Upgrades

Release notice for Ingate Firewall® 4.4.1 and Ingate SIParator® 4.4.1

Release name: Ingate Firewall® 4.4.1
Ingate SIParator® 4.4.1
Release date: 2006-05-30

This release supports SRTP (SIP media encryption), time-limited evaluation modules, load logging for CPU and memory usage fixes one security problem, several issues related to SIP media setup and reduces the number of updates to flash memory for certain models. Additionally it resolves a few other issues. We recommend that everybody upgrade.

The new version and the user manual can be found at: www.ingate.com/upgrades/

Security improvements

  • A Denial of Service attack against SSL/TLS has been fixed. A remote attacker could perform a carefully crafted SSL/TLS handshake against the SIP module, causing it to crash and restart. This is only possible if TLS is enabled for the SIP module. The attack could also be performed against the webserver if SSL/TLS was enabled. [Tracking ID: 2605]
  • A vulnerability for XSS exploits has been fixed. The security cookie used for accessing the GUI of the product may be stolen and used for logging in to the product from a host or network configured to be accepted for configuration. The attack requires knowledge about the IP address of the Ingate product in use. The administrator must be tricked to follow a link on a malicious web site using the same client and browser he or she uses for accessing the Ingate product. This may enable the malicious site to steal the cookie without the administrator's notice. The timing of the theft is critical, since the security token has a limited lifetime of 10 minutes. The administrator must follow a link on the malicious site within 10 minutes after accessing the Ingate product, or the attack will fail. [Tracking ID: 2174]

New SIP functionality

  • The SIParator can now be configured in a MEDIAtor mode. The MEDIAtor mode enables a Microsoft Live Communication Server Access Proxy to support media traversal for Federated and Remote users. The Ingate SIParator must in this mode be connected in parallel with the LCS AP. Currently this mode requires a specific license file to be loaded on the SIParator. A software plug-in (windows service) needs to be loaded on the LCS AP. Contact sales@ingate.com if you would like to obtain license and plug-in. [Tracking ID: 2274]
  • SRTP transcoding using sdescriptions as key exchange method is now supported. This enables the Ingate product to encrypt and decrypt media using SRTP. [Tracking ID: 2169, 2230]
  • Support for mutual TLS authentication for SIP (X.509 TLS client certificates) has been added. [Tracking ID: 1882]
  • Call Admission Control is now supported by the QoS module. The administrator can reserve bandwidth for SIP media in the QoS module. If the remaining part of the reserved bandwidth is less than what is needed to initiate a new call, the call is not set up, and the response "486 Busy here" is returned to the initiator. [Tracking ID: 1256]
  • Sessions with media failures such as one-way media or an ended media session can now be detected, logged and terminated by the SIP module. [Tracking IDs: 1649, 1650]
  • The performance of the SIP registrar has been improved. [Tracking ID: 294]
  • Several improvements have been made to enable more effective log search for SIP. SIP messages can now be filtered on:
    • Call-ID
    • Method
    • IP address
    • From header URI
    • To header URI
    Messages that are being resent are marked to indicate that. [Tracking ID: 242, 328, 2405]
  • The SIP module can now be configured to listen to other ports in addition to the standard ports 5060 and 5061. [Tracking ID: 1539]
  • Handling of media streams related to SIP servers that are implemented as B2BUAs has been redesigned for the purpose of improved interoperability. [Tracking ID: 2062, 2183, 2200, 2334, 2410]
  • Messages using the tel URI scheme can be routed to the outbound proxy. [Tracking ID: 1615]
  • The SIP module may now be forced to lock on sender IP address for media streams (based on the SIP signaling), ensuring that media arrives from the same endpoint adress that media is sent to. [Tracking ID: 1864]
  • Intermediate CA certificates are now supported by the SIP module and for HTTPS login to the GUI. [Tracking ID: 2604]
  • The order of some SIP routing related features are now configurable. The order of DNS override, Dial plan and the registrar can be configured. [Tracking ID: 2435]
  • RADIUS Accounting may now be done with the SIP module acting as a B2BUA, which enforces SIP signaling not to by-pass the SIP module. [Tracking ID: 2319]
  • The P-Asserted-Identity Header (RFC 3325) is now supported. [Tracking ID: 2337]
  • When the SIP module connects to a SIP server using TLS, it requires that the remote certificate is signed by a configured CA certificate. A configurable option is introduced to allow for checking that the domain specified in the certificate matches the domain that the SIP module tries to connect to. [Tracking ID: 2451]
  • The status of SIP servers being monitored is now displayed on the SIP Status page in the GUI. [Tracking ID: 2430]
  • Wildcard matching in the User Routing table is now supported. This enables users authenticated with a RADIUS server to have incoming calls forwarded to voicemail. [Tracking ID: 2256]
  • SIP messages that lack Content-Type or Contact headers when such headers should be included are now blocked and logged. [Tracking ID: 2181]
  • The fact that the SDP of the response includes fewer media sessions than the SDP of the INVITE is now logged. [Tracking ID: 2431]
  • A restriction of DNS domain length in the SIP module to 86 characters has been removed. The limit is now 255 characters which is the maximum length of a domain name. [Tracking ID: 666]
  • Multiple media sources are now supported if media destination expects multiple streams. [Tracking ID: 2039]
  • Support for the BENOTIFY method has been added. [Tracking ID: 1694]
  • The SIP version number is now checked for all received requests and responses. [Tracking ID: 1114]
  • Absolute URIs are now supported in the Refer-To header. [Tracking ID: 1829]
  • SSLv2 acceptance and usage by the SIP module is now configurable. [Tracking ID: 1771, 1773]
  • Multiple media sections in the SDP header using the same port are now supported. [Tracking ID: 1862]
  • An error control has been added to ensure that a voice mail server is configured when being refered to in the User Routing table. [Tracking ID: 2542]
  • An error control has been added to avoid a configuration with the SIP module enabled, Default Policy set to "local only" and no local SIP domain entered. This configuration causes an error message to be shown in the GUI as the combination prohibits all SIP traffic. [Tracking ID: 2561]
  • An error control has been added to prohibit more than 10 media streams per session. [Tracking ID: 2600]
  • Usage of SIP registrations and SIP traversal licenses are now logged. [Tracking ID: 2713]

