
What’s New in Fireware XTM v11.8




Presentation Transcript


  1. What’s New in Fireware XTM v11.8

  2. What’s New in XTM 11.8 • Proxies and Services • DLP (Data Loss Prevention) • YouTube for Schools • WatchGuard AP Enhancements • Authentication • Indirect LDAP Query Support • SSO with the new Exchange Monitor • SSO Port Tester • Enhanced Support for IPv6 • Updated Web UI • FireWatch • Front Panel • VPN • Branch Office VPN Virtual Interface • Management Tunnel over SSL • SHA2 Support • Mobile VPN with SSL VPN client password control • Other • Multiple PPPoE sessions per interface • Global setting to clear connections that use an SNAT action you modify.

  3. XTM Data Loss Prevention

  4. What is DLP? • A service that prevents costly data breaches by scanning and detecting the transfer of sensitive information over email, web, and FTP. • DLP detects information in categories such as: • Financial Data (Bank routing numbers) • HIPAA (PHI, patient forms) • PII (Personally Identifiable Information) • Drivers’ licenses • Ethnicity terms • National ID/insurance • Email addresses • Postal addresses

  5. DLP — How it Works • DLP scans proxied SMTP, FTP, and HTTP connections. • HTTPS can be scanned if deep inspection is enabled in the HTTPS proxy action. • DLP uses Sophos libraries for two purposes: • Text Extraction • Extracts plain text from over 30 file formats, including PDF, HTML, Microsoft Word, Excel, Visio, and Project. • Content Analysis • Detects over 200 different patterns, known as content control rules

  6. DLP — How it Works • The same process handles AV scanning and DLP scanning. • When a proxy sends a scan request, it can be for AV, DLP, or both. • Each scan request includes a list of content control rules to use. • AV scan result actions take precedence over DLP.

  7. DLP — Content Control Rules • Content control rules match a pattern multiple times. • The quantity for each rule is a measure of the weighted number of matches the rule must find to identify content as a DLP violation. • Because the DLP rules use multiple expressions to find matching text, and use weights to adjust the rule sensitivity, the quantity shown does not always correspond exactly to the number of text matches required to trigger the rule. • To see DLP rules and quantities go to http://www.watchguard.com/SecurityPortal.
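To make the "quantity is a weighted number of matches" point concrete, here is an added example (not from the presentation, and not the Sophos rule format the device actually uses): a simplified content control rule with several weighted expressions, where two routing-number-shaped hits alone do not reach the quantity but the same hits plus supporting keywords do.

```python
import re

# Constructed, simplified model of a DLP content control rule: several expressions,
# each with a weight, and a quantity the weighted match total must reach.
# Illustrative only; the real Sophos rules are not in this format.
FINANCIAL_RULE = {
    "name": "bank routing numbers (illustrative)",
    "quantity": 5,
    "expressions": [
        (re.compile(r"\b\d{9}\b"), 2),                  # 9-digit routing-number shaped token
        (re.compile(r"\b(?:ABA|routing)\b", re.I), 1),  # supporting keyword, lower weight
    ],
}

def weighted_matches(rule, text):
    """Sum weight * number of hits over every expression in the rule."""
    return sum(weight * len(pattern.findall(text)) for pattern, weight in rule["expressions"])

def violates(rule, text):
    """A DLP violation is declared when the weighted total reaches the rule's quantity."""
    return weighted_matches(rule, text) >= rule["quantity"]

# Constructed sample text: two routing-number shaped tokens plus two keywords.
SAMPLE = "Wire to ABA routing 021000021, backup 011000015 per our agreement."
```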

  8. DLP – Support by Model • This table shows the signature set and text extraction available for each model.

  9. DLP — Scanning and Performance • Available DLP rule sets vary by device • XTM 2, XTM 3, and XTM 5 Series (Standard) • XTMv, XTM 8 Series and higher (Enterprise) • Just as with AV, DLP scanning consumes resources • Performance impact can vary by configuration • Performance varies by number and type of selected rules • Avoid selecting unnecessary rules

  10. DLP — Configuration Workflow • Update feature key • Enable Data Loss Prevention • Add a DLP Sensor using the wizard • Apply sensor to proxy policies • Select content control rules • Select actions to take when content is detected in email and non-email traffic.

  11. DLP - Configuration Workflow • Edit Sensors • Enable/disable rules • Configure sensor actions by source and destination • Configure sensor settings • Set actions for items that cannot be scanned due to: • Size exceeds scan limit • Scan error • File is password protected • Set the file scan limit

  12. DLP — Built-In Sensors • DLP includes two built-in sensors • HIPAA Audit Sensor • Detects content related to compliance with HIPAA security standards • PCI Audit Sensor • Detects content related to compliance with PCI security standards

  13. YouTube for Schools

  14. YouTube for Schools — Overview • YouTube Education Filter • Schools need YouTube, but want to be able to control access to specific content • YouTube created the filter to support EDU-only content, instead of having schools deny YouTube overall • How it works • School administrator obtains an ID from YouTube • They must log in using their school’s Google account. • https://www.youtube.com/schools • X-YouTube-Edu-Filter header added to HTTP requests • HTTPS with DPI

  15. YouTube for Schools — Configuration • Enable YouTube for Schools in the HTTP Proxy Action • Type the School ID

  16. YouTube for Schools — Example • HTTP request • Original request headers • GET /feed/dK0sTdv5FonSsAOcx83YBw12947736341343 HTTP/1.1 • Host: www.youtube.com • New request headers • GET /feed/dK0sTdv5FonSsAOcx83YBw12947736341343 HTTP/1.1 • X-YouTube-Edu-Filter: P4SHoKOOZOJDQU8PRSCXtA • Host: www.youtube.com • By handling this on the XTM device, the school does not need to deal with configuration of various machines, including BYOD
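The header rewrite shown above, as an added example that is not part of the presentation: the list of YouTube hostnames is an assumption, the School ID is the one on the slide, and a client-supplied copy of the header is replaced rather than kept, since a BYOD device that set its own header would otherwise leave the school's filter.

```python
# Added example: the request rewrite an HTTP proxy performs for YouTube for Schools.
YOUTUBE_HOSTS = {"www.youtube.com", "youtube.com", "m.youtube.com"}  # assumption
SCHOOL_ID = "P4SHoKOOZOJDQU8PRSCXtA"  # the School ID shown on the slide

def add_edu_filter(raw_request, school_id=SCHOOL_ID):
    """Insert X-YouTube-Edu-Filter into a raw HTTP/1.1 request bound for YouTube.
    Any copy of the header the client supplied is removed first, so a user
    cannot substitute a different ID from their own browser or device."""
    head, sep, body = raw_request.partition("\r\n\r\n")
    lines = head.split("\r\n")
    request_line, headers = lines[0], lines[1:]
    host = next((h.split(":", 1)[1].strip() for h in headers
                 if h.lower().startswith("host:")), "")
    if host.split(":")[0].lower() not in YOUTUBE_HOSTS:
        return raw_request  # not YouTube: pass the request through unchanged
    headers = [h for h in headers if not h.lower().startswith("x-youtube-edu-filter:")]
    headers.insert(0, "X-YouTube-Edu-Filter: " + school_id)  # placed right after the request line
    return "\r\n".join([request_line] + headers) + sep + body
```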

  17. AP Enhancements

  18. AP Enhancements — Overview • Select radio channel (72135) • Set maximum data rate • Management VLAN tagging (71403) • “Updating” Status (72628) • New firmware

  19. AP Enhancements — Radio Settings • Preferred Channel • Update the list of available AP channels. • Select the preferred channel. • Rate • Set the maximum speed at which wireless clients can send data.

  20. AP Enhancements — Management VLAN Tagging • Enable management VLAN tagging, and select a management VLAN ID. • After the AP device is paired, management connections use the selected VLAN. • An unpaired AP device cannot accept management connections on the VLAN.

  21. “Updating” Status • New AP status in the Firebox System Manager Gateway Wireless Controller tab. • When you save an access point configuration to the XTM device, the XTM device immediately sends the update to the affected AP devices. While the update is in progress, the AP device status changes to Updating. • The update process can take up to a minute to complete. • During this time wireless services might be interrupted on the AP device.

  22. AP Firmware Update • The XTM OS update includes updated firmware for WatchGuard AP devices, to enable the new AP features. • Make sure that automatic updates are enabled in the Gateway Wireless Controller settings so the XTM device updates all paired AP devices. • If you don’t want to enable automatic updates, you can manually upgrade each AP device. • Download the AP device firmware from the Software Downloads site. • Connect to the web UI on the AP device to upgrade the firmware.

  23. LDAP Authentication Using Indirect Queries

  24. LDAP — Background • LDAP Authentication using the “memberOf” group string, or other user attributes, queries the Directory Service for the user object, and identifies group membership based on this attribute of the user. This is considered a direct query. • Some LDAP services, like Novell, use other attributes of the user object to identify group membership. Others, such as OpenLDAP, do not have such an attribute at all unless you enable a “memberOf overlay”. This requires detailed knowledge of the LDAP service being used, or extending the schema. • An alternative to this is an indirect query, where the user is identified, and the entire directory is searched looking at attributes of all groups to find where the user is a member.

  25. LDAP — How it Works • We’ve added support for indirect queries using Object Classes defined in these two RFCs: • RFC2256 — A summary of the X.500 User Schema for use with LDAPv3 defines Object Class “groupOfNames”. Users are identified in the “member” attribute of each group object. • RFC2307 — An approach for using LDAP as a Network Information Service defines Object Classes “posixGroup” and “posixAccount”. The “gidNumber” attribute identifies each group object, and the “memberUid” attribute of each group identifies the users that are members of the group. • There are no visible UI changes to add support for indirect queries in Fireware XTM v11.8. • Triggered by the entry in the “Group String” attribute

  26. LDAP — Using RFC2256 “groupOfNames” • Object Class “groupOfNames” is used to manage groups. Users are identified using the “member” attribute of each group object. • Configure “member” as the Group String for LDAP. • XTM performs two search queries to identify groups: • First search — Identify the DN of this user. • Second search — Identify all entries of groupOfNames where “member” attribute contains the user DN. • Extract the name, “cn” attribute, of each group returned by server.

  27. LDAP — RFC2256 “groupOfNames” Example • Example: User “user2” belongs to group called “market”. • A “member” of groupOfNames object “market” includes the DN for user2.

  28. LDAP — Using RFC2307 “posixGroup” • Object classes posixAccount and posixGroup are used to manage groups. Groups are identified by gidNumber and users by memberUid. • Configure “memberUid” or “gidNumber” as the group string for LDAP.

  29. LDAP — Using RFC2307 “posixGroup” • Fireware XTM uses three search queries to retrieve group information. • First search: Identify the DN, “uid”, and “gidNumber” of the user. • Second search: Get all entries of posixGroup from the server with the filter “memberUid=<uid>”. • Extract the name, “cn” attribute, of each group returned by the server. • Third search: Get one entry of posixGroup from the server with the filter “gidNumber=<gid_number>”. • Extract the name, “cn” attribute, of the posix primary group. • This third search is required because LDAP servers will not return the posix primary group, the group that matches the “gidNumber” seen for the user, in the second search. • Combine the groups from the second and third search.

  30. LDAP — Case 3 Solution (continued, XTM Search) • Example: User “pos_group1_user1” belongs to group “pos_group1” and “pos_group3”; its uid is “pos_group1_user1”, its gidNumber is 203.

  31. LDAP — Case 3 Solution (continued, XTM Search) • memberUid of posixGroup “pos_group1” include user “pos_group1_user1”.

  32. LDAP — Case 3 Solution (continued, XTM Search) • “gidNumber” of “pos_group3” is 203.
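The two-search groupOfNames lookup and the three-search posixGroup lookup described above, as an added example that is not from the presentation: it runs against a constructed in-memory directory (standing in for the LDAP server) whose entries mirror the slides' examples (user2 in market; pos_group1_user1 with gidNumber 203 in pos_group1 and pos_group3), and the search helper builds the equality filter the device would send, escaping the user-supplied value per RFC 4515 so a typed username cannot alter the filter.

```python
# Added example: indirect LDAP group lookup per RFC2256 (groupOfNames) and
# RFC2307 (posixGroup), run against a constructed in-memory directory.
DIRECTORY = [  # constructed entries; names and gidNumber mirror the slides' examples
    {"dn": "uid=user2,ou=people,dc=example,dc=com",
     "objectClass": ["inetOrgPerson"], "uid": ["user2"]},
    {"dn": "cn=market,ou=groups,dc=example,dc=com", "objectClass": ["groupOfNames"],
     "cn": ["market"], "member": ["uid=user2,ou=people,dc=example,dc=com"]},
    {"dn": "uid=pos_group1_user1,ou=people,dc=example,dc=com",
     "objectClass": ["posixAccount"], "uid": ["pos_group1_user1"], "gidNumber": ["203"]},
    {"dn": "cn=pos_group1,ou=groups,dc=example,dc=com", "objectClass": ["posixGroup"],
     "cn": ["pos_group1"], "gidNumber": ["201"], "memberUid": ["pos_group1_user1", "bob"]},
    {"dn": "cn=pos_group3,ou=groups,dc=example,dc=com", "objectClass": ["posixGroup"],
     "cn": ["pos_group3"], "gidNumber": ["203"], "memberUid": []},
]

def escape_filter_value(value):
    """RFC 4515 escaping: a user-typed name must not be able to change the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def search(attr, value, object_class=None):
    """Equality search; returns the filter the device would send and the matching entries."""
    term = "(%s=%s)" % (attr, escape_filter_value(value))
    ldap_filter = "(&(objectClass=%s)%s)" % (object_class, term) if object_class else term
    hits = [e for e in DIRECTORY if value in e.get(attr, [])
            and (object_class is None or object_class in e["objectClass"])]
    return ldap_filter, hits

def groups_via_group_of_names(uid):
    """RFC2256, two searches: the user's DN, then every groupOfNames whose member holds it."""
    _, users = search("uid", uid)
    if not users:
        return []
    _, groups = search("member", users[0]["dn"], "groupOfNames")
    return sorted(g["cn"][0] for g in groups)

def groups_via_posix_group(uid):
    """RFC2307, three searches: the user's uid and gidNumber, the posixGroups listing the
    uid in memberUid, then the primary group by gidNumber (absent from the second search)."""
    _, users = search("uid", uid, "posixAccount")
    if not users:
        return []
    user = users[0]
    _, secondary = search("memberUid", user["uid"][0], "posixGroup")
    _, primary = search("gidNumber", user["gidNumber"][0], "posixGroup")
    return sorted({g["cn"][0] for g in secondary} | {g["cn"][0] for g in primary})
```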

  33. SSO Authentication Support for Mac OS X

  34. Enhanced SSO Support — Overview • In Fireware XTM v11.8, Single Sign-On (SSO) support has been enhanced: • SSO now supports Mac OS X (RFE64443) • SSO now supports iOS and Android • The SSO Agent can now be used independently with greater accuracy • To provide SSO functionality for these new use cases, the SSO authentication solution includes two new components: • EM (Exchange Monitor) • SSO Client for Mac OS X

  35. Enhanced SSO Support — Overview • Single Sign-On options, at a glance:

  36. Enhanced SSO Support — Exchange Monitor (EM) • EM takes advantage of the close relationship between the Microsoft Exchange server and the Active Directory server. • For example: An organization uses Microsoft Exchange Server and an Active Directory domain server. Every day, the first thing each employee does is use their office equipment, including PC, laptop, iPhone, iPad and so on, to deal with email. Afterwards, they access the internet. Users cannot log in to their mailboxes until their domain accounts are authenticated by Exchange Server. • Exchange Monitor (EM) • Does not remove or replace the functionality of existing SSO components. Instead, it extends SSO support of logon/logoff functionality to Mac OS X, iOS, Android, and Windows OS • New component in the XTM SSO software set • Must be installed on the same server as Microsoft Exchange

  37. Enhanced SSO Support — Exchange Monitor (EM) • What is EM? • EM tightly integrates with Microsoft Exchange • Works only in an environment in which Microsoft Exchange Server is deployed • EM is similar to ELM, running as a Windows service process • EM is responsible for: • Monitoring the logon/logoff action for domain accounts • Notifying the SSO Agent in real time • Responding to the command request (“get user”) sent by the SSO Agent.

  38. Enhanced SSO Support — SSO Client for Mac OS X • What is the SSO Client for Mac OS X? • Works in an environment without Microsoft Exchange Server • Similar to the SSO Client for Windows • Install the client software on workstations in the domain that run Mac OS X • Supports Mac OS X 10.6+ • Supports the use case in which a user logs on from a MacBook with an Active Directory domain account.

  39. Enhanced SSO Support — Other Changes • Different SSO Contacts in UI • Different way to get groups • New Session check interval • Applies only to Exchange Monitor and OS X/Android/iOS users

  40. Enhanced SSO Support — Agent Contact Settings • In Fireware XTM v11.8, Agent Contacts include: • SSO client • Event Log Monitor • Exchange Monitor

  41. Enhanced SSO Support — Group Retrieval • Before XTM v11.8, ELM/SSO clients returned group information to the SSO Agent. • With XTM v11.8, ELM/EM/SSO clients return user/domain/IP address information to the SSO Agent. The SSO Agent queries the AD server to get all groups. • Compatibility • XTM v11.8 SSO Agent works with pre-v11.8 SSO Client/ELM • XTM v11.8 ELM/SSO Client/EM does NOT work with pre-v11.8 SSO Agent

  42. Enhanced SSO Support — Session Check Interval • The new Session Check Interval is used for non-Windows clients only. For non-Windows clients, logoff events are detected using Microsoft Exchange internal tables. • For any active client, Exchange Monitor saves the time of last activity. • Exchange Monitor sends logoff event information for any active non-Windows client to the SSO Agent if it cannot detect any activity in the time span specified in the Session Check Interval setting. • The default Session Check Interval is 40 minutes.

  43. Enhanced SSO Support — Session Check Interval • Why is the default Session Check Interval set to 40 minutes? • On Mac OS X mail clients, the default setting for Check for New Messages setting is 30 minutes. • Therefore, the Session Check Interval has to be more than 30 minutes. • In general, we recommend: • Session Check Interval = Max(Check for Message) + 2 • Where Max(Check for Message) is the maximum value of all non-Windows devices running a mail client. 2 minutes is the amount of time that EM requires to detect changes in the IIS log.

  44. Enhanced SSO Support — Test SSO Port • To verify that the SSO Agent can contact the Event Log Monitor and the Exchange Monitor, you can use the SSO Port Tester tool. • In the Clientless SSO Settings, select Test SSO Port. • In the SSO Port Tester, you can test IP addresses and ports for SSO.

  45. IPv6 Support

  46. IPv6 Support • XTM v11.7.4 supported: • IPv6 addresses in packet filter policies • MAC access control for both IPv6 and IPv4 traffic • Inspection of IPv6 traffic received and sent by the same interface • IPv6 addresses in blocked sites and exceptions • Blocked ports configuration applies to IPv6 traffic • TCP SYN checking setting applies to IPv6 traffic • XTM v11.8 adds: • Authentication on https://<IPv6 firebox>:4100 page is now possible • DHCPv6 options available on interfaces that use IPv6 • IPv6 FireCluster Management addresses • IPS and Application Control now apply to IPv6 networks • Default Packet Handling options to block IPSec, IKE, ICMP, SYN, and UDP flood attacks now apply to IPv6 networks

  47. IPv6 Support — Authentication • You can now authenticate to an XTM device configured with an IPv6 address (https://<IPv6 firebox>:4100) • Example: https://[2001::254]:4100

  48. IPv6 Support — Authentication • With Fireware XTM v11.8, users can now connect from an IPv6 address to the IPv6 address of the XTM device. But the XTM device still connects to its configured 3rd party authentication server by its IPv4 address. • Some authentication functions are NOT supported in this release: • Single Sign-On • Terminal Services • VPN • FQDN support for RADIUS and SecurID • Automatic redirect of users to the authentication page

  49. IPv6 Support — DHCPv6 • Use DHCPv6 to request an IPv6 address for an external interface. • Select Enable DHCPv6 Client. • Enable the Rapid Commit option if you want to use a rapid two-message exchange to get an IPv6 address.

  50. IPv6 Support — DHCPv6 • Configure a DHCPv6 Server for a trusted or optional interface.
