Embedded NGX 7.0 Release Notes General Availability Version Contents

Embedded NGX 7.0 Release Notes General Availability Version

December 2007 – Document Revision 10

Contents

INTRODUCTION...... 3

Highlights of This Version...... 3

Supported Platforms...... 3

Availability...... 3

CHANGES FROM 7.0 TO 7.0.52...... 5

7.0.52...... 5

7.0.48...... 5

7.0.45...... 6

7.0.41...... 6

7.0.39...... 7

7.0.33...... 8

7.0.31...... 9

7.0.27...... 9

NEW FEATURES ...... 11

New Security Features ...... 11

New Wireless Features...... 18

New Networking Features ...... 19

Introduction This document contains a summary of new features in Embedded NGX 7.0 GA Version and describes the differences between Embedded NGX 7.0 GA and previous versions.

Highlights of This Version

Embedded NGX 7.0 incorporates a host of new and improved features, including:

• Bridge Mode • WDS (Wireless Distribution System) & Wireless Roaming • Remote Desktop • USB Dialup & Cellular Modem Support

Supported Platforms

Embedded NGX 7.0 GA supports the following hardware platforms: • Check Point Safe@Office 100B series • Check Point Safe@Office 200 series • Check Point Safe@Office 400W series • Check Point Safe@Office 500 series • Check Point VPN-1 Edge X series • Check Point VPN-1 Edge W series • Check Point ZoneAlarm Z100G • NEC SecureBlade 300

Availability • Embedded NGX 7.0 GA is available to existing Embedded NGX customers with a valid software subscription contract. For additional information and documentation, click here .

Changes from 7.0 to 7.0.52

7.0.52

New Features • USB Modems : Sierra Wireless Aircard 595U USB modem is now supported.

Issues resolved

Firewall and SmartDefense • Resolved issue : In some cases, SmartDefense falsely rejected long CIFS sessions.

802.1x authentication • Resolved issue : When using WPA-Enterprise, the "master-key-update-interval" parameter determines the 802.1X rekeying period. The value of this parameter was ignored, and the default of 802.1X negotiation every 1 hour was used. The parameter is now handled correctly. • Resolved issue : When using 802.1x, "set port lan1 security eap-reauth-period none" resulted in reauthentication after one hour, rather than never requiring reauthentication. The parameter is now handled correctly.

7.0.48

New Features New SmartDefense Protection: Checksum Verification When this protection is enabled, SmartDefense will identify and drop IP, TCP, or UDP packets with incorrect checksums.

New SmartDefense Protection: Urgent Flag Clearing The URG flag is used to indicate that urgent data exists in a TCP stream, and that the data should be delivered with high priority. Since handling of the URG flag is inconsistent between different operating systems, allowing the URG flag may enable an attacker to conceal certain attacks.

By default, SmartDefense automatically clears the URG flag to ensure security. To allow the URG flag, in the SmartDefense tree's TCP > Flags node, set the URG Flag field to Allow. To prevent the URG flag from being used, set the URG Flag field to Clear.

Issues resolved ADSL • Resolved issue : In certain rare cases, ADSL appliances may reboot unexpectedly, and may revert to their backup ADSL firmware.

Wireless • Resolved issue : In certain rare cases, the wireless access point may cease to respond following a wireless configuration change or an appliance reboot.

Firewall and SmartDefense • Resolved issue : Hotspot authentication does not function as expected for networks with Hide-NAT disabled. • Resolved issue: OfficeMode VPN clients may be unreachable from certain networks unless the client initiate traffic towards this network.

7.0.45

Issues resolved Firewall and SmartDefense • Resolved issue : A compatibility issue between ZoneAlarm Security Suite 3rd party cookie protection and Embedded NGX diagnostics tools. • Resolved issue : Remote desktop feature does not work when the appliance is behind a NAT device. • Resolved Issue: Appliance may fail to respond after installing certain X.509 security certificates. • Resolved issue: Cross site request forgery may be possible when browsing https://my.firewall and a malicious site simultaneously within a single browser.

