Release Notes CSG 7.1.0

Collax Security Gateway
28.02.2019

Installation Notes

Update Instructions

To install this update please follow the following steps:

Procedure

  1. It is highly recommended to backup of all server data with the Collax backup system before proceeding. Check that the backup was successful before proceeding with the update (this can be done within the backup information email).
  2. In the administration interface go to System → System Operation → Software → System Update and press Get Package List. This will download the listed update packages. If successful the message Done! will be displayed on the screen.
  3. Click Get Packages to download the update packages.
  4. Click Install. This installs the update. The end of this process is indicated by the message Done!.
  5. A new kernel will now be installed. The system will reboot automatically after installing the update. An appropriate note will be shown if the update process is completed.

New in this Version

E-Mail: Check recipient address on target server

Starting with this version, the system checks whether the mail server to which the mail is forwarded knows the mail addresses of all recipients. If an address is unknown, the e-mail is rejected. Only if all recipients are known will the e-mail be accepted and forwarded. For verification, an SMTP connection is established and the recipients are queried using the RCPT-TO command. All checks are stored in a cache. A cache entry for a known recipient is valid for 31 days, for an unknown recipient for 3 days.

Web Proxy: Squid 4.4 and better system resource utilization

The squid Web proxy will be upgraded to version 4.0.24 with this update. Newly added options will cause squid to fork more processes to better utilize system resources. The “number of worker processes” can be increased to use more processes in parallel. Also, the maximum amount of RAM squid uses to cache websites can be adjusted. The dialog is located under Networking -> Web Proxy -> Options.

Web Proxy: New Web Proxy Blacklists

With this version, the currently installed Web Proxy Blacklists from urlblacklist.com will be replaced, as they are no longer maintained and available. The new lists are from the University of Toulouse and are provided and updated regularly. Please note that the categories and entries were adjusted. If entries are not correct or missing, they can be reported via a web form. You can find the link here . For a comprehensive solution, which also takes into account German-language offers in particular, is still the Protection of Collax Surf Protection powered by Cobion available.

Collax SSL-VPN: SSL-VPN with HMTL5

The new version of the SSL-VPN module replaces the previous SSL VPN. This will be the basic technology of RDP applications and will replace the Java-based technology completely. The new technology works as a completely clientless remote desktop gateway and allows remote access via the webaccess to a desktop or a console in the local network. That means, that no other components need to be installed next to a browser. The graphical user interface or the console is displayed and operated in the browser. It supports standard protocols such as VNC, RDP, SSH and telnet. Additional functions such as uploading and downloading files, zoom or connection sharing are also possible.

VPN: StrongSwan IPSec

Strongswan, the software for establishing VPNs via IPsec, is being updated to version 5.7.1. The crypto Linux modules now load better, so the best hardware support is automatically used. Furthermore, it is now possible to use the encryption algorithm twofish for IKEv1 connections.

Authentication: memberOf Attribut

The OpenLDAP package contains a modified version of the nis.schema, which allows to search for the group affiliation of posixAccounts with the memberOf attribute.

System Management: Additional network services

Within this update the list of all known services is extended. It is about the allocation of an IP protocol to associated source and destination ports that can be selected under the service name in the system in other dialogs.

Hardware: Additional hardware support

This update brings support for SmartRAID Storage Controllers from Microsemi Adaptec. These include the SmartRAID 315x RAID adapters. Please also update to the latest firmare, (1.60B0 at the moment) otherwise performance and instabilitiy problems may occur.

Collax Information & Security Intelligence: Apply retention now

Newly set retention times are not applied until the scheduled process is run for the first time. Using this action, all indexes that are older than the retention time can be closed and deleted immediately.

Issues Fixed in this Version

Security: Important security relevant System Components

This update will also install/update the following important system components:

  • apt
  • SQLite 3.26.0
  • strongSwan 5.7.1

CVE-2019-3462 / SQLite Release 3.26.0 / CVE-2018-16151 / CVE-2018-17540

Misc: Network-/Self-Monitoring

For self-monitoring of the system, Nagios monitoring is installed. The behavior of the Nagios notification was incorrect and generated incorrect alerts when the server was configured to not respond to ICMP echo requests (ping). With this update, a meaningful detection takes place and no unsettling warning messages are sent.

Collax Information & Security Intelligence: Report as PDF period wrong

There are a number of ready-made reports available. If you view a report in the browser, the set period is taken. However, if you download the report as PDF, the period is always set back to 7 days. This will be fixed with this update.

Notes

E-Mail: Collax Virus Protection powered by Kaspersky prior Version 7

Version 7 of the Collax C servers has updated the anti-virus engine and the format of the patterns. This was done to respond to new threats with the best possible protection. Patterns for versions prior to 7.0.0 will be available until December 31, 2017. From 01.01.2018 Kaspersky will not update the patterns for Collax version 5 and older. All installations using the Collax Virus Protection module should therefore, be brought up to date.

E-Mail: Collax Avira AntiVir prior Version 7.0.24

Version 7.0.24 of the Collax C servers has updated the anti-virus engine and the format of the patterns. This was done to respond to new threats with the best possible protection. Patterns for versions prior to 7.0.24 will be available until December 31, 2018. From 01.01.2019 Avira will not update the patterns for Collax version 7.0.22 and older. All installations using the Collax Avira AntiVir module should therefore, be brought up to date.

Collax Information & Security Intelligence: Modified mapping of the indices

When updating Elastic Stack to 6.4.0, the mapping of the indexes was changed. This prevents Filebeat to write the data to the same index before and after the update. Therefore, after the update has been performed, the resulting data will no longer be included in the index. From 0:00 clock on, Elastic Stack will create a new index and all data from this point will be written again to the index. The data between the end of the update and midnight will be lost. If it is better to renounce to the data before the update, from 0:00 until the end of the update, the index for the current day can be deleted after the update via the administration interface. Then all data will be lost after 0:00 and the deletion of the index.

Collax Information & Security Intelligence: Schema change

A schema change in Release 7.1.0 requires that the elastic stack and beats be updated at the same time. To do this, update the server with the elastic stack and the server with the filebeats one after the other.