------------------------------------------------------------------------

                             Solstice FireWall-1
                         Version 3.0b Release Notes

------------------------------------------------------------------------

                                  Overview

Thank you for using Solstice FireWall-1 Version 3.0b.

This document contains important information not included in the FireWall-1
User Guide. Please review this information before installing or using
FireWall-1.

Product Description

Documentation

New Features

Known Bugs and Restrictions

User Guide Clarifications

Getting Help

------------------------------------------------------------------------

                             Product Description

Solstice FireWall-1 Version 3.0b is a comprehensive security tool that
allows an organization to access the Internet's vast worldwide resources
without compromising internal network security.

A license password is required to activate FireWall-1 after installation.

------------------------------------------------------------------------

                                Documentation

Sun assumes that the customer has access to the FireWall-1 Version 3.0
CD-ROM. The CD-ROM includes a copy of the FireWall-1 User Guide in Adobe
Acrobat Portable Document Format (PDF), as well as Acrobat readers for most
supported platforms. Updated versions of these readers can be downloaded
from Adobe (www.adobe.com). The CD-ROM does not contain an Acrobat reader
for Solaris2-x86.

Note - Before installing a Vpn or Vpn/Des package, you must first install the
base package, which is supplied as a separate patch.

------------------------------------------------------------------------

                                New Features

FireWall-1 Version 3.0 includes the following new features:

     1. FireWall-1 support for Solaris 2.6
     2. SecuRemote Version 3.0 including:
        o Client Encapsulation
        o Support for all FireWall-1 authentication schemes
        o Support for Windows 95B
        o Support for Windows 95 Power Management suspend/hibernation
     3. Support for management of Cisco 11.2 routers
     4. New Services Support: Connected OnLine Backup, AOL, OnTime
     5. Session Authentication Agent for Windows 3.11

------------------------------------------------------------------------

                         Bugs Fixed in this Version

Version 3.0b fixes bugs that were found in version 3.0a. For a complete list
of the bugs that were fixed in Version 3.0b, please contact Sun.

Bugs fixed in this release include but are not limited to the following:

     1261680 firewall-1 doesn't always handle ftp PASSV correctly: data
     channel is blocked
     1263275 firewall-1 ver2.0b doesn't work with license
     1264199 can't load rules, core dump
     1264798 Firewall-1 doesn't have an rexec class
     1264816 changing Text.MaxDocumentSize to add comments under firewall
     GUI doesn't work
     1267277 FW-1 firewall 2.0e rejects packets at random
     4006688 FireWall-1 fails to generate encryption filter if patch
     103337-05 is installed
     4013122 Firewall_1 drops fragmented udp packets which do not come in
     correct sequence
     4028259 2.1 GUI appears to lose connection w/ inspection module but fwd
     keeps filtering
     4040195 fwui's System View reports Help icon
     4044273 Firewall-1 NT error message FW1:Fwreceive:lookaheadbuffer
     2806>max buffer size 1
     4052718 3.0 fwinfo calls gunzip which is not included in FW or Solaris
     distribution
     4055124 In user authentication you have only one minute for typing in
     password
     4060955 Customers using NT can't license 3.0
     4061216 'Suspend' feature of win95/pc does not work when SecuRemote is
     installed
     4061293 WinGUI cannot print large rulebase - shoves all rules onto one
     page
     4068918 Log viewer reports 'too many logs, lost some' msg after upgrade
     from 2.1 to 3.0
     4073833 firewall-1 3.0a loses license in kernel module after reboot.
     4076069 snmp_trap: can't create variable
     4077906 firewall 3.1/NAT selection for network objects just displays
     background color

------------------------------------------------------------------------

Platform Specific Problems

          Windows NT: Logging stopped after a while

               On Windows NT, logging stopped after a while, so no log
               records were written to the log file any longer. When this
               happened, trying to stop the FireWall-1 Service resulted in
               a system crash (Blue Screen Of Death).

          HP-UX: SYNDefender

               Using SYNDefender could crash the FireWall machine.

          HP-UX: BTLAN Support

               BTLAN Network Interface Cards are now supported.

          HP-UX: On some 10.20 machines FireWall-1 failed to attach

               On some 10.20 platforms, the FireWall driver failed to
               operate after installation.

Services Support

          SQL*Net v2

               Allowing SQL*Net version 2 through Windows NT could crash the
               machine. It also did not work properly on Solaris2 for x86.

          StreamWorks

               Address Translation was not supported for StreamWorks.

          UDP

               General support for UDP address translation.

User Interface

X/Motif GUI

          X/Motif Memory Usage

               When using the X/Motif Log Viewer and/or System Status, the X
               Server process allocated more and more memory until the X
               system hung.

          Motif GUI crashes when changing resources.
          Motif GUI crashes on RADIUS Server dialog box.

               Defining a RADIUS Server was causing the X/MOTIF GUI to
               crash.

Windows and X/Motif GUI

          Refresh button did not work.
          Deleting an object from a group did not have the expected effect.

               Deleting an object from a group through the GUI did not
               remove it from the FireWall tables.

          Rule Base printing

               The Rule Base was printed on one page only, resulting in
               unreadable output when the Rule Base included many rules.

          Monitor-Only User was allowed to purge Log Files.

Security Servers

General:

          "Not in" on sources and destinations was not checked correctly by
          the Security Servers.

OPSEC CVP+UFP Problems:

          HTTP+FTP did not work properly with Symantec Anti-Virus.
          HTTP wrong log for virus detection (showed accept).
          FTP did not work with CVP in PASV mode.

HTTP:

          The HTTP Security Server failed with www.on.com and other sites.
          HTTP translated '//' to '/', resulting in broken GIF files.

FTP:

          An FTP time-out caused the connection to be closed on large files.
          The FTP Security Server hung under heavy load.
          The FTP Welcome message did not work.

SMTP:

          The mail dequeuer got stuck after 25 failures.
          The Security Server removed the <> around a mail path.
          When an error server was set, error messages were sent to the
          postmaster instead of the sender.
          On Windows NT, files were not removed from the spool directory in
          some cases.
          On error messages, the From address was not compliant with RFC 821.

          Improved parsing is now used for rewriting header fields; bugs
          were fixed.
          No matching by header was done in the case of REJECT or DROP.
          Strip MIME did not correctly process lists (e.g. {image,
          application}).

Authentication Methods

SecurID

          New PIN mode behavior changed.

               Now you must proceed with the New PIN mode session before you
               can log in.

S/Key

          S/Key File printing (Motif + Windows)

               When printing S/Key file, only some of the lines were printed
               properly.

AXENT

          Add backup AXENT Server

               Now you can specify a secondary AXENT server to be connected
               when the primary server goes down.

RADIUS

          Support for dbimport/dbexport
          RADIUS Authentication stopped after 256 connections

Client Authentication

          Client Authentication with Logical Servers integration.

               Allows the user to specify a Logical Server name when
               prompted for the destination.

          Client Authentication with resources is now allowed
          Client authentication upon session authentication

               When using client authentication upon session authentication,
               the time-out was set to 60 seconds instead of what was
               defined in the Client Authentication properties.

Encryption

VPN

General:

          NFS did not work with encryption.

FWZ

          fwd crashes after loading policy when using FWZ

               When policy was reloaded while an encryption session was
               taking place, the fwd process crashed.

SKIP:

          Remote Object SKIP keys

               Fetching remote objects' SKIP keys modified the network
               object name and corrupted the objects.C file.

          Windows NT FireWall-1 runs out of memory

               A memory leak in SKIP and Manual IPSec packet handling caused
               Windows NT to run out of memory and get stuck after a while.

SPI Key Generation

               SPI Key Generation did not work on Windows and Motif GUI.

SecuRemote

SecuRemote RDP Packets

               The first encrypted packet in SecuRemote session caused, on
               Windows NT and Solaris2 for x86, an infinite loop of sending
               messages between fwd and the kernel.

Other

Code Generation

          Number of rules limitations

               The number of rules that can be used in the security policy
               was significantly increased.

          Network Object with net-mask 0.0.0.0 did not work properly.

               Using a network object with net-mask 0.0.0.0 (which is
               equivalent to "Any") was not treated properly in some cases.

Miscellaneous

          "fw fetch <hostname>" exits improperly upon failure.

               When the "fw fetch <hostname1> <hostname2>" command failed
               due to network time-out (i.e., hostname1 was unreachable),
               the process exited improperly, without trying to fetch the
               Security Policy from hostname2.

          Setting Name Resolving Properties

               Using the Properties/Resolving dialog box to set the order of
               the name resolution methods resulted in the wrong order when
               more than one option was used.

Routers Management

          Install On "All" does not apply to routers.

               When using the "All" object in the 'Install On' column, the
               rule was not enforced on routers.

Logging And Alerting

          Windows NT: Logging stops and machine crashes in fwstop

               After some time of proper operation, the log records from the
               FireWall Inspection Module were no longer sent. Trying to
               stop FireWall-1 at that point, using fwstop, crashed the
               machine with a CANCEL_STATUS_ON_COMPLETED_IRP Blue Screen.

          Logging Performance on Windows NT improvement

               The Windows NT logging rate was improved to handle around
               1000 log records per second. This should eliminate the 'Log
               record lost(s)' message from the Event Log.

          Mail alert default command

               The default command for Mail alerts was for Solaris2. Now it
               fits all Operating Systems.

Installation

          No license in the module after upgrading

               After an 'upgrade' mode installation on SunOS4 and Solaris2
               systems, the license embedded in the FireWall-1 module was
               deleted, resulting in a 'No valid FM license' error when
               trying to install the Security Policy. This is now fixed and
               the license is upgraded as well.

          Windows NT: Licenses installation fails

               Installation of long licenses (i.e., with a long list of
               features) through Windows NT FireWall-1 Configuration tool
               failed, while it succeeded through the command line 'fw
               putlic'.

------------------------------------------------------------------------

                         Known Bugs and Restrictions

Solaris 2.6

     1. FireWall-1 3.0b supports Solaris 2.6. Since previous FireWall-1
     versions cannot be installed on Solaris 2.6, you must upgrade your
     FireWall-1 software to 3.0b before upgrading the Operating System to
     Solaris 2.6.
     2. On Solaris 2.6 there is by default no dumb terminal in
     /usr/share/lib/terminfo/, which causes two problems:
        o During FireWall-1 installation, when selecting the Security
          Servers, the file $FWDIR/conf/fwauthd.conf is not modified
          (because the command ex -, which is used to edit the file, does
          not work in the absence of a dumb terminal) and all services
          remain secured by default.
        o For the same reason, the /etc/rcS.d/S30rootusr.sh file (a file
          needed for boot security) is not edited and so there is no boot
          security.

          Please contact Sun to obtain a patch for this problem.
     3. The X/Motif Log Viewer cannot run on Solaris 2.6. Please contact Sun
     to get a patch for this problem when it is available.
     4. When setting the boot security on Solaris 2.6, the file
     /etc/rcS.d/S30rootusr.sh gets corrupted, and the system fails to
     reboot. Before installing the software, please contact Sun for a patch
     that solves this problem.

Solaris 2.x

     1. When using encryption on Solaris 2.x machines, you must create
     certificate keys when defining network objects (you cannot do so during
     installation).
     2. After purging the Log, the Log itself is updated but the Log Viewer
     is not. To update the Log Viewer, refresh the window (move it or
     resize it, etc.).

Windows NT 4.0

FireWall-1 on Windows NT 4.0 with Service Pack 3 does not work properly with
RAS.

FireWall-1 SecuRemote

     1. Initial establishment of a new SecuRemote connection may take some
     time. Therefore, your first attempt to connect to a FireWall-1 server
     may fail. Manually typing the password before establishing the
     connection should help.
     2. SecuRemote does not work with static Network Address Translation.
     3. SecuRemote installation fails on some portable machines.

All Platforms

     1. The SMTP Security Server sends an LF symbol rather than a CR-LF for
     each line. This causes compatibility problems with some SMTP Servers.
     Please contact Sun for a patch for this problem.
     2. When the SMTP Security Server drops a mail message because its
     length exceeds the maximum size defined in a resource, it does not
     notify the mail client of the reason.
     3. When the SMTP Security Server drops a mail message because a
     resource does not allow 8 bit characters, it does not notify the mail
     client of the reason. Please contact Sun to obtain a patch for this
     problem.
     4. A FireWall-1 3.0b Management Station cannot properly manage 3.0
     FireWall Modules. You need to upgrade the FireWall Module to 3.0b as
     well.
     5. Using FireWall-1 Synchronization under a heavy load may crash the
     machine. Contact Sun for a patch that solves this problem.

------------------------------------------------------------------------

                          User Guide Clarifications

The following material clarifies subjects discussed in the FireWall-1 User
Guide.

Getting Started

Installing FireWall-1

Operating Systems

In Table 3-8 on page 87, the list of Solaris versions under Operating
Systems should read "Solaris 2.3, 2.4, 2.5 and 2.6".

Licenses

On page 105, any references to "serial number" should read "Certificate
Key."

Architecture and Administration

Security Servers

FTP Resources

When an FTP connection is mediated by the FireWall-1 FTP Security Server,
then the user's requested FTP commands and file names are matched against
the FTP Resource defined in the relevant rule.

     The FTP Security Server is invoked when a rule specifies an FTP
     Resource in the Service field and/or User Authentication in the
     Action field. If no FTP Resource is specified in the rule (that
     is, if the Security Server is invoked because the Action is User
     Authentication), then an FTP Resource of GET and PUT allowed for
     all files is applied.

FTP Resource Matching

FTP Resource matching consists of matching methods and file names.

Methods

Table 1 lists the FTP commands that correspond to the methods specified in
the FTP Resource definition.

                      Table 1: FTP actions and commands

   method (defined in      applies to these
   the FTP Resource)       FTP commands           meaning
   ---------------------   --------------------   --------------------
   GET                     RETR                   retrieve
                           RNFR                   rename from
                           XMD5                   MD5 signature
   PUT                     STOR                   store
                           STOU                   store unique
                           APPE                   append
                           RNFR                   rename from
                           RNTO                   rename to
                           DELE                   delete
                           MKD                    make directory
                           RMD                    remove directory

The FireWall-1 FTP Security Server passes all other FTP commands to the FTP
server for execution.

File Names

File name matching is based on the concatenation of the file name in the
command and the current working directory (unless the file name is already a
full path name) and comparing the result to the path specified in the FTP
Resource definition.

     When specifying the path name in the FTP Resource definition, only
     lower case characters and a directory separator character / can be
     used.

The Security Server modifies the file name in the command as follows:

   * for DOS, the drive letter and the colon (:) are stripped for relative
     paths
   * the directory separator character (/ or \) is replaced, if necessary,
     with the one appropriate to the FTP server's OS

In some cases, the Security Server is unable to resolve the file name, that
is, it is unable to determine whether the file name in the command matches
the file name in the resource.

Example - DOS

Suppose the current directory is d:\temp and the file name in the resource
is c:x. Then the Security Server is unable to determine the absolute path of
the file name in the command because the current directory known to the
Security Server is on disk D: and the file is on disk c:, which may have a
different current directory.

Example - Unix

If the file name in the command contains .. references which refer to
symbolic links, then it's possible that the file name in the command matches
the resource's path, but that the two in fact refer to different files.

When the Security Server cannot resolve a file name, the action it takes
depends on the Action specified in the rule being applied:

   * If the rule's Action is Reject or Drop, then the rule is applied and
     its Action taken.
   * If the rule's Action is Accept, Encrypt or Authenticate, then:

     If the resource path is * or there is no resource, the rule is applied.
     Otherwise, the rule is not applied. Instead, FireWall-1 scans the Rule
     Base and applies the next matching rule (which may be the default rule
     that drops everything). In this case, a potential problem is that the
     rules may specify different entries in their Track fields. For example,
     it may happen that the original rule specifies Accounting in the Track
     field while the rule that is applied does not.
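The following is an added example, not code from the User Guide or from
FireWall-1 itself: a small model of the FTP Resource matching rules above
(Table 1, file name resolution, and the unresolved-name decision). The '*'
wildcard semantics, case-insensitive comparison and the "next rule" result
for an ordinary mismatch are assumptions, marked in the code.

```python
import fnmatch
import posixpath
import re

# Table 1: the FTP commands each resource method covers (RNFR is in both).
METHOD_COMMANDS = {
    "GET": {"RETR", "RNFR", "XMD5"},
    "PUT": {"STOR", "STOU", "APPE", "RNFR", "RNTO", "DELE", "MKD", "RMD"},
}

_DRIVE = re.compile(r"^([A-Za-z]):(.*)$")   # DOS drive letter prefix


def methods_for(command):
    """Resource methods a command is matched against. An empty set means
    the Security Server passes the command to the FTP server unchecked."""
    command = command.upper()
    return {m for m, cmds in METHOD_COMMANDS.items() if command in cmds}


def resolve_name(cwd, name, server_os):
    """Concatenate cwd and the file name (unless it is already a full
    path), normalise separators to '/' and lower-case the result
    (case-insensitive comparison is an assumption). Returns None in the
    two unresolvable cases given in the text: a DOS name on a drive other
    than cwd's, or a Unix name with '..' components (may cross a symlink)."""
    if server_os == "dos":
        cwd_drive, cwd = _DRIVE.match(cwd).groups()    # cwd like d:\temp
        m = _DRIVE.match(name)
        if m:
            drive, name = m.groups()                   # strip "c:" prefix
            if drive.lower() != cwd_drive.lower():
                return None        # e.g. cwd d:\temp, name c:x
        name = name.replace("\\", "/")
        cwd = cwd.replace("\\", "/")
    elif ".." in name.split("/"):
        return None
    full = name if name.startswith("/") else posixpath.join(cwd, name)
    return posixpath.normpath(full).lower()


def apply_rule(rule, command, cwd, name, server_os):
    """Decide what one rule does for one FTP command.

    rule: {'action': Accept/Encrypt/Authenticate/Reject/Drop,
           'methods': set of 'GET'/'PUT', 'path': resource path or None}.
    A rule with path None has no FTP Resource, so GET and PUT are allowed
    for all files. Returns the rule's action, 'pass' for commands outside
    Table 1, or 'next rule' when FireWall-1 keeps scanning the Rule Base.
    """
    needed = methods_for(command)
    if not needed:
        return "pass"
    methods = rule["methods"] if rule["path"] is not None else {"GET", "PUT"}
    path = rule["path"] if rule["path"] is not None else "*"
    if not needed & methods:
        return "next rule"        # assumption: method mismatch -> next rule
    resolved = resolve_name(cwd, name, server_os)
    if resolved is None:
        # Unresolvable name: Reject/Drop apply anyway; Accept & co. apply
        # only when the resource path is * (or there is no resource).
        if rule["action"] in ("Reject", "Drop") or path == "*":
            return rule["action"]
        return "next rule"
    if fnmatch.fnmatchcase(resolved, path):   # assumed '*' semantics
        return rule["action"]
    return "next rule"
```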

Outgoing Connections

User Authentication and Resource rules are applied only to connections
incoming to a FireWalled machine. An outgoing connection originating on a
FireWalled machine will not be folded into a Security Server on that
machine, but will be dropped.

Authentication

ACE (SecurID)

On Windows NT, the sdconf.rec file is in the SYSTEM32 directory under the
directory in which Windows NT is installed.

Miscellaneous Security Issues

Verifying the Default Policy

You can verify that the default Security Policy is indeed loaded as follows:

     1. Boot the system.
     2. Before installing another Security Policy, type the following
     command:
      $FWDIR/bin/fw stat

     The command's output should show that defaultfilter is installed.

SYNDefender

The following text should be added at the end of the "The TCP SYN Flooding
Attack" section.

Choosing an Appropriate SYNDefender Method

As a first step, you should consider whether you need SYNDefender at all.
Since the SYN flooding attack is a "denial of service" attack rather than a
security breach, it may be more effective to deploy SYNDefender only after a
SYN attack actually occurs.

Another "low cost" alternative is to deploy SYNDefender Gateway, and if a
SYN attack occurs, to deploy SYNDefender Relay.

SYNDefender Gateway vs. SYNDefender Relay

SYNDefender Gateway is an effective defense method which divides the cost of
the defense between the FireWalled gateway and the server under attack. The
overhead for the server is similar to that of an established non-active
connection, of which a server can typically handle thousands. This
non-active connection only exists for the short timeout period (configured
with the GUI).

In SYNDefender Relay, the FireWalled gateway completely isolates the server
from SYN flooding attacks, that is, the connection is not passed to the
server until after its validity is verified. The cost is that the FireWalled
gateway must relay (with some overhead) every single TCP packet for the
lifetime of the connection. In contrast, with SYNDefender Gateway, the
gateway "forgets" about the connection after a short timeout period or after
the connection has been established.

In addition, problems may arise when a FireWall's Security Policy is
uninstalled, or when a FireWall is rebooted. Since every connection was
relayed by the FireWall, these connections become "confused," and the
network may be overloaded by the servers' futile attempts to resolve this
confusion.

In summary, if SYNDefender is required, start with SYNDefender Gateway. If
you find that your servers are coming under frequent SYN flooding attacks
(as apparent from the Log Files), and that your server performance
deteriorates as a result of the non-active (short timeout) connections
created for each attack attempt, then you should consider the SYNDefender
Relay method.

Passive SYNDefender Gateway is an inferior method to both SYNDefender
Gateway and SYNDefender Relay. The guidelines above refer to SYNDefender
Gateway rather than to Passive SYNDefender Gateway.

------------------------------------------------------------------------

                                Getting Help

If you have problems installing or using this product, call the appropriate
number listed in "After Installing FireWall-1" in Chapter 3 of Getting
Started with FireWall-1. If you cannot locate the number for your location,
call 1-800-SUNSOFT (1-800-786-7638) from anywhere in North America. From
other countries, call your Authorized Sunsoft Distributor or Reseller.

Please have the following information ready when you call:

   * model number of the system
   * serial number of the system

------------------------------------------------------------------------

Copyright 1997, Sun Microsystems, Inc. All rights reserved.
