CloudPassage Halo - January 2012
The January 2012 release of Halo includes several significant feature advances, including the new Halo NetSec membership package, the new File Integrity Monitoring security module, and a completely redesigned set of Core and Extended configuration policies for the most popular Linux platforms. This release also introduces new discounted billing plans and a free trial evaluation for Halo Professional.
Halo NetSec is a new paid Halo package designed to address the most top-of-mind security issues that cloud adopters face when moving out of a private datacenter: the lack of network-based security capabilities such as perimeter firewalls and secure login servers. NetSec offers all the cloud-ready Firewall capabilities and other security features of Halo Basic, and removes the limit on the number of servers protected.
Additionally, NetSec enables GhostPorts one- or two-factor authentication, access to our integration APIs for security automation, and full professional technical support. Halo NetSec pricing starts at 3.5¢ per server-hour and will offer the same volume and monthly commitment discount rates as Halo Professional.
For a detailed feature matrix of our three Halo offerings, see plans and pricing.
File Integrity Monitoring [Beta]
File Integrity Monitoring is a new security module available in Halo Professional. This feature protects the integrity of your cloud servers' systems by constantly monitoring for unauthorized or malicious changes to important system binaries and configuration files.
File Integrity Monitoring first saves a baseline record of the "clean" state of your cloud server systems. It then periodically re-scans each server instance and compares the results to that baseline. Any differences detected are logged and reported to the appropriate administrators.
File Integrity Monitoring is in public Beta through March 2012, after which time it will become a feature of Halo Professional. During the Beta period, support for FIM can be found in our Community Beta forum or through CloudPassage support for Professional customers.
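The baseline-then-rescan cycle described above, as an added illustration that is not CloudPassage code: it records a SHA-256 of each watched file (plus mode and ownership, which the page notes the Beta scans do not yet check) and reports every difference on rescan. The file names in the constructed scenario are placeholders, not real system files.

```python
import hashlib
import os
import tempfile

def fingerprint(path):
    """SHA-256 of the content plus mode/uid/gid (metadata the Beta scans do not yet check)."""
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    st = os.lstat(path)
    return (digest, st.st_mode & 0o7777, st.st_uid, st.st_gid)

def take_baseline(paths):
    """Record the 'clean' state of every watched path that is a regular file."""
    return {p: fingerprint(p) for p in paths
            if os.path.isfile(p) and not os.path.islink(p)}

def rescan(baseline, paths):
    """Re-fingerprint the watched paths and report every difference from the baseline."""
    current = take_baseline(paths)
    findings = {}
    for p, old in baseline.items():
        new = current.get(p)
        if new is None:
            findings[p] = "missing"
        elif new[0] != old[0]:
            findings[p] = "content changed"
        elif new[1:] != old[1:]:
            findings[p] = "permissions/ownership changed"
    for p in current:
        if p not in baseline:
            findings[p] = "new file"
    return findings

def demo():
    """Constructed scenario: baseline three files in a temp dir, tamper, rescan."""
    d = tempfile.mkdtemp()
    cfg, pwd, binary, extra = [os.path.join(d, n) for n in
                               ("sshd_config", "passwd", "ls", "extra")]
    for p in (cfg, pwd, binary):
        with open(p, "w") as f:
            f.write("clean " + os.path.basename(p))
        os.chmod(p, 0o644)
    base = take_baseline([cfg, pwd, binary, extra])   # 'extra' does not exist yet
    with open(cfg, "a") as f:                          # edit a config file
        f.write("\n# unauthorized edit")
    os.chmod(binary, 0o600)                            # permission-only change
    os.remove(pwd)                                     # delete a file
    with open(extra, "w") as f:                        # drop an unexpected file
        f.write("unexpected")
    return rescan(base, [cfg, pwd, binary, extra])
```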
New Core Policies for Operating Systems
To help customers enforce a secure posture for their cloud servers, we are introducing a new set of security configuration policy templates for CentOS, RedHat Enterprise, Fedora, and Ubuntu Linux distributions.
These new templates include both Core and Extended policies. The Core policies focus on critical system checks that are important fundamental practices for any configuration. They address the most basic set of security configurations recommended for any system, and they may fit your cloud implementation without customization. They perform fewer checks than the Extended policies do, and any failures they detect should be considered serious.
The Extended policies check only for more advanced security settings, so you should use them in conjunction with the Core policies. Their complex rules are more likely to need customization to fit your specific implementation without producing false positives (erroneous reporting of issues).
These policy templates also include detailed remediation instructions, usually with specific commands needed to fix any reported issues. As with the checks themselves, it may be necessary for you to adjust these commands to fit your specific system configuration.
You can find these new policies in the list of configuration-policy templates in Halo Portal, with these names:
- CentOS, RHEL, Fedora Linux Core Policy v 2.0 (supports CentOS 5.5, 5.6, 5.7, 6.0; RHEL 5.5, 5.7, 6.0, 6.1, 6.2; Fedora 15, 16)
- CentOS, RHEL, Fedora Linux Extended Policy v 2.0 (supports CentOS 5.5, 5.6, 5.7, 6.0; RHEL 5.5, 5.7, 6.0, 6.1, 6.2; Fedora 15, 16)
- Ubuntu Linux Core Policy v2.0 (supports Ubuntu 10.x, 11.x)
- Ubuntu Linux Extended Policy v2.0 (supports Ubuntu 10.x, 11.x)
Free Self-Service Evaluation of Halo Professional
If you are a Basic customer and wish to try the features available in Halo Professional – including Halo API access, professional support, and hourly scanning frequency – you now have the ability to request a complimentary 30-day evaluation.
During this evaluation period, all Halo Professional (and NetSec) features will be enabled for you, letting you determine which features best meet your needs. At the end of 30 days you can choose to subscribe to one of our flexible pricing plans, or you can revert to the Halo Basic service.
You can start your 30-day evaluation of Halo Professional yourself. In Halo Portal, go to Settings > Manage Subscription > Request a 30-day Halo Professional evaluation.
New Utility Pricing and Monthly Discounts
With this release, CloudPassage introduces a new utility pricing structure for Halo Professional, as well as new monthly discount plans for both Halo Professional and Halo NetSec.
As always, all Halo packages are priced on a server-hour basis. At the end of each monthly billing period, the server-hours used are calculated and your customer account is charged. You pay only for actual hours used per billing period.
Your hourly rate for each billing period will be based on the highest usage threshold crossed during that billing period, giving you the greatest price discount for the period.
You can gain additional discounts by committing to non-refundable payment for a minimum number of server-hours per billing cycle. These prepayment discounts accrue in addition to the volume discounts. You are invoiced each billing period for the minimum monthly fee plus usage fees for any server-hours in excess of the prepaid amount.
For more details, please see plans and pricing.
GhostPorts Available With NetSec and Pro Packages
As of January 31, 2012, the GhostPorts feature is available to Halo users with either the NetSec or the Professional package. If you have the Basic package and wish to use GhostPorts, CloudPassage urges you to upgrade to either NetSec or Professional.
The following issues are among those addressed and resolved for this release.
- Language in the Terms of Service document in the Halo Portal has been updated regarding limitations on the number of servers that can be secured by subscribers to the Halo Basic plan.
- In earlier versions of Halo, the Add New Special Event Policy page and Edit Special Event Policy page included two event types (incorrectly) labeled Server Account Created and Server Account Deleted. The fields are now properly labeled Local Account Created and Local Account Deleted.
- In earlier versions of Halo, the settings pages for the Configuration Scanner, Software Scanner, and File Access Scanner included fields for setting the start time of a scan. Because the start of a scan on each server is actually calculated from the startup time of the Halo Daemon on that server, those fields were unnecessary and have been removed for this release.
- In this release, Halo uses an updated definition of "missing" for a Halo Daemon. Previously, a Daemon was defined as missing if it failed to contact the Halo Grid for three heartbeat periods (approximately 3 minutes). To avoid falsely alerting users to a missing daemon when transient network connectivity issues occur, the threshold has been increased to 10 heartbeats.
The following issues remain unresolved as of the release date. Any known workarounds are described.
- In this release, monitoring scans cannot detect block/character devices or FIFO files, and cannot detect changes to the file permissions or file attributes of any files.
- False-positive file integrity security events can occur on Linux systems in which the prelink utility regularly resolves links to dynamic libraries in executable files and stores the results in the executable files, thereby modifying them. This action can create differences between the servers of a scan group and the baseline (golden master) server, thereby causing the false positives.
  Workarounds. Take either of the following steps:
  - Manually run prelink on the baseline server before running the baseline scan. That should eliminate most or all false security events related to
  - Turn off pre-linking on all of your servers.