Amaranten Security Gateway changes from v8.70.02 to v8.80.00

8.80.00 Release date: 2006-12-20 [ISO]

Please Note: If you are using an Amaranten Loader prior to version 1.07.01, the Amaranten Loader MUST be upgraded before Amaranten CorePlus!

Version 8.80.00 contains a number of new features and some major changes. Here is a list with the most notable changes:
» Integrated Antivirus introduced.

Amaranten’s integrated antivirus solution provides comprehensive and easy to use protection against the latest and most dangerous malware threats on the Internet.

With the antivirus solution, Amaranten Security Gateways are able to detect and block viruses in HTTP, FTP and SMTP payloads.

The antivirus definition files are automatically provided by the Amaranten Service Provisioning Network (CSPN).

To purchase the Antivirus Signature Update Service for your license, please contact your local Amaranten Certified Partner or Amaranten Sales Office.

» SMTP Application Layer Gateway introduced.
» Spanning Tree relaying introduced. To support transparent mode deployments in scenarios where redundant switches with Spanning Tree Protocols are used, the system is able to relay Ethernet frames containing Bridge Protocol Data Units (BPDUs).


Contents of this document
  • Summary of changes and problems fixed in v8.80.00
  • Files installed by v8.80.00
  • How to upgrade earlier v8.xx releases to v8.80.00
  • How to upgrade v6.0x/v7.0x releases to v8.xx
  • HA upgrade procedure
  • Amaranten FineTune: [Changes]
  • Amaranten CorePlus: [Changes] [Problems Fixed] [Known Issues]
  • Installation: [Changes] [Problems Fixed]

    For future reference: This document is stored in the "Docs" sub-folder of your Amaranten FineTune installation folder.

    Change logs / release notes for earlier versions of Amaranten Security Gateway are available in the release notes section of www.Amaranten.com/support.



     Summary of changes and problems fixed                       

    Install
      Change: The CorePlus / FineTune installation CD is made bootable.
      Problem fixed: The mini core is too big to fit on a floppy.

    FineTune
      Change: IDP rule user interface updated.

    CorePlus
      Change: Support for relaying of Bridge Protocol Data Units (BPDUs)
      Change: CorePlus sends a gratuitous ARP reply when route fails in route failover.
      Change: CLI command added to make it possible to send gratuitous ARP replies.
      Change: Protection against IP address conflicts.
      Change: Integrated Antivirus.
      Change: SMTP Application Layer Gateway.
      Change: Web Content Filtering: Unknown category renamed to Non-Managed.
      Change: IDPUpdate functionality moved to UpdateCenter.
      Change: UpdateCenter functionality now uses the shared IP when communicating with the CSPN network.
      Change: Pseudorandom number generator algorithm in QuickSec changed from Yarrow to ansi-x9.62.
      Change: Extended IkeSnoop logging
      Problem fixed: HA synchronization problems of IPSec tunnels on SG50 appliances.
      Problem fixed: HA heartbeats are not sent often enough if many interfaces are configured.
      Known problem: HTTP ALG download limitation.
      Known problem: HA: Transparent Mode won't work in HA mode
      Known problem: HA: No state synchronization for ALGs
      Known problem: HA: Tunnels unreachable from inactive node
      Known problem: HA: No state synchronization for L2TP and PPTP
      Known problem: HA: No state synchronization for IDP signature scan states.



     Files installed by v8.80.00                       
    This is a list of files that are new to the v8.80.00 release. All paths are relative to your Amaranten FineTune installation folder.
    » Cores/sgc-8.80.00-full.cfx
    This is the full v8.80.00 of CorePlus. Upload it to your existing Security Gateway, or create new boot media with it. It contains all available functionality.
    » Cores/sgc-8.80.00-sg50.cfx
    This is the v8.80.00 CorePlus for the SG50 appliance. Upload it to your existing Security Gateway. It contains all available functionality.
    » Cores/sgc-8.80.00-mini.cfx
    This is a version of v8.80.00 CorePlus with certain features removed. It is less than half the size of the full version. This version should be used if you would like to start the system on a floppy before copying it over to another media.

    » Docs/changes-8.70.02-to-8.80.00.html
    This document.
    » Docs/Amaranten EULA.pdf
    The Amaranten End User License Agreement.
    » Docs/Amaranten_CorePlus_Admin_Guide_8_80.pdf
    The Amaranten CorePlus administration guide for the v8.80.00 release.
    » Docs/Amaranten_FineTune_Admin_Guide_8_80.pdf
    The Amaranten FineTune administrators guide for the v8.80.00 release.
    » Docs/Amaranten_Log_Reference_Guide_8_80.pdf
    The log reference guide for the v8.80.00 release.
    » Docs/SG50_Installation_Setup.pdf
    Installation and Setup guide for the SG50 series platform.
    » Docs/SG3100_Installation_Setup.pdf
    Installation and Setup guide for the SG3100 series platform.
    » Docs/SG4200_Installation_Setup.pdf
    Installation and Setup guide for the SG4200 series platform.
    » Docs/SG4400_Installation_Setup.pdf
    Installation and Setup guide for the SG4400 series platform.
    » Docs/SG5500_Installation_Setup.pdf
    Installation and Setup guide for the SG5500 series platform.
    » FineTune.exe
    This is the v8.80.00 Amaranten FineTune executable.
    » SNMP/Amaranten-Traps.mib
    This is the Amaranten v8.80.00 SNMP Traps MIB.
    » SNMP/Amaranten-SMI.mib
    This is the Amaranten v8.80.00 SNMP MIB.


     How to upgrade earlier v8.xx releases to v8.80.00                       

    Please Note: If you are using an Amaranten Loader prior to version 1.07.01, the Amaranten Loader MUST be upgraded before Amaranten CorePlus!

    Upgrading a previous v8.x release to v8.80.00 is completely straightforward.
    First upload the new Amaranten Loader, followed by the new CorePlus, "sgc-8.80.00-full.cfx" (or "sgc-8.80.00-sg50.cfx" for the SG50 Series), to your Security Gateway and restart it.


     HA upgrade procedure                       
    Note: For upgrades from v7.x HA clusters, first follow the HA upgrade procedures outlined in changes-7.0x.xx-to-8.00.02.html.

    Note: Upgrades from versions prior to v8.40.01: Upgrading directly to v8.50.00 or later from a version prior to v8.40.01 will lead to loss of state synchronization. All open states will be closed as a result of the upgrade. If this is acceptable, continue with the upgrade as described below. Otherwise, first upgrade to v8.40.01 or a later v8.4x core and then upgrade to v8.80.00.

    Simply upload the new CorePlus file to the Security Gateways in your cluster and make sure that the first upload and restart is successful before uploading to the second Security Gateway.

    We recommend beginning with the Security Gateway that is currently active, even though this will necessitate two failovers. The reason for this is that ALG sessions are not synchronized.

      The "immediate availability" method
    • Upload the core to the currently active Security Gateway ("Security Gateway A") and restart it.
    • Issue a 'reconfigure' on the Security Gateway B to rapidly fail back to the now upgraded Security Gateway A. Make sure Security Gateway A functions properly.
    • Upload the core to Security Gateway B and restart it.
    • End result: Security Gateway A is now the active node, just as it was before the upgrade procedure.

    Note that this leaves the second Security Gateway untested, even though it most likely will work just as well as the first Security Gateway. If you want to specifically test the second Security Gateway, you can:
    1) cause two failovers manually, or
    2) connect to it via e.g. the remote console just to make sure it's running, or
    3) if ALG and tunnel synchronization is not a concern, follow this procedure:

      The "long-term safe" procedure:
    • Upload the core to the currently inactive Security Gateway ("Security Gateway B") and restart it.
    • Issue a 'reconfigure' on Security Gateway A. This causes failover to Security Gateway B. Make sure Security Gateway B functions properly.
    • Upload the core to Security Gateway A and restart it.
    • Issue a 'reconfigure' on Security Gateway B to fall back to Security Gateway A. Make sure Security Gateway A functions properly.
    • End result: Security Gateway A is now the active node, just as it was before the upgrade procedure.
    Note that the "availability" issues affect only synchronization of ALGs and tunnels; there is more information about this in the Known Issues section. All other states are, as usual, fully synchronized and not affected in either procedure.


     Installation Changes                       
    The CorePlus / FineTune installation CD is made bootable.
        Change: To simplify software installations it is now possible to boot directly from the CorePlus / FineTune CD.
        Note: When booting from a read-only system like a CD or USB thumbdrive the only option available will be to transfer the CorePlus system to another media.



     Installation Problems Fixed                       
    The mini core is too big to fit on a floppy.
        Problem: The previous version of the mini core is too big to fit on a floppy.
        Results: An earlier mini core version must be used to be able to transfer the system to a floppy disk.
        Affects: Amaranten CorePlus v8.70.00.
        Solution: Fixed in v8.80.00.



     FineTune Changes                       
    IDP rule user interface updated.
        Change: The IDP rule selection is improved and now features a tree which shows all available signature groups as well as signatures. This helps the administrator to get a better overview of what signatures are available at the moment.



     CorePlus Changes                       
    Support for relaying of Bridge Protocol Data Units (BPDUs)
        Change: To support transparent mode deployments in scenarios where redundant switches with Spanning Tree are used, the system is able to relay Ethernet frames containing Bridge Protocol Data Units (BPDUs).
        Note: CorePlus does not support Spanning Tree protocol, it just has the ability to forward BPDUs.
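As an added illustration of what "relaying BPDUs without running Spanning Tree" means in practice, the following Python is not Amaranten code; it shows how a transparent-mode device can recognise an IEEE 802.1D BPDU (a frame to the bridge group address 01:80:C2:00:00:00 with an LLC header of 0x42/0x42/0x03), decode its fields for logging, and classify it for relaying while everything else goes through normal inspection. The sample frames, the `build_config_bpdu` helper and the `transparent_mode_action` name are constructed for this example.

```python
import struct

STP_MULTICAST = bytes.fromhex("0180c2000000")  # IEEE 802.1D bridge group address
LLC_STP = bytes([0x42, 0x42, 0x03])            # DSAP/SSAP 0x42 (bridge STP), UI control field


def parse_ethernet(frame: bytes):
    """Split a frame into (dst, src, type_or_length, payload)."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    type_len = struct.unpack("!H", frame[12:14])[0]
    return frame[:6], frame[6:12], type_len, frame[14:]


def is_bpdu(frame: bytes) -> bool:
    """A BPDU is an 802.3 frame (length field <= 1500) sent to the bridge group
    address and carrying the STP LLC header; Ethernet II frames never qualify."""
    dst, _src, type_len, payload = parse_ethernet(frame)
    return dst == STP_MULTICAST and type_len <= 1500 and payload[:3] == LLC_STP


def parse_bpdu(frame: bytes) -> dict:
    """Decode the fixed fields of an 802.1D configuration BPDU (type 0x00)."""
    if not is_bpdu(frame):
        raise ValueError("not a BPDU")
    bpdu = parse_ethernet(frame)[3][3:]  # strip the 3-byte LLC header
    proto_id, version, bpdu_type = struct.unpack("!HBB", bpdu[:4])
    info = {"protocol_id": proto_id, "version": version, "type": bpdu_type}
    if bpdu_type == 0x00 and len(bpdu) >= 35:
        flags, root_id, root_cost, bridge_id, port_id = struct.unpack("!BQIQH", bpdu[4:27])
        msg_age, max_age, hello, fwd_delay = struct.unpack("!HHHH", bpdu[27:35])
        info.update({
            "topology_change": bool(flags & 0x01),
            "root_priority": root_id >> 48,                  # bridge ID = 2-byte priority + MAC
            "root_mac": "%012x" % (root_id & 0xFFFFFFFFFFFF),
            "root_path_cost": root_cost,
            "bridge_priority": bridge_id >> 48,
            "bridge_mac": "%012x" % (bridge_id & 0xFFFFFFFFFFFF),
            "port_id": port_id,
            "message_age_s": msg_age / 256,                  # timers are in 1/256 s units
            "max_age_s": max_age / 256,
            "hello_time_s": hello / 256,
            "forward_delay_s": fwd_delay / 256,
        })
    return info


def transparent_mode_action(frame: bytes) -> str:
    """What a transparent-mode device that does not itself participate in STP does:
    BPDUs are relayed unchanged between the bridged interfaces so the switches on
    either side can still converge; every other frame goes through rule inspection."""
    return "relay-bpdu" if is_bpdu(frame) else "inspect"


def build_config_bpdu(src_mac: bytes, bridge_mac: bytes, priority: int = 32768) -> bytes:
    """Constructed sample: a root bridge announcing itself with default 802.1D timers."""
    bridge_id = (priority << 48) | int.from_bytes(bridge_mac, "big")
    bpdu = struct.pack("!HBB", 0, 0, 0)                              # protocol 0, version 0, config
    bpdu += struct.pack("!BQIQH", 0, bridge_id, 0, bridge_id, 0x8001)  # flags, root, cost, bridge, port
    bpdu += struct.pack("!HHHH", 0, 20 * 256, 2 * 256, 15 * 256)     # age 0, max 20 s, hello 2 s, fwd 15 s
    payload = LLC_STP + bpdu
    return STP_MULTICAST + src_mac + struct.pack("!H", len(payload)) + payload


# Constructed sample frames (not captures from any real device).
SWITCH_MAC = bytes.fromhex("001122334455")
SAMPLE_BPDU = build_config_bpdu(SWITCH_MAC, SWITCH_MAC)
SAMPLE_IPV4 = b"\xff" * 6 + SWITCH_MAC + b"\x08\x00" + b"\x45" + b"\x00" * 19

if __name__ == "__main__":
    print(transparent_mode_action(SAMPLE_BPDU), parse_bpdu(SAMPLE_BPDU))
    print(transparent_mode_action(SAMPLE_IPV4))
```

The decoder is only there to give the administrator something readable in a log; the relaying decision itself needs nothing beyond the destination address, length field and LLC header, which is exactly why a device can forward BPDUs without implementing Spanning Tree.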

    CorePlus sends a gratuitous ARP reply when route fails in route failover.
        Change: CorePlus sends a gratuitous ARP reply to notify other equipment that the MAC address has changed when a route failover occurs.

    CLI command added to make it possible to send gratuitous ARP replies.
        Change: A CLI command is added which makes it possible for the administrator to force the transmission of a gratuitous ARP reply.

    Protection against IP address conflicts.
        Change: To protect against IP address conflicts, CorePlus sends unsolicited ARP replies when it detects that another device is sending ARP messages with the Amaranten Security Gateway's IP address as source.
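The three ARP-related changes above (gratuitous ARP on route failover, the CLI command to force one, and conflict protection) all rest on the same mechanism, so here is one added Python example, written for this document and not taken from CorePlus, that builds a gratuitous ARP reply and runs a small conflict monitor over ARP frames: when another station's frame carries the gateway's IP as sender address, the monitor records the offending MAC and returns a gratuitous reply that reasserts the gateway's own MAC on the segment. The addresses, frames and the `ArpConflictGuard` class are constructed for the example.

```python
import struct

ETH_BROADCAST = b"\xff" * 6
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
ARP_FMT = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, op, sender MAC/IP, target MAC/IP


def build_arp_frame(op, sender_mac, sender_ip, target_mac, target_ip, dst_mac):
    """Ethernet frame carrying an IPv4-over-Ethernet ARP packet."""
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op, sender_mac, sender_ip, target_mac, target_ip)
    return dst_mac + sender_mac + struct.pack("!H", ETHERTYPE_ARP) + arp


def parse_arp_frame(frame):
    """Return the ARP fields as a dict, or None if the frame is not IPv4 ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op, "sender_mac": sha, "sender_ip": spa, "target_mac": tha, "target_ip": tpa}


def gratuitous_arp_reply(mac, ip):
    """Broadcast reply with sender == target == our own address. Every host on the
    segment that already caches `ip` updates its entry to `mac`, which is what a
    gateway needs after a route failover moved the address to another interface,
    or when the administrator forces a reply from the CLI."""
    return build_arp_frame(ARP_REPLY, mac, ip, ETH_BROADCAST, ip, ETH_BROADCAST)


class ArpConflictGuard:
    """Watch ARP traffic on one interface for another station claiming our IP."""

    def __init__(self, own_mac, own_ip):
        self.own_mac, self.own_ip = own_mac, own_ip
        self.conflicts = []  # MACs seen claiming our address, for logging and alerting

    def observe(self, frame):
        """Return the frame to transmit in response (a gratuitous reply reasserting
        our MAC), or None when the observed frame is harmless."""
        arp = parse_arp_frame(frame)
        if arp is None or arp["sender_mac"] == self.own_mac:
            return None          # not ARP, or our own transmission echoed back
        if arp["sender_ip"] == self.own_ip:
            self.conflicts.append(arp["sender_mac"])
            return gratuitous_arp_reply(self.own_mac, self.own_ip)
        return None              # somebody else's address: nothing to do


# Constructed sample addresses and frames (not captured traffic).
GW_MAC = bytes.fromhex("00a0c9112233")
GW_IP = bytes([192, 168, 1, 1])
ROGUE_MAC = bytes.fromhex("00deadbeef01")
CONFLICT_FRAME = build_arp_frame(ARP_REQUEST, ROGUE_MAC, GW_IP, b"\x00" * 6,
                                 bytes([192, 168, 1, 50]), ETH_BROADCAST)
BENIGN_FRAME = build_arp_frame(ARP_REQUEST, ROGUE_MAC, bytes([192, 168, 1, 77]), b"\x00" * 6,
                               GW_IP, ETH_BROADCAST)

if __name__ == "__main__":
    guard = ArpConflictGuard(GW_MAC, GW_IP)
    for name, frame in (("benign", BENIGN_FRAME), ("conflict", CONFLICT_FRAME)):
        reply = guard.observe(frame)
        print(name, "->", "send gratuitous reply" if reply else "ignore")
    print("conflicting MACs:", [m.hex(":") for m in guard.conflicts])
```

Note that the reply only repairs neighbour caches; the conflicting station is still on the wire, so the recorded MAC should also go to the log so the administrator can find and remove the misconfigured device.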

    Integrated Antivirus.
        Change: Integrated Antivirus scanning is implemented as a part of the Application Layer Gateways and is supported for HTTP, FTP and SMTP.
    The AV scan engine supports on-the-fly decompression of ZIP and GZIP data streams. It also supports decoding of multiple encoding formats.
    The AV scan engine supports on-the-fly stream based scanning of gigabyte sized files without increased latency.
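To make concrete what "on-the-fly decompression" and "stream based scanning without increased latency" mean for a gateway, here is an added Python example; it is not the Amaranten AV engine and its signatures are constructed test strings, not real malware definitions. It decompresses a gzip stream in bounded chunks, matches byte signatures as the data flows (carrying the last few bytes across chunk boundaries so a split signature is still caught), and stops on an excessive decompression ratio, which is the failure mode a stream scanner must guard against. The ratio limit and chunk sizes are assumed policy values chosen for the example.

```python
import gzip
import io
import random
import zlib

READ_CHUNK = 64 * 1024        # compressed bytes per read
OUT_CHUNK = 64 * 1024         # decompressed bytes per step; bounds memory regardless of file size
RATIO_CHECK_AFTER = 1 << 20   # enforce the ratio guard only once 1 MiB has been produced
MAX_RATIO = 100               # assumed policy value, not an Amaranten setting

# Constructed test signatures; a real engine loads vendor-supplied definition files.
SIGNATURES = {
    "TEST.Constructed.A": b"CONSTRUCTED-SIGNATURE-ALPHA-7f3c",
    "TEST.Constructed.B": b"CONSTRUCTED-SIGNATURE-BETA-91e0",
}


def scan_gzip_stream(reader, signatures=SIGNATURES, max_ratio=MAX_RATIO):
    """Decompress a gzip stream chunk by chunk and match signatures on the fly.

    Returns ("infected", name), ("clean", None), ("ratio-exceeded", None)
    or ("error", message). Only the last (longest signature - 1) bytes are
    carried from one chunk to the next, so memory use does not grow with the
    size of the file being transferred.
    """
    d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # gzip framing
    longest = max(len(s) for s in signatures.values())
    carry = b""
    bytes_in = bytes_out = 0
    try:
        while True:
            block = reader.read(READ_CHUNK)
            if not block:
                break
            bytes_in += len(block)
            data = block
            while data:
                out = d.decompress(data, OUT_CHUNK)   # at most OUT_CHUNK bytes per step
                data = d.unconsumed_tail              # input not yet consumed, if any
                bytes_out += len(out)
                # Decompression-bomb guard: a tiny input that keeps expanding is rejected
                # before it can exhaust memory or stall the transfer.
                if bytes_out > RATIO_CHECK_AFTER and bytes_out > max_ratio * bytes_in:
                    return ("ratio-exceeded", None)
                window = carry + out
                for name, sig in signatures.items():
                    if sig in window:
                        return ("infected", name)
                carry = window[-(longest - 1):] if longest > 1 else b""
        # flush() releases whatever zlib still holds; the guard above has already
        # rejected any stream whose ratio ran away before this point.
        window = carry + d.flush()
        for name, sig in signatures.items():
            if sig in window:
                return ("infected", name)
    except zlib.error as exc:
        return ("error", str(exc))   # not gzip, or a corrupt stream: caller decides policy
    return ("clean", None)


# Constructed sample streams. Random filler keeps the compression ratio near 1 so
# the ratio guard only fires for the all-zero "bomb" sample.
_rng = random.Random(20061220)
_body = bytearray(_rng.randbytes(200_000))
_body[65_530:65_530] = SIGNATURES["TEST.Constructed.A"]  # straddles an output chunk boundary
INFECTED_SAMPLE = gzip.compress(bytes(_body))
CLEAN_SAMPLE = gzip.compress(_rng.randbytes(200_000))
BOMB_SAMPLE = gzip.compress(b"\x00" * (5 << 20))          # 5 MiB of zeros, a few KiB compressed

if __name__ == "__main__":
    for label, sample in (("infected", INFECTED_SAMPLE), ("clean", CLEAN_SAMPLE), ("bomb", BOMB_SAMPLE)):
        print(label, "->", scan_gzip_stream(io.BytesIO(sample)))
```

In a gateway the `reader` would be the client-facing side of the HTTP, FTP or SMTP ALG, and the verdict decides whether the bytes already forwarded are followed by the rest of the object or by a reset; the point of the chunked design is that the decision does not require holding the whole object first.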

    SMTP Application Layer Gateway.
        Change: An SMTP Application Layer Gateway has been added to improve the possibility to control mail transactions.

    Web Content Filtering: Unknown category renamed to Non-Managed.
        Change: To correctly describe its purpose, the category is now renamed to Non-Managed. All sites that are outside the scope of the other categories will be defined as Non-Managed. In most network environments it is recommended to always allow users to access Non-Managed websites.

    IDPUpdate functionality moved to UpdateCenter.
        Change: To streamline IDP and Antivirus update functionality, an UpdateCenter CLI command is added to handle all automatic updates.

    UpdateCenter functionality now uses the shared IP when communicating with the CSPN network.
        Change: To remove the need for public IP addresses on both nodes in an HA scenario, the UpdateCenter functionality now uses the shared IP when communicating with the CSPN network.

    Pseudorandom number generator algorithm in QuickSec changed from Yarrow to ansi-x9.62.
        Change: The Pseudorandom number generator in QuickSec has been changed from Yarrow to ANSI X9.62 to comply with ICSA specifications.

    Extended IkeSnoop logging
        Change: IkeSnoop has been updated with timestamps and a new set of messages describing dropped packets as well as internal errors.



     CorePlus Problems Fixed                       
    HA synchronization problems of IPSec tunnels on SG50 appliances.
        Problem: HA synchronization of IPSec tunnels did not work correctly on SG50 appliances, leading to problems renegotiating tunnels after an HA hand-over.
        Result: IPSec tunnels were not correctly synchronized in the HA cluster.
        Affects: Amaranten CorePlus v8.70.02
        Solution: Fixed in v8.80.00

    HA heartbeats are not sent often enough if many interfaces are configured.
        Problem: HA cluster heartbeats are not sent often enough on each interface on security gateways with many configured interfaces.
        Result: Could result in an unstable system if there are connection problems between the gateways.
        Affects: Amaranten CorePlus v8.70.02
        Solution: Fixed in v8.80.00



     CorePlus Known Issues                       
    HA: Transparent Mode won't work in HA mode
        Problem: There is no state synchronization for Transparent Mode and there is no loop avoidance.
        Results: Transparent Mode won't work in HA mode. There is no state synchronization and loop avoidance is not in place.

    HA: No state synchronization for ALGs
        Problem: No aspect of ALGs is state synchronized.
        Results: This means that all traffic handled by ALGs will freeze when the cluster fails over to the other peer. If, however, the cluster fails back over to the original peer within approximately half a minute, frozen sessions (and associated transfers) should begin working again.
    Note that such failover (and consequent fallback) occurs each time a new configuration is uploaded.

    HA: Tunnels unreachable from inactive node
        Problem: The inactive node in an HA cluster cannot communicate over IPsec, PPTP, L2TP and GRE tunnels, as such tunnels are established to/from the active node.
        Results:
    » Inactive HA member cannot send log events over tunnels.
    » Inactive HA member cannot be managed / monitored over tunnels.
    » OSPF: If the cluster members do not share a broadcast interface so that the inactive node can learn about OSPF state, OSPF failover over tunnels uses normal OSPF failover rather than accelerated (<1s) failover. This means 20-30 seconds with default settings, and 3-4 seconds with more aggressively tuned OSPF timings.

    HA: No state synchronization for L2TP and PPTP
        Problem: There is no state synchronization for L2TP and PPTP tunnels.
        Results: On failover, incoming clients will re-establish their tunnels after the tunnels are deemed non-functional. This timeout is typically in the 30 to 120 second range.

    HA: No state synchronization for IDP signature scan states.
        Problem: No aspects of the IDP signature states are synchronized.
        Results: This means that there is a small chance that the IDP engine causes false negatives during an HA failover.

    HTTP ALG download limitation.
        Problem: The HTTP ALG currently only handles files up to a size of 4 gigabytes.