Other new functionality

  • A reminder that the preliminary configuration is changed but not applied is now shown in the GUI as soon as a change is made to the preliminary configuration. [Tracking ID: 369]
  • The DHCP client can now be configured to obtain DNS, syslog and NTP server information. [Tracking ID: 264, 265, 266]
  • Active DHCP leases of the internal DHCP server are now displayed in the GUI. [Tracking ID: 444]
  • The builtin DHCP server can now be made to pass on info, like DNS servers, from the DHCP client. [Tracking ID: 1034]
  • The load log has been augmented with information on CPU load and memory usage. [Tracking ID: 2420]
  • IPsec tunnel information and status can now be obtained via an SNMP query. [Tracking ID: 2233]
  • SNMP traps are now sent when IPsec tunnel status changes. [Tracking ID: 2107]
  • The administrator may now configure certain conntrack timeouts.
    • timeout for ICMP connections
    • timeout for established TCP connections
    • timeout for one-way UDP connections
    • timeout for two-way UDP connections
    These settings are found on the Advanced page under Basic Configuration. [Tracking ID: 703]
  • The software modules Advanced SIP Routing, VoIP Survival, Remote SIP Connectivity and QoS can now be made available for limited time for evaluation purposes. Contact sales@ingate.com to obtain evaluation licenses. [Tracking ID: 1467]
  • The Dynamic FTP Management service may now be used for other server ports than 21. [Tracking ID: 757]
  • The name of the unit (defined by the administrator on the Basic Configuration page) is now displayed on the LCD at run time (models 45/1450, 60/1600 and 90/1900). [Tracking ID: 2421]
  • Firewall rules may now be enabled or disabled in the GUI. Each rule may also be given a free text comment. [Tracking ID: 405, 766]
  • Syslog messages can now be sent to multiple syslog servers. [Tracking ID: 2707]
  • A SIParator may now obtain dynamic IP addresses using DHCP or PPPoE. [Tracking ID: 1125]
  • A SIParator can now use all its interfaces when working in DMZ/LAN or Standalone mode. [Tracking ID: 2549]
  • It is from now on possible to downgrade to an older version even though patches have been installed. [Tracking ID: 1240]
  • A special log category for broadcast packets has been added. [Tracking ID: 76]
  • A limit for the time that can be spent on a log search has been implemented on the Logview page. [Tracking ID: 1849]
  • The default status for a new PPTP user is now "On" instead of "Off". [Tracking ID: 2332]
  • The new firewall types "Dynamic RTSP management" and "Dynamic TFTP management" have been added on the Services page. [Tracking IDs: 2398, 2456]
  • When a new row is created in the IPsec peers table new default values are used for the Status, RADIUS and ISAKMP lifetime fields. The new default values are On, Off and 3600 respectively. [Tracking ID: 2574]
  • Web pages (in the Ingate GUI) are now positioned at the table in question when adding rows to a table. The Logview page is positioned at the top log row when a log search has been performed. [Tracking ID: 649, 1703]

