IBM Proventia Network Multi-Function Security (MFS) - README
=====================================================================
Last modified: 11/9/2010
Copyright (c) 1994-2010 Internet Security Systems, Inc.
All rights reserved worldwide.

PLEASE READ THIS DOCUMENT IN ITS ENTIRETY.
=====================================================================

CONTENTS
=====================================================================
- Description
- Compatibility
- Applying the Update
- Getting the latest Readme and Related Documentation
- Customer Support
- Reporting product issues
- Files included with the Update
- Update history

DESCRIPTION
=====================================================================
This is a cumulative patch containing all recommended Proventia M hotfixes
since the release of Firmware 4.6. The following changes are implemented
in this patch:

Firewall
========
- Guards against a possible null pointer during queueing of L2 packets
- Fixes MSS clamping of local and proxy connections
- Guards against a possible null pointer dereference during certain policy
  save operations
- Adds a parameter to enable a preview of L2 support for Microsoft NLB:
  - Name: "tfw.nlb.mcast_support"
  - Type: Boolean
  - Value: True (the feature is disabled unless this parameter is
    explicitly set)
  - Please see the COMPATIBILITY section for the current status of this
    feature set
- Adds protection and diagnostic logic for a possible crash in L2 mode
- Corrects a byte-order problem when processing DPD messages
- Fixes a problem with validating received DPD replies
- Fixes a problem with IKE improperly deleting an SA after QM completed
- More improvements to IPSec/DPD logging
- Addresses a possible problem with removal of the PPP adapter
- Enhanced logging for DPD messages
- Added a new script called 'vpntrace' that turns on tracing for the IPSEC
  VPN module (Note: use this instead of igtrace)
- Tuning parameter to limit the initial sequence number in DPD nodes to
  prevent the possibility of wrapping
- Fixes a problem where a self-signed certificate could fail to upload
- Fixes a problem where SSH management traffic uses unclamped segments
- Adds the advanced firewall tuning parameter 'lbfo.usearp' to change the
  method used to check LBFO interface status from ICMP ping to ARP ping
- Changed the firewall component to lessen the chance of crashing the
  userspace applications used by CRM to pull certificate data
- Addressed an issue where duplicate GUIDs received in a Network Objects
  policy from SiteProtector would leave the appliance in an unstable state
- Prevents a kernel panic that could occur during diagnostic procedures
- Addresses a layer 2 problem where pre-existing traffic was not blocked
  after a reject rule was added
- Fixed a signal 11 crash of the iked process that could occur when starting
  the process with more than one Remote Client VPN entry configured
- Addressed a defect that caused DNAT not to apply correctly when PPPoE is
  in use
- Corrected a problem where the firewall statistics were not updating for
  HTTP, FTP, SMTP, or POP3 traffic
- Fixed a problem where firewall statistics were not being updated when a
  packet was dropped due to a DENY policy match
- Improved logic for the use_strict_mss tuning parameter
- Adds a tuning parameter to control RFC compliance for the DOI field on
  R_U_THERE DPD exchanges:
  - Name: "fw.dpd.r_u_there.ipsec_doi"
  - Type: Boolean
  - Value: True (the IPSec DOI is used for R_U_THERE only when this is set)

Content Filtering and Anti-Spam
===============================
- Addresses a possible condition where communications between processes
  break down and cause the sensor to go into an error state
- Fixes an issue with the "Last Update" time not updating in the anti-spam
  statistics
- Anti-spam module fails to restart after a crash due to a lock file issue
- Parsing error in SMTP messages containing certain message-id formats
- Fixes a logging issue when the Web Filter Module blocks a request to a
  long URL
- Moved the 'dstname' value to the end of all syslog messages

Configuration and Response Module
=================================
- Addresses an issue where NTP fails if the specified FQDN has both IPv4 and
  IPv6 addresses in DNS
- Addresses an issue where an event could receive an improper timestamp
  under extremely rare conditions
- Addresses an issue where traffic does not route correctly with multiple
  external interfaces configured
- Fixes a problem where comments are not preserved in the routing policy

Licensing and Update Module
===========================
- Fixes a signaling issue which could cause LUM to stop downloading updates
  after encountering certain network errors
- Fixes a problem where updates could be scheduled in the past

Kernel Changes
==============
- Implements fixes for the local attacks described in CVE-2009-2692 and
  CVE-2008-4210
- Improved error handling in the sk98lin driver
- Improved the e1000 driver to address link speed inconsistencies

Local Management Interface
==========================
- Implements a fix for the Denial of Service (DoS) attack on lighttpd
  described by CVE-2010-0295
- Resolves a possible deadlocking issue which could cause the Proventia
  Management Interface to become unresponsive (issasApache patch)
- Upgrades the rrdd tools package to prevent malformed images on status
  pages

Application-Level Gateway
=========================
- Fixes a problem with the park page when using NTLM authentication
- Improved keyword processing
- Removed advertisement of pipelining support
- Resolved an issue where users of the HTTP ALG could receive 502 errors
- Adjusts logic so that the max_header_lines exceeded error is not
  triggered during long downloads

Intrusion Prevention Module
===========================
- Fixes a possible segmentation fault in a logging facility
- Fixes an issue with blocked events being reported as not blocked
- Addresses an issue where corrupted statistics could lead to a system hang

Common Policy Editor
====================
- Corrects an issue which would cause an Address Group to become uneditable
  if an Address Name listed in that address group was deleted
- Corrects an issue which causes Policy Editor performance to decrease
  dramatically when viewing a policy with a large number of network objects

Other Additions
===============
- A script for enabling advanced debug options has been added, for use only
  as directed by IBM technical support

MD5 checksum calculation:
- f4061bcf95bcfb7a6d76ddbdddfd14c0  4.6.0.1-TIV-ProvM-FP0002.pkg

COMPATIBILITY
=====================================================================
This update is applicable only to:
  IBM Proventia Network Multi-Function Security (MFS) - Firmware 4.6

Support for protecting a Microsoft Network Load Balancer deployment with the
Proventia M running in transparent mode is currently a technology preview.
The following caveats apply to customers participating in the layer 2
network load balancer support preview:

- ICMP ping directed at the cluster's virtual IP triggers ICMP attack
  detection. Pings should instead be directed at the IP address of a
  specific NLB node. In its present state, the ICMP protection algorithms
  will log some or all of the following messages, depending on the specific
  NLB configuration:
    "IGWL2FWProcessUnicastPkt()-2021-Failure code returned by TrProcess"
    "ICMP Type: 8 Code: 0, Received duplicate sequence number: 2 from ext n/w"
    "ICMP echo Reply (echo uninitiated) from corp n/w"
- Passive mode FTP transfer through the anti-virus module has a performance
  issue. (Use of active mode transfer or disabling of AVM is advised for
  this preview release.)

To enable support for transparent protection of Microsoft Network Load
Balancer:

Step 1 - Log in to the L2 M's local management interface (LMI)
Step 2 - Browse to the Firewall policy advanced parameters tab
Step 3 - Add the following parameter:
         - Name: "tfw.nlb.mcast_support"
         - Type: Boolean
         - Value: True
Step 4 - Configure access policy as desired and reboot.
Note that the firewall will treat access to the multicast NLB cluster as
unicast traffic when the above parameter is configured.

APPLYING THE UPDATE
=====================================================================
To apply the update:

Step 1 - Copy the package to the M-Appliance, for example:
         scp 4.6.0.1-TIV-ProvM-FP0002.pkg root@[ip addr]:.
Step 2 - Change to the directory where you uploaded the package.
Step 3 - Run the following command:
         hotfix-install 4.6.0.1-TIV-ProvM-FP0002.pkg
Step 4 - Reboot the appliance.

GETTING THE LATEST README AND RELATED DOCUMENTATION
=====================================================================
README
Occasionally, the information in this Readme is updated. For the latest
version, see:
  http://www.iss.net/download

For the latest IBM Proventia Network Multi-Function Security (MFS)
information:
  http://www.iss.net/support/documentation/docs.php?product=38&family=12

CUSTOMER SUPPORT FOR NORTH AMERICA
=====================================================================
Available 24 hours a day, 7 days a week.

Standard Support:
  (1) (888) 447-4861 (toll free)
  (1) (404) 236-2700
  E-mail: support@iss.net

Select and Premium Support:
  Refer to your Welcome kit for this information.

INFORMATION REQUIRED FOR REPORTING PRODUCT ISSUES
=====================================================================
If you encounter a problem with this product, please make notes that are as
detailed as possible about the following:
- Build versions
- Sensor and console host configurations
- Network deployment
- Network traffic rates
- Network traffic characteristics
- Specific failure symptoms or undesirable behavior

This information helps us reproduce the problem and resolve it as quickly as
possible.
FILES INCLUDED
=====================================================================
4.6.0.1-TIV-ProvM-FP0002.zip
|
|--4.6.0.1-TIV-ProvM-FP0002.pkg
|
|--4.6.0.1-TIV-ProvM-FP0002_Readme.txt
=====================================================================
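As an added example (not part of this readme or of IBM's own tooling), the following POSIX shell script checks the .pkg file listed above against the MD5 checksum published in the DESCRIPTION section and only then runs the steps from APPLYING THE UPDATE. It assumes md5sum (or openssl as a fallback) on the workstation and that scp/ssh can reach the appliance as root.

```shell
#!/bin/sh
# Added example, not IBM's code: verify the hotfix package against the MD5
# published in this readme, then run the documented install steps.
# Assumes md5sum (or openssl as a fallback) locally and ssh/scp access to
# the appliance; the appliance address is passed as the first argument.

EXPECTED_MD5="f4061bcf95bcfb7a6d76ddbdddfd14c0"   # from the DESCRIPTION section
PKG="4.6.0.1-TIV-ProvM-FP0002.pkg"

# md5_of FILE: print the hex MD5 digest of FILE (32 lowercase hex chars).
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        openssl dgst -md5 "$1" | awk '{print $NF}'
    fi
}

# verify_pkg FILE EXPECTED: succeed (0) only when FILE exists and its digest
# equals EXPECTED; a missing file or a mismatch fails (1) so callers abort.
verify_pkg() {
    [ -f "$1" ] || return 1
    actual=$(md5_of "$1") || return 1
    [ "$actual" = "$2" ]
}

# install_pkg APPLIANCE_IP: Steps 1-4 of APPLYING THE UPDATE, gated on the
# checksum check. Nothing is copied or installed if the check fails.
install_pkg() {
    if ! verify_pkg "$PKG" "$EXPECTED_MD5"; then
        echo "refusing to install: $PKG does not match the published MD5" >&2
        return 1
    fi
    scp "$PKG" "root@$1:." &&
    ssh "root@$1" "hotfix-install $PKG && reboot"
}
```

Run it from the directory holding the package as `install_pkg <appliance ip>`; a tampered or partially downloaded package stops the script before anything reaches the appliance.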