Release Notes CSG 7.0.0

Collax Security Gateway
27.10.2016

Installation Notes

Update Instructions

To install this update, please follow these steps:

Procedure

  1. It is highly recommended to back up all server data with the Collax backup system before proceeding. Check that the backup was successful before proceeding with the update (this can be done using the backup information email).
  2. In the administration interface go to System → System Operation → Software → System Update and press Get Package List. This downloads the list of update packages. If successful, the message Done! will be displayed on the screen.
  3. Click Get Packages to download the update packages.
  4. Click Install. This installs the update. The end of this process is indicated by the message Done!.
  5. A new kernel will now be installed. The system will reboot automatically after installing the update. An appropriate note will be shown when the update process is completed.

New in this Version

Security: Linux Kernel 4.4.24

Collax Server V7 includes the new long-term support (LTS) kernel 4.4.

Security: System Security

The new Collax V7 Server is a system which is almost 100% (97%) deterministic/reproducible. The Collax build system guarantees that binary files and system packages (.deb) are built deterministically. All Collax Servers are hardened to reduce vulnerabilities and secure the system.

Security: Improved Protection for ssh Denial-Of-Service Attacks

Within this update the protection against Denial-of-Service (DoS) and brute-force attacks on ssh has been improved. The new function allows banning the IP address of an offender after a certain number of failed login attempts.
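To make the mechanism concrete, here is an added example (not Collax's own implementation, whose internals the release notes do not describe) of the detection logic behind such a ban: it parses OpenSSH "Failed password" syslog lines, counts failures per source IP inside a sliding time window, and reports the addresses that crossed the threshold. The log lines, the year, the threshold of 5 attempts and the 10-minute window are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log excerpt in the standard OpenSSH syslog format.
# 203.0.113.5 hammers the server; 192.0.2.20 only fails twice, half an hour apart.
SAMPLE_LOG = """\
Oct 27 10:00:01 gw sshd[2101]: Failed password for root from 203.0.113.5 port 51234 ssh2
Oct 27 10:00:03 gw sshd[2101]: Failed password for root from 203.0.113.5 port 51236 ssh2
Oct 27 10:00:05 gw sshd[2103]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Oct 27 10:00:09 gw sshd[2105]: Accepted publickey for alice from 192.0.2.10 port 40000 ssh2
Oct 27 10:00:12 gw sshd[2107]: Failed password for invalid user test from 203.0.113.5 port 51250 ssh2
Oct 27 10:00:15 gw sshd[2108]: Failed password for invalid user test from 203.0.113.5 port 51251 ssh2
Oct 27 10:01:00 gw sshd[2110]: Failed password for bob from 192.0.2.20 port 41000 ssh2
Oct 27 10:30:00 gw sshd[2120]: Failed password for bob from 192.0.2.20 port 41001 ssh2
"""

# Matches only failed password attempts; "invalid user" is optional because
# OpenSSH logs unknown accounts with that prefix.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(log_text, year=2016):
    """Yield (timestamp, source_ip) for every failed password attempt.

    Syslog lines carry no year, so the caller supplies it (assumption: 2016)."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        yield ts, m.group("ip")


def offenders(log_text, max_attempts=5, window=timedelta(minutes=10)):
    """Return {ip: time_of_ban} for IPs reaching max_attempts failures within window.

    The window slides: old attempts drop out, so a slow trickle of failures
    over a long period does not trigger a ban, while a burst does."""
    recent = defaultdict(list)
    banned = {}
    for ts, ip in sorted(parse_failures(log_text)):
        if ip in banned:
            continue  # already banned; further attempts are not counted
        attempts = [t for t in recent[ip] if ts - t <= window]
        attempts.append(ts)
        recent[ip] = attempts
        if len(attempts) >= max_attempts:
            banned[ip] = ts
    return banned


if __name__ == "__main__":
    for ip, when in offenders(SAMPLE_LOG).items():
        print(f"ban {ip} (threshold reached at {when:%H:%M:%S})")
```

In this sample only 203.0.113.5 is reported, at 10:00:15, when its fifth failure inside ten minutes arrives; 192.0.2.20 stays below the threshold. A real ban would hand the address to the firewall, and an unban timer is the usual companion so a mistyped password on a shared NAT address does not lock out a whole office indefinitely.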

GUI: GUI-Design

With this update the web interface has been improved and made more detailed, based on Google's recommendations and the tenets and specifics of Material Design.

GUI: Network Groups

Within this release network groups can be used. Network groups offer a new configuration approach. In the past, permissions were configured using user groups, and network and service permissions were combined in one group. From now on network groups are created and used separately. All services on the Collax Server whose permissions are assigned exclusively on the basis of an IP address now use network groups. If a permission is set, the respective network port is opened in the firewall for the associated networks or hosts.

GUI: Transparent user and network permissions

Within this release permissions for users and permissions for networks are differentiated. So there are user groups and network groups from now on. A number of network groups are created by default. The Internet group contains the “Internet” network as member, i.e. all IP addresses outside the local network ranges. Thus, all permissions granted over this network group apply to all computers anywhere on the Internet.

GUI: Host-Elements

There are various input boxes where IP addresses were used in the previous version. Within this release the usage of IP addresses has been reworked. Collax Server V7 now uses host elements. The term “host” refers to individual computers that are known to the server. A host must exist as an element before it can be used in various service settings. Host elements replace the input boxes for IP addresses.

Web Proxy: Web Proxy and Web Proxy Rules

Please note that the rule set in Collax Server V7 is being rewritten. Important: The rewritten rule set should be checked after upgrading the server.

Web Proxy: Transparent proxy

The transparent proxy can be activated for the service http. Data packets for destination port 80 are redirected by the firewall to the web proxy service. Until now the transparent proxy was configured using the firewall matrix. Within this release, the transparent proxy is configured through the basic settings of the web proxy server under “Services -> Web-Proxy -> Web-Proxy-Server”. Enabling the transparent proxy mode creates a DNAT rule for the service http under “Network -> Firewall -> DNAT/Port Forwarding”.

Web Proxy: No proxy for these hosts

With the introduction of host elements, proxy exceptions for hosts can now be configured using the select boxes. This dialogue is located under Services -> Web-Proxy -> Web-Proxy-Server in the Options tab. Here you can select the hosts for which no proxy is to be used.

Web Proxy: Sequence of filter rules and drag-and-drop

The dialog for defining filter rules is located under Services -> Web-Proxy -> Rules. A rule determines which URL lists are valid at what times and whether the URLs in the lists are blocked or allowed. The sequence of the rules is governed by different priorities and can from now on be changed easily using a new drag-and-drop action.

Net: Firewall Matrix

The firewall matrix is a visual representation of the integrated firewall. From this version on, the matrix can exclusively be used with network groups instead of networks. The upside of using network groups instead of networks is better grouping and a clearer view of the rule set. Network groups are used for accessing services and are relevant for traversing data packets using the matrix.

Net: Optimized network-stack

The netlink socket handling for network connections has been improved within this release.

Net: Host Analysis

The new function “Host Analysis” located under “System -> Network -> Firewall” can be used to determine the network groups that apply to a given host. You can use that information to determine which network group needs to be configured to allow access to specific services.

Net: IPv6 Support Preparation ready

All services on the new Collax Server platform are prepared to be integrated into IPv6 networks. The IPv6 support will be completed in a future release.

Net: Connection monitoring

The behavior of the “aklinkd” program in some situations has been improved. The new service is rewritten and now called linkd4.

Net: DynDNS behind Router

With dynamic DNS a system with a dynamic IP address can be reached via a host name provided by a dynamic DNS provider. Within this update it is possible to have dynamic DNS names updated even if the server is behind another router.

VPN: StrongSwan IPsec

From this version on, strongSwan 5.5.0 is included.

VPN: iOS and Android VPN

From this version on, iPhone L2TP and Android strongSwan are supported. IKEv2 and IKE Config mode simplify the setup of VPN connections.

VPN: Additional DH groups

The Diffie-Hellman method for exchanging keys for VPN connections has been extended. From now on you can use the DH groups 19 to 26 for key exchange (IKE) and data exchange (ESP).

Additional information can be found here.

VPN: New IPsec proposal

The predefined encryption methods and hash algorithms for VPN connections can be assigned to the desired VPN connections. A new and stronger IPsec proposal has been added to the predefined IPsec proposals.

Additional information can be found here.

Authentication: Status of Active Directory Integration

Within this update the integration of Collax Servers into Active Directory environments has been extended. An additional field with extended runtime information is displayed; for this, the Active Directory proxy must be activated. Information regarding the connected Domain Controller (DC) and other useful details is displayed.

Authentication: Importable Active Directory Groups

For groups from the Active Directory management to be displayed, the system must have joined an Active Directory as a member, and the Active Directory proxy must be activated on the system. The listed groups can be integrated into the local policies once they have been included in the management. The users of the AD groups continue to be managed via the Active Directory and are not part of the local system. Within this release some improvements have been implemented.

Authentication: Synchronisation with Active Directory

Until now, the synchronisation of directory objects in Active Directory (AD) environments stopped when the Domain Controller was not reachable during a configuration activation. The synchronisation only resumed after a restart of the service or another configuration activation. This behaviour has been improved within this release through frequent runtime checks of whether the Domain Controller is reachable again.

Add-on Software: New Version of Collax Virus Protection

The virus scanner Collax Virus Protection offers comprehensive antivirus protection for email services. Within this Collax system update the scanner is updated to the newest version.

Add-on Software: New Version of Avira Antivir

The virus scanner Avira Antivir offers comprehensive antivirus protection for email services. Within this Collax system update the scanner is updated to the newest version.

Add-on Software: New Version of Clam-AV

The Open Source virus scanner Clam-AV offers comprehensive antivirus protection for email services. Within this Collax system update the scanner is updated to the newest version.

Misc: Important System Components

This update will also install/update the following important system components:

  • apache2 2.2.31
  • php5 5.6.26
  • perl5.8 5.22.1
  • python 2.7.12
  • openssl 1.0.2j
  • libc6 2.18
  • kernel 4.4.24
  • mariadb 10.0.27
  • squid 3.5.21
  • samba 4.3.11
  • bind 9.9.9.3
  • dhcpd 4.3.4
  • spamassassin 3.4.1

Misc: SSL/TLS Version and local services

When connecting to various local services like the web administration service or IMAP, you can now choose the encryption profile for SSL/TLS: either “compatible” or “modern”. Not all clients support modern TLS (TLS 1.2). For compatibility reasons you can therefore still configure weak TLS (TLS 1.0) for older clients.
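As an added illustration (this is not Collax's configuration code; the mapping of the two profile names to minimum protocol versions is an assumption made here), the following Python shows the weak “compatible” setting beside the “modern” one using the standard library's ssl module, together with a check a practitioner can run against a context before deploying it:

```python
import ssl
import warnings

# Assumed mapping from the two GUI profiles to the lowest TLS version accepted.
PROFILES = {
    "modern": ssl.TLSVersion.TLSv1_2,   # TLS 1.2 and newer only
    "compatible": ssl.TLSVersion.TLSv1, # still accepts TLS 1.0 for legacy clients
}


def build_server_context(profile):
    """Return a server-side SSLContext configured for the named profile.

    Raises ValueError for an unknown profile name. Lowering the floor below
    TLS 1.2 emits a DeprecationWarning on Python >= 3.10; it is silenced here
    because the whole point of the "compatible" profile is that deliberate trade-off.
    """
    if profile not in PROFILES:
        raise ValueError(f"unknown TLS profile {profile!r}")
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.minimum_version = PROFILES[profile]
    return ctx


def effective_minimum(ctx):
    """Name of the lowest protocol version the context will negotiate."""
    return ctx.minimum_version.name


def is_modern(ctx):
    """True if the context refuses everything older than TLS 1.2."""
    return ctx.minimum_version >= ssl.TLSVersion.TLSv1_2


if __name__ == "__main__":
    for name in PROFILES:
        ctx = build_server_context(name)
        print(f"{name:11s} minimum={effective_minimum(ctx):8s} modern={is_modern(ctx)}")
```

The “compatible” profile is the one to audit: once the last TLS 1.0-only client is gone, switching the service to “modern” is a one-line change, and `is_modern()` is the kind of check worth keeping in a configuration test so the weak setting does not silently survive.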

Misc: SDK Changes

For information regarding changes to the Collax Software Development Kit (SDK) please contact our Product Management.

System Management: New Supervisor

A new service supervisor for the Collax platform is being introduced. The supervisor manages system processes and services, including monitoring, logging and starting of processes and services.

System Management: Active Monitoring

Within this update the active monitoring (Nagios) is activated by default after installing the system.

Hardware: Partition Schema

Within this release new installations get a new partition schema. The new minimum size should be 16 GB, and the service partition is removed.

Hardware: PVSCSI Driver for VMWare

VMware’s PVSCSI SCSI driver has been added to simplify installation in VMware environments. The driver supports VMware’s paravirtualized SCSI HBA.

Hardware: VMCI Driver for VMWare

VMware’s Virtual Machine Communication Interface (VMCI) drivers have been added to simplify installation in VMware environments. The driver enables high-speed communication through the VMCI device.

Hardware: Microsoft Hyper-V-Support

Microsoft’s Hyper-V Linux Integration Services drivers have been added to simplify installation in Microsoft Hyper-V environments. The drivers enable high-speed communication through the VMBus network controller and the SCSI controller.

Hardware: Additional hardware support for NVMe-devices

This update brings support for NVM Express (NVMe) devices.

Issues Fixed in this Version

Security: ClamAV (32 Bit) lacks Large Files Support

The maximum size of a file that can be scanned by ClamAV (32-bit version) is 2 GB. If a file larger than 2 GB is downloaded via the web proxy, the ClamAV virus scanner will not scan the file, and the download will be cancelled.

Notes

Security: Intrusion Detection System (IDS/IPS)

Within this release the network based intrusion detection system (IDS) Snort is not available anymore.

GUI: Event Monitor

Within this release the event monitor prelude is not available anymore.

Net: Link Aggregation for ISDN

Link Aggregation for ISDN links is not available any more.

Net: Remote Access via ISDN

Remote Access via ISDN links is not available any more.

Net: Support for Analog Modems

Support for analog modems is not available any more.

Net: Multi Level Firewall

Within this release the Collax Module Multi Level Firewall is not available any more.

Net: Wake on LAN

Wake on LAN (WOL) is not available any more.

Hardware: 32-Bit CPU

Within this release 32-bit hardware is not supported any more. This affects installing on and upgrading 32-bit hardware.

Hardware: HP Smart Array CCISS Driver

The existing Smart Array CCISS driver is replaced with the new HP Smart Array SCSI (HPSA) driver during the upgrade.