Fixed SIP-related problems

  • The source address used for SIP signaling is now more deterministic. Responses are always sent back from the same interface/port as the request was received on. All communication with a specific UA (within a certain time frame) will use the same source address. For new connections, the address specified in the Directly Connected Network table and port 5060/5061 will be used. [Tracking ID: 1440]
  • A bug that caused the SIP module not to add an Expires header when configured to do so and not being the registrar has been fixed. [Tracking ID: 1879]
  • An issue where the SIP module absorbed resent 2xx responses after a lost ACK message has been fixed. [Tracking ID: 2271]
  • A parameter (fent) for internal usage is no longer added to the Request-URI of SIP messages being sent from the firewall/SIParator. [Tracking ID: 2340]
  • An issue related to the SIP module not recognizing a CANCEL to an existing transaction has been fixed. [Tracking ID: 2395]
  • An issue with the Contact header being rewritten differently in re-INVITE than in the original INVITE is now fixed. [Tracking ID: 2403]
  • The option '-' in the DNS Override table has been removed. In configurations where '-' is selected, this will be converted to 'UDP'. [Tracking ID: 2043]
  • An issue with host names in Via or Contact headers has been fixed. [Tracking ID: 1852]
  • An issue with failed TLS connection attempts causing the SIP module to restart has been fixed. [Tracking ID: 2525]
  • An issue with SIP clients behind a far-end NAT trying to make a call using an XF/Register account has been fixed. [Tracking ID: 2568]
  • An issue with the From Domain field in the SIP outbound proxy table has been fixed. [Tracking ID: 2569]
  • Various issues with the Vonage user account have been fixed. [Tracking ID: 2594, 2621, 2625]
  • An issue with bodies containing a NULL '\0' byte has been fixed. [Tracking ID: 1163]
  • A problem causing one-way media in a far-end NAT scenario after a HOLD has been fixed. [Tracking ID: 2426]
  • An issue where traversal licenses are consumed even though media does not traverse the Ingate unit has been fixed. [Tracking ID: 2725]

Other fixed problems

  • An issue that required that the firewall was rebooted to properly remove an IPsec CA has been fixed. IPSec CAs can now be removed without rebooting. [Tracking ID: 1178]
  • An issue with the DynDNS client not being able to update the configured account has been fixed. [Tracking ID: 2638]
  • Packets belonging to a port forwarding relay were always put into the default QoS class, even if the matched a specific class. This has now been fixed. [Tracking ID: 585]
  • The DHCP server now uses persistent storage for the lease file. This increases the possibility of clients retaining their IP address after a reboot of the Ingate unit. This applies to models with hard disk. [Tracking ID: 1422]
  • A VPN issue related to using many private addresses in e.g. IPsec tunneled networks limiting the number of possible IPsec peers has been fixed. [Tracking ID: 2708]
  • In some cases IPsec would not work when PPPoE and/or PPTP was also enabled. This could prevent IPsec tunnels from being negotiated. This has now been fixed. [Tracking ID: 2428]
  • You could get a traceback when viewing the IPsec Status page in the GUI if all peers were located on an interface that use dynamic IP and that interface had not yet acquired an IP address. This has been fixed. [Tracking ID: 2433]
  • When the PPTP server was enabled, TCP port 1723 would be reserved for it on all interface. This has been fixed so that the port is only bound on the configured PPTP server IP address. [Tracking ID: 2464]
  • If the same X.509 certificate was used for both HTTPS and IPsec RADIUS authentication, configuration of the product via HTTPS would not work. This is now fixed. [Tracking ID: 2529]
  • An issue with load log overflow has been fixed. [Tracking ID: 2543]

Removed functionality

  • The IPsec implementation no longer supports Diffie-Hellman group 1 (MODP768).

Known problems

Known VPN-related problems

These problems are only relevant if IPsec or the built-in PPTP server is used.

  • Packets with a destination address that belongs to either end of a tunnel will appear to be encrypted in the log, even when they should not be encrypted. This is a problem with the log only. [Tracking ID: 46]
  • The local endpoint must be chosen so that it is the address closest to the next-hop router for that peer. This means that mobile clients must always connect via the same interface (typically the interface connected to the Internet). [Tracking ID: 508]

Known SIP-related problems

These problems are only relevant if the SIP module is enabled.

  • The SIP module may block while it waits for RADIUS authentication. This effectively means that only RADIUS servers located on a LAN should be used. Additionally the RADIUS server should preferably not enable any brute force attack prevention mechanism that delays the response in case of a faulty username/password combination. [Tracking ID: 1425]

Known Failover-related problems

This problem is only relevant if failover is used.

  • Upgrading a failover team is a complex operation. To upgrade it, you must break the team and upgrade each machine in turn. This will require a number of reboots and network outages. See the separate failover upgrade document which is available on the upgrade web. [Tracking ID: 499]
« BACK
Ingate Firewalls
Ingate SIParators
Other products
 Box 10013, SE-121 26 Stockholm, Sweden  |  +46-(0)8-600 77 50  |  info@ingate.com  |  Contact us  |  webmaster@ingate.com  |  Home  
  How Ingate uses cookies