Day 2 CPX

So once again I spent my time doing 1 on 1's. I did attend two discussions, for GAIA 2013 and the 2013 Roadmap:

Roadmap: Last year we heard a lot about 3D and The Security Company. No such words this year. This year it's about:

1) Security Access Control
2) Threat Prevention (AV, Threat Cloud, Antibot, DDOS, IPS, etc)

75% of the talks are on Threat Prevention. You will even see this in the new management environment. They will divide the GUI into Security and Threat Prevention.

The new management environment for 2014 looks great. Fine-grained access control for admins (finally), down to the object and rule. Scalability up to 50 million objects in a test environment. They will make it easier to import and export. Still two levels of scope, global and local. I can't get a good answer on whether they are merging SDM and SmartDashboard, which would be critical to me, but I should know more May 6th or so.

So I asked about the whole global-objects-in-local-policy problem. Right now if you use global objects in local policy, upgrading or moving domains is a pain because you have to extract the global objects before migration. They still don't have a good answer. But one trick is to use dynamic global objects instead, which instantiate themselves into the local policy. Haven't thought through how that would all work and whether it could migrate cleanly. Just thought I'd pass it on.

Threat management and Threat Cloud was all pretty obvious stuff because it's been around forever. The CP advantage is that it is all managed from one platform. So first let's see if the management environment is half decent (example: can you manage the whole environment, or just individual domains like now). If the management environment is good, then give the actual sensors a year or so to mature and make sure they actually work. IPS is in pretty good shape. I haven't been exposed to the other blades, so not sure if they work.

Mobile Security: I missed most of this, but something about encrypting a document based on classification, with only the need-to-know clients holding keys to decrypt it. Hopefully I'll be fully retired before I have to implement anything like this. Not just CP, but any vendor trying something like this would be a $250/hour rate that I'd charge. Just way too complex and too many integration issues in the real world. Desktops are just too non-standard, and then your solution also has to work with mobile apps.

Licensing tidbit: So this explains why licensing is so horrible, but doesn't justify it. From Day 1 they wanted to know what customers were using so they could devote resources to that product line. So if customers registered 1 million Mac OS Identity Awareness blades, then they'd swing support and R&D to it. Suggestion: Isn't that what your sales CRM/SAP systems are for? Why are they dumping this on us techies trying to keep the train running?

GAIA: GAIA is getting better in small steps.

1) Auto-update of small hotfixes. You can manage how this is done.
2) Upgrades: FINALLY you will be able to upgrade GAIA and then it will run some self-tests. If the tests fail, it will uninstall and revert. About time. Juniper has been doing this for years.
3) NOTE: SPLAT only supported 1.2M connections no matter how much memory you jammed in. GAIA expands the connection table as you jam in more memory. I still want to know what the supported and theoretical MAX are. I had to run so couldn't ask.

4) Emergency disk. Hey, they finally have an emergency USB that you can build with GAIA in case you need to recover passwords or from a disk crash.

I had 1:1’s with more Identity Awareness (see my other blog) and with advanced routing/clustering.

Advanced Routing/Clustering: So if you have this turned on before R75.46 you probably know what I'm going to say. #1: if you can avoid routing on a firewall, please do. If you really want to do routing, do it on a standalone system. If you really want to avoid phone calls, then upgrade to R75.46. Routed seems stable and the memory leaks seem to have slowed down. Note they haven't figured out full connectivity upgrades yet with routing. Routed does not sync routes with the higher-version member, so even though the state tables sync, the routing does not, and the routes have to converge, which will take several seconds.

SUMMARY: Once again you just have to attend CPX for the 1 on 1's and building relationships. The crew doing the work really want your feedback and are trying hard to do it right. It works both ways: if you don't give feedback, then they don't know what to fix.

As last year, remember that many staff do not speak native English, so speak slowly and purposefully. They may seem inattentive, but it's hard being put into the hot seat and grilled when you don't speak the language or know the culture. Try to establish a friendly dialogue before you ask your questions. Pace yourself. (Oh yeah, don't forget to complain about licensing – just don't yell!)

That’s it for CPX 2013!

Michael Endrizzi's - St. Paul MN - CheckPoint blog on topics related to Check Point products and security in general.