Academic year: 2021

Firewall Server 7.2

Release Notes

BorderWare Technologies is pleased to announce the release of version 7.2 of the Firewall Server. This release includes the following new features and improvements.

What's New in Firewall Server 7.2

Spyware Detection

BorderWare Firewall Server 7.2 introduces new Spyware filtering, making it the first perimeter firewall to include extensive Spyware detection and blocking capabilities. Spyware programs are typically Trojan-horse type applications that may not cause any harm to the computer itself (as a virus or worm would), but can be used to hijack system resources, transmit sensitive information such as credit card numbers and passwords to external sources, monitor a user's activities, hijack web browser sessions, and download intrusive and potentially dangerous adware applications.

The recent growth of these non-viral but potentially hostile programs, which can be used to attack users or hijack their systems for malicious purposes, has made additional scanning capabilities necessary to detect them.

These spyware detection capabilities are built into the Kaspersky Anti-Virus engine and database, and no additional configuration is required.

Anti-Virus Traffic Management

Administrators can configure more granular control over the types of network traffic that will be scanned by the anti-virus scanning engine. For each traffic type, such as SMTP E-mail, HTTP downloads, and FTP uploads and downloads, administrators can define exceptions to the scanning policy by defining lists of IP addresses, domains, e-mail addresses, media types, file extensions, and spyware names that will not be scanned by the anti-virus engine.

Administrators can define Anti-Virus scanning exceptions using the following properties:

• IP addresses and entire networks
• Hostnames and domains
• File Type (such as .exe)
• Media type (such as application/pdf)
• Spyware Name

New Anti-Virus Traffic Type Options

The following new options have been added to the Anti-Virus scanner's HTTP Proxy and E-Mail Server traffic types:

HTTP Proxy – Maximum File Size: This value specifies, in kilobytes, the maximum file size that will be scanned by the anti-virus scanner when downloaded through the HTTP proxy. This option prevents very large files from causing latency with the anti-virus scanner. The maximum value that can be set is 1000000 KB (1 GB). Set this value to "0" for unlimited size. The default is 20000 KB (20 MB). If the file is larger than this value, the file will be rejected.

E-Mail Server – Whitelist on unopenable attachment: Select the check box to prevent messages with attachments that are encrypted or password protected from being blocked by the anti-virus scanner. Encrypted or password protected attachments cannot be opened for anti-virus scanning and will be automatically considered malicious and the configured action will apply unless the Whitelist on unopenable attachment option is selected.

Network Adapter Support

Support has been added for the Intel Pro 1000 GT and the SysKonnect SK-9821 network adapters.

Features Added in 7.1 Service Patch 1 and 2

Firewall Server 7.2 also includes new SMTP Mail Server and Direct Packet features that were added in Service Patch 1 and 2 for Firewall Server 7.1.

The following new options appear in the General Mail Settings screen.

Reject on Unauth Pipelining – Rejects mail when the client sends SMTP commands ahead of the message where it is not allowed or without knowledge that the mail server supports ESMTP command pipelining. This feature blocks mail from bulk mail software that uses ESMTP command pipelining improperly to speed up deliveries.

Reject on Unknown Sender Domain – Rejects mail when the "MAIL FROM" address domain does not appear in DNS as an A or MX record.
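The following is an added illustration of the kind of check the Reject on Unauth Pipelining option describes; it is not BorderWare code, and the product's own implementation is not documented in these notes. It assumes a hypothetical model in which each list item is everything the server read from the client before sending its next reply, and it applies the RFC 2920 rule that certain commands must end a pipelined group.

```python
# Added example: a constructed model of an "unauthorized pipelining" check.
# Not the Firewall Server's implementation; names and sample data are hypothetical.

# RFC 2920: these commands may only appear last in a pipelined group.
# HELO is added here as an assumption of this model, since a HELO client
# never sees the PIPELINING keyword.
MUST_BE_LAST = {"EHLO", "HELO", "DATA", "VRFY", "EXPN", "TURN", "QUIT", "NOOP"}


def check_pipelining(chunks):
    """Return (ok, reason) for the command phase of one SMTP session.

    chunks: list of bytes; each item is everything the server read from the
    client before it sent its next reply. More than one command in an item
    means the client did not wait for a reply, i.e. it pipelined.
    """
    pipelining_known = False  # True once the client has received an EHLO reply
    for chunk in chunks:
        lines = [l for l in chunk.split(b"\r\n") if l.strip()]
        verbs = [l.split(None, 1)[0].upper().decode("ascii", "replace") for l in lines]
        if len(verbs) > 1:
            if not pipelining_known:
                return False, "pipelined without knowing the server supports it"
            for verb in verbs[:-1]:
                if verb in MUST_BE_LAST:
                    return False, verb + " sent with more input queued behind it"
        if verbs and verbs[-1] == "EHLO":
            pipelining_known = True   # assumes the EHLO reply lists PIPELINING
        elif verbs and verbs[-1] == "HELO":
            pipelining_known = False  # plain SMTP: no extensions announced
    return True, "ok"


# Constructed sample sessions.
POLITE = [b"EHLO client.example\r\n",
          b"MAIL FROM:<a@client.example>\r\nRCPT TO:<b@corp.example>\r\nDATA\r\n"]
BLIND = [b"HELO client.example\r\nMAIL FROM:<a@client.example>\r\n"
         b"RCPT TO:<b@corp.example>\r\nDATA\r\n"]
EAGER = [b"EHLO client.example\r\n",
         b"MAIL FROM:<a@client.example>\r\nRCPT TO:<b@corp.example>\r\n"
         b"DATA\r\nSubject: hi\r\n"]

if __name__ == "__main__":
    for name, session in (("polite", POLITE), ("blind", BLIND), ("eager", EAGER)):
        print(name, check_pipelining(session))
```

The model covers only the command phase up to DATA; a session that sends message content in the same burst as DATA is the "commands ahead of the message" case and is rejected.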

The following new options appear in the Advanced section of the General Mail Settings screen.

Disable SMTP Pipelining – If enabled, the Firewall's SMTP Mail server will not send SMTP pipelining commands when delivering mail. Some mail servers may experience problems with SMTP command pipelining, in which case you may have to disable pipelining.

Bounce queue lifetimes (hours) – The maximum time (in hours) a bounce message (an undeliverable message returned to the sender) is queued before it is considered undeliverable.

Bounce message size limit (Kb) – The maximum amount of original message text (in kilobytes) that is sent in an undeliverable bounce message notification.

Direct Packet Exclusion Rules

Exclusion rules allow administrators to define traffic which will be excluded from the Direct Packet Option (DPO). When using DPO, it is sometimes necessary to create exclusions to existing rules to ensure that access to specific networks is not inadvertently opened up. Exclusion rules are configured via Proxies → Direct Packet → Exclusion Rules.

Product Notes

• BWClient version 2.2.5 or later is required to configure the new Firewall Server 7.2 features such as Anti-Virus Traffic Management and Traffic Type options.
• Support for a diskette backup and restore has been removed for version 7.2. Backup and restore is now only supported using the XML method.

Issues Fixed In This Release

The following issues have been fixed in version 7.2 since the release of Firewall Server 7.1:

General

• In certain environments, the session count values were not properly reported by the super proxy process.
• The Firewall Server was reporting the 3Com Gigabit SK card's speed as 100 Mbps full duplex when using autoselect mode. The Firewall now properly recognizes the card as 1000 Mbps at full duplex.
• Squid Reports are not sent to a configured alias.
• Uploading files fails via the HTTP super_proxy and causes high CPU utilization to occur.
• Modifications in the BWClient Admin menu disable sending logs to Syslog.
• Using a combination of the Firewall console and BWClient to view and load patches results in the patches not displaying in the BWClient interface.
• HALO Offloading does not work in all cases when the system is using IPSec
• When dynamic DNS is enabled, a record was automatically added to the matching internal zone when added into the external zone.

Mail Server

• In some cases, the external SMTP server would not time out an SMTP connection in the correct time.
• The change in order of operations for the Mail Server resulted in mail not being delivered to local POP accounts when a mail route matched the organization's domain.
• Mail Aliases that have uppercase letters could not be edited or deleted.
• Mail Aliases with uppercase letters are not converted to lower case upon a restore causing delivery problems.
• The CRLF.CRLF sequence within the DATA section of an email message was not being handled properly.
• The SMTP disable pipelining option was also disabling all other ESMTP options.
• Deleting mail from the mail queue with specific queue ID values results in a "No Such Message" error.
• On the Firewall Server console, you cannot delete a mail message with queue ID of 1 or 2 digits.

Backup and Restore

• When upgrading a configuration from 6.5, the pre-defined SNMP proxy was missing.
• After a restore from Firewall 6.5, the SMTP proxy did not initially work.
• After a configuration restore, the IPSec server license reverts back to evaluation mode.
• Access rules are not enabled on the SMTP Mail servers when restoring a 6.5A XML configuration via BWClient.
• XML restores do not restore the EnableTimeOuts and TimeOutPeriod values on some proxies.
• When a configuration is restored, incorrect IPSec connection priority values are
• When a configuration is restored, the default mail route was not being written into the database properly.
• A configuration restore fails if there is a comma in the VPN Connection Name.
• After a configuration restore, problems could occur when trying to enable a connection with NAT.
• The Text configuration backup did not contain updated mail server settings.
• The Software Updates section in the XML backup file contained duplicate entries.
• Restoring a 6.5 configuration results in the insertion of access rules on some AUX Servers where there should not be any.
• Secure GUI configuration on the AUX Servers disappears after restoring 6.5A XML configurations.
• The remote management user named "admin" could not be deleted after a configuration restore.
• A Firewall configuration file using PPPoE for the external connection can cause errors on a restore.

Direct Packet

• The Direct Packet Destination NAT Port is set incorrectly in the configuration file in some cases.
• When using Direct Packet, the Internal network is accessible if the rule is SSN to External with a destination address of "any".
• SSN network is accessible if a Direct Packet rule is configured for Internal to External with a destination address of "any".

IPSec VPN

• IPSec 4.0 does not have an option to set an unlimited value for Hard and Soft byte counts.
• Adding or editing VPN connections fails when using special characters for the connection name.

Proxies

• The External MAT to SSN Anonymous FTP proxy could not be modified on the
• An error occurs when editing external MAT proxies inbound from the Firewall Server console.
• A long GET request causes HTTP traffic to partially load web pages.
• Deleting cached pages from the Proxy Server did not clear all instances.
• The WWW session count (pre-defined proxy) is inconsistent with the actual system counts.
• The Proxy Server potentially leaks some internal IP addresses via the HTTP header on carefully formed requests.

Anti-Virus Scanning

• The Anti-Virus notification address is displayed incorrectly in the admin log when updating from the console.
• Certain FTP clients will send a zero-byte file when Anti-Virus is enabled through the FTP proxy.

Security Patches

Firewall Server 7.2 includes the following security patches that were released for version 7.1.

BIND 8.4.6

BIND has been updated to 8.4.6 to resolve the following security advisories where a buffer overflow vulnerability could result in a denial of service attack:

CAN-2005-0033: Buffer overflow in the code for recursion and glue fetching in BIND 8.4.4 and 8.4.5 allows remote attackers to cause a denial of service (crash) via queries that trigger the overflow in the q_usedns array that tracks nameservers and addresses.

NISCC-UNIRAS 20050125-00059: BIND uses a certain array to track nameservers/addresses that have been queried; it is possible to remotely overrun the buffer for this array and cause a denial-of-service.

CERT Vulnerability Note VU#327633: A vulnerability in the BIND name server could allow a remote attacker to cause a denial of service against an affected system.

Squid 2.5 Stable 8

The Firewall's Squid Proxy Server has been updated to version 2.5 Stable 8.

FreeBSD

This release resolves FreeBSD security advisory FreeBSD-SA-05:15.tcp where an attacker can cause a denial of service situation by stalling the TCP connection.

Known Issues In This Release

The following are known issues in this release:

• The SysKonnect network card (sk driver) does not support half-duplex mode. If you select 1000BaseTX in the Firewall Server's media type for this card, the interface will not be assigned an IP address. Administrators must use autoselect mode when using this network interface.
• After restoring a previous configuration (with the Squid Proxy Server enabled) to a fresh installation of the Firewall Server, the Squid Proxy Server process will not be running. You must disable and then re-enable the squid proxy server after the restore.
• SecurID authentication does not work with the member server of a HALO configuration because the configuration is not fully replicated from the master to the member system.
• When using the Firewall Server's IPSec VPN option and the SSH Sentinel VPN Client 1.4.1 Build 120, the VPN connection will not work using a dial-up connection to the Internet via modem. The VPN connection will be established, but no traffic will be sent through the tunnel.
• When sending mail via the SMTP Mail server, the subdomains of email addresses are stripped off even when the Strip Internal Headers option is disabled. Any subdomain that should be seen externally in e-mail addresses should be listed as a mail route.
• Mail is accepted for subdomains even though the Route mail for this domain only option is enabled.
• When manually updating Anti-Virus patterns via the console, the following errors may be displayed. "fs_wall: Error adding ipfw rules: setsockopt IP_FW_DEL:: Invalid argument. No matching processes were found". The error is benign, and the pattern files will be updated properly.

Installation and Upgrades

If this is an initial installation of the Firewall Server, please see the Firewall Server Installation Guide for instructions.

If you are upgrading the Firewall Server from a previous version, you must be running version 6.5 or later.

Recommended Upgrade Procedure

To upgrade from 6.5 or later to version 7.2:

1. Create configuration backup(s) using the XML method. It is also recommended that you save a copy of the Text configuration.
2. Install and license the Firewall Server 7.2 software.
3. Install and license options, such as IPSec and HALO, if any.
4. Restore the Firewall configuration via XML.

For more detailed instructions, please see the How to Upgrade to Version 7.2 document.
