Stormshield Firmware 3.9.0
Wdrożyłem na wszystkich urządzeniach którymi zarządzam wersję oprogramowania 3.9.0. Poniżej podaję listę zmian od wersji poprzedniej.
New features in version 3.9.0
Initial configuration via USB
The mechanism that handles initial configurations via USB drives on firewalls in factory configuration has been improved.
Apart from functions already available in previous firmware versions, such as license imports (files with a “.licence” extension), firmware updates (files with a “.maj” extension), configuration backup imports (files with a “.na” extension), and imports of SMC server connecting packages (files with a “.pack” extension), this mechanism adds functions that import PKCS#12 certificates, import files containing the admin super administrator’s password, and run files containing additional configuration commands (CSV file) which allow, among other functions, high availability clusters to be built.
- Improved management of configuration file backups
- Whenever several firmware versions are on the USB drive, only the most recent version will be applied to the firewall as long as it is from the same major version or the next major version.
Restoring a defective cluster node remotely
The improvements to the mechanism mentioned above, which manages initial configurations via USB drives, combined with the possibility of deleting a secondary node from a cluster without having to enter its serial number, make it possible to replace and configure a defective cluster member remotely.
Certificates and PKI
SCEP (Simple Certificate Enrollment Protocol) aims to facilitate and automate the secure deployment of certificates within a public key infrastructure.
The first implementation of SCEP on SNS firewalls was based on the IETF Draft Nourse specification. This evolution of the SCEP implementation is based on the IETF Draft Gutmann specification, which followed the Nourse draft.
SCEP uses various types of requests encapsulated in HTTP to perform the following operations:
- Distribution of the public key of the certificate authority (CA) that signs certificates,
- Certificate creation or renewal requests by the PKI administrator,
- Certificate creation or renewal requests by the certificate holder (enrollment),
A “profile” that groups the parameters needed in the various SCEP requests (CA name, etc.) can be called up whenever these commands are run in order to simplify their syntax.
The SCEP implementation also includes the polling mechanism that makes it possible to track the evolution of requests to the server that hosts the CAs whenever it is unable to process requests immediately.
In SNS version 3.9.0, these operations can only be performed using PKI SCEP CLI commands. For more information on the syntax of these commands, please refer to the CLI SERVERD Commands Reference Guide.
Stormshield Network SN710, SN910, SN2000 and SN3000
SN710, SN910, SN2000 and SN3000 firewall models support Intel XL710 4-port fiber-optic 10 GbE adapters.
The command HA CLUSTER REMOVE accepts the generic “remote” parameter to designate the cluster’s secondary node without the need to know its serial number:
HA CLUSTER REMOVE serial=”remote”
For more information on the syntax of these commands, please refer to the CLI SERVERD Commands Reference Guide.
Stormshield Management Center
SNS version 3.9.0 allows the firewall to embed an SMC connecting package specifying several administration servers as well as the network interfaces on the firewall that need to be used for the link with each SMC server.
The intrusion prevention engine handles the analysis of the Stream Control Transmission Protocol (SCTP). This protocol, which is used in signaling networks over IP, handles in particular the concept of multi-homing (distribution of traffic to several IP addresses).
The internal DHCP server on firewalls includes two advanced options for the configuration of clients via Bootstrap (BOOTP):
- next-server: IP address of the TFTP server that hosts the client’s configuration file.
- filename: name of the configuration file to be retrieved on the server that was declared earlier.
Web administration interface
Logs (Audit logs) – Alarms and system events
The configuration of Alarms or System events can be accessed directly from a row of logs selected in the respective views.
The link to the SSL proxy’s certificate authority (CA) has been added to the authentication portal’s logout page.
Filter – NAT
Clicking on Search in logs or Search in monitoring to search for a rule with an undefined name would display a message indicating that the search for a nameless rule was unsuccessful.
A search field has been added to the following monitoring modules:
- SSL VPN,
- Black lists / white lists.
Certificates and PKI
New probes regarding the validity dates and statuses of certificate authorities and certificates used in the firewall’s configuration have been added to the firewall’s health indicator (displayed in the upper banner of the we administration interface).
For more information on these probes, please refer to the SNS User guide v3.