CloudPassage Halo - April 2012
The April 2012 release of CloudPassage Halo introduces Windows Server support for the Halo Daemon as a Beta feature.
Now you can automatically manage Windows host firewalls, protect RDP and other sensitive services with GhostPorts multi-factor authentication, and monitor your Windows cloud servers using Halo's server and cloud security event alerting.
Windows support is available in all Halo packages, including Basic, NetSec, and Professional.
Windows Server Support (Beta)
The April 2012 release marks the expansion of CloudPassage Halo into Windows Server clouds. Halo can now protect your Windows 2008 R2 cloud servers with dynamic server firewalls, with security-event notifications, and with multi-factor authentication for administrator access to your servers.
Installing the Halo Daemon on your servers is fast and simple, using either the CloudPassage installation wizard for Windows or the command-line version for unattended installation. And whether your cloud deployment is pure Windows or a combination of Windows and Linux, Halo can help protect them all.
Windows support is integrated throughout the Halo Portal interface. On every page your servers are identified as either Windows or Linux, and Windows-specific fields and forms are provided as alternatives to Linux wherever appropriate.
To help you get started quickly, CloudPassage has prepared Getting Started With Halo for Windows (now at https://cloudpassage2.zendesk.com/entries/21622197-CloudPassage-Halo-QuickStart), a short document that will help get you up and running and protecting your Windows servers in next to no time.
Note: Although Halo Windows support is currently in Beta, the features are available to all Portal users. You don't have to enable Beta features in Halo in order to see or use its Windows capabilities.
Windows Firewall Support
Now you can use CloudPassage Halo to easily create a Windows firewall policy for any of your server groups that include Windows servers. Server Groups can contain both Windows and Linux servers, and Halo will automatically apply the appropriate policy to each type of server.
Once your Windows firewall policy is active, any server that comes online through cloning or re-activation of a Windows server in the firewall's server group automatically receives the latest appropriate firewall policy from Halo.
You can use the Halo web interface (or its REST API) to conveniently create inbound and outbound firewall rules. You can create as many rules as you need, you can specify default behaviors and logging preferences, and you can export the finished policy in text format.
If you make changes to the firewall policy, the updated policy is automatically sent to all of your servers that use it.
Windows Support for Special Security Events
The Halo special-events alerting system notifies you of unusual occurrences in your cloud installation that may have security implications. For example, if a server unexpectedly restarts, if its IP address changes, or if a firewall configuration changes, it could be a signal that something malicious has happened and you may want to be alerted in real time.
Starting with the April 2012 release, this feature is available to Halo subscribers with Windows cloud servers.
To implement this capability, you create a special events policy, in which you define which events to track, which are to be considered critical, and which ones are highest priority and should generate a real-time email alert to an administrator.
After creating the policy, you assign it to the server group or groups you want to monitor, and it goes into effect immediately.
Windows Support for GhostPorts
Support for the GhostPorts feature of Halo is fully available to Windows server administrators. Halo users with a NetSec or Professional subscription can use GhostPorts to set up strong protection of administrative network access—including multi-factor authentication—to Windows servers. It is the most secure way to control access to administrative services on cloud servers, and it has the flexibility to allow authorized, secure access from anywhere.
With GhostPorts, your administrators can lock down all administrative ports, then dynamically open only specific ports (such as 3389 for RDP) for a specific authenticated user from a given IP address, for a defined period of time. The ports then automatically close when the time period expires.
For more information, see the GhostPorts User Guide.
Halo API Support for Windows
The CloudPassage Halo API allows you to automate server-security tasks and integrate them into your own software. For any Halo feature that is supported on Windows servers, you can use the same Halo API methods to secure your Windows servers and your Linux servers.
For example, the firewall modules of the API allow you to programmatically list, inspect, create and delete firewall policies and individual rules, regardless of whether they are Windows or Linux policies.
Improved "Getting Started" Assistant
The "Getting Started With Halo" assistant, a popup dialog box for new users that floats over the Halo Portal pages, has been improved and expanded in scope for this release. It now gives step-by-step, illustrated assistance for twelve different tasks in four security categories. Like the original assistant, it can be dismissed at any time, retired when no longer needed, and recalled when desired.
- Halo Professional Evaluation users are now able to submit support requests from the Halo Portal. Previously, the New Support Request link on the Help & Support Resources page was not visible to Evaluation users.
- Many improvements to the Halo Portal interface and task flow were made for this release. Among them:
- Ordering of the component icons (Firewall, Events, Access, and so on) on the Dashboard is improved.
- Sorting of firewall status and policy name on the Dashboard is improved.
- Users logging into the Portal for the first time are no longer required to select a default configuration policy before installing Halo Daemons.
- On subsequent logins, users who have not yet installed a Daemon are taken directly to the Daemon installation pages.
- The term "daemon tag" has been replaced by the more accurate term "server tag".
- All Dashboard notification messages have been moved to a consistent location at the top of the page.
The following issues remain unresolved as of the release date. Any known workarounds are described.
- As of this release, Halo for Windows runs only on Windows Server 2008 R2. Specifically, it is not supported on Windows Server 2008 R1 or Windows Server 2003.
- In this release, file integrity monitoring scans cannot detect block/character devices or fifo files, and cannot detect changes to file permissions or file attributes of any files.
- False-positive file integrity security events can occur in Linux systems in which the prelink utility regularly resolves links to dynamic libraries in executable files and stores the results in the executable files, thereby modifying them. This action can create differences between the servers of a scan group and the baseline (golden master) server, thereby causing the false positives.
Workarounds. Take either of the following steps:
- Manually run prelink on the baseline server before running the baseline scan. That should eliminate most or all false security events related to
- Turn off pre-linking on all of your servers.
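One way to check for and apply the second workaround, as an added example that is not part of the Halo documentation or tooling. The config and cron paths are assumptions based on common RHEL-family and Debian-family layouts, the function names are hypothetical, and the sample tree is constructed:

```bash
#!/bin/sh
# Added example: check whether prelink can still rewrite executables on a
# Linux server, and apply the "turn off pre-linking" workaround.
# Assumed paths: etc/sysconfig/prelink (RHEL family), etc/default/prelink
# (Debian family), etc/cron.daily/prelink. Pass a root directory to audit a
# mounted image or test tree instead of the live filesystem.

# Print the PRELINKING value from the first config file found, or "absent".
prelink_setting() {
    local root="${1:-/}" f v
    for f in "$root/etc/sysconfig/prelink" "$root/etc/default/prelink"; do
        [ -f "$f" ] || continue
        # Last uncommented assignment wins, as it would when sourced.
        v=$(grep -E '^[[:space:]]*PRELINKING=' "$f" | tail -n 1 |
            cut -d= -f2 | tr -d "\"' " | tr 'A-Z' 'a-z')
        echo "${v:-unset}"
        return 0
    done
    echo "absent"
}

# Return 0 when file integrity baselines are at risk: prelinking is set to
# "yes" and the daily cron job is installed (a simplified heuristic).
fim_prelink_risk() {
    local root="${1:-/}"
    [ -e "$root/etc/cron.daily/prelink" ] || return 1
    [ "$(prelink_setting "$root")" = "yes" ]
}

# Set PRELINKING=no in every config file present, keeping a .bak copy.
# Binaries that are already prelinked still need `prelink -ua` (undo all).
disable_prelink() {
    local root="${1:-/}" f
    for f in "$root/etc/sysconfig/prelink" "$root/etc/default/prelink"; do
        [ -f "$f" ] || continue
        sed -i.bak 's/^[[:space:]]*PRELINKING=.*/PRELINKING=no/' "$f"
    done
}

# Constructed sample tree (not a real server) to exercise the functions.
demo=$(mktemp -d)
mkdir -p "$demo/etc/sysconfig" "$demo/etc/cron.daily"
printf '# constructed sample\nPRELINKING=yes\n' > "$demo/etc/sysconfig/prelink"
: > "$demo/etc/cron.daily/prelink"
fim_prelink_risk "$demo" && echo "prelink active: disable it or re-baseline"
disable_prelink "$demo"
fim_prelink_risk "$demo" || echo "prelink disabled in config"
rm -rf "$demo"
```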
Late February 2012 Halo Release: New Features
Getting Started popup implemented for new users
To help new users get started securing their servers, the Portal now by default displays the Getting Started with Halo popup dialog (implemented as a modal light box over the Dashboard page) to all users at login. The popup explains in detail how to perform several basic tasks, including creating a server group and implementing a firewall policy.
The popup can be dismissed at any time, retired when no longer needed, and recalled from retirement if desired.
New API call to create and populate SSH authorized_keys file for a server account
The Server Account object in the Halo API includes the field ssh_authorized_keys, which can hold an array of SSH keys belonging to the account. When creating or modifying a server account, you can update its set of keys by providing the key array in the request body of the POST or PUT call.
Display preferences on list pages are now persistent
Paginated lists in the Portal (such as Configuration Policy list, Firewall Policy list, and so on) include a control that allows the user to specify how many items (10 to 100) to display on each page. With this release, the user's choice is now persistent across visits to those list pages.
Early February 2012 Halo Release: New Features
Date/time presentation changed for "Scan Finished" messages
The Server Scan Details page for a system configuration scan, software vulnerability scan, or server access scan is accessed through the Details links at Servers > Scan History. That page includes a "Scan Finished" line that specifies the date and time at which the scan completed.
In this release, the date/time display has been enhanced to include a user-friendly text explanation of approximately how long ago the scan completed.
Root privilege indicator added to Server Access Details page
The Server Access Details page (at Servers > Server Access > ServerName) now includes a column that designates which user accounts on the server have root privileges.
The value in the column is Yes if the account has root privileges, and blank if it does not.
User search box added to Site Administration page
A search box has been added to the table of users under the Users tab on the Site Administration page.
You can use it to search for a user by first name, last name, username, or email address. The string you enter is checked against the values in all of those fields, and any matches found are returned.
Changes to "delete firewall rule" behavior
Prior to this release, deleting a firewall policy rule in the Halo Portal required not only clicking the Delete Rule ("X") button beside the rule and answering a confirmation dialog, but also clicking Apply before leaving the Edit Firewall Policy page. Many users did not realize that the extra step of clicking Apply would be necessary.
This release clarifies for the user what is needed when deleting a rule. After the user deletes a rule (and verifies it in the confirmation dialog), the rule is replaced on the editing page with the phrase *Click "Apply" to save your changes.
The user is thus reminded to click Apply before leaving the Edit Firewall Policy page.
Deleting checks within a configuration policy rule
Previously, it was not possible to delete an individual check within a rule in a configuration policy. To delete a check, the Halo user needed to delete the entire rule.
The capability to delete individual checks has been added to this release.