As we bid farewell to 2020, we welcome 2021 with a brand new AccessEnforcer release! This release introduces a slew of new Gatekeeper features and many exciting changes. We've listened to your feedback: Gatekeeper no longer requires Active Directory, it can protect Internet of Things devices, and so much more. Let's dive into the nuts and bolts of AccessEnforcer v5.0.2!
By popular demand, Gatekeeper no longer requires Active Directory to work! You can now create users directly on AccessEnforcer itself using the "Local (Gatekeeper)" type, and you will be able to use them for Gatekeeper.
Setting up Gatekeeper for local users is as simple as 1-2-3:
On Users > User Management:
On Security > Network > Gatekeeper:
➡️ Learn how to set up a portal with Gatekeeper's new Local Backend
When we first introduced Gatekeeper, we made it to protect RDP. By enabling users to authenticate against Gatekeeper before accessing RDP, our Gatekeeper users' RDP services are shielded from the Internet, away from cybercriminals and ransomware peddlers. Gatekeeper also allowed many users to work from home, thus staying safe in the midst of the current pandemic. We're super proud of these achievements, which is why we're also super excited to share the next evolution of Gatekeeper!
Apart from RDP, there is a myriad of things exposed to the Internet:
Often these are exposed via port forwarding rules over the HTTP or HTTPS ports without any access control. As a result, these services are probed and end up on sites like Shodan, which let anyone, including the very same cybercriminal gangs who target RDP, search for them and do all sorts of malicious things. Scary!
What should we do?
Enter Gatekeeper. Starting with this release, Gatekeeper now supports the HTTPS protocol so you can protect these HTTPS-based services with the same ease of use and simplicity that Gatekeeper is known for.
You can even define the URLs so that your end users have convenient clickable links to access after authentication. With HTTPS, users see a timer to indicate how much time they have in order to complete their task.
See for yourself how easy it is for end users to securely access your HTTPS devices with Gatekeeper!
We have recently learned from the SolarWinds incident how persistent our wily adversaries are, so every step we can take to defend our clients' networks will collectively make a huge difference... and keep us out of Shodan!
➡️ Learn more about the new Gatekeeper HTTPS rule type
RDP and HTTPS are not the only protocols we support for Gatekeeper.
Do you have Mac or Linux users who don't use RDP but need graphical access to their systems? This release allows Gatekeeper to work with VNC too.
The Gatekeeper VNC connection options allow the user to specify the VNC username, password, and whether to connect in view-only mode:
If you have Linux/UNIX users who want to use SFTP, Gatekeeper now also supports SFTP for secure file transfers over SSH too.
The Gatekeeper SFTP connection options allow the user to specify the username that should be used for the SFTP connection.
Prior to this release, some users reported difficulties when the RDP server prompted them to change their password while they were connected over Gatekeeper.
Based on that valuable feedback we have improved Gatekeeper in this release so that the password change process is more seamless than before.
The Setup > Network > Domain Names and Certificates page now has a new button called "Use for web GUI". This lets you pick the domain and cert that you want to use for the AccessEnforcer GUI, instead of Gatekeeper.
The Home > DHCP Clients page has been totally rewritten to add some powerful new features! Now you can make reservations directly from the page!
There's now a new "DHCP Info" column that shows whether the lease in the table is a regular lease or a reservation.
But the biggest and most requested feature is you can now create DHCP reservations directly from the page itself!
The new "Controls" column now includes two new options:
So now you can easily create and delete DHCP reservations without reservation!
Brace yourselves -- crypto algorithms ahead!
We've added a boatload of new algorithms to the IPsec feature to help ensure that you can set up IPsec tunnels to whatever devices are out there.
Starting with this release IPsec now supports AES-GCM (Galois Counter Mode) as an option for the Phase 2 Traffic Encryption Algorithm. AES-GCM does both encryption and authentication in one step so it tends to be faster than the regular AES operation modes. We also added support for AES-CTR (Counter Mode).
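To see what "encryption and authentication in one step" means in practice, here is an added example (not AccessEnforcer code) that flips one ciphertext bit in transit under AES-GCM and under AES-CTR used without an authentication algorithm. The key, SPI, salt and payload are constructed; the nonce and AAD layout follows the ESP convention in RFC 4106, and the AES-CTR half uses a fixed counter block for the demo only.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// Constructed sample key; a real tunnel derives its keys during IKE.
var key = []byte("0123456789abcdef")

// GCMRoundTrip seals payload ESP-style (AAD = SPI || sequence number),
// optionally flips one ciphertext bit in transit, then opens it.
func GCMRoundTrip(payload []byte, tamper bool) ([]byte, error) {
	block, _ := aes.NewCipher(key) // a 16-byte key is always accepted
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := []byte{0xde, 0xad, 0xbe, 0xef, 0, 0, 0, 0, 0, 0, 0, 1} // 4-byte salt || 8-byte IV
	aad := make([]byte, 8)
	binary.BigEndian.PutUint32(aad, 0x1001) // SPI (constructed)
	binary.BigEndian.PutUint32(aad[4:], 1)  // sequence number
	ct := gcm.Seal(nil, nonce, payload, aad) // ciphertext || 16-byte tag
	if tamper {
		ct[4] ^= 0x08 // flips '1' to '9' in the sample payload
	}
	return gcm.Open(nil, nonce, ct, aad) // fails if ciphertext or AAD changed
}

// CTRRoundTrip runs the same test with AES-CTR and no authentication algorithm.
func CTRRoundTrip(payload []byte, tamper bool) []byte {
	block, _ := aes.NewCipher(key)
	iv := make([]byte, aes.BlockSize) // fixed counter block, for the demo only
	buf := append([]byte{}, payload...)
	cipher.NewCTR(block, iv).XORKeyStream(buf, buf) // encrypt in place
	if tamper {
		buf[4] ^= 0x08
	}
	cipher.NewCTR(block, iv).XORKeyStream(buf, buf) // decrypt in place
	return buf
}

func main() {
	msg := []byte("PAY 100") // constructed payload
	_, err := GCMRoundTrip(msg, true)
	fmt.Println("AES-GCM, tampered:", err)
	fmt.Printf("AES-CTR, tampered: %q\n", CTRRoundTrip(msg, true))
}
```

AES-GCM rejects the modified packet, while AES-CTR on its own decrypts it to a different message without complaint, which is why AES-CTR should always be paired with a Phase 2 Traffic Authentication Algorithm.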
In addition, we added a bunch of Diffie-Hellman groups: Elliptic Curve Groups modulo a Prime (ECP), Brainpool, and X25519.
In total, we added 18 new algorithms!
New Phase 2 Traffic Encryption Algorithms:
New Phase 2 Traffic Authentication Algorithms:
New Phase 1 and 2 Diffie-Hellman Groups:
We made a few tweaks too, like marking the old Diffie-Hellman groups 1, 2, and 5 as "Not recommended" because they are vulnerable to the Logjam attack. We also removed the never-used Authentication Header (AH) mode.
We also made a lot of fixes and improvements in Multi-WAN. It's pretty nitty-gritty stuff, but the end result is that AccessEnforcers that use Multi-WAN will be more reliable than before, especially in failover situations.
Here's what we did to improve failover on Multi-WAN systems:
Apart from that, we also fixed two minor bugs:
Lastly, we made a bunch of internal security improvements. These are not visible to the user but we felt that we should briefly mention them too:
We hope you enjoy this release of AccessEnforcer! We've already started working on the next great release! In the meantime, we would really appreciate your reviews on Google or Facebook.