So the birds are singing that they are working on an R80 gateway in order to support the new R80 mgt station features like individual policy module pushes.
Please QA it this time…..
dreez
Got this from a little bird, so can’t take credit.
Use case was datacenter pushing 24Gb through a VSX chassis.
Can it do it?
I was told they got 22Gb on a 21700 through a single VS using this configuration:
4 port 10Gb bond with two ports used on 10Gb line card one and two ports used on 10Gb line card two. The ports have to be split across two different PCIe buses so a single PCIe bus isn't overloaded.
VSLS Cluster (2 members) with 6 virtual systems created
Layer 3+4 bond distribution algorithm
Only one VS used to pass firewall traffic
Single firewall rule - ANY-ANY-ANY-Accept-Log
CoreXL enabled and set for 2 instances for the VS under test
Hyperthreading not enabled
cpmq set rx_num ixgbe 12
Follow these steps on both 21700VS cluster members
1. Create the $PPKDIR/boot/modules/simkern.conf file:
[Expert@HostName]# touch $PPKDIR/boot/modules/simkern.conf
Note: If this file already exists, then there will be no impact from the 'touch' command.
2. Enable the SecureXL parameter 'sim_requeue_enabled':
[Expert@HostName]# echo 'sim_requeue_enabled=1' >> $PPKDIR/boot/modules/simkern.conf
3. Check that the SecureXL parameter was added:
[Expert@HostName]# cat $PPKDIR/boot/modules/simkern.conf
4. Reboot the machine to apply the changes.
Run test from appliance idle state. Between tests, please run:
fwaccel off
fw tab -t connections -x -y
fwaccel on
This will clear the connection table and avoid out-of-state errors in future tests.
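As an added example (mine, not from the post or from Check Point), here is an idempotent version of steps 1 to 3 above. The post's `>>` appends a second `sim_requeue_enabled=1` line if the step is ever run twice; this keeps exactly one `KEY=VALUE` line for the key and reads it back so the step 3 check can be scripted. On a real gateway the file is `$PPKDIR/boot/modules/simkern.conf` as the post says; the path is a parameter here so the functions can be exercised on a constructed scratch file. The reboot in step 4 is still required for the change to take effect.

```shell
#!/bin/sh
# Added example, not from the original post. Idempotent handling of a
# KEY=VALUE kernel-parameter file such as simkern.conf.

# set_kparam FILE KEY VALUE: ensure FILE holds exactly one "KEY=VALUE" line.
set_kparam() {
    file=$1; key=$2; value=$3
    touch "$file"                        # no-op if the file already exists
    tmp=$(mktemp)
    # Keep every line that is not already a setting of KEY (grep -v exits 1
    # when nothing is left, so tolerate that), then append the new setting.
    grep -v "^${key}=" "$file" > "$tmp" || true
    printf '%s=%s\n' "$key" "$value" >> "$tmp"
    mv "$tmp" "$file"
}

# get_kparam FILE KEY: print the value currently set for KEY (empty if unset).
get_kparam() {
    sed -n "s/^$2=//p" "$1"
}

# count_kparam FILE KEY: number of lines that set KEY (should be 0 or 1).
count_kparam() {
    grep -c "^$2=" "$1" || true          # grep -c prints 0 but exits 1 on no match
}

# Demo on a constructed scratch file: running the step twice leaves one line.
demo() {
    dir=$(mktemp -d)
    conf="$dir/simkern.conf"             # stand-in for $PPKDIR/boot/modules/simkern.conf
    set_kparam "$conf" sim_requeue_enabled 1
    set_kparam "$conf" sim_requeue_enabled 1   # second run must not duplicate
    echo "--- $conf ---"
    cat "$conf"                          # the post's step 3 check
    rm -rf "$dir"
}

demo
```

To use it on a gateway, call `set_kparam "$PPKDIR/boot/modules/simkern.conf" sim_requeue_enabled 1` in expert mode on both cluster members, confirm with `get_kparam`, then reboot.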
I work with this awesome Cisco geek who manages ASAs and MARS. Today I walked him through generating a report for his people with SmartLog.
I thought he was going to cry. This normally big tall handsome ex-US-Marine generally stoic person started making squeaky bubbling noises and then just started laughing exclaiming "THAT….IS……AWESOME!!!!!!, It would take me hours or days in MARS and it's so beautiful!!!!"
Which brings me back to my rant…..what the hell is Software Defined Protection? CheckPoint will change the world with their awesome new R80 management station and Dudi’s SmartLog that makes Cisco geeks cry. Everyone and their mother has Software Defined Protection…but how many have a “Single Pane Of Glass Security Management”???
Only CheckPoint – god bless their souls.
Dudi…you made a grown man cry. Love you dude,
dreez
PS: PEOPLE: Just make sure y'all QA it this time.
Have you ever sawed off the branch you are standing on? (TRANSLATION) Locked/Bricked yourself out of a firewall by changing to non-routable IPs, screwing up the sshd_config, blocking ssh, etc.? If not, then you haven’t spent enough years in the field.
Well this is not the total solution, but I found it interesting. The WebUI has CLI access via port 443, and it does NOT terminate at the SSH daemon, just a pseudo terminal. So it's a step down from console access and a step up from SSH. You eliminate port 22 problems and sshd_config problems.
I also think??? R80 will give you access via the SIC tunnel port 18191 via SmartDashboard…I thought I spoke with the guy on this but can’t remember.
CLI ON!
dreez
Summary: I was asking my friend why CPX was so good this year compared to last year's. He said "Less sales RAH RAH, more technical". He was right. They had about 30 developers in tow that knew the real answers. The "rah rah" team seemed to be in the background and only appeared when you needed them, which was great. Oh, and the attitude was much more humble this year for whatever reason. Oh, and they even talked about Quality Assurance a bit, wish I could hear more of this! So for the first time I can say I'd spend my own money going to this conference. Next year I think I might head to EuroCPX on my own dime.
41000/61000 – CoreXL/SecureXL
The 61000 is basically blades in a cage that cost $1 million. Each blade is 20 processors. In dashboard you only see 1 firewall, not even a cluster. Blades are hot swappable and have a variety of redundancy. The 41000 is a $250K small brother of the 61000. Each blade supports 10-40Gbps?? of throughput. They don’t use any special SecureXL hardware accelerator, they just throw more cores at the problem.
R80 SmartEvent/SmartLog Performance
SmartLog: They claim they reduced a 5 minute search to 10 seconds in SmartLog. They claim 1:1 index to log size (we were seeing 3:1). SmartEvent is totally rewritten to use its own SmartLog-like index and is supposed to be super fast. You can get R80 now; it is version agnostic and works with all versions.
SmartDashboard – SubPolicies and Layers
I went back 3 times to the R80 Mgt presentation. I am very excited about the work they are doing and can’t wait to download the EA and try it out.
All of the above has the making of THE BEST Enterprise Security Management Environment on the planet. THIS is what makes and differentiates CP from the wannabees. THIS is what makes me so proud to be associated with this product. Two-Thumbs Plus Up (but please make sure you QA the frigging thing this time. Screw the whiners, take your time and deliver a quality product)
SCADA Demo
Kinda anticlimactic. Lots of FUD, and when the attack happened I kept asking "what happened" and then it ended. I think I missed the point. I guess they are going after more SCADA traffic signatures for app control and IPS. Not sure how mature it is. If you have SCADA traffic, call them; they are very very ambitious to sniff your traffic and create more signatures.
GAIA – Next Steps
Nothing really too cool here, incremental which is OK by me as long as they run it through QA. As long as they stabilize the basic firewall features they can go as slow as they like. If the firewall doesn’t work, might as well get a different product.
Rant and Rave
PREQUEL: I had my best discussion with a gentleman from Atlanta whose name and organization I forgot. CP should hire him as their director of marketing because he painted the picture that Gill and marketing have missed for 25 years: "Single Pane of Glass for Policy and Response". Right now organizations pick best of breed products. Large ones have 2-3 different firewall products (CP and Cisco), 1 SIEM like Envision (sucks), 1 Threat Emulator like FireEye (awesome), 1 IPS like SourceFire (awesome). Best of breed. Unfortunately the threats are coming faster than these best of breeds can respond. When SourceFire picks up a DDOS or FireEye sees an internal compromised system, SLOW BUREAUCRATIC UNTRAINED POLITICAL people have to make phone calls and do change control and fight political battles to respond to the threat. Meanwhile the hackers only have one purpose and do not have to fight those political, training, etc. battles.
While CP may not have all of the best of breed point solutions, they do have the best of breed single pane of glass to respond to zero-day threats. It all starts with awesome management and logging, which allows organizations to have one political boundary, one trained staff, one bureaucratic boundary, one tactical solution to react to zero-day threats in one pane of glass.
But does that sell a CSO or CFO? No.
What sells is the ROI. Imagine only having to have X number of security operations personnel instead of 5x: one for firewalls, one for DLP, one for SIEM, one for AV, one for SPAM, one for URL, one for IPS, one for ….. The numbers may be off but you get the idea.
Basically CP marketing is selling technology (performance, appliances, pretty GUIs). At CPX they pitched their latest theme "Software Defined Protection". What the heck does that mean? How does that save money? How does that differentiate from competitors? How does that make me want to run to the CP Retail Store and buy 10 61000s?? Instead my above description is selling solutions with ROI, and everyone understands ROI. This is the theme The Gill should paint, and every talk and demonstration could echo it and every sales and marketing person could lead with it. Maybe something like "CP: Your single pane zero-day solution" <<<Rah-Rah do the dance here>>. And then every year at CPX The Gill should measure and share with us how far they have come to dominating the Security Management market based on their awesome management environment.
(Then again, The Gill has an awesome jet and I drive a 2006 Scion XA. Who Knows Best?)
My scratchy notes: Not sure this all makes sense…..
CP Geeks, I declare this years CPX a victory. Summary: It feels like that last 5 years (of pain) they have been laying the groundwork for a really cool platform and this year is the first year I can see this happening. Everything is looking good on paper.
9am: The disco starts (the bass is still ringing in my head and it's 10pm at night as I write this).
GIL Shwed, Amon Bar:
– Guess what? hackers are still out there
– Make sure you turn on your antivirus/antibot/IPS,etc
– Buy CP stuff
2012 3D security rah rah- that’s all history
2012 CP as security company vs product company- history
1400 attendees, 30% more than 2013. 600 in 2012. Conference is growing hugely
This years theme: Software Defined Protection based on:
– Enforcement Points: gateways, mobile
– Control: 1) Access Control and 2) Threat Cloud set your policy
– Centralized Unified Mgt: to manage the environment
If the above is confusing, basically they are coming back to their core strengths: Management, logging, enforcement through a single pane of glass.
Threat Cloud: Is basically a virtual machine where they run attachments to see if they modify system files. Then the verdict is distributed to all gateways to make enforcement decisions in real time. They are now opening the Threat Cloud to other parties so they can contribute. All the data will be anonymized. This is an excellent decision. Hackers share info, why shouldn't the defenders? Two Thumbs Up.
OPINION: This is CP’s strength. One platform for analyzing and enforcing decisions near real time. Although as a separate product not a market leader, the full package of management logging enforcement is alone in the marketplace. Very cool. I’m a believer. Just hope they QA it before they release it.
Announcement: Threat Cloud is now Open Threat cloud so other organizations can contribute to it. Very cool,
Announcement: R80 Management in EA. Sign Up. Looks REALLY !!! cool. Only the SmartDashboard version right now working on the MDS version. But two thumbs up on features. Hope they do QA on it.
Observation: MDS, SmartDashboard, SmartLog, SmartEvent, SmartMonitor are being merged into a single product, which makes data analysis so much easier. Not sure why people pay for Envision, ArcSight, McAfee Security Manager as separate products.
Mobile Enforcement: Endpoint will perform Secure Document, Isolated Sandbox and Cloud Filter to filter data sent to device: OPINION: Jury is out. Feels like a really heavy client waiting for the hardware to catch up to support it. Not much experience with it at this point.
Brian Krebs
Amusing talk about his work monitoring the underground. He broke the Target story. He noticed that hackers were selling credit cards with zip codes and figured out that the zip codes were to bypass the geo-location lockouts the banks put on use of stolen credit cards.
His summary was dead on and is what I've been saying for years. Buying a bunch of blinking lights is useless:
1) Figure out who wants to get you
2) Know your enemy
3) Buy talent, not just tools, to do the analysis
4) Go past compliance basics
PERFORMANCE LAB:
61000/41000: Good presentation by Marco on the power of these systems. Really expensive, but I think it is the architecture of future CP products. Basically in your SmartDashboard GUI you see 1 standalone firewall, but the hardware appliance is running 120?? CPUs, all hot swappable, so you just plug in more boards if you need more throughput. They decided to throw CPUs at the performance problem vs ASICs. So clustering and CoreXL are fairly invisible to you at the dashboard. Great concept, hope they QA it.
21000: has a SecureXL accelerator card based on the Tilera processor that is V2 of the NOKIA accelerator card. Only available in 21000.
MultiQueue
There are two semi-new features to improve performance on the gateways:
1) HyperSpec: Turning on Hyperthreading on the processors to double the number of processors. Best used for assisting IPS/ThreatEmulation/etc. CPU intensive work and NOT I/O.
2) Multi-Queue: Assign multiple CPUs to a NIC, where each CPU handles a unique src/dst session for that one NIC. Only enhances I/O performance throughput, NOT CPU intensive performance and NOT more individual sessions.
CoreXL and SecureXL admin are going into the GUI to simplify admin. Here are samples:
VERY impressed.
QA and Training
– QA now has 230 people doing testing. Development has QA sessions every week. But he cautioned that it is a very complex product and will take a while to see results, but R77.10 is a good start. Run away from R76.
– Training: Taken away from sales and embedded into R&D. So training will be on par with software releases. Some very cool classes on Advanced Debug and VSX. Hope they send it through QA.
Met Pete and friends overlooking Potomac: Thanks for getting to know you all there!
Going to bed with a CPX buzz.
dreez
Yes, once again it's that time of year and I will be heading to the conference. Got tons of questions about SecureXL, CoreXL, SAM, optimized drops, R80 MDM. Brian Krebs, who detailed the Target breach, will be speaking.
Remember that CPX is a bit special, so review my CPX How To Guide.
Several people wanted to get together. Fantastic. Email me by clicking on my name below my picture and I'll send you my cell phone and we will gather a posse. Wednesday night is looking good…and I'm staying all weekend to enjoy the sights.