MDM Architecture

posted Oct 26, 2011 10:21 AM by Michael Endrizzi

So these are the ultimate MDM questions. I'm not sure anyone can answer them (it is art versus science), but I will attempt to anyway.
1) When do I switch from SmartCenter to MDS?
2) How many global policies should I have in MDS?
3) How many domains should I assign to a Global Policy?
4) How many firewalls should I assign to a domain?
5) When do I use global objects vs local objects?
6) When should I start using high availability?
7) When should I start using a multi-domain log server vs. DMS logging?
OK, it's like asking "What color should my next car be?". Not everyone is going to get the same answer.
These are the factors that should guide your decisions:
1) ADMINISTRATION ADMINISTRATION ADMINISTRATION: First and foremost, MDM was built to ease administration. ISPs had a tough time keeping all their managed mom-and-pop rulebases separated in a 24×7 shop with lots of administrators (both the ISP's and the clients') over a period of years, so administrators came and went. If you are designing an MDS architecture that COMPLICATES administration, then you are going in the wrong direction. HINT: always design for simplified administration.
2) Security: MDM has facilities for global vs. local separation. If you are going at it from a programming point of view, you might be disappointed, because its scoping rules are sure not C++; they are more like Pascal, a version 1 of global vs. local scoping. So if you are a security nut and you decide to separate everything into 300 CMAs, well, on paper it may look good to auditors, but look out operationally: backups won't work, policies will take forever to install, upgrades will kill you if you use global objects wrong, etc. HINT: Only separate if you have to, and use multiple policies within a DMS too. Use global objects with caution.
3) Licenses: Check Point's Achilles' heel is licensing. Just assume it's screwed up and go from there. The more complex your environment, the more licensing will kill you financially, morally, emotionally, etc. It's broken, and every time they try to fix it the problem gets more complicated and worse. HINT: Keep it simple.
4) Updates: MDS has a facility for updating your environment on a global basis. Right now it's version 1, so don't bet your kid's schoolbooks on it, but it is a good first step. HINT: don't use it for now.
5) Operations: Remember that the ivory tower architecture was not designed by the people doing 3am assign/installs. MDS will break if you get too complex. Example: backups. Each domain replicates in its entirety, binaries and everything, so 250 domains means 250 sets of duplicate binaries, and backups will fail when you have too many domains. And when an upgrade goes bad, good luck finding which of the 250 domains blew up on you. Then try finding every location of that global object you used: cross-CMA search works better than it used to, but it is still not quite there. HINT: keep it simple.
6) Templates: What information do you want to share across firewalls? MDS has several facilities for sharing global information, but you first need to figure out what you would like to share, rather than manually replicating it across 300 domains. HINT: keep it simple.
7) Changing environment: Does your company buy and sell other firms? Do you have to deal with sub-divisions that are hostile now but will be friendly once you fire all their administrators? HINT: Isolate troublemakers.
8) Upgrades: How will you upgrade your MDS environment, in pieces or all at one time? HINT: keep it simple.
9) IPS: remember that MDS cannot!!! enforce IPS policy on domains. It can only offer global templates for the domains to use.
10) You will be replaced: Remember that the MDM has a life cycle outside of your employment contract. Someday you will move on, and this monster you are creating will have to be managed by someone else. Now, you could ensure job security, and also create a testament to your supreme god-like existence on this planet, by making the MDM so complex that only you understand it and your organization would be foolish to fire such a god as yourself. But if you value your good name, I suggest you think about TCO and the MDM life cycle after your greatness departs from this earth.
11) Logging: Note that with a 1:1 firewall-to-domain mapping, you can only monitor one log file per SmartView Tracker session. If several firewalls log to the same domain, you can watch all of their logs in one SmartView Tracker session. So if one set of firewalls has a lot of problems, you might want to merge them into one domain so all of their logs are sent to the same log server.
12) Network subnets: Remember that the more firewalls you create, the more subnets you create, and the more traceroutes you have to do to debug. And then when the subnets change, you have to change the network objects in SmartDashboard. So increasing complexity in the name of security also increases the operational burden on the network, and an operational burden you cannot keep up with is itself a security risk.
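A concrete instance of the cross-domain search problem from point 5 (and of the "use global objects with caution" advice in point 2), as an added example that is not code from the original post or from Check Point: a small POSIX shell script that walks an MDS customers directory and reports which domains' rulebases actually reference a given global object, so you know what an edit to that object will touch before you push it. The directory layout (one directory per domain under a root you pass in), the file name rulebases_5_0.fws, and the ":Name (<object>)" form of an object reference inside a ReferenceObject entry are assumptions made here; check them against your own MDS version before relying on the output. The sample domains built at the bottom are constructed data.

```shell
#!/bin/sh
# find_global_object_refs.sh - added example, not code from the original
# post or from Check Point.  Answers "which domains actually use global
# object X?" by scanning each domain's rulebase file under a root directory.
#
# Assumptions (not stated on the page; adjust for your MDS version):
#   - every domain has a directory <root>/<domain>/ (on a real MDS the root
#     would be something like $MDSDIR/customers, which is an assumption)
#   - somewhere beneath it lives rulebases_5_0.fws, in which a rule column
#     refers to an object with a line of the form
#         :Name (<object name>)
# Object names are matched as fixed strings, so names containing '.', '-'
# or '_' are safe to pass as-is.

# find_global_object_refs ROOT OBJECT
# Prints "<domain> <reference count>" for each domain whose rulebase names
# OBJECT at least once.  Exit status 0 if any domain did, 1 if none did.
find_global_object_refs() {
    root=$1
    name=$2
    hits=0
    for dir in "$root"/*/; do
        [ -d "$dir" ] || continue
        domain=$(basename "$dir")
        # concatenate every rulebase file under the domain and count exact
        # references; grep -c exits 1 on zero matches, so keep the printed
        # count and ignore its status
        count=$(find "$dir" -name rulebases_5_0.fws -exec cat {} + 2>/dev/null \
                | grep -c -F ":Name ($name)" || true)
        if [ "${count:-0}" -gt 0 ]; then
            echo "$domain $count"
            hits=$((hits + 1))
        fi
    done
    [ "$hits" -gt 0 ]
}

# make_sample_domain ROOT DOMAIN OBJECT...
# Writes a constructed rulebase (sample data, not a real export) under
# ROOT/DOMAIN/fw1/conf that references each OBJECT once in a
# ReferenceObject entry, mimicking the assumed file format above.
make_sample_domain() {
    root=$1
    domain=$2
    shift 2
    conf="$root/$domain/fw1/conf"
    mkdir -p "$conf"
    {
        echo "(\"rulebases_5_0.fws\""
        for obj in "$@"; do
            echo "    :src (ReferenceObject"
            echo "        :Name ($obj)"
            echo "        :Table (network_objects)"
            echo "    )"
        done
        echo ")"
    } > "$conf/rulebases_5_0.fws"
}

# Demo on constructed data: three domains, only two of them use Global_DNS.
demo_root=$(mktemp -d)
make_sample_domain "$demo_root" acme_corp Global_DNS Global_NTP
make_sample_domain "$demo_root" bigbank   Global_NTP
make_sample_domain "$demo_root" widgets   Global_DNS
find_global_object_refs "$demo_root" Global_DNS
rm -rf "$demo_root"
```

Run the file as-is to see the demo, or source it and call find_global_object_refs with your real customers root and an object name once the path and format assumptions above have been checked. Matching on the closing parenthesis is deliberate: it keeps Global_DNS from also counting Global_DNS2, which is exactly the kind of near-miss that makes a manual search across hundreds of domains unreliable.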
Now remember, I'm an MDM addict. It is by far the BEST enterprise management solution on the market. But it has its limits.
So my #1 advice is KEEP IT SIMPLE!!!! And ask yourself: are the security nutjobs going to be there at 3am when backups fail?
Mike's Motto: A security system that can't be managed is inherently insecure!!!!
So going to MDS will ease your administrative headaches if you have 200 firewalls all in one SmartCenter server. But 200 domains hosted in MDS will NOT NOT NOT ease your total overall administrative headaches (although on paper it seems more secure because of the separation), because you will kill yourself trying to manage the beast, and you will probably make mistakes that make the entire architecture insecure because it's so complex you can't analyze it.
So it's easy for anyone to sit and cry WOLF!!, but coming up with solutions separates the men/women from the boys/girls.
Hold on as I check my manhood in future editions.
blog.lachmann.org: Michael Endrizzi's Check Point blog (St. Paul, MN) on topics related to Check Point products and security in general.