Garphic Airlock Secure Access Hub

Airlock Gateway 8.6

Now with OpenShift support

Airlock Gateway 8.6 strengthens protection, improves automation and reduces operational effort across key areas. The release introduces major improvements to Airlock Anomaly Shield, adds support for Red Hat OpenShift Virtualization, enhances DoS protection, extends ACME automation to the Configuration Center, and expands REST API capabilities.

Airlock Anomaly Shield: More accurate detection with less operational effort

Airlock Anomaly Shield now detects suspicious behaviour more accurately while reducing operational effort. Gateway 8.6 improves model quality, extends the available data basis and optimizes model evaluation to reduce false positives, improve detection precision and simplify upgrades.

The improved Client Behaviour feature significantly reduces false positives. This has been achieved through enhancements to the underlying model algorithms, as well as refinements in the way models are trained.

In addition, an extended data collection now includes request and response content types, enabling more precise analysis and improved detection accuracy.

A new URL Model further improves behavioural analysis. It evaluates transitions between request paths and compares them with learned usage patterns. If a session deviates significantly from expected navigation flows, Anomaly Shield identifies it as anomalous. This helps detect suspicious behaviour more effectively.

Optimized model evaluation improves performance. Anomaly Shield now evaluates models only as long as the classification of a session remains uncertain. Once it confidently identifies a session as normal, it stops further model evaluation. This reduces unnecessary processing and improves overall efficiency.

Pre-packaged models make upgrades to the latest Airlock Gateway version smoother. They eliminate the need for immediate model training after the upgrade and make the process faster and more efficient. If the training task uses the recommended setting “retrain and enforce”, Anomaly Shield automatically retrains models during the first night after the upgrade. After 35 days, once enough data has been collected, it performs a full retraining automatically. We recommend enabling both “retrain and enforce” and “training data collection” to keep operational effort low and ensure optimal model performance.

Enhanced Redis Monitoring automatically manages database cleanup based on current conditions. It dynamically adapts cleanup behaviour to both the fill level of the Redis database and the current traffic load. This ensures efficient resource usage and stable system performance.

Red Hat OpenShift Virtualization: Run Gateway on OpenShift

With Gateway 8.6, Airlock Gateway can be operated with Red Hat OpenShift Virtualization. This allows customers to standardize on OpenShift as their Kubernetes platform and "lift & shift" existing workloads while keeping a proven security gateway in place.

Running Airlock Gateway on OpenShift enables a more declarative, Kubernetes-native deployment approach.

Key benefits:

  • OpenShift support: Operate Airlock Gateway in Red Hat OpenShift and move forward with a consistent Kubernetes strategy.
  • Declarative deployment: Benefit from Kubernetes-native configuration for predictable and repeatable rollouts.
  • Migrate to Microgateway: Since Microgateway is OpenShift certified, customers can migrate service by service from Airlock Gateway to Airlock Microgateway at their own pace.

This extension strengthens Airlock Gateway’s fit for modern platform teams. Standardize on OpenShift today, and keep a clear, incremental path toward Airlock Microgateway tomorrow.

DoS protection – Protects backends from attacks

Airlock Gateway strengthens protection against denial of service (DoS) attacks and helps shield backend systems from such traffic. By blocking malicious actors already on Layer 3, unwanted traffic can be stopped using less resources, improving overall performance and reducing unnecessary load on backend services. 

  • Higher performance: Block DoS attacks early on Layer 3 to reduce load and improve overall efficiency.
  • Backend protection: Keep backend services available and resilient under attack.
  • Better insights: Benefit from operational improvements that provide clearer visibility into attack situations and protection behaviour.

This feature was built in close exchange with selected customers, ensuring it addresses real-world requirements from modern operations and security teams.

ACME Services: Certificate Automation for the Configuration Center

With Gateway 8.6, we are extending ACME automation to the management interface. In addition to automating certificates for protected web applications, Gateway can now provision and renew certificates for the Configuration Center using DNS-01. The DNS-01 support is especially useful for endpoints that are not publicly reachable.

Key benefits:

  • Automated certificates for the Configuration Center: Use DNS-01 to provision ACME-based certificates for the management interface.
  • Consistent certificate lifecycle management: Manage certificates for protected web applications and the Configuration Center with the same automated approach.
  • Reduced operational effort and risk: Fully automated issuance and renewal helps prevent expired certificates on critical administrative access paths.

This improvement strengthens security for administrative access while further reducing manual certificate maintenance.

