1.5.1. Release 1.2.2-1

Release date: 13.10.2021

The new changes in this release are the following:

1.5.1.1. openNAC Authentication

  • VPN with WireGuard and possible authentication with SAML.

    • Integration with the new WireGuard VPN technology for creating VPN tunnels using the new openNAC multiplatform agent and openNAC VPN gateway.

    • Allows the use of SAML authentication when using our VPN solution with WireGuard.

  • New multiplatform agent compatible with Windows, Linux (Ubuntu) and macOS.

1.5.1.2. ON Core

  • Business Profiles improvements:

    • Possibility of creating new business profiles based on tag

    • New business profile created by default: “Location”.

  • New captive portal flows: “Guest profiling” and “Third party VPN profiling

    • Guest profiling: Allows people outside the organization to download the soluble agent and send the profile of their equipment without the need to be connected to the corporate network by WiFi or Cable. Security reports can be created of the different teams of a company that send their information with the soluble agent to openNAC.

    • Third-party VPN profiling: Allows you to act as a captive portal for third-party VPNs, forcing the downloading of the agent and allowing or denying access to the VPN pending on the position of the device and the rules defined in the openNAC policies.

      • For this, the client’s FW needs to be compatible with “Force authentication of traffic arriving through an interface”. In this way, our captive portal is configured as “authenticator” of the VPN traffic.

      • Through the use of policies and plugins compatible with the corresponding FW (For example Fortinet) we can “release” the traffic when the equipment enters the policy that we want according to defined security parameters.

  • New agent functionalities:

    • Allow configuring the amount of payloads to save on the server (Total and per device).

    • Added the possibility to download the different agents from the administration portal.

    • Agent Payload Timeline: New agent payload display option. It allows to see the different payloads received, and the changes with the previous ones, for each device.

    • New screen for managing parsing rules for the multiplatform agent.

    • Allows you to open a web browser to a specific URL when connecting to the vpn (Cross Platform Agent).

  • Policies preconditions improvements:

    • New precondition: Session data

    • New “advanced mode” in the preconditions per tag of the policies: It allows complex rules to be modeled between the different tags through the use of different operators and regular expressions.

  • Administration portal new functionalities:

    • Allow admin users to change their password (Only local. No Active Directory).

    • Possibility of configuring different parameters of the user sessions:

      • Maximum number of simultaneous users.

      • Maximum number of concurrent sessions of the same administrator.

      • Maximum session time (active).

      • Maximum session time (inactive).

  • Network Device Compliance Module:

    • Added support for more network devices:

      • Aruba 6200

      • Aruba 6300

      • HP 3COM

      • Cisco 4500

      • HP2626

    • Improved compatibility with supported network devices.

    • Allows notification by email when a new backup has been made.

    • New type of “Custom param”: “Operation”. Allows you to create a “Custom param” through operations carried out with other “Custom Params”.

    • Added the possibility to compare a backup with the previous one.

    • Updated default compliance rules database to the latest version.

    • Now global parameters can be used in the “Custom conditions” of the tests.

    • Ability to run an open port scan on a network device as a task scheduler option.

  • CMDB permits to define your own “MAC Vendors

  • Implemented export and import via XML. It is possible to configure the types of export files that are wanted (JSON and XML).

  • User device profiling improvements:

    • Update all default profiling rules

    • Added “PDP” tags to indicate the “Parent Tag” of the current device type (EPT).

      • “EPT_MOBILE_ANDROID_HUAWEI” will generate the following additional tags:

      • PDP_MOBILE

      • PDP_MOBILE_ANDROID

    • Added profiling accuracy tag (DPA).

      • For example, when meeting 3 profiling rules, the tag “DPA_3” is added

  • Plugins improvements:

    • Plugin update:

      • UserDeviceProfiling: VLANs and Networks are automatically created in the CMDB.

      • FortiGateAccounting:

    • New “maxFailedAuthentication” plugin: Prevents the user from connecting via VPN if a maximum number of failed authentications is exceeded in a period of time (eg 5 minutes) (eg 3 attempts).

      • Synchronous version: Blocks access to the user for a configured amount of time.

      • Asynchronous version: Regenerates the OTP so that it cannot be used again until an operator sends it back to the user.

  • ARP Request Discovery, special case that is only recommended to be activated in specific environments with very specific requirements. Allows discovery of devices connected to the network through ARP traffic of the “Request” type.

  • Healtcheck improvements:

    • Added new check to healthcheck to check if there are elasticsearch indexes (Analytics) in “Read only”.

    • Added a new trend graph to monitor the performance of the redis cache system.

