Patch-ID# 105574-01
Keywords: Upgrade, jumbo, patch, 3.0b
Synopsis: Solstice FireWall-1 3.0b: Windows GUI: Upgrade/Jumbo (Non-VPN)
Date: Nov/04/97

Solaris Release:
SunOS Release:
Unbundled Product: Solstice Firewall-1
Unbundled Release: 3.0
Relevant Architectures: i386
NOTE: intel
BugId's fixed with this patch:
Changes incorporated in this version:
Patches accumulated and obsoleted by this patch:
Patches which conflict with this patch:
Patches required with this patch:
Obsoleted by:

Files included with this patch:
./Notes.htm
./Notes.ps
./Notes.txt
./README
./gui/disk1.zip
./gui/disk2.zip

Problem Description:

------------------------------------------------------------------------
New Features

FireWall-1 Version 3.0 includes the following new features:

1. FireWall-1 support for Solaris 2.6
2. SecuRemote Version 3.0 including:
   o Client Encapsulation
   o Support for all FireWall-1 authentication schemes
   o Support for Windows 95B
   o Support for Windows 95 Power Management suspend/hibernation
3. Support for Cisco 11.2 routers management
4. New Services Support: Connected OnLine Backup, AOL, OnTime
5. Session Authentication Agent for Windows 3.11

------------------------------------------------------------------------
Bugs Fixed in this Version

Version 3.0b fixes bugs that were found in version 3.0a.
Bugs fixed in this release include but are not limited to the following:

1261680 firewall-1 doesn't always handle ftp PASV correctly: data channel is blocked
1263275 firewall-1 ver2.0b doesn't work with license
1264199 can't load rules, core dump
1264798 Firewall-1 doesn't have an rexec class
1264816 changing Text.MaxDocumentSize to add comments under firewall GUI doesn't work
1267277 FW-1 firewall 2.0e rejects packets at random
4006688 FireWall-1 fails to generate encryption filter if patch 103337-05 is installed
4013122 Firewall-1 drops fragmented udp packets which do not come in correct sequence
4028259 2.1 GUI appears to lose connection w/ inspection module but fwd keeps filtering
4040195 fwui's System View reports Help icon
4044273 Firewall-1 NT error message FW1:Fwreceive:lookaheadbuffer 2806>max buffer size 1
4052718 3.0 fwinfo calls gunzip which is not included in FW or Solaris distribution
4055124 In user authentication you have only one minute for typing in password
4060955 Customers using NT can't license 3.0
4061216 'Suspend' feature of win95/pc does not work when SecuRemote is installed
4061293 WinGUI cannot print large rulebase - shoves all rules onto one page
4068918 Log viewer reports 'too many logs, lost some' msg after upgrade from 2.1 to 3.0
4073833 firewall-1 3.0a loses license in kernel module after reboot
4076069 snmp_trap: can't create variable
4077906 firewall 3.1/NAT selection for network objects just displays background color

------------------------------------------------------------------------
Platform Specific Problems

Windows NT: Logging stopped after a while
  On Windows NT, logging stopped after a while, so no log records were
  written to the log file any longer. When this happened, trying to stop
  the FireWall-1 Service crashed the system (Blue Screen Of Death).

HP-UX: SYNDefender
  Using SYNDefender could crash the FireWall machine.

HP-UX: BTLAN Support
  BTLAN Network Interface Cards are now supported.
HP-UX: On some 10.20 machines FireWall-1 failed to attach
  When installing on some 10.20 platforms, the FireWall driver failed to
  operate.

Services Support

SQL*Net v2
  Allowing SQL*Net version 2 through Windows NT could crash the machine. It
  also did not work properly on Solaris2 for x86.

StreamWorks
  Address Translation was not supported.

UDP
  General support for UDP address translation.

User Interface

X/Motif GUI

X/Motif Memory Usage
  When using the X/Motif Log Viewer and/or System Status, the X Server
  process allocated more and more memory until the X system hung.

Motif GUI crashes when changing resources.

Motif GUI crashes on RADIUS Server dialog box.
  Defining a RADIUS Server caused the X/Motif GUI to crash.

Windows and X/Motif GUI

Refresh button did not work.

Deleting an object from a group did not have the expected effect.
  Deleting an object from a group through the GUI did not remove it from
  the FireWall tables.

Rule Base printing
  The rule base was printed on one page only, which was unreadable when the
  rule base included many rules.

Monitor-Only User was allowed to purge Log Files.

Security Servers

General:
  "Not in" on sources and destinations was not checked correctly by the
  security servers.

OPSEC CVP+UFP Problems:
  HTTP+FTP did not work properly with Symantec Anti-Virus.
  HTTP logged the wrong action for a virus detection (showed accept).
  FTP did not work with CVP in PASV mode.

HTTP:
  The HTTP Security Server failed for www.on.com and others.
  HTTP translated '//' to '/', resulting in broken GIF files.

FTP:
  An FTP time-out caused the connection to be closed on large files.
  The FTP Security Server hung under heavy load.
  The FTP Welcome message did not work.

SMTP:
  The mail dequeuer got stuck after 25 failures.
  The Security Server removed the <> around a mail path.
  When an error server was set, error messages were sent to postmaster
  instead of the sender.
  On Windows NT, files were not removed from the spool directory in some
  cases.
  On error messages, the From address was not compliant with RFC 821.
  Improved parsing is used for rewriting header fields. Bugs fixed.
  No matching by header was done in case of REJECT or DROP.
  Strip MIME did not process lists (e.g. {image, application}) correctly.

Authentication Methods

SecurID
  New PIN mode behavior changed. You must now complete the New PIN mode
  session before you can log in.

S/Key
  S/Key File printing (Motif + Windows): when printing an S/Key file, only
  some of the lines were printed properly.

AXENT
  Add backup AXENT Server: you can now specify a secondary AXENT server to
  be contacted when the primary server goes down.

RADIUS
  Support for dbimport/dbexport.
  RADIUS Authentication stopped after 256 connections.

Client Authentication
  Client Authentication with Logical Servers integration: the user can now
  specify a Logical Server name when prompted for a destination.
  Client Authentication with resources is now allowed.
  Client authentication upon session authentication: when using client
  authentication upon session authentication, the time-out was set to 60
  seconds instead of the value defined in the Client Authentication
  properties.

Encryption

VPN General:
  NFS did not work with encryption.

FWZ
  fwd crashed after loading policy when using FWZ: when the policy was
  reloaded while an encryption session was taking place, the fwd process
  crashed.

SKIP:
  Remote Object SKIP keys: fetching remote objects' SKIP keys modified the
  network object name and corrupted the objects.C file.
  Windows NT FireWall-1 runs out of memory: a memory leak in SKIP and Manual
  IPSec packet handling caused Windows NT to run out of memory and get stuck
  after a while.
  SPI Key Generation did not work in the Windows and Motif GUI.

SecuRemote
  SecuRemote RDP Packets: on Windows NT and Solaris2 for x86, the first
  encrypted packet in a SecuRemote session caused an infinite loop of
  messages between fwd and the kernel.

Other

Code Generation
  Number of rules limitation: the number of rules that can be used in the
  security policy was significantly increased.
Network Object with net-mask 0.0.0.0 did not work properly.
  A network object with net-mask 0.0.0.0 (which is equivalent to "Any") was
  not treated properly in some cases.

Miscellaneous

"fw fetch" exits improperly upon failure.
  When the "fw fetch" command failed due to a network time-out (i.e.,
  hostname1 was unreachable), the process exited improperly, without trying
  to fetch the Security Policy from hostname2.

Setting Name Resolving Properties
  Using the Properties/Resolving dialog box to set the order of the name
  resolution methods resulted in the wrong order when more than one option
  was used.

Routers Management

Install On "All" does not apply to routers.
  When using the "All" object in the 'Install On' column, the rule was not
  enforced on routers.

Logging And Alerting

Windows NT: Logging stops and machine crashes in fwstop
  After some time of proper operation, log records from the FireWall
  Inspection Module were no longer sent. Running fwstop at that point
  crashed the machine with a CANCEL_STATUS_ON_COMPLETED_IRP Blue Screen.

Logging Performance on Windows NT improvement
  The Windows NT logging rate was improved to handle around 1000 log
  records per second. This should eliminate the 'Log record lost(s)'
  message from the Event Log.

Mail alert default command
  The default command for Mail alerts was for Solaris2 only. It now fits
  all operating systems.

Installation

No license in the module after upgrading
  After an 'upgrade' mode installation on SunOS4 and Solaris2 systems, the
  license embedded in the FireWall-1 module was deleted, resulting in a
  'No valid FM license' error when trying to install a security policy.
  This is now fixed and the license is upgraded as well.

Windows NT: Licenses installation fails
  Installation of long licenses (i.e., with a long list of features)
  through the Windows NT FireWall-1 Configuration tool failed, while it
  succeeded through the command line 'fw putlic'.
------------------------------------------------------------------------
Known Bugs and Restrictions

Solaris 2.6

1. FireWall-1 3.0b supports Solaris 2.6. Since previous FireWall-1 versions
   cannot be installed on Solaris 2.6, you must upgrade your FireWall-1
   software to 3.0b before upgrading the Operating System to Solaris 2.6.

2. On Solaris 2.6 there is by default no dumb terminal entry in
   /usr/share/lib/terminfo/, which causes two problems:

   o During FireWall-1 installation, when selecting the Security Servers,
     the file $FWDIR/conf/fwauthd.conf is not modified (because the
     command "ex -", which is used to edit the file, does not work in the
     absence of a dumb terminal) and all services remain secured by
     default.

   o For the same reason, the /etc/rcS.d/S30rootusr.sh file (a file needed
     for boot security) is not edited and so there is no boot security:
     the machine comes up without the default filter until a Security
     Policy is installed.

   Please contact Sun to obtain a patch for this problem.

3. The X/Motif Log Viewer cannot run on Solaris 2.6. Please contact Sun to
   get a patch for this problem when it is available.

4. When setting the boot security on Solaris 2.6, the file
   /etc/rcS.d/S30rootusr.sh gets corrupted, and the system fails to reboot.
   Before installing the software, please contact Sun for a patch that
   solves this problem.

Solaris 2.x

1. When using encryption on Solaris 2.x machines, you must create
   certificate keys when defining network objects (you cannot do so during
   installation).

2. After purging the Log, the Log Viewer is not updated. The Log is
   updated, but the Log Viewer is not. To update the Log Viewer, refresh
   the window (move it or resize it, etc.).

Windows NT 4.0

FireWall-1 on Windows NT 4.0 with Service Pack 3 does not work properly
with RAS.

FireWall-1 SecuRemote

1. Initial establishment of a new SecuRemote connection may take some time.
   Therefore, your first attempt to connect to a FireWall-1 server may
   fail. Manually typing the password before establishing the connection
   should help.

2. SecuRemote does not work with static Network Address Translation.

3. SecuRemote installation fails on some portable machines.

All Platforms

1. The SMTP Security Server sends a bare LF rather than CR-LF at the end of
   each line. This causes compatibility problems with some SMTP servers.
   Please contact Sun for a patch for this problem.

2. When the SMTP Security Server drops a mail message because its length
   exceeds the maximum size defined in a resource, it does not notify the
   mail client of the reason.

3. When the SMTP Security Server drops a mail message because a resource
   does not allow 8 bit characters, it does not notify the mail client of
   the reason. Please contact Sun to obtain a patch for this problem.

4. A FireWall-1 3.0b Management Station cannot properly manage 3.0
   FireWall Modules. You need to upgrade the FireWall Modules to 3.0b as
   well.

5. Using FireWall-1 Synchronization under a heavy load may crash the
   machine under that load. Contact Sun for a patch that solves this
   problem.

------------------------------------------------------------------------
User Guide Clarifications

The following material clarifies subjects discussed in the FireWall-1 User
Guide.

Getting Started

Installing FireWall-1

Operating Systems
  In Table 3-8 on page 87, the list of Solaris versions under Operating
  Systems should read "Solaris 2.3, 2.4, 2.5 and 2.6".

Licenses
  On page 105, any references to "serial number" should read "Certificate
  Key."

Architecture and Administration

Security Servers

FTP Resources

When an FTP connection is mediated by the FireWall-1 FTP Security Server,
the user's requested FTP commands and file names are matched against the
FTP Resource defined in the relevant rule. The FTP Security Server is
invoked when a rule specifies an FTP Resource in the Service field and/or
User Authentication in the Action field.
If no FTP Resource is specified in the rule (that is, if the Security Server
is invoked because the Action is User Authentication), then an FTP Resource
allowing GET and PUT for all files is applied.

FTP Resource Matching

FTP Resource matching consists of matching methods and file names.

Methods

Table 1 lists the FTP commands that correspond to the methods specified in
the FTP Resource definition.

Table 1: FTP actions and commands

  method (defined in      applies to these
  the FTP Resource)       FTP commands        meaning
  ----------------------  ------------------  ------------------
  GET                     RETR                retrieve
                          RNFR                rename from
                          XMD5                MD5 signature
  PUT                     STOR                store
                          STOU                store unique
                          APPE                append
                          RNFR                rename from
                          RNTO                rename to
                          DELE                delete
                          MKD                 make directory
                          RMD                 remove directory

Note that RNFR is listed under both GET and PUT. The FireWall-1 FTP
Security Server passes all other FTP commands to the FTP server for
execution.

File Names

File name matching is based on concatenating the current working directory
with the file name in the command (unless the file name is already a full
path name) and comparing the result to the path specified in the FTP
Resource definition. When specifying the path name in the FTP Resource
definition, only lower case characters and the directory separator
character / can be used.

The Security Server modifies the file name in the command as follows:

  * for DOS, the drive letter and the colon (:) are stripped for relative
    paths
  * the directory separator character (/ or \) is replaced, if necessary,
    with the one appropriate to the FTP server's OS

In some cases, the Security Server is unable to resolve the file name, that
is, it is unable to determine whether the file name in the command matches
the file name in the resource.

Example - DOS

Suppose the current directory is d:\temp and the file name in the command
is c:x. Then the Security Server is unable to determine the absolute path
of the file name in the command, because the current directory known to
the Security Server is on disk D: and the file is on disk C:, which may
have a different current directory.
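The following is an added, runnable model of the matching rules above and
of the unresolvable-name fallback the notes spell out under "Example - Unix"
below. It is illustration written for this page, not Check Point or Sun
code. Table 1, the cwd+name concatenation, the DOS drive-letter rule and
the Reject/Drop-versus-Accept fallback come from the notes; the dict layout
of a resource, glob matching of the resource path, requiring both GET and
PUT for RNFR, and refusing to resolve any ".." component are assumptions
made for the example.

```python
"""Model of FireWall-1 3.0b FTP Resource matching (added example).

Not product code.  Resource layout, glob matching, the RNFR rule and the
conservative handling of '..' are this example's own assumptions.
"""
import fnmatch
import posixpath
from typing import Optional

# Table 1: the FTP commands each FTP Resource method covers.  RNFR is listed
# under both, so this model lets it through only when both are allowed.
GET_COMMANDS = {"RETR", "RNFR", "XMD5"}
PUT_COMMANDS = {"STOR", "STOU", "APPE", "RNFR", "RNTO", "DELE", "MKD", "RMD"}

MATCH, NO_MATCH, UNRESOLVED, PASSED = "match", "no-match", "unresolved", "passed"

# Resource applied when a rule has no FTP Resource (Action is User
# Authentication): GET and PUT allowed for all files.
ANY_FILES = {"get": True, "put": True, "path": "*"}


def _is_dos_path(p: str) -> bool:
    return len(p) >= 2 and p[0].isalpha() and p[1] == ":"


def resolve_name(cwd: str, name: str) -> Optional[str]:
    """Return the path compared against the resource (lower case, '/'),
    or None when the Security Server cannot resolve it."""
    if _is_dos_path(cwd):
        cwd_drive, cwd_path = cwd[0].lower(), cwd[2:].replace("\\", "/")
        if _is_dos_path(name):
            if name[0].lower() != cwd_drive:
                # Notes' DOS example: cwd d:\temp, name c:x.  The current
                # directory on drive c: is unknown, so the absolute path is too.
                return None
            name = name[2:]                     # strip drive letter and colon
        name = name.replace("\\", "/")          # separator of resource syntax
        full = name if name.startswith("/") else cwd_path.rstrip("/") + "/" + name
        full = full.lower()
    else:
        full = name if name.startswith("/") else posixpath.join(cwd, name)
    parts = [p for p in full.split("/") if p not in ("", ".")]
    if ".." in parts:
        # A '..' through a symlink can make a name look like the resource path
        # while naming another file (notes' Unix example).  This model refuses
        # to resolve it instead of collapsing it lexically (assumption).
        return None
    return "/" + "/".join(parts)


def check_resource(resource: dict, cmd: str, cwd: str, name: str) -> str:
    """Match one FTP command against a resource {"get", "put", "path"}."""
    path = resource["path"]
    if path != "*" and (path != path.lower() or "\\" in path):
        raise ValueError("resource path must be lower case with '/' separators")
    cmd = cmd.upper()
    if cmd not in GET_COMMANDS and cmd not in PUT_COMMANDS:
        return PASSED                           # handed to the FTP server unchecked
    if (cmd in GET_COMMANDS and not resource["get"]) or \
       (cmd in PUT_COMMANDS and not resource["put"]):
        return NO_MATCH
    if path == "*":
        return MATCH                            # no file restriction, nothing to resolve
    full = resolve_name(cwd, name)
    if full is None:
        return UNRESOLVED
    return MATCH if fnmatch.fnmatchcase(full, path) else NO_MATCH


def rule_outcome(action: str, resource: Optional[dict],
                 cmd: str, cwd: str, name: str) -> str:
    """What happens to a command under one rule: the rule's action (accept,
    reject, drop, encrypt, authenticate), 'passed-to-server', or 'next-rule'
    when this rule does not apply and the Rule Base is scanned further
    (possibly down to the default rule that drops everything)."""
    result = check_resource(resource or ANY_FILES, cmd, cwd, name)
    if result == PASSED:
        return "passed-to-server"
    if result == MATCH:
        return action
    if result == UNRESOLVED and action in ("reject", "drop"):
        return action                           # Reject/Drop still fire on unresolvable names
    return "next-rule"                          # no match, or unresolvable under Accept/Encrypt/Authenticate


if __name__ == "__main__":
    pub_get = {"get": True, "put": False, "path": "/pub/*"}
    # Constructed sample commands against a Unix server and a DOS server.
    for action, res, cmd, cwd, name in [
        ("accept", pub_get, "RETR", "/pub", "file.txt"),
        ("accept", pub_get, "STOR", "/pub", "file.txt"),
        ("accept", pub_get, "RETR", "/pub", "../etc/passwd"),
        ("drop",   pub_get, "RETR", "/pub", "../etc/passwd"),
        ("accept", {"get": True, "put": True, "path": "/temp/*"}, "RETR", "d:\\temp", "c:x"),
        ("authenticate", None, "STOR", "/", "report.doc"),
    ]:
        print(f"{action:12s} {cmd} {cwd!r:12s} {name!r:16s} -> "
              f"{rule_outcome(action, res, cmd, cwd, name)}")
```

The point to take from the model is the asymmetry in the fallback: an
unresolvable name under a Reject or Drop rule is still rejected or dropped,
while under an Accept rule with a file restriction the command falls through
to the next matching rule, whose Action and Track fields may differ from the
rule the administrator expected to fire.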
Example - Unix

If the file name in the command contains .. references that pass through
symbolic links, the file name in the command may match the resource's path
while the two in fact refer to different files.

When the Security Server cannot resolve a file name, the action it takes
depends on the Action specified in the rule being applied:

  * If the rule's Action is Reject or Drop, the rule is applied and its
    Action taken.
  * If the rule's Action is Accept, Encrypt or Authenticate, then: if the
    resource path is * or there is no resource, the rule is applied.
    Otherwise, the rule is not applied. Instead, FireWall-1 scans the Rule
    Base and applies the next matching rule (which may be the default rule
    that drops everything).

In this case, a potential problem is that the rules may specify different
entries in their Track fields. For example, the original rule may specify
Accounting in the Track field while the rule that is actually applied does
not.

Outgoing Connections

User Authentication and Resource rules are applied only to connections
incoming to a FireWalled machine. An outgoing connection originating on a
FireWalled machine will not be folded into a Security Server on that
machine, but will be dropped.

Authentication

ACE (SecurID)
  On Windows NT, the sdconf.rec file is in the SYSTEM32 directory under the
  directory in which Windows NT is installed.

Miscellaneous Security Issues

Verifying the Default Policy

You can verify that the default Security Policy is indeed loaded as
follows:

1. Boot the system.
2. Before installing another Security Policy, type the following command:

   $FWDIR/bin/fw stat

   The command's output should show that defaultfilter is installed.

SYNDefender

The following text should be added at the end of the "The TCP SYN Flooding
Attack" section.

Choosing an Appropriate SYNDefender Method

As a first step, you should consider whether you need SYNDefender at all.
Since the SYN flooding attack is a "denial of service" attack rather than a
security breach, it may be more effective to deploy SYNDefender only after
a SYN attack actually occurs. Another "low cost" alternative is to deploy
SYNDefender Gateway, and if a SYN attack occurs, to deploy SYNDefender
Relay.

SYNDefender Gateway vs. SYNDefender Relay

SYNDefender Gateway is an effective defense method which divides the cost
of the defense between the FireWalled gateway and the server under attack.
The overhead for the server is similar to that of an established non-active
connection, of which a server can typically handle thousands. This
non-active connection only exists for the short timeout period (configured
with the GUI).

In SYNDefender Relay, the FireWalled gateway completely isolates the server
from SYN flooding attacks, that is, the connection is not passed to the
server until after its validity is verified. The cost is that the
FireWalled gateway must relay (with some overhead) every single TCP packet
for the lifetime of the connection. In contrast, with SYNDefender Gateway,
the gateway "forgets" about the connection after a short timeout period or
after the connection has been established.

In addition, problems may arise with SYNDefender Relay when a FireWall's
Security Policy is uninstalled, or when a FireWall is rebooted. Since every
connection was relayed by the FireWall, these connections become
"confused," and the network may be overloaded by the servers' futile
attempts to resolve this confusion.

In summary, if SYNDefender is required, start with SYNDefender Gateway. If
you find that your servers are coming under frequent SYN flooding attacks
(as apparent from the Log Files), and that your server performance
deteriorates as a result of the non-active (short timeout) connections
created for each attack attempt, then you should consider the SYNDefender
Relay method.

Passive SYNDefender Gateway is an inferior method to both SYNDefender
Gateway and SYNDefender Relay. The guidelines above refer to SYNDefender
Gateway rather than to Passive SYNDefender Gateway.

------------------------------------------------------------------------
Getting Help

If you have problems installing or using this product, call the
appropriate number listed in "After Installing FireWall-1" in Chapter 3 of
Getting Started with FireWall-1. If you cannot locate the number for your
location, call 1-800-SUNSOFT (1-800-786-7638) from anywhere in North
America. From other countries, call your Authorized Sunsoft Distributor or
Reseller.

Please have the following information ready when you call:

  * model number of the system
  * serial number of the system

------------------------------------------------------------------------
Patch Installation Instructions:
--------------------------------

(1) Stop the firewall.

(2) Copy the .zip files for the component you wish to install onto the NT
    system. This patch ships the Windows GUI only: disk1.zip and disk2.zip
    from the gui subdirectory of the patch distribution (see "Files
    included with this patch" above).

(3) After copying the zip files into an empty folder on the NT system,
    unzip the files to expand them, and then run setup.exe. This installs
    everything, prompting the user for whatever is necessary. If you are
    upgrading from a prior installation, the existing license is
    propagated automatically (it is displayed in a dialog box at one point
    during the install; check that it is the license you expect).

(4) The system will automatically reboot at the end of the installation.

(5) Start the firewall, if it isn't started automatically with your
    configuration. Before installing your Security Policy, confirm with
    "fw stat" that the default filter is loaded (see "Verifying the
    Default Policy" above).

Special Install Instructions:
-----------------------------

Review the Release Notes prior to installation and ensure that a complete
BACKUP of the system is performed prior to installing this update.