
BorderWare Firewall Server 7.1

Release Notes

BorderWare Technologies is pleased to announce the release of version 7.1 of the BorderWare Firewall Server. This release includes the following new features and improvements.

New Features and Improvements

Operating System

The operating system kernel has been updated to FreeBSD 4.7.

Alarms and SNMP

• Alarms now generate an SNMP trap

• The SNMP community string has been changed to “BTI” from “public”.

Proxy Server

• The proxy server has been upgraded to Squid 2.5 stable1.

• All logs can now be forwarded to a remote syslogd server.

Mail Server

• The SMTP mail server has been changed from Zmailer to Postfix.

• Mail routing now has a KeepOpen option to keep open mail routes to frequently used mail servers. Enabling this option will give priority to local servers.


DNS

The following features and improvements have been added to the DNS server:

BIND Upgrade: DNS has been upgraded to BIND 8.4.4.

Dynamic DNS on Internal Interface: Support for Dynamic DNS on the internal interface has been added. Access control lists (ACLs) can be used to limit access for dynamic DNS updates.

Recursive Query ACL: You can now control which hosts can perform recursive queries on an external DNS server via a configurable access control list (ACL).

External DNS Server Cache Inquiry ACL: ACLs can be set up to restrict which hosts are allowed to perform queries to the external DNS server cache. All zones hosted on the firewall will allow anyone to query them, but the external DNS server's cache can no longer be queried.

SOA Serial Number Increments: The SOA serial number increment behavior can be modified. When this option is enabled, the serial number increments for each zone in your DNS, resulting in a different serial number for each zone. When disabled, the serial number increments only once for all zones in a particular domain type (such as Internal-Forward), so that each zone in a domain has the same serial number, resulting in fewer serial numbers per update.

Internationalized Domain Names (IDN): Through BWClient, you can configure internationalized DNS domain names. This feature will convert a domain name specified in a local language to ASCII format for use with internationalized DNS.

SPF Support: SPF (Sender Policy Framework) allows you to validate the sender of an email message by comparing the Envelope-from part of the address to the sending domain's DNS record. This prevents spammers from sending forged emails. For each domain or individual host in your DNS server, you can specify the SPF TXT record.

• The DNS cache can be cleared without rebooting the firewall. This can only be performed from the Firewall console.
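The SPF check described above, as an added example written for these notes (not BorderWare's own code): a simplified evaluator that takes the connecting IP address and the Envelope-from address, fetches the sending domain's SPF TXT record, and returns the SPF result. The TXT records below are constructed samples using documentation address blocks, standing in for real DNS lookups; `spf_txt_record` shows the shape of the record an administrator would publish for a domain or host. Only the ip4, ip6, include and all mechanisms are evaluated; mechanisms that need further DNS lookups are reported as permerror.

```python
import ipaddress

# Constructed sample TXT records standing in for DNS lookups; these are
# documentation addresses, not any real domain's published policy.
SAMPLE_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all",
    "_spf.example.net": "v=spf1 ip4:198.51.100.25 ip6:2001:db8::/32 ~all",
    "example.org": "v=spf1 ?all",
}

# Mechanism qualifier -> SPF result when that mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_txt_record(networks, policy="-all"):
    """Build the TXT record an administrator would publish for a domain or host."""
    terms = []
    for net in networks:
        n = ipaddress.ip_network(net, strict=False)
        terms.append(("ip4:" if n.version == 4 else "ip6:") + str(n))
    return " ".join(["v=spf1"] + terms + [policy])


def lookup_spf(domain, records=SAMPLE_TXT):
    """Return the SPF record published for a domain, or None if there is none."""
    rec = records.get(domain.lower())
    return rec if rec and rec.startswith("v=spf1") else None


def check_spf(sender_ip, envelope_from, records=SAMPLE_TXT, _depth=0):
    """Return pass/fail/softfail/neutral/none/permerror for one SMTP transaction.

    Only ip4, ip6, include and all are evaluated; a/mx/ptr/exists would need
    further DNS lookups and are reported as permerror here.
    """
    domain = envelope_from.rsplit("@", 1)[-1]
    record = lookup_spf(domain, records)
    if record is None:
        return "none"
    if _depth > 10:            # guard against include loops
        return "permerror"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif mech == "include":
            # An included record counts as a match only when it returns pass;
            # a missing or broken included record is a permanent error.
            sub = check_spf(sender_ip, "postmaster@" + arg, records, _depth + 1)
            if sub == "pass":
                return QUALIFIERS[qualifier]
            if sub in ("none", "permerror"):
                return "permerror"
        else:
            return "permerror"
    return "neutral"           # record ended without a matching term


if __name__ == "__main__":
    for ip, sender in [("192.0.2.10", "alice@example.com"),
                       ("203.0.113.5", "bob@example.com")]:
        print(ip, sender, "->", check_spf(ip, sender))
```

A mail server that enforces the result would reject on "fail", accept but mark on "softfail", and treat "none" as no policy published; the constructed example.com record ends in "-all", so a message from an address outside its listed networks fails.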


HALO Load Optimization

HALO (High Availability for Parallel Firewalls) now features load optimization abilities. The MASTER system can be configured to offload specific network traffic and ports to a BACKUP system, and also configure what network traffic and ports to accept if the current master system is in BACKUP mode.

For example, you can assign the MASTER system to accept connections for HTTP port 80 traffic, but offload any FTP traffic to the BACKUP system. The MASTER Firewall Server will still accept all traffic, but any offloaded services will be forwarded to the BACKUP firewall. If the BACKUP system is not available, the MASTER can take over these services again as part of the failover process.

If a HALO system is in BACKUP mode, it will allow connections on 441, 442 (for BWClient), and port 161 (for SNMP). This allows you to examine the status of a BACKUP system in a HALO cluster.

UDP Session Support

Support for UDP sessions includes double the previous number of allowed connections. The previous maximum for one UDP proxy was 3975 sessions. It has been increased to 8192 if the high port range (49152-65535) is chosen. It will remain at 3975 sessions when the normal port range (1024-5000) is chosen. If multiple UDP proxies pick the same range, the ports will be shared, one port per session on a first come, first served basis.

Direct Packet Option

The following features and improvements have been added to the Direct Packet Option:

• NAT support has been added for protocols other than TCP, UDP, and ICMP. To use other protocols, such as ESP (IPSec), the firewall's private networks (Internal, SSN, AUX) must use a routable IP address.

• Destination NAT has been added for SSN-to-INT traffic. This provides the same behavior as the SSN-to-INT proxy, and allows optional destination NAT for all directions.

• Inbound Ping (ICMP) traffic is now supported. Note that NAT is not supported


IPSec VPN Option

The following features and improvements have been added to the IPSec VPN Option:

Policies: This feature allows ciphers, encryption, and other IPSec connection options to be defined in a policy that can be applied to several connections, instead of configuring these options for each individual connection.

Dynamic Remote Gateway: You can now configure dynamic server-to-server VPN connections. Previously, these connections could only be static.

Internal IPSec: A local gateway can be configured to protect traffic between internal (SSN or AUX) hosts and the firewall server.

Bypass Only: This setting can be used to allow ESP traffic to be processed by the Direct Packet option, bypassing IPSec.

LDAP ID Support: You can now use LDAP distinguished name format to specify connection authentication IDs.

Multiple Remote Authentication IDs: Authentication IDs are required to identify a remote client. You can now set multiple Remote Authentication IDs for one connection. This feature allows you to create one connection with several authenticated IDs, rather than having to make separate connections for each one.

XAUTH Support: Support has been added for Extended Authentication (XAUTH), which allows you to select SecurID and RADIUS via PAM as options for secure authentication instead of just clear text passwords.

Forward Packets: This option allows packets that exit a tunnel to be forwarded through the firewall if the destination is on the other side of the firewall. This option is required when a remote site needs to access the Internal → External proxies on the firewall, even though these packets originate from the Internet and return to the Internet. For example, an external client may want to use the firewall's proxy server for accessing HTTP over the Internet. The traffic would be sent back to the external interface of the firewall to be filtered through its application level proxies.

Deny Packets: This feature, if enabled, will prevent non-IPSec encrypted traffic from leaving the firewall. This is typically used with Responder Only type connections.

Priority: The order of priority for IPSec connections can be modified.


IP Compression: Support for IP compression has been added to improve performance over slow network connections.

Path MTU Discovery: MTU is the size restriction for packets during a transmission. This option helps performance by sending the largest packets possible through MTU discovery. If a smaller MTU is encountered, it will decrease the size accordingly. If disabled, there will be no path MTU discovery used for packet delivery.

Responder Only: If enabled, the local end of the VPN will never initiate a VPN tunnel. If the tunnel is dynamic, and the FQDN of the remote gateway can be reliably resolved, this can be disabled. If the remote gateway is null, this feature should be enabled.

Virtual IP Address: The client can specify a virtual local address when connecting to a VPN. The address must appear in the Local addresses in the server-side configuration.

• The Proxy server is available via an IPSec tunnel. This allows a remote user connecting via a client-server or server-server connection to be routed through the proxy server.

• If changes are made to IPSec via BWClient, an IPSec restart is no longer required.

BWClient Enhancements

The following features and improvements have been added to the BWClient administration utility:

• BWClient access is now supported on the AUX interfaces.

• BWClient now includes a management console, which provides an easy way to view all Firewall Servers in your network and group them together into Management Groups. Creating management groups allows you to manage several Firewall Servers from a single console, including the ability to copy the


Enhanced Text Configuration File

The text configuration file now includes information on the following items:

• Squid proxy server

• HTTP

• Direct Packet

• IPSec VPN

• URLfilter

• Security Connection

• Website redirections

XML Configuration File


Installation and Upgrade Notes

If this is an initial installation of the Firewall Server, please see the Firewall Server Installation Guide for instructions.

If you are upgrading the Firewall Server from a previous version, you must be running version 6.1.2 or later.

Recommended Upgrade Procedure

As a general precaution, customers should keep text copies of their BorderWare Firewall configuration and make multiple copies of their backups. It is also recommended that you make both a diskette and an XML backup, if possible.

Upgrade Procedure from 6.1.2 or later to version 7.1:

1. Create configuration backup(s).

2. Install BFS 7.1.

3. Install options (such as SmartGate, IPSec), if any.

4. Restore the configuration (preferably via XML).

Version 7.1 will correctly read backup files created by versions 6.1.2 and later.

Important Upgrade Information

The following describes important configuration information for certain firewall server components after the upgrade to 7.1.

SMTP Proxy Internal → External

For upgrades from 6.1.2x to 7.1, you cannot use a backup configuration from diskette; it must be restored from the XML file. If you are using diskette, you must contact BorderWare technical support to ensure this feature works properly after an upgrade.

Mail Routing

After upgrading to version 7.1, you must examine your mail routes to ensure they are configured properly. The Deliver via Host field must be filled in with your mail server hostname or IP address (if not using DNS).

Manual VPN Connections and Policies


Client to Server and Responder Only Option

If upgrading from 6.1.2x, or 6.5 and 6.5a with IPSec version 1, any Client to Server connections must have the Responder Only option enabled. This setting can be found under the Miscellaneous tab in the VPN connection settings.

VPN Connection Priorities

When upgrading from a previous version, you must ensure that the VPN connection priorities are listed in the proper order. New connections can be assigned starting from 10000 to 31999. The priority order is from lowest to highest.

The following describes the order in which your connection should appear (after the pre-defined default connections):

1. a) Main-mode connections with remote gateway.

   b) Main-mode connections with NAT-traversal connection with a known NAT Device IP address.

2. Aggressive connections with remote gateway IP address and the Remote Authentication IDs using an IP address.

3. a) Main-mode connections without a remote gateway.

   b) Phase 1 connection should appear before the responder.

   c) Phase 2 connections.

   d) Connections with specific remote addresses should appear before those with a remote address (0.0.0.0/0).

4. Aggressive mode connections with specific remote-addresses.

5. Aggressive mode connections with remote addresses (0.0.0.0/0).
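The ordering check above, carried through as an added example written for these notes (not BorderWare's BWClient or firewall code): each connection is described by the attributes the rules refer to (IKE mode, whether a remote gateway is set, a known NAT-traversal device address, specific remote addresses versus 0.0.0.0/0, and whether the Remote Authentication IDs are IP addresses), `rank` reproduces rules 1 to 5, `assign_priorities` numbers the connections from 10000 upward and refuses to exceed 31999, and `priority_violations` reports connections whose existing priority numbers put them in the wrong order after an upgrade. Rules 3b and 3c (phase 1 before responder, then phase 2) are not modelled. The connection names and addresses are constructed samples.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY_ADDRESS = "0.0.0.0/0"


@dataclass
class VpnConnection:
    name: str
    mode: str                                # "main" or "aggressive"
    remote_gateway: Optional[str] = None     # None: dynamic / no remote gateway
    nat_device_ip: Optional[str] = None      # known NAT-traversal device address
    remote_addresses: Tuple[str, ...] = (ANY_ADDRESS,)
    auth_ids_are_ip: bool = False            # Remote Authentication IDs given as IPs


def rank(conn: VpnConnection) -> Tuple[int, int]:
    """Sort key reproducing ordering rules 1 to 5 (rules 3b/3c not modelled)."""
    specific = all(a != ANY_ADDRESS for a in conn.remote_addresses)
    if conn.mode == "main":
        if conn.nat_device_ip:
            return (1, 1)                    # 1b: NAT-T with known NAT device IP
        if conn.remote_gateway:
            return (1, 0)                    # 1a: main mode with remote gateway
        return (3, 0 if specific else 1)     # 3a/3d: no remote gateway
    if conn.mode == "aggressive":
        if conn.remote_gateway and conn.auth_ids_are_ip:
            return (2, 0)                    # rule 2
        return (4, 0) if specific else (5, 0)  # rules 4 and 5
    raise ValueError("unknown IKE mode: %s" % conn.mode)


def assign_priorities(conns: List[VpnConnection], start=10000, step=10, highest=31999):
    """Number the connections in rule order; lowest number is evaluated first."""
    ordered = sorted(conns, key=rank)        # stable sort: ties keep input order
    assigned = []
    for i, conn in enumerate(ordered):
        prio = start + i * step
        if prio > highest:
            raise ValueError("priority range exhausted at %s" % conn.name)
        assigned.append((prio, conn))
    return assigned


def priority_violations(assigned) -> List[str]:
    """Names of connections numbered after one the rules say should follow them."""
    highest_rank_seen = None
    bad = []
    for _, conn in sorted(assigned, key=lambda pc: pc[0]):
        r = rank(conn)
        if highest_rank_seen is not None and r < highest_rank_seen:
            bad.append(conn.name)
        elif highest_rank_seen is None or r > highest_rank_seen:
            highest_rank_seen = r
    return bad


def sample_connections() -> List[VpnConnection]:
    """Constructed sample connection set, deliberately listed out of order."""
    return [
        VpnConnection("roadwarriors", "aggressive"),
        VpnConnection("branch-dyn", "main", remote_addresses=("10.20.0.0/16",)),
        VpnConnection("hq-static", "main", remote_gateway="203.0.113.1"),
        VpnConnection("partner-agg", "aggressive", remote_gateway="203.0.113.3",
                      auth_ids_are_ip=True),
        VpnConnection("branch-natt", "main", remote_gateway="203.0.113.2",
                      nat_device_ip="198.51.100.9"),
        VpnConnection("agg-specific", "aggressive", remote_addresses=("10.30.0.0/16",)),
        VpnConnection("dyn-any", "main"),
    ]


if __name__ == "__main__":
    for prio, conn in assign_priorities(sample_connections()):
        print(prio, conn.name, rank(conn))
```

Running the block prints hq-static first and roadwarriors last; feeding an existing priority list into `priority_violations` is the post-upgrade check the notes ask for, and an empty result means the order already matches the rules.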

How to Contact Us

BorderWare Technical Support

Telephone: Toll free (USA and Canada): 1-877-814-7900

Europe: +44 208-577-1024
