V 10.0

Release Dates

Version 10.00 Build 227 – 29th March, 2010

Release Information  
 
Release Type: General Availability
Compatible versions: 9.6.0 Build 78 onwards
Upgrade prerequisite: 24 x 7 OR 8 x 5 valid Support license
Applicable to: All the Cyberoam Appliance models except CR15i and CR25i
 

Upgrade Information

Upgrade type: Manual upgrade

Upgrade procedure

1. Go to the Web Admin Console and take a backup of v 9.6.x.x from System > Manage Data > Backup Data. For real-time conversion of the v9 backup to a v10-compatible backup, browse to the data migration site (http://v9migration.cyberoam.com) and upload the v9 backup file.

Note: If you are upgrading a fresh v9.x appliance, i.e. one without custom configuration and data, skip step 1.

2. Download the Appliance model-specific firmware from http://customer.cyberoam.com.

3. Upload the firmware (downloaded in step 2) from the Web Admin console (menu Help > Upload Upgrade).

4. Once the file is uploaded successfully, log on to the CLI console, go to the menu “Option 6 Upgrade Version” and follow the on-screen instructions to upgrade.

5. The Appliance will be loaded with the factory default firmware, i.e. the Appliance will come up with the factory default settings.

Note: If you are upgrading a fresh v9.x appliance, i.e. one without custom configuration and data, skip the rest of the steps. After this step, your appliance is ready for use.

6. Restore the V 10 compatible backup from the Web Admin console (menu System > Maintenance > Backup & Restore).
 
7. To view the version 9.x reports, browse to http://<Cyberoam IP>/reports. To view reports generated after the version upgrade, go to Logs & Reports > View Reports. This option will not be available for CR15i models.

8. To view the version 9.x quarantined mails, go to Antivirus > Quarantine > V 9 Quarantine. To view the mails quarantined after the version upgrade, go to Antivirus > Quarantine > Quarantine.

For further details on migration, refer to the Migrate from v9.6.x.x to v10 document.
 
Note: It is mandatory to upgrade to version 10.00 build 227 prior to any further upgrades.

Compatibility issues

Firmware is Appliance model-specific, hence firmware of one model is not applicable to another model. The upgrade will not succeed and you will receive an error if, for example, you try to upgrade Appliance model CR100i with firmware for model CR500i.
 

Introduction

This document contains the release notes for Cyberoam version 10.00 build 0227. The following sections describe the release in detail.
This is a key release with architectural changes, new features, and several bug fixes that improve quality, reliability, and performance.

Features and Enhancements

1. Firmware-based Upgrades

All upgrades after this version will be firmware-based, i.e. the version can be upgraded directly to the latest version. Firmware will be Appliance-specific, hence firmware of one model will not be applicable to another model.

For example, if the latest released version is 10.1.0.16 and current version in your Appliance is 10.0.0.2 then with this upgrade you will be able to directly upgrade to the latest version 10.1.0.16 instead of upgrading each intermediate version individually.

Multiple firmware images can reside on the appliance, so the Administrator will be able to switch between them if needed. Apart from that, upgrade and downgrade will also be more stable and robust, as the entire operating system is converted into bootable firmware (starting from the boot-up sequence / BIOS).

2.  GUI Revamp

To improve usability, a good portion of the Web UI has been re-organized. This also provides a more user-friendly approach to layout, menus and screens. The new GUI is based on Web 2.0 concepts and components.

3.  GUI Themes 

Cyberoam now provides Themes page to quickly switch between predefined themes. Each theme comes with its own custom skin, which provides the color scheme and font style for entire GUI i.e. navigation frame, tabs and buttons.

You can choose from two themes – Cyberoam Standard and Cyberoam Classic.

Configuration
The default “Cyberoam Standard” theme can be changed from Options under System menu from Web Admin Console.

4.  Role Based Access Control

To offer greater granular access control and flexibility, from this version onwards, Cyberoam provides role-based administration capabilities.

It allows an organization to separate the super administrator's capabilities and assign them through Profiles. Profiles are a function of an organization's security needs and can be set up for special-purpose administrators in areas such as firewall administration, network administration and logs administration. Profiles allow permissions to be assigned to individual administrators depending on their role or job need in the organization.

The profile separates Cyberoam features into access control categories for which you can enable none, read only, or read-write access.

For ease of use, Cyberoam provides 4 profiles by default:

·         Administrator – super administrator with full privileges
·         Security Admin – read-write privileges for all features except Profiles and Log & Reports
·         Audit Admin – read-write privileges for Logs & Reports only
·         Crypto Admin – read-write privileges for Certificate configuration only
 
Configuration
1.       Custom profiles can be created and managed from the Profile page of Administration menu
2.       Assign profile (created in step 1) to user from the User page of Identity menu
 
 
5.  Multiple Authentication support
 
This feature allows the administrator to configure authentication based on the type of user – Firewall, VPN and SSL VPN – and with multiple servers.
User level authentication can now be performed using the local user database, RADIUS, LDAP, Active Directory or any combination of these.

A combination of external and local authentication is useful in large networks where guest user accounts must be provided for temporary access, while a different authentication mechanism such as RADIUS for VPN and SSL VPN users provides better security as the password is not exchanged over the wire.

In case of multiple servers, the administrator can designate the primary and, optionally, the secondary server. Only if the primary server cannot authenticate the user will the secondary server try to authenticate. If the secondary server cannot authenticate the user, Cyberoam refuses access.

By default, primary authentication method is “Local” while secondary authentication method is “None”.

Configuration
1.       Configure authentication server i.e. RADIUS, LDAP or Active Directory
2.       Integrate external authentication server with Cyberoam and configure primary and secondary authentication method for Firewall, VPN and SSL VPN traffic from Authentication page of Identity menu from Web Admin console.
 
 

6.  Thin Client Support

Cyberoam can now authenticate hosts connecting remotely through Microsoft Terminal Server (Microsoft TSE) – Windows server 2003 and Citrix Presentation Server and apply all the identity-based security policies to monitor and control the access.

Solution can be implemented for all the user types – HTTP, Single Sign On (SSO) and Clientless SSO (CTAS).

Configuration
1.       Download Client from http://download.cyberoam.com/beta/catc and install on Microsoft Terminal Server (Microsoft TSE) or Citrix Presentation Server
2.       Configure Cyberoam for communication between the two from CLI using the command: cyberoam auth thin-client add citrix-ip <ip address of citrix server>

7.  IM Logging and Control for Yahoo and WLM

All Instant Messaging communication happening over Yahoo IM and Windows Live Messenger traffic can now be scanned, logged and controlled too.

Cyberoam also provides an option to enable inspection of IM traffic on non-standard ports. For details, refer to section Traffic Inspection on non-standard port.

The feature allows Administrators to:

1. Log all communication between a specific set of users, over either Yahoo or WLM.
2. Control who can chat with whom.
3. Have granular control over the form of communication i.e. chat, voice or video.

For example, chat can be allowed between the Sales and Marketing teams but denied between the Sales and Accounts teams.

Configuration
1.       Add IM contacts or IM Group for whom rules are to be created
2.       Define Conversation rule to allow or deny 1-to-1 or group Chat conversation between IM contacts added in step 1
3.       Define File transfer rule to allow or deny file transfers between IM contacts added in step 1
4.       Define Webcam rule to allow or deny the usage of Web camera between IM contacts added in step 1
5.       Define Login rules to allow specific Yahoo/MSN contacts to login to their servers. By default, access to Yahoo and MSN chat is denied to all the contacts.
6.       Define content filtering rules

The scanned IM logs can be viewed from Log Viewer page.  

Limitations
1.       File transfer and web camera usage not supported for Windows Live Messenger v 2009
2.       No support for File transfer logging
3.       No file archive support
4.       Yahoo traffic will be scanned only if HTTP scanning is enabled.

8.  IPv6 Traffic Forwarding support

From this version onwards, Cyberoam supports forwarding of IPv6 traffic and Appliances will be “IPv6 Ready” certified for Phase II.

IPv6 is version 6 of the Internet Protocol. It is an Internet Layer protocol for packet-switched internetworks. It has a larger address space than standard IPv4 hence can provide billions more unique IP addresses than IPv4. This results from the use of a 128-bit address, whereas IPv4 uses only 32 bits. The internet is currently in transition from IPv4 to IPv6 addressing.

Cyberoam allows configuring an IP address using the following notations:

Standard notation

Represent the address as eight groups of 4 hexadecimal digits

For example: 0EDC:BA98:0332:0000:CF8A:000C:2154:7313

Compressed notation

If a 4 digit group is 0000, it may be omitted.

For example:

3f2e:6c8b:78a3:0000:1725:6a2f:0370:6234 can be written as 3f2e:6c8b:78a3::1725:6a2f:0370:6234
 
4f7e:6c8b:79a3:0000:1725:0000:0370:6234 can be written as 4f7e:6c8b:79a3::1725::0370:6234

Mixed notation

IPv4 addresses that are encapsulated in IPv6 addresses can be represented using the original IPv4 "." notation as follows:

For example:
 
0:0:0:0:0:0:127.32.67.15
0:0:0:0:0:FFFF:127.32.67.15

It is also possible to use the compressed notation, so the addresses above would be represented as:

::127.32.67.15

::FFFF:127.32.67.15
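The three notations reduce to one 128-bit value, which is what a rule match or log correlation should compare. The sketch below is an added example, not Cyberoam code: `expand_ipv6`, `canonicalise` and `same_address` are this example's own names, and it applies the RFC 4291 rule that "::" may appear only once in an address, so text containing it twice is rejected as ambiguous.

```python
import string

def _ipv4_groups(dotted):
    """Turn a dotted IPv4 tail into the two 16-bit hex groups it occupies."""
    octets = dotted.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("bad embedded IPv4 address: %r" % dotted)
    a, b, c, d = (int(o) for o in octets)
    return ["%02x%02x" % (a, b), "%02x%02x" % (c, d)]

def expand_ipv6(text):
    """Return the address as eight lowercase 4-digit groups, or raise ValueError."""
    if text.count("::") > 1:
        # With two gaps there is no way to tell how many zero groups each one hides.
        raise ValueError("'::' may appear only once: %r" % text)
    head, gap, tail = text.partition("::")
    left = head.split(":") if head else []
    right = tail.split(":") if tail else []
    last = right if gap else left          # the list that holds the final field
    if last and "." in last[-1]:           # mixed notation: IPv4 in the low 32 bits
        last[-1:] = _ipv4_groups(last[-1])
    missing = 8 - len(left) - len(right)
    if (gap and missing < 1) or (not gap and missing != 0):
        raise ValueError("wrong number of groups: %r" % text)
    groups = left + ["0"] * missing + right
    for g in groups:
        if not 1 <= len(g) <= 4 or any(ch not in string.hexdigits for ch in g):
            raise ValueError("bad group %r in %r" % (g, text))
    return ":".join(g.lower().zfill(4) for g in groups)

# Address strings quoted in the notation sections of this page.
SAMPLES = [
    "0EDC:BA98:0332:0000:CF8A:000C:2154:7313",
    "3f2e:6c8b:78a3::1725:6a2f:0370:6234",
    "4f7e:6c8b:79a3::1725::0370:6234",
    "0:0:0:0:0:FFFF:127.32.67.15",
    "::FFFF:127.32.67.15",
]

def canonicalise(samples):
    """Map each text form to its expanded address, or None when it is rejected."""
    out = {}
    for text in samples:
        try:
            out[text] = expand_ipv6(text)
        except ValueError:
            out[text] = None
    return out

def same_address(a, b):
    """Compare by value rather than by spelling."""
    return expand_ipv6(a) == expand_ipv6(b)

if __name__ == "__main__":
    for text, full in canonicalise(SAMPLES).items():
        print("%-42s -> %s" % (text, full or "REJECTED"))
```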

Configuration
To implement IPv6, one simply needs to assign IPv6 addresses to the interfaces using the following CLI command:
 
cyberoam ipv6 interface Port <port number> <ip address>

E.g. cyberoam ipv6 interface PortB address add 3ffe:501:ffff:101:290:fbff:fe18:5968/64

Additional commands

1. Create Prefix list for the Interface
cyberoam ipv6 interface Port <port number> prefix add <ip address>

E.g. cyberoam ipv6 interface PortC prefix add 3ffe:501:ffff:101::/64

2. Configure IPv6 Routing
Add Router

cyberoam ipv6 route add <ip address>

E.g. cyberoam ipv6 route add 3ffe:501:ffff:101::/64 gateway fe80::210:f3ff:fe08:7d6c interface PortC
 
Configure router advertisement

cyberoam ipv6 interface Port<port number> router-adv send-adv enable

E.g. cyberoam ipv6 interface PortC router-adv send-adv enable

3. Test connection with ping6

ping6 3ffe:501:ffff:100:20d:48ff:fe36:59a4

4. Tunnel IPv6 traffic over an IPv4 network:

cyberoam ipv6 tunnel add <tunnel-name> remote-ip <ip address v4> local-ip <ip address v6>

9. SSL VPN Updates

9.1 Application Access Mode

From this version onwards, Cyberoam allows remote access to different TCP applications over Application Access Mode. As the application is launched in a web browser, it offers clientless network access.

The feature comprises an SSL daemon running on the Cyberoam appliance and an AAM Client running at the Client side to establish a secure tunnel. The AAM Client is a Java Applet thin client which requires JRE 1.4.2.

Application access allows remote access to different TCP-based applications like HTTP, HTTPS, RDP, TELNET (e.g. telnet.exe), SSH (e.g. putty, secureCRT) and FTP (Passive mode) without installing a client.

Server side Configuration

1.       Add Applications as Bookmarks
2.       Select Application Access mode in VPN SSL policy
3.       Assign policy to the User or Group

For administrators, Cyberoam Web Admin console provides SSL VPN management. Administrator can configure SSL VPN users, access method and policies, user bookmarks for network resources, and system and portal settings.

Prerequisite (Remote User)

For remote users, customizable End user Web Portal enables access to resources as per the configured SSL VPN policy.

·         Microsoft Windows supported – Windows 2000, Windows XP, Windows 7, Windows Vista and Windows Server 2003.
·         Admin Rights Required – Remote user must be logged on as Admin user or should have Admin privilege.
·         JRE Installation – Java Runtime Environment V 1.5 or below.

9.2  Save User Credential option for Remote Users

To remove the hassle of typing the username and password at every login, an option to save the username and password is provided on the SSL VPN client.

9.3  Auto-start SSL VPN connection
 
Auto-start SSL VPN option is provided to automatically establish the SSL VPN connection whenever Client system starts. One needs to save username and password to enable auto-start functionality.

10.  3G device support on WAN

With introduction of 3G (Third Generation) support, Cyberoam now delivers twin protection for high-speed secure wireless WAN (WWAN) combined with high-performance UTM. It not only secures the wireless connection but also inspects and encrypts the traffic over the wireless network. Hence, Cyberoam now supports set of security policies over both wired as well as wireless networks.

It works with wireless access points from any vendor to provide security and hence achieve broadband connectivity via high-speed wireless networks where wired-broadband connections are not available.

The WWAN can be used by:
1.       People constantly on the road for business or pleasure and cannot be without web connection
2.       Ideal for users away from home needing to connect virtually anywhere in their coverage area
3.       Temporary network where pre-configured connection is not available like trade-shows
4.       Mobile and cellular networks to utilize cellular technology to securely transfer data or connect to the Internet
5.       WAN failover connection

Wireless WAN support requires a contract with a wireless service provider. Check Appendix A for supported wireless service providers.

Configuration

1.       Pre-requisite – Cyberoam deployed in gateway mode
2.       Enable WWAN from CLI with command: cyberoam wwan enable
3.       Re-login to Web Admin console
4.       Configure WWAN Interface settings from Network > Wireless WAN > Settings page
5.       Once the connection is established, system host - #WWAN1 and WWAN1 Interface will be automatically added with the IP address 0.0.0.0 and
6.       As WWAN1 Interface will be the member of WAN zone, all the firewall rules configured for the WAN zone will be applicable to WWAN1 Interface.
7.       Additional firewall rules can be configured for host - #WWAN1
 
 

11. Integration with Cyberoam-iView for Logging and Reporting

Cyberoam is now integrated with Cyberoam-iView to offer wide spectrum of 1000+ unique user identity-based reporting across applications and protocols and provide in-depth network visibility to help organizations take corrective and preventive measures.

It provides network administrators with the information they need to enable the best protection and security for their networks against attacks and vulnerabilities.

The Cyberoam Administrator can also choose to restrict visibility of logs and reports to an administrator who manages Cyberoam-iView through Role Based Access Control. For example, create a profile with read-write access for Log & Reports pages and assign it to an Administrator who is required to manage reports through Cyberoam-iView. This feature can be very useful in an MSSP scenario.

Cyberoam-iView can be accessed by clicking “Reports” on the topmost button bar on each page or from View Reports page under Logs & Reports menu.

Administrator has to login to Cyberoam-iView with the default username & password for Cyberoam-iView – admin, admin and not with the Cyberoam username and password.

12. Customer My Account Portal for Registration & Subscription

Customer My Account portal (http://customer.cyberoam.com) now supports creation of a Customer Account and registration of the Appliance, and allows subscribing to various modules. In earlier versions, one had to register and subscribe from the Appliance itself. One can also register additional appliances through the portal itself.

Two step process:

1.       For creation of customer account and registration of appliance, “Registration” option is provided on the home page while to subscribe for modules, one has to login from the home page with the credential - email id and password, set at the time of creating customer account. 
2.       Synchronize the registration and subscription details on Appliance from Web Admin console.

13.  External Authentication support for Administrator

Cyberoam Administrators can now be authenticated by an external authentication server – RADIUS, LDAP, Active Directory. With the support for configuring multiple authentication servers, it is also possible to configure a combination of external and local authentication for the administrators.

In case of multiple servers, the administrator can designate the primary and, optionally, the secondary server. Only if the primary server cannot authenticate the user will the secondary server try to authenticate. If the secondary server also cannot authenticate the user, Cyberoam refuses access.

By default, primary authentication method is “Local” while secondary authentication method is “None”.

14. Support to mitigate HTTP-based DDoS Attack

DoS attacks on Web services, known as HTTP flood attacks, pose a serious threat to Web site owners and hosting providers. In this type of attack, malicious clients automatically send a large number of HTTP-GET requests to the target Web server, making it difficult or impossible for legitimate visitors to access it. Such attacks disrupt server operation, apparently cause costly data transfer and bandwidth overages, and can negatively impact the confidence of that site's visitors, doing incalculable damage to the site's reputation.

While simplistic packet-based attacks can be more easily mitigated upstream, with an HTTP-based attack it is often difficult to distinguish attack traffic from legitimate HTTP requests, as these HTTP-GET requests have legitimate formats and are sent through normal TCP connections. Hence, Intrusion Detection Systems also cannot detect them.

Cyberoam identifies such attacks based on the rate of HTTP requests per source IP or the number of HTTP requests per TCP connection. A number of requests higher than the configured rate is considered an attack, and the traffic from the said source is dropped. One can either configure the allowed number of connections or, for granular control, configure the allowed number of requests per method – GET and PUT.


Configuration
From CLI, set number of connections and HTTP method with the commands:
 
set http_proxy dos add connection <number of connections>

set http_proxy dos add method <GET | POST> <number of requests>
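The two checks described above, requests per source IP over time and requests per method on a single TCP connection, modelled over a constructed request log. This is an added example and not Cyberoam's implementation; the window length, the thresholds and the block-until-cleared behaviour are assumptions, since the page does not state the time unit of the rate.

```python
from collections import defaultdict, deque

class HttpFloodDetector:
    """Model of the two checks described above; all limits are assumed values."""

    def __init__(self, max_per_ip, window_s, max_per_conn):
        self.max_per_ip = max_per_ip        # requests allowed per source IP per window
        self.window_s = window_s            # window length in seconds (assumed unit)
        self.max_per_conn = max_per_conn    # {method: requests allowed on one connection}
        self.recent = defaultdict(deque)    # source IP -> request times inside the window
        self.on_conn = defaultdict(int)     # (source IP, connection id, method) -> count
        self.blocked = {}                   # source IP -> name of the check that tripped

    def observe(self, ts, src, conn, method):
        """Return "pass" or "drop" for one request; events must arrive in time order."""
        if src in self.blocked:
            return "drop"
        times = self.recent[src]
        times.append(ts)
        while ts - times[0] >= self.window_s:     # slide the window forward
            times.popleft()
        if len(times) > self.max_per_ip:
            self.blocked[src] = "rate"
            return "drop"
        self.on_conn[(src, conn, method)] += 1
        limit = self.max_per_conn.get(method)
        if limit is not None and self.on_conn[(src, conn, method)] > limit:
            self.blocked[src] = "per-connection " + method
            return "drop"
        return "pass"

def sample_events():
    """Constructed request log: (time in seconds, source IP, connection id, method)."""
    events = []
    # Browser: six GETs over ten seconds on two connections.
    events += [(100 + 2 * i, "192.0.2.10", "a%d" % (i % 2), "GET") for i in range(6)]
    # Flood: fifty GETs in one second, a new connection for each request.
    events += [(100 + 0.02 * i, "198.51.100.7", "b%d" % i, "GET") for i in range(50)]
    # Slow and steady: one GET every two seconds, all on one keep-alive connection.
    events += [(100 + 2 * i, "203.0.113.5", "c0", "GET") for i in range(60)]
    return sorted(events)

def run(events, detector):
    """Feed the log through the detector; return (blocked sources, passed counts)."""
    passed = defaultdict(int)
    for ts, src, conn, method in events:
        if detector.observe(ts, src, conn, method) == "pass":
            passed[src] += 1
    return detector.blocked, dict(passed)

if __name__ == "__main__":
    detector = HttpFloodDetector(max_per_ip=20, window_s=10,
                                 max_per_conn={"GET": 30, "POST": 10})
    blocked, passed = run(sample_events(), detector)
    for src in sorted(passed):
        print(src, "passed", passed[src], "blocked by", blocked.get(src, "nothing"))
```

The third source never exceeds the per-IP rate and is caught only by the per-connection count, which is why the two limits are configured separately.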

15. Traffic Inspection on non-standard ports

By default, Cyberoam inspects all inbound HTTP, HTTPS, FTP, SMTP, POP and IMAP traffic on the standard ports. However, many applications scan for open ports for malicious purposes. For example, worms and trojans often use a non-standard HTTP port to pass remote commands and fetch data from remote sites. For phishing attempts, fraudulent websites are hosted on non-standard HTTP ports to lure customers to submit and disclose their personal information.

To protect from such attacks, Cyberoam now provides option to enable inspection of HTTP, HTTPS, FTP, SMTP, POP, IMAP, IM – MSN and Yahoo traffic on non-standard port also.

Configuration
From CLI, use the command:
set service-param <service> <add | delete> <port number>
 
1.       Maximum 16 ports can be configured per service
2. The same port cannot be configured across services, e.g. if HTTP is configured for port 8080 then that port cannot be configured for any other service.
3.       Following default ports cannot be configured for any services: 21, 25, 80, 110, 143

16.  Protection of BGP Sessions via the TCP MD5 Signature

Since BGP uses TCP as its transport protocol, it is vulnerable to all security weaknesses of the TCP protocol itself. For a determined attacker, it is possible to forcibly close a BGP session or even hijack it and insert malicious routing information into the BGP data stream.

TCP MD5 Signature is used to secure the BGP session and protect against the introduction of spoofed TCP segments into the connection stream and connection resets.

An MD5 checksum added to every packet of a TCP session makes hijacking difficult for the attacker, as both the MD5 key and the TCP sequence number are needed to hijack the session.

Configuration

From the CLI console, go to menu Option 3. Route Configuration > 1. Configuration Unicast Routing > 3. Configure BGP
At the prompt, use the following commands to enable MD5 support:
 
enable
configure terminal
router bgp <AS number>
network <network>
neighbor <neighbor address> remote-as <AS no of neighbor BGP router>
neighbor <neighbor address> password <MD5 Key>

Currently, only IPv4 addresses are supported.
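What the neighbor password buys at the receiving end, as an added example (not Cyberoam code): the digest is computed in the RFC 2385 order of pseudo-header, base TCP header with zero checksum, segment data, then the shared key, and a segment whose digest does not match is dropped. Addresses, ports, sequence numbers and the key are constructed values.

```python
import hashlib
import hmac
import socket
import struct

TCP_PROTOCOL = 6
RST, PSH, ACK = 0x04, 0x08, 0x10
OPTIONS_LEN = 20   # 18-byte MD5 option (kind 19) padded to a 4-byte boundary

def tcp_base_header(sport, dport, seq, ack, flags, window=16384):
    """20-byte TCP header without options; checksum is zero, as the digest requires."""
    data_offset = (20 + OPTIONS_LEN) // 4            # header length in 32-bit words
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       (data_offset << 12) | flags, window, 0, 0)

def md5_signature(src, dst, header, payload, key):
    """RFC 2385 digest: pseudo-header, base header, segment data, then the shared key."""
    segment_len = len(header) + OPTIONS_LEN + len(payload)
    pseudo = (socket.inet_aton(src) + socket.inet_aton(dst)
              + struct.pack("!BBH", 0, TCP_PROTOCOL, segment_len))
    return hashlib.md5(pseudo + header + payload + key).digest()

def accept(src, dst, header, payload, option_digest, key):
    """Receiver side: a segment with no MD5 option or a wrong digest is dropped."""
    if option_digest is None:
        return False
    expected = md5_signature(src, dst, header, payload, key)
    return hmac.compare_digest(expected, option_digest)

def demo():
    peer, local = "192.0.2.1", "192.0.2.2"           # constructed addresses
    key = b"constructed-shared-key"                  # constructed; stands in for the MD5 key
    keepalive = b"\xff" * 16 + struct.pack("!HB", 19, 4)   # BGP KEEPALIVE message
    hdr = tcp_base_header(40000, 179, 1000, 2000, PSH | ACK)
    good = md5_signature(peer, local, hdr, keepalive, key)

    # A reset with the right 4-tuple and a plausible sequence number, but no shared key.
    rst = tcp_base_header(40000, 179, 1019, 0, RST)
    unkeyed = md5_signature(peer, local, rst, b"", b"not-the-key")

    altered = b"\x00" + keepalive[1:]
    return {
        "keepalive signed with the shared key": accept(peer, local, hdr, keepalive, good, key),
        "same digest, payload altered in transit": accept(peer, local, hdr, altered, good, key),
        "reset signed with a different key": accept(peer, local, rst, b"", unkeyed, key),
        "reset carrying no MD5 option": accept(peer, local, rst, b"", None, key),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print("%-42s %s" % (case, "accepted" if ok else "dropped"))
```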

17.  Module level Logging capability      

From this version, it will be possible to view logs - Admin, Antivirus, Antispam, Authentication, Firewall, IPS, IM, System, Web Filter, from the Web Admin console. To help diagnose the problem, all the configuration changes will also be logged.

18. Miscellaneous Enhancements

18.1 100+ Applications filter support

Cyberoam’s application layer filtering allows enterprises to have advanced control over applications and network protocols. Rather than controlling access through IPS signatures, Cyberoam has added 100+ categories to mitigate the risk from unauthorized applications and reduce bandwidth cost by controlling access to these applications.

One can control access to hundreds of Applications that are grouped as per their usage, e.g. Instant Messengers like Yahoo Messenger, QQ Messenger, Gtalk, Webmail Chat Attempt etc. are grouped under the IM category.

18.2   Web filter support

Cyberoam provides web filtering as a means to control Internet use and to improve network security and employee productivity.

Cyberoam groups hundreds of web sites into default categories and allows custom categories to be added as per the network requirement, to prevent access to malicious sites and protect your network from malware, worms, spyware, trojans etc.

Cyberoam also allows allocating bandwidth based on the Web category apart from allocating and prioritizing bandwidth based on users. It will not only improve the network productivity by limiting the bandwidth used by the recreational applications but also guarantee the performance of the critical business application. 

18.3      Configurable Automatic Updates of Web Categories & IPS Signature database

Automatic updates of Web categories and IPS signature database can now be disabled. By default they are enabled and can be disabled from System > Maintenance > Updates page of Web Admin console.

18.4    Support for Firewall rule Name

In networks where a large number of firewall rules are required, it became difficult to identify a firewall rule by its numbered id. Hence, to easily identify firewall rules, they can now be named like all other security policies of Cyberoam.

18.5    Appliance Management from Dashboard

For ease of use, rebooting appliance and shutting down appliance option are provided on Dashboard. In version 9.x, one had to either do it from Manage Server page of Web Admin console or CLI.

18.6    Global Administrator support

Apart from the default super admin “cyberoam”, Cyberoam is now shipped with one global superadmin with the credentials – username & password as “admin”. Both the consoles – Web Admin console and CLI – can be accessed with the same credentials. This administrator is always authenticated locally i.e. by Cyberoam itself. We recommend changing the password for this username immediately after deployment.

In case multiple external authentication servers are configured and both the servers go down, Administrator will not be able to access Web Admin console with default admin “cyberoam”. In such situation, administrator can login with credentials admin/admin.

18.7   Captive Portal page components customization support

As Captive Portal is an entry point to the Corporate network, Cyberoam provides flexibility to customize the Portal page to offer consistent logon/log off page. This page can be exclusive to your business including your business name and logo. It also provides flexibility to customize page color scheme as per your company’s Website.

18.8     Packet Capture log

Packet Capture log now includes details of all the packets and not just the Denied packets details.

18.9    Automatic Certificate regeneration on modification

 

Article ID: 287