Release notice for Ingate Firewall(R) 6.0.1 and Ingate SIParator(R) 6.0.1

Release name: Ingate Firewall(R) 6.0.1
              Ingate SIParator(R) 6.0.1
Release date: July 11, 2017

The new version and User Manuals can be found at:
https://www.ingate.com/Upgrades.php

This is a major release with new functions and features, security and other
enhancements and improvements, and it also includes earlier customer-requested
patches. It is available for all currently supported hardware (not the old
FW1190/S19) and for the Software SIParator/Firewall (after switching the
hypervisor to 64-bit support, if it is currently set to 32-bit). Customers
previously using patches should check the "Integrates patch:" notices below to
see whether a new setting is available or required for invoking the patch
function. We recommend that everybody upgrade.

THE MAJOR NEW FUNCTIONS AND FEATURES ARE:

* WebSockets and Secure WebSockets (WS/WSS) are now supported as SIP transports,
allowing web-browser-based SIP clients, and the commonly open ports 80 (HTTP)
and 443 (HTTPS), to be used.

* A general high-capacity media proxy supporting transcoding of WebRTC-type
media (DTLS-SRTP) to SIP-type media (RTP/SRTP), with or without ICE, and
RTCP-MUX termination.

This allows the SIParator (including its SIP Proxy, SIP Registrar etc.) to be
used in demanding WebRTC-to/from-SIP gateway services with a capacity of over
10 000 voice media sessions, currently limited only by CCS session licenses
(which may change). (TURN support and more WebRTC-related functions are in
progress.)

* Full IPv6 support, for SIP and other functionality including VPN and general
firewall functions.

* All Transports: UDP, TCP, TLS, WS, WSS can independently be used for SIP
signaling passing the SIParator SIP Proxy Interfaces, using IPv4 or IPv6.

* Media is independently converted between IPv6 and IPv4 (through the media
proxy), if required.

* Further strengthening of the already powerful firewall data and SIP security
and protection capabilities, especially for large cloud SIP and WebRTC services
where TLS and WSS are used:
- CPU saturation protection and multi-core SSL initialization offload (very
resilient against DoS/DDoS attacks).
- Brute Force SIP Authentication protection is now also active with the
SIParator/Firewall in SIP Proxy pass-through mode, and the protection is
enhanced by a silence timer.
- Enhanced SIP IDS/IPS protection, with an installed and customer-extendable
rule pack and SIP signaling rate limiting at two levels (IP address and regular
expression match, which accommodates enterprises with many users signaling
from the same IP address).

This major increase in protection and privacy of SIP and WebRTC signaling,
combined with up to 20,000 media sessions or 10,000 WebRTC – SIP transcoding
media sessions (as well as a built-in SIP registrar for hundreds of thousands
of users), makes the SIParator ideal for the largest cloud services.

The SIParator GUI Help texts may reveal further details.

* General **************************************************************

*** Licenses can be applied without rebooting the unit.
    [Tracking ID: 5422]

*** System-wide support for IPv6.

*** Switch to 64-bit architecture for all supported hardware
    Users running a Software SIParator/Firewall must make sure their
    hypervisors are set to support 64-bit Linux before upgrade.

* SIP Networking Enhancements ******************************************

*** Support IPv6->IPv4 and vice versa for signaling and UDP media (using
    SIParator mode).

* SIP & WebRTC related functional enhancements *************************    

*** Support for the WebSocket protocol (WS/WSS) (RFC 7118).

*** Support for DTLS-SRTP transcoding.

*** Support ICE termination.

*** Support RTCP-MUX termination.

*** Support for more than 100 SIP Trunk Groups (up to 2000 if sufficient
    resources are available) 

*** General DoS/DDoS protection for WSS/WS/TLS/TCP/UDP connections by
    monitoring CPU load.

*** Multiple CPU core SSL initialization offload, further enhancing resilience
    against DoS/DDoS attacks.

* SIP Security, Protection and Privacy related enhancements ************    

*** Support for writing custom IDS/IPS packet filter rules.
    [Tracking ID: 4953] 

*** Enhanced SIP IDS/IPS protection by SIP signaling rate limiting at two
    levels (IP address and regular expression match, which accommodates
    enterprises with many users signaling from the same IP address).

*** Support for Brute Force Protection for proxied SIP authentication attempts
    through SIParator/Firewall (and not only for authentication attempts by
    the SIParator/Firewall).

*** Setting for Brute Force Authentication Protection to stop responding after
    some seconds. 
    "SIP Traffic" > "Authentication and Accounting"

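As an added illustration of the two-level signaling rate limiting and the brute-force silence timer described in the items above, the following Python model (written for this notice; it is not Ingate's code, and the limits, windows, regex and sample addresses are assumptions chosen for the demonstration) counts requests per source IP and, separately, per regular-expression match on the message, and stops answering a source for a silence period once its failed authentication attempts exceed a limit:

```python
import re
from collections import defaultdict, deque


class SlidingWindowCounter:
    """Counts events per key inside a sliding window of `window` seconds."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self.events = defaultdict(deque)

    def hit(self, key, now):
        """Record one event; return True while the key is within its limit."""
        q = self.events[key]
        while q and now - q[0] > self.window:
            q.popleft()
        q.append(now)
        return len(q) <= self.limit


class SipSignalingGuard:
    """Hypothetical model of two-level rate limiting plus brute-force silence."""

    def __init__(self, ip_limit, ip_window, rules,
                 max_auth_failures, auth_window, silence_seconds):
        # Level 1: requests per source IP address.
        self.ip_counter = SlidingWindowCounter(ip_limit, ip_window)
        # Level 2: each rule is (regex, limit, window); the counter key is the
        # regex's capture group, so one noisy user behind a shared enterprise
        # IP is limited on its own without throttling the whole address.
        self.rules = [(re.compile(p), SlidingWindowCounter(lim, win))
                      for p, lim, win in rules]
        self.auth_failures = SlidingWindowCounter(max_auth_failures, auth_window)
        self.silence_seconds = silence_seconds
        self.silenced_until = {}

    def check(self, ip, message, now):
        """Return 'silence', 'drop' or 'accept' for one SIP request."""
        if self.silenced_until.get(ip, 0) > now:
            return "silence"        # silence timer running: send no response at all
        if not self.ip_counter.hit(ip, now):
            return "drop"           # level 1: too many requests from this IP
        for pattern, counter in self.rules:
            m = pattern.search(message)
            key = (pattern.pattern, m.group(m.lastindex or 0)) if m else None
            if m and not counter.hit(key, now):
                return "drop"       # level 2: too many requests for this match
        return "accept"

    def auth_failed(self, ip, now):
        """Record a failed authentication; start the silence timer on excess."""
        if not self.auth_failures.hit(ip, now):
            self.silenced_until[ip] = now + self.silence_seconds
            return True
        return False


def run_demo():
    """Drive the guard with constructed traffic; returns the list of decisions."""
    guard = SipSignalingGuard(
        ip_limit=10, ip_window=10,
        rules=[(r"^From:\s*<sip:([^@>]+)@", 3, 10)],   # per SIP user in From
        max_auth_failures=2, auth_window=60, silence_seconds=30,
    )
    shared_ip = "203.0.113.5"     # constructed: an enterprise NAT address
    attacker = "198.51.100.7"     # constructed: a host guessing passwords
    decisions = []
    # Constructed From headers stand in for the matched part of each request.
    for t, user in [(0, "alice"), (1, "alice"), (2, "alice"),
                    (3, "bob"), (4, "alice"), (5, "bob")]:
        decisions.append(guard.check(shared_ip, f"From: <sip:{user}@example.com>", t))
    for t in (10, 11, 12):        # three failed authentications in a minute
        guard.auth_failed(attacker, t)
    decisions.append(guard.check(attacker, "From: <sip:1001@example.com>", 20))
    decisions.append(guard.check(attacker, "From: <sip:1001@example.com>", 50))
    return decisions


if __name__ == "__main__":
    print(run_demo())
```

In the demo, alice's fourth request within ten seconds is dropped by the regex level while bob, behind the same address, is still accepted; the password-guessing host gets no answer at all during the silence period and is served again once it expires. A real deployment would tune the limits per traffic profile and log each decision for the SOC.
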
*** Setting to hide sensitive SIP info in the log.
    "SIP Services" > "Basic" > "SIP Logging": "Hide sensitive data".
    [Tracking ID: 2222]
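
The following Python function, added here as an illustration and not part of the product, shows the kind of masking a "hide sensitive data" log setting implies: it blanks the Digest `response` value in Authorization/Proxy-Authorization headers and any password in a SIP URI userinfo before a message is written to a log, leaving usernames, nonces and routing intact so the log stays useful for troubleshooting. Which fields the SIParator actually hides is not stated on this page; the chosen fields, the patterns and the sample REGISTER are assumptions.

```python
import re

# Header names whose Digest parameters carry credential-derived data.
# Patterns are constructed for this example, not taken from the product.
_AUTH_HEADER_RE = re.compile(r"^(Authorization|Proxy-Authorization)\s*:", re.I)
# The Digest "response" is derived from the user's password; a leaked log that
# holds nonce, uri and response allows offline password guessing, so mask it.
_RESPONSE_RE = re.compile(r'\b(response)\s*=\s*"[^"]*"', re.I)
# Password inside a SIP URI userinfo: sip:user:password@host
_URI_PASSWORD_RE = re.compile(r"(sips?:[^:@\s>]+):[^@\s>]*@")

HIDDEN = "[hidden]"


def hide_sensitive(message):
    """Return a copy of a SIP message with credential material masked for logging."""
    out = []
    for line in message.split("\r\n"):
        if _AUTH_HEADER_RE.match(line):
            line = _RESPONSE_RE.sub(lambda m: f'{m.group(1)}="{HIDDEN}"', line)
        line = _URI_PASSWORD_RE.sub(rf"\1:{HIDDEN}@", line)
        out.append(line)
    return "\r\n".join(out)


# Constructed sample REGISTER (not a real capture); all values are placeholders.
SAMPLE_REGISTER = "\r\n".join([
    "REGISTER sip:example.com SIP/2.0",
    "Via: SIP/2.0/UDP 203.0.113.9:5060;branch=z9hG4bK776asdhds",
    "From: <sip:bob:s3cret@example.com>;tag=1928301774",
    "To: <sip:bob@example.com>",
    'Authorization: Digest username="bob", realm="example.com",'
    ' nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="sip:example.com",'
    ' response="6629fae49393a05397450978507c4ef1"',
    "Content-Length: 0",
    "",
])


def demo():
    """Mask the constructed REGISTER and return the loggable text."""
    return hide_sensitive(SAMPLE_REGISTER)


if __name__ == "__main__":
    print(demo())
```

Masking is applied before the line reaches the log store, so a later export of the log database or a packet-capture download cannot be mined for credentials; the same idea applies to any debug output that echoes SIP headers.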

*** Support for AES-256 cryptos and their transcoding (RFC 6188).
    AES_256_CM_HMAC_SHA1_80
    AES_256_CM_HMAC_SHA1_32

*** Media Encryption uses a Network instead of an Interface.
    Allows for more fine-grained policies. 
    Interfaces can be defined in Networks and Computers by only
    specifying an Interface/VLAN and leaving the Lower/Upper Limit fields
    empty.
    [Tracking ID: 3900]

*** Interop setting to Prefer RTP/AVP (together with sdescriptions).
    "SIP Services" > "Media Encryption" > "RTP Profile"
    (allows negotiation of encrypted media if supported). [Tracking ID: 4997]

*** Interop setting for AVP/SAVP multi profile support (several m-lines).
    A non-standard RTP profile negotiation method.   
    "SIP Services" > "Media Encryption" > "Multi Profile".
    [Tracking ID: 5235]

*** Interop setting to Keep established crypto within a dialog.
    "SIP Services" > "Media Encryption" > "Keep established crypto within a
    dialog".
    [Tracking ID: 5051]

*** Interop setting for whether or not to exclude cryptos from the B2BUA.
    "SIP Services" > "Media Encryption" > "Add Cryptos in the B2BUA".
    [Tracking ID: 5411]

* Further SIP Interoperability enhancements ****************************    

*** Setting to always relay SIP media.  
    "SIP Services" > "Sessions and Media" > "Always Relay Media"

*** Support non-SDP content-types in the B2BUA, also in a multi-part fashion.
    See "SIP Traffic" > "Filtering" > "Content Type Filter Rules"
    [Tracking ID: 2865]

*** Setting to allow REFER through the SIP Trunk.
    "SIP Trunks" > "Forward outgoing REFER" / "Forward incoming REFER". 
    (Otherwise REFERs are changed to RE-INVITE.)
    [Tracking ID: 4566]

*** Interop setting to disable translation of the Refer-To header in SIP REFER.
    "SIP Services" > "Interoperability" > "Translate Refer-To".
    [Tracking ID: 5433]

*** Interop setting for whether or not to update username mapping on Refer-To.
    "SIP Services" > "Interoperability" > "Update Username Mapping on Refer-To".
    [Tracking ID: 5255]

*** Interop setting to only inhibit hold for clients behind remote NAT
    "SIP Services" > "Interoperability" >
      "Only inhibit hold for clients behind remote NAT"

*** Settings to allow Preloaded routes. 
    "SIP Traffic" > "Filtering" > "Preloaded Route Rules".
    [Tracking ID: 3922]

*** Setting to limit Max-Forwards.
    "SIP Services" > "Sessions and Media" > "Limit Max-Forwards".
    [Tracking ID: 5259]

*** Added a table to Strip SDP lines using Reg Expr.
    "SIP Services" > "Sessions and Media" > "Strip SDP Lines".
    [Tracking ID: 5221]

*** Reuse port numbers even when IP has changed.
    Interoperability setting that only works together with the B2BUA.
    [Tracking ID: 5273]

*** Setting for alias IP in the "Forward To" table in the Dial Plan.
    This column replaces the ;ixnc= parameter.
    ;ixnc= must use an IP address (e.g. ;ixnc=10.20.30.40).
    [Tracking ID: 5087] 

*** Support Forward To Trunk together with Reg Expr in the Dial Plan.
    [Tracking ID: 5168]

*** Setting added for modification of the Request-URI in DNS Override.
    "SIP Traffic" > "Routing" > "DNS Override For SIP Requests" > "Modify RURI".
    [Tracking ID: 4701]

*** New GHM variable "cport".
    Same as port but prepended with colon ':'.
    Useful when one wants to use optional variables.
    E.g. ?foo=example.com$([from.cport])
    will only expand to ":port" if the From header contains a port.
    [Tracking ID: 5362]

*** New GHM (Generic Header Manipulation) variable "cpassword".
    Same as password but prepended with colon ':'.
    Useful when one wants to use optional variables.
    E.g. ?foo=bar$([from.userinfo.cpassword])@example.com 
    will only expand to ":password" if the From header's
    userinfo contains a password.
    [Tracking ID: 5363]

*** New GHM (Generic Header Manipulation) variable "userinfoat".
    Same as userinfo but appends '@'.
    Useful when one wants to use optional variables.
    E.g. ?foo=$([from.userinfoat])example.com
    will only expand to "userinfo@" if the From header contains userinfo.
    [Tracking ID: 5364]
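
To make the behaviour of the three optional GHM variables above concrete, here is an added Python expander (not Ingate's implementation; the URI parser, the `$([from.<name>])` resolution and the treatment of a dotted path such as `from.userinfo.cpassword` as its last component are assumptions) that resolves `cport`, `cpassword` and `userinfoat` against a From header and yields the empty string when the port, password or userinfo is absent, so the surrounding literal text in the template stays well-formed:

```python
import re

# SIP URI parser for the parts the From-header variables need. The regex is
# constructed for this example and is not the product's parser.
_URI_RE = re.compile(
    r"sips?:"
    r"(?:(?P<user>[^:@>;\s]+)(?::(?P<password>[^@>;\s]*))?@)?"
    r"(?P<host>[^:;>\s]+)"
    r"(?::(?P<port>\d+))?"
)

# Template syntax $([from.<name>]) as shown in the release notice; a dotted
# path such as from.userinfo.cpassword resolves on its last component.
_VAR_RE = re.compile(r"\$\(\[from\.([A-Za-z.]+)\]\)")


def parse_from(header_value):
    """Extract user, password, host and port plus the optional-variable forms."""
    m = _URI_RE.search(header_value)
    if not m:
        raise ValueError("no SIP URI in From header")
    user, password, host, port = m.group("user", "password", "host", "port")
    # RFC 3261 userinfo is user[:password]; keep that shape for userinfo/userinfoat.
    userinfo = user or ""
    if password is not None:
        userinfo = f"{user}:{password}"
    return {
        "user": user or "",
        "password": password or "",
        "userinfo": userinfo,
        "host": host,
        "port": port or "",
        # Optional forms: empty when the underlying part is absent.
        "cport": f":{port}" if port else "",
        "cpassword": f":{password}" if password else "",
        "userinfoat": f"{userinfo}@" if userinfo else "",
    }


def expand(template, from_header):
    """Replace every $([from.<path>]) in template with its value from the From header."""
    fields = parse_from(from_header)

    def substitute(match):
        name = match.group(1).split(".")[-1]
        if name not in fields:
            raise KeyError(f"unknown From variable: {name}")
        return fields[name]

    return _VAR_RE.sub(substitute, template)


if __name__ == "__main__":
    # The three examples from the release notice, with and without the optional part.
    print(expand("?foo=example.com$([from.cport])", "<sip:alice@example.com:5070>"))
    print(expand("?foo=example.com$([from.cport])", "<sip:alice@example.com>"))
    print(expand("?foo=$([from.userinfoat])example.com", "<sip:example.com>"))
```

The point of the `c`-prefixed and `at`-suffixed forms is visible in the second and third calls: with plain `port` or `userinfo` the template would leave a dangling `:` or a missing `@` when the header lacks that part, whereas the optional forms collapse to nothing.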

* Further Interoperability enhancements integrating previous patches ***

*** Setting to rewrite From headers for REGISTERs through the Dial Plan.
    "SIP Traffic" > "Dial Plan" > "REGISTER in Dial Plan".
    Integrates patch: dp-rewrite-reg-from.
    [Tracking ID: 4932]

*** Interop setting to remove the SDP from 1xx responses.
    "SIP Services" > "Interoperability" > "Remove SDP from 1xx Responses".
    Integrates patch: remove-sdp-from-1xx.
    [Tracking ID: 4955]

*** Interop setting to use port also when matching Request-URI in Dial Plan.
    "SIP Services" > "Interoperability" > "Match also port in Request-URI in Dial Plan".
    Integrates patch: port-dp.
    [Tracking ID: 4923]
 
*** Interop setting to use the session ID when comparing endpoint SDPs.
    "SIP Services" > "Interoperability" > "Use session ID when comparing
    endpoint SDPs".
    Integrates patch: endpoint-session-id.
    [Tracking ID: 5109]

*** Interop setting to accept late media source change for RSC (Remote SIP
    Connectivity/Client).
    "SIP Services" > "Interoperability" > "Accept Late Media Source Change for RSC".
    Integrates patch: reset-rsc-friend.
    [Tracking ID: 5233]
 
*** Interop setting to allow RTP before answer SDP.
    "SIP Services" > "Interoperability" > "Allow RTP before answer SDP".
    Integrates patch: rtp-before-sdp.

*** Interop setting to convert all 5xx class SIP responses to 503.
    "SIP Services" > "Interoperability" > "Convert 5xx Responses to 503".
    Integrates patch: rsp5xxto503-3.
    [Tracking ID: 5433]
 
 
* VPN enhancement ******************************************************

*** Added support for newer/stronger DH-groups and authentication hashes.
    IPsec Peers and IPsec Tunnels can now be configured with stronger
    Diffie-Hellman Groups and authentication hashes.

    The following Diffie-Hellman Groups are added:
    - modp2048 -- Group 14.
    - modp3072 -- Group 15.
    - modp4096 -- Group 16.
    - modp6144 -- Group 17.
    - modp8192 -- Group 18.
    - dh23     -- Group 23.
    - dh24     -- Group 24.

    The following authentication hashes are added:
    - SHA2-256
    - SHA2-512
    [Tracking ID: 4934]

*** Added the AES192 crypto to IPsec.
    [Tracking ID: 5394]

*** Remove support for IPsec ESP NULL encryption.
    On upgrade, the NULL encryption will be substituted with 3DES.

*** Added IPsec Advanced settings.
    For a given IPsec Peer the following can be set:
    - Force NAT Traversal (ESP encapsulated in UDP).
    - Enable/Disable Dead Peer Detection.

*** Allow adding multiple VPN authentication servers.

* Failover improvements ************************************************

*** Failover does not function if unit types differ.
    An identifier on the failover tab helps the user determine whether a
    failover team can successfully be created. To ensure that the two units
    will operate as a failover team, both units must match on this identifier.
    [Tracking ID: 5339]

*** Failover: type disparity through "change operational mode".
    Deny changing operational mode when in a failover team.
    [Tracking ID: 5408]

* Other enhancements and improvements **********************************

*** Centralized TLS settings.
    Allows specifying custom TLS settings that can be referenced from other pages.
    "Basic Configuration" > TLS.
    [Tracking ID: 5149]

*** Support of load balanced TLS relays.
    [Tracking ID: 5420]

*** Support the import of CA files with multiple certificates.

*** Certificates page outputs all certificates key identifiers.
    [Tracking ID: 4357]

*** Added support for displaying SHA1 certificate fingerprint in 'shortinfo'.

*** Support specifying signature algorithm and key length.
    Allows selecting the signature algorithm and key length when creating a
    certificate or certificate request.
    [Tracking ID: 5211]

*** Allow for multiple Access Control Configuration Transports.
    All protocols are configured in the same table.
    [Tracking ID: 4948]

*** Added support for DHCP data types and options in DHCP server.

*** Support re-sending of failed SNMP traps.

*** Added support for sending SNMP trap when failover has occurred.

*** Added GUI option to change the log-in expiry.
    "Basic Config" > "Access Control" > "Web Interface Access Settings".
    This setting specifies how long (in seconds) a logged-in web GUI user
    has before needing to re-authenticate. The range is 300-28800 seconds.
    [Tracking ID: 5179]

*** Services table should use session management for UDP.
    The UDP service is now of filter type 'Dynamic session management'.
    [Tracking ID: 892]

*** Support IPv6->IPv4 and vice versa in Relays.
    [Tracking ID: 4882, 5369]

*** netlog check (nlck) slow on a full 427 log partition.
    The log database check is no longer run if the unit was cleanly shut
    down/rebooted. Use the setting 'Force Checking Log Database on Reboot'
    (in the Restart tab) to force a log database check on reboot.
    [Tracking ID: 5088]

*** Have PCAP packet capture facility support gzip.
    Downloaded packet captures are now transparently gzipped.
    [Tracking ID: 5096]

*** Added a log-cleanse-only option in the admin menu.
    The new option 'Clear the log database' in the admin shell can be used to
    clear the log database.
    [Tracking ID: 5176]

*** Set default broadcast traffic logging to nothing (-).
    Network broadcast traffic will not be logged by default.
    [Tracking ID: 5413]
