Version 14.1 for Imperva On-Premises products was released on April 6th 2020. One of the major changes in this release is an update of the underlying operating system, which gives Imperva products support for newer cloud instance types, security hardening, and a new deployment mode for Imperva On-Premises WAF: Next Generation Reverse Proxy.
Imperva On-Premises WAF and DAM products running version 13 and below are based on the CentOS 6.3 operating system. CentOS 6 reaches End of Life at the end of November 2020. The new CentOS version brings better security and stability, as well as the ability to deliver patches and new features faster.
There are some important updates in this version for customers using Imperva On-Premises WAF and DAM products:
1. SELinux by default
SELinux (Security-Enhanced Linux) is a security enhancement to Linux that gives users and administrators finer-grained control over access to resources. Instead of only being able to specify who can read, write or execute a file, for example, SELinux lets you specify who can unlink a file, append to it, move it and more. By default, every operation is forbidden except those explicitly allowed. Imperva developers made sure customers' daily operations are allowed without any additional action on the customer's side, but there can still be cases where a restriction is observed. Here is the set of commands used to diagnose and fix such a problem:
If an operation is blocked by SELinux, a log entry about it is written to /var/log/messages; the entry starts with avc: denied.
- impctl platform selinux --show-denials - shows the recent violations of the basic SELinux policy that caused operations to be denied.
- impctl platform selinux --denials-to-policy - creates a policy that includes all the denied operations. The policy name is printed on the screen after the command runs.
- impctl platform selinux --allow-policy POLICY_NAME - adds the policy named in the previous command's output to the basic SELinux policy as allowed operations.
More info is available using impctl platform selinux --help.
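Before turning a batch of denials into an allowed policy with --denials-to-policy, it is worth reading what the denials actually are: a policy that blanket-allows every recent avc: denied entry can quietly grant a process more than the daily operation needed. The script below is an added example, not Imperva's code and not part of the impctl tooling. It parses avc: denied lines in the /var/log/messages format the post describes and groups them by source type, target type, object class and permission, so each group can be judged on its own. The log lines, the process names (backup.sh, monitor) and the SELinux types in them are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample lines in the style of /var/log/messages AVC records.
# The process names, contexts and inode numbers are illustrative only.
SAMPLE_LOG = """\
Apr  6 10:15:01 gw1 kernel: type=1400 audit(1586168101.123:45): avc:  denied  { write } for  pid=1234 comm="backup.sh" name="export.tgz" dev="dm-0" ino=5678 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0
Apr  6 10:15:02 gw1 kernel: type=1400 audit(1586168102.456:46): avc:  denied  { write } for  pid=1234 comm="backup.sh" name="export.tgz" dev="dm-0" ino=5678 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0
Apr  6 10:16:10 gw1 kernel: type=1400 audit(1586168170.789:47): avc:  denied  { name_connect } for  pid=2345 comm="monitor" dest=8443 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
Apr  6 10:16:11 gw1 sshd[3456]: Accepted publickey for admin from 10.0.0.5 port 50000 ssh2
"""

# "avc: denied { perm [perm ...] } for key=value ..." (whitespace varies between kernels)
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]+?)\s*\}\s+for\s+(.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _selinux_type(ctx):
    """A context is user:role:type:level; policy rules are keyed on the type."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def parse_denial(line):
    """Return a dict describing one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = m.group(1).split()
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    return {
        "perms": perms,
        "comm": fields.get("comm", "?"),
        "source": _selinux_type(fields.get("scontext", "?")),
        "target": _selinux_type(fields.get("tcontext", "?")),
        "tclass": fields.get("tclass", "?"),
        "enforced": fields.get("permissive") == "0",
    }


def summarize(text):
    """Count denials per (source type, target type, class, permission, process),
    most frequent first, so each group can be reviewed before it is allowed."""
    counts = Counter()
    for line in text.splitlines():
        d = parse_denial(line)
        if d is None:
            continue
        for perm in d["perms"]:
            counts[(d["source"], d["target"], d["tclass"], perm, d["comm"])] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    # In practice: summarize(open("/var/log/messages").read())
    for (src, tgt, cls, perm, comm), n in summarize(SAMPLE_LOG):
        print(f"{n:3d}x  {comm:<10} {src} -> {tgt}  ({cls}: {perm})")
```

Each output row corresponds to one allow rule a generated policy would contain. A write to a file under a type the appliance legitimately maintains is the expected kind of gap; a process asking for a network permission it never needed before deserves a closer look before the policy is allowed.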
2. Internal firewall upgrade
Two approaches dominate the security world for restricting and regulating access to vital system and network resources and infrastructure: blacklisting and whitelisting.
In the blacklisting approach the emphasis is on known threats: known malicious or suspicious entities that should not be allowed access are added to the blacklist and blocked.
The whitelisting approach follows the "zero trust" principle: it denies everything by default and allows only what is necessary. A whitelist is constructed from a detailed view of all the tasks users need to perform, and of the applications or processes they need in order to perform them.
Whitelisting is recommended in high-risk security environments, where the integrity of individual or connected systems is critical and takes precedence over any restrictions users might suffer in their choice of, or access to, software.
With the upgrade to CentOS 7.5, the firewall approach became whitelisting instead of blacklisting.
The common static ports needed for Imperva On-Premises WAF and DAM operations are allowed by default, as are the dynamic ports that are opened when certain actions are performed (WAF installer) or in special deployment modes (Reverse Proxy).
If additional ports need to be opened, these are the commands to use:
- impctl portguard allow --port XXX --protocol udp/tcp - to allow an additional port
- impctl portguard disallow --port XXX - to block a specific port
See more options using impctl portguard --help.
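With a whitelisting firewall, the practical question after an upgrade is which listeners on the box are not on the allow-list: those are the ones that either need an explicit impctl portguard allow or should not be listening at all. The script below is an added example, not Imperva's code; it parses output in the format of `ss -tulnp` and reports every non-loopback listener whose protocol and port are outside an allow-list. The allow-list ports and the sample ss output (including the process names) are constructed placeholders, not Imperva's actual default port set.

```python
import re

# Constructed allow-list of (protocol, port); placeholder values, not the real defaults.
ALLOWED = {("tcp", 22), ("tcp", 443), ("tcp", 8083), ("udp", 514)}

# Constructed sample in the format of `ss -tulnp`; processes are illustrative only.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*         users:(("sshd",pid=1001,fd=3))
tcp   LISTEN 0      128    [::]:22           [::]:*            users:(("sshd",pid=1001,fd=4))
tcp   LISTEN 0      511    0.0.0.0:443       0.0.0.0:*         users:(("httpd",pid=1200,fd=6))
tcp   LISTEN 0      128    127.0.0.1:9000    0.0.0.0:*         users:(("agent",pid=1300,fd=7))
tcp   LISTEN 0      128    0.0.0.0:8083      0.0.0.0:*         users:(("java",pid=1400,fd=20))
tcp   LISTEN 0      128    0.0.0.0:9090      0.0.0.0:*         users:(("node",pid=1500,fd=9))
udp   UNCONN 0      0      0.0.0.0:514       0.0.0.0:*         users:(("rsyslogd",pid=800,fd=5))
udp   UNCONN 0      0      0.0.0.0:123       0.0.0.0:*         users:(("chronyd",pid=700,fd=3))
"""

# Local address column: "[v6addr]:port" or "v4addr:port" (or "*:port")
LOCAL_RE = re.compile(r"^(?:\[(.*)\]|(.*)):(\d+)$")
PROC_RE = re.compile(r'\(\("([^"]+)"')


def parse_listeners(text):
    """Return (protocol, address, port, process) for each tcp/udp row of ss output."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] not in ("tcp", "udp"):
            continue  # header or unrelated line
        m = LOCAL_RE.match(parts[4])
        if not m:
            continue
        addr = m.group(1) if m.group(1) is not None else m.group(2)
        pm = PROC_RE.search(line)
        rows.append((parts[0], addr, int(m.group(3)), pm.group(1) if pm else "?"))
    return rows


def unexpected_listeners(text, allowed=ALLOWED):
    """Listeners bound to a non-loopback address whose (proto, port) is not allow-listed."""
    found = set()
    for proto, addr, port, proc in parse_listeners(text):
        if addr in ("127.0.0.1", "::1"):
            continue  # not reachable from the network, so not a firewall concern
        if (proto, port) not in allowed:
            found.add((proto, port, proc))
    return sorted(found)


if __name__ == "__main__":
    # In practice: feed in subprocess.check_output(["ss", "-tulnp"], text=True)
    for proto, port, proc in unexpected_listeners(SAMPLE_SS):
        print(f"{proc} listens on {proto}/{port}, which is not allow-listed: "
              f"decide whether it needs 'impctl portguard allow --port {port} --protocol {proto}'")
```

The loopback filter matters: a service bound only to 127.0.0.1 works whether or not its port is allowed by the firewall, so listing it would only generate noise. Everything else the script reports is either a port to allow deliberately or a listener to question.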
3. New CLI policy
Only 5 SSH sessions may be open simultaneously, due to operating system enforcement. This can be changed by updating the configuration file (for more information, please open a case with Support).
Since the CentOS update, the password policy has changed at the OS level as well. A password must contain at least one special character: for example, Imperva12# is accepted, but Imperva12 is not. Logs about violations can be found at /var/log/security.
4. Upgrade process
Due to the change of the operating system, the upgrade process had to change.
- The installation file is no longer an RPM file; it is a single executable (same as a patch) - .X
- The AWS upgrade is consolidated with the regular upgrade procedure, meaning a single upgrade procedure for all Imperva On-Premises platforms
- New image/packages/update file names:
- No rollback when moving between CentOS versions - when upgrading to version 14.1 from a lower version, rollback will not be possible. In the future, when upgrading to a higher version, rollback to 14.1 will be possible.
- Software Update - this is the first version where Software Update can be used to update all the GWs managed by your MX to version 14.1. If you have a number of GWs, you can use this centralized mechanism: there is no need to download the new version and log in to each GW, the upgrade process is simple, and monitoring is easy.
- Additional CPU and memory requirements were introduced - since the OS is updated, more memory needs to be allocated. All the details appear on docs.imperva.com.
Please share additional information you would like to know about the new version and I will address that in my next blog about version 14.1.