In light of the NSA revelations, the previous Cutting Edge Firmware release took the security of our products to a new level. This update adds a couple of further improvements on top of that. Regarding the new security features, please read the important release notes for the previous Cutting Edge Firmware release (February 10th, 2014 – Version 2014013131/2014020702), which also apply to this release!
This release brings a couple of additional improvements to our February 10th firmware release and is expected to become the new stable firmware branch soon.
This release is fully compatible with the Stable Firmware released on August 12th, 2013 (Version 2013071130/2013080900 (Multichannel VPN Router 500/510: Version 2013071130/2013080900)). It is therefore OK to run the Cutting Edge Firmware on Routers, while the Hubs are running the Stable release. However, many of the improvements in security require support on both sides of the VPN. We therefore recommend updating both the Router and the Hub to this firmware in a timely manner.
List of changes compared to the previous Cutting Edge Firmware Release (2014013131/2014020702) – if you are updating from a Stable Release, please also consult all previous Cutting Edge Release notes since then!
- Multichannel VPN Router 200 is now supported (to be first displayed at CeBIT 2014).
- The new improved security features put a higher load on the Hub when a channel is established. If a very large number of channels connected to the Hub at the same time, the resulting load would amount to a kind of DoS on the Hub and could actually lead to a load feedback loop: because of the high load, the SSL handshake of the channels would not complete within the timeout, so the channels would disconnect and reconnect, causing even more load.
  You could see this in real life if you rebooted a Hub that is under heavy load with lots of tunnels, for example after a firmware update.
  We have now implemented throttling on both the Hub and the Router. If a channel aborts while connecting to the Hub, it is now throttled instead of hammering the Hub with connects. On the Hub side, when CPU load is high, acceptance of new channels is delayed in a way that does not result in timeouts.
  With these changes, we are now able to survive a higher channel connection load on the Hub than with the current stable branch firmware (which has a less secure SSL handshake).
- The behavior of Routers and Hubs during a DoS attack has been improved. If a source or destination host had more than 25,000 flows (TCP connections), it would get blocked. However, if it was the Hub IP being attacked, the Hub IP itself would also get blocked, making, for example, the web interface of the Hub unreachable until, for example, a TCP SYN flood DoS was over. Now, locally bound router IPs are no longer blocked. Also, the amount of logging during DoS attacks caused significant CPU load. This has been reduced. A blocked host is now only logged once, and again once it is unblocked (which happens if the number of active flows goes below 24,000 again).
- VDSL modules now allow setting a VLAN.
- VDSL modules now support RFC1483 with static IPs, and allow special characters in PPP usernames and passwords.
- With the previous Cutting Edge Firmware, if you edited multiple channels at the same time using the Multi-edit feature of the new web interface, all your channels would use a single (the first) module after you posted your changes. Only after the next channel reconnect would each channel then use the same module; this means that performance could drop sharply hours after you had made the changes. This bug has been fixed.
- Multichannel VPN Routers 511, 512 and 513 now show the correct product name in the web interface.
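
The flow-limit behaviour described in the DoS item above can be modelled as a two-threshold (hysteresis) state machine with an exemption for local addresses and one log line per state change. The following is an added illustration, not code from the firmware: the class and function names are hypothetical, the sample addresses are constructed, and only the 25,000 and 24,000 thresholds come from the release notes.

```python
# Added illustration of the flow-limit behaviour described in the release notes.
# Class and method names are hypothetical; thresholds are the ones the notes state.
BLOCK_ABOVE = 25_000    # a host with more flows than this gets blocked
UNBLOCK_BELOW = 24_000  # a blocked host is released once it drops below this


class FlowLimiter:
    def __init__(self, local_ips):
        self.local_ips = set(local_ips)  # locally bound router/Hub IPs, never blocked
        self.blocked = set()
        self.log = []                    # one entry per state change, not per sample

    def update(self, host, active_flows):
        """Record the current flow count for host; return True if it is blocked."""
        if host in self.local_ips:
            return False  # blocking our own IP would cut off the web interface
        if host not in self.blocked and active_flows > BLOCK_ABOVE:
            self.blocked.add(host)
            self.log.append(f"blocked {host} ({active_flows} flows)")
        elif host in self.blocked and active_flows < UNBLOCK_BELOW:
            self.blocked.remove(host)
            self.log.append(f"unblocked {host} ({active_flows} flows)")
        return host in self.blocked


def replay(samples, local_ips):
    """Feed (host, flow_count) samples through a limiter; return (states, log)."""
    limiter = FlowLimiter(local_ips)
    states = [limiter.update(host, flows) for host, flows in samples]
    return states, limiter.log


# Constructed sample: a flood against the Hub's own IP plus one noisy remote host.
# Addresses are from the documentation ranges (RFC 5737).
SAMPLES = [
    ("192.0.2.1", 40_000),      # Hub IP under SYN flood: exempt
    ("198.51.100.7", 25_000),   # at the limit, not above it
    ("198.51.100.7", 25_001),   # blocked, logged once
    ("198.51.100.7", 30_000),   # still blocked, no new log line
    ("198.51.100.7", 24_500),   # inside the hysteresis band: stays blocked
    ("198.51.100.7", 23_999),   # below 24,000: unblocked, logged once
]

if __name__ == "__main__":
    states, log = replay(SAMPLES, local_ips={"192.0.2.1"})
    print(states)
    print("\n".join(log))
```

The gap between the two thresholds keeps a host hovering around the limit from flapping between blocked and unblocked, which is also what keeps the log volume bounded during an attack.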