Release 2.2.0 introduces options for meeting more of your IT policy requirements and compliance commitments.
- Enhanced PCI-DSS Support. Optional add-on that delivers PCI-DSS certified compliant features and support services, with security policies and additional support processes to reduce retailers’ compliance costs.
- Read Only Domain Controller. A new Domain Controller deployment option that offers hardened security features and policies for remote sites.
This release is applicable to all ProLiant Easy Connect servers.
Release 2.2.0 will be deployed to new ProLiant Easy Connect servers from September 25th 2017. The Support Team will contact IT service providers in order to schedule the date of server upgrades.
For new servers, please download the Release 2.2.0 ISO image from the Easy Connect Commissioning Console, which should then be used for USB-staging the server before installation.
After the release date, the Installation Console will not permit older software versions to be used, in order to assure compatibility with Cloud Management Platform updates.
Enhanced PCI-DSS Support
Easy Connect offers consistent, enterprise-grade security and monitoring that can be used to meet PCI-DSS compliance standards. The new enhanced PCI-DSS support offers a solution for merchants who want to significantly reduce the cost and effort of achieving compliance for their in-store IT.
This add-on product option delivers Easy Connect with enhanced security policies and additional support processes, backed by a PCI-DSS Matrix of Responsibility (MoR) and Attestation of Compliance (AoC).
In order to achieve compliance for the Easy Connect software and services, the PCI-DSS product option adds a number of features to the standard product.
- Implementation of policy and procedures ensuring the Easy Connect Support Team operate as a PCI-DSS Tier 1 Service Provider
- Heightened security event and log auditing by the Easy Connect Support Team
- Provision of Cloud Management Platform resources dedicated to the retailer
- Hardened security features enabled in the Cloud Management Platform and on Easy Connect servers
- Enforcement of compliant intrusion prevention measures such as password policy, failed-logon blocking, and port blocking
In addition to the features that are provided to meet compliance, Easy Connect has been audited to PCI-DSS 3.2 standards by an independent QSA. This allows the PCI-DSS compliant product option to be provided with a Matrix of Responsibility and Attestation of Compliance.
A merchant is responsible for their own PCI-DSS compliance certification. For the parts of the IT environment deployed on Easy Connect, the auditor can refer to the provided Attestation of Compliance. Therefore the Easy Connect PCI-DSS compliance product option significantly reduces the scope, cost and time taken to complete a retail store’s own compliance audit.
Release 2.2 includes the software features and procedures necessary to achieve PCI-DSS compliance. Please note that because the external PCI-DSS audit must be completed on generally available software versions, certification and final versions of the MoR/AoC will follow after the Release 2.2 availability date.
Read Only Domain Controller
For retail and branch-office IT environments, it is a common requirement for an existing Domain Controller to remain in place and for Easy Connect servers to replicate its database. Easy Connect has always been able to join a network with an existing Domain Controller in this way. However, until now the ‘remote’ Domain Controller databases have been writeable and used elevated admin privileges.
In Release 2.2.0 the option of a read-only Domain Controller and reduced local privileges has now been added.
The server has additional security and policy hardening to reduce the vulnerability of the local server as a vector for attacking the wider network. This is achieved by three means:
- Read Only Domain Controller. The Easy Connect server’s Active Directory instance is configured as read-only. All changes to the domain are made centrally, with the Easy Connect Active Directory only replicating the Domain Controller database from this central version.
- Reduced Admin Privileges. Easy Connect automated processes and support credentials that are required to install and maintain the server will execute with limited privilege domain accounts. Privileged accounts are normally used to support dcpromo and domain join automation. Instead these privileged tasks will be carried out by the customer’s domain admin.
- Centralized Admin Tasks. With reduced Easy Connect privileges, certain tasks are transferred to the customer’s domain admin. Control of adding servers to the domain, user management and settings such as replication topology are fully managed and secured by the customer’s own administration credentials.
