Monthly Archives: April 2013

Day 2 CPX

So once again I spent my time doing 1 on 1’s. I did attend two discussions for GAIA 2013 and the 2013 Roadmap:

Roadmap: Last year we heard a lot about 3D and The Security Company. No such words this year. This year it’s about:

1) Security Access Control
2) Threat Prevention (AV, Threat Cloud, Antibot, DDOS, IPS, etc)

75% of the talks are on Threat prevention. You will even see this in the new management environment. They will divide the GUI into Security and Threat Prevention.

The new management environment for 2014 looks great. Fine grain access control for admins (finally) down to the object and rule. Scalability up to 50 million objects in test environment. They will make it easier to import and export. Still two levels of scope, global and local. I can’t get a good answer if they are merging SDM and SmartDashboard which would be critical to me but I should know more May 6th or so.

So I asked about the whole global objects in local policy problem. Right now if you use global objects in local policy, upgrading or moving domains is a pain because you have to extract the global objects before migration. They still don’t have a good answer. But one trick is to use dynamic global objects instead that instantiate themselves into the local policy. Haven’t thought how that would all work and if it could migrate cleanly. Just thought I’d pass it on.

Threat management and Threat Cloud was all pretty obvious stuff because it’s been around forever. The CP advantage is it is managed from one platform. So first let’s see if the management environment is half decent (example: can you manage the whole environment or just individual domains like now). If the management environment is good, then give the actual sensors a year or so to mature and make sure they actually work. IPS is in pretty good shape. I haven’t been exposed to the other blades so not sure if they work.

Mobile Security: I missed most of this, but something about encrypting a document based on classification and only the need-to-know clients have keys to decrypt it. Hopefully I’ll be fully retired before I have to implement anything like this. Not just CP, but any vendor trying something like this would be a $250/hour rate that I’d charge. Just way too complex and too many integration issues in the real world. Desktops are just too non-standard, and then your solution also has to work with mobile apps.

Licensing tidbit: So this explains why licensing is so horrible, but doesn’t justify it. From Day 1 they wanted to know what customers were using so they could devote resources to that product line. So if customers registered 1 million Mac OS Identity Awareness blades, then they’d swing support and R&D on it. Suggestion: Isn’t that what your CRM/SAP sales systems are for? Why are they dumping on us techies trying to keep the train running?

GAIA: GAIA is getting better in small steps.

1) Auto updates of small hotfixes. You can manage how this is done.
2) Upgrades: FINALLY you will be able to upgrade GAIA and then it will do some self-tests. If the tests fail, it will uninstall and revert. About time. Juniper has been doing this for years.
3) NOTE: Splat only supported 1.2M connections no matter how much memory you jammed in. GAIA expands connection table as you jam in more memory. I still want to know what the supported and theoretical MAX are. I had to run so couldn’t ask.

4) Emergency disk. Hey, they finally have an emergency USB that you can build with GAIA in case you need to recover passwords or a disk crash.

I had 1:1’s with more Identity Awareness (see my other blog) and with advanced routing/clustering.

Advanced Routing/Clustering: So if you have this turned on before R75.46 you probably know what I’m going to say. #1, if you can avoid routing on a firewall, please do. If you really want to do routing, do it on a standalone system. If you really want to avoid phone calls, then upgrade to R75.46. Routed seems stable and the memory leaks seem to have slowed down. Note they haven’t figured out full connectivity upgrades yet with routing. Routed does not sync routes with the higher version member, so even though the state tables sync, the routing does not and the routes have to converge, which will take several seconds.

SUMMARY: Once again you just have to attend CPX for the 1 on 1’s and building relationships. The crew doing the work really want your feedback and are trying hard to do it right. It works both ways: if you don’t give feedback, then they don’t know what to fix.

As last year, remember that many staff do not speak native English, so speak slowly and purposefully. They may seem inattentive, but it’s hard being put into the hot seat and grilled when you don’t speak the language or know the culture. Try and establish a friendly dialogue before you ask your questions. Pace yourself. (Oh yeah, don’t forget to complain about licensing – just don’t yell!).

That’s it for CPX 2013!


How Identity Awareness Works

4/30/2013: This is what I took out of my meetings with Amnon Perlmutter who is heading up Identity Awareness. I have not tested any of this so put a grain of salt on it.

So I figured out how Identity Awareness works. CP talks about the components of IA, but I never saw it explained like this. This should help debugging IA when it starts losing identities.

Gotta run to conference so here is the quickie.

Debug IA

So first thing you have to remember is how CP evaluates how a packet is associated with a user. The gateway goes through an evaluation process in this order. Whenever something does not work, make sure you go through these steps in your head.


So this is nothing new. You see this in all the IA documentation. These are the processes that filter IA information:

  • PEP – Enforces user/machine access according to rulebase
  • PDP – Stores user/machine and group session info, this feeds PEP if user has active sessions. NOTE there is SIC between PDP and PEP so that PDP can feed multiple PEPs on different firewalls. Avoids having to hit AD or LDAP servers multiple times.
  • LDAP – Retrieves user group information about the user from the associated LDAP server that the user belongs to

Three basic ways of identifying (packet belongs to Bob) and authenticating (Bob’s packet was created by a person that knew Bob’s password/certificate, so I know it belongs to Bob):

1) ADLOG: Retrieves info from AD event logs such as login events. If Bob can log in to AD, then Bob has valid AD credentials.
2) Captive Portal: User uses username/password (or cert) to log in to a web page hosted on a CP gateway.
3) Identity Agent: software running on the user desktop or mobile client. God help you if you implement this, don’t call me.


In this menu for the gateway ( you have to enable the Identity Awareness blade), is where you can specify how clients authenticate.


OK, so groups are going to be funky. The business happens when a packet from Bob gets into the gateway and the rule reads (‘Sales’ is allowed for HTTP). So the gateway has to decide “Is Bob in Sales???”. PDP is the process that monitors that. PDP works with the LDAP environment to pull down group information.

This is admittedly complex. It works differently for each LDAP environment, or if you define all this locally to the Domain on an internal database (you really should not do this, too much admin).

In the future I want to dig into this further. I’m just touching the surface here.


So here you can see how the groups are built. Ideally you want to use the groups defined on the LDAP server. With CP internal, you have to define groups again! In large environments, this won’t fly.


CP works pretty transparently with AD groups. You can see them inside CP Identity Awareness and don’t have to recreate the groups.


If you work with some sort of custom LDAP server, you might have to redefine the groups which would be a pain. This is how you do it. You can actually define a dynamic group search. For example: group=sales for all email groups.


OK this will seem obvious AFTER you read this. Note that LDAP queries are made while you are creating rules in SmartDashboard as well as when the packet is flying through the firewall. So if it works in SmartDashboard, the gateways are seeing the same thing.


Authentication is transparent for a pure AD environment. PDP pulls down AD event logs looking for login events (and other events like mounting disks, web browser authentication, etc.). NOTE: ADlog only sees login events, there are NO NONE ZIP NADA logout events!!!! Look at me when I tell you this. So if you ever wonder why names seem to mysteriously drop from IA, think about the caching timers, duplicate ID timers, default logout timers and how they all interact. The flip side is just as important: until a timer fires, the gateway keeps treating that IP as the user who last logged in from it, whether or not that person is still there.

Also note that PDP can be shared between PEP’s running on multiple gateways. That way all the PEP’s aren’t hitting up a single AD Directory Controller in your environment bringing it to its knees.


If you don’t run an AD environment or have to support mobile clients, then Captive Portal might be a solution. Users use a web browser to authenticate to the gateway. Captive Portal can hook into several different authentication mechanisms to authenticate the user. Here they are:


For logging, IA only works with AD. I wish it worked with RADIUS accounting so it can work outside of AD.

I’m testing this because I think it should work with mobile clients and RADIUS somehow, so put a grain of salt on this.


As soon as you enable IA for logging, it tries to integrate it into AD... and nothing else. Bummer... but maybe I’m wrong. Still investigating.



So with the above information, it should be easier to debug using the pdp, adlog, pep, test_ad_connectivity tools. Look into those next and map them back to my slides above.

Happy Identity Days!



CPX DC – Day 1

So returned to DC and just finished Day 1 of CPX…and the results are in.

Same as last year. 1:1’s awesome – I’d sell my kids’ schoolbooks to attend (OK, I have no kids, but if I did). Worth every penny. Love all the CP folks sitting in a room talking over resolving issues. They really really want to hear the good, bad and ugly and I just love them for it. No attitude, just blunt (polite) discussion on how to improve the product. THANKS!!! We are all on the same team.

CPX as a conference in general. I agree with Maybe they should get a professional to run it. Topics are just not interesting to me anyways.

Here are my summary notes so far:


Remember 3D 2011? History. I saw it in one slide

Remember CP The Security Company 2012 ? History. Never mentioned.

Remember GRC 2012? Boring. Time to move on. Briefly mentioned.

CP is a product company and just will always be that way. And they have some awesome products – MDS and Smartlog and SmartDashboard. I really wish they would focus on these.

Gil mostly talked about Threat Cloud. Anti Bot, AV, IPS, etc. Not too exciting, same security speech.

So the biggest news for me was the new MDS coming out in mid 2014. As Gil said – customers, when asked, say the #1 thing they like is Centralized Management and Tracker. Then he showed 1 slide of the new MDS and about 1 minute of features and moved on. Period. End of show. Nothing was ever mentioned again about one of their coolest products. I just don’t get why they continue to bury the product that has kept them alive. Oh well, I’m just a lowly firewall monkey.

They had this super duper talk on zero-day hacks with live demos. WOW. One of the best hacking demos I’ve seen, much better than mine, and I thought mine was good.

After that I hit the trenches. The prepared talks didn’t seem too exciting.

——————————   MDS ——————————

MDS: Sounds really cool. I talked to a developer that left the project 1 year ago but this was the effort last year.

– Simplify migrations between domains
– One merged GUI between SmartDashboard and SDM(kinda) with ACL stuff in one Window and threat prevention in another
– SQL backend supporting rumors of 50 million objects
– Fine grained controls on admin access, so now 1 admin can’t lock everyone out of domain
– A rule can be constructed in one place using IP ACL, application control, IA, etc. You don’t have to hunt through tabs
– Person didn’t realize that SmartDashboard has Admin install ACL, and MDS eliminated it (where its most needed)
– Release is mid 2014 so probably usable in

So the gossip is going in the right direction. Hopefully the features and the code follow through.

So my advice is to upgrade to R75.46/7 and stay there until late 2014. R76 is going to be buggy and a new environment you will have to learn without any real new features. Stabilize your environment during this time and then start to upgrade end of 2014.

————-Smart Log——————-

My favorite product. So be aware that for a standalone environment they have this really cool feature of displaying response statistics (20% of responses are from this IP). They don’t display them in an MDS environment because each domain computes its own and they don’t share. Ugh. That is what an enterprise environment does, so hopefully they fix this. Still love SmartLog, great job!

——————-  Identity Awareness —————–

I will write this up next. Got some info to help you debug better.

——————— Licensing ——————————–

Basically anyone with a CP shirt on I would go up to and say “Licensing sucks, when are you going to fix it?”. Best response I got is they now have a team on it that will merge SmartUpdate and UserCenter. OK, so now I’m really scared... two of their worst products merged into one.

CP needs to eject licensing altogether and just do auditing of blade usage. SmartLicenseAudit should discover the blades you are using on how many systems, generate an email that you approve and then send. If you hack it and they catch you, $100K per violation.

Stay tuned,

fw unloadlocal


R75.46 NOW!

I’ll make this easy for you.

IF you are at 75.40 THEN
   upgrade to R75.46 AND (ask for HFAs)

God save the queen,
