
Enhancements V5.4.5427

Register Mobile token without Email/SMS OTP verification

An authenticated user can register/reactivate their mobile token on an authenticator app without having to authenticate with MFA. This change supports use cases where the user’s mobile phone or email is not available in the user directory. The option allows customization at the user level and is set by default to not ask for MFA.

Configurable expiry time for Mobile token

The expiry time for the Mobile token is now customizable. The default time is 5 minutes. This value sets the maximum window in which the gateway will accept an OTP, allowing for the time difference between the user's mobile phone and HySecure.

Support to enable/disable multiple usage of the Mobile token

The same OTP from an authenticator can now be reused multiple times during the "OTP token expiry time".

Double encryption and authentication of API calls

Considering the ubiquity of TLS interception solutions, it becomes important to encrypt the API call data before it is sent over an encrypted TLS engine. This is to avoid any kind of secret data leakage while TLS is being decrypted and processed for various reasons.

APIv2 is a new protocol supported in this release. It encrypts API data at the source and mutually authenticates the client and the server.

APIv2 requires new HySecure client software as well. Backward and forward compatibility is available if the HySecure gateway allows it. Some clients and plug-ins do not support APIv2 yet; support for them will be added in upcoming releases. This does not affect user functionality.

Under Global > Server > Server Settings, set the API version to APIv2 to enforce APIv2 clients only. To enable backward compatibility during rollouts, enable APIv1 and APIv2. The default setting is APIv1. Changing the API version requires restarting the gateway services.

Some of the security features enabled by APIv2 are listed below:

  1. Fixes for several security vulnerabilities around session hijacking through traffic interception and modification, and around request replay attacks
  2. CAPTCHA
  3. More secure password change and password reset functions

When APIv2 is enabled, the following functionality breaks:

  1. Accops Hybrid portal logon. If the Hybrid portal logon is used, the setting should be "APIv1" only. This shall be addressed in a future version.

AD/LDAP user search is improved for faster searches.

  1. All users: Select all users from AD/LDAP (same as All Groups).
  2. Get All users from Directory Server: This option will fetch the list of the first 500 users from the LDAP/AD servers.
  3. Search Manually by username: Specify a partial username (minimum 3 characters) to search for the user.

Update the geolocation database

It is now easier to update the geolocation data for geo-fencing controls. The Admin can download the free or paid version of the MaxMind (.mmdb) database and upload the DB file to the HySecure gateway.

The URL for free database download: https://dev.maxmind.com/geoip/geolite2-free-geolocation-data?lang=en

For paid edition, sign up at the MaxMind website.

Follow the steps listed below to update the geolocation database:

  1. Place the database file in the /home/fes/ directory.
  2. The name of the DB file must be GeoLite2-City.mmdb.
  3. Change the permissions of the above file to 644 and the owner to apache:fes. To do so, use the following commands:
    a) Command to change permissions: chmod 644 GeoLite2-City.mmdb
    b) Command to change the owner: chown apache:fes GeoLite2-City.mmdb
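The three steps above as one installer that also sanity-checks the upload before swapping it in. This is an added example, not part of HySecure; the destination directory, file name, mode and apache:fes owner come from the steps above, and the fake database it builds for its self-check is constructed.

```python
import os
import shutil
import tempfile
from pathlib import Path

DB_NAME = "GeoLite2-City.mmdb"
# Every MaxMind DB file carries this metadata marker within its last 128 KiB.
MMDB_MARKER = b"\xab\xcd\xefMaxMind.com"


def looks_like_mmdb(path: Path) -> bool:
    """Cheap format check before replacing the file the gateway reads."""
    size = path.stat().st_size
    with open(path, "rb") as f:
        f.seek(max(0, size - 128 * 1024))
        return MMDB_MARKER in f.read()


def install_geodb(src, dest_dir="/home/fes", owner="apache", group="fes") -> Path:
    """Copy src into dest_dir as GeoLite2-City.mmdb with mode 644 and the given
    owner, swapping it in atomically so the gateway never reads a partial file."""
    src, dest_dir = Path(src), Path(dest_dir)
    if not looks_like_mmdb(src):
        raise ValueError(f"{src} does not look like a MaxMind DB file")
    dest = dest_dir / DB_NAME
    tmp = dest_dir / (DB_NAME + ".tmp")
    shutil.copyfile(src, tmp)
    os.chmod(tmp, 0o644)                 # same as: chmod 644 GeoLite2-City.mmdb
    if owner or group:                   # same as: chown apache:fes GeoLite2-City.mmdb
        shutil.chown(tmp, user=owner, group=group)
    os.replace(tmp, dest)
    return dest


def selfcheck() -> dict:
    """Run the installer on a constructed fake .mmdb in a temp dir as the current
    user (no chown) and report what landed, plus whether a junk file is rejected."""
    work = Path(tempfile.mkdtemp())
    fake = work / "upload.mmdb"
    fake.write_bytes(b"\x00" * 4096 + MMDB_MARKER + b"\x00constructed metadata")
    dest = install_geodb(fake, dest_dir=work, owner=None, group=None)
    st = dest.stat()
    result = {"name": dest.name, "mode": oct(st.st_mode & 0o777), "size": st.st_size}
    junk = work / "notes.txt"
    junk.write_bytes(b"not a geo database")
    try:
        install_geodb(junk, dest_dir=work, owner=None, group=None)
        result["rejects_junk"] = False
    except ValueError:
        result["rejects_junk"] = True
    return result
```

On the gateway itself, run it as root so the chown to apache:fes succeeds.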

Support to send backup files with timestamp to FTP server

Backup files are sent to the FTP server with a time stamp to avoid overwriting existing backup files.

License serial key details in the HySecure Management console

The license serial key will now be visible on the license page. This change will be applicable to the existing deployment after the application of the license.

Client Version details in device details

The HySecure client version is now visible under the device details for each device.

Client distribution chart on the HySecure dashboard

A pie chart is available on the HySecure dashboard to show the different client versions currently in use. The devices under consideration are the registered devices. The terminology used is described below:

• HyLite Portal: The number of devices where the user used the clientless portal to login

• Old Clients: Devices running the old HySecure client that does not send version details

Note:

Devices registered before the upgrade patch was applied will not show client details until they register again.

Revamped HySecure Management console UI

The HySecure management user interface and menu items have now been improved to provide a better user experience.

Zero-downtime license change

The license can be applied without moving the HySecure gateway to the configuration state, helping to avoid downtime.

The following operations can now be done without any downtime:

License change type                                      Restart required
Extending a license term                                 No
Increasing license count                                 No
Reducing license count                                   No
Adding a Server Add-on feature (Endpoint Security)       No
Removing a Server Add-on feature (Endpoint Security)     No

When the license is applied to any gateway in the cluster, it takes a few minutes to sync across the cluster. When applying a Named User License, the registered user profiles are counted to decide whether the deployment complies with the applied license.

If the number of user profiles is more than the number allowed in the applied Named User license, then the following actions shall be taken:

  • A set of user profiles will be disabled so that the count of enabled user profiles matches the number allowed by the installed Named User license.
  • User profiles are disabled in order of last login, least recent first, so inactive users are disabled first.
  • Security officer and Administrator level users are never disabled.

If the number of concurrent users logged in is higher than the concurrent license installed, then users are disconnected randomly.

Improved Archived logs parsing

Log viewing has been improved, especially where a large number of logs exists.

Windows Update type host scan policy support

In this build, we have added support for a new host scan policy which will allow/block end user logins based on the status of the Windows updates configuration and installed update status of the endpoint. This enhancement checks for the Windows update policies on the endpoint listed below:

• Whether the Windows update service is running

• Last Windows update check time

• Last installed Windows update

• Pending critical/important Windows update

• Automatic update status

• Windows activation status

• Windows License status

Note:

This feature is applicable only for endpoints running Windows. For non-Windows endpoints, this host scan policy is skipped.

Manual HyLabs configuration from the backend

HyLabs configuration can now be done from the HySecure Management console. The option is provided under Settings → Global → Client.

Mobile token registration URL expiration

The Mobile token registration URL can no longer be reused, for security reasons. If the user has already clicked on the previous URL but has not registered the token, they must log in again to get a new URL and token.

Self-Service Portal changes

Malicious users of the self-service portal can no longer distinguish between user profiles that exist on the gateway and those that do not. Whether or not the profile exists, the portal returns the same message for an invalid password change attempt or OTP request.

Upgrade of Web components

Individual Web components of HySecure gateway are updated to their secure versions.

Hardening of SSL cipher suites

Strong cipher suites have been identified and are now used.