7.0.41

New Features • Support Added for EAP-FAST user authentication over RADIUS • Support Added for disabling the WAN hide NAT when using the ADSL port as the WAN connection. • A new CLI command was added in order to configure a delay from the moment the primary Internet connection disconnects until the secondary dial-up connection attempts to connect. The command syntax is: “set net wan demand- connect delay ”

Issues resolved VPN • Resolved issue : SecuRemote / SecureClient connecting to the appliance VPN server fails to connect if the site name in the client side includes a space character. • Resolved issue : Tunnel test packets are sent from the appliance LAN IP address, even if this address is not included in the encryption domain of the appliance.

GUI

• Resolved issue : "Unknown Sites" checkbox in the URL filtering categories page is not changeable using the GUI.

7.0.39

New Features • Bridge Mode Supported in Z100G and Safe@Office: Bridge mode is now supported in additional Embedded NGX appliance models, as shown in the following table.

Concurrent WAN Port can be Bridges used in bridge? ZoneAlarm Z100G 1 No Safe@Office 500 Series 1 Yes Safe@Office 500 (With Power Multiple Yes Pack) VPN-1 Edge X / W Series Multiple Yes

• Bridge Mode in Wireless Wizard: The wireless setup wizard now allows an easy way to configure the wireless LAN in bridge mode. • DHCP Server : An additional DHCP option was added for Thomson VoIP devices. • Secure HotSpot : When using Secure HotSpot with RADIUS authentication, the RADIUS server can now return a session timeout value for each user. • High Availability : When using WAN connection High Availability, A virtual MAC Address is now applied to the WAN ports. • USB Modems : The following additional modems are now supported: Huawei E220, Novatel Wireless Ovation U720 3G. • USB Modem Test A test button was added to the USB modem configuration page.

Issues resolved Firewall and SmartDefense • Resolved issue : In certain cases, IPSEC and L2TP connections cannot pass through the firewall to an internal server (libsw). • Resolved Issue: In certain cases, NBT Domain login does not succeed over VPN. • Resolved Issue: When using HTTPS to login to the appliance with a RADIUS user, the RADIUS authentication occurs every 60 seconds. • Resolved Issue: In certain cases, L2TP VPN connection to a bridged WAN interface may fail. • Resolved Issue: In certain cases, SmartDefense Worm Catcher does not work when managed from SmartCenter.

VPN • Resolved Issue: When downloading a Manual Encryption Domain from SmartCenter, the appliance does not accept the new setting.

Wireless

• Resolved Issue: Super-G 108Mbps connections are incorrectly shown in the UI as 54Mbps.

Networking and High Availability • Resolved Issue: Under some conditions, High Availability (HA) may not operate as expected when used in conjunction with port based VLANs. • Resolved Issue : In some cases, High Availability (HA) may not operate as expected when used over the WAN2 port. • Resolved Issue: Dead Connection Detection (DCD) does not work as expected with high availability (HA). • Resolved Issue: After reboot, Ethernet port link configuration may reset to the default values.

7.0.33

New Features • ADSL : It is now possible to use PPPoA ADSL connections in router mode without NAT.

Issues resolved SmartCenter management (VPN-1 Edge Specific) • Resolved issue : When the appliance is managed from SmartCenter, in certain cases, the SmartDefense settings are not disabled in the local GUI. • Resolved issue: When the appliance is managed from SmartCenter, in certain cases, HTTP Worm Catcher may not operate correctly.

Firewall • Performance improved : performance improved for non TCP/UDP IP protocols when NAT is disabled.

Networking • Resolved issue: when upgrading directly from 6.0 to 7.0, an additional reboot is needed in order to connect to the Internet. • Resolved issue: Source routing may not operate correctly for some connections. • Resolved issue: “DHCP relay” may not work as expected for Internet connections in bridge mode. • Resolved issue: When defining a new directly connected network while using OSPF dynamic routing, the route is not redistributed until the appliance is restarted.

VPN • Resolved issue: When packets are simultaneously received from more than one VPN peer participating in MEP configuration, one of the VPN tunnels may be terminated.

ADSL • Resolved issue: In certain rare conditions, PPPoA ADSL connection may remain in the “Establishing Connection” state.

7.0.31

New Features • VStream Embedded Antivirus : Support added for additional ZIP compression methods. • SmartDefense : Support added for non standard HTTP request headers. • ADSL : A configuration parameter was added to the CLI to control upstream bit swap on the ADSL line (“set port adsl upbitswap”). • Dynamic Routing : Support was added for the OSPF not-so-stubby-area (NSSA). • Connectivity : Connect-on-demand is now supported in all PPP modes. • Wireless : Enhanced auto-adaptation of the signal strength and wireless transmission rate according to the RF noise levels.

