Isode's M-Guard 1.1 release is a Fully Supported Isode release of Cobalt (see the Supported Releases page for more details).

Read on for the major changes that M-Guard 1.1 introduced.


GCXP Application Profiles

A GCXP application profile is a formal functional statement of how an application uses GCXP to transfer content. The profile describes the XML payload, typically using formal schema languages (XSD, RelaxNG, Schematron), describes normalization and other transformations the content provider is expected to perform, and provides mandatory content checks. The profile describes a baseline protocol that is allowed through M-Guard in support of the application. M-Guard uses GCXP application profiles during the configuration of new Guard instances.

Content rules which restrict the baseline protocol described by a profile are managed using content rule catalogs for use with that profile.

Content Normalization

XML provides multiple ways to encode the same application data. Content normalization enforces a single encoding. This has three key benefits:

  1. It prevents alternative encodings from being used as a covert channel.
  2. It simplifies rule specification, as a single encoding can be relied on. It also facilitates ensuring there are no mechanisms to bypass the rules.
  3. It eases development of interoperable implementations by avoiding the need to support alternative encodings.

M-Guard 1.1 supports:

  1. XML Transformations (XSLT) to perform application-specific normalizations,
  2. XML Canonicalization: versions 1.0 and 1.1 (recommended), and
  3. Unicode normalization: NFC (recommended) and NFD.
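To show what the normalization pipeline buys a guard, here is an added example (not Isode's code, not part of the release notes) in which four constructed encodings of the same message, differing in attribute order, quoting, whitespace, comments, and composed versus decomposed "é", collapse to one byte-identical form. It assumes the Python standard library's C14N 2.0 (`ElementTree.canonicalize`) as a stand-in for the C14N 1.0/1.1 M-Guard supports, followed by NFC via `unicodedata`.

```python
import unicodedata
from xml.etree import ElementTree as ET

# Constructed sample payloads: the same application data ("café" from a to b)
# encoded four different ways. Before normalization the sender's choice of
# encoding is observable, so it could carry bits across the guard.
VARIANTS = [
    '<msg to="b" from="a"><body>caf\u00e9</body></msg>',            # NFC text
    '<msg from="a"  to="b" ><body>caf&#101;&#769;</body></msg>',    # NFD via char refs
    '<msg from="a" to="b">\n  <!-- x --><body>caf\u00e9</body>\n</msg>',  # comment, whitespace
    "<msg from='a' to='b'><body>caf\u00e9</body></msg>",            # quote style
]


def normalize(xml_text: str) -> str:
    """Canonicalize the XML, then NFC-normalize the resulting text.

    Assumption: the stdlib implements C14N 2.0; it is used here in place of
    the C14N 1.0/1.1 listed above, and for this input the effect on attribute
    order, quoting, insignificant whitespace and comments is the same.
    Comments are dropped by default (with_comments=False).
    """
    canonical = ET.canonicalize(xml_data=xml_text, strip_text=True)
    return unicodedata.normalize("NFC", canonical)


def distinct_forms(variants) -> int:
    """Number of byte-distinct documents after normalization."""
    return len({normalize(v) for v in variants})


def covert_channel_closed(variants) -> bool:
    """True when every encoding variant normalizes to a single form, so the
    choice of encoding can no longer signal anything downstream."""
    return distinct_forms(variants) == 1


if __name__ == "__main__":
    print("raw forms distinct:", len(set(VARIANTS)))
    print("normalized forms distinct:", distinct_forms(VARIANTS))
    print(normalize(VARIANTS[1]))
```

A rule author can then match on the single normalized form; an XSLT step for application-specific rewrites would sit in front of the canonicalization call.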

Improved Checking Rules

M-Guard 1.1 provides various enhancements to the rule specification language, to allow for more sophisticated rules to be specified. This includes support for rules which select between multiple values as part of a rule specification. M-Guard 1.1 supports the libxml2 subset of EXSLT functions.

Special support has been provided for XMPP XEP-0258 security labels using ESS format labels. ESS Label Catalogs can be configured and referenced from checking rules.

Appliance Security Enhancements

The security of the M-Guard Appliance is enhanced in various ways:

  1. GCXP and management protocols are restricted to network interfaces they have been explicitly enabled to use.
  2. A host-level firewall is now running on the appliance to restrict all external access to components on an M-Guard Appliance using deny-by-default logic. Ports used for GCXP must be explicitly enabled.
  3. Secure and reliable syslog: support has been added for syslog over TLS, the Reliable Event Logging Protocol (RELP), and RELP over TLS.