CloudPassage Halo - 04 June 2012
The 04 June 2012 release of CloudPassage® Halo® is a major release that introduces an important new GhostPorts capability providing extra convenience for GhostPorts users. The release also includes several user-experience enhancements to the Halo Portal.
New Features in this Release
GhostPorts Authentication With SMS One-Time Passwords
The convenience and security of the popular GhostPorts multi-factor authentication feature for CloudPassage Halo is greatly expanded in this release, with the addition of SMS-based authentication.
SMS authentication offers a convenient option for users with an SMS-enabled device. This type of authentication uses a one-time password generated dynamically by Halo and transmitted to the GhostPorts user's mobile phone through SMS text messaging.
Both the SMS and YubiKey options now require multifactor authentication—the GhostPorts user must always log into the Halo Portal with a password before authenticating to GhostPorts. The SMS and YubiKey authentication methods are both easy, fast, and secure; you can choose which method an individual GhostPorts user should have based on personal preferences or workplace policies.
In this release, the SMS authentication feature of GhostPorts is supported for U.S., Canadian, and United Kingdom phone numbers.
"All GhostPorts Users" selection in a firewall rule
When constructing a firewall rule to allow access to GhostPorts users, it was previously necessary to create a separate rule for each individual GhostPorts user. It is now possible to include all GhostPorts users in a single rule, by selecting All GhostPorts Users as the rule's Source attribute.
Manually Closing GhostPorts
For increased security, a GhostPorts user can now manually close GhostPorts when finished accessing a server, rather than waiting for the ports to close automatically after 4 hours.
For details and instructions on using GhostPorts, including its new SMS authentication feature, see the GhostPorts User Guide.
Editable IP Zones
With this release, it is now possible to edit the contents of individual IP Zones (used as Source attributes for firewall rules). This feature is especially useful for Halo users who previously had to create new IP Zones to replace old ones each time their IP addresses changed.
Note: For descriptions of other minor enhancements introduced in this release, see Resolved Issues.
New Features in Previous Minor Releases
10 May 2012
The 10 May 2012 release of CloudPassage® Halo® includes changes to the hidden DNS firewall rules, support for multiple IP addresses per server in firewall rules, improved handling of Windows firewall rules and of duplicate IP zone and network interface names, and support for custom ICMP firewall rules.
Changes to hidden DNS firewall rules
Whenever you create a firewall policy in the Halo Portal, Halo adds a set of basic firewall rules that are required for the Daemon to operate. These rules are "hidden"—they do not appear in the Portal and you cannot edit them, although you can view them if you export the firewall policy.
Enhancements have been made to DNS-related hidden firewall rules to improve security for servers that communicate with name servers and for DNS clients and servers themselves.
Support added for multiple IP addresses per server
When you include a server group as a source in a firewall rule, Halo's previous behavior was to include, for each server, only the IP address that its Daemon uses when communicating with the Halo Grid. With this release, the addresses of all interfaces on the server are included.
Improved functionality for Windows firewall rules
Previously, it was possible to create an IP zone with a host address value of 0.0.0.0/0, which would cause installation of a Windows firewall policy containing that IP zone to fail. With this release, Halo renders existing IP zone addresses of that value as "ANY" when they are applied to a Windows firewall policy, and it prevents the user from creating a new IP zone that includes that address.
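As an added illustration of the check described above (this is not CloudPassage's own code; the function names, the IPv4-only restriction and the netsh rendering are assumptions), the following Python rejects a catch-all zone at creation time and renders a legacy zone that still contains 0.0.0.0/0 as the keyword ANY when building a Windows inbound rule:

```python
"""Validating IP zone addresses for a Windows firewall policy.

Added example, not CloudPassage code. Assumptions: zones are lists of IPv4
host or CIDR strings; a zone containing 0.0.0.0/0 is rendered as the keyword
ANY rather than as an address, mirroring the behaviour in the release note.
"""
import ipaddress

CATCH_ALL = ipaddress.ip_network("0.0.0.0/0")


class IPZoneError(ValueError):
    """A zone that must not be created or applied."""


def parse_zone(addresses):
    """Parse host ("10.1.2.3") and CIDR ("10.0.0.0/8") strings into IPv4 networks."""
    nets = []
    for addr in addresses:
        try:
            net = ipaddress.ip_network(addr, strict=False)
        except ValueError as exc:
            raise IPZoneError(f"invalid zone address {addr!r}: {exc}") from exc
        if net.version != 4:
            raise IPZoneError(f"only IPv4 zone addresses are handled here: {addr!r}")
        nets.append(net)
    return nets


def is_catch_all(nets):
    """True if any entry is 0.0.0.0/0 (which would swallow every other entry)."""
    return any(net == CATCH_ALL for net in nets)


def create_zone(name, addresses):
    """Creation-time check: a new zone may not contain 0.0.0.0/0 at all."""
    nets = parse_zone(addresses)
    if is_catch_all(nets):
        raise IPZoneError(f"zone {name!r}: 0.0.0.0/0 is not allowed; use ANY in the rule instead")
    return {"name": name, "networks": nets}


def render_remoteip(nets):
    """Render a zone as the value of a netsh 'remoteip=' parameter.

    A pre-existing zone that still contains 0.0.0.0/0 becomes ANY; otherwise
    hosts are written bare and subnets in CIDR form, comma-separated.
    """
    if is_catch_all(nets):
        return "ANY"
    parts = []
    for net in nets:
        parts.append(str(net.network_address) if net.prefixlen == 32 else str(net))
    return ",".join(parts)


def netsh_inbound_rule(rule_name, nets, protocol, local_port):
    """Build the netsh advfirewall command for an inbound allow rule from a zone."""
    return (
        f'netsh advfirewall firewall add rule name="{rule_name}" dir=in action=allow '
        f"protocol={protocol} localport={local_port} remoteip={render_remoteip(nets)}"
    )


if __name__ == "__main__":
    # Constructed sample: a legacy zone that was created before the check existed.
    legacy = parse_zone(["10.0.0.0/8", "0.0.0.0/0"])
    print(netsh_inbound_rule("Halo SSH", legacy, "TCP", 22))
    try:
        create_zone("everywhere", ["0.0.0.0/0"])
    except IPZoneError as err:
        print("rejected:", err)
```

The separation between `create_zone` (hard refusal) and `render_remoteip` (silent rewrite to ANY) matters: a rule whose source quietly became "any address" is a wide-open rule, so the rewrite path is best reserved for zones that already exist and logged when it fires.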
Handling duplicate names for IP zones and network interfaces
Previously, it was possible to create an IP zone or network interface with a given name, and then, while creating a firewall rule, create another IP zone or interface with the same name. To enforce uniqueness of names, Halo no longer permits a newly created zone or interface to have the same name as an existing one.
Improved support for custom ICMP firewall rules
Halo now supports custom ICMP services for the ping (icmp/8), timestamp (icmp/13), and address_mask (icmp/17) types, and where necessary creates the corresponding outbound rules for the replies. Also supported is icmp/all, which includes all three types.
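The "corresponding outbound rules" above matter because each of these ICMP request types has a distinct reply type that a stateless firewall must let back out. The following Python is an added example of that pairing (not Halo's implementation; the service names follow the release note, the request/reply type numbers are standard ICMPv4, and the iptables rendering and the single-conntrack-rule stateful variant are assumptions):

```python
"""Expanding ICMP service names into paired inbound/outbound iptables rules.

Added example, not Halo's implementation. The service names (ping, timestamp,
address_mask, all) follow the release note; the request/reply type pairs are
standard ICMPv4 (echo 8/0, timestamp 13/14, address mask 17/18). Assumes a
Linux host using iptables and an IPv4 source given as a host or CIDR string.
"""
import ipaddress

# service name -> (request type, reply type)
ICMP_SERVICES = {
    "ping": (8, 0),            # echo request / echo reply
    "timestamp": (13, 14),     # timestamp request / timestamp reply
    "address_mask": (17, 18),  # address mask request / address mask reply
}


def expand_icmp_service(service):
    """Return the (request, reply) type pairs a service name stands for."""
    if service == "all":
        return list(ICMP_SERVICES.values())
    if service not in ICMP_SERVICES:
        raise ValueError(f"unknown ICMP service {service!r}")
    return [ICMP_SERVICES[service]]


def icmp_rules(service, source_cidr, stateful=False):
    """Build iptables commands allowing `service` from `source_cidr`.

    Stateless (default): one INPUT rule per request type plus the matching
    OUTPUT rule for the reply, which a ruleset without connection tracking
    needs before the reply can leave the host. Stateful: only the INPUT
    rules, plus a single conntrack rule that lets any reply out.
    """
    src = ipaddress.ip_network(source_cidr, strict=False)
    if src.version != 4:
        raise ValueError("ICMPv4 rules only; got an IPv6 source")
    rules = []
    for request, reply in expand_icmp_service(service):
        rules.append(f"iptables -A INPUT -p icmp --icmp-type {request} -s {src} -j ACCEPT")
        if not stateful:
            rules.append(f"iptables -A OUTPUT -p icmp --icmp-type {reply} -d {src} -j ACCEPT")
    if stateful:
        rules.append("iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT")
    return rules


if __name__ == "__main__":
    # Constructed sample: allow all three request types from a private range.
    for line in icmp_rules("all", "10.0.0.0/8"):
        print(line)
```

In a real ruleset the conntrack rule is normally placed once near the top of the OUTPUT chain rather than emitted per service, and because `-A` appends, any default DROP already present must come after these rules for them to have effect.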
23 April 2012
The 23 April 2012 release of CloudPassage Halo™ includes changes to the CloudPassage Daily Status emails, changes to the registration confirmation email, and a variety of minor bug fixes and UI enhancements, including a version specification for the ICMP service for Windows firewall.
CloudPassage Daily Status email changes
The CloudPassage Daily Status emails contain information regarding configuration scans, which apply only to Linux users. To improve the experience for Windows users, the daily emails are disabled by default for all new Halo users, pending a redesign. (Users can enable the daily emails manually by going to Settings > My Account.)
GhostPorts-only users have been receiving Daily Status emails, even though they have no Portal access and the emails are not meaningful to them. As of this release, the daily emails are no longer sent to GhostPorts-only users.
Registration confirmation email changes
The registration confirmation email sent to new Halo users has been modified to include content of interest to Windows users.
Corrected implementation of ICMP for Windows firewalls
The option to select the Internet Control Message Protocol (ICMP) as a service in a Windows firewall rule has been clarified: Halo currently supports ICMPv4 only.
New link to Getting Started popup
The Getting Started With Halo popup dialog is now accessible from the menu item Support > Getting Started, instead of from a button in the menubar.
Corrections to sorting order in Firewall Management table
Sorting of the Firewall Status column in the Firewall Management table on the Dashboard has been improved. In descending order, servers with no firewall now sort to the top, followed by servers with active assigned firewalls.
15 April 2012
The 15 April 2012 release of CloudPassage Halo™ includes improved access to the Open GhostPorts page, enhancements to configuration policies and File Integrity Monitoring, user-experience improvements to notifications and list sorting, and increased password security.
Clearer access to GhostPorts page
The menu link to the GhostPorts authentication page (Settings > GhostPorts) has been supplemented with a button (Open GhostPorts) in the main menu bar that opens the same page.
Improved "File ACL check" in configuration policies
The configuration policy check that verifies file access control lists has been enhanced so that it now functions correctly with filenames that are symbolic links.
File Integrity Monitoring now handles filenames with "+"
The File Integrity Monitoring module has been enhanced so that it now properly detects changes to files or directories whose names include a plus character ("+").
Improved "You don't have any servers yet!" notification
On the Dashboard page, the notification that appears when a user has not yet installed any Daemons now includes an Install daemons now link that takes the user to the Choose Daemon page to begin installing.
Resolved Issues
The following issues are among those resolved in this release.
- Searching in configuration policies and templates failed when a specific kind of search term (two characters followed by a period) was used. The issue has been fixed.
- The CloudPassage API documentation for creating firewall_target attributes was incomplete. Instructions and examples have now been added.
- Enhancements have been made to the Users tab on the Site Administration page in the Halo Portal:
- The column previously labeled Admin? is now called Portal access, and can have the values Admin, User, or None.
- The column previously labeled GhostPorts? is now called GhostPorts, and can have the values SMS, YubiKey, or None.
- A new event type, "GhostPorts Provisioning", has been added to the list of security event types that users can filter in the Halo Portal. This event type includes all provisioning-related GhostPorts events, such as inviting new users, de-provisioning, changing SMS phone numbers, and SMS phone-number verification. It does not include events related to using GhostPorts, such as login, login failure, and close.
- In the Halo Portal, improvements have been made to the sorting behavior of the GhostPorts Users category in the Source column of a firewall rule. User names are now sorted alphabetically, and the special name All GhostPorts users is always at the top of the list.
The following issues are among those that remain unresolved as of this release. Any known workarounds are described.
- As of this release, Halo for Windows runs only on Windows Server 2008 R2. Specifically, it is not supported on the original (non-R2) Windows Server 2008 or on Windows Server 2003.
- In this release, file integrity monitoring scans cannot detect block/character devices or FIFO (named pipe) files, and cannot detect changes to the permissions or attributes of any files.
- False-positive file integrity security events can occur on Linux systems on which the prelink utility regularly resolves links to dynamic libraries in executable files and stores the results in the executables, thereby modifying them. This can create differences between the servers of a scan group and the baseline (golden master) server, causing the false positives.
Workarounds. Take either of the following steps:
- Manually run prelink on the baseline server before running the baseline scan. That should eliminate most or all false security events related to prelink. Note that prelink's default configuration on many distributions randomizes library base addresses per host, so prelinked binaries can still differ from server to server even when the packages are identical.
- Turn off prelinking on all of your servers.