Combined, these processes and policies remove user privileges to make domain changes locally and significantly reduce the ability of a malicious local attack to access the rest of the domain.
Choosing to use the Reduced Privilege Domain Controller option, which can be requested from the Support Team ahead of server roll-out, affects a small number of other service options:
- All user credential management is centralized on the existing Domain Controller, therefore the User Control Console will not provide local user administration functions.
- The Remote Desktop Service option for Easy Connect is not supported; however, it is possible to deploy and maintain your own remote desktops locally, hosted in a custom virtual machine.
- The pre-configured Aruba Wi-Fi integration is not currently supported, although this does not affect the ability to use Aruba or any other Wi-Fi access point in the LAN.
With this new feature, enterprises benefit from greater security at remote sites while still ensuring good performance and availability thanks to the locally installed Domain Controller.
Firewall Keep Current Upgrade
Both the included basic firewall and full Gateway product option have been updated to a new major version. Easy Connect firewalls now make use of Untangle version 12.
Easy Connect continues to offer the same next-generation firewall capabilities, making use of Untangle’s ICSA-labs certified next-generation firewall and, in the full Gateway option, commercial anti-virus signatures from Bitdefender and web filter categories from Zvelo.
The most obvious change in this version is the user interface, which has been updated with a fresh new look, but access to features and settings continues to use a familiar layout and navigation scheme.
The new user interface includes a customizable dashboard, making it quicker and easier to get at the information you regularly need from your firewall statistics and reports.
This is the final version of the basic firewall to include ‘Web Filter Lite’. Please refer to the Deprecated Features section of this release note for more information.
Latest First Cloud Backup Recovery
A minor change to the way files are recovered from Cloud Backup can help businesses recover more rapidly from a major IT outage.
The recovery process now makes it possible to recover the most recently created or modified user files first. During a disaster recovery scenario, the Support Team will always work with the customer to determine priorities for recovering data and applications. This new feature makes it easier to get at the most recent files, more quickly.
VPN Stability Check
As part of the Easy Connect installation process, additional checks are now made to ensure VPN connectivity is permitted by an external firewall or ISP.
Easy Connect servers connect to the Cloud Management Platform by means of a secure VPN connection. In some IT environments, 3rd party firewalls will block VPN traffic. However, unlike port or destination IP address blocking, firewalls may not immediately identify the presence of the Easy Connect VPN, and will instead monitor traffic and eventually block the connection at some point mid-way through the installation process.
The Easy Connect installation process now opens the VPN connection to test connectivity for a period of time to establish its stability.
In the event that the VPN is blocked even after this stability check period has completed, the installation process has been adapted to make it easier to restart after the necessary changes have been made to permit the VPN connection.
Windows Server and Linux updates have been applied to relevant core server VMs.
Release 2.2.0 includes notification of one deprecated feature, which will be replaced in a future product release, no sooner than January 2018. This provides at least three months’ advance notice to allow IT service providers to determine whether any action needs to be taken.
Deprecation of Firewall’s ‘Web Filter Lite’
Web Filter Lite, a feature of the basic firewall provided with all Easy Connect servers, will be replaced by Web Monitor in a future Easy Connect release. Until it is replaced, which will be announced in the relevant Release Note, Web Filter Lite continues to function as normal.
There are two main differences between Web Filter Lite and Web Monitor. Firstly, the ability to block users’ access to restricted web sites is removed, being replaced by logging instances of users accessing blocked sites. Secondly, Web Monitor makes use of the same commercial web categorizations as the full Gateway product option, rather than the limited database used by Web Filter Lite.
If web site blocking is required, options available include:
- Upgrade to the full Gateway option, which continues to offer a commercial Web Filter capability.
- Install or make use of web filtering in an external 3rd party gateway device.
If you currently use an external 3rd party firewall and web filter, this change does not affect you.
This change does not affect the full Gateway option, which includes a separate Web Filter feature. The Gateway’s Web Filter continues to be available and fully supported, with commercial web filtering signatures from Zvelo.