Issues resolved Wireless • Resolved issue: In certain rare cases, when using WEP / WPA, wireless stations may seem connected, but unable to pass traffic. • Resolved issue: When WDS is active, and a client computer roams between access points, in some cases previously established connections may be dropped.

GUI • Resolved issue: An administrator viewing the Active Computers or ADSL statistics pages may cause the appliance to restart.

Firewall and Smart Defense • Performance improved : Significant reduction in the connection establishment latency of the web filtering service. • Performance improved : Enhanced performance when handling multicast packets. • Resolved issue: SmartCenter fails to compile security policy with the RPC service. (libsw).

7.0.27

New Features

Connectivity • VLAN tagging can now be enabled on Internet connections (Currently supported in the CLI only). • If a static route is defined to the default gateway of an Internet connection for which “Dead Connection Detection” is enabled, the metric of the static route is automatically increased (tripled) when connection is down. When the connection is up again, the metric returns to normal. • Support was added for additional 3G (third generation) cellular USB modems.

Firewall and SmartDefense • SmartDefense now offers the option to block MSN Messenger 8.0. o Optional: After upgrading from a previous version, go to the Security > SmartDefense page, click on HTTP > Header Rejection, and click “Default” to reset the HTTP header rejection patterns to their defaults. This will remove the deprecated MSN messenger patterns from the list.

• The SmartDefense FTP commands list now includes the CLNT command. • Up to 100 network objects can now be defined on the appliance, increased from 30.

Issues resolved Firewall and Smart Defense • Resolved issue: ISTBAR defense improved for compatibility with Microsoft Windows Vista. • Performance Improved: HTTP Worm catcher performance improved.

VStream Embedded Antivirus • Resolved issue: In certain cases, the traffic direction for blocked viruses was incorrectly reported to the service center.

Connectivity and management • Resolved issue: low memory warnings when connecting to my.firewall using HTTPS.

New Features New Security Features

Transparent Bridge Mode

Embedded NGX 7.0 supports operation in transparent bridge mode. A network bridge is essentially similar to a network hub: it connects multiple network segments at the data-link layer (layer 2 of the OSI model).

Bridge Mode Advantages What makes a bridge “transparent”? Since a bridge operates in layer 2, adding a bridge to an existing network does not require any changes to the network's structure. In other words, you can use a bridge to segment an existing network without reconfiguring the existing network elements.

A bridge also supports transparent roaming. In a routed network, if a host is physically moved from one network area to another, then the host must be configured with a new IP address. In a bridged network, there is no need to reconfigure the host, and work can continue with minimal interruption.

Bridge Firewalling Some scenarios may require the deployment of a firewall within an internal network. In most cases, this can be accomplished easily enough, by dividing the existing subnet into two networks. However, in some deployments, the reconfiguration necessary for the new routing scheme prohibits such a solution.

In Embedded NGX 7.0, a bridge can be configured to operate in one of two modes: “Bridge without Firewall” or “Bridge with Firewall”.

In “Bridge without Firewall ” mode, all network Bridge interfaces assigned to the bridge are directly Without Firewall connected, with no firewall filtering the traffic between them. The network interfaces effectively WLAN LAN operate as if they were connected by a hub or switch.

For example, if you assign the LAN and WLAN networks to a bridge in “Bridge without Firewall ” mode, the two networks will act as a single, Diagram 1: Bridge Without Firewall seamless network. Firewall rules will not be enforced, and traffic between the LAN and WLAN will not be inspected by the

Bridge firewall. At the same time, traffic from the With Firewall LAN and WLAN networks to other networks (for example, the Internet) will be inspected WAN LAN by the firewall, as usual.

More interesting is the “Bridge with Firewall” mode. In this mode, the gateway operates as a regular firewall, inspecting Corporate Network Top Secret Zone traffic and dropping or blocking unauthorized or unsafe traffic. "Bridge with firewall" mode

Diagram 2: Bridge With Firewall can be used to separate your network into multiple, firewall-isolated security zones, without reconfiguring your network.

