Solstice FireWall-1
Version 3.0b Release Notes


Overview

Thank you for using Solstice FireWall-1 Version 3.0b.

This document contains important information not included in the FireWall-1 User Guide. Please review this information before installing or using FireWall-1.

Product Description

Documentation

New Features

Known Bugs and Restrictions

User Guide Clarifications

Getting Help


Product Description

Solstice FireWall-1 Version 3.0b is a comprehensive security tool that allows an organization to access the Internet's vast worldwide resources without compromising internal network security.

A license password is required to activate FireWall-1 after installation.


Documentation

Sun assumes that the customer has access to the FireWall-1 Version 3.0 CD-ROM. The CD-ROM includes a copy of the FireWall-1 User Guide in Adobe Acrobat Portable Document Format (PDF), as well as Acrobat readers for most supported platforms. Updated versions of these readers can be downloaded from Adobe (www.adobe.com). The CD-ROM does not contain an Acrobat reader for Solaris 2 for x86.

Note - Before installing a VPN or VPN/DES package, you must install the base package, which is delivered as a separate patch.


New Features

FireWall-1 Version 3.0 includes the following new features:

1. FireWall-1 support for Solaris 2.6
2. SecuRemote Version 3.0 including:
3. Support for managing Cisco 11.2 routers
4. New Services Support: Connected OnLine Backup, AOL, OnTime
5. Session Authentication Agent for Windows 3.11

Bugs Fixed in this Version

Version 3.0b fixes bugs that were found in version 3.0a. For a complete list of the bugs that were fixed in Version 3.0b, please contact Sun.

Bugs fixed in this release include but are not limited to the following:

1261680 firewall-1 doesn't always handle ftp PASSV correctly: data channel is blocked
1263275 firewall-1 ver2.0b doesn't work with license
1264199 can't load rules, core dump
1264798 Firewall-1 doesn't have an rexec class
1264816 changing Text.MaxDocumentSize to add comments under firewall GUI doesn't work
1267277 FW-1 firewall 2.0e rejects packets at random
4006688 FireWall-1 fails to generate encryption filter if patch 103337-05 is installed
4013122 Firewall_1 drops fragmented udp packets which do not come in correct sequence
4028259 2.1 GUI appears to lose connection w/ inspection module but fwd keeps filtering
4040195 fwui's System View reports Help icon
4044273 Firewall-1 NT error message FW1:Fwreceive:lookaheadbuffer 2806>max buffer size 1
4052718 3.0 fwinfo calls gunzip which is not included in FW or Solaris distribution
4055124 In user authentication you have only one minute for typing in password
4060955 Customers using NT can't license 3.0
4061216 'Suspend' feature of win95/pc does not work when SecuRemote is installed
4061293 WinGUI cannot print large rulebase - shoves all rules onto one page
4068918 Log viewer reports 'too many logs, lost some' msg after upgrade from 2.1 to 3.0
4073833 firewall-1 3.0a loses license in kernel module after reboot.
4076069 snmp_trap: can't create variable
4077906 firewall 3.1/NAT selection for network objects just displays background color

Platform Specific Problems


Windows NT: Logging stopped after a while

On Windows NT, logging stopped after a while and no further log records were written to the log file. Attempting to stop the FireWall-1 Service in this state crashed the system (Blue Screen of Death).

HP-UX: SYNDefender

Using SYNDefender could crash the FireWalled machine.

HP-UX: BTLAN Support

BTLAN Network Interface Cards are now supported.

HP-UX: On some 10.20 machines FireWall-1 failed to attach

On some HP-UX 10.20 platforms, the FireWall-1 driver failed to attach after installation and did not operate.

Services Support


SQL*Net v2

Allowing SQL*Net version 2 through a Windows NT FireWall could crash the machine. It also did not work properly on Solaris 2 for x86.

StreamWorks

Address Translation was not supported for StreamWorks.

UDP

General support for UDP address translation was added.

User Interface

X/Motif GUI


X/Motif Memory Usage

When using the X/Motif Log Viewer and/or System Status, the X server process allocated more and more memory until the X system hung.

Motif GUI crashes when changing resources.
Motif GUI crashes on RADIUS Server dialog box.

Defining a RADIUS Server caused the X/Motif GUI to crash.

Windows and X/Motif GUI


Refresh button did not work.
Deleting an object from a group did not have the expected effect.

Deleting an object from a group through the GUI did not remove it from the FireWall-1 tables.

Rule Base printing

The Rule Base was printed on a single page, which was unreadable when the Rule Base included many rules.

Monitor-Only User was allowed to purge Log Files.

Security Servers

General:

"Not in" on sources and destinations was not checked correctly by security servers

OPSEC CVP+UFP Problems:


HTTP+FTP did not work properly with Symantec Anti-Virus.
HTTP logged virus detections incorrectly (the log showed Accept).
FTP did not work with CVP in PASV mode.

HTTP:


HTTP Security Server failed for www.on.com and other sites.
HTTP translated '//' to '/', resulting in broken GIF files.

FTP:


FTP time-out caused the connection to be closed on large files.
FTP Security Server hung under heavy load.
FTP Welcome message did not work.

SMTP:


Mail dequeuer got stuck after 25 failures.
Security Server removed the <> around a mail path.
When an error server was set, error messages were sent to the postmaster instead of to the sender.
On Windows NT, files were not removed from the spool directory in some cases.
In error messages, the From address was not RFC 821 compliant.
Parsing used to rewrite header fields was improved and its bugs fixed.
No header matching was done when the action was REJECT or DROP.
Strip MIME did not correctly process type lists (e.g. {image, application}).

Authentication Methods

SecurID

New PIN mode behavior changed.

You must now complete the New PIN mode session before you can log in.
S/Key

S/Key File printing (Motif + Windows)

When printing an S/Key file, only some of the lines were printed properly.
AXENT

Backup AXENT Server added.

You can now specify a secondary AXENT server, which is used when the primary server is down.
RADIUS

Support for dbimport/dbexport.
RADIUS Authentication stopped after 256 connections.

Client Authentication


Client Authentication with Logical Servers integration.

The user can now specify a Logical Server name when prompted for a destination.

Client Authentication with resources is now allowed.
Client authentication upon session authentication

When using client authentication upon session authentication, the time-out was set to 60 seconds instead of what was defined in the Client Authentication properties.

Encryption

VPN
General:

NFS did not work with encryption.
FWZ

fwd crashes after loading policy when using FWZ

When a policy was reloaded while an FWZ encryption session was in progress, the fwd process crashed.
SKIP:

Remote Object SKIP keys

Fetching a remote object's SKIP key modified the network object name and corrupted the objects.C file.

Windows NT FireWall-1 runs out of memory

A memory leak in SKIP and Manual IPSec packet handling caused Windows NT to run out of memory and get stuck after a while.
SPI Key Generation

SPI Key Generation did not work on Windows and Motif GUI.

SecuRemote

SecuRemote RDP Packets

On Windows NT and Solaris 2 for x86, the first encrypted packet of a SecuRemote session caused an infinite loop of messages between fwd and the kernel.

Other

Code Generation


Number of rules limitations

The number of rules that can be used in the security policy was significantly increased.

Network Object with net-mask 0.0.0.0 did not work properly.

A network object with net-mask 0.0.0.0 (which is equivalent to "Any") was not handled properly in some cases.

Miscellaneous

"fw fetch <hostname>" exits improperly upon failure.


When the "fw fetch <hostname1> <hostname2>" command failed because of a network time-out (that is, hostname1 was unreachable), the process exited without trying to fetch the Security Policy from hostname2.

Setting Name Resolving Properties

Using the Properties/Resolving dialog box to set the order of the name resolution methods produced the wrong order when more than one option was used.

Routers Management


Install On "All" did not apply to routers.

When using the "All" object in the 'Install On' column, the rule was not enforced on routers.

Logging And Alerting


Windows NT: Logging stops and machine crashes in fwstop

After some time of proper operation, log records from the FireWall Inspection Module were no longer sent. Running fwstop at that point crashed the machine with a CANCEL_STATUS_ON_COMPLETED_IRP Blue Screen.

Logging Performance on Windows NT improvement

The Windows NT logging rate was improved to handle around 1000 log records per second. This should eliminate the 'Log record lost(s)' message from the Event Log.

Mail alert default command

The default Mail alert command was Solaris 2 specific. It now works on all supported operating systems.

Installation


No license in the module after upgrading

After an 'upgrade' mode installation on SunOS 4 and Solaris 2 systems, the license embedded in the FireWall-1 module was deleted, resulting in a 'No valid FM license' error when installing a Security Policy. This is now fixed: the license is upgraded together with the module.

Windows NT: Licenses installation fails

Installation of long licenses (that is, with a long list of features) through the Windows NT FireWall-1 Configuration tool failed, although it succeeded from the command line with 'fw putlic'.

Known Bugs and Restrictions

Solaris 2.6

1. FireWall-1 3.0b supports Solaris 2.6. Since previous FireWall-1 versions cannot be installed on Solaris 2.6, you must upgrade your FireWall-1 software to 3.0b before upgrading the Operating System to Solaris 2.6.
2. On Solaris 2.6 there is by default no dumb terminal entry in /usr/share/lib/terminfo/, which causes two problems:

Please contact Sun to obtain a patch for this problem.
3. The X/Motif Log Viewer cannot run on Solaris 2.6. Please contact Sun to get a patch for this problem when it is available.
4. When setting the boot security on Solaris 2.6, the file /etc/rcS.d/S30rootusr.sh gets corrupted, and the system fails to reboot. Before installing the software, please contact Sun for a patch that solves this problem.

Solaris 2.x

1. When using encryption on Solaris 2.x machines, you must create certificate keys when defining network objects (you cannot do so during installation).
2. After purging the Log, the Log Viewer is not updated.
The Log is updated, but the Log Viewer is not. To update the Log Viewer, refresh the window (move it or resize it, etc.).

Windows NT 4.0

FireWall-1 on Windows NT 4.0 with Service Pack 3 does not work properly with RAS.

FireWall-1 SecuRemote

1. Initial establishment of a new SecuRemote connection may take some time, so your first attempt to connect to a FireWall-1 server may fail. Typing the password manually before establishing the connection should help.
2. SecuRemote does not work with static Network Address Translation.
3. SecuRemote installation fails on some portable machines.

All Platforms

1. The SMTP Security Server sends an LF symbol rather than a CR-LF for each line. This causes compatibility problems with some SMTP Servers. Please contact Sun for a patch for this problem.
2. When the SMTP Security Server drops a mail message because its length exceeds the maximum size defined in a resource, it does not notify the mail client of the reason.
3. When the SMTP Security Server drops a mail message because a resource does not allow 8 bit characters, it does not notify the mail client of the reason. Please contact Sun to obtain a patch for this problem.
4. A FireWall-1 3.0b Management Station cannot properly manage 3.0 FireWall Modules. You need to upgrade the FireWall Module to 3.0b as well.
5. Using FireWall-1 Synchronization under heavy load may crash the machine. Contact Sun for a patch that solves this problem.

User Guide Clarifications

The following material clarifies subjects discussed in the FireWall-1 User Guide.

Getting Started

Installing FireWall-1

Operating Systems

In Table 3-8 on page 87, the list of Solaris versions under Operating Systems should read "Solaris 2.3, 2.4, 2.5 and 2.6".

Licenses

On page 105, any references to "serial number" should read "Certificate Key."

Architecture and Administration

Security Servers

FTP Resources

When an FTP connection is mediated by the FireWall-1 FTP Security Server, then the user's requested FTP commands and file names are matched against the FTP Resource defined in the relevant rule.

The FTP Security Server is invoked when a rule specifies an FTP Resource in the Service field and/or User Authentication in the Action field. If no FTP Resource is specified in the rule (that is, if the Security Server is invoked because the Action is User Authentication), then an FTP Resource of GET and PUT allowed for all files is applied.

FTP Resource Matching

FTP Resource matching consists of matching methods and file names.

Methods
Table 1 lists the FTP commands that correspond to the methods specified in the FTP Resource definition.

Table 1: FTP Resource methods and the FTP commands they cover

Method (in FTP Resource)   FTP command   Meaning
GET                        RETR          retrieve
                           RNFR          rename from
                           XMD5          MD5 signature
PUT                        STOR          store
                           STOU          store unique
                           APPE          append
                           RNFR          rename from
                           RNTO          rename to
                           DELE          delete
                           MKD           make directory
                           RMD           remove directory
The FireWall-1 FTP Security Server passes all other FTP commands to the FTP server for execution.

File Names
File name matching is based on concatenating the current working directory and the file name in the command (unless the file name is already a full path name) and comparing the result with the path specified in the FTP Resource definition.

When specifying the path name in the FTP Resource definition, only lower case characters and a directory separator character / can be used.
The Security Server modifies the file name in the command as follows:

In some cases, the Security Server is unable to resolve the file name, that is, it is unable to determine whether the file name in the command matches the file name in the resource.

Example - DOS
Suppose the current directory is d:\temp and the file name in the command is c:x. The Security Server cannot determine the absolute path of the file name in the command, because the current directory known to the Security Server is on drive D: while the file is on drive C:, which may have a different current directory.

Example - Unix
If the file name in the command contains .. references that traverse symbolic links, the file name in the command may match the resource's path while the two in fact refer to different files.

When the Security Server cannot resolve a file name, what it does depends on the FTP Resource in the rule being applied:

If the resource path is * or there is no resource, the rule is applied.
Otherwise, the rule is not applied. Instead, FireWall-1 continues scanning the Rule Base and applies the next matching rule (which may be the default rule that drops everything). A side effect is that the two rules may specify different entries in their Track fields: for example, the original rule may specify Accounting in the Track field while the rule that is actually applied does not, so the connection is tracked differently from what the original rule intended.
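The matching rules above (Table 1, the cwd concatenation, the two unresolvable cases and the fall-through to the next rule) are easier to reason about in code. The following Python model is an added example and is not Sun or Check Point code; the rule and resource layout, the use of * as a glob, and the exact drive-letter and .. checks are this example's assumptions about how the Security Server decides a name is unresolvable, not documented FireWall-1 internals. The Rule Base it runs against is constructed for the example.

```python
"""Model of FireWall-1 FTP Resource matching as described above.

Added example, not Sun or Check Point code. The rule/resource layout,
the use of '*' as a glob, and the drive-letter and '..' checks are this
example's assumptions, not documented FireWall-1 internals.
"""
import fnmatch
import posixpath
import re

# Table 1: Resource methods and the FTP commands each one covers.
# RNFR is listed under both GET and PUT; this model requires a resource
# to allow every method a command maps to (assumption).
METHOD_COMMANDS = {
    "GET": {"RETR", "RNFR", "XMD5"},
    "PUT": {"STOR", "STOU", "APPE", "RNFR", "RNTO", "DELE", "MKD", "RMD"},
}

_DOS_DRIVE = re.compile(r"^[a-z]:")

# Implicit last rule: drop everything (constructed for this example).
DEFAULT_RULE = {"name": "default", "resource": None, "action": "drop", "track": None}

# Constructed sample Rule Base: downloads under /pub, uploads under /incoming.
EXAMPLE_RULES = [
    {"name": "pub-download", "resource": {"methods": {"GET"}, "path": "/pub/*"},
     "action": "accept", "track": "account"},
    {"name": "upload", "resource": {"methods": {"PUT"}, "path": "/incoming/*"},
     "action": "accept", "track": "log"},
]


class Unresolvable(Exception):
    """The Security Server cannot decide whether the name matches the resource."""


def methods_for(command):
    """Methods a command needs. Empty set: not in Table 1, passed to the server."""
    cmd = command.upper()
    return {m for m, cmds in METHOD_COMMANDS.items() if cmd in cmds}


def resolve_name(cwd, name):
    """Build the absolute, lower-case, '/'-separated name compared with the
    resource path. Raises Unresolvable in the two cases described above:
    a DOS name on a different drive than the current directory, and a
    name containing '..' (which may cross a symbolic link on Unix)."""
    cwd_n = cwd.replace("\\", "/").lower()
    name_n = name.replace("\\", "/").lower()
    prefix = ""
    m = _DOS_DRIVE.match(cwd_n)
    if m:
        prefix = m.group(0)          # e.g. "d:"
        cwd_n = cwd_n[2:]
    m = _DOS_DRIVE.match(name_n)
    if m:
        if m.group(0) != prefix:
            raise Unresolvable("%r is on another drive than cwd %r" % (name, cwd))
        name_n = name_n[2:]          # "c:x" is relative to the current directory of C:
    if ".." in name_n.split("/"):
        raise Unresolvable("%r contains '..'" % name)
    full = name_n if name_n.startswith("/") else posixpath.join(cwd_n, name_n)
    return prefix + posixpath.normpath(full)


def apply_rule_base(rules, cwd, command, name):
    """Scan the Rule Base in order and return the rule that applies.

    A rule whose resource cannot be resolved against the name is skipped
    and scanning continues (the fall-through described above), so the
    rule that finally applies may carry a different Track: compare the
    'track' field of the result with the rule you expected."""
    needed = methods_for(command)
    if not needed:
        # Commands outside Table 1 are passed to the FTP server unmatched.
        return {"name": "passthrough", "resource": None, "action": "pass", "track": None}
    for rule in rules:
        res = rule["resource"]
        if res is None:
            # No FTP Resource (e.g. User Authentication only): GET and PUT on all files.
            res = {"methods": {"GET", "PUT"}, "path": "*"}
        if not needed <= res["methods"]:
            continue
        if res["path"] == "*":
            return rule                  # applies even if the name cannot be resolved
        try:
            path = resolve_name(cwd, name)
        except Unresolvable:
            continue                     # rule not applied; try the next matching rule
        if fnmatch.fnmatchcase(path, res["path"]):
            return rule
    return DEFAULT_RULE


if __name__ == "__main__":
    for cwd, cmd, arg in [("/pub", "RETR", "readme.txt"),
                          ("/pub", "RETR", "../etc/passwd"),
                          ("d:\\temp", "RETR", "c:x"),
                          ("/incoming", "STOR", "x.bin")]:
        r = apply_rule_base(EXAMPLE_RULES, cwd, cmd, arg)
        print("%-10s %-4s %-15s -> %s (%s, track=%s)"
              % (cwd, cmd, arg, r["name"], r["action"], r["track"]))
```

Note what the ../etc/passwd and c:x cases show: the GET rule for /pub/* is skipped because the name cannot be resolved, no later rule allows GET, and the command falls to the default drop rule, whose Track field is not the Accounting entry of the rule the administrator expected to match.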

Outgoing Connections

User Authentication and Resource rules are applied only to connections incoming to a FireWalled machine. An outgoing connection originating on a FireWalled machine is not folded into a Security Server on that machine; it is dropped.

Authentication

ACE (SecurID)

On Windows NT, the sdconf.rec file is in the SYSTEM32 directory under the directory in which Windows NT is installed.

Miscellaneous Security Issues

Verifying the Default Policy

You can verify that the default Security Policy is indeed loaded as follows:

1. Boot the system.
2. Before installing another Security Policy, type the following command:
$FWDIR/bin/fw stat

The command's output should show that defaultfilter is installed.

SYNDefender

The following text should be added at the end of the "The TCP SYN Flooding Attack" section.

Choosing an Appropriate SYNDefender Method

As a first step, you should consider whether you need SYNDefender at all. Since the SYN flooding attack is a "denial of service" attack rather than a security breach, it may be more effective to deploy SYNDefender only after a SYN attack actually occurs.

Another "low cost" alternative is to deploy SYNDefender Gateway, and if a SYN attack occurs, to deploy SYNDefender Relay.

SYNDefender Gateway vs. SYNDefender Relay

SYNDefender Gateway is an effective defense method which divides the cost of the defense between the FireWalled gateway and the server under attack. The overhead for the server is similar to that of an established non-active connection, of which a server can typically handle thousands. This non-active connection only exists for the short timeout period (configured with the GUI).

In SYNDefender Relay, the FireWalled gateway completely isolates the server from SYN flooding attacks, that is, the connection is not passed to the server until after its validity is verified. The cost is that the FireWalled gateway must relay (with some overhead) every single TCP packet for the lifetime of the connection. In contrast, with SYNDefender Gateway, the gateway "forgets" about the connection after a short timeout period or after the connection has been established.

In addition, problems may arise when a FireWall's Security Policy is uninstalled or when a FireWall is rebooted. Because every connection was relayed by the FireWall, these connections become "confused," and the network may be overloaded by the servers' futile attempts to resolve this confusion.

In summary, if SYNDefender is required, start with SYNDefender Gateway. If you find that your servers are coming under frequent SYN flooding attacks (as apparent from the Log Files), and that your server performance deteriorates as a result of the non-active (short timeout) connections created for each attack attempt, then you should consider the SYNDefender Relay method.

Passive SYNDefender Gateway is an inferior method to both SYNDefender Gateway and SYNDefender Relay. The guidelines above refer to SYNDefender Gateway rather than to Passive SYNDefender Gateway.


Getting Help

If you have problems installing or using this product, call the appropriate number listed in "After Installing FireWall-1" in Chapter 3 of Getting Started with FireWall-1. If you cannot locate the number for your location, call 1-800-SUNSOFT (1-800-786-7638) from anywhere in North America. From other countries, call your Authorized Sunsoft Distributor or Reseller.

Please have the following information ready when you call:



Copyright © 1997, Sun Microsystems, Inc. All rights reserved.