10.0.0 Changelog

From Edge Threat Management Wiki - Arista
Revision as of 15:42, 5 May 2016 by Dmorris (talk | contribs) (→‎10.0 Upgrade)

Overview

10.0 is a major release that includes some large architectural changes to Untangle. It includes a new "HTTPS Inspector" application, which allows on-the-fly HTTPS decryption so that the other applications can fully process HTTPS traffic. 10.0 also includes many new minor features.

Major Features / Changes

HTTPS Inspector

HTTPS Inspector allows for full HTTPS decryption. When installed and configured, it decrypts HTTPS so that all the HTTP-scanning applications (Web Filter, Virus Blocker, Ad Blocker, etc.) can scan HTTPS traffic just like normal HTTP traffic.

HTTPS Inspector does this by presenting a false certificate signed by a root Certificate Authority; that root CA must be installed on each host if HTTPS decryption is to take place without a browser warning. After presenting the certificate, it terminates the SSL connection, sends the unencrypted HTTP traffic through all the applications, then creates a new SSL connection to the server on the other side.

HTTPS Inspector can be installed on only certain racks, so that only certain HTTPS traffic is decrypted by policy (user, group, time of day, IP, etc.). HTTPS Inspector also contains rules that allow certain HTTPS traffic to be bypassed.

Networking

A new networking implementation replaces the old one. The new networking layer has a new UI and improved and reorganized functionality, as well as a simpler backend implementation. The factory defaults now have all interfaces aside from "External" and "Internal" disabled. The third interface is no longer called "DMZ."

Benefits:

IPv6 configurability

Interfaces can now be configured with IPv6 addresses. WANs can be configured statically or with SLAAC; non-WANs are configured statically. Router advertisement is allowed on non-WANs.

802.1q tagged alias support

802.1q tagged interfaces can now be created. These are custom "alias interfaces" that appear just like physical interfaces but only handle traffic carrying the appropriate 802.1q tag. Any packets sent on this alias also get the appropriate 802.1q tag.

DHCP configuration per interface

DHCP configuration now lives in the interface settings, which makes it easy to configure different DHCP scopes on different interfaces.

Simpler and more powerful NAT implementation

NAT policies have been removed. Each WAN has an option to NAT traffic leaving that interface (default ON). Each non-WAN has an option to NAT traffic coming from that interface (default OFF, so internal networks can talk to each other without NAT). This allows easy control over when and where NAT occurs. Additionally, NAT Rules now allow specific NATting of certain traffic to a certain address, just like NAT policies did, except that they are global, are evaluated in order, and match on more than just the source address.
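The following is an added example, not Untangle's own code: a small model of the per-interface NAT flags and ordered global NAT rules described above. The attribute names and the assumption that rules are consulted before the interface defaults are my own.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed model of the 10.0 NAT behaviour; attribute names are assumptions,
# not Untangle's own settings keys.
@dataclass
class Interface:
    name: str
    is_wan: bool
    address: str                # address traffic is rewritten to when NAT applies
    nat: Optional[bool] = None  # None means "factory default"

    def nats(self) -> bool:
        # WAN: "NAT traffic leaving this interface" defaults ON.
        # non-WAN: "NAT traffic from this interface" defaults OFF.
        return self.is_wan if self.nat is None else self.nat


@dataclass
class NatRule:
    new_source: str                 # address matching traffic is NATted to
    src_net: str = "0.0.0.0/0"
    dst_port: Optional[int] = None  # extra criteria beyond the source address
    protocol: Optional[str] = None

    def matches(self, src: str, dst_port: Optional[int], protocol: Optional[str]) -> bool:
        return (ip_address(src) in ip_network(self.src_net)
                and self.dst_port in (None, dst_port)
                and self.protocol in (None, protocol))


def translate_source(src, src_iface, dst_iface, rules, dst_port=None, protocol=None):
    """Return the source address a session leaves with (unchanged if no NAT applies).

    Assumed order: the global NAT rules are walked in order and the first match
    wins; otherwise the per-interface flags decide. A non-WAN with NAT enabled
    rewrites everything coming from it; a WAN with NAT enabled rewrites
    everything leaving through it. Two internal networks at defaults talk
    without NAT.
    """
    for rule in rules:
        if rule.matches(src, dst_port, protocol):
            return rule.new_source
    if (not src_iface.is_wan and src_iface.nats()) or (dst_iface.is_wan and dst_iface.nats()):
        return dst_iface.address
    return src
```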

Better PPPoE support

PPPoE support is improved, with the goal of eventually providing full functionality (QoS, WAN Failover, WAN Balancer, etc.) on PPPoE interfaces.

Settings are stored like apps, so past revisions are kept

Settings are stored just like all other apps. This makes settings manipulation much simpler and auditing of past changes much easier.

Can now disable unused interfaces

Interface settings now include a "DISABLED" state. This is highly convenient and encouraged for unused interfaces, as it guarantees that they will not interfere with proper operation.

Can now rename interfaces

Interfaces can now be renamed to anything. As such, the third interface is no longer "DMZ" by default but can be called whatever the user wants ("Guest Network", "Dorms", "Wireless" etc).

systemDev is now the primary key for a device

The system device (i.e. "eth0") is now the primary key for devices; the MAC address is no longer important. This makes restoring settings on different hardware easier, as eth0 will be treated as eth0 even if the MAC address is different.

New Debian/Kernel

Untangle is now based on Debian 6.0 (squeeze) and 2.6.32 kernel. This should result in slightly better hardware support and updated libraries for developers.

Backup/Restore

Backup/Restore has a new format. The new format includes the version of the backup within the backup file, and restore checks that version file. Restores of unsupported past versions are now explicitly disallowed instead of attempted on a "best effort" basis; 9.x backups are not supported in 10.x. Restore now requires all apps referenced by the backup to be installed on the server before the restore will be performed. Restoring without networking settings is now an option. This allows for maintaining a "standard configuration" that can be pushed to several Untangle boxes while each box keeps its own local network configuration.
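An added example, not Untangle's own backup code, showing the three restore checks described above on a constructed archive layout (a tar.gz with a "VERSION" member and a "settings.json" member; the member names and the settings keys are assumptions):

```python
import io
import json
import tarfile

# Constructed layout for this example; the real 10.0 format is not shown on the
# page, only its behaviour (version check, required apps, optional network settings).
SUPPORTED_MAJORS = {"10"}


class RestoreError(Exception):
    pass


def create_backup(version, settings):
    """Return the bytes of a backup archive that records its own version."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in (("VERSION", version), ("settings.json", json.dumps(settings))):
            raw = data.encode()
            info = tarfile.TarInfo(name)
            info.size = len(raw)
            tar.addfile(info, io.BytesIO(raw))
    return buf.getvalue()


def restore_backup(blob, installed_apps, include_network=True):
    """Validate a backup and return the settings that would be applied.

    Refuses unsupported versions outright (no best-effort conversion), refuses
    if any app the backup references is not installed, and can leave the box's
    own network settings untouched so a standard configuration can be pushed
    to several boxes.
    """
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        version = tar.extractfile("VERSION").read().decode().strip()
        settings = json.loads(tar.extractfile("settings.json").read())
    major = version.split(".")[0]
    if major not in SUPPORTED_MAJORS:
        raise RestoreError(f"backup version {version} is not supported")
    missing = sorted(set(settings.get("apps", {})) - set(installed_apps))
    if missing:
        raise RestoreError(f"install these apps before restoring: {', '.join(missing)}")
    if not include_network:
        settings = {k: v for k, v in settings.items() if k != "network"}
    return settings
```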

Attack Blocker

Attack Blocker has been moved into the Untangle Platform and can now be configured in Config > System > Shield. "Attack Blocker" is now referred to simply as the "Shield." It is a critical part of any Untangle deployment; having "Attack Blocker" work as an application encouraged users to run without it, which is not a recommended configuration. It can still be disabled, which is useful for troubleshooting, but running without it is not recommended. It also receives a new implementation with a new, updated rule structure.

Spyware Blocker / Ad Blocker

Spyware Blocker has been merged with Ad Blocker, and the remaining obsolete functionality has been removed. Spyware Blocker had many functions. It had two URL lists: one was community maintained and one was maintained by Google. The Google v1 API used by Spyware Blocker has been shut down, so this checkbox no longer performed any action and has been removed. (However, the Google v2 API list is a subset of the "Malware" category in Web Filter.) The community list has been removed, as it is so obsolete that it does more harm than good. The ad/tracking cookie blocking has been improved and a newer list of cookies has been imported. The ActiveX functionality is obsolete and has been removed. The ad blocking functionality has been improved and updated to work with the new ad blocking list formats. An update button has been added, allowing the user to easily fetch new ad and cookie signatures directly from the source (AdBlockPlus/Ghostery).

WAN Balancer

WAN Balancer has a new, simplified implementation. The UI remains mostly unchanged, with the exception of the new, updated rule structure in the Route Rules. This allows for balancing based on things other than source IP. Now you can route traffic to certain WANs based on port (i.e. port 25) or on more advanced criteria such as O/S type, penalty-boxed status, hostname, etc.

OpenVPN

OpenVPN receives a new simplified implementation. OpenVPN no longer operates in a client or server mode. You can configure both remote clients that connect to Untangle and remote servers for Untangle to connect to. The UI has been redesigned and simplified.

The distributed client has been ported to OpenVPN 2.3.2 by Webfool. This should improve Windows 7/8/Vista support for remote Windows clients, as well as fix some other issues in the old v2.2.2 client.

Application Control

The Application Control classification engine has been upgraded to a new version and should detect more applications and do so more effectively.

POP/IMAP Parsing Removed

POP and IMAP scanning functionality has been removed from the platform. Unencrypted POP and IMAP across WAN links is becoming increasingly rare, and the extra delay that real-time spam and virus scanning added to POP/IMAP made for a non-ideal solution. Given these considerations, the POP/IMAP functionality was removed to maintain a smaller code footprint and focus on more important matters.

10.0 Upgrade

Unlike previous Untangle versions, no upgrade from 9.x to 10.0 will be available. 9.4.x will continue to function and receive signature and security updates. This decision is based on a combination of factors.

  1. With the new networking layer, the old networking settings do not map 1:1 to the new networking settings, so a 100% correct conversion is not possible. Even a 99% correct conversion is totally unacceptable.
  2. With the new networking layer, it is simply too dangerous to allow an upgrade. Historically, any tiny change in functionality in the networking layer, no matter how logical and well documented, creates tons of emails, posts, complaints, and support cases. Since 10.0 is a complete rewrite of that layer, its changes are major and the upgrade would simply create chaos.
  3. 10.0 is based on Debian squeeze, unlike 9.x, which is based on Debian lenny. Upgrading from lenny to squeeze is a major operation. Given the plethora of hardware and configurations, a change this big is simply too dangerous.
  4. A vocal set of customers provided feedback that they are frustrated by upgrades and do not want access to new versions.

Given these factors, 10.0 is only available as a new install.

Other Features

Platform

  • Can now change the HTTP port (used for HTTP services like block pages, administration, captive portal, etc.)
  • The UI now lists all timezones (pulled from the underlying O/S).
  • FTP events have been added.
  • Added a Warning in Email configuration if port 465 is configured. (SMTPS is not supported.)

Captive Portal

  • Captive Portal has some new custom examples.
    • Pay-for-internet PayPal example
    • Create-an-account example
    • Limited login-count example
  • Idle timeout now uses the last session date in the global host table, effectively making idle timeout global.