Embedded NGX 7.5 Release Notes
General Availability Version
March 2008 – Document Revision 11
Contents
INTRODUCTION
  Highlights of This Version
  Supported Platforms
  Availability
  Copyright
CHANGES FROM 7.5 TO 7.5.55
  7.5.55
  7.5.51
  7.5.48
  7.5.45
NEW FEATURES
  New Security Features
  New Networking Features
  New Usability Features
APPENDIX A: SUPPORTED PERIPHERALS
Introduction
Highlights of This Version
Embedded NGX 7.5 incorporates a host of new and improved features, including:
• Internet Connection Load Balancing
• Advanced Firewall Rules
• Advanced NAT Rules
• Reusable Network Service Objects
• Service-Based Routing
• Web Rules
• Enhanced SIP VoIP Support
Supported Platforms
Embedded NGX 7.5 EA supports the following hardware platforms:
• Check Point Safe@Office 100B series
• Check Point Safe@Office 200 series
• Check Point Safe@Office 400W series
• Check Point Safe@Office 500 series
• Check Point UTM-1 Edge (VPN-1 UTM Edge) X series
• Check Point UTM-1 Edge (VPN-1 UTM Edge) W series
• Check Point ZoneAlarm Z100G
• NEC SecureBlade 300
• Nokia IP60
© Copyright 2007 SofaWare Technologies Ltd
SofaWare is a registered trademark of SofaWare Technologies Ltd
Check Point is a registered trademark of Check Point Software Technologies Ltd
Changes from 7.5 to 7.5.55
7.5.55
New Features
Additional USB modems
Support was added for the following USB modems:
• Resolved issue: Dead Connection Detection set on the primary Internet connection, coupled with a secondary PPP Internet connection in Demand mode, may fail to operate as expected.
Connect-on-VPN
• Resolved issue: DHCP relay does not function as expected when used from a bridged network over a VPN link.
• Resolved issue: In rare cases, remote HTTPS and SSH connections to the appliance IP address over VPN may be abnormally terminated.
• Resolved issue: When using more than 10 VPN tunnels simultaneously, connections scanned by VStream Antivirus are sometimes cut.
• Resolved issue: When using WPA security, Windows Vista clients may fail to obtain an IP address using DHCP, and certain broadcast packets may be encrypted with an incorrect key.
• Resolved issue: During an appliance reboot, the gateway continues to appear as “connected” in the Service Center (SMP/SmartCenter).
• Resolved issue: When downloading a CLI script from the Service Center, the managed items are not correctly marked as “Remotely Managed”.
Firewall and Smart Defense
• Resolved issue: SIP ALG does not work correctly through a VPN tunnel.
• Resolved issue: SIP support for Cisco VoIP phones improved.
• Resolved issue: As a normal side effect, SIP ALG processing or IPsec decryption may sometimes shorten packets. In rare cases, fragmented packets that were shortened may be silently dropped or incorrectly transmitted.
VPN
• Resolved issue: In certain cases, IKE Phase 1 failures may cause a memory leak.
• Resolved issue: Disconnects when using L2TP VPN with Apple iPhone clients.
• Resolved issue: When using VPN in “Route all Traffic” mode, certain connections are not established correctly.
• Resolved issue: When configured in a managed VPN community (Enterprise Site), the appliance may fail to connect to externally managed gateways requiring shared-secret authentication.
Wireless
• Resolved issue: Wireless LAN may operate unreliably when using certain wireless devices supporting power save mode (such as BlackBerry).
7.5.48
Issues resolved
Firewall and Smart Defense
• Resolved issue: In certain cases, the appliance may restart when processing SIP IP telephony packets.
Vstream Anti-Virus
• Resolved issue: Specific EXE files are scanned slowly.
Management and settings
• Resolved issue: When upgrading from firmware 7.0, VPN sites and SNMP settings revert to disabled.
• Resolved issue: A potential security vulnerability in the SNMP server was corrected.
7.5.45
New Features
Additional USB modems
Support was added for the following USB modems:
- Cookies set by the HTTPS web server are now marked with the “secure” attribute, so browsers send them only over HTTPS
- HTTPS clients are no longer permitted to negotiate weak 40-bit and 56-bit ciphers
Enhanced L2TP Support
The L2TP server has been enhanced to support the following cases:
- Windows Vista VPN clients behind a NAT device
- Apple iPhone VPN clients
Issues resolved
HTTP/HTTPS
• Resolved issue: A low-severity cross-site scripting (XSS) attack was potentially possible against the configuration web portal. This issue is unlikely to be successfully exploited.
If desired, you can log attempts to access allowed and blocked Web sites. In addition, you can exclude specific IP addresses or address ranges from Web rule enforcement.
Wildcards may be used in web rules to allow partial access to certain web sites.
This feature does not require subscription to the category-based Web Filtering service and can operate in parallel with the subscription service, if desired.
When a site is blocked, a configurable message is displayed to the user. See “Customizable Web Filtering Page”.
Time-Based Rules
It is now possible to define firewall rules that only take effect during certain hours of the day.
This feature is supported for locally defined firewall rules, for locally defined antivirus rules, and for firewall rules downloaded from Check Point SmartCenter (rules using time objects).
Rule Descriptions
A new Description field allows attaching an explanation or remark to each locally defined firewall and antivirus rule. This optional field can be used for naming a rule or for explaining why the rule is needed and under what circumstances.
Reusable Network Service Objects
Embedded NGX 7.5 allows defining custom network service objects in the local Web interface and assigning them unique names. The network service objects can then be used in firewall rules, antivirus rules, and policy-based routing rules.
Network service objects consist of an IP protocol and either a TCP/UDP port or a port range. It is possible to define several non-consecutive port ranges by separating them with commas.
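The following is an added example, not SofaWare or Check Point code: it shows how a rule base built from named service objects (an IP protocol plus a comma-separated list of ports and port ranges) and time-based rules can be evaluated against a packet. The object and rule fields, the sample rules and the "first match wins" evaluation order are assumptions made for the illustration, not the appliance's own data model; the point worth checking is that a time window spanning midnight wraps correctly and that a malformed port specification is rejected rather than silently widened.

```python
"""Added example (not Check Point/SofaWare code): a minimal matcher for
locally defined rules that use named network service objects and an
optional time window.  Object and rule fields are assumptions made for
the illustration; they are not the appliance's own data model."""
from dataclasses import dataclass
from datetime import time
from typing import List, Optional, Tuple

MAX_PORT = 65535


def parse_port_spec(spec: str) -> List[Tuple[int, int]]:
    """Parse '80,443,8000-8080' into inclusive (lo, hi) ranges.

    Non-consecutive ranges are comma-separated, as the release notes say.
    Anything that is not a valid port or an ascending range is rejected
    rather than silently widened, so a typo cannot open extra ports."""
    ranges = []
    for part in spec.replace(" ", "").split(","):
        if not part:
            raise ValueError("empty element in port specification")
        lo, _, hi = part.partition("-")
        lo_n = int(lo)
        hi_n = int(hi) if hi else lo_n
        if not 0 <= lo_n <= hi_n <= MAX_PORT:
            raise ValueError(f"invalid port range: {part}")
        ranges.append((lo_n, hi_n))
    return ranges


def parse_clock(text: str) -> time:
    """'18:30' -> datetime.time(18, 30)."""
    hh, mm = text.split(":")
    return time(int(hh), int(mm))


@dataclass(frozen=True)
class ServiceObject:
    name: str
    protocol: str          # "tcp", "udp" or another IP protocol name
    port_spec: str = ""    # only meaningful for tcp/udp

    def matches(self, protocol: str, dport: Optional[int]) -> bool:
        if protocol != self.protocol:
            return False
        if self.protocol not in ("tcp", "udp"):
            return True    # e.g. "gre": the protocol alone identifies it
        if dport is None:
            return False
        return any(lo <= dport <= hi for lo, hi in parse_port_spec(self.port_spec))


@dataclass(frozen=True)
class TimeWindow:
    start: time
    end: time

    def contains(self, t: time) -> bool:
        # A window such as 18:00-08:00 spans midnight and must wrap.
        if self.start <= self.end:
            return self.start <= t < self.end
        return t >= self.start or t < self.end


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "block"
    service: ServiceObject
    description: str = ""  # the new optional Description field
    window: Optional[TimeWindow] = None

    def applies(self, protocol: str, dport: Optional[int], now: time) -> bool:
        if self.window is not None and not self.window.contains(now):
            return False   # the rule is simply inactive outside its hours
        return self.service.matches(protocol, dport)


def first_match(rules: List[Rule], protocol: str, dport: Optional[int],
                now: time) -> Optional[Rule]:
    """Rules are evaluated top-down; the first rule that applies decides."""
    for rule in rules:
        if rule.applies(protocol, dport, now):
            return rule
    return None


# Constructed sample objects and rule base (assumed, for illustration only).
WEB_ALT = ServiceObject("web-alt", "tcp", "80,443,8000-8080")
RDP = ServiceObject("rdp", "tcp", "3389")
RULES = [
    Rule("block", RDP, "No RDP outside office hours",
         TimeWindow(parse_clock("18:00"), parse_clock("08:00"))),
    Rule("allow", RDP, "RDP during office hours"),
    Rule("allow", WEB_ALT, "Outbound web on standard and alternate ports"),
]


def decide(protocol: str, dport: Optional[int], clock: str) -> str:
    """Verdict for one packet at wall-clock time 'HH:MM'; no match means block."""
    rule = first_match(RULES, protocol, dport, parse_clock(clock))
    return rule.action if rule else "block"
```

With the sample rule base, RDP is blocked at 20:00 and allowed at 10:00, while web traffic to port 8080 is allowed at any hour; a specification such as "8080-8000" raises instead of being accepted.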
Allow & Forward Rules with Destination IP Address
It is now possible to define “Allow & Forward” rules with a specific destination IP address. This allows defining NAT forwarding rules that only take effect when accessing a certain IP address.
Embedded NGX 7.5 allows defining different forwarding rules for each external IP address. For example, consider a case in which the gateway has two public IP addresses, 62.98.112.1 and 62.98.112.2, and the network contains two private Web servers, A and B. It is now possible to forward all HTTP traffic with the destination 62.98.112.1 to server A, while mapping all HTTP traffic with the destination 62.98.112.2 to server B. Previously, this was only possible using static NAT mappings.
Advanced users can also use this feature for outgoing traffic, creating “transparent proxy” rules that divert all traffic destined for a certain IP address to a different IP address.
Advanced Address Translation Rule Base
Embedded NGX 7.5 allows configuring advanced network address translation (NAT) rules in the local management interface.
The Address Translation table is divided into Original Packet and Translated Packet sections. The Original Packet section specifies the conditions under which the rule is applied, and the Translated Packet section specifies the action taken when the rule is applied. You can change the source IP address, the destination IP address, the service, or any combination of the above.
When translating an IP address range to another IP address range of the same size, static NAT is performed.
When translating an IP address range to a smaller IP address range, static NAT is performed for all but the last address in the translated range, and hide NAT is used to hide all the remaining addresses in the original range behind the last IP address in the translated range.
NAT rules can be implicitly defined through a number of methods: by enabling “Hide NAT” on an internal network, by creating an “Allow & Forward” firewall rule, or by configuring static NAT for a network object. In addition, NAT rules can be received from the SmartCenter policy editor. Implicitly defined NAT rules are displayed in the Address Translation table, but cannot be edited.
Note: This feature is not available in the ZoneAlarm Secure Wireless Router Z100G.
New SmartDefense Protection: Checksum Verification
When this protection is enabled, SmartDefense identifies and drops IP, TCP, or UDP packets with incorrect checksums.
New SmartDefense Protection: Urgent Flag Clearing
The URG flag is used to indicate that urgent data exists in a TCP stream, and that the data should be delivered with high priority. Since handling of the URG flag is inconsistent between different operating systems, allowing the URG flag may enable an attacker to conceal certain attacks.
By default, SmartDefense automatically clears the URG flag to ensure security.
To allow the URG flag, in the SmartDefense tree's TCP > Flags node, set the URG Flag field to Allow. To prevent the URG flag from being used, set the URG Flag field to Clear.
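The Checksum Verification and Urgent Flag Clearing protections interact: clearing URG (and the urgent pointer) rewrites the TCP header, so the TCP checksum has to be recomputed or the sanitised packet would fail the very checksum check that runs beside it. The block below, an added example rather than Check Point code, verifies the IPv4 header checksum and the TCP/UDP checksum (with the IPv4 rule that a zero UDP checksum means "none"), then clears URG and recomputes. The sample packet is constructed here with standard-library calls only.

```python
"""Added example (not Check Point code): the Checksum Verification and
Urgent Flag Clearing protections, implemented over raw IPv4 packets with
the standard library only.  The sample packet is constructed here for the
illustration.  Clearing URG changes the TCP header, so the TCP checksum is
recomputed afterwards; otherwise the sanitised packet would itself fail
the checksum check."""
import ipaddress
import struct

URG = 0x20
TCP, UDP = 6, 17


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum over 16-bit words (odd trailing byte zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ip_header_len(pkt: bytes) -> int:
    return (pkt[0] & 0x0F) * 4


def ip_checksum_ok(pkt: bytes) -> bool:
    # With a correct checksum field in place the header sums to 0xFFFF, so
    # the complemented sum over the whole header is zero.
    return ones_complement_sum(pkt[:ip_header_len(pkt)]) == 0


def pseudo_header(pkt: bytes) -> bytes:
    """IPv4 pseudo header used by both the TCP and UDP checksums."""
    ihl = ip_header_len(pkt)
    total_len = struct.unpack("!H", pkt[2:4])[0]
    return pkt[12:20] + struct.pack("!BBH", 0, pkt[9], total_len - ihl)


def l4_checksum_ok(pkt: bytes) -> bool:
    proto, seg = pkt[9], pkt[ip_header_len(pkt):]
    if proto == UDP and seg[6:8] == b"\x00\x00":
        return True   # IPv4 UDP: zero means the sender computed none
    if proto not in (TCP, UDP):
        return True   # nothing to verify at this layer for other protocols
    return ones_complement_sum(pseudo_header(pkt) + seg) == 0


def fix_tcp_checksum(pkt: bytes) -> bytes:
    ihl = ip_header_len(pkt)
    seg = bytearray(pkt[ihl:])
    seg[16:18] = b"\x00\x00"
    seg[16:18] = struct.pack("!H", ones_complement_sum(pseudo_header(pkt) + bytes(seg)))
    return pkt[:ihl] + bytes(seg)


def clear_urg(pkt: bytes) -> bytes:
    """Clear URG, zero the urgent pointer, then recompute the TCP checksum."""
    ihl = ip_header_len(pkt)
    seg = bytearray(pkt[ihl:])
    seg[13] &= ~URG & 0xFF
    seg[18:20] = b"\x00\x00"
    return fix_tcp_checksum(pkt[:ihl] + bytes(seg))


def urg_set(pkt: bytes) -> bool:
    return bool(pkt[ip_header_len(pkt) + 13] & URG)


def inspect(pkt: bytes, urg_policy: str = "clear"):
    """Return (verdict, packet): 'drop' on a bad IP or TCP/UDP checksum,
    otherwise 'accept' with URG cleared (the default) or left in place
    when urg_policy is 'allow'."""
    if not ip_checksum_ok(pkt) or not l4_checksum_ok(pkt):
        return "drop", pkt
    if pkt[9] == TCP and urg_policy == "clear" and urg_set(pkt):
        return "accept", clear_urg(pkt)
    return "accept", pkt


def build_packet(src="192.0.2.10", dst="198.51.100.20", flags=0x18 | URG,
                 payload=b"hello") -> bytes:
    """Constructed IPv4/TCP sample with valid checksums (PSH|ACK|URG by default)."""
    tcp_len = 20 + len(payload)
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0x1234, 0x4000,
                               64, TCP, 0, ipaddress.IPv4Address(src).packed,
                               ipaddress.IPv4Address(dst).packed))
    ip[10:12] = struct.pack("!H", ones_complement_sum(bytes(ip)))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1000, 2000, 5 << 4, flags, 65535, 0, 5)
    return fix_tcp_checksum(bytes(ip) + tcp + payload)
```

A single flipped byte in either header turns the verdict into "drop"; with the default policy the accepted packet comes back with URG cleared, the urgent pointer zeroed and a checksum that still verifies.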
New SmartDefense Protection: Sequence Number Verifier
When this protection is enabled, Embedded NGX examines each TCP packet's sequence number and checks whether it matches the tracked state of the TCP connection. You can configure how the appliance handles packets that belong to a TCP connection in terms of the TCP session but have incorrect sequence numbers.
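The check such a verifier performs is the RFC 793 segment acceptability test against the receiver's expected sequence number and window, and the detail practitioners get wrong is the 32-bit wraparound. The following is an added example, not Check Point code: the connection table, its flow key and the configurable action for out-of-window segments are assumptions for the illustration.

```python
"""Added example (not Check Point code): the acceptability test a
Sequence Number Verifier performs on a segment that belongs to a tracked
connection, written with 32-bit wraparound handled.  The connection
table, its key and the configurable 'action' are assumptions for the
illustration."""
MOD = 1 << 32


def seq_in_window(seq: int, seg_len: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """RFC 793 acceptability test in modular arithmetic, so a window that
    straddles 0xFFFFFFFF -> 0 is handled like any other."""
    def inside(x: int) -> bool:
        return (x - rcv_nxt) % MOD < rcv_wnd
    if rcv_wnd == 0:
        return seg_len == 0 and seq % MOD == rcv_nxt
    if seg_len == 0:
        return inside(seq)
    # data segments are acceptable if either end falls inside the window
    return inside(seq) or inside(seq + seg_len - 1)


class SequenceVerifier:
    def __init__(self, action: str = "drop"):
        self.action = action   # verdict for an out-of-window segment (configurable)
        self.conns = {}        # flow key -> {"rcv_nxt": int, "rcv_wnd": int}

    def track(self, key, rcv_nxt: int, rcv_wnd: int) -> None:
        """Seed state for a connection the firewall has already seen set up."""
        self.conns[key] = {"rcv_nxt": rcv_nxt % MOD, "rcv_wnd": rcv_wnd}

    def check(self, key, seq: int, seg_len: int) -> str:
        state = self.conns.get(key)
        if state is None:
            return "no-state"  # not a decision this protection makes
        if not seq_in_window(seq, seg_len, state["rcv_nxt"], state["rcv_wnd"]):
            return self.action
        if seq % MOD == state["rcv_nxt"]:
            # in-order data: advance what we expect next, modulo 2^32
            state["rcv_nxt"] = (seq + seg_len) % MOD
        return "accept"
```

Seeding a connection just below 0xFFFFFFFF and feeding it two in-order segments shows the expected sequence number wrapping to a small value; a segment far outside the window, or one entirely before it, gets the configured action.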
Secure HotSpot: Redirect URL
The Secure HotSpot feature now allows defining an optional “Redirect URL”. When a “Redirect URL” is defined, every user who successfully authenticates to the Secure HotSpot is automatically redirected to the specified URL. For example, the “Redirect URL” can be your company's Web site or a “Welcome” page.
This feature is supported on the following platforms: UTM-1 Edge, Safe@Office 500 with Power Pack, Safe@Office 225, and Safe@Office 410/425.
Remote Desktop Access Granular Permissions
Embedded NGX includes an integrated client for Microsoft Terminal Services, allowing convenient clientless access to your Windows computers from anywhere, via the my.firewall portal. System administrators can remotely access the desktop of each employee's computer, and even redirect printers or ports to a remote computer.
Starting from Embedded NGX 7.5, granular permissions are available for Remote Desktop Access, enabling an administrator to limit the Remote Desktop Access feature to a restricted set of users. Non-administrator users who have the “Remote Desktop” permission now log in to the Embedded NGX web-based configuration portal, my.firewall, and gain access to a restricted portal, showing only the “Active Computers” page and allowing access to the Remote Desktop Access feature.
Enhanced SIP Support
Embedded NGX 7.5 now includes a dedicated ALG (Application Level Gateway) for SIP (Session Initiation Protocol), the popular signaling protocol commonly used for IP telephony (VoIP). This ALG enables easy NAT and firewall traversal. Note:
1. Embedded NGX 7.5 supports SIP over UDP. SIP over TCP is currently not supported.
2. A SIP proxy must be used, and the proxy must not reside in the same network as the SIP client.
Enhanced VPN Topology Display
An enhanced topology viewer is now available, for convenient display of the VPN network topology. The VPN topology viewer is accessible from the “Active Tunnels” page in the web user interface.
New Networking Features
WAN Load Balancing
Embedded NGX 7.5 supports WAN load balancing. When WAN load balancing is enabled, two Internet connections can be used in parallel, and the load is automatically distributed between them, based on available bandwidth.
To prevent disruption of stateful protocols, load balancing is performed on a per source IP address and destination IP address basis, meaning that all traffic from a certain source IP address to a certain destination IP address will be consistently sent over the same Internet connection. In the case of a single client communicating with a single server, no throughput benefit will be realized; however, in typical network conditions, where multiple clients or servers are active, bandwidth-based load balancing can balance the use of both Internet connections exceptionally well, effectively doubling the available bandwidth.
By default, the load distribution is symmetric; however, it is possible to achieve non-symmetric balancing by assigning a different weight to each Internet connection.
To ensure continuous Internet connectivity, an Internet connection that fails for any reason is automatically excluded from load balancing.
Note: This feature is supported on the following platforms: UTM-1 Edge X series, UTM-1 Edge W series, Safe@Office 500, Safe@Office 225, and Safe@Office 425.
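The three properties described above (a given source/destination pair always uses the same link, weights skew the split, and a failed link drops out of the rotation) can all be obtained from one deterministic hash. The block below is an added example, not Check Point code; the release notes do not say how the appliance chooses a link, and the weighted rendezvous hashing used here, the link names, the weights and the sample hosts are assumptions for the illustration. Rendezvous hashing is chosen because when a failed link comes back only the pairs that originally belonged to it move, so sessions on the surviving link are not disturbed.

```python
"""Added example (not Check Point code): per source/destination pair
assignment of traffic to two Internet connections with per-link weights
and exclusion of a failed link, the behaviour the release notes describe.
Link names, weights, the hash function and the sample hosts are
assumptions for the illustration."""
import hashlib
import math
from typing import Dict, Iterable, List, Optional, Tuple


class WanBalancer:
    def __init__(self, weights: Dict[str, int]):
        # Equal weights give the default symmetric split; unequal weights
        # give the non-symmetric balancing the notes mention.
        if not weights or any(w <= 0 for w in weights.values()):
            raise ValueError("every link needs a positive weight")
        self.weights = dict(weights)
        self.failed = set()

    def mark_failed(self, link: str) -> None:
        self.failed.add(link)

    def mark_restored(self, link: str) -> None:
        self.failed.discard(link)

    def active(self) -> List[str]:
        return [l for l in self.weights if l not in self.failed]

    def _score(self, link: str, src_ip: str, dst_ip: str) -> float:
        # Weighted rendezvous hashing: each link scores the (src, dst) pair
        # independently, so removing one link only moves the pairs that were
        # on it, and the chance of winning is proportional to the weight.
        h = hashlib.sha256(f"{link}|{src_ip}|{dst_ip}".encode()).digest()
        u = (int.from_bytes(h[:8], "big") + 1) / (2 ** 64 + 1)  # in (0, 1)
        return -self.weights[link] / math.log(u)

    def pick(self, src_ip: str, dst_ip: str) -> Optional[str]:
        """Link for every packet between src_ip and dst_ip; None if all failed."""
        links = self.active()
        if not links:
            return None
        return max(links, key=lambda l: self._score(l, src_ip, dst_ip))


def distribution(balancer: WanBalancer, pairs: Iterable[Tuple[str, str]]) -> Dict[str, int]:
    """How many (src, dst) pairs land on each link."""
    counts: Dict[str, int] = {}
    for src, dst in pairs:
        link = balancer.pick(src, dst)
        counts[link] = counts.get(link, 0) + 1
    return counts


# Constructed sample: 1000 distinct internal hosts talking to one server.
SAMPLE_PAIRS = [(f"10.0.{n // 256}.{n % 256}", "198.51.100.20") for n in range(1000)]
```

With equal weights the thousand sample pairs split roughly evenly; with weights 3:1 about three quarters land on the heavier link; failing one link sends everything to the other, and restoring it returns every pair to exactly the link it had before. A single client talking to a single server always lands on one link, which is the "no throughput benefit" case the notes call out.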
ADSL Configuration Assistant
Embedded NGX 7.5 ADSL appliances offer an ADSL configuration assistant. To use the ADSL Configuration Assistant, choose your country and ISP, then click OK. The appropriate
still change these settings manually at a later time, if needed.
The ADSL Configuration Assistant appears in both the ADSL Setup Wizard and in the Internet Setup page.
The full list of ISPs supported by the ADSL Configuration Assistant is provided separately.
Note: This feature is available in all appliance models with an integrated ADSL modem, including UTM-1 Edge X/W ADSL and Safe@Office 500/500W ADSL.
ADSL IPoA Support
Embedded NGX 7.5 ADSL appliances now support the IPoA (IP over ATM) connectivity protocol, used by certain ADSL service providers.
Bridged / Unnumbered PPPoA Support
Embedded NGX 7.5 ADSL appliances now support bridge mode for PPPoA ADSL Internet connections. This enables the Embedded NGX ADSL appliance to connect to ISPs who use “Unnumbered” PPPoA mode.
Routing Table Report
Embedded NGX 7.5 includes a new Routing Table report, providing an easy view of the routing table currently in effect. The table shows the route's source, destination, gateway IP address, metric, and interface.
In addition, the table's Origin field displays the route's type:
• Connected Routes - Routes to networks directly connected to the appliance
• Static Routes - Routes to networks connected through a router
• Dynamic Routes - Routes obtained through a dynamic routing protocol
The same routing table information can also be obtained through the “info routes” CLI command.