
Version 7 information

General modifications of version 7 compared to version 6

Version 7 constitutes a major advancement for ECOS Appliances and the ECOS SecureBootStick® (SBS) regarding security functions and operability.
Besides various detail improvements, the performance and scalability of ECOS Appliances have been significantly increased by introducing a new indexing technology.

The SBS security functions introduced in version 6 have been revised in version 7 and supplemented by a range of new security functions.
Starting with the new SBS HE variant, gradual hardware activation of the different memory partitions and selective hardware write protection of the partitions are included. The HE variant sits between the basic CL variant and the smartcard-equipped FX, SX, GX and ZX variants for more sophisticated protection requirements. An essential security feature is the integrated crypto chip, which provides smartcard functions for secure storage of key material on the HE variant and performs the crypto operations for hardware encryption on all stick variants from HE upward.
In the FX, SX, GX and ZX variants, the key material is stored exclusively on the smartcard, thus achieving an even higher level of security. All variants can only be used with secure 2-factor authentication. For FX, SX, GX and ZX, the PIN must be entered on the integrated hardware keyboard.
GX and ZX complete the available variants with an integrated smartcard reader for use with external smartcards.

The features below have been added for all SBS variants (CL, HE, FX, SX, GX, ZX):

  • Hardware fingerprint to check host computers for changes
  • Support for several alternative kernels to allow the widest possible use of the user's hardware base
  • Encrypted and integrity-protected storage in RAM to prevent spying on memory images
  • Support for multiple and simultaneously operating smartcard readers
  • Bootloader update for improved hardware compatibility
  • Improved user guidance during boot process
  • Chromium as browser alternative to Firefox for a broader support of current browser applications
  • Simplified lifecycle management

As of version 7, the NCP VPN client is no longer supported.

Combining Secure Boot Sticks of version 7 with an appliance of version 6

It is possible to use an ECOS SystemManagementAppliance (SMA) of version 6 to manage boot sticks of version 7.

General information about version 7.0

Version 7.0 includes innovations for the Secure Boot Stick as well as for our appliances and web clients.
Versions 7.0.1 to 7.0.9 are developer versions that have been tested in practice in early stages. A workable version is available as of version 7.0.10 (beta), which is also the starting point for the change log below.

Special features of version 7.1 / VS-NfD

Version 7.1.x is approved for processing of data up to classification level VS-NfD by the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI).
Version 7.1.x is also approved for processing of data classified EU RESTRICTED and NATO RESTRICTED.
A connection to genua genuscreen via IPsec is mandatory for VPN access in the VS-NfD environment. Further details are regulated by the security operating procedures.
Legacy boot with master boot record (MBR) is no longer permitted in VS-NfD environments and therefore no longer supported in version 7.1.

Notes on versioning

Until V7.0.57/V7.1.57

The standard development branch of the SBS version 7 is numbered 7.0.x. For the maintenance of version 7.1.x (approved for VS-NfD), the changes of 7.0.x versions, which are progressing in shorter cycles, are included in the development cycle of the 7.1.x versions as far as permitted by the approval conditions. Before release, all 7.1.x versions are BSI-reviewed and released as minor release or BSI-approved as major release.
The versions 7.0.x and 7.1.x are listed chronologically in the section Changes in detail (see below). Deviations or changes that were not adopted in 7.1.x are commented in detail. Uncommented changes in 7.0.x have been included in 7.1.x with the same or following patch number (3rd digit of version numbering).

7.1.x versions differ from 7.0.x versions regarding the required key strength, supported VPN technology, and security-relevant application components (e.g., browser extensions) in order to meet the increased security requirements imposed by VS-NfD approvals. 7.1.x versions are mandatory in the VS-NfD environment. Outside the VS-NfD environment, 7.0.x versions ensure overall interoperability with existing IT infrastructures that may not be set up in a VS-NfD-compliant manner (e.g. SSL VPN gateways).

V7.58.0/V7.58.0+vsnfd and higher

With version V7.58, the versioning scheme has been changed to semantic versioning. Version 7.58.0 is thus the successor of version 7.0.50. The previous distinction between standard versions and VS-NfD-approved versions, marked by the second position of the version number, no longer applies and is replaced by the build tag +vsnfd after the patch version number. The current VS-NfD-approved version is thus written 7.58.0+vsnfd.

Versions marked +vsnfd contain only the VPN clients and applications approved for VS-NfD to satisfy the increased security requirements imposed by the VS-NfD approval. +vsnfd versions are mandatory in VS-NfD environments. Outside VS-NfD environments, versions without this build tag grant full interoperability with IT infrastructures that may not be VS-NfD compliant (e.g. SSL VPN gateways).

The SMA must be notified of the new versioning scheme to be able to upload and distribute the new update images. For this purpose ECOS provides a special SMA update, which contains the minimum required adjustments so update mechanisms and security checks accept the new version scheme. Other SMA components remain unaffected and the SMA will not change its previous version number when the special update is installed.

The special SMA update is available at:

This update is equally intended for the standard version of the SMA and the VS-NfD-approved version. However, an SMA version 7.0.34/7.1.34 or higher (according to the old version numbering) is required. If older appliance versions are still in use, you must first update your SMA to version 34 (or later).

Likewise, the SMA supports an improved update image compression as of version 7.0.34/7.1.34, which ECOS uses as of version 7.58.0/7.58.0+vsnfd to allow updates to be deployed and processed more efficiently.

SBS updates from versions prior to 7.0.49/7.1.49 to version 7.58.0/7.58.0+vsnfd should always be performed with version 7.0.49/7.1.49 as an intermediate step. This step is mandatory as the intermediate version includes an updated SBS bootloader.
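
The two numbering schemes and the mandatory intermediate step described above, as an added Python example (not ECOS code): it parses both schemes, derives VS-NfD approval from the second position or the +vsnfd tag, and plans the update steps. Assumptions: all function names, ordering old patch numbers against new minor numbers, applying the intermediate step to every target from 7.58.0 on, and the vsnfd_env policy flag.

```python
import re
from typing import NamedTuple

class SbsVersion(NamedTuple):
    release: int   # legacy patch number (7.0.x / 7.1.x) or semantic minor (7.N.p)
    patch: int     # semantic patch; 0 for legacy versions
    vsnfd: bool    # True for legacy 7.1.x or for the +vsnfd build tag
    legacy: bool   # True for the numbering used until V7.0.57/V7.1.57

_VERSION = re.compile(r"V?7\.(\d+)\.(\d+)(?:\+([a-z]+))?")

def parse(text: str) -> SbsVersion:
    m = _VERSION.fullmatch(text.strip())
    if not m:
        raise ValueError(f"not an SBS version 7 string: {text!r}")
    second, third, tag = int(m[1]), int(m[2]), m[3]
    if second in (0, 1) and third <= 57:
        if tag:
            raise ValueError(f"build tag on legacy version: {text!r}")
        return SbsVersion(third, 0, second == 1, True)
    if second >= 58 and tag in (None, "vsnfd"):
        return SbsVersion(second, third, tag == "vsnfd", False)
    raise ValueError(f"fits neither numbering scheme: {text!r}")

def fmt(v: SbsVersion) -> str:
    """Render with the capital 'V' that the SMA version field expects."""
    if v.legacy:
        return f"V7.{int(v.vsnfd)}.{v.release}"
    return f"V7.{v.release}.{v.patch}" + ("+vsnfd" if v.vsnfd else "")

def update_steps(installed: str, target: str, vsnfd_env: bool) -> list[str]:
    """Ordered list of images to install (planner logic is an assumption)."""
    cur, tgt = parse(installed), parse(target)
    if vsnfd_env and not tgt.vsnfd:
        raise ValueError(f"{fmt(tgt)} is not a VS-NfD-approved version")
    if (tgt.release, tgt.patch) <= (cur.release, cur.patch):
        raise ValueError("target is not newer than the installed version")
    steps = []
    # Sticks older than 49 need the bootloader shipped in 7.0.49/7.1.49 first.
    if cur.release < 49 and tgt.release >= 58:
        steps.append(fmt(SbsVersion(49, 0, tgt.vsnfd, True)))
    steps.append(fmt(tgt))
    return steps
```
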

With the next version (planned as version 7.60.0), the support of the included RDP client version 2.0.0 will be dropped. If it is still in use, it must be replaced by a more recent version in the configuration as quickly as possible.

How to get the update

The update can be downloaded from our update server via the appliance or the Secure Boot Stick. To update, execute Actions > Update in the ECOS appliance object on the admin interface of the SMA or select System > Update Software in the SBS desktop menu.

Provided a local update server is configured on the management appliance, updates can be downloaded from the URL in the respective changelog and then installed on the management appliance. Manual downloads can only be performed using a locally configured update server. The download requires a valid download password. If you have not yet received a download password, please contact our support team (support[at]ecos.de).

If the SMA is directly connected to the Internet (to hz.update.ecos.de), update images can also be downloaded directly with the Software Update Image object. Go to the download tab, enter the specific version number into the version field, e.g. V7.58.0 or V7.58.0+vsnfd (note that 'V' must be a capital letter) and apply.