MDM Architecture Part IV (I think it's IV)

What is an MDM? Well, you had better start learning what it is, because it's coming to a SmartDashboard near you in a couple of years. In the future there will be only one management console, not two, and it's about time. CP can't hide MDM behind new icons for much longer.

This is the basic problem with MDM to date. It will be rectified in the new version, but I'm not sure exactly how. What follows is my guess from a brief look at the demo.

A Domain is composed of:

  1. A rule
  2. A rule package called a policy
  3. Objects
  4. Firewalls

An MDS is composed of:

  1. Global rules
  2. Global Policies
  3. Global Objects

Not too tough so far.

Next is where the problems start showing up.

A DMS applies a policy to a firewall (yes, it can also do "install on"; forget that for now). So one policy gets installed on one firewall, BUT all DMS objects get installed on ALL DMS firewalls. Seems unfair?

(figure: global components)

(figure: DMS components)

Similarly, a single Global Policy gets applied to a set of domains and to all the policies inside those domains, BUT the Global Objects are applied to ALL domains that have any global policy on them at all. Seems unfair.

(figure: global scope)

So the problem is scoping. Objects are spewed all over the place, while policies have explicit mappings. For example, let's say you want DMS A Rule 1 to be applied to all DMS A firewalls. You'd have to manually duplicate Rule 1 into every DMS A policy. BUT DMS A Object 1 automagically appears on all DMS A firewalls. As the number of firewalls and objects grows, the problem gets worse.

What I think they are going to do to fix this is put scoping rules on all of these. Each object and policy will have a context in which it applies. There will be a firewall policy, a DMS policy and a Global policy. Like the layers of an onion, the global policy will wrap the DMS policy, which will wrap the firewall policy. Similarly, there will be global, DMS and firewall objects.

(figure: the onion of components)

The ‘install on’ field should also exist as an alternative to the above.
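As an added illustration (not Check Point's code, and not from the original post), here is a small Python model of the two scoping regimes described above: today's behaviour, where DMS objects spread to every firewall of the DMS and global objects to every DMS with a global policy while rules travel only with the policy installed on a gateway, and the layered global/DMS/firewall model guessed at in the last few paragraphs. Every name in it (Scope, Item, Domain, Mds, compile_current, compile_onion, policies_missing_rule) and the sample domains, gateways, rules and objects are invented for the example; how the global layer reaches domains in the layered model is an assumption noted in the code.

```python
"""Toy model of object and rule scoping in a multi-domain firewall manager.

Added example, not Check Point code. All names here are invented to
illustrate the scoping argument; the sample domains, firewalls, rules and
objects are constructed.
"""
from dataclasses import dataclass
from enum import Enum


class Scope(Enum):
    GLOBAL = "global"
    DOMAIN = "domain"      # one DMS
    FIREWALL = "firewall"  # one gateway


@dataclass(frozen=True)
class Item:
    """A rule or an object tagged with the context in which it applies."""
    name: str
    scope: Scope
    owner: str = ""  # domain name for DOMAIN scope, firewall name for FIREWALL scope


@dataclass
class Domain:
    name: str
    firewalls: list[str]
    objects: list[str]          # DMS-level objects
    policies: dict[str, dict]   # policy -> {"rules": [...], "install_on": [...]}
    has_global_policy: bool = False


@dataclass
class Mds:
    global_objects: list[str]
    domains: list[Domain]


def compile_current(mds: Mds) -> dict[str, dict[str, frozenset]]:
    """What each firewall receives under the behaviour the post describes.

    Rules reach a firewall only through a policy installed on it, but every
    DMS object reaches every firewall of that DMS, and every global object
    reaches every firewall of any DMS that has a global policy assigned.
    """
    out = {}
    for dom in mds.domains:
        for fw in dom.firewalls:
            rules = set()
            for pol in dom.policies.values():
                if fw in pol["install_on"]:
                    rules.update(pol["rules"])
            objects = set(dom.objects)
            if dom.has_global_policy:
                objects.update(mds.global_objects)
            out[fw] = {"rules": frozenset(rules), "objects": frozenset(objects)}
    return out


def policies_missing_rule(dom: Domain, rule: str) -> list[str]:
    """Policies an admin would have to copy `rule` into to reach every gateway today."""
    return sorted(n for n, p in dom.policies.items() if rule not in p["rules"])


def compile_onion(mds: Mds, items: list[Item]) -> dict[str, frozenset]:
    """The layered model the post guesses at: global wraps DMS wraps firewall.

    Assumption (not stated in the post): a GLOBAL item reaches every firewall
    of every domain, a DOMAIN item every firewall of its owner DMS, and a
    FIREWALL item only its owner. Rules and objects are scoped the same way.
    """
    out = {}
    for dom in mds.domains:
        for fw in dom.firewalls:
            out[fw] = frozenset(
                it.name for it in items
                if it.scope is Scope.GLOBAL
                or (it.scope is Scope.DOMAIN and it.owner == dom.name)
                or (it.scope is Scope.FIREWALL and it.owner == fw)
            )
    return out


def build_sample_mds() -> Mds:
    """Constructed sample: DMS A has two gateways and two policies, DMS B has one."""
    dms_a = Domain(
        name="A", firewalls=["fwA1", "fwA2"], objects=["O1", "O2"],
        policies={"P1": {"rules": ["R1", "R2"], "install_on": ["fwA1"]},
                  "P2": {"rules": ["R3"], "install_on": ["fwA2"]}},
    )
    dms_b = Domain(
        name="B", firewalls=["fwB1"], objects=["O3"],
        policies={"P3": {"rules": ["R4"], "install_on": ["fwB1"]}},
        has_global_policy=True,
    )
    return Mds(global_objects=["G1"], domains=[dms_a, dms_b])


# Constructed scoped items for the layered model.
SAMPLE_ITEMS = [
    Item("R1", Scope.DOMAIN, "A"),       # wanted on every DMS A gateway, written once
    Item("O1", Scope.DOMAIN, "A"),
    Item("O2", Scope.FIREWALL, "fwA1"),  # only fwA1 needs it, so it stays there
    Item("G1", Scope.GLOBAL),
]


if __name__ == "__main__":
    mds = build_sample_mds()
    for fw, got in compile_current(mds).items():
        print("current", fw, sorted(got["rules"]), sorted(got["objects"]))
    print("to put R1 on every DMS A gateway today, copy it into:",
          policies_missing_rule(mds.domains[0], "R1"))
    for fw, got in compile_onion(mds, SAMPLE_ITEMS).items():
        print("onion  ", fw, sorted(got))
```

Running it shows the asymmetry: under compile_current, R1 lands only on fwA1 (copying it into P2 is the admin's job), yet O1 and O2 land on both DMS A gateways, and G1 reaches fwB1 only because DMS B has a global policy. Under compile_onion the same intent is expressed once per item, so R1 reaches both DMS A gateways while O2 stays on fwA1.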

Palo Alto does a similar thing, and I think it's just the next natural step ... and I hope Check Point does it much better!!!

Just my opinion, people.

dreez


blog.lachmann.org

Michael Endrizzi's - St. Paul MN - CheckPoint blog on topics related to Check Point products and security in general.