File Release Notes and Changelog
Release Name: iscs-0.1.1
Notes:
Changes:
September 11, 2008 - John A. Sullivan III
ChangeLog for iscs-0.1.1
This is a bug fix release.
Bug fixes:
Fixed bug where all change commits on PostgreSQL based systems failed
Fixed several invalid cursors, specifically, when calling adapt2model() when
creating a new PEP and when adding a new resource where service=""
Fixed bugs where database transactions were not committed, specifically when
creating new Access Groups and when adding Resources to Resource Groups
Fixed bug where Resource menu options were not appearing in the Resources
menu
July 17, 2008 - John A. Sullivan III
ChangeLog for iscs-0.1.0
This is a major step forward in that almost all access control functionality is now
available via the GUI and does not require direct database manipulation, i.e., ISCS
is almost ready for regular use.
New features:
Support for PostgreSQL (tested on version 8.3.3) and MySQL 5 (tested on version 5.0.51)
Support for Linux 2.6 kernel IPSec
VPN packets are identified by packet marking; KLIPS (ipsec interfaces) is no longer required
Search feature for Servers, Services or Resources among Resource Groups and Resources
Ability to delete and edit PEPs and PEP networks
Ability to delete and edit Servers and Resources
Ability to delete Services from Servers
Ability to delete Resources from Services
Networks can share physical interfaces
Inbound and outbound antispoof protection are handled separately
Network naming convention now supports subnets with same base address,
e.g., 192.168.1.0/24 and 192.168.1.0/25
Allow deletion of nested Locations
Major bug fixes:
Fixed segmentation fault when deleting PEPs
Fixed possible database corruption in best_match_res_ip table when editing a server
Implemented checks to ensure that PublicTTL overrides always have IP Addresses
Fixed bugs where NAT group box was disabled for new server IP addresses
Fixed bug where Resource and Access Groups could not accept an edit to only the comment field
Many fixes for network NAT
In some cases, the dynamic PEP updates did not reset iptables properly
Fixed segmentation fault when clicking on PEP network interface button
Fixed bug where one update thread could corrupt the PEP list in another update thread
Added missing error codes to update threads
Fixed bug where FW rules for protocols with no ports were being written multiple times
and causing a dynamic update failure
Fixed bugs when toggling best match
Fixed bug where Must121 was not properly detected for affected SuperRanges when a new
SubRange was added
Fixed bug in new Resource code where recovery from an address conflict provokes a
database error
Fixed bug where subranges were not being deleted from the best_match_res_ip database
table when deleting addresses
Fixed bug where adding a resource in a new database edit after deleting the last
entered resources in the previous database edit without reloading a new edit database
maintained an incorrect value for the base ResID
Fixed bug where Network NAT functions did not accommodate two networks which are
related as subnet and supernet with different NetNATs
Fixed bug where NetNAT assumed ipsec interfaces were always the same number as the
physical interface, e.g., ipsec0=eth0
Fixed bug where adding a PEP to an unexpanded Location did not paint the previously existing PEPs
Fixed bug where NetNAT with multiple public networks sharing a physical interface would cause
multiple dynamic NetNAT rules
Prevented editing or disabling BestMatch on Network Servers
Fixed bug where Resource Overrides on networks using NetNAT display the NAT address rather
than the real address in ResourcesListView
Fixed bug where adding an IP address to a Server without an IP address provoked a database error
Fixed bugs with apostrophes in server names and showing servers with no addresses in ResourcesListView
Fixed bug where Must121 NAT was not properly detected for affected SuperRanges when a new
SubRange was added
Fixed bug making erroneous db entries for containsbestmatch in accessors_ip and all_res_ipranges
Fixed display ordering in Resources, RGs and PEPs
Fixed bug where comments and time stamps were not recorded in the data/{version}DbChanges file
on a remote DBD
February 14, 2007 - John A. Sullivan III
ChangeLog for iscs-0.0.6.3
Although this is a point release, there has been a major breakthrough in functionality.
ISCS now supports the creation of Resource Overrides, i.e., Resources on a server
which override some of the parameters of the server, e.g., its IP address or NAT IP address.
New features:
Ability to create new Resources under an existing Service, i.e., the creation of
"Resource Overrides."
Ability to add IP addresses to an existing Server or Resource Override (one cannot
yet add an IP address to a Resource using the default server settings).
Ability to add, edit and delete NAT addresses on Servers and Resources.
ISCS can now accommodate manual rules to allow the use of proxies with iptables on
Linux based PEPs.
Major bug fixes:
Service is now taken into account when determining NAT fragments for NAT mappings.
Fixed segmentation fault when changing services in the Resources dialog box.
Fixed bug where adding a Resource to a Resource Group or editing a Resource
provoked database errors for Resources utilizing netNAT.
Fixed bug in Services Manager where common flag toggle was not properly written to
database.
December 28, 2006 - John A. Sullivan III
ChangeLog for iscs-0.0.6.2
New features:
Ability to add a new Resource to an existing Service
Added support for SecureComputing (CyberGuard) SG570 and sash shell devices
Major bug fixes:
Fixed bug where editing an unprotected Accessor failed
Corrected segfault when adding a top level Location
November 2, 2006 - John A. Sullivan III
ChangeLog for iscs-0.0.6
New features:
Unmanaged PEPs can be used in the SPM for connecting to outside security domains thus
bringing ISCS style features to environments that are not 100% ISCS enabled
SPM can now manage multiple DBDs on multiple database servers
Databases can be named by users
Databases can be added and deleted from the SPM
Added more CyberGuard SG models
PEPs can now be reinitialized from the SPM
PEP model changes automatically trigger PEP reinitialization
Changed network server object creation to include network base and broadcast addresses
for security reasons
Disallowed login while an update is in process
We have temporarily disabled concurrent usage until we rewrite the way configuration
file changes are handled.
Major bug fixes:
Minimized needless rewrite of DNList thus minimizing access control restarts on the
PEPs during updates
Eliminated duplicate NETMAP dynamic changes
Top level Locations can now be created
Edited IP Accessors no longer produce DENY changes when there are no DENY policies
Eliminated explicit IP protocol matches in iptables (e.g., -m tcp) as they appear to
conflict with multi-port.
Fixed bug with missing space in iptables port designation
Fixed bug in calculating the base network for automatically created network server objects
Fixed reload database functions to refresh SPM
Fixed bug where Resource Group and Policy tool bars disappeared
Fixed bug where a Resource or Access Group moved to another group was not painted in the
new parent if the new parent had been expanded and then closed
PEPForm now checks for invalid entry "ALL" in the PEPNameLineEdit when lostFocus() is
emitted
Bug fix for duplicate Accessors created in copied Access Group
Bug fix for PEP model not clearing when moving from a PEP to a Location in
LocationListView
Bug fix for BestMatch check box not changing in the IP Accessors Table when it is toggled
Fixed bug with RGListView not properly reparenting in the Policies tab
Fixed bug where netNAT was applied to all addresses using the original address instead of
just those on the PEP doing netNAT
Fixed bug where public service was passed instead of private service during Resource
creation
Activated indirect conflict checks for NAT
February 16, 2006 - John A. Sullivan III
ChangeLog for iscs-0.0.5
New features:
Ability to add interfaces and networks to existing PEPs - all Resources and network server
objects are properly created
Network server objects automatically created when PEP network or interface is created
"Unrestricted" Access Group added
DNList oid search order now optimized
Generates DNLists in both RFC2253 and non-RFC2253 syntax
Support for automatic updates of CyberGuard SG580 and other bash based devices running
firmware 3.1.2 or greater
DHCP Relay now refers to general network traffic rather than dhcp-over-ipsec
Multiple VPN types allowed per model
Added support for OpenVPN as a remote access VPN technology with support for X.509 Accessors
Non-fatal PEP update errors are now captured and displayed
Major bug fixes:
Adding new Resources to an unexpanded Resource Group no longer prevents display of
pre-existing Resources
Duplicate Resource creation is now caught and prevented
Dynamic DNAT rules for single IP addresses now always have correct syntax
PEPs are now properly noted as managed or unmanaged
DNList no longer has extra empty first line and now includes chain prefix
DNListDENY now created properly
ACCESS_GROUPS and ACCESS_GROUPS_DENY insertions are now properly placed before rule 4 rather than rule 1
Fixed spaces and lines problem in DNList files
Fixed the "PEP at current database level" status
PEP reinitialization now produces configuration files even if there are no other changes
ProxyARP files properly created and distributed
ProxyARP changes processed even during PEP initialization
Requesting Commit Changes during shutdown no longer shuts down before changes are finished
Resources added to unexpanded Resource Group are no longer displayed twice
August 9, 2005 - John A. Sullivan III
ChangeLog for iscs-0.0.4.1
New features:
Included documentation for installation on CyberGuard SG devices
Major bug fixes:
Heavily debugged routines for handling dynamic access control rules for
X.509 Accessors
July 9, 2005 - John A. Sullivan III
ChangeLog for iscs-0.0.4
New features:
Beginnings of system settings. A setting to save the normally deleted temporary files has been added.
The framework is in place to create configurable settings for many hard coded parameters.
CyberGuard iptables configuration files are collapsed into the single ipfwrules expected by SnapGear.
The out-of-band authentication routines for X.509 accessors now check the issuing CA as well as the DN.
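Worked example, added here and not part of ISCS: a small DN-list matcher in Python showing why the 0.0.4 change above matters. It accepts the two DN spellings the 0.0.5 entry says ISCS emits (RFC 2253 and the non-RFC 2253 OpenSSL one-line slash form) and keeps an access list keyed on (issuer DN, subject DN) instead of the subject DN alone. The CA names, the accessors "alice" and "mallory", and the chain names are constructed; escape handling covers only "\," and "\/".

```python
import re
from typing import Dict, Optional, Tuple

DN = Tuple[Tuple[str, str], ...]


def parse_dn(dn: str) -> DN:
    """Canonicalise a DN into a tuple of (ATTR, value) pairs, CN first.

    Accepts RFC 2253 syntax ("CN=alice,OU=VPN,O=Example,C=US") and the
    non-RFC 2253 OpenSSL one-line form ("/C=US/O=Example/OU=VPN/CN=alice").
    Attribute types are upper-cased so both spellings compare equal.
    Assumption: only the "\\," and "\\/" escapes are handled.
    """
    dn = dn.strip()
    if dn.startswith("/"):
        parts = [p for p in re.split(r"(?<!\\)/", dn) if p]
        parts.reverse()               # OpenSSL lists C first; RFC 2253 lists CN first
        unescape = ("\\/", "/")
    else:
        parts = re.split(r"(?<!\\),", dn)
        unescape = ("\\,", ",")
    rdns = []
    for p in parts:
        attr, sep, value = p.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN {p!r} in {dn!r}")
        rdns.append((attr.strip().upper(), value.strip().replace(*unescape)))
    return tuple(rdns)


def format_dn(rdns: DN, rfc2253: bool = True) -> str:
    """Render a parsed DN in either syntax (the 0.0.5 entry says ISCS writes both)."""
    if rfc2253:
        return ",".join(a + "=" + v.replace(",", "\\,") for a, v in rdns)
    return "".join("/" + a + "=" + v.replace("/", "\\/") for a, v in reversed(rdns))


# Constructed access list: (issuer DN, subject DN) -> chain the accessor is sent to.
ISSUER = "CN=Example VPN CA,O=Example,C=US"
ACCESSORS: Dict[Tuple[DN, DN], str] = {
    (parse_dn(ISSUER), parse_dn("CN=alice,OU=VPN,O=Example,C=US")): "ACCESS_GROUPS",
    (parse_dn(ISSUER), parse_dn("CN=mallory,OU=VPN,O=Example,C=US")): "ACCESS_GROUPS_DENY",
}


def lookup_by_dn_only(subject: str) -> Optional[str]:
    """Pre-0.0.4 behaviour: match on the subject DN alone, whoever issued the cert."""
    want = parse_dn(subject)
    for (_issuer, subj), chain in ACCESSORS.items():
        if subj == want:
            return chain
    return None


def lookup_by_issuer_and_dn(issuer: str, subject: str) -> Optional[str]:
    """0.0.4 behaviour: the presented issuer must also be the CA on record."""
    return ACCESSORS.get((parse_dn(issuer), parse_dn(subject)))


def demo() -> Tuple[Optional[str], Optional[str], Optional[str]]:
    """A cert carrying alice's subject but minted by a different CA (constructed)."""
    rogue_ca = "/C=US/O=Mallory/CN=Mallory Root CA"
    alice = "/C=US/O=Example/OU=VPN/CN=alice"
    return (
        lookup_by_dn_only(alice),                    # "ACCESS_GROUPS": rogue cert accepted
        lookup_by_issuer_and_dn(rogue_ca, alice),    # None: rejected
        lookup_by_issuer_and_dn(format_dn(parse_dn(ISSUER), rfc2253=False), alice),
    )


if __name__ == "__main__":
    print(demo())
```

With a subject-only check, any CA in the PEP's trust store can issue a certificate for CN=alice and obtain alice's access; keying the list on the issuer as well ties each DN to the CA expected to vouch for it. The issuer DN is still only a name: the chain must also validate to that CA's key, otherwise a second trusted CA could mint both names.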
Major bug fixes:
All unsigned long int have been replaced with either Q_UINT32 or uint32_t to eliminate bit twiddling
errors on 64 bit systems.
All but one instance of manipulation of the current working directory have been eliminated thus
removing some very confusing errors when the update threads would change the current working directory
from underneath the main thread or on one another.
Flush rules were added to the CyberGuard iptables files to prevent redundant loading of the rules.
All iptables chain names now start with a prefix (defaults to "c") to work around an iptables bug
that prevents proper flushing when chains start with a number.
June 21, 2005 - John A. Sullivan III
ChangeLog for iscs-0.0.3.1
New features:
Preliminary support for CyberGuard SG devices
Support for iptables based devices which use iptables-batch rather than iptables-restore
Major bug fixes:
Threaded update code was completely broken - all objects in threads are now thread-safe or re-entrant
Threads no longer make changes to the application working directory
Redundant NAT rule creation eliminated
Threads no longer overwrite shared objects
Some minor bug fixes
October 13, 2004 - John A. Sullivan III
ChangeLog for iscs-0.0.3
Major bug fixes:
Creation of ARP entries now works
NAT fragments are now properly returned when Best Match is toggled off of a Resource when creating a new Resource
Many minor bug fixes.
August 31, 2004 - John A. Sullivan III
ChangeLog for iscs-0.0.2
Delete Access Group function works properly
Added Delete Resource Group and Remove Resource From Resource Group functions
Added missing code to initiate access control for a packet, i.e., the jumps from
ACCESS_GROUPS and ACCESS_GROUPS_DENY
Changed the ssh calls to the PEP to use the -i parameter instead of ssh-agent
Fixed problem with dynamic changes not setting ipranges properly
Corrected iptables rule creation to handle ports of type xx:xx,yy:yy
Added checks for existing ./pgpass file to Pgdbcopy script
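Worked example, added here and not ISCS code, tying together three entries above: dropping the explicit "-m tcp" in favour of "-p tcp" with multiport (0.0.6), prefixing chain names so none begins with a digit (0.0.4), and port specifications of the form xx:xx,yy:yy (0.0.2). The Python below builds ACCEPT rules from a service description, writes a port-less protocol exactly once with no port match (the duplicated-rule failure in the 0.1.0 entry), and enforces the multiport limit of 15 slots (a range counts as two) by splitting into several rules. The chain names, addresses and services are constructed; the 28-character chain-name limit and the 1..65535 port range are iptables' own.

```python
import ipaddress
import re
from typing import List

CHAIN_PREFIX = "c"       # the 0.0.4 entry says the prefix defaults to "c"
CHAIN_MAXLEN = 28        # iptables rejects chain names of 29 characters or more
MULTIPORT_MAX = 15       # -m multiport takes up to 15 ports; a range "lo:hi" counts as two

_PORT_RE = re.compile(r"^(\d{1,5})(?::(\d{1,5}))?$")
_CHAIN_RE = re.compile(r"^[A-Za-z0-9_.-]+$")


def chain_name(name: str) -> str:
    """Prefix a chain name so it never begins with a digit."""
    if not _CHAIN_RE.match(name):
        raise ValueError(f"bad chain name {name!r}")
    full = CHAIN_PREFIX + name
    if len(full) > CHAIN_MAXLEN:
        raise ValueError(f"chain name {full!r} longer than {CHAIN_MAXLEN} chars")
    return full


def parse_ports(spec: str) -> List[str]:
    """Parse "80,443,8000:8080" into normalised items "n" or "lo:hi".

    Rejects ports outside 1..65535 and inverted ranges; the xx:xx,yy:yy
    form from the 0.0.2 entry is accepted as-is.
    """
    items = []
    for raw in spec.split(","):
        m = _PORT_RE.match(raw.strip())
        if not m:
            raise ValueError(f"bad port spec {raw!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if not (1 <= lo <= 65535 and 1 <= hi <= 65535):
            raise ValueError(f"port out of range in {raw!r}")
        if hi < lo:
            raise ValueError(f"inverted range {raw!r}")
        items.append(f"{lo}:{hi}" if m.group(2) else str(lo))
    return items


def _multiport_groups(items: List[str]) -> List[List[str]]:
    """Split port items into groups that each fit one multiport match."""
    groups, cur, used = [], [], 0
    for it in items:
        cost = 2 if ":" in it else 1
        if used + cost > MULTIPORT_MAX:
            groups.append(cur)
            cur, used = [], 0
        cur.append(it)
        used += cost
    if cur:
        groups.append(cur)
    return groups


def access_rules(chain: str, proto: str, dst: str, ports: str = "") -> List[str]:
    """Return the ACCEPT rule(s) for one service, in iptables-restore syntax.

    - a protocol without ports (esp, icmp, ...) gets exactly one rule and no port match;
    - "-m tcp"/"-m udp" is never written: "-p tcp" already loads that match, and the
      0.0.6 entry reports the explicit form conflicting with multiport;
    - one port or one range uses --dport, more than one uses -m multiport, split
      whenever the 15-slot limit would be exceeded.
    """
    proto = proto.lower()
    ipaddress.ip_network(dst, strict=False)        # raises on a malformed address/CIDR
    base = f"-A {chain_name(chain)} -p {proto} -d {dst}"
    if not ports:
        return [f"{base} -j ACCEPT"]
    if proto not in ("tcp", "udp"):
        raise ValueError(f"protocol {proto!r} does not take ports")
    items = parse_ports(ports)
    if len(items) == 1:
        return [f"{base} --dport {items[0]} -j ACCEPT"]
    return [f"{base} -m multiport --dports {','.join(g)} -j ACCEPT"
            for g in _multiport_groups(items)]


def demo() -> List[str]:
    """Constructed services: a web server, an IPsec gateway and a 20-port list."""
    rules = []
    rules += access_rules("web", "tcp", "192.168.1.10", "80,443,8000:8080")
    rules += access_rules("vpn", "esp", "192.168.1.1")
    rules += access_rules("vpn", "udp", "192.168.1.1", "500")
    rules += access_rules("big", "tcp", "10.0.0.0/24",
                          ",".join(str(p) for p in range(1000, 1020)))  # spills into 2 rules
    return rules


if __name__ == "__main__":
    print("\n".join(demo()))
```

The output is meant as input for iptables-restore or iptables-batch and is never executed here. The two points worth keeping when adapting it: "-p tcp" alone loads the tcp match, so "--dport" works without "-m tcp", and validating the port list before it reaches the rule file is what turns a silent update failure on the PEP into an error at edit time.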