Dear CheckPoint – When are you going to enhance MDM?

posted Oct 15, 2011 5:00 AM by Michael Endrizzi                                                                                               [

It should be obvious by now that I’m a MDS freak. I actually was dreaming about this stuff last night and had to get up at 5am to document it. Love it. I just wish Check Point would love their MDS as much as I do. It has been years since they’ve adding any major enhancements to MDS (IPS).
Dear CheckPoint,
This is my Xmas wishlist for MDS.
0) MDS API: for OPSEC partners to add more features into MDS.
1) Don’t cannablize your OPSEC partners by incorporating the features they create and build. They usually
    do it better than CP can because they are focused on it.
1) Global Provisioning: Create another tab in global policies and/or SDM for provisioning GROUPS of firewalls (setting routes, updating passwords, adding users, running scripts). I’ve heard that IPSO had great provisioning…
you have the code use it.
2) Global Monitoring: SmartMonitor on a global basis for groups of firewalls. Example: We have 500 firewalls. Give me the list of firewalls that have 90%+ disk full.
3) Licensing: Oh yeah….the elephant in the room. Licensing is like the US Health Care system. It
is sooo complex, soooo broke, sooo expensive and its killing its clients. And don’t fix it with another
round of ‘simplification’.  It’s like Obamacare. Marketing makes it sound like a Christmas present, but the reality it’s
more complex and expensive. Find another model that works and use that. Then use aggressive
license auditing to make sure customers don’t cheat.
4) Fix Global SmartUpdate.
5) Global CLI: Look at SmartSplat and build something like it so you can command line into groups of SPLATs
    all from one view.
6) SQL Database backend: I hesitate on this because debugging configuration files is so much easier than dealing
   with databases….but we really need a database to enable multiple admins to access global policies concurrently
7) Global Logging: One SmartTracker interface for all firewalls. SmartEvent is OK, but not for debugging.
8) Force MDS IPS: Force domains to implement Global IPS policy
9) GlobalBackup: There should be a panel with one button to backup the whole environment and provide status on global backups
10) More flexible GlobalObjects in Local Rules. Can’t be deleted, renamed, etc. This might be fixed if you could build a SQL backend. This is limiting the scope of usefullness of global policy
11) Global Objects local to its Global Policy: Instead of global objects global to the world…have the objects of
    making them local to the encompasing global policy they are defined in. Programming 101. Might consider
    using some Object Oriented scoping rules.
12) Granularize administrative permissions so that NOC people can REASSIGN policy and more granular on who can install vs assign.
13) Oh yeah ASSIGN vs REASSIGN….geez louise please rename these to “DESTROYYOURMDSINFRASTRUCTURE” and “REASSIGN POLICY”…and make it extra hard to install on the ASSIGN. Or at least do an autobackup of the DOMAIN to FIREWALL mapping before you ASSIGN.
14) OneClickSync: Right now in HA environments you have to synch each Domain. Would be cool if you could click on the MDM and do a one-click sync for all the Domains. This can be used in case you are going to bring one MDS offline and need to synch back to a single MDS. Also, its not totally obvious which MDS you are synching to/from, might want to change icons to arrows or something to show direction of synch.
14) OK, here is one of my product ideas. How do you keep your network infrastructure in sync with your firewall’s view of the network infrastructure. The routing people randomly delete and add routes. What if they take a DMZ route and add it to the CORE. Now your firewall rule will allow data going to the DMZ to be routed to the core. Life’s a bitch.
Gather all the routing tables from all the firewalls. Now gather all the routes from all your routers. First make sure the firewall routes actually exist in the infrastructure. THEN make sure all the firewall network objects actually have real routes in the infrastructure. You have to establish a baseline with this information to make sure your firewal view reflects reality with the network infrastructure. Next: MDS should run a daily report and report on CHANGES between the firewall view and what the routers are reporting. At least now you know if your firewall is in synch with your infrastructure.
16) Aesthetics: You know those section titles in the rulebased. Could you have them have the option of being indented so that you can have the option of nesting rules within subsections?
17) Obviously cut and paste between domains would be really cool
18) Permissions to limit INSTALL ON to only specific admins
19) Option to NOT permit globals in local policy or to scan for them and report in one big spreadsheet or to have a Verify before install that would warn you about them or disallow it.
20) What is HA if your primary can never fail? If the primary blows up, there has to
 be some easy way to promote the secondary into a primary. I’m sure there are about
100 edits of *.C files that will get you there, but it should be a click of a button by now.
21) From P1, be able to click on a domain, firewall and right click and open a putty or web to the LOM interface, WebUI, putty ssh, winscp.
22) Build groups of admins, groups of domains, groups of firewalls and apply security permissions to them. In general how as humans can we keep track of let’s say millions of objects? Via groups and labels. A MDM that can scale has to be able to us groups, labels, hierarchy’s, etc to group objects and let us search for these groups and individual objects.
23) Compile for 64-bit so runs faster in huge environments
24) Provisioning: I haven’t looked at this for a while. But the ability to execute a command on all systems is so critical. Obviously it is a double edge sword: one could wipe the drives and go home. But evil people will figure out some way of corrupting the system. Things like setup NTP, backups, user permissions and passwords, setting times, disk cleanup, or performing forensics on logs, mass file FTPs, gathering info to put into CSV sheets for asset inventory using perl scripts, system performance you can’t get from SNMP using perl scripts….Need I go on?
Mama CP, if you could just add one or two of these I’d love you forever.
I’m sure I’ll think of more in tommorrow’s nights sleep.
Post a comment or leave a trackback: Trackback URL.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Michael Endrizzi's - St. Paul MN - CheckPoint blog on topics related to Check Point products and security in general.

%d bloggers like this: