Release Notes CSG 7.0.0
Collax Security Gateway
To install this update please follow the following steps:
- It is highly recommended to backup of all server data with the Collax backup system before proceeding. Check that the backup was successful before proceeding with the update (this can be done within the backup information email).
- In the administration interface go to System → System Operation → Software → System Update and press Get Package List. This will download the listed update packages. If successful the message Done! will be displayed on the screen.
- Click Get Packages to download the update packages.
- Click Install. This installs the update. The end of this process is indicated by the message Done!.
- A new kernel will now be installed. The system will reboot automatically after installing the update. An appropriate note will be shown if the update process is completed.
New in this Version
Security: Linux Kernel 4.4.24
Collax Server V7 includes the new long time support (LTS) Kernel 4.4.
Security: System Security
The new Collax V7 Server is a system which is almost 100% (97%) deterministic/reproducable. The collax build system guarantees that binary-files and system-packages (.deb) are build deterministically. All Collax Servers are hardened to reduce the vulnerability and secure the system.
Security: Improved Protection for ssh Denial-Of-Service Attacks
Within this Update the protection for Denial-Of-Service (DoS) and Brute-Force-Attacks for ssh has been improved. The new function allows to ban the IP address from an offender after a certain number of login attempts.
With this update the Web interface is going to be improved and more detailed. Based on the recommendation from Google and the tenets and specifics of material design.
GUI: Network Groups
Within this release network groups can be used. Network groups offer a new configuration approach. In the past, permissions have been configured using the user groups. Network and service permissions have been used in one group together. From now on network groups are created and can be used seperately. All services on the Collax Server whose permissions are assigned exclusively on the basis of an IP address from now on use network groups. If a permission is set, the respective network port is opened in the firewall for the associated networks or hosts.
GUI: Transparent user and network permissions
Within this release permissions for users and permissions for networks are differentiated. So there are user groups and network groups from now on. A number of network groups are created by default. The Internet group contains the “Internet” network as member, i.e. all IP addresses outside the local network ranges. Thus, all permissions granted over this network group apply to all computers anywhere on the Internet.
There are various input boxes where ip addresses have been used in the previous version. Within this release the usage of ip addresses has been renewed. Collax Server V7 now uses host-elements. The term “host” refers to individual computers that are known to the Server. A host as an existing element is needed for various settings regarding the services. Host-elements replace the input boxes for ip addresses.
Web Proxy: Web Proxy and Web Proxy Rules
Please note that the rule set in Collax Server V7 is beeing rewritten. Important: The rewritten rule set should be checked after upgrading the Server.
Web Proxy: Transparent proxy
The transparent proxy can be activated for the service http. Data packages for destination port 80 will be redirected from the firewall to the web-proxy service. Until now the configuration of the transparent proxy was done using the firewall matrix. Within this release, the transparent proxy is being configured through the basic settings of the web-proxy-server under “Services -> Web-Proxy -> Web-Proxy-Server”. By enabling the transparent proxy mode, a DNAT-rule for the service http will be created under “Network -> Firewall -> DNAT/Port Forwarding”.
Web Proxy: No proxy for these hosts
Through the introduction of host-elements, from now on you can configure proxy exceptions for hosts using the select boxes. This dialogue is located under Services -> Web-Proxy -> Web-Proxy-Server in the Options tab. Here you can select the hosts for which no proxy is to be used.
Web Proxy: Sequence of filter rules and drag n drop
The dialog for defining filter rules is located under Services -> Web-Proxy -> Rules. A rule determines which URL lists are valid at what times and whether the URLs in the lists are blocked or allowed. The sequence of the rules is governed by different priorities and can from now on be changed easily using a new drag n drop action.
Net: Firewall Matrix
The firewall matrix is a visual representation of the integrated firewall. From this version on, the matrix can exclusively be used for network groups instead of networks. The upside using network groups insted of networks is a better grouping and better view of the ruleset. Network groups are used for accessing services and relevant for traversing data packets using the Matrix.
Net: Optimized network-stack
Changes in the netlink socket for networking connections are beeing improved within this relases.
Net: Host Analysis
The new function “Host Analsys” located under “System -> Network -> Firewall” can be used to determine the netgroups which are responsible for a given host. You can use that information to determine which netgroup need to be configured to allow access to specific services.
Net: IPv6 Support Preparation ready
All services on the new Collax Server platform are prepared to beeing integrated into IPv6 networks. The IPv6 support will be completed in a future release.
Net: Connection monitoring
The behavior of the “aklinkd” program in some situations has been improved. The new service is rewritten and now called linkd4.
Net: DynDNS behind Router
With dynamic DNS a system with dynamic IP address can be accessed over a host name provided by a dynamic DNS provider. Within this update its possible to have dynamic DNS names updated even if the server is behind another router.
VPN: StrongSwan IPsec
From this version StrongSwan 5.5.0 is going to be implemented.
VPN: iOS and Android VPN
From this version iPhone L2TP and Android StrongSwan support is going to be implemented. IKEv2 and IKE Config mode improve the setup of VPN connections.
VPN: additional DH-Groups
The Diffie and Hellmann method for exchanging keys for VPN connections has been extended. From now on you can use the DH groups 19 - 26 for key exchange (IKE) and data exchange (ESP).
Additional information can be found here .
VPN: new IPSec-proposal
The predefinition of encryption methods and hash algorithms for VPN connections can be assigned to the desired VPN connections. A new and stronger IPsec proposal has been added to the predefined IPsec proposals.
Additional information can be found here .
Authentication: Status of Active Directory Integration
Within this update the integration of Collax Servers into Active-Directory environments have been extended. An additional field with extended runtime information is displayed. Therefore the Active-Directory-Proxy must be activated. Information regarding the connected Domain-Controller (DC) and other useful information is displayed.
Authentication: Importable Active Directory Groups
For groups from the Active Directory management to be displayed, the system must have joined an Active Directory as member, and the Active Directory proxy must be activated on the system. The listed group can be integrated in the local policies after these have been included in the management. The users of the AD groups will continue to be managed via the Active Directory and are not part of the local system. Within this release some improvements have been implemented.
Authentication: Synchronisation with Active Directory
Until now, the synchronisation of directoy objects in Active-Directory (AD) environments stopped, when the Domain Controller wasn’t reachable during a configuration activation. The synchronisation worked only after a restart of the service or another config activation. The behaviour has been improved within this release through frequent runtime checks if the server is reachable again.
Add-on Software: New Version of Collax Virus Protection
The virus scanner Collax Virus Protection offers comprehensive antivirus protection for email services. Within this Collax system update the scanner is updated to the newest version.
Add-on Software: New Version of Avira Antivir
The virus scanner Avira Antivir offers comprehensive antivirus protection for email services. Within this Collax system update the scanner is updated to the newest version.
Add-on Software: New Version of Clam-AV
The Open Source virus scanner Clam-AV offers comprehensive antivirus protection for email services. Within this Collax system update the scanner is updated to the newest version.
Misc: Important System Components
This update will also install/update the following important system components:
- apache2 2.2.31
- php5 5.6.26
- perl5.8 5.22.1
- python 2.7.12
- openssl 1.0.2j
- libc6 2.18
- kernel 4.4.24
- mariadb 10.0.27
- squid 3.5.21
- samba 4.3.11
- bind 184.108.40.206
- dhcpd 4.3.4
- spamassassin 3.4.1
Misc: SSL/TLS Version and local services
By connecting to various local services like the Webadministration-Service or IMAP, from now on you can choose the encryption method for SSL/TLS. You can either choose “compatible” or “modern” now. Not all clients support modern TLS (TLS 1.2). That’s why due to compatibility reason you can still configure weak TLS (TLS 1.0) for older clients.
Misc: SDK Changes
For information regarding changes to the Collax Software Developement Kit (SDK) please contact our Product Management.
System Management: New Supervisor
A new service supervisor for the Collax platform is beeing implemented. The supervisor manages system processes and services likemonitoring, logging and starting of processes and services.
System Management: Active Monitoring
Within this update the active monitoring (Nagios) is activated per default after installing the system.
Within this release new installations get a new paritionschema. A new minimal size should be 16GB and the service partition will be removed.
Hardware: PVSCSI Driver for VMWare
VMware’s PVSCSI SCSI-driver has been added to simplify the installation in VMWare environments. The driver supporte VMWare’s para virtualized SCSI HBA.
Hardware: VMCI Driver for VMWare
VMware’s Virtual Machine Communication Interface drivers have been added to simplify the installation in VMWare environments. The driver enables high-speed communication through the VMCI-device.
Hardware: Microsoft Hyper-V-Support
Microsofts Hyper-V Linux Integration Services drivers have been added to simplify the installation in Microsoft Hyper-V environments. The driver enables high-speed communication through the VMBus-network-controller and the SCSI-controller.
Hardware: Additional hardware support for NVMe-devices
This update brings support for NVM Express (NVMe) Devices.
Issues Fixed in this Version
Security: ClamAV (32 Bit) lacks Large Files Support
The maximum size of file that can be scanned by ClamAV (32Bit version) is 2GB. If a file bigger than 2GB is downloaded via the web proxy the ClamAV virus scanner will not scan the file. Also the download process will be cancelled.
Security: Intrusion Detection System (IDS/IPS)
Within this release the network based intrusion detection system (IDS) Snort is not available anymore.
GUI: Event Monitor
Within this release the event monitor prelude is not available anymore.
Net: ISDN Link Aggregation
Link Aggregation for ISDN links is not available any more.
Net: Remote Access via ISDN
Remote Access via ISDN links is not available any more.
Net: Support for Analog Modems
Support for analog modem is not available any more.
Net: Multi Level Firewall
Within this release the Collax Module Multi Level Firewall is not available any more.
Net: Wake on LAN
Wake on LAN (WOL) is not available any more.
Hardware: 32-Bit CPU
Within this release 32-Bit Hardware is not supported any more. This affects installaing and upgrading 32-Bit hardware.
Hardware: HP Smart Array CCISS Driver
The existing Smart Array CCISS-driver is replaced with the new HP Smart Array SCSI (HPSA) driver during the upgrade.