Bridge Mode and VLANs Bridge mode can also be used in conjunction with virtual LAN networks (VLAN) and virtual access points (VAP) to compartmentalize an existing network into several firewall-isolated security zones, with minimal effort.

If 802.1x dynamic VLAN assignment is employed, the placement of each user in a security zone can be delegated to a centralized RADIUS server. The advantage of doing so becomes clear when you consider the following example.

In the RADIUS server, the administrator assigns the user “Fred” to the “Marketing” group. When Fred logs on to the network, the Embedded NGX appliance queries the RADIUS server, which replies with RADIUS option 81 and the value “Marketing”. This instructs the Embedded NGX appliance to assign Fred’s port to the Marketing network, Bridge With Firewall thus granting Fred access to all the VLAN1 VLAN2 VLAN3 VLAN4 resources of the Marketing team.

Later, the RADIUS server's administrator Finance CEO Office R&D Marketing moves the user “Fred” from the

Diagram 3: Bridge with four VLANs “Marketing” group to the “Finance” group. When Fred logs on again, his computer is moved to the “Finance” network automatically, and he gains access to all the resources of the Finance team, without having to change anything else in the network configuration. Even the IP address of Fred’s computer can remain unchanged.

Bridge Anti-Spoofing In some cases, you may want to limit the IP addresses on a certain bridge network segment to a specific IP address range, for security or administrative reasons. The “Bridge Anti-Spoofing” option enables you to enforce that only IP addresses in the specified “Bridge IP Address Range” can be sent from a specific bridge segment.

For example, if you configure the “Marketing” network segment with the “Bridge Anti-Spoofing” option and set the “Bridge IP Address Range” to “192.162.100.1- 192.162.100.32”, the following things will happen:

• If a host with an IP address outside of the bridge IP address range tries to connect from a port or VLAN that belongs to the “Marketing” network segment, the connection will be blocked and logged as “Spoofed IP”. • If a host with an IP address within the bridge IP address range tries to connect from a port or VLAN that belongs to a network segment other than the “Marketing” segment, the connection will be blocked and logged as “Spoofed IP”.

Notes: 1. The "Bridge IP Address Range" of network segments in the same bridge may overlap. In this case, the overlapping IP addresses can be used on either of the network interfaces. 2. The Embedded NGX DHCP server automatically takes bridge IP address ranges into account when assigning IP addresses. When assigning addresses to machines in a bridged network segment, it only allocates addresses within the specific segment's bridge IP address range.

The Spanning Tree Protocol

To complement bridge mode, Embedded NGX WAN Switch 7.0 includes support for the Spanning Tree Protocol (STP - IEEE 802.1d), which allows multiple bridges or switches to work together. With STP, a bridged network can be made self- WAN WAN configuring and fault tolerant. Bridge Bridge When STP is enabled, each bridge With STP With STP communicates with its neighboring bridges or switches to discover how they are LAN LAN interconnected. This information is then used to eliminate loops, while providing optimal routing

LAN Switch of packets. STP also uses this information to provide fault tolerance, by re-computing the Diagram 4: Dual Redundant Bridges with STP topology in the event that a bridge (Diagram 4) or a network link (Diagram 5) fails.

To enable optimal routing of WAN packets, Embedded NGX 7.0 allows you to assign each port Bridge a "port cost" value. STP With STP chooses the available port with the lowest cost to forward LAN DMZ frames. Faster links should be assigned a lower cost.

LAN Switch with STP

Diagram 5: Link Redundancy with STP

How Bridging Works

Each bridge maintains a forwarding table, which consists of associations. When a packet is received on one of the bridge ports, the forwarding table is automatically updated to map the source MAC address to the network port from which the packet originated.

When a bridge receives an IP packet , the packet is processed by the gateway as follows:

1. The destination MAC address is looked up in the bridge's forwarding table. 2. If the destination MAC address is found in the forwarding table, the packet is forwarded to the corresponding port. 3. If the destination MAC address is not found in the forwarding table, the destination IP address is searched for in all the defined bridge IP address ranges. 4. If the destination IP address is found in the bridge IP address range of exactly one port, the IP address is transmitted to that port. 5. If the IP address is found in the bridge IP address range of more than one port, the packet is dropped. The gateway then sends an ARP query to each of the relevant ports. 6. If a host responds to the ARP request packet with an ARP reply, the forwarding table is updated with the correct association. Subsequent packets will be forwarded using the forwarding table.

