M-Guard is an XML guard that is used at a network boundary to control traffic. An M-Guard instance is an application level data diode, with traffic flowing in one direction only. Commonly, M-Guard instances will be deployed in pairs, one controlling flow in each direction. The following is a list of the new capabilties introduced in version 1.5.
M-Guard Certificate Authority
M-Guard uses X.509 certificates to verify peers. It does not use CRL checking or OCSP to check for certificate revocation as the network connections to do this would lead to an unacceptable security risk. This means that in the event of certificate compromise the whole PKI needs to be replaced. This essentially means that each M-Guard instance needs its own PKI.
M-Guard product has added a product-specific certificate authority (CA) to manage certificates used to authenticate GCXP peers. This provides a convenient way to manage the PKI for each M-Guard deployment.
The M-Guard CA functionality is provided in M-Guard Console.
Guard Isolation Support
Guard instances are now isolated from each other and other processes on the M-Guard Appliance. This is built on the FreeBSD “Jail” capability. It increases the protection of each guard instance. Each guard now has independent IP addressing.
System Integrity Verification
The M-Guard Appliance system software now includes a manifest of system files with cryptographic hashes for each file. M-Guard Appliance verifies the current system against this manifest at boot and at regular intervals (hourly by default) to provide notice of any detected changes to the system files.
M-Guard Console can be used to verify system integrity of an M-Guard Appliance against a separately distributed, signed manifest, which enables regular and more robust checking for changes to system files. Customers may implement additional checks against this signed manifest.
Release Artifact Signatures and Signature Verification
All M-Guard release artifacts are digitally signed. These include:
- M-Guard Appliance full and update images;
- M-Guard Appliance manifest, release information, and release notes;
- M-Guard Console image;
- M-Guard Console release information and release notes; and
- M-Guard Admin Guide.
M-Guard Console supports verification of release artifact signatures to ensure their integrity.