Reboot required

When finished, the system will reboot automatically. Please do not reboot manually.

Update of various software packages

This update contains new versions of the Linux kernel, the Avira and F-Secure virus scanners and several system libraries and programs.

Key and certificate management

RSA key-pairs for the VPN server, reverse proxy, mail server and administration interface used to be configured in the menu of the respective server. From now on the new menu "System > Certificate manager > Keyring" serves as the central store for all key-pairs. In the server menus you can choose from the keys in the keyring.
In cluster configurations the RSA key-pairs will not be synchronized until both cluster nodes have been updated.
The special key "DUMMY" serves as a placeholder. It is used in the default configuration, when no real certificate is available. It is also used when the private key is missing, i.e. after swapping the hardware until the backup with the key-pairs has been installed or new keys have been issued. Please note that private keys are still not part of the system backups. Key-pairs have to be exported separately in password protected files.
In this context, the process of requesting a certificate from an external CA has been revised. It is now possible to transfer certificate requests and certificates with copy-and-paste, and certificates may be uploaded in DER format, too.

Let's Encrypt certificates

Certificates can now be updated automatically using the ACME protocol, so you can now use free Let's Encrypt certificates. This new option is available when requesting a new certificate in the "Keyring" menu. For authentication the "http-01" method is used. This requires that the reverse proxy can be reached on port 80 from the Internet and a virtual host is defined for all requested domains with the pre-defined backend "ACME HTTP-Authorization" enabled.

Avira and Kaspersky online query

To bridge the time span between the report of a new threat to the antivirus manufacturer and the download of new signatures, Avira and Kaspersky offer an online service to query the status of suspicious files. For the query, a checksum of the file is computed and sent to the manufacturer.
By default this option is enabled. You can disable it individually for each scanner in menu "Modules > Virusscanner".

Avira macro detection for web proxy

On installations running Avira antivirus, a new option in the web proxy content filter allows blocking office documents containing macros or autostart macros.

LTE support

The USB sticks for mobile Internet via UMTS are being phased out. The new USB sticks support LTE.
The configuration screen will now show the selected mobile communications provider and offer an option to select a specific mobile phone standard.

Selection of the IKEv2 mode in IPsec connections

In IPsec connections of type "Server" and "Client" the IKEv2 mode can be configured now.

Re-keying of IPsec connections

When a session key was about to expire, IPsec connections of type "client" and passive "server" connections may have initiated a re-keying. Now these connections are completely passive.

Email attachment quarantine

Two problems have been fixed. The first affects systems which quarantine unwanted attachments by removing them from the email, and where the administrator has additionally granted recipients access to the quarantine area. If an email had more than one attachment quarantined, the recipient could download only the first attachment.
On individual systems which retain emails with unwanted attachments, no notification emails were sent to the recipients and the administrator.

IP objects of type "Geolocation"

Previous releases supported only up to 15 country codes per IP object.

URL filter database

IDS/IPS signatures for systems without maintenance contract

Minor bugfixes and improvements

Reboot required

When finished, the system will reboot automatically. Please do not reboot manually.

Update of the Linux kernel and the glibc system library

The safeguard mechanism that separates the different memory areas of a program could be circumvented. This made it possible to execute arbitrary code or gain elevated privileges. With the update such attacks become more difficult.

RAR unarchiver

The RAR unarchiver is used by the email virusscan module to extract RAR archives. With the help of a crafted RAR archive, an attacker could have executed arbitrary code within the limits of the process' permissions.

OpenVPN

An attacker could have crashed the OpenVPN server with specifically crafted data packets.

Reverse proxy option for email attachment quarantine area

Since 7.0-2.0 the administrator can allow recipients to access filtered emails or attachments themselves, if certain conditions apply. With a new option you can now enable reverse proxy access to the quarantine area if that should be necessary.

Email attachment filter

Filenames of attachments using foreign character sets were not displayed correctly in the administration interface. The same problem affected filenames and email subjects in notification emails.
In order to simplify the notification emails, the headers of the original email are no longer part of the text. They are now provided as an attachment.

SPAM folder email report

In the daily email report listing new mails in the SPAM folder, sender names and subjects may have been truncated. When using foreign character sets, they were not displayed correctly.
Emails with an invalid message-id were not deleted automatically after the configured period of time.

Monitoring for SSH TCP forwarding

Connections via SSH TCP forwarder are now displayed on a new tab in menu "Monitoring > Network > Status".

Minor bugfixes and improvements

Windows network shares

Clients were able to upload and execute shared libraries if network shares were enabled. If the service "Windows shares" is disabled, which is the default, the system cannot be attacked.

NTLM authentication and Windows domain membership

Problems have been reported with NTLM based proxy authentication and the new Samba server installed in 7.0-2.2. On some systems many log messages occurred, on other systems the service "Windows domain membership" had to be restarted periodically.
After updating an affected system, please re-join the Windows domain in menu "Modules > Web proxy > Settings" on tab "NTLM authentication". If the name of your Windows domain is configured as "ActiveDirectory server IP", please change it to the IP address of one of your Windows domain controllers.

Minor bugfixes and improvements

Reboot required

When finished, the system will reboot automatically. Please do not reboot manually.

IPsec server

An attacker could have used a crafted certificate to crash the IPsec server or even execute arbitrary code.

Intrusion prevention and F-Secure antivirus

The F-Secure updates have been partially blocked by the intrusion prevention system since 2017-04-27. Systems with a software maintenance contract and automatic IDS/IPS signature update enabled received new signatures on 2017-04-28. The signatures of all other systems will be fixed with this update.

Update of the Linux kernel

Minor bugfixes and improvements

Intrusion detection / prevention

With carefully crafted packets an attacker could make the IDS/IPS use wrong packets while reassembling the data stream.

IPsec CRL

The IPsec server didn't load certificate revocation lists.

Autostart of service "More servers"

On cluster masters and after uploading a system backup the option to start "More servers" after reboots was not set.

Webmail via reverse proxy

An error occurred while submitting emails if the reverse proxy was used to access the webmailer.

Firewall rules with many addresses

In 7.0-2.2 an error could occur while loading firewall rules with lots of IP addresses. The rules were then loaded in a time-consuming stepwise approach, possibly causing temporary access failures.

Minor bugfixes and improvements

Web proxy

While handling conditional requests, a bug allowed internal attackers to receive replies destined for other users, which may contain sensitive information.

Filtering of inbound emails with local domain in sender address

The update fixes several ways to bypass the filters introduced in 7.0-1.1. For example, previously only the email address but not the text part (display name) of the "From" header was examined, and only the first of multiple "From" headers was checked.
The filter will now look at the "Sender" header as well.
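As an added example (not DEFENDO's own filter code), this Python snippet shows a check that covers the three bypasses named above: address-like text in the display name, repeated "From" headers, and the "Sender" header. The local domain and the sample message are constructed for the demonstration.

```python
import email
import re
from email import policy
from email.utils import getaddresses

# Constructed sample: the local domain this mail gateway is responsible for.
LOCAL_DOMAINS = {"example.com"}

# Anything that looks like an address, wherever it appears in a header value
# (display name, comment, or the addr-spec itself).
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def claimed_local_senders(raw, local_domains=LOCAL_DOMAINS):
    """Return (header, address) pairs for every address in *any* From or
    Sender header whose domain is one of local_domains."""
    # compat32 keeps duplicate From headers instead of treating them as an error.
    msg = email.message_from_bytes(raw, policy=policy.compat32)
    hits = []
    for hdr in ("From", "Sender"):
        for value in msg.get_all(hdr, []):  # every instance, not just the first
            # Real addr-specs as parsed by the email library ...
            candidates = {addr for _, addr in getaddresses([value]) if addr}
            # ... plus address-like text anywhere in the header, e.g. the display name.
            candidates.update(ADDR_RE.findall(value))
            for addr in sorted(candidates):
                domain = addr.rpartition("@")[2].lower()
                if domain in local_domains:
                    hits.append((hdr, addr.lower()))
    return hits


def should_reject_inbound(raw, local_domains=LOCAL_DOMAINS):
    """Policy: an email arriving from the Internet must not claim a local sender."""
    return bool(claimed_local_senders(raw, local_domains))


# Constructed message exercising all three header tricks at once.
SAMPLE = b"""From: "ceo@example.com" <attacker@evil.test>
From: boss@example.com
Sender: relay@example.com
To: staff@example.com
Subject: invoice

please pay
"""

if __name__ == "__main__":
    for hdr, addr in claimed_local_senders(SAMPLE):
        print(f"local sender claimed in {hdr}: {addr}")
    print("reject:", should_reject_inbound(SAMPLE))
```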

Windows services

Several vulnerabilities have been fixed in the samba server. Although we believe that we are not affected, we provide an update.

Logging to syslog server

You can send a copy of most logs to a syslog server now.

Configuration of IP ranges

The administration interface will now accept IP ranges such as "192.168.0.100-192.168.0.120" for many settings.
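As an added example (not part of the product), this Python snippet parses the range notation shown above, validates it (same address family, start not after end) and summarises the range into the CIDR blocks it covers; the sample range is the one from the text.

```python
import ipaddress


def parse_ip_range(text):
    """Parse a single address, a CIDR network or a dash range "A-B" into a
    list of ip_network objects. Dash ranges are validated and then
    summarised into the smallest set of aligned CIDR blocks."""
    text = text.strip()
    if "-" in text:
        start_s, end_s = (part.strip() for part in text.split("-", 1))
        start = ipaddress.ip_address(start_s)
        end = ipaddress.ip_address(end_s)
        if start.version != end.version:
            raise ValueError(f"mixed address families in range {text!r}")
        if start > end:
            raise ValueError(f"range start lies after its end: {text!r}")
        return list(ipaddress.summarize_address_range(start, end))
    # strict=False tolerates host bits set in a CIDR, e.g. 10.0.0.1/24
    return [ipaddress.ip_network(text, strict=False)]


def address_count(networks):
    """Number of individual addresses a parsed range covers."""
    return sum(net.num_addresses for net in networks)


def contains(networks, addr):
    """Membership test for a parsed range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)


if __name__ == "__main__":
    nets = parse_ip_range("192.168.0.100-192.168.0.120")  # range from the notes
    for net in nets:
        print(net)
    print(address_count(nets), "addresses;", "192.168.0.110 in range:",
          contains(nets, "192.168.0.110"))
```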

Cluster with fallback link

We changed the behaviour of cluster master nodes which also have a fallback Internet link. When the primary line loses its network link, the cluster no longer performs a failover. Instead the fallback Internet link is used.

Email attachments in quarantine directory

Attachments with a filename encoded in a certain way have not been listed.

Display of interface table

In the monitoring menu, the interface table was not shown on Hyper-V based systems and on some systems with VDSL interfaces.

Minor bugfixes and improvements

Rejecting emails with unwanted attachments

A new option is available in the mail attachment filter. Instead of quarantining emails with unwanted attachments, these emails will be rejected.
This option is not suitable for systems retrieving inbound emails from a POP or IMAP server.

Import of configuration tables

The import feature introduced in 7.0-2.0 still had some issues. The import failed with Chrome and the data was imported twice when using Internet Explorer. In some cases the last line was rejected as faulty. Finally the import is now more tolerant towards the data format, so it should be possible to modify the data with almost all editors now.

DSL connection after reboot

In some installations the DSL connection failed after a reboot if the DSL interface is used for IPsec.

Backup to NetAPP Windows share

The backup failed if the NTLMv2 Signed option was enabled for the NetAPP share.

Memory leak in the reverse proxy

Minor bugfixes and improvements

Secure

DEFENDO combines a collection of best-of-breed security modules such as firewall, VPN, proxies, virus scanner and anti-spam system, which interact for one purpose:
protection from all online threats and unwanted content such as malicious code, spam and hacker attacks.

Flexible

Each IT scenario is different. The DEFENDO product family will adapt precisely to your demands.
DEFENDO is suitable for the simple Internet connections of small companies, for headquarters / branch office WANs, as well as for complex multi-tiered firewall systems.

More good reasons

  • No backdoors
  • More than 20 years of Internet security experience
  • Award-winning product
  • Support by our development engineers
  • Reseller loyalty
  • Made in Germany