If a bridge receives a non-IP packet , and the bridge is configured to forward non- IP protocol Layer-2 traffic, the packet is processed as follows:

Bridge mode is supported in the following products: Safe@Office 500 series with Power Pack, Safe@Office 225/225U, Safe@Office 425/425U, VPN-1 Edge X, and VPN-1 Edge W.

On the following appliance models, bridge mode cannot be used together with port-based VLAN: SBX166-LHGE-2 and SBX166-LHGE-3.

Remote Desktop Embedded NGX 7.0 includes an integrated client for Microsoft Terminal Services, allowing you to enjoy convenient clientless access to your Windows computers from anywhere, via the my.firewall portal. You can remotely access the desktop of each of your computers, and even redirect your printers or ports to a remote computer, so that you can print and transfer files with ease.

Using Remote Desktop To enable remote users to connect to a computer, log on to the computer as an administrator, right-click on My Computer , select Properties , click the Remote tab, and select the Allow users to connect remotely to this computer check box.

To access the remote desktop, log on to the my.firewall portal, click Reports > Active Computers , and then click Remote Desktop next to the computer that you want to access.

Security Considerations The Remote Desktop Protocol (Microsoft RDP) uses TCP Port 3389. You do not need to create specific firewall rules to open this port on the gateway: the port is opened dynamically between the remote desktop client and the server host as needed. This means that the port is not exposed to the Internet, and you can use the remote desktop feature without compromising your security.

By default, the Microsoft RDP protocol is secured with 128-bit RC4 encryption. For the strongest possible security, it is recommended to use Remote Desktop over an IPSEC VPN connection.

To use the remote desktop feature, the client computer must have Microsoft Internet Explorer 6.0 or later installed, and a working Internet connection.

You can use the remote desktop feature to access computers running Windows Server 2003 or Microsoft Windows XP Professional, Media Center, and Tablet PC 2005 Editions. Windows XP Home Edition does not include the Remote Desktop server component.

Centralized Web Filtering Fail-Open/Fail-Closed Embedded NGX 7.0 supports configuring an “on-failure” policy for the Web Filtering service. This setting determines the gateway's behavior when centralized Web Filtering is enabled, but the Service Center is down or unreachable.

In “Fail Closed” mode, all Web surfing will be denied, to ensure that the users do not gain access to undesirable Web sites.

In “Fail Open” mode, all Web surfing will be allowed temporarily without scanning, to ensure continuous availability of the World Wide Web.

By default, Web Filtering is set to “Fail Closed” mode.

This feature is controlled by the “Bypass scanning if Service Center is unavailable” option in the my.firewall portal, and by the following CLI syntax:

set webfilter onfailure fail-open|fail-closed

Centralized Email Scanning Fail-Open/Fail-Closed Embedded NGX 7.0 supports configuring an “on-failure” policy for the centralized Email Filtering service. This setting determines the gateway's behavior when centralized Email Filtering is enabled, but the Service Center is down or unreachable.

In “Fail Closed” mode, email traffic will be denied, to ensure that no messages are sent or received without being scanned.

In “Fail Open” mode, all email traffic will be temporarily allowed without scanning, to ensure constant access to email. This creates a risk of viruses being sent or received, so use this option with caution.

By default, email scanning is set to “Fail Closed” mode.

This feature is controlled by the “Bypass scanning if Service Center is unavailable” option in the my.firewall portal, and by the following CLI syntax:

set antivirus onfailure fail-open|fail-closed

VStream Antivirus Safe and Unsafe Files Display Embedded NGX 7.0 allows the administrator to view the list of unsafe file types for the VStream Antivirus option “Block potentially unsafe file types in email messages”, as well as the list of safe file types for the option “Pass safe file types without scanning”.

Manual Definition of the VPN Internal Encryption Domain The “internal encryption domain” is a list of internal IP addresses on the gateway that are permitted to access Site-to-Site virtual private networks (VPNs).

By default, the VPN internal encryption domain is set to “Automatic”, meaning that all the hosts on the internal networks will be permitted to access the Site-to- Site VPN. Embedded NGX 7.0 also allows the administrator to manually set the VPN internal encryption domain to a specific list of IP address ranges.

