Category: Cross Domain

Posted on

Red/Black – 2.1 New Capabilities

Overview

This release adds important new functionality and adds further device drivers to Red/Black, a management tool that allows you to monitor and control devices and servers across a network, with a particular focus on HF Radio Systems.  A general summary is given in the white paper Red/Black Overview.

Rules

Red/Black 2.1 adds a Rules capability that allows rules to be specified in the Lua programming language, which allows flexible control.    Standard rules are provided along with sample rules to help creation of rules useful for a deployment.  There are a number of rule capabilities:

  • A basic rule capability is control based on device parameter values.   Rules can generate alerts, for example to alert at operator at selected severity when a message queue exceeds a certain size.
  • For devices with parameters that clearly show faults or exception status,  standard device type rules are provided that will alert the operator to the fault condition.   This standard rule can be selected for devices of that type.
  • Rules can set parameters on devices, including control of device actions.   For example, this can be used to turn off  a device when a thermometer device records a high temperature.
  • Rules can reference devices connected in the communications chain.  For example a rule can be created to alert an operator if the frequency used on a radio does not match the supported frequency range of a connected antenna.
  • Rules can be used to reconfigure (soft) connectivity, for example to switch in a replacement device when a device fails.

Snapshot

Configuration snapshots can be taken, reflecting the current Red/Black configuration, and Red/Black configuration can be reset to a snapshot. The capability is intended to record standard operational status of a setup to allow convenient reversion after temporary changes.

eLogic/Leonardo Radio Gateway driver

The eLogic/Leonardo Radio Gateway provides conversion between synchronous serial and TCP, with multiple convertors in a single SNMP-managed box.  A key target for this is data connectivity to remote Tx/Rx sites.  The Red/Black driver enables configuration as TCP to Serial and Serial to TCP modes, enabling a Red/Black operator to change selected modem/radios.  

Web (http) Drivers

Red/Black 2.1 has added an internal Isode framework which allows drivers to manage devices or servers via HTTP(S). This is being used in a number of new drivers, and is Isode’s preferred approach for managing devices. New drivers are:

  1. M-Link.   Allows monitoring of M-Link servers, showing:
    1. Number of connected users.
    2. Number of peer connections.
    3. Number of queued stanzas.
  2. Icon-5066.  Controlling  STANAG 5066 product:
    1. Enable/Disable node
    2. Show STANAG 5066 Address
    3. Show Number connected SIS clients
    4. Show If flow is on or off
  3. Icon-PEP.  Providing:
    1. Enable/Disable service
    2. Show number of TCP connections
    3. Show current transfer rate
  4. Sodium Sync.   Providing:
    1. Number of synchronizations
    2. Last synchronization that made changes
    3. List of synchronizations not working correctly
    4. Alerts for failed synchronizations
  5. Supported Modems.   This replaces drivers working directly with modems included in Icon-5066 3.0.   The new driver talks directly to Proxy Modem or to Icon-5066 where Proxy Modem is not used.  This displays a wide range of modem parameters.   Various modem types can be selected to display appropriate information from the connected device:
    1. Narrowband Modem.
    2. Narrowband Modem with ALE.
    3. Wideband Modem.
    4. Modem/Radio combined variants of the previous three types.

Other

  • Parameter Encryption.   Red/Black can securely store parameters, such as passwords, to prevent exposure as command line arguments to device drivers.
  • Device Ordering.   Devices are now listed in alphabetical order.
  • Alert Source.  Alerts now clearly show where they are generated (Red/Black; Rule; Device Driver; Device).
  • Link to device management.   Where Red/Black monitored devices have Web management, the URL of the Web interface can be configured in Red/Black so that the management UI can be accessed with single click from Red/Black.
Posted on

M-Guard 1.5 – New Capabilities

M-Guard is an XML guard that is used at a network boundary to control traffic. An M-Guard instance is an application level data diode, with traffic flowing in one direction only. Commonly, M-Guard instances will be deployed in pairs, one controlling flow in each direction. The following is a list of the new capabilties introduced in version 1.5.

M-Guard Certificate Authority

M-Guard uses X.509 certificates to verify peers. It does not use CRL checking or OCSP to check for certificate revocation as the network connections to do this would lead to an unacceptable security risk. This means that in the event of certificate compromise the whole PKI needs to be replaced. This essentially means that each M-Guard instance needs its own PKI.   

M-Guard product has added a product-specific certificate authority (CA) to manage certificates used to authenticate GCXP peers. This provides a convenient way to manage the PKI for each M-Guard deployment.

The M-Guard CA functionality is provided in M-Guard Console. 

Guard Isolation Support

Guard instances are now isolated from each other and other processes on the M-Guard Appliance. This is built on the FreeBSD “Jail” capability. It increases the protection of each guard instance.  Each guard now has independent IP addressing.

System Integrity Verification 

The M-Guard Appliance system software now includes a manifest of system files with cryptographic hashes for each file. M-Guard Appliance verifies the current system against this manifest at boot and at regular intervals (hourly by default) to provide notice of any detected changes to the system files.

M-Guard Console can be used to verify system integrity of an M-Guard Appliance against a separately distributed, signed manifest, which enables regular and more robust checking for changes to system files. Customers may implement additional checks against this signed manifest.

Release Artifact Signatures and Signature Verification 

All M-Guard release artifacts are digitally signed. These include:

  • M-Guard Appliance full and update images;
  • M-Guard Appliance manifest, release information, and release notes;
  • M-Guard Console image;
  • M-Guard Console release information and release notes; and
  • M-Guard Admin Guide.

M-Guard Console supports verification of release artifact signatures to ensure their integrity.

Posted on

M-Guard 1.4 New Capabilities

M-Guard 1.4 is a platform support update release for M-Guard Console and M-Guard Appliance. M-Guard Appliance has been updated to use UEFI instead of BIOS for key system services.

Platform Support

The M-Guard Appliance now supports running on Netgate 6100 and 6100 MAX appliance systems.

M-Guard Appliance on Hyper-V now uses Generation 2 virtual machines.

M-Guard Appliance on VirtualBox now uses EFI.

Use of BIOS for booting is deprecated in favor of UEFI.

Base Operation System Upgraded 

The M-Guard Appliance operating system is now powered by FreeBSD 13.1.

Notice

Upgrading earlier installations requires special steps.  Contact Isode support for assistance.