No Active Directory Necessary for AE 5.0.2 & Other Features, Changes

As we bid farewell to a 2020, we welcome 2021 with a brand new AccessEnforcer release! This release introduces a slew of new Gatekeeper features and many exciting changes. We've listened to your feedback and no longer require active directory, can protect Internet of Things devices, and so much more. Let's dive  into the nuts and bolts of AccessEnforcer v5.0.2!

No Active Directory? No Problem!

By popular demand, Gatekeeper no longer requires Active Directory to work! You can now create users directly on AccessEnforcer itself using the "Local (Gatekeeper)" type, and you will be able to use them for Gatekeeper.

Setting up Gatekeeper for local users is as simple as 1-2-3:

  1. Add users on the Users > User Management page; specify "Local (Gatekeeper)" as their User Type
  2. Create a Gatekeeper portal and select Local as the Backend Type
  3. Invite the users to Gatekeeper like you normally would!
On Users > User Management:
On Security > Network > Gatekeeper:

➡️ Learn how to set up a portal with Gatekeeper's new Local Backend

Protect the Internet of Things with Gatekeeper HTTPS!

When we first introduced Gatekeeper, we made it to protect RDP. By enabling users to authenticate against Gatekeeper before accessing RDP, our Gatekeeper users' RDP services are shielded from the Internet, away from cybercriminals and ransomware peddlers. Gatekeeper also allowed many users to work from home, thus staying safe in the midst of the current pandemic. We're super proud of these achievements which is why we're also super excited to share the next evolution of Gatekeeper!

Apart from RDP, there is a myriad of things exposed to the Internet:

  • Webservers
  • Security cameras
  • DVRs
  • Managed switches
  • IP power controllers
  • Phone systems and PBXes
  • HVAC systems
  • Integrated Dell Remote Access Controllers (iDRAC)
  • HP Integrated Lights-Out (ILO) servers
  • Network Access Storage (NAS) devices
  • Backup systems
  • Virtual machine hosts (e.g. ESXi)
  • Alarm systems
  • Postage meters (e.g. Pitney Bowes)
  • Door controllers
  • And on and on...

Often these are exposed via port forwarding rules over the HTTP or HTTPS ports without any access control. As a result, these services are probed and end up on sites like Shodan which allow anyone to search for them and perform all sorts of malicious things -- including the very same cybercriminal gangs who target RDP. Scary!

What should we do?

Enter Gatekeeper. Starting with this release, Gatekeeper now supports the HTTPS protocol so you can protect these HTTPS-based services with the same ease of use and simplicity that Gatekeeper is known for.

You can even define the URLs so that your end users have convenient clickable links to access after authentication. With HTTPS, users see a timer to indicate how much time they have in order to complete their task.

See for yourself how easy it is for end users to securely access your HTTPS devices with Gatekeeper!

We have recently learned from the SolarWinds incident how persistent our wily adversaries are, so every step we can take to defend our clients' networks will collectively make a huge difference... and keep us out of Shodan!

➡️ Learn more about the new Gatekeeper HTTPS rule type

Gatekeeper: VNC and SFTP Protocols

RDP and HTTPS are not the only protocols we support for Gatekeeper.

Do you have Mac or Linux users who don't use RDP but need graphical access to their systems? This release allows Gatekeeper to work with VNC too.

The Gatekeeper VNC connection options allow the user to specify the VNC username, password, and whether to connect in view-only mode:

If you have Linux/UNIX users who want to use SFTP, Gatekeeper now also supports SFTP for secure file transfers over SSH too.

The Gatekeeper SFTP connection options allow the user to specify the username that should be the SFTP connection.

Gatekeeper: RDP Password Change Prompts

Prior to this release, some users reported some difficulties when the RDP server prompts them to change their password while they're connected over Gatekeeper.

Based on that valuable feedback we have improved Gatekeeper in this release so that the password change process is more seamless than before.

Selecting a Domain Name/Cert for the AccessEnforcer GUI

The Setup > Network > Domain Names and Certificates page now has a new button called the "Use for web GUI". This lets you pick the domain and cert that you want to use for the AccessEnforcer GUI, instead of Gatekeeper.

New DHCP Clients page

The Home > DHCP Clients page has been totally rewritten to add some powerful new features! Now you can make reservations directly from the page!