If a host outside of the VPN internal encryption domain attempts to access the VPN, the connection will pass unencrypted (if such connections are allowed by the security policy), and it will not go through VPN processing. Likewise, encrypted connections from a Site-to-Site VPN to hosts that are not in the internal VPN encryption domain will be denied.

Example: To restrict the VPN internal encryption domain to the range “1.2.3.4-1.2.3.255”, use the following CLI commands:

set vpn internal-encryption-domain manual clear vpn internal-encryption-domain ranges add vpn internal-encryption-domain ranges iprange 1.2.3.4-1.2.3.255

Protocol Numbers in User-Defined Rules Embedded NGX 7.0 allows the use of specific IP protocol numbers in user- defined firewall rules, in addition to the list of predefined protocols available in the Firewall Rules Wizard .

New Wireless Features

Wireless Distribution System

Embedded NGX 7.0 includes support for the Wireless Distribution System (WDS) protocol. WDS allows wireless interconnection of access points, and it can be used in combination with bridge mode to extend the range of a wireless network, without any need for a wired backbone to link the access WDS points.

WDS WDS WDS links can be used to create loop- WDS free topologies, such as a star or tree of access points. In addition, WDS links can be used together with bridge mode and Spanning Tree Protocol (STP) to create redundant topologies, such as a loop or mesh of linked access points. WDS Star of Wireless Access Points All base stations in a WDS system must be configured to use the same radio channel for the WDS link. In addition, the base stations can act as wireless access points operating on the same radio channel as the WDS link.

Since the same channel is used for the WDS WDS link and for communicating with STP wireless stations, using WDS may have a WDS negative impact on wireless throughput. WDS STP To achieve the best possible throughput, a STP traditional wired backbone can be used to interconnect the access points, instead of WDS WDS links. STP

Security Considerations Dynamic key exchange security protocols such as WPA/WPA2 cannot be used over WDS links; only WEP encryption can be Redundant Loop of Access Points Linked by WDS and STP used. However, WDS-linked access points can use any supported security protocol to communicate with wireless stations, including the WPA/WPA2 protocols.

WDS is supported in the following products: Safe@Office 500W with Power Pack, Safe@Office 425W, and VPN-1 Edge W.

New Networking Features

USB Dialup & 3G Cellular Modem Support

Embedded NGX 7.0 allows attaching a wide variety of USB-based dialup (PSTN/ISDN) and cellular (GPRS/EVDO) modems to the appliance's USB 2.0 ports. Up to two USB modems can be connected at the same time.

The USB modem can serve as a backup Internet connection. Alternatively, in locations where broadband Internet access is not widely available, in POS (Point of Sale) applications, and in mobile applications, the USB modem can serve as the primary Internet connection.

The modem can be permanently connected (always on), or it can be automatically dialed when needed and disconnected when not in use (dial on demand). Warning: Before attaching a USB modem, ensure that it does not draw As in previous versions, it is also more than 2.5W of power (0.5A at possible to connect an RS232 modem 5V). USB devices that use a higher to your Embedded NGX appliance's current may damage the gateway and serial port, so as to use the RS232 must be connected through a powered modem as a backup Internet USB hub. connection method.

USB Dialup is supported in the following appliance models: Safe@Office 500W, Safe@Office 500W ADSL, Safe@Office 425W/425WU, VPN-1 Edge X ADSL, VPN-1 Edge W, and VPN-1 Edge W ADSL. A supported external modem with a USB interface is required.

Compatible dialup and cellular USB modems can be ordered from Check Point. For more information on pricing and availability, please contact your Check Point representative.

Flexible WAN Ports In Embedded NGX 7.0, it is now also possible to configure an Internet connection to use one of the four LAN ports, instead of one of the WAN ports.

This is useful in certain scenarios. For example: • It is now possible to configure two Ethernet-based Internet connections while the DMZ/WAN2 port is assigned to act as a VLAN trunk. • On Embedded NGX ADSL appliances, it is now possible to disable the ADSL interface, and configure two Ethernet-based Internet connections.

Notes: 1. On the following appliance models the feature is not supported: SBX166- LHGE-2, SBX166-LHGE-3 2. In Safe@Office family appliances, flexible WAN ports require the Power Pack license.