Subscribe to our Release Newsletter
Sign up for our Release Newsletter and stay tuned for the latest product releases, webinars, events, and trends in the IT security industry.
Subscribe now >
Version 7 | Version 8
Version 8 of the ECOS products SBS, SMA, SOS, ACA and TMA replaces the previous version 7. Regarding the VS-NfD-approved SBS and SMA versions, version 8 supersedes the expiring approval of version 7. The BSI has approved version 8 for VS-NfD, which expires on 31 May 2028.
The random number generator (RNG) used on the SBS and the SMA must conform to the DRG.3 classification for VS-NfD. The Linux operating system therefore requires RNG seeding from a reliable source in Linux kernel 5.18 and later. The SBS meets the requirement through its integrated smartcard and can therefore easily adopt newer kernels. The SMA uses kernel 5.15, which, according to current information, will be supplied with security updates until October 2026.
ECOS plans to use more recent kernels on the SMA from 2026 onwards, before kernel 5.15 reaches its end of life. To ensure DRG.3 conformity, the VS-NfD version of the SMA features a security check that forces the seeding of the RNG in conjunction with kernels from 5.18 onwards. Therefore, operators must plan ahead for the provision of a suitable hardware security anchor. The standard solution is to use a smartcard with CardOS 5.4.
The version marked +vsnfd contains only the VPN clients and applications approved for VS-NfD in order to meet the increased security requirements associated with VS-NfD approval. +vsnfd versions are mandatory in VS-NfD environments. Outside VS-NfD environments, versions without the build tag ensure fullinteroperability with existing IT infrastructures that may not be VS-NfD-compliant (e.g. SSL VPN gateways).
Version 8 enables the differentiation between different security zones for connection destinations within a network. This allows destinations reached via a secure network to be separated from those on the public Internet. This allows, for example, authorities to use the BSI-approved SBS to participate in video conferences that are not operated within the secure official network as part of international cooperation with other European authorities. In the private sector environment, the security zones can be used as required in accordance with the requirements of the established confidentiality levels.
For the VS-NfD-approved area, version 8 requires that the Probabilistic Signature Scheme (PSS) padding method is used when using signatures with RSA keys. Older padding methods (PKCS#1 v1.5) are therefore no longer permitted. Signatures with RSA keys are used, for example, for certificate-based authentication at a VPN gateway. As a result, PSS support must be ensured on the VPN gateways used by the operating organization before version 8 is rolled out in the organization. Otherwise, SBSs in the field will no longer be able to establish a VPN connection to the operator network. PKCS#1v1.5 padding can still be used outside the authorized area. However, we recommend switching to PSS padding here too.
The update can now be obtained from our update server via the appliance or the Secure Boot Stick. If the systems do not receive automatic updates, you can install the update via the administration interfaceunder ECOS Appliance → Actions → Update or via the SBS desktop under Start menu → System Update → Software.
If a local update server is set up on the appliance, the updates can be downloaded from the URL specified in the respective changelog and installed on the appliance. Manual downloads can only be carried out in conjunction with a locally set up update server. You need a valid download password for the download. If you have not yet received a download password, please contact our support.
You can also find more information about updates in our admin tutorial Software updates for ECOS appliances and the ECOS SecureBootStick.