Product Information Bulletin. Clearswift SECURE Gateway 4.7


Product Information Bulletin Clearswift SECURE Email Gateway 4.7 November 2017

Copyright

Published by Clearswift Ltd.

© 1995-2017 Clearswift Ltd. All rights reserved.

The materials contained herein are the sole property of Clearswift Ltd unless otherwise stated. The property of Clearswift may not be reproduced or disseminated or transmitted in any form or by any means electronic, mechanical, photocopying, recording, or otherwise stored in any retrievable system or otherwise used in any manner whatsoever, in part or in whole, without the express permission of Clearswift Ltd.

Information in this document may contain references to fictional persons, companies, products and events for illustrative purposes. Any similarities to real persons, companies, products and events are coincidental and Clearswift shall not be liable for any loss suffered as a result of such similarities.

The Clearswift Logo and Clearswift product names are trademarks of Clearswift Ltd. All other trademarks are the property of their respective owners.

Clearswift Ltd. (registered number 3367495) is registered in Britain with registered offices at 1310 Waterside, Arlington Business Park, Theale, Reading, Berkshire RG7 4SA, England.

Users should ensure that they comply with all national legislation regarding the export, import, and use of cryptography. Clearswift reserves the right to change any part of this document at any time.

Contents

- Overview
- New Features
  - Postfix MTA support
  - TLS enhancements
  - STIG hardening
  - Bypass bad-data error conditions
  - Sanitize and Redact JPEG image properties
  - GDPR EU Regional (PII) Policies
  - Message tracking
  - Encryption Enhancements
  - Property Name scanning enhancements
- Enhancement requests
- Bug fixes
- Availability
- Interoperability
- End of life
- Platform support
- Packaging

Overview

This new release delivers a number of customer enhancement requests, as well as additional security features for the Clearswift SECURE Email Gateway. The new features are briefly summarized below, and examined in more detail on the following pages:

- Postfix
- TLS enhancements
- STIG hardening
- Bypass bad-data error conditions
- Sanitize and Redact JPEG image properties
- GDPR regional PII tokens
- Message Tracking Retention period
- Property Name scanning enhancements

New Features

Postfix MTA support

- Postfix offers defined interfaces that make message interception simpler
- Postfix offers more features with good performance
- Considered a secure MTA for use in military deployments

Sendmail was originally developed in 1982 and, while it has been a common MTA, in recent years its popularity has declined compared to newer MTAs such as Postfix and Exim, which offer better performance and greater security.

[Figure: Top Mail Server Market Share]

One of the major drawbacks of Sendmail was its monolithic structure. Postfix is more modular, with defined APIs permitting easier integration with content inspection technologies in the Gateway. If a security vulnerability is identified, patching Postfix becomes much easier with these defined APIs, enabling customers' systems to be made resilient in a much shorter timeframe. The APIs and the number of available Postfix extensions will allow Clearswift to introduce new and innovative features for many more years.

TLS enhancements

- Opportunistic and Mandatory modes
- More flexible configurations for outbound connections
- Support for Subject Alternate Names

By changing the MTA from Sendmail to Postfix, we provide a number of new features, mainly for use in TLS and Address Rewriting. Most people will be using TLS. This has changed in this release so that you can now:

- Define a default TLS version for outbound connections, then override the default version setting on a per-connection basis, which could be for one or more domains
- Define a default TLS cipher for outbound connections, then override the default cipher setting on a per-connection basis, which could be for one or more domains
- Validate certificates by their Subject Alternate Name certificate details for outbound connections

[Figure: Granular Outbound connection TLS properties]

As part of the integration of Postfix, the Gateway interface has undergone cosmetic changes to make the deployment of TLS easier for customers.
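The default-plus-override model and the Subject Alternate Name check described above, sketched in Python as an added illustration. This is not Clearswift or Postfix code: the domain names, policy values and the helper names policy_for, build_context and san_matches are assumptions made for the example.

```python
import ssl
from dataclasses import dataclass

@dataclass(frozen=True)
class TlsPolicy:
    min_version: ssl.TLSVersion   # lowest TLS version offered to the peer
    ciphers: str                  # OpenSSL cipher string (governs TLS 1.2 and below)

# Constructed sample policy: one default, overridden for specific domains.
DEFAULT_POLICY = TlsPolicy(ssl.TLSVersion.TLSv1_2, "HIGH:!aNULL:!MD5")
OVERRIDES = {
    "partner.example": TlsPolicy(ssl.TLSVersion.TLSv1_2, "ECDHE+AESGCM"),
    ".bank.example": TlsPolicy(ssl.TLSVersion.TLSv1_3, "ECDHE+AESGCM"),  # subdomains only
}

def policy_for(domain):
    """Return the override for a recipient domain, else the default policy."""
    name = domain.lower().rstrip(".")
    if name in OVERRIDES:
        return OVERRIDES[name]
    labels = name.split(".")
    for i in range(1, len(labels)):          # parent domains, most specific first
        parent = "." + ".".join(labels[i:])
        if parent in OVERRIDES:
            return OVERRIDES[parent]
    return DEFAULT_POLICY

def build_context(policy):
    """Client context that enforces the policy and verifies the server certificate."""
    ctx = ssl.create_default_context()       # CERT_REQUIRED plus hostname checking
    ctx.minimum_version = policy.min_version
    ctx.set_ciphers(policy.ciphers)
    return ctx

def san_matches(cert, hostname):
    """SAN-only name check on a dict shaped like SSLSocket.getpeercert().

    The ssl module performs this check itself during the handshake; the rule
    is spelled out here to show what validating by SAN means: dNSName entries
    only, no fallback to the subject commonName, and a wildcard that covers
    exactly one leftmost label.
    """
    host = hostname.lower().rstrip(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        pattern = value.lower().rstrip(".")
        if pattern == host:
            return True
        if pattern.startswith("*."):
            head, _, rest = host.partition(".")
            if head and rest == pattern[2:]:
                return True
    return False
```
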

STIG hardening

- Defined by DISA
- Guidelines for more secure deployments of standard COTS products (operating systems, web servers & databases)
- Automatically applied
- 55 recommendations implemented in 4.7

Ensuring system security is fully maintained against industry best practice is paramount. The Gateways now include conformance to a number of security recommendations created by the Defense Information Systems Agency (DISA), who have crafted the Security Technical Implementation Guides (STIGs). The STIGs contain technical guidance to "lock down" information systems/software that might otherwise be vulnerable to a malicious computer attack.

In 4.7 there are 55 recommendations that have been applied, and each Gateway release will contain progressively more. These security recommendations are automatically applied on installation and upgrade, and customers can view the STIGs report by logging into the console and accessing the report here:

/opt/csrh/stig/reports/cs-remediation-report.html

The report is in HTML so it is advisable to get the file off the Gateway using FTP/SFTP or a similar process.

[Figure: Example STIG report]

In most cases the Sysadmin will not notice any changes, but some of the more obvious ones are:

- NTP enabled by default on install and upgrade
- Increased auditing of user actions in Console and terminal windows
- New console (not SSH) message prior to login
- New logon message after login prior to the Console loading

Bypass bad-data error conditions

- Allows customers to override file processing failures
- Bad-data rule split into processing failure and bad-data

As part of message processing, the Clearswift Deep Content Inspection (DCI) engine will inspect the structure of the message and any attachments. If the DCI finds errors in the message structure caused by the mail client that created the message, or in the structure of an attachment, the Gateway will legitimately block the message, as the errors could in fact be some type of new exploit that may affect the mail client (e.g. Outlook) or the tool used to open the attachment (e.g. Word).

There will be some customers who are trying to send out data that might have been created using a 3rd-party PDF tool. Unfortunately, this application creates files with a structure that is technically incorrect and would be blocked by the Gateway, but can still be opened by most PDF clients.

Therefore, customers can use the new Detect Malformed Data content rule to determine which file formats to block and which to ignore; in the example above, they would configure the policy to exclude PDF files from being held.

[Figure: Example - Exclude PDF files from Message Processing Failures]

Sanitize and Redact JPEG image properties

- Allows redaction of image properties
- Allows sanitization (removal) of image properties
- Included as part of Data Redaction / Document Sanitization Licenses

Previously, the Redaction and Document Sanitization features were limited to Text, Documents, Message bodies, and Web Pages. This version allows customers with the appropriate license to inspect image meta data and optionally redact items or remove properties. This is particularly important to organizations where:

- the exact location the picture was taken is sensitive
- the time that the picture was taken is sensitive, or
- the device used to take the picture is sensitive

[Figure: Example - Image meta data showing GPS location where picture was taken]

The Redaction features can redact specific text from the properties, or some or all of the image meta data may be removed.

[Figure: Example - Image properties following redaction of the text "iphone"]

GDPR EU Regional (PII) Policies

- Consistent set of PII tokens to cover Passport, Social Security / Driving License and National Identity (where applicable)
- Covering 28 countries

With heavy penalties for Data Loss under the regulations of GDPR, coming into force in May 2018, customers need to ensure that Personal Identifiable Information (PII) data is controlled.

[Table: PII Tokens added in 4.7. Columns: Passport, Social Security, Driving License, Identity Card. Legend: 4.6, 4.7. Rows: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, UK]

Clearswift products have been extended to support a much wider range of entries, allowing a greater chance to protect employee and customer data from being lost.

Message tracking

- Can be extended to support storing 2 years' worth of data
- Shows inbound TLS traffic
- Show Log output differs because the Postfix log file is different from Sendmail's

Customers can now extend their Tracking and Report retention settings to hold up to 2 years' worth of data. This will increase the amount of disk space used by the system, and reports over extended periods of time may have an effect on system performance.

When a message was tracked in previous versions, Message Tracking would only show whether TLS was used for outbound connections. It has now been extended to show, when a connection is received, whether it came over TLS.

Encryption Enhancements

- Uses cryptographic message syntax for better compatibility with other solutions
- Default S/MIME signature algorithm now SHA256

The SECURE Email Gateway now uses Cryptographic Message Syntax (CMS) by default for S/MIME message processing to provide better compatibility with other cryptographic solutions and advancing compliance requirements.

The default for the S/MIME signature algorithm has been changed from SHA1 to SHA256. The new setting is more secure and affects signature processing as well as certificate generation. However, if you have used the Gateway UI to create a CA for S/MIME you may need to recreate it following this change in order to ensure a consistent use of the new algorithm throughout the whole certificate chain.

Property Name scanning enhancements

- Allows customers to search through document/image properties without having to know the exact name
- Can search all properties except a named property for text

In situations where you know that text could exist in a property, but are unsure in which property it may be stored, you can simply add a ! character in the property name used by the Analyze Properties content rule.

For example, to scan all properties to check for the term Secret you can use a single ! character.

If you want to scan for content in properties, but not the Author property, the ! character can be used to negate that property value.

Enhancement requests

The following customer-reported enhancement requests have been implemented in this release.

ER#          Summary
MAIL-6572    Extension of Retention Time within the Tracking and Report Settings
MAIL-5307    Message Tracking not showing TLS for inbound message
MAIL-7891    Allow peering using NIC not reserved for Web UI use
MAIL-7194    Support the use of wildcard in Connection profile for Certificate Subject Validation
MAIL-11104   Add regional keyboard layouts for Greek, Turkey, Norway and Japan
MAIL-6542    Reclassify Action
MAIL-6737    Support for mmap files
MAIL-7561    TLS Handshake failed email not sent in clear text
MAIL-1532    Support address rewriting with partially wildcarded users

Bug fixes

A number of client-reported bugs have been fixed in this release. Please see the release notes for more information.

Availability

Phase                  Date
General Availability   November 2017

Interoperability

It is possible [1] to peer a Version 4.7 Gateway with an existing Version 3.x Gateway, although it will not be possible to share policy due to the different levels of functionality in the later products.

It will be possible to import a 3.8 configuration into a V4.6 system, thus saving deploying a V4.0 (or 4.1 to 4.3) and then upgrading that to V4.7.

End of life

This release will signal the start of the SEG 4.5 end of life program. Version 4.5's EOL program will last 12 months (as defined in the Support Services handbook) and will reach end of life on 7th November 2018.

[1] Peering a V4.4 or later Gateway with SEG 3.8 requires some modification of the TLS ciphers used for Peer communications.

Platform support

Clients with low memory and low disk space systems might find their hardware is no longer suitable and will need to refresh their hardware / virtual systems, especially if they intend to set up 2 years' worth of Message Tracking.

Clearswift recommends that systems have a minimum of 4 GB RAM, multi-core processors that support 64bit instructions and over 250 Gb+ of disk space for low volume production environments. For customers with a greater workload the recommended minimum would be 6-8 GB RAM, single or dual multi-core processors and 250Gb+ of redundant disk storage.

Packaging

This release will NOT be available as a patch for all systems running 3.x to automatically download.

Clients using 4.0 to 4.6 will be able to upgrade their system through the Admin Server Console.

Clients who want to migrate from 3.x must install a new system and migrate their existing configuration to the new system. They will typically deploy the solution in a test mode initially and then deploy a production system. Clients will be able to import a V3.8.* policy file to replicate their policy, or a V3.8.* full system backup if they want to import reporting data, quarantine messages, logs, and policy.

To make the installation process easier, clients will be able to request professional services from Clearswift to assist in the deployment of this new version.