Product Information Bulletin Clearswift SECURE Email Gateway 4.4

Issue 1.0

June 2016

Clearswift SECURE Email Gateway V4.4


Contents

Overview
Kaspersky Cloud Lookups
Anti-virus heuristics enabled by default
Simplified offline Kaspersky updates
TLS Enhancements
    Enforced inbound TLS connections
    Selectable TLS modes
    Exclude hosts from opportunistic TLS connections
Content rule enhancements
    Copy to Message Area
    Domain Rewriting on Relay event
    Malware content rule
Script and malware detection enhancements
Strong admin password
System console changes
Message Delivery parallelization
Enhancement requests
Bug fixes
Availability
Interoperability
End of life
Platform support
Packaging


Overview

This new release delivers a number of customer enhancement requests, as well as additional security features for the Clearswift SECURE Email Gateway. The new features are briefly summarized below, and examined in more detail on the following pages.

Kaspersky cloud lookups

Anti-virus heuristics

TLS enhancements

Content rule options

Extended detection of potentially malicious files

System password strength

System console upgrades

Kaspersky Cloud Lookups

With thousands of new malware samples created daily, the AV engines now use cloud-based lookups to supplement the standard signature update mechanism. As soon as Kaspersky has finished its analysis of the latest malware, the results are available via a cloud lookup, enabling protection from new strains of malware before the next scheduled AV update. Unless the Gateways are operating in a closed network with no public Internet access, the process of checking the cloud lookups is handled automatically. From a privacy perspective, only file hashes are communicated over the public network, and these cannot be used to gather any information from the original file. It should be noted that customers running SEG 4.2 with Sophos AV already have a similar feature.

Anti-virus heuristics enabled by default

The Email Gateway now enables some of the heuristic detection options in the configured AV engines to detect malware that has similarities to known malware by analyzing how the code behaves. For example, if a file is being checked and the AV tool detects it trying to modify another executable, then it will be flagged as highly suspicious.

Key points:

Cloud lookups to detect new malware before signature updates occur

Improved detection of new threats

Heuristics now applied

Simplified offline Kaspersky updates

For customers in closed environments, the process for updating the anti-virus has been greatly simplified. The steps to perform the updates are:

Create the directory /var/cs-gateway/kav/prefetched/

Download the file latest.tgz from one of the Kav mirrors [1]

TLS Enhancements

There have been a number of enhancements to TLS to improve security and usability.

Enforced inbound TLS connections

In Version 4.2.1 the Gateway could enforce mandatory TLS connections to another server or domain. If a TLS connection could not be established then the message would not be delivered. In this release, any connection coming from that defined server or domain will also have to be sent over TLS for it to be accepted by the SEG. Domains/hosts that are rejected for not being able to send messages over TLS will find evidence of this fact in their system logfiles and senders should also receive a Non-delivery report (NDR).

[1] http://kav-update-8-#.clearswift.net/KAV_85_TGZ/, where # is 1-6

Key points:

Improved system security

Enforced inbound connections

Choice of TLS modes

Ability to exclude hosts from opportunistic TLS


Selectable TLS modes

The selection of TLS versions has been extended to allow customers to specify which versions of TLS protocols are enabled.

PCI-DSS 3.1, targeted for 30th June 2018, has mandated the use of TLS 1.1 and 1.2 for communication between clients and servers.

Ciphers for the User Interface have also been upgraded to support TLS 1.2 only; most current browsers support this by default.

Browser                    TLS 1.0   TLS 1.1   TLS 1.2
IE8 (Win7)                 yes       off       off
IE9 (Win7)                 yes       off       off
IE10 (Win7)                yes       off       off
IE11 (Win7/Win8)           yes       yes       yes
IE11 (Win10)               yes       yes       yes
Microsoft Edge (Win 10)    yes       yes       yes
Safari 8+ (OSX)            yes       yes       yes
Chrome 45+                 yes       yes       yes
Firefox 24                 yes       off       off
Firefox 34+                yes       yes       yes

If customers are using a legacy browser, the use of TLS 1.1 and 1.2 can be enabled through Group Policy or reconfiguration of the browser.


Exclude hosts from opportunistic TLS connections

Customers have reported issues when opportunistic TLS is used to connect to external mail relays that fail to negotiate correctly, meaning that a connection is never established. This release now permits customers to enter IP addresses or hostnames that will be excluded from attempts to establish an opportunistic TLS connection.

Content rule enhancements

There are a number of enhancements to the content rules and message processing options to aid migration from MIMEsweeper to the SEG. Obviously these features will also benefit other customers who require that functionality.

Copy to Message Area

Customers who wish to use a message area as a short term archiving area for monitoring and compliance purposes can now do so using the “Archive to Server” content rule and selecting a new “What To Do” action.

Key points:

Assists customers to migrate from MIMEsweeper for SMTP

Additional flexibility

Improved security


Customers wishing to archive messages for longer periods of time should consider products such as Cryoserver, which provides a more resilient system, intelligent searching and eDiscovery.

Domain Rewriting on Relay event

Some customers have a requirement whereby a copy of a message needs to go to another system, but with the recipient address details modified at the domain level.


In order to achieve this, the customer configures a Relay disposal action and adds the new target domain to the relay server properties.

All messages relayed to this defined server will subsequently be re-written.

Malware content rule

It is no longer possible to change the format types scanned by the “Virus Detection” rules. The gateways now use the built-in decompression routines in the anti-virus products, so the selection of format types is no longer necessary. This increases the number of file formats in which malware can be detected, and also provides benefits where the AV engines have signatures for malware in compressed files that can be detected without having to decompress the container file.

Please contact Technical Support if this causes a specific issue for you.


Script and malware detection enhancements

There have been a number of enhancements regarding active code detection in MS Office formats such as MSO. The Gateways now recognize more file formats to help detect malicious scripts. Content rule media selection has been extended to display the new specific script formats.

Key points:

Recognition of new script formats

Support for MSO files

Scan scripts using Detect Lexical Expression

Strong admin password

Key points:

Strong password policy applied to all new installations

Not implemented for software installs (when the product is installed on an existing RHEL deployment)

The feature can be disabled if not required

Can be enabled for customers upgrading from an earlier version


During the installation process, you are now forced to set up a strong admin password. This is to ensure that if someone does gain physical or remote access to the Gateway, the chances of them guessing the password are significantly reduced. Customers can disable this for demonstration or test systems, but for production systems Clearswift recommends the use of strong passwords for system accounts that have OS access.

If you wish to disable this feature on an installed system, or enable on an upgraded system, please see the online help article: http://clearswifthelp.clearswift.com/SEG/440/en/SEG.htm#Sections/ConceptTopics/CONCEPTPasswordPolicyManualChange.htm?Highlight=password

System console changes

The system console has received a number of improvements in data validation and usability. In particular, completing the DNS server configuration has been made easier, and we now annotate interfaces to make identification easier.

Key points:

Improved DNS servers

Tagged interfaces


Message Delivery parallelization

For most organizations, the standard mail delivery algorithms deliver fast throughput and low latency even when there may be a queue of messages to be delivered. However, customers who send messages to a large volume of recipients, with many hundreds of recipients in the same message, may not get the best delivery performance. In order to achieve faster delivery in this scenario, customers can force the message to be split based on the number of recipients. By splitting the message into smaller recipient groups, the Sendmail MTA can process more messages in parallel. The splitting algorithm will also favor grouping recipients in the same delivery domain over the true recipient count to further optimize delivery. The point at which messages are split is configured in System > Advanced Settings > Message Settings.

Key points:

Improve delivery time when dealing with large mail volumes

Customer configurable parameter
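
An added illustration of the recipient-based splitting described in this section, not Clearswift's or Sendmail's code. The function name, the threshold parameter and the exact grouping rule (one delivery domain per envelope, cut further only when a domain exceeds the threshold) are assumptions drawn from the description above.

```python
from collections import defaultdict


def split_by_recipients(recipients, split_threshold):
    """Return the list of envelopes (recipient lists) for one message.

    Assumed behaviour, modelled on the bulletin's description:
    - at or below the threshold the message is left as a single envelope;
    - above it, recipients are grouped by delivery domain first, so an
      envelope may hold fewer recipients than the threshold allows;
    - a domain with more recipients than the threshold is cut into chunks.
    """
    if split_threshold < 1:
        raise ValueError("split_threshold must be at least 1")
    if len(recipients) <= split_threshold:
        return [list(recipients)]

    by_domain = defaultdict(list)
    for rcpt in recipients:
        local, sep, domain = rcpt.rpartition("@")
        if not sep or not local or not domain:
            # Refuse to guess a delivery domain for a malformed address.
            raise ValueError(f"not a mailbox address: {rcpt!r}")
        # Domain names compare case-insensitively.
        by_domain[domain.lower()].append(rcpt)

    envelopes = []
    for rcpts in by_domain.values():
        for start in range(0, len(rcpts), split_threshold):
            envelopes.append(rcpts[start:start + split_threshold])
    return envelopes


# Constructed sample: one message addressed to eight recipients in three domains.
SAMPLE = (
    [f"user{i}@a.example" for i in range(5)]
    + ["x@B.example", "y@b.example", "z@c.example"]
)

if __name__ == "__main__":
    for env in split_by_recipients(SAMPLE, 3):
        print(len(env), env)
```

With a threshold of 3 the sample yields four envelopes, each bound for a single domain, which the MTA can then hand to separate delivery processes.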


Enhancement requests

The following customer reported enhancement requests have been implemented in this release.

ER#         Summary
Mail-1932   OOOs with empty RFC2821 from field are quarantined by BATV
Mail-4304   Local account password settings
Mail-6997   Ability to exclude IP-Address/Hostname/Domain name from opportunistic TLS communication
Mail-5878   Request to disable the "Remember me Option" in https://<pmm-server>/PMM/Login.jsp while logging in
Mail-7552   Improve parallelization of mail delivery
Mail-7864   Provide short term archive for all messages using Message Area
Mail-7865   Permit domain re-writing on Relay-to messages
Mail-8154   Support for the new PCI/DSS standard
Mail-8234   MSO attachments not scanned for Active Content


Bug fixes

A number of client-reported bugs have been fixed in this release. Please see the release notes for more information.

Availability

Phase                  Date
General Availability   7th July 2016

Interoperability

It is possible to peer a Version 4.4 Gateway with an existing Version 3.x Gateway, although it will not be possible to share policy due to the different levels of functionality in the later products. It will be possible to import a 3.8 configuration into a V4.4 system, which saves deploying a V4.0 (or 4.1 to 4.3) system and then upgrading that to V4.4.

End of life

This release will signal the start of the SEG 4.2 end of life program. Version 4.2’s EOL program will last 12 months (as defined in the Support Services handbook) and will reach end of life on 7 July 2017.

Platform support

Clients with low memory and low disk space systems may find that their hardware is no longer suitable and may need to refresh their hardware / virtual systems. Clearswift recommends that systems have a minimum of 4Gb RAM, multi-core processors that support 64bit instructions and over 250Gb+ of disk space for low volume production environments. For customers with a greater workload the recommended minimum would be 6-8Gb RAM, single or dual multi-core processors and 250Gb+ of redundant disk storage.


Packaging

This release will NOT be available as a patch for all systems running 3.x to automatically download. Clients using 4.0 to 4.3 will be able to upgrade their system through the Admin console. Clients who want to migrate from 3.x must install a new system and migrate their existing configuration to the new system. They will typically deploy the solution in a test mode initially and then deploy a production system. Clients will be able to import a V3.8.* policy file to replicate their policy or a V3.8.* full system backup if they want to import reporting data, quarantine messages, logs and policy. To make the installation process easier, clients will be able to request professional services from Clearswift to assist in the deployment of this new version.