided with patches and security updates:

• genugate 8.0 Z: This version was certified for CC EAL4+ in December 2013 and will be supported until the second quarter of 2018 with security updates and patches.
• genugate 8.6: This version will be supported until April 2018 with security updates and patches.
• genugate 9.0: The current version will be supported until the end of 2021 at the least.

As described in our contract conditions, previous software versions are no longer supported, especially genugate 7.0 Z and 8.5. Please upgrade older systems as soon as possible. The next certification is planned for genugate 10.0 Z at the end of 2020. Certified versions have extended patch support for four years; intermediate releases have only one year. Please use certified versions with long term support if yearly upgrades are not feasible.

7.2 Training

Upon request we also offer release trainings in English. Please visit the “Services” or “Workshops & Trainings” section on www.genua.de for more information.

8 Before Upgrading

8.1 System requirements

• The upgrade to version 9.0 is supported from the following preceding versions: 8.0, 8.2, 8.3, 8.4, 8.5 and 8.6. Please note that the upgrade requires at least one of the following patch levels of the preceding versions: 8.0p24, 8.2p10, 8.3p2, 8.4p9, 8.5p9, 8.6p6. With versions 8.2p10 and 8.3p2, only the USB installation medium is supported. Version 8.1 cannot be upgraded to version 9.0 directly.
• genugate 9.0 supports the hardware models 200, 400, 600, 800 in revisions 5, 6 and 7 and the models S, M, L in revision 1.0.
• A minimum of 2 GB RAM on the ALG and 1 GB RAM on the PFL is recommended to run version 9.0.
• Before upgrading, please activate ACPI in the BIOS if it is not already active.
• It is recommended to activate the CPU feature AES-NI in the BIOS for better TLS performance. It is available for the hardware variants L, S and 800, 600 and 400 in revisions 7 and 6.
• Before the actual upgrade starts, a check will be made to determine if the hardware is 64-bit compatible. This check will succeed for any hardware delivered by genua in recent years.
• Sufficient hard drive space is needed on the ALG to perform the upgrade. The procedure to determine hard drive space is described in chapter 9.2.
• The genugate model 200 revision 5 has higher performance on a 64-bit system with a uniprocessor kernel. The upgrader will install such a kernel if your hardware is affected.
• Importing configuration backups is supported for backups made with any genugate version since 8.0.

8.2 General Advice

High Availability

The following procedure is recommended when upgrading an HA cluster:

• Always start with the master.
• Transfer the master’s nodes to the slaves by issuing the command hactl -M sysdown.
• Perform the upgrade as described below.
• Remove the sysdown flag after the upgrade has completed successfully.
• Your cluster is now operating in mixed mode. If mixed mode is not possible or limited for technical reasons, this will be listed in these release notes.
• Repeat the procedure for the slave(s).

Bash

Using bash as a login shell is no longer supported since genugate 8.2. Users and user profiles using bash will have their shell changed to ksh. You will be notified during the test upgrade if any accounts on your system are affected.
Local Customization for Syslog and Logwatch

These steps are only necessary if the upgrade has been started from genugate 8.0. Because the way logging works has changed with genugate 8.2, local customizations (local files) of the files /etc/syslog.conf and /etc/logwatch.conf are incompatible with the new version. If those files have been modified on your system, you will be notified during the test upgrade. These notifications have to be confirmed. If your installation is an HA system, these two files will automatically be removed from the HA file transfer. The local files will be removed during the upgrade. Backups of the files are saved to /etc/configfw/local/etc/syslog.conf.G900_000 and /etc/configfw/local/etc/logwatch.conf.G900_000. If these files are still needed, you must create them by hand after the upgrade. In case of an HA system, add them to the HA file transfer. As before, the content of the file /etc/configfw/local/etc/logwatch.conf is appended to the automatically generated configuration in /etc/logwatch.conf.

The HA Option and CryptoCard Login

These steps are only necessary when upgrading from genugate 8.0. Due to changes in the format of the database needed for the CryptoCard login in genugate 8.2, this database is converted to the new format. On systems with the HA option, the file synchronization will copy the converted database to the other peers. Logging in using CryptoCard is not possible until all systems of the HA cluster have been upgraded to the new version genugate 9.0. A mixed operation of genugate 9.0 and genugate 8.0 is not possible in this case.

Backup

We strongly recommend performing a configuration backup of your genugate system before upgrading. Detailed instructions on how to perform this in the course of the upgrade are available in section 9 of these release notes.

Mirroring

The models genugate 400, 600, 800, M and L are equipped with mirror disks.
During the upgrade procedure, systems with mirror disks (offline mirror) will DEACTIVATE mirroring. This enables testing of the upgrade. The upgrade of systems with mirroring is performed as follows:

• Upgrade the system as described in section 9. The mirror update is automatically deactivated.
• Test: It is usually sufficient to let the upgraded system run under normal conditions for a few days.
• Reactivate mirror: After testing, delete the file /var/db/.NOMIRROR. This reactivates the automatic mirror update and synchronizes the mirror at the next cron job run (nightly at 2.05 a.m.).

8.3 Creating an Installation USB Stick (Windows)

You can use the open source program Rufus on Windows workstations to create a genugate installation USB stick. Rufus can be obtained at https://rufus.akeo.ie. The program does not require installation; a double click is sufficient to execute it. However, it does require administrative privileges to be able to write a boot record to the USB stick. After you have downloaded Rufus, you have to perform the following steps:

1. Download the current genugate installation image from https://www.genua.de → Support → Downloads → Release Downloads → genugate.
2. Insert the USB stick into your workstation.
3. Start Rufus.
4. Select the USB stick from the “Device” list.
5. Check the “Create a bootable disk using” select box.
6. Choose “DD Image”.
7. Click on the CD icon and select the downloaded genugate installation image.
8. Start the USB stick creation with a click on “Start”.

8.4 Creating an Installation USB Stick (Unix / Linux)

Users of Unix-like operating systems can use the dd command. You usually need root privileges to be able to write to the USB stick.

# dd if=/path/to/gg-image of=/dev/usb-stick bs=1m

The paths have to be adjusted according to your environment. Note that GNU dd on Linux expects the block size suffix in upper case (bs=1M); the lower-case form shown is the BSD spelling. Make sure that of=/dev/usb-stick really names the USB stick and not a system disk, since dd overwrites the target without confirmation.
8.5 Configuring Boot Priority for USB Installation

In our knowledge base (https://www.genua.de/en/support) you will find the topic "Installation via USB flash drive". It contains instructions on how to change the boot priority for all hardware variants.

8.6 Test Upgrade in Multi User Mode

Please note that the upgrade requires at least one of the following patch levels of the preceding versions: 8.0p24, 8.2p10, 8.3p2, 8.4p9, 8.5p9, 8.6p6. With versions 8.2p10 and 8.3p2, only the USB installation medium is supported.

A "test upgrade" of the genugate system is necessary to detect and handle problems and inconsistencies before the actual upgrade. The procedure is as follows:

Remove all media from the ALG and insert the genugate 9.0 installation medium. Log on to the system as the user "admin" and become "root" with the command su.

admin@gg:~# su
Password:
Mar 18 13:33:37 gg su: admin to root on /dev/console
root@gg:~#

Enter the command ggupgrade to start the test upgrade. The patches already published for genugate 9.0 can be fetched at this point by answering yes. The tool prints each message in German followed by English; only the English text is shown here.

root@gg:~# ggupgrade
Executing upgrade script from cdrom / USB stick.
Starting /cdrom/usr/local/gg/sbin/ggupgrade ...
Before the upgrade will be started, patches for the new release are
fetched now. That way your genugate will start working with the latest
patchlevel right after upgrade.
Get upgrade patch from USB stick ...
Retrieving G900_000.tar
Extracting G900_000.tar
The patches for the new version can be fetched from genua over the Internet.
Patches from genua (yes no) [yes]? yes

A notification follows that there may be further questions or warnings. Simply enter [RETURN] here.
Over the course of the test upgrade, you are asked specific questions or have to confirm certain notifications, depending on your system configuration. New virus scanner patterns can also be retrieved during the test upgrade; alternatively, do this after the upgrade is finished.

The test upgrade first converts the registry and writes the result to the human-readable file /etc/configfw/fw.cfg.pretty-G900_000. The running system's registry itself is not modified. Any inconsistencies found trigger error messages, which must be acknowledged explicitly where necessary. Please note that the test upgrade cannot diagnose whether there is sufficient hard drive space on older hardware; to determine the needed space, follow the procedure described in section 9.2.

After the registry test conversion, the command configfw is executed to check that the configuration files are generated correctly from the converted data. Afterwards, normal system operation continues with the original, unconverted configuration, or the actual upgrade can be performed as described in section 9. Please contact your service partner for further support. Detailed information is available in the files /var/gg/patches/G900_000.log (registry upgrade) and /var/gg/patches/G900_000.configfw.log.

9 Upgrade Installation

The upgrade to version 9.0 is supported from the following preceding versions: 8.0, 8.2, 8.3, 8.4, 8.5 and 8.6. Please note that the upgrade requires at least one of the following patch levels of the preceding versions: 8.0p24, 8.2p10, 8.3p2, 8.4p9, 8.5p9, 8.6p6. With versions 8.2p10 and 8.3p2, only the USB installation medium is supported.

9.1 Data Backup

The upgrade to genugate 9.0 does not affect log files and e-mails in the system spool directory.
Nevertheless, please back up your configuration before the upgrade with:

# cfgbu -s -F ‹/path/filename›

To back up log files and e-mails as well, the configuration backup must be extended as described in the product manual, chapter "Extending the Configuration Backup".

9.2 Minimum Available Disk Space

Sufficient space in the partitions on the hard drive is needed for a successful upgrade. Above all, the partitions / and /usr should use at most 33 percent of their capacity (the "Capacity" column). Enter the command df -h to determine file system usage:

admin@gg:~# df -h
Filesystem     Size    Used   Avail Capacity  Mounted on
/dev/sd0a      500M   64.0M    411M    13%    /
/dev/sd0f      2.6G    126M    2.3G     5%    /cage
mfs:6239      61.3M    6.0K   58.3M     0%    /tmp
/dev/sd0d      2.6G    328M    2.1G    13%    /usr
/dev/sd0e      1.3G   84.8M    1.1G     7%    /var

9.3 Performing the Upgrade

Please note: physical access to the genugate system itself is necessary, as installation and backup media need to be inserted or switched.

Insert the genugate 9.0 installation medium, log on to the system as the user "admin", and become "root" with the command su.

admin@gg:~$ su
Password:
root@gg:~#

Reboot the system now.

root@gg:~# reboot
/etc/rc.shutdown in progress...
2/2 addresses added.
/etc/rc.shutdown complete.
syncing disks... done
rebooting...

Make sure the system boots from the inserted genugate 9.0 medium by checking for the message bsd.install at the boot prompt.

>> OpenBSD/amd64 BOOT 3.28
boot>
booting hd0a:bsd.install: 4088500+1562040+189448+0+585728 [97+371280+232287]=0x6b6918
entry point at 0x1000160 [7205c766, 34000004, 24448b12, d120a304]
[ using 604440 bytes of bsd ELF symbol table ]
Copyright (c) 1982, 1986, 1989, 1991, 1993
        The Regents of the University of California.  All rights reserved.
Copyright (c) 1995-2016 OpenBSD. All rights reserved.  http://www.OpenBSD.org

OpenBSD 5.9 (ALG.install) #0: Fri Mar 18 15:10:56 CEST 2016
...
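The 33 percent rule of section 9.2 is worth scripting when more than one genugate has to be checked before the reboot into the installer shown above. The following shell function is an added example and not genugate tooling: it reads df -h output on standard input, looks at the Capacity column of the / and /usr lines, and fails when either exceeds the limit (33 percent by default, a different limit can be passed as the first argument). Run it on the ALG with df -h | check_upgrade_space before starting the upgrade.

```shell
#!/bin/sh
# Added example, not part of genugate: apply the "at most 33 percent"
# rule from the release notes to "df -h" output read from stdin.
#
# Prints one line per checked mount point, "OK <mount> <pct>%" or
# "FULL <mount> <pct>%", and returns 1 if any checked partition is
# above the limit. Only / and /usr are checked, as in the release notes.
check_upgrade_space() {
  limit="${1:-33}"
  awk -v limit="$limit" '
    NR == 1 { next }                         # skip the df header line
    $NF == "/" || $NF == "/usr" {
      pct = $(NF - 1)                        # Capacity column, e.g. "13%"
      sub(/%/, "", pct)
      status = (pct + 0 > limit) ? "FULL" : "OK"
      printf "%s %s %s%%\n", status, $NF, pct
      if (status == "FULL") bad = 1
    }
    END { exit bad ? 1 : 0 }
  '
}

# Usage on the ALG before the upgrade:
#   df -h | check_upgrade_space || echo "free space on / or /usr first"
```

The mount point is taken from the last field and the capacity from the one before it, so the function does not depend on the column widths, which differ between OpenBSD and GNU df.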
After loading the kernel, the genugate 9.0 installation routine prompts you for the installation language and keyboard mapping. Afterwards, select the installation mode upgrade.

genugate Installation
Select language.
Sprache/Language (de en) [de] ? en
Select the layout of the keyboard connected to the genugate.
Keyboard layout (us de de.nodead ... cf.nodead lv nl nl.nodead) [de.nodead]? us
kbd: keyboard mapping set to us
Probing system.
Choose installation, upgrade or recovery from backup.
Mode (install upgrade recover) [upgrade] ? upgrade

The hard drives and file systems are checked, mounts are performed and the upgrade is started.

Mount hard disk.
Select boot hard disk.
Detecting hard drives in system.

If your system contains a mirror disk, you are asked to confirm the right disk for the installation of the upgrade.

More than one possible hard disk found. You have to choose a drive to install.
Boot hard disk (sd0 sd1) [sd0] ? [RETURN]
Boot hard disk selected.
Unmount all partitions.
Read in fstab.
Check file systems.
/dev/rsd0a: file system is clean; not checking
/dev/rsd0f: file system is clean; not checking
/dev/rsd0d: file system is clean; not checking
/dev/rsd0e: file system is clean; not checking
Mount all partitions.
Remove flags.
Reading random seed from disk.
genugate licenses.
Initialize license.

You are prompted for the genugate license number and the hardware serial number. The values from the previous installation are still valid; press [RETURN] to accept them.

Enter license. The value to be entered has the format 1234-GG-ABCD-EFGH-IJKL-MNOP.
License [1234-PROD-ABCD-EFGH-IJKL-MNOP] ? [RETURN]
Enter serial number. The value to be entered has the format XXXXX-XX-XXXX.
Serial number [12345-CD-89AB] ? [RETURN]

You can now transfer patches from a USB stick, from an HA peer or over the network.

Get patches from USB stick.
Fetch patches from USB medium (yes no) [no] ? [RETURN]
Get patches from HA peer.
Fetch patches from HA network (yes no) [no] ? [RETURN]
Get patches from genua.
Fetch patches from network (yes no) [no] ? [RETURN]

The upgrade begins now. The new software is copied to the system and the configuration starts.

Begin upgrade.
Copy upgrade patch from USB.
Retrieving G900_000.tar
The system is ready for upgrade.
Using new ggpatch /var/gg/patches/ggpatch.
...

At the end of the upgrade, you are prompted to set new passwords for the administrative accounts "admin" and "root". Alternatively, keep the existing passwords by pressing [RETURN] to select no.

Set administrator passwords.
Set passwords (yes no) [no] ? no

The upgrade is complete. Press [RETURN] to restart the system, and remove the USB stick after the "rebooting..." message.

Press [RETURN] to reboot, remove the installation media after the 'rebooting...' message.
Reboot now (reboot) [reboot] ? [RETURN]

The system now starts the new software. After the kernel has been loaded, you are prompted for the "root" password if a bootinstall script needs to be run. Depending on your genugate configuration, bootinstall scripts may be necessary to upgrade the PFL (packet filter) system component, to upgrade the virus scanner or to perform maintenance tasks. If you are running the packet filter in remote upgrade mode, the upgrade process does not create a bootinstall script to update the packet filter; update the packet filter manually after the upgrade is finished, as described under "Updating the Packet Filter" below. If there are no bootinstall scripts, this step does not apply.

At least one bootinstall script was found.
You can only run them as root.
You will be asked for the root password now.
If you do not know it, enter an empty string three times,
and boot will continue without executing the bootinstall scripts.
Enter your root password now.
You have 60 seconds to authenticate!
Enter root password!
Password:

Select a bootinstall script by its index number, or select all bootinstall scripts with *.
Start the script by entering [RETURN], y, [RETURN].

Select a list of bootinstall scripts by entering their numbers or by entering * to select all.
================================================================
1) /var/gg/boot/bootinst.2016.03.18-08.15.00.exe Create PFL bootmedium
Auswahl (1) []: 1
1) /var/gg/boot/bootinst.2016.03.18-08.15.00.exe Create PFL bootmedium
Is this ok? (y/n) [n]: y

Insert the PFL USB stick into a free USB slot of the ALG and rewrite the PFL medium. Follow the displayed instructions to restart the PFL. After the restart, log on to the ALG. A banner with the new version number is displayed.

login: admin
Password:
Welcome to your genugate Firewall System.
This system is running genugate Version 9.0 000 based on OpenBSD 5.9
admin@gg:/var/home/admin$

Enter the command su to become "root" and execute the command configfw. This is necessary to perform the syntax checks of the configuration files, which the upgrade itself does not perform:

root@gg:~# configfw
SYSLOG: Mar 18 16:33:56 configfw[2636]: I5200 1364312036 SubSystem: Installiere /etc/licenses
SYSLOG: Mar 18 16:33:56 configfw[2636]: I5200 1364312036 SubSystem: Kommando: /usr/local/gg/sbin/licctl -M read -M store
SYSLOG: Mar 18 16:34:03 configfw[2636]: I5200 1364312043 SubSystem: Kommando: ln -sf /usr/share/zoneinfo/CET /etc/localtime
SYSLOG: Mar 18 16:34:03 configfw[2636]: I5200 1364312043 SubSystem: Installiere /etc/master.passwd
SYSLOG: Mar 18 16:34:03 configfw[2636]: I5200 1364312043 SubSystem: Kommando: /usr/sbin/pwd_mkdb -p /etc/master.passwd
SYSLOG: Mar 18 16:34:03 configfw[2636]: I5200 1364312043 SubSystem: Kommando: /sbin/pfctl -t badip -T replace -f /etc/badip
no changes.
SYSLOG: Mar 18 16:34:03 configfw[2636]: I5200 1364312043 SubSystem: Installiere /etc/logwatch.conf
SYSLOG: Mar 18 16:34:03 configfw[2636]: I5200 1364312043 SubSystem: Sende Signal 1 an PID 18736 (/var/run/logwatch.pid)
SYSLOG: Mar 18 16:34:03 configfw[2636]: I5200 1364312043 SubSystem: Kommando: /usr/local/gg/sbin/watchdog
SYSLOG: Mar 18 16:34:03 configfw[2636]: I5200 1364312043 SubSystem: Sende Signal 0 an PID 18461 (/cage/nsd/var/nsd/run/nsd-System_DNS.pid)
SYSLOG: Mar 18 16:34:03 configfw[2636]: I5200 1364312043 SubSystem: Sende Signal 0 an PID 26126 (/cage/unbound/var/run/unbound-System_DNS.pid)
SYSLOG: Mar 18 16:34:03 configfw[2636]: I5200 1364312043 SubSystem: Installiere /cage/squid/etc/squid/squid-8000.conf
SYSLOG: Mar 18 16:34:03 configfw[2636]: I5200 1364312043 SubSystem: Kommando: chroot -u _squid /cage/squid /usr/local/sbin/squid -z -N -f /etc/squid/squid-8000.conf
...

To check that all files were installed correctly, run filecop:

root@gg:~# filecop
filecop: Phase 1 - comparing database(es) with filesystem
filecop: Phase 2 - comparing filesystem with database(es)

If the option genuscan is installed on your system, make sure to update the virus scanner if you have not already done so during the test upgrade. As root, execute the command getpatterns -f:

root@gg:~# getpatterns -f
...

Updating the Packet Filter

If no bootinstall script for updating the packet filter was created during the upgrade, the packet filter has to be updated manually, because genugate 9.0 uses a new bootloader. Bring your system into single user mode (shutdown now) and execute the command bsadm -M all. First you have to confirm that you really want to use the upgrade mode. Insert the USB stick of the PFL into an empty USB slot on the ALG and write the PFL boot medium. After finishing this step, plug the USB stick back into the PFL and reboot it.
Please note that the described steps with the USB upgrade are absolutely necessary, because the bootloader cannot be upgraded via remote upgrade.

Update of the Mirror Disk Bootloader

genugate 9.0 uses a new bootloader. The bootloader on the mirror disk must therefore be updated after the file /var/db/.NOMIRROR has been deleted (see "Mirroring" in section 8). Bring your system into single user mode (shutdown now) and execute the command mirror-disk -C /etc/mirror-disk.cfg. If you are using a non-standard mirror disk configuration, adjust the path to the configuration file accordingly. After returning to multi user mode, mirroring works as usual.

Configuration of the IPsec Passphrase on HA Systems

Since genugate 8.3, the HA network is meant to be secured with IPsec. Configure an IPsec key after all HA peer systems have been updated successfully; this automatically enables IPsec encryption on the HA network. Until the key is configured, the HA traffic between the peers is not protected by IPsec. Further information on the setup of an encrypted HA system is available in the chapter "Installation and Configuration of an HA Cluster" of the Administration Manual.

Enjoy your new genugate system!

10 Information on the Web

These release notes are also available on our Web server in the "Support" area: www.genua.de/en/ → Support → Downloads → Release Notes → genugate. Further information is available in the "Internal Support Area", Product Support → Knowledge Base → genugate (login required).

11 How to Contact Us

genua GmbH
Domagkstrasse 7, 85551 Kirchheim, Germany
phone +49 89 991950-900, fax +49 89 991950-999
[email protected], www.genua.eu

© 2017 genua GmbH, Kirchheim. All rights reserved. genugate and genua are registered trade marks of genua GmbH. Management board: Dr. Magnus Harlander, Bernhard Schneck, Marc Tesch. Amtsgericht Muenchen HRB 98238. genua is a Bundesdruckerei company.