  • All external data sources have been changed to type AD. The LDAP data source, should be changed manually.

1.5.1.3. ON Analytics

  • Added a new dashboard: Sensor filtered by userid.

  • Added more information collected to analytics about internal component execution times.

  • Possibility of adding a filter by network devices to the dashboards.

1.5.1.4. Security

  • Roles and ACLs:

    • Removed the “user” role.

    • Created an operator role.

    • Created an auditor role.

    • Created ACLs for the different Analytics dashboards.

  • Passwords:

    • Improved the minimum security policy for creating user passwords.

    • Encrypted user credentials.

  • Administration portal security:

    • Added protection against brute force attacks on admin portal login.

    • Eliminated information about errors that could be exploited to carry out attacks.

  • Network Device Compliance:

    • Removed support for Telnet.

    • Improved the performance of the rules management panel.

  • Operating system and internals:

    • Changed OS to Rocky Linux 8.

    • Updated PHP to 7.2.

    • Improvements in memory used when importing / exporting.

    • Multiple performance and security improvements.

    • Security of collectd data between client and server.

1.5.1.5. Usability

  • Network Device Compliance improvements:

    • Redesigned task planning panel.

    • Allow selecting the devices on which a scheduled task will be executed by means of a tag.

    • Added new filters for the list of scheduled tasks.

    • Added new validations and help messages in the creation of compliance rules.

    • Added button on network devices to access your backups.

    • Improved the screen of logs and backup copies of network devices, grouping them by device.

    • Allow downloading of the latest backup from multiple network devices at once.

    • Improved information in the simulator.

  • ON CMDB improvements:

    • Added direct access to the sensor from user devices.

    • Allows editing multiple objects at once (Network Devices, User Devices, Networks, VLANs).

    • Added confirmation message in case of trying to create a new User Data Source without TLS activated.

  • Redesign of the captive portal:

    • Changed the public part so that the flows are followed by steps.

    • Redesigned agent download screen.

    • Optimized layouts to fit window size.

    • Added help messages in the creation of captive portal flows.

    • Added button to show/hide password in registration flows.

  • API doc:

    • Allow access to Doc API on and off.

    • Added link to API Doc from the admin portal.

  • Agent:

    • Agent configuration improvements.

    • Added explanation in VPN profiles.

    • Improvements in the visualization and management of agent logs.

  • Administration portal:

    • When creating local users, all the requirements of the password policy are indicated in case they are not met.

    • Added the ability to change the font color of the administration portal.

    • User sessions can be configured in the administration portal.

    • The administration portal has been translated into Spanish.

  • Policy manager:

    • Improvements in messages and warnings in the creation of policies.

    • Policy ordering improvements.

    • Allows you to modify the status of policies from the contextual menu.

    • Allows you to filter the policies searching by tag.

  • Exportation and importation:

    • Added option to export all import logs at once

    • Added option to remove a specific export from the list.

    • Added message to clarify that in an export the default objects of the system are not included in the exported file.

  • User device profiling:

    • Improved some messages that were given to the user.

    • Added tools that make it easier to create and check a profiling rule.

    • Differentiate the new conditions and those that are inherited in a profiling rule that depends on another.

  • Plugins:

    • Added a description of each plugin in the configuration of these.

    • Added a link to the documentation of each plugin in the doc-opennac.

1.5.1.6. Changes to consider

  • From this version the quarantine policies are based on tags. Now the “ONC_QUARANTINE” tag is used when a device is quarantined. Therefore, the quarantine rules should be put at the top of the list. Previously, quarantine policies could be put anywhere on the list since the other rules were ignored when quarantined devices were evaluated.

  • The non-multiplatform agent parsing rules will be removed in the next version. It has been indicated with a warning message in the corresponding section.

  • The base Operating System has been changed and updated to Rocky Linux 8.

1.5.1.7. Obsolete functionalities deleted

  • Exportation and importation:

    • The import by CSV files has been eliminated.

    • The export in CSV, XLS, XLSX, PDF files has been eliminated.

  • MobileConnect:

    • Removed compatibility with MobileConnect since that service has been discontinued

  • Deprecated code:

    • Removed unused API endpoints

    • Removed references to the old external user portal

    • Removed the “WLC-Captcha” flow from the captive portal, whose functionality has been added as an option to all portal flows.

    • Removed old code that is not in use

  • Policy Manager:

    • Removed implicit quarantine rule. Devices are now quarantined by the “ONC_QUARANTINE” tag. Please see the “Important Notices” on the first page.

    • Removed the ability to use user device groups or network devices.