REST API enhancements: More automation, less effort

Airlock Gateway’s REST API is a key building block for automating configuration tasks in large environments. The automation toolkit now offers customers and partners more control in the following areas:

  • Mapping import: Optional strict mode makes automated workflows safer and more predictable by failing on unresolved references. 
  • Allow Rules: These can now be created and updated using the REST API
  • ICAP: The same ICAP service can now be used multiple times within a single mapping for more flexible inspection flows.
  • Access roles: New dedicated roles for read-only and full access provide clearer separation of privileges and safer operations in automated environments.
  • Documentation: Various refinements to the documentation make implementation and day-to-day work smoother.

These enhancements make the REST API an even more powerful tool for fully automated configuration workflows.

Add-on Tomcat: Tomcat 11 only (Java 17+ required)

As announced in the Gateway 8.5 release communication, starting with Gateway 8.6 the Add-on Tomcat is available exclusively in version 11.

Upgrade behaviour:

  • An upgrade is possible if no Add-on Tomcat is installed or if Add-on Tomcat 11 is installed.
  • An upgrade is not possible if Add-on Tomcat 9 is installed.

Starting with Gateway 8.6, only Tomcat 11 is supported. It requires Java 17 or newer. Please update your applications accordingly or deploy them externally on an older Tomcat version.

End of life

NTLM support: End of Life

NTLM has been part of Windows authentication for more than three decades, but it no longer meets modern security expectations. Microsoft classifies NTLM as deprecated and is moving Windows toward Kerberos-based authentication. Network NTLM is planned to be disabled by default in future Windows releases.

Microsoft highlights several security risks associated with NTLM, including weak cryptography, missing server authentication and exposure to replay, relay, pass-the-hash and man-in-the-middle attacks. 

This industry shift also affects the software ecosystem around Airlock Gateway. Libraries used by Gateway, such as Curl, are phasing out NTLM support. As a result, Airlock Gateway is ending support for NTLM-based integration scenarios.

This affects:

  • Front-side NTLM: Authentication of clients against Airlock IAM using NTLM 
  • NTLM passthrough: Clients authenticate with back-end systems through Airlock Gateway.
  • NTLM SSO credential propagation: User identities are propagated to back-end systems using NTLM.

Airlock Gateway 8.6 is the last release supporting front-side NTLM, NTLM passthrough and NTLM SSO credential propagation. These features will be removed in the next Gateway release. 

We recommend migrating to modern and more secure authentication protocols such as OIDC or Kerberos.

Hardened filter rules thanks to bug bounties

Last but not least, our Airlock Bug Bounty Program, successfully running since 2020, has led to numerous security improvements, which are now included in this release. We thank the white-hat hackers who share their findings with us. Learn more about the Airlock Bug Bounty Program here.

Updating is easy

Airlock Gateway 8.6 is now available on the Airlock Techzone. Updating to this minor version requires no manual adjustments – your existing configuration can be easily migrated and activated. A detailed overview of all updates and fixes can be found in the release notes.

Airlock Gateway 8.6

Release video

In our release video you learn all the details about Airlock Gateway 8.6.

Information for you

-Our whitepapers-
White paper: The puzzle pieces of modern authentication

White paper: The puzzle pieces of modern authentication

Identity management is like a puzzle: you have to understand the big picture, identify the relevant pieces and put them together in the right order. This white paper shows how to do that.

 

Request white paper

Whitepaper: How to make cIAM a success

Increasing requirements for security and user-friendliness make Customer Identity and Access Management an essential. Read our whitepaper to find out how you can secure your competitive advantage with the right CIAM strategy.

 

Request whitepaper

Whitepaper: Security for cloud-native applications

You can read about how companies can ensure the security of web applications and APIs in Kubernetes in the white paper "Security for cloud-native applications", which was created in collaboration between heise and Airlock.

 

Request whitepaper

Whitepaper: Zero Trust is a journey

The ongoing digital transformation of the world is progressing and having a profound impact on our personal and professional lives in ways that were difficult to imagine just a few years ago.


This white paper discusses the effects of continuous digitalization and its impact.

Request free of charge

Off to DevSecOps

In this white paper, you will learn the most important insights into how you can implement DevSecOps successfully and efficiently, which security components are required for this and the advantages of a microgateway architecture.

 

Request free of charge

Airlock 2FA - Strong authentication. Simple.

Double security - this is what two-factor authentication offers in the field of IT security.


Find out more about strong authentication and the possibilities offered by Airlock in our white paper.

Download for free

Further whitepapers

We provide you with free white papers on these and other topics:

 

  • Successful IAM projects
  • compliance
  • Data protection (DSGVO)
  • Introduction of PSD2
  • PCI DSS requirementsPCI DSS requirements
Request free of charge