There's now a new "DHCP Info" column shows whether the lease on the table is a regular lease or a reservation.

But the biggest and most requested feature is you can now create DHCP reservations directly from the page itself!

The new "Controls" column now includes two new options:

  • Convert Lease to Reservation: This does what it says on the label, which is it lets you convert the current lease into a reservation
  • Delete Reservation: This also does what it says on the label!

So now you can easily create and delete DHCP reservations without reservation!

IPsec VPN Algorithms Galore!

Brace yourselves -- crypto algorithms ahead!

We've added a boatload of new algorithms to the IPsec feature to help ensure that you can set up IPsec tunnels to whatever devices are out there.

Starting with this release IPsec now supports AES-GCM (Galois Counter Mode) as an option for the Phase 2 Traffic Encryption Algorithm. AES-GCM does both encryption and authentication in one step so it tends to be faster than the regular AES operation modes. We also added support for AES-CTR (Counter Mode).

In addition, we also added a bunch of Diffie-Hellman groups: Elliptic Curve Groups module Prime (ECP), Brainpool, and X25519.

In total, we added 18 new algorithms!

New Phase 2 Traffic Encryption Algorithms:

  • 128 bit AES-GCM
  • 192 bit AES-GCM
  • 256 bit AES-GCM
  • AES-CTR (legacy)
  • 128 bit AES-CTR
  • 192 bit AES-CTR
  • 256 bit AES-CTR

New Phase 2 Traffic Authentication Algorithms:

  • HMAC-RIPEMD160 (IKEv2 only)
New Phase 1 and 2 Diffie-Hellman Groups:

  • Group 19 (ECP 256 bits)
  • Group 20 (ECP 384 bits)
  • Group 21 (ECP 521 bits)
  • Group 25 (ECP 192 bits)
  • Group 26 (ECP 224 bits)
  • Group 27 (Brainpool 224 bits)
  • Group 28 (Brainpool 256 bits)
  • Group 29 (Brainpool 384 bits)
  • Group 30 (Brainpool 512 bits)
  • Curve25519 (X25519) (IKEv2 only)

We made a few tweaks too, like marking the old Diffie-Hellman groups 1, 2, and 5 as "Not recommended" because they are vulnerable to the Logjam vulnerability. We also removed the never-used Authentication Header (AH) mode.

Multi-WAN Improvements

We also made a lot of fixes and improvements in Multi-WAN. It's pretty nitty-gritty stuff, but the end result is that AccessEnforcers that use Multi-WAN will be more reliable than before, especially in failover situations.

Here's what we did to improve failover on Multi-WAN systems:

  • We fixed a bug where the outbound filtering rules might not apply to the correct WAN interfaces after a WAN interface link/Internet status has changed.
  • We fixed a bug where outbound DNS traffic might fail if one WAN interface loses Internet connectivity.
  • We fixed a bug to prevent "stray" packets from appearing on a WAN interface after a WAN interface link/Internet status has changed.
  • We ensured that the latest network interface states are used when outbound filtering rules are generated.

Apart from that, we also fixed two minor bugs:

  • where the duplex information of a network interface is not shown under certain conditions.
  • where the WAN interface gateway could not be obtained under certain conditions.

Security improvements

Lastly, we made a bunch of internal security improvements. These are not visible to the user but we felt that we should briefly mention them too:

  • The AccessEnforcer GUI's HTTPS server now uses these new security response headers: Content-Security-Policy, X-Content-Type-Options, and X-XSS-Protection. This will help mitigate possible web application vulnerabilities and improve PCI compliance.
  • The AccessEnforcer GUI now uses better authentication token management.
  • Internal passwords for SMTP filtering now use an improved hashing algorithm.
  • We applied multiple OpenBSD errata.

Spread the Word

We hope you enjoy this release of AccessEnforcer! We've already started working on the next great release! In the meantime, we would really appreciate your reviews on Google, or Facebook.

Find out what one of our customers has to say about the value of AccessEnforcer. Download our latest case study today!

Written by Calyptix

 - January 29, 2021

About Us

Calyptix Security helps small and medium offices secure their networks so they can raise profits, protect investments, and control technology. Our customers do not waste time with security products designed for large enterprises. Instead, we make it easy for SMBs to protect and manage networks of up to 350 users.
call us
linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram