mGuard Device Manager - Innominate Security Technologies AG

mGuard Device Manager (mdm) Release Notes, Version 1.6.1

Innominate Security Technologies AG ("protecting industrial networks")
Rudower Chaussee 13, 12489 Berlin, Germany
Phone +49 30 921028-0, Fax +49 30 921028-020
contact@innominate.com, http://www.innominate.com

Copyright 2006-2014 Innominate Security Technologies AG, December 2014. Innominate and mGuard are registered trademarks of Innominate Security Technologies AG. All other brand names or product names are trade names, service marks, trademarks or registered trademarks of their respective owners. mGuard technology is protected by the German patents 10138865 and 10305413; further national and international patent applications are pending.

No part of this documentation may be reproduced or transmitted in any form by any means without prior written permission of the publisher. All information contained in this documentation is subject to change without previous notice. Innominate offers no warranty for these documents; this also applies, without limitation, to the implicit assurance of scalability and suitability for specific purposes. In addition, Innominate is neither liable for errors in this documentation nor for damage, accidental or otherwise, caused in connection with delivery, output or use of these documents. This documentation may not be photocopied, duplicated or translated into another language, either in part or in whole, without the previous written permission of Innominate Security Technologies AG.

Innominate Document Number RN301612C14 063

Table of Contents

1 Introduction
1.1 System Requirements
2 Version History
2.1 Bug Fixes in mdm 1.6.1
2.2 Major Enhancements since mdm 1.5.x
2.3 Security Fixes
3 Upgrading from mdm 1.5.x or 1.6.0
4 Usage Hints
4.1 Performance of Creating Configuration History Entries
4.2 Caching Behavior of the mdm Server
4.3 Default Values
4.4 Device Credentials / Replacement of Devices
4.5 Effect of Changing Templates
5 Known Issues and Limitations
5.1 mdm Does Not Validate Variable Values as Rigidly as the mGuard
5.2 Support for rs2000 3G Devices
5.3 Concurrent Access to Templates and Pools
5.4 JRE Uses IPv4/IPv6 Dual Network Stack
5.5 JRE Prevents Usage of AES-256 Cipher by Policy
5.6 Change from Firmware 7.4 to 7.5
5.7 Exhausted Pools May Cause Unexpected Errors
5.8 Limitations of Referenced Table Variables
5.9 Changing Meshed VPN Configuration Is Slow
5.10 PKCS#12 Files Must Be Password Protected
5.11 Automatic Configuration of the VPN Peer Device
5.12 rs2000 Devices Cannot Be Used as a VPN Peer Device
5.13 Server Preferences Cannot Be Removed
5.14 Local Time Zone
5.15 Microsoft Windows Installer Does Not Set Up Pull Configuration Feedback
5.16 Microsoft Windows Installer Fails to Discover Used TCP Ports
5.17 Error Message After Uninstalling
6 Known mGuard Issues
6.1 mGuard Rejects Configurations For Older Firmware Versions
6.2 VPN Connections with Pre-Shared Secret Authentication
6.3 VPN Configuration Managed by Netadmin User
6.4 Firmware Upgrade Incorrectly Reported as Erroneous
6.5 mdm Cannot Read Flash ID from mGuard during SSH Upload
6.6 Firmware Upgrade with Automatic Target Version Selection
6.7 SSH Upload Connection Terminated during VPN Reconfiguration

1 Introduction

mGuard Device Manager (mdm) 1.6.1 supports all mGuard devices running firmware versions 5.0.x, 5.1.x, 6.0.x, 6.1.x, 7.0.x, 7.1.x, 7.2.x, 7.3.x, 7.4.x, 7.5.x, 7.6.x, 8.0.x or 8.1.x.

1.1 System Requirements

mdm Client
• Hardware: a minimum of 512 MB RAM, 500 MB free hard disk space, color monitor with at least 1280x1024 resolution
• Operating system: Windows 2000 SP2, XP or later, Windows Server 2003 or later, or Linux
• Software: Java Runtime Environment (JRE) SE 7

mdm Server
• Hardware: a minimum of 4 GB RAM, 100 GB free hard disk space
• Operating system: Windows 2000 SP2, XP or later, Windows Server 2003 or later, or Linux
• Software: Java Runtime Environment (JRE) SE 7; PostgreSQL version 9.0 or later

mdm CA
• Hardware: a minimum of 512 MB RAM, 5 GB free hard disk space
• Operating system: Windows 2000 SP2, XP or later, Windows Server 2003 or later, or Linux
• Software: Java Runtime Environment (JRE) SE 7; PostgreSQL version 9.0 or later

2 Version History

2.1 Bug Fixes in mdm 1.6.1

• A bug has been fixed that could cause invalid mGuard configuration files to be generated. Such configuration files were rejected by the mGuards.
• A bug has been fixed that caused changes in a template from which devices inherit indirectly (i.e. through one or more intermediate templates) not to become effective immediately.

2.2 Major Enhancements since mdm 1.5.x

• mdm now supports firmware versions 8.0.x and 8.1.x.
• Multiple mdm clients using an mdm server instance concurrently are now fully supported.

2.3 Security Fixes

mdm 1.6.0 and later versions include fixes for the following security vulnerabilities:
• CVE-2014-0160 (OpenSSL Heartbleed data leakage vulnerability)
• CVE-2014-0224 (OpenSSL SSL/TLS MITM vulnerability)
• CVE-2014-3513 (OpenSSL SRTP memory leak)
• CVE-2014-3567 (OpenSSL session ticket memory leak)
• CVE-2014-3566 (POODLE vulnerability)

3 Upgrading from mdm 1.5.x or 1.6.0

To upgrade from mdm 1.5.x or 1.6.0 to mdm 1.6.1, it is necessary to make irreversible changes to the backing PostgreSQL database. Once these changes have been made, the database can no longer be accessed with an earlier mdm/IDM version.

Preparation:
o Stop the mdm/IDM server if it is running.
o Dump the content of the mdm/IDM database. The command line tools pg_dump or pg_dumpall (part of the PostgreSQL distribution) or another mechanism can be used for this. See the PostgreSQL documentation for details.
o If the mdm/IDM CA is used, dump the content of the CA database as well.
o It is strongly advised to keep a copy of the database dumps as a backup: because the schema change is irreversible, the dumps are the only way back to the previous version.

Upgrade:
o Install the mdm 1.6.1 server.
o mdm 1.6.1 requires the Java SE 7 Runtime Environment (JRE). Make sure the java command refers to a JRE of this version, or use an appropriate pathname to run a Java SE 7 JRE.
o Invoke the server with the following command (the option dashes were lost in the extracted text and are restored here):
  java -Xmx1024m -jar idm_server.jar --update preferences.xml
  The server will connect to the PostgreSQL database, upgrade it, and terminate. After this step the database is ready to be used by mdm 1.6.1, i.e. the mdm 1.6.1 server can now be started.

4 Usage Hints

4.1 Performance of Creating Configuration History Entries

mdm 1.6.1 creates a configuration history entry for each affected device after every modification to a device, template or VPN group configuration. Such a modification can therefore be slow, especially if it affects a large number of devices. Further improvements to this process will be made in future mdm versions.

4.2 Caching Behavior of the mdm Server

Any RAM available to the mdm server beyond what it requires is used to cache data. It is therefore normal behavior if the memory usage increases to the configured maximum as soon as there is some activity and subsequently remains at that level.

4.3 Default Values

If a setting is not configured in mdm, the factory default setting is assumed. It is therefore strongly recommended to configure the mGuard passwords in mdm (mGuard configuration > Authentication > Administrative Users > Passwords). Otherwise mdm will set them to the factory default passwords on upload, i.e. a device that already had its passwords changed by hand is reset to the well-known defaults.

If SSH configuration uploads from mdm are to be performed via the mGuards' external interfaces, shell access must be configured to allow connections from mdm to the mGuards (mGuard configuration > Management > System Settings > Shell access). No such access is allowed by default. Innominate recommends configuring shell access as restrictively as possible, i.e. limited to the addresses from which mdm connects.

4.4 Device Credentials / Replacement of Devices

The Set Current Device Credentials dialog in the context menu of the device overview table refers to mdm's notion of the device's current passwords and should be used if the passwords have been modified by external means, e.g. through the device's web interface. To change the passwords with mdm, use the Template or Device configuration dialog (mGuard configuration > Authentication > Administrative Users > Passwords) instead.

When a device is physically replaced by a new one with factory default settings, some preparation is necessary before SSH uploads can be performed to the new device. First of all, mdm refuses to upload to a device whose SSH host key has changed, since a changed key can mean that a different host is answering; the stored host key therefore has to be reset. Secondly, mdm's notion of the device's passwords has to be set to the factory defaults. Both steps can be performed in the Set Current Device Credentials dialog in the context menu of the device overview table: check the root, admin and Reset SSH Host Key boxes and type the root and admin passwords into the respective fields. Before resetting the host key, make sure that the device answering on the address is really the replacement, e.g. by comparing the host key fingerprint it presents with one obtained directly from the device, so that the reset does not simply trust whichever host responds next.

4.5 Effect of Changing Templates

Configuration values that override values in a VPN connection inherited from an ancestor template are retained as long as the ancestor template is assigned. If it is deassigned or another parent template is assigned, the overridden configuration values are lost. Likewise, pool values change when another parent template is assigned.

5 Known Issues and Limitations

5.1 mdm Does Not Validate Variable Values as Rigidly as the mGuard

Issue: mdm accepts invalid combinations of variable values that the mGuard rejects.
Solution: When an mGuard rejects a configuration, inspect the error messages generated by the mGuard and replace the invalid values with valid ones.

5.2 Support for rs2000 3G Devices

Issue: mdm does not support rs2000 3G devices as a separate hardware flavor.
Solution: Use hardware flavor rs2000 for such devices. Set the network mode to Router.

5.3 Concurrent Access to Templates and Pools

Issue: If a user creates a template while another user is editing a pool, the template cannot be edited until the pool is closed. Likewise, if a user creates a pool while another user is editing a template, the pool cannot be edited until the template is closed.
Solution: Wait until the concurrently edited pool or template has been closed by the other user.

5.4 JRE Uses IPv4/IPv6 Dual Network Stack

Issue: The Java Runtime Environment uses an IPv4/IPv6 dual network stack by default. This can cause long delays (several minutes) in an IPv4-only environment. A typical phenomenon is that the mdm client appears to hang after connecting to the mdm server.
Solution: Add -Djava.net.preferIPv4Stack=true to the Java command line used to start the mdm server, client and CA server.

5.5 JRE Prevents Usage of AES-256 Cipher by Policy

Issue: The Java Runtime Environment has a default policy that prevents Java programs from using the AES-256 cipher. This affects encrypted configuration profiles and ECS files, which mdm encrypts with AES-128 if it is prevented from using AES-256. Note that the generated files are fully interoperable but only have the limited crypto strength, so a profile that was meant to be AES-256 protected may have been written with AES-128 without the operator noticing.
Solution: Download the unrestricted policy files from http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html and install them according to the instructions provided by Oracle, on every host that generates encrypted profiles or ECS files.

5.6 Change from Firmware 7.4 to 7.5

Issue: The variable Network Mode (with the possible values Stealth, Router, PPPoE, Modem) and the variable Obtain external configuration via DHCP have been replaced with the variable Network Mode (with the possible values Stealth or Router) and the variable Router Mode. Although this change was made in mGuard firmware 7.0.0, mdm implements it for firmware 7.5 or newer. If one of the original variables is defined in a template and the other in an inheriting template or device, the mapping may cause unexpected results, especially if one of the special Local or None values is involved.
Solution: When changing the firmware version from 7.4 to 7.5 in mdm, make sure the variables are both defined or both inherited, or adapt the configuration after changing the firmware version.

5.7 Exhausted Pools May Cause Unexpected Errors

Issue: If a pool is exhausted, this may cause unintelligible error messages. Affected devices may become invalid.
Solution: Extend pools before they are exhausted.

5.8 Limitations of Referenced Table Variables

Issue: If a table with content that is referenced from elsewhere (e.g. firewall rulesets) is switched from Inherited to Custom, the referencing variables (e.g. targets in firewall rules) become invalid.
Solution: Set the referencing variables after switching the referenced table from Inherited to Custom.

5.9 Changing Meshed VPN Configuration Is Slow

Issue: Changing the configuration of a device that is a member of a large VPN mesh (i.e. a VPN group) can take several minutes, during which the mdm server does not respond to further requests from the client. This issue arises when the configuration change affects all devices in the mesh, so that history entries for all of them are generated.
Solution: Wait until the history entries have been written.

5.10 PKCS#12 Files Must Be Password Protected

Issue: Machine certificates in PKCS#12 format can only be imported if the PKCS#12 file is protected by a non-empty password.
Solution: If it is necessary to import a machine certificate stored in an unprotected PKCS#12 file, convert it to PEM format first, as described in the User's Manual.

5.11 Automatic Configuration of the VPN Peer Device

Issue: The automatic addition of VPN connection settings to a specifiable peer device only works if the peer device has the same or a newer firmware version than the originating device. Otherwise the VPN connection is silently omitted from the peer device.
Solution: Ensure that the peer device has the same or a newer firmware version than the originating device. It is recommended not to make use of the peer device feature but to use the VPN tunnel group feature instead.

5.12 rs2000 Devices Cannot Be Used as a VPN Peer Device

Issue: The automatic addition of VPN connection settings to a specifiable peer device does not work if the peer device has hardware flavor rs2000.
Solution: rs2000 devices are not intended as a central gateway in a 1:N VPN topology. Use another device type as the central gateway.

5.13 Server Preferences Cannot Be Removed

Issue: It is not possible to remove server configuration settings by removing them from the server configuration file preferences.xml. The contents of the configuration file are copied to a system-specific location upon startup, so removing an entry has no effect: the setting keeps the value it had before.
Solution: To override existing settings, specify new values in the configuration file.

5.14 Local Time Zone

Issue: The Java Runtime Environment fails to recognize the local time zone under some circumstances.
Solution: If the timestamps in the logging panel do not match your system clock, set the environment variable TZ to the correct time zone description (e.g. Europe/Berlin for Central European Time) and restart the mdm server and client.

5.15 Microsoft Windows Installer Does Not Set Up Pull Configuration Feedback

Issue: If mdm is installed with the Microsoft Windows installer and the Windows system is also used as a pull configuration server, there is no feedback to the mdm server when mGuard devices apply configurations pulled from the server.
Solution: This functionality will be provided with a future version of the mdm installer.

5.16 Microsoft Windows Installer Fails to Discover Used TCP Ports

Issue: If mdm is installed with the Microsoft Windows installer and TCP port 443 (https) or 5432 (PostgreSQL service) is already used by a service, the installation fails instead of aborting before it has started.
Solution: Remove the service using TCP port 443 or 5432 and restart the mdm installer.

5.17 Error Message After Uninstalling

Issue: If mdm has been installed with the Microsoft Windows installer, an error message pertaining to IDMSvc.exe may be displayed after uninstalling and rebooting the system.
Solution: No user action is required; mdm has been uninstalled successfully. The message is displayed once by the Microsoft Windows operating system and can be ignored.

6 Known mGuard Issues

6.1 mGuard Rejects Configurations For Older Firmware Versions

Applicable to: firmware versions 8.1.0 to 8.1.2
Issue: If a device's firmware version is set to 7.0, 7.1, 7.2, 7.3 or 7.4 in mdm, a push upload to a device with an actual firmware version of 8.1.0 to 8.1.2 fails.
Solution: Set the device's firmware version to 7.5 or newer in mdm.

6.2 VPN Connections with Pre-Shared Secret Authentication

Applicable to: firmware versions 7.0.0 or later
Issue: If pre-shared secret authentication is used in a VPN connection, the local certificate must be set to "No certificate" explicitly.
Solution: Configure the VPN connection accordingly.

6.3 VPN Configuration Managed by Netadmin User

Applicable to: firmware versions 5.0.x and 5.1.x
Issue: If configuration variables within the Tunnel and Transport Settings of a VPN connection are managed by the Netadmin user on the device (i.e. set to Local in mdm), the values set by the Netadmin user are reset to the default values on every configuration upload or pull.
Solution: Upgrade to firmware 6.0.0 or later.

6.4 Firmware Upgrade Incorrectly Reported as Erroneous

Applicable to: firmware versions 5.0.x and 5.1.x
Issue: If a firmware upgrade to version 6.0.x is triggered by a configuration pull, the device incorrectly reports a firmware upgrade failure to mdm even if the upgrade succeeded. mdm will indicate an upgrade failure in the device overview table.
Solution: Wait until mdm receives the next configuration pull feedback from the device. This feedback contains the correct status and therefore causes mdm to no longer indicate an upgrade failure.

6.5 mdm Cannot Read Flash ID from mGuard during SSH Upload

Applicable to: firmware version 5.0.0
Issue: If an SSH configuration upload is performed to a device with firmware version 5.0.0, mdm cannot read back the Flash ID. This prevents licenses from being associated with the device.
Solution: Enter the Flash ID manually in the device configuration dialog, or upgrade to firmware 5.0.1 or later.

6.6 Firmware Upgrade with Automatic Target Version Selection

Applicable to: firmware versions 5.0.x and 5.1.x
Issue: Firmware upgrades from version 5.1.x or earlier with automatic selection of the target version (i.e. upgrades to the latest patches, the latest minor release or the next major version) are only triggered by a configuration pull if mdm knows the firmware version on the device when exporting the configuration profile. If mdm lacks this information, any scheduled firmware upgrade request remains pending until the version on the device is known. Upgrades triggered by an SSH configuration upload are not affected.
Solution: Enter the firmware version on the device manually in the device configuration dialog.

6.7 SSH Upload Connection Terminated during VPN Reconfiguration

Applicable to: firmware versions 5.0.x and 5.1.x
Issue: If an SSH configuration upload changes the settings of a large number of VPN connections, mdm declares the SSH connection dead before the upload is complete.
Solution: Increase the SSH timeout values in the server configuration file preferences.xml when working with a lot of VPN connections.
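Section 4.3 warns that any setting left unconfigured in mdm is uploaded as the factory default, and section 2.1 notes that values inherit through several levels of templates. The following Python example is added here to show how an effective value resolves along a device > template > ancestor-template chain and to produce the check a practitioner wants before an upload: the list of devices whose root or admin password would be pushed as a factory default. It is not mdm's code or data model; the Inherited and Local states follow the terms used in these notes, while the variable paths, template and device names and the placeholder password values are constructed for the illustration.

```python
"""Effective-value resolution through template inheritance and a factory-default
password check.  Added illustration, not mdm's code or data model."""

INHERITED = "<inherited>"   # take the value from the parent template (mdm's Inherited state)
LOCAL = "<local>"           # managed on the device itself; mdm leaves it alone

# Constructed variable paths, modelled on the dialog path named in section 4.3.
PASSWORD_VARS = (
    "Authentication/Administrative Users/Passwords/root",
    "Authentication/Administrative Users/Passwords/admin",
)


class Node:
    """A device or template.  `parent` is the assigned template (None for a root template)."""

    def __init__(self, name, parent=None, **values):
        self.name = name
        self.parent = parent
        self.values = dict(values)   # variable path -> value, INHERITED or LOCAL


def effective(node, var):
    """Walk device -> template -> ancestor templates and return (value, source name).

    A variable that is Inherited all the way up resolves to (None, "factory default"):
    that is what mdm uploads, which is why an unconfigured password is dangerous."""
    n = node
    while n is not None:
        v = n.values.get(var, INHERITED)
        if v != INHERITED:
            return v, n.name
        n = n.parent
    return None, "factory default"


def password_report(devices):
    """Map device name -> password variables that would be uploaded as factory defaults.

    LOCAL is not reported: mdm does not touch a Local value on upload."""
    report = {}
    for dev in devices:
        missing = [var.rsplit("/", 1)[1] for var in PASSWORD_VARS
                   if effective(dev, var)[0] is None]
        if missing:
            report[dev.name] = missing
    return report


def scenario():
    """Constructed fleet: a site template inherits indirectly via a regional template."""
    root_pw, admin_pw = PASSWORD_VARS
    corporate = Node("corporate", **{root_pw: "secret-ref:root"})    # admin not set here
    region = Node("region-north", corporate)                          # everything inherited
    site = Node("site-hall3", region, **{admin_pw: "secret-ref:admin"})
    dev_ok = Node("mguard-01", site)                                  # both resolved via chain
    dev_local = Node("mguard-02", site, **{admin_pw: LOCAL})          # admin kept on the device
    dev_orphan = Node("mguard-03", region)                            # admin never configured
    return password_report([dev_ok, dev_local, dev_orphan])


if __name__ == "__main__":
    print(scenario())   # only mguard-03 would get the factory admin password
```

Run the report against the whole fleet before a bulk upload; a device that is listed either needs the password set in its template chain or the variable switched to Local if the password is deliberately managed on the device.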
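The refusal in section 4.4 to upload over SSH once a device's host key has changed is host-key pinning: the key seen at first contact is remembered and every later connection is checked against it, so a replaced or impersonating device is noticed instead of receiving the configuration and the passwords. The following Python example is added here to show that logic together with the reset step after a hardware replacement; it is not mdm's code, and its store layout, device names and key bytes are constructed for the illustration. The fingerprint it computes (SHA256 over the raw public key blob, base64 without padding) is the format ssh-keygen -lf prints, so a fingerprint read from the replacement device can be pinned directly instead of trusting whichever host answers first.

```python
"""Host-key pinning of the kind mdm applies before an SSH upload.
Added illustration, not mdm's code; store format and keys are constructed."""
import base64
import hashlib
import struct


class HostKeyChanged(Exception):
    """The device presented a key other than the pinned one: the upload must be refused."""

    def __init__(self, device, pinned, presented):
        super().__init__(f"{device}: pinned {pinned}, presented {presented}")
        self.device, self.pinned, self.presented = device, pinned, presented


def ssh_fingerprint(key_b64):
    """SHA256 fingerprint of a base64 public key blob, formatted as OpenSSH prints it."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def make_ed25519_blob(public_bytes):
    """Encode 32 bytes as an ssh-ed25519 public key blob (RFC 4253 string encoding).

    Used only to construct sample keys for this example; the bytes are not a real key."""
    if len(public_bytes) != 32:
        raise ValueError("ed25519 public keys are 32 bytes")
    algo = b"ssh-ed25519"
    blob = struct.pack(">I", len(algo)) + algo + struct.pack(">I", 32) + public_bytes
    return base64.b64encode(blob).decode()


class HostKeyStore:
    """Pinned fingerprint per device, in the spirit of a known_hosts file (constructed format)."""

    def __init__(self):
        self._pinned = {}

    def pinned(self, device):
        return self._pinned.get(device)

    def check_before_upload(self, device, presented_key_b64):
        """Return "pinned" on first contact, "ok" if the key matches, else raise HostKeyChanged."""
        fp = ssh_fingerprint(presented_key_b64)
        known = self._pinned.get(device)
        if known is None:               # trust on first use: remember the key we saw
            self._pinned[device] = fp
            return "pinned"
        if known != fp:
            raise HostKeyChanged(device, known, fp)
        return "ok"

    def reset_host_key(self, device, verified_fingerprint=None):
        """The 'Reset SSH Host Key' step after a hardware replacement.

        With a fingerprint obtained from the new device itself, the new key is pinned
        directly; without one, the next host that answers is trusted blindly."""
        if verified_fingerprint is None:
            self._pinned.pop(device, None)
        else:
            self._pinned[device] = verified_fingerprint


def replacement_scenario():
    """First contact, a normal upload, a hardware replacement and the reset; returns the outcomes."""
    store = HostKeyStore()
    old_key = make_ed25519_blob(bytes(range(32)))        # constructed key of the original device
    new_key = make_ed25519_blob(bytes(range(32, 64)))    # constructed key of the replacement
    outcomes = [store.check_before_upload("mguard-01", old_key),   # "pinned"
                store.check_before_upload("mguard-01", old_key)]   # "ok"
    try:                                                 # the device was replaced: key differs
        store.check_before_upload("mguard-01", new_key)
        outcomes.append("uploaded")
    except HostKeyChanged:
        outcomes.append("refused")
    # The technician obtains the fingerprint from the new device and resets the pin to it.
    store.reset_host_key("mguard-01", ssh_fingerprint(new_key))
    outcomes.append(store.check_before_upload("mguard-01", new_key))  # "ok"
    return outcomes


if __name__ == "__main__":
    print(replacement_scenario())
```

The refusal is the whole point of the check: if the store were simply reset on every mismatch, a host that had taken over the device's address would be handed the configuration, including the administrative passwords set under section 4.3.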
