Embedded NGX 7.5 Release Notes General Availability Version

General Availability Version
March 2008 – Document Revision 11
Contents

Introduction
  Highlights of This Version
  Supported Platforms
  Availability
  Copyright
Changes from 7.5 to 7.5.55
  7.5.55
  7.5.51
  7.5.48
  7.5.45
New Features
  New Security Features
  New Networking Features
  New Usability Features
Appendix A: Supported Peripherals
Introduction

Highlights of This Version

Embedded NGX 7.5 incorporates a host of new and improved features, including:
• Internet Connection Load Balancing
• Advanced Firewall Rules
• Advanced NAT Rules
• Reusable Network Service Objects
• Service-Based Routing
• Web Rules
• Enhanced SIP VoIP Support

Supported Platforms

Embedded NGX 7.5 EA supports the following hardware platforms:
• Check Point Safe@Office 100B series
• Check Point Safe@Office 200 series
• Check Point Safe@Office 400W series
• Check Point Safe@Office 500 series
• Check Point UTM-1 Edge (VPN-1 UTM Edge) X series
• Check Point UTM-1 Edge (VPN-1 UTM Edge) W series
• Check Point ZoneAlarm Z100G
• NEC SecureBlade 300
• Nokia IP60
Availability

• Embedded NGX 7.5 is available to existing Embedded NGX customers with a valid software subscription contract. For additional information and documentation, click here.

Copyright

© Copyright 2007 SofaWare Technologies Ltd. SofaWare is a registered trademark of SofaWare Technologies Ltd. Check Point is a registered trademark of Check Point Software Technologies Ltd.
Changes from 7.5 to 7.5.55

7.5.55

New Features

Additional USB modems
Support was added for the following USB modems:
- Teltonika U3G15S
- Qualcomm ZTE MF622 HSDPA

Issues resolved

Firewall
• Resolved issue: When handling large packets requiring fragmentation over PPP Internet links, some packets are handled incorrectly.

Connectivity
• Resolved issue: Dead Connection Detection set on the primary Internet connection, coupled with a secondary PPP Internet connection in Connect-on-Demand mode, may fail to operate as expected.

VPN
• Resolved issue: DHCP relay does not function as expected when used from a bridged network over a VPN link.
• Resolved issue: In rare cases, remote HTTPS and SSH connections to the appliance IP address over VPN may be abnormally terminated.
• Resolved issue: When using more than 10 VPN tunnels simultaneously, connections scanned by VStream Antivirus are sometimes cut.

HTTPS
• Resolved issue: In the web user interface, the logout button now appears in HTTPS mode when using Internet Explorer or Firefox.

Wireless
• Resolved issue: When using WPA security, Windows Vista clients may fail to obtain an IP address using DHCP, and certain broadcast packets may be encrypted with an incorrect key.

7.5.51

Issues resolved

Management
• Resolved issue: Upgrading from firmware 6.0 directly to 7.5 may cause certain settings to be reset to their default values.
• Resolved issue: During an appliance reboot, the gateway continues to appear as “connected” in the Service Center (SMP/SmartCenter).
• Resolved issue: When downloading CLI scripts from the Service Center, the managed items are not correctly marked as “Remotely Managed”.

Firewall and SmartDefense
• Resolved issue: SIP ALG does not work correctly through a VPN tunnel.
• Resolved issue: SIP support for Cisco VoIP phones improved.
• Resolved issue: As a normal side effect, SIP ALG processing or IPsec decryption may sometimes shorten packets. In rare cases, fragmented packets that were shortened may be silently dropped or incorrectly transmitted.

VPN
• Resolved issue: In certain cases, IKE Phase 1 failures may cause a memory leak.
• Resolved issue: Disconnects when using L2TP VPN with Apple iPhone clients.
• Resolved issue: When using VPN in “Route All Traffic” mode, certain connections are not established correctly.
• Resolved issue: When configured in a managed VPN community (Enterprise Site), the appliance may fail to connect to externally managed gateways requiring shared secret authentication.

Wireless
• Resolved issue: Wireless LAN may operate unreliably when using certain wireless devices supporting power save mode (such as BlackBerry).
7.5.48

Issues resolved

Firewall and SmartDefense
• Resolved issue: In certain cases, the appliance may restart when processing SIP IP telephony packets.

VStream Antivirus
• Resolved issue: Specific EXE files are scanned slowly.

Management and settings
• Resolved issue: When upgrading from firmware 7.0, VPN sites and SNMP settings revert to disabled.
• Resolved issue: A potential security vulnerability was corrected in the SNMP server.

7.5.45

New Features

Additional USB modems
Support was added for the following USB modems:
- Novatel Ovation MC950D
- Novatel U727

SIP support
The SIP application level gateway (ALG) can now be optionally disabled.

ADSL
Norway's ISP details were added to the ADSL wizard.

Enhanced HTTPS Support
To increase security, the following changes were made to the HTTPS web configuration portal (https://my.firewall):
- HTTPS web server cookies are now marked as “secure cookies”.
- HTTPS clients are no longer permitted to select weak 40 and 56 bit ciphers.

Enhanced L2TP Support
The L2TP server has been enhanced to support the following cases:
- Windows Vista VPN clients behind a NAT device.
- Apple iPhone VPN clients.

Issues resolved

HTTP/HTTPS
• Resolved issue: Low severity cross-site scripting (XSS) attack potentially possible against the configuration web portal. This issue is unlikely to be successfully exploited.

VStream Antivirus
• Resolved issue: In certain cases, VStream Antivirus may block valid connections.

Firewall
• Resolved issue: A memory issue when using DHCP relay.

ADSL
• Resolved issue: ANNEX B DSL modem support for the G.DMT standard.

IP60
• Resolved issue: Nokia IP60 GUI layout appears incorrectly.
New Features

New Security Features

Web Rules
It is now possible to define Web rules that allow or block access to specific Web sites based on the site’s URL. If desired, you can log attempts to access allowed and blocked Web sites. In addition, you can exclude specific IP addresses or address ranges from Web rule enforcement. Wildcards may be used in Web rules to allow partial access to certain Web sites.
This feature does not require subscription to the category-based Web Filtering service and can operate in parallel with the subscription service, if desired.
When a site is blocked, a configurable message is displayed to the user. See “Customizable Web Filtering Page”.

Time-Based Rules
It is now possible to define firewall rules that only take effect during certain hours of the day. This feature is supported for locally defined firewall rules, for locally defined antivirus rules, and for firewall rules downloaded from Check Point SmartCenter (rules using time objects).

Rule Descriptions
A new Description field allows attaching an explanation or remark to each locally defined firewall and antivirus rule. This optional field can be used for naming a rule or for explaining why the rule is needed and under what circumstances.

Reusable Network Service Objects
Embedded NGX 7.5 allows defining custom network service objects in the local Web interface and assigning them unique names. The network service objects can then be used in firewall rules, antivirus rules, and policy-based routing rules. Network service objects consist of an IP protocol and either a TCP/UDP port or a port range. It is possible to define several non-consecutive port ranges by separating them with commas.

Allow & Forward Rules with Destination IP Address
It is now possible to define “Allow & Forward” rules with a specific destination IP address. This allows defining NAT forwarding rules that only take effect when accessing a certain IP address. Embedded NGX 7.5 allows defining different forwarding rules for each external IP address. For example, consider a case in which the gateway has two public IP addresses, 62.98.112.1 and 62.98.112.2, and the network contains two private Web servers, A and B. It is now possible to forward all HTTP traffic with the destination 62.98.112.1 to server A, while mapping all HTTP traffic with the destination 62.98.112.2 to server B. Previously, this was only possible using static NAT mappings.
Advanced users can also use this feature for outgoing traffic, creating "transparent proxy" rules that divert all traffic that is destined for a certain IP address to a different IP address.

Advanced Address Translation Rule Base
Embedded NGX 7.5 allows configuring advanced network address translation (NAT) rules in the local management interface. The Address Translation table is divided into Original Packet and Translated Packet sections. The Original Packet section specifies the conditions under which the rule is applied, and the Translated Packet section specifies the action taken when the rule is applied. You can change the source IP address, the destination IP address, the service, or any combination of the above.
When translating an IP address range to another IP address range of the same size, static NAT is performed. When translating an IP address range to a smaller IP address range, static NAT is performed for all but the last address in the translated range, and hide NAT is used to hide all the remaining addresses in the original range behind the last IP address in the translated range.
NAT rules can be implicitly defined through a number of methods: by enabling “Hide NAT” on an internal network, by creating an “Allow & Forward” firewall rule, or by configuring static NAT for a network object. In addition, NAT rules can be received from the SmartCenter policy editor. Implicitly defined NAT rules are displayed in the Address Translation table, but cannot be edited.
Note: This feature is not available in the ZoneAlarm Secure Wireless Router Z100G.

New SmartDefense Protection: Checksum Verification
When this protection is enabled, SmartDefense identifies and drops IP, TCP, or UDP packets with incorrect checksums.

New SmartDefense Protection: Urgent Flag Clearing
The URG flag is used to indicate that urgent data exists in a TCP stream, and that the data should be delivered with high priority. Since handling of the URG flag is inconsistent between different operating systems, allowing the URG flag may enable an attacker to conceal certain attacks.
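The range-to-range behaviour of the Advanced Address Translation rule base described above (same-size ranges give static NAT; a smaller translated range gives static NAT for all but its last address and hide NAT behind that last address) is easy to get wrong when reading a rule table, so here is an added worked example. It is illustrative code written for these notes, not SofaWare's or Check Point's implementation; the class and function names, the sequential source-port allocator used for hide NAT, and the sample address ranges are all constructed here, and rejecting a translated range larger than the original is an assumption, since the notes do not define that case.

```python
import ipaddress


def ip_range(first, last):
    """Expand an inclusive IPv4 range into a list of address strings."""
    a, b = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    if b < a:
        raise ValueError("range end precedes range start")
    return [str(ipaddress.IPv4Address(i)) for i in range(a, b + 1)]


class AddressTranslationRule:
    """Source-address translation with the Original Packet / Translated Packet split.

    Semantics taken from the release notes:
    - same-size ranges: static (one-to-one) NAT for every address;
    - smaller translated range: static NAT for all but the last translated address,
      hide NAT for the remaining original addresses behind that last address.
    A translated range larger than the original is rejected (assumption: the notes
    do not define that case).
    """

    def __init__(self, original, translated):
        if len(translated) > len(original):
            raise ValueError("translated range larger than original range")
        self.original = list(original)
        self.translated = list(translated)
        # Hide NAT shares one address between many hosts, so each hidden
        # (source IP, source port) pair gets its own translated source port.
        # Sequential allocation from 10000 is a simplification for the example.
        self._hide_ports = {}
        self._next_port = 10000

    def static_count(self):
        """Number of original addresses that receive a one-to-one mapping."""
        if len(self.translated) == len(self.original):
            return len(self.original)
        return len(self.translated) - 1

    def translate(self, src_ip, src_port):
        """Return (new_ip, new_port, kind) for a packet's source, or None if unmatched."""
        if src_ip not in self.original:
            return None
        idx = self.original.index(src_ip)
        if idx < self.static_count():
            return self.translated[idx], src_port, "static"
        key = (src_ip, src_port)
        if key not in self._hide_ports:
            self._hide_ports[key] = self._next_port
            self._next_port += 1
        return self.translated[-1], self._hide_ports[key], "hide"


def demo():
    """Five private hosts mapped onto three public addresses (constructed values)."""
    rule = AddressTranslationRule(ip_range("192.168.10.1", "192.168.10.5"),
                                  ip_range("203.0.113.1", "203.0.113.3"))
    return [(ip,) + rule.translate(ip, 40000) for ip in rule.original]


if __name__ == "__main__":
    for row in demo():
        print("%s -> %s:%d (%s NAT)" % row)
```

Running `demo()` shows the split the notes describe: the first two private hosts keep their source port and get their own public address, while the remaining three share the last public address and are told apart only by the allocated source port. When auditing a rule table, the practical check is exactly that count: with n translated addresses and more than n originals, only n-1 hosts are individually reachable from outside.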
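To make the two SmartDefense protections just described concrete, here is an added example that builds a small IPv4/TCP packet, verifies the IP and TCP checksums the way Checksum Verification does, and applies Urgent Flag Clearing (clear the URG bit, zero the urgent pointer, recompute the TCP checksum so the packet is not then dropped as corrupt). This is example code written for these notes, not the appliance's code; `build_packet`, `inspect` and the sample addresses, ports and payload are all constructed here.

```python
import ipaddress
import struct

TCP = 6
URG = 0x20  # URG bit in the TCP flags byte


def checksum(data):
    """RFC 1071 ones'-complement checksum; a correct packet checksums to zero."""
    data = bytes(data)
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _tcp_pseudo_header(pkt, seg_len):
    # Pseudo-header: source address, destination address, zero, protocol, TCP length.
    return pkt[12:20] + struct.pack("!BBH", 0, pkt[9], seg_len)


def build_packet(src, dst, sport, dport, flags, urg_ptr, payload):
    """Construct an IPv4/TCP packet with valid checksums (sample data only)."""
    src, dst = ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 0x50, flags, 8192, 0, urg_ptr) + payload
    tcp_csum = checksum(src + dst + struct.pack("!BBH", 0, TCP, len(tcp)) + tcp)
    tcp = tcp[:16] + struct.pack("!H", tcp_csum) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, TCP, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def ip_checksum_ok(pkt):
    ihl = (pkt[0] & 0x0F) * 4
    return checksum(pkt[:ihl]) == 0


def tcp_checksum_ok(pkt):
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    seg = pkt[ihl:total_len]
    return checksum(_tcp_pseudo_header(pkt, len(seg)) + seg) == 0


def clear_urg(pkt):
    """Copy of pkt with URG cleared, the urgent pointer zeroed and the TCP checksum recomputed."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    seg = bytearray(pkt[ihl:total_len])
    if not seg[13] & URG:
        return pkt
    seg[13] &= 0xFF ^ URG
    seg[16:18] = b"\x00\x00"  # checksum field must be zero while recomputing
    seg[18:20] = b"\x00\x00"  # the urgent pointer is meaningless without URG
    seg[16:18] = struct.pack("!H", checksum(_tcp_pseudo_header(pkt, len(seg)) + bytes(seg)))
    return pkt[:ihl] + bytes(seg) + pkt[total_len:]


def inspect(pkt, urg_policy="clear"):
    """Checksum Verification first, then the URG Flag policy ('clear' or 'allow')."""
    if not ip_checksum_ok(pkt):
        return "drop", "bad IP checksum"
    if pkt[9] == TCP:
        if not tcp_checksum_ok(pkt):
            return "drop", "bad TCP checksum"
        if urg_policy == "clear":
            pkt = clear_urg(pkt)
    return "pass", pkt


if __name__ == "__main__":
    sample = build_packet("10.0.0.5", "198.51.100.9", 40000, 80, 0x38, 3, b"hello")
    print(inspect(sample)[0], inspect(sample[:-1] + b"X"))
```

The order matters: checksums are checked on the packet as received, and the flag rewrite recomputes the TCP checksum afterwards, so a downstream host (or a second gateway running the same verification) does not drop the cleaned packet.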
By default, SmartDefense automatically clears the URG flag to ensure security. To allow the URG flag, in the SmartDefense tree's TCP > Flags node, set the URG Flag field to Allow. To prevent the URG flag from being used, set the URG Flag field to Clear.

New SmartDefense Protection: Sequence Number Verifier
When this protection is enabled, Embedded NGX examines each TCP packet's sequence number and checks whether it matches a TCP connection state. You can configure how the router handles packets that match a TCP connection in terms of the TCP session but have incorrect sequence numbers.

Secure HotSpot: Redirect URL
The Secure HotSpot feature now allows defining an optional “Redirect URL”. When a “Redirect URL” is defined, every user who successfully authenticates to the Secure HotSpot will be automatically redirected to the specified URL. For example, the “Redirect URL” can be your company’s Web site or a “Welcome” page.
This feature is supported in the following platforms: UTM-1 Edge, Safe@Office 500 with Power Pack, Safe@Office 225, and Safe@Office 410/425.

Remote Desktop Access Granular Permissions
Embedded NGX includes an integrated client for Microsoft Terminal Services, allowing you to enjoy convenient clientless access to your Windows computers from anywhere, via the my.firewall portal. System administrators can remotely access the desktop of each employee's computer, and even redirect printers or ports to a remote computer.
Starting from Embedded NGX 7.5, granular permissions are now available for Remote Desktop Access, enabling an administrator to restrict the Remote Desktop Access feature to a limited set of users. Non-administrator users who have the “Remote Desktop” permission in their profile can now log in to the Embedded NGX web based configuration portal, my.firewall, and gain access to a restricted portal, showing only the “Active Computers” page, and allowing access to the Remote Desktop Access feature.

Enhanced SIP Support
Embedded NGX 7.5 now includes a dedicated ALG (Application Level Gateway) for SIP (Session Initiation Protocol), the popular signaling protocol commonly used for IP telephony (VoIP). This ALG enables easy NAT and Firewall traversal.
Note:
1. Embedded NGX 7.5 supports SIP over UDP. SIP over TCP is currently not supported.
2. A SIP Proxy must be used, and the proxy must not reside in the same network as the SIP client.

Enhanced VPN Topology Display
An enhanced topology viewer is now available, for convenient display of the VPN network topology. The VPN topology viewer is accessible from the “Active Tunnels” page in the web user interface.

New Networking Features

WAN Load Balancing
Embedded NGX 7.5 supports WAN load balancing. When WAN load balancing is enabled, two Internet connections can be used in parallel, and the load is automatically distributed between them, based on available bandwidth.
To prevent disruption of stateful protocols, load balancing is performed on a per source IP address and destination IP address basis, meaning that all traffic from a certain source IP address to a certain destination IP address will be consistently sent to the same Internet connection. In the case of a single client communicating with a single server, no throughput benefits will be realized; however, in typical network conditions, where multiple clients or servers are active, bandwidth-based load balancing can balance the use of both Internet connections exceptionally well, effectively doubling the available bandwidth.
By default, the load distribution is symmetric; however, it is possible to achieve non-symmetric balancing by assigning a different weight to each Internet connection.
To ensure continuous Internet connectivity, an Internet connection that fails for any reason is automatically excluded from load balancing.
Note: This feature is supported in the following platforms: UTM-1 Edge X series, UTM-1 Edge W series, Safe@Office 500, Safe@Office 225, and Safe@Office 425.

ADSL Configuration Assistant
Embedded NGX 7.5 ADSL appliances offer an ADSL configuration assistant. To use the ADSL Configuration Assistant, choose your country and ISP, then click OK. The appropriate VPI, VCI, and encapsulation type values for your ISP will be inserted automatically. You can still change these settings manually at a later time, if needed. The ADSL Configuration Assistant appears in both the ADSL Setup Wizard and in the Internet Setup page.
For the full list of ISPs supported by the ADSL Configuration Assistant, click here.
Note: This feature is available in all appliance models with an integrated ADSL modem, including UTM-1 Edge X/W ADSL and Safe@Office 500/500W ADSL.

ADSL IPoA Support
Embedded NGX 7.5 ADSL appliances now support the IPoA (IP over ATM) connectivity protocol, used by certain ADSL service providers.

Bridged / Unnumbered PPPoA Support
Embedded NGX 7.5 ADSL appliances now support bridge mode for PPPoA ADSL Internet connections. This enables the Embedded NGX ADSL appliance to connect to ISPs who use “Unnumbered” PPPoA mode.

Routing Table Report
Embedded NGX 7.5 includes a new Routing Table report, providing an easy view of the routing table currently in effect. The table shows the route's source, destination, gateway IP address, metric, and interface. In addition, the table's Origin field displays the route's type:
• Connected Routes - Routes to networks directly connected to the appliance.
• Static Routes - Routes to networks connected through a router.
• Dynamic Routes - Routes obtained through a dynamic routing protocol.
The same routing table information can also be obtained through the info routes CLI command.
Note: This feature is not available in the ZoneAlarm Secure Wireless Router Z100G.

Connect On Demand in PPPoA, PPPoE, and PPTP Modes
"Connect on Demand" is now supported in all PPP modes, including PPPoA, PPPoE, and PPTP. In "Connect on Demand" mode, the Internet connection will automatically connect as needed, and disconnect during network idle periods. "Connect on Demand" continues to be supported for dialup connections, as in previous Embedded NGX versions.

Service-Based Policy Routing
Embedded NGX 7.5 allows configuring service-based policy routing. You can use service-based policy routes to direct all traffic matching a particular protocol and port range to a specific Internet connection. For example, you can choose to route all HTTP (TCP Port 80) traffic to the secondary Internet connection, while routing all other traffic to the primary Internet connection. To ensure continuous availability, if the secondary Internet connection is unavailable, this rule is automatically disregarded, and the appliance routes the traffic through the route with the next-lowest metric.
Notes:
1. In a service-based route, the source network and destination network fields cannot be specified.
2. Stateful protocols such as passive FTP and SIP will not work as expected with service based routes.
3. This feature is not available in the ZoneAlarm Secure Wireless Router Z100G.

Interface-Based Static Routes
Embedded NGX 7.5 allows specifying an Internet connection as a static route's next hop, instead of a specific IP address. This feature is useful in cases where the ISP's default gateway IP address is dynamically assigned to the gateway. By specifying the Internet connection's name (primary/secondary) in the Next Hop IP field, you can route traffic to a specific Internet connection, without having to statically specify the ISP's default gateway IP address.
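The WAN Load Balancing and Service-Based Policy Routing sections above both describe how the appliance picks an Internet connection for a new flow, and the interaction between them (a service route wins unless its connection is down, balancing keeps each source/destination pair on one link, a failed link drops out of every decision) is what a practitioner needs to predict when troubleshooting. The following is an added example covering both sections; it is illustrative code written for these notes, not SofaWare's routing code. The hash-of-address-pair scheme used to keep a pair on one link while honouring weights is an assumption standing in for the bandwidth-based distribution the notes mention, and the class names, connection names and sample addresses are constructed here.

```python
import hashlib
import ipaddress


class InternetConnection:
    """One WAN link; 'up' models the failure state the gateway tracks."""

    def __init__(self, name, metric, weight=1, up=True):
        self.name, self.metric, self.weight, self.up = name, metric, weight, up


class ServiceRoute:
    """Service-based policy route: protocol + destination port range -> connection name."""

    def __init__(self, proto, first_port, last_port, connection):
        self.proto, self.first_port, self.last_port = proto, first_port, last_port
        self.connection = connection

    def matches(self, proto, dport):
        return proto == self.proto and self.first_port <= dport <= self.last_port


class Gateway:
    def __init__(self, connections, service_routes=(), load_balancing=False):
        self.connections = list(connections)
        self.by_name = {c.name: c for c in self.connections}
        self.service_routes = list(service_routes)
        self.load_balancing = load_balancing

    def _available(self):
        # A failed connection is excluded from every decision below.
        return [c for c in self.connections if c.up]

    def _balance(self, src_ip, dst_ip, candidates):
        # Per (source IP, destination IP) choice: hash the pair onto weighted
        # slots so the same pair always lands on the same link (assumed scheme).
        key = ipaddress.ip_address(src_ip).packed + ipaddress.ip_address(dst_ip).packed
        slot = int.from_bytes(hashlib.sha256(key).digest()[:8], "big")
        slot %= sum(c.weight for c in candidates)
        for c in candidates:
            if slot < c.weight:
                return c.name
            slot -= c.weight
        raise AssertionError("slot outside total weight")

    def select(self, src_ip, dst_ip, proto, dport):
        """Return (connection name, reason) for a new flow, or (None, reason)."""
        # 1. Service-based policy routes take precedence; a route whose
        #    connection is down is disregarded rather than blackholing traffic.
        for route in self.service_routes:
            if route.matches(proto, dport):
                target = self.by_name[route.connection]
                if target.up:
                    return target.name, "service-route"
                break
        candidates = self._available()
        if not candidates:
            return None, "no-connection"
        # 2. WAN load balancing across all available links.
        if self.load_balancing and len(candidates) > 1:
            return self._balance(src_ip, dst_ip, candidates), "load-balancing"
        # 3. Otherwise the available route with the lowest metric wins.
        return min(candidates, key=lambda c: c.metric).name, "metric"


def demo():
    """Constructed scenario: HTTP pinned to the secondary link, then that link fails."""
    primary = InternetConnection("primary", metric=10)
    secondary = InternetConnection("secondary", metric=20)
    gw = Gateway([primary, secondary],
                 service_routes=[ServiceRoute("tcp", 80, 80, "secondary")],
                 load_balancing=True)
    before = gw.select("192.168.1.10", "198.51.100.7", "tcp", 80)
    secondary.up = False
    after = gw.select("192.168.1.10", "198.51.100.7", "tcp", 80)
    return before, after


if __name__ == "__main__":
    print(demo())
```

Note 2 in the Service-Based Policy Routing section follows directly from the `select` logic: a service route matches on protocol and port only, so the data channel of passive FTP or the media streams of a SIP call, which use other ports, can be steered to a different link than the control session and arrive from a different public address.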
Note: This feature is not available in the ZoneAlarm Secure Wireless Router Z100G.

Incoming Dialup for Out-of-Band Management
Embedded NGX 7.5 supports auto-answering incoming data calls using a dialup modem (PSTN, ISDN or cellular). By dialing into the appliance, an administrator can remotely troubleshoot and reconfigure a device out of band, even if the main Internet connection is inaccessible.
When incoming dialup is enabled, the gateway automatically answers incoming data calls and establishes a connection using PPP (Point to Point Protocol). An IP address is assigned to the client from the OfficeMode IP pool. To secure the device against unauthorized dialers, the session must be authenticated with a username/password combination belonging to a known user with Administrator credentials.
To enable Incoming Dialup, check the “Answer Incoming PPP Calls” check box in the Serial Port setup page, or in the USB modem setup page.

Enhanced Cellular Modem Support
Embedded NGX 7.5 offers a list of predefined cellular modem types, removing the need to provide a custom initialization string in most cases.
In addition, specific fields are provided for entering the Access Point Name (APN) and Personal Identification Number (PIN) code required by a number of cellular networks.
Note: USB-based modems (including dialup and cellular modems) are supported in the following appliance models: Safe@Office 500W, Safe@Office 500W ADSL, Safe@Office 425W/425WU, UTM-1 Edge X ADSL, UTM-1 Edge W, and UTM-1 Edge W ADSL. A supported external modem with a USB interface is required.

SNMP Traps
A trap is a Simple Network Management Protocol (SNMP) notification sent from one application to another. Embedded NGX 7.5 now supports sending the following traps:
• Startup / Shutdown
• SNMP Authentication Failure
• Link Up / Link Down
The administrator can choose between SNMPv1, SNMPv2, and SNMP INFORM style traps. The trap destination, community, and UDP port are also configurable.

Syslog Support in ZoneAlarm Z100G
ZoneAlarm Secure Wireless Router Z100G now includes support for sending log messages through the Syslog protocol.

OSPF Simple Authentication
Embedded NGX 7.5 supports OSPF “Simple Authentication” mode, in addition to the MD5 authentication mode supported in previous versions.

New Usability Features

New Look & Feel
The UTM-1 Edge and Safe@Office appliances' look & feel has been improved with a new, sleek design.

Enhanced CLI Syntax
Command line interface (CLI) commands that are not supported by the current hardware type and license are not displayed as options in the CLI help or as possible command completions.
Note: The command line interface is not available in the ZoneAlarm Secure Wireless Router Z100G.

Configurable Serial Console Port Speed
When using the appliance’s serial port in “Console” mode, it is now possible to change the baud rate from its default speed (57600 bps).
Note: The serial console port speed feature is not applicable to ZoneAlarm Secure Wireless Router Z100G.

Customizable Web Filtering Page
It is now possible to customize the message displayed in the “Access Denied” page. This message is used both by the category-based Web Filtering service and by the new Web rules feature. If desired, you can use HTML tags in the message. In addition, you can force the “Access Denied” page to be displayed using secure HTTP (HTTPS), by selecting the Use HTTPS check box.

Multiple Concurrent Administrators over HTTP
It is now possible for multiple administrators to log on to the my.firewall Web interface concurrently using the HTTP protocol. As in previous Embedded NGX versions, multiple administrators can also log on concurrently using HTTPS.

Enhanced Behavior of VPN LED
The VPN LED is now a steady green when there are open VPN tunnels but no VPN activity, and it blinks whenever traffic is sent or received over a VPN tunnel.