Welcome to Zorp Professional (Zorp) version 3.4 and thank you for choosing our product. This document describes the new features and the most important changes since the previous release of Zorp. Its main aim is to help system administrators plan the migration to the new version. The following sections describe the news and highlights of Zorp 3.4, including the changes introduced in the Zorp 3.3FR1 feature release.
This document covers the Zorp Professional 3.4 product and its related components.
The latest release of Zorp Professional focuses on performance, security and stability improvements, in order to ensure reliable and controlled connectivity of your network infrastructure, while also delivering unique security features based on Zorp's proxy technology.
A number of proxies received updates and new features that can be applied in your environment to improve security. Several new proxies were also added, bringing the number of protocols directly supported by application-level gateways to 25, the largest number among proxy-based security gateway products.
Note: For step-by-step instructions on upgrading to 3.4, see How to upgrade to Zorp Professional 3.4 at http://www.balabit.com/support/documentation/.
Zorp 3.4 supports the following new protocol proxies and protocol features.
The new Xmlsec proxy extends the security features of Zorp into a new domain, providing control over SOAP and XML documents, which enterprise information systems commonly use to exchange data. Zorp fully supports SOAP, implements digital signature validation of XML documents, and also makes it possible to inspect or change the XML contents on the fly.
The complete XML exchange can be logged to the system log, or, with customization, only the relevant parts of it, so that the information is available for reporting without copying entire payloads into the log.
Zorp 3.4 can validate XML objects which are commonly used for data exchange between different services and applications, for example, using the SOAP protocol.
The Xmlsec proxy can validate the well-formedness of the XML, verify that it is a valid SOAP request, and also check the digital signature of the object. For details on using the Xmlsec proxy, see Section 4.29, Module Xmlsec in
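The checks described above, as an added example in Python that is not Zorp's own code: a SOAP 1.1 request is first bounded in size, then rejected if it carries a DTD (a gateway policy assumed here, not a SOAP rule), then parsed for well-formedness, and finally checked for the Envelope/Header/Body structure. Only the operation name is extracted for logging. Signature verification needs canonicalization and key material from an XML-DSig library, so this code only reports whether a ds:Signature element is present. The sample request is constructed, not captured traffic.

```python
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"   # SOAP 1.1 envelope namespace
DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"           # XML-DSig namespace

ENVELOPE = f"{{{SOAP_ENV}}}Envelope"
HEADER = f"{{{SOAP_ENV}}}Header"
BODY = f"{{{SOAP_ENV}}}Body"
SIGNATURE = f"{{{DSIG_NS}}}Signature"


def check_soap_request(data: bytes, max_bytes: int = 1 << 20) -> dict:
    """Validate one SOAP 1.1 request the way a gateway would before forwarding it.

    Returns a dict with:
      ok       -- True if the document passed every check
      reason   -- why it was rejected (empty when ok)
      body_op  -- qualified name of the first Body child (the operation), for logging
      signed   -- whether a ds:Signature element is present (presence only, not verified)
    """
    result = {"ok": False, "reason": "", "body_op": None, "signed": False}

    # Size limit first: cheap, and it bounds what the parser has to chew on.
    if len(data) > max_bytes:
        result["reason"] = "request exceeds size limit"
        return result

    # Gateway policy (assumption, not a SOAP rule): no DTDs at all. Internal
    # entities allow expansion attacks, external ones leak data; SOAP messages
    # have no legitimate use for either.
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
        result["reason"] = "DOCTYPE/ENTITY declarations are not allowed"
        return result

    # Well-formedness: expat raises on unbalanced tags, bad characters, etc.
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        result["reason"] = f"not well-formed XML: {exc}"
        return result

    # Structural SOAP 1.1 checks: Envelope root, exactly one Body, Header (if
    # any) before the Body, nothing else at envelope level (gateway policy).
    if root.tag != ENVELOPE:
        result["reason"] = "root element is not a SOAP 1.1 Envelope"
        return result
    tags = [child.tag for child in root]
    if tags.count(BODY) != 1:
        result["reason"] = "Envelope must contain exactly one Body"
        return result
    if HEADER in tags and tags.index(HEADER) != 0:
        result["reason"] = "Header must precede Body"
        return result
    if any(t not in (HEADER, BODY) for t in tags):
        result["reason"] = "unexpected element at Envelope level"
        return result

    operations = list(root.find(BODY))
    if not operations:
        result["reason"] = "Body carries no operation element"
        return result

    # Log the operation name rather than the whole document: enough for
    # reporting, without copying payload data into the system log.
    result["body_op"] = operations[0].tag
    result["signed"] = root.find(f".//{SIGNATURE}") is not None
    result["ok"] = True
    return result


# Constructed sample request (not captured traffic).
SAMPLE_REQUEST = b"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header/>
  <soap:Body>
    <m:GetQuote xmlns:m="urn:example:stock"><m:Symbol>BLBT</m:Symbol></m:GetQuote>
  </soap:Body>
</soap:Envelope>"""

if __name__ == "__main__":
    print(check_soap_request(SAMPLE_REQUEST))
```

The DTD check runs on the raw bytes before parsing on purpose: once expat has started expanding entities the damage is done, and the SOAP namespace check alone would not catch it.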
Zorp has always supported controlling the encrypted versions of HTTP, SMTP, IMAP, POP3, NNTP and LDAP, and offloading the encryption from the server to Zorp, which makes higher throughput possible. Zorp 3.4 adds support for the STARTTLS extension in the SMTP and FTP protocols, as described in RFC 2487 (SMTP) and RFC 4217 (FTP). Handling the encrypted connections is transparent to the user, and the same security controls can be applied to the encrypted and the non-encrypted versions of the protocols.
For details on using the new SSL framework, see Chapter 3, The Zorp SSL framework in
For details on using STARTTLS in the SMTP protocol, see Section 4.20, Module Smtp in
For details on using STARTTLS in the FTP protocol, see Section 4.6, Module Ftp in
SSL support has been integrated into the proxy core, thus all proxies are now SSL-capable by default. SSL parameters can be set up using the self.ssl.* attributes in each proxy without having to stack the proxy into a Pssl proxy. For details, see the Chapter 3, The Zorp SSL framework in
Zorp 3.4 allows you to control what kind of content is available for users accessing the Internet. Each URL is categorized based on the supplied database. Access can be allowed or rejected based on the category.
For details, see the Section 4.7.2.11, URL filtering in HTTP in
The authentication system in Zorp has traditionally supported X.509-based authentication using its out-of-band authentication mechanism via the Zorp Authentication Agent. Zorp 3.4 adds X.509-based authentication support for the RDP and SSH proxies, making it possible to integrate with enterprise PKI systems.
Directory services play a special role in enterprise environments: they contain all the user accounts, roles, groups and other vital information that helps system administrators manage networks with tens of thousands of users. The information in LDAP is important; protecting it is even more important. The Zorp LDAP proxy now allows you to protect this information even further by limiting the number of records that the LDAP server returns for a search, so that a single query cannot dump large parts of the directory.
Zorp is traditionally used in transparent mode, without having to install a client on user workstations. The SOCKS protocol is an alternative: clients ask a SOCKS gateway to open a connection to the outside world on their behalf. The new Socks proxy can be used to implement a SOCKS-based gateway on Zorp. Both SOCKSv4 and SOCKSv5 are supported. Zorp can also perform password-based, in-band authentication.
For details on using the Socks proxy, see Section 4.21, Module Socks in
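The two handshakes a SOCKS gateway has to parse, as an added example in Python (not Zorp's code): a SOCKSv4 CONNECT request with its NUL-terminated user ID, and the SOCKSv5 sequence of RFC 1928 with the username/password subnegotiation of RFC 1929. The gateway policy of refusing clients that do not offer username/password authentication, the credential store, and the sample messages are constructed assumptions.

```python
import hmac
import ipaddress
import struct

# Constructed credential store; a real gateway would query its auth backend.
USERS = {"alice": b"s3cret"}


def parse_socks4_request(data: bytes) -> dict:
    """SOCKSv4 request: VN(1)=4 CD(1) DSTPORT(2) DSTIP(4) USERID NUL."""
    if len(data) < 9 or data[0] != 4:
        raise ValueError("not a SOCKSv4 request")
    cmd = data[1]
    port = struct.unpack("!H", data[2:4])[0]
    host = str(ipaddress.IPv4Address(data[4:8]))
    nul = data.index(b"\x00", 8)           # USERID is NUL-terminated
    user = data[8:nul].decode("ascii")
    return {"version": 4, "cmd": cmd, "host": host, "port": port, "user": user}


def socks4_reply(granted: bool) -> bytes:
    """VN(1)=0 CD(1): 0x5a granted / 0x5b rejected, then unused port and IP."""
    return b"\x00" + (b"\x5a" if granted else b"\x5b") + b"\x00" * 6


class Socks5Server:
    """Drive the SOCKSv5 server state machine one client message at a time.
    feed() returns the bytes to send back; .request holds the parsed CONNECT
    once the handshake is complete."""

    USERPASS = 0x02
    NO_ACCEPTABLE_METHODS = b"\x05\xff"

    def __init__(self, users):
        self.users = users
        self.state = "greeting"
        self.user = None
        self.request = None

    @staticmethod
    def _reply(rep: int) -> bytes:
        # VER REP RSV ATYP=IPv4 BND.ADDR=0.0.0.0 BND.PORT=0
        return b"\x05" + bytes([rep]) + b"\x00\x01" + b"\x00" * 6

    def feed(self, data: bytes) -> bytes:
        if self.state == "greeting":
            # VER(1)=5 NMETHODS(1) METHODS
            if len(data) < 2 or data[0] != 5 or len(data) != 2 + data[1]:
                raise ValueError("bad SOCKSv5 greeting")
            # Gateway policy (assumption): insist on username/password, never NO AUTH.
            if self.USERPASS not in data[2:]:
                self.state = "closed"
                return self.NO_ACCEPTABLE_METHODS
            self.state = "auth"
            return b"\x05\x02"

        if self.state == "auth":
            # RFC 1929: VER(1)=1 ULEN UNAME PLEN PASSWD
            if len(data) < 3 or data[0] != 1:
                raise ValueError("bad username/password subnegotiation")
            ulen = data[1]
            uname = data[2:2 + ulen].decode("utf-8")
            plen = data[2 + ulen]
            passwd = data[3 + ulen:3 + ulen + plen]
            # Constant-time comparison of the password bytes.
            if uname in self.users and hmac.compare_digest(self.users[uname], passwd):
                self.user, self.state = uname, "request"
                return b"\x01\x00"
            self.state = "closed"
            return b"\x01\x01"                # any non-zero status means failure

        if self.state == "request":
            # VER(1)=5 CMD(1) RSV(1) ATYP(1) DST.ADDR DST.PORT(2)
            if len(data) < 4 or data[0] != 5:
                raise ValueError("bad SOCKSv5 request")
            cmd, atyp = data[1], data[3]
            if atyp == 0x01:
                host, off = str(ipaddress.IPv4Address(data[4:8])), 8
            elif atyp == 0x03:
                n = data[4]
                host, off = data[5:5 + n].decode("ascii"), 5 + n
            elif atyp == 0x04:
                host, off = str(ipaddress.IPv6Address(data[4:20])), 20
            else:
                return self._reply(0x08)      # address type not supported
            port = struct.unpack("!H", data[off:off + 2])[0]
            if cmd != 0x01:
                return self._reply(0x07)      # only CONNECT is allowed here
            self.request = {"version": 5, "cmd": cmd, "host": host,
                            "port": port, "user": self.user}
            self.state = "established"
            return self._reply(0x00)

        raise ValueError(f"no message expected in state {self.state}")
```

Note that the v5 request is only parsed after authentication succeeded, so the destination host and port, which are what the gateway's access-control decision is based on, are always attributed to an authenticated user. A SOCKSv4 user ID, by contrast, is an unauthenticated string and should only ever be logged, never trusted.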
A new feature of the Zorp Ftp proxy allows the proxy to authenticate the user and make access-control decisions based on user name and group information. The Ftp proxy also includes the following new features and corrections:
The Ftp proxy now supports FTPS (FTP over SSL) connections.
In-band authentication is now supported. The USER/PASS FTP commands can now be used for both FTP and Zorp authentication.
Connections were dropped when a PASV command failed. This has been corrected.
For details, see Section 4.6, Module Ftp in
Performance improvements were also a focus in the development of Zorp 3.4. The following changes serve this purpose:
The new kernel of Zorp features improved packet processing speed and better scalability to multiple CPUs.
Zorp 3.4 is built on a fully 64-bit operating system, which makes it possible to fully exploit the features of current server-grade Intel and AMD CPUs.
The packages of the new operating system were also upgraded, including the GLib, libc6 and Python libraries, which contain performance enhancements as well.
The updated operating system provides support for a large number of new devices, making it much easier to deploy Zorp on current server hardware. The support for 32-bit CPUs is discontinued. For details about the effects of this change, see Section 4, Main changes of the system resulting from the upgrade in
The new version of the iptables packet-filtering utility includes some important changes that may affect your packet-filtering rules. For details, see Section 7, Main changes in the Zorp configuration in
New push-options can be set for OpenVPN connections, including , , and several flags for the option. For details, see Section 18.4.2, SSL options in
The statistics returned by zorpctl include the following new elements: number of sessions started, average connection rate per service, average and maximum number of parallel connections per service, and number of sessions per zone.
A new, simplified installer is available for Zorp 3.4. For details, see Zorp 3.4 Installation Guide.
The /proc/tcp_loose option (the connection tracking tcp_loose setting) is set to 0 by default, so that packets of TCP connections whose SYN was never seen do not create new conntrack entries; this prevents the CONNTRACK table from filling up.
The order of looking up dispatchers for incoming connections has changed: instead of interface groups, the interface matches are selected first. That way, exceptions to interface groups can be handled more easily.
The client_enable_renegotiation and server_enable_renegotiation options of SSL-encrypted connections are no longer needed and are therefore unsupported in Zorp 3.4.
© 2007-2011 BalaBit IT Security
Please send your comments or documentation bugs to: documentation@balabit.com