Day 2 – Drinking From the Firehose

Summary: I was asking my friend why CPX was so good this year compared to last year's. He said “Less sales RAH RAH, more technical”. He was right. They had about 30 developers in tow that knew the real answers. The “rah rah” team seemed to be in the background and only appeared when you needed them, which was great. Oh, and the attitude was much more humble this year for whatever reason. Oh, and they even talked about Quality Assurance a bit; wish I could hear more of this! So for the first time I can say I’d spend my own money going to this conference. Next year I think I might head to EuroCPX on my own dime.

41000/61000 – CoreXL/SecureXL


The 61000 is basically blades in a cage that costs $1 million. Each blade is 20 processors. In Dashboard you only see 1 firewall, not even a cluster. Blades are hot swappable and have a variety of redundancy. The 41000 is a $250K small brother of the 61000. Each blade supports 10-40Gbps?? of throughput. They don’t use any special SecureXL hardware accelerator; they just throw more cores at the problem.


R80 SmartEvent/SmartLog Performance


SmartLog: They claim they reduced a 5 minute search to 10 seconds in SmartLog. They claim 1:1 index to log size (we were seeing 3:1). SmartEvent is totally rewritten to use its own SmartLog-like index and is supposed to be super fast. You can get R80 now; it is version agnostic and works for all versions.


SmartDashboard – SubPolicies and Layers


I went back 3 times to the R80 Mgt presentation. I am very excited about the work they are doing and can’t wait to download the EA and try it out.

  1. Two types of policies are much more structured in this GUI, which is great:
    - Access Policies – Rules people write with IP addresses and APPLICATION protocols and User Names. X can get to Y.
    - Threat Prevention – dynamic rules responding to threats (IPS, AV, Threat Emulation, etc.).
  2. Layers: In the picture you can see the 1/2/3 policies above. Those are called layers. Each can be one of the following: Access Control, Application Control, Compliance, DLP (and maybe something else). The screen shows we are currently in the data center policy, which is an access control policy. This policy is executed first, from top to bottom, on every packet. Next, #2 the compliance policy is executed, and then #3 the DLP policy is executed.
  3. Cool thing: you can install each layer separately from the others, so you don’t have to install all of policy and IPS at the same time. I think I said before that policy and threat measures can be installed separately…finally. You can see the policy installation options in this screen.

[Screenshots IMG_1707 and IMG_1704: the layer list and the policy installation options referred to above]

  1. WITHIN!!! A policy you can create subpolicies. These subpolicies are kinda like the current section markers we have now, except each subpolicy can have its own administrative editors. The policy will be executed from top down including all the subpolicies, but each one has a different editor.
  2. Down on the left you can barely see where you can use command line to do everything you want in the GUI. Very cool.
  3. They also have a “Web Services” view, where you can build web screens with SOAP/REST scripts to interact with the management station.
  4. They also added another column (optional) called data awareness. You can specify what types of files to allow/disallow for upload/downloads. Probably from the DLP blade. In the app control column you can say Frank can access YouTube but only for 60 seconds and 6 meg of data or give a file name they can download.
  5. Rules have another action called “Monitor”. They will just log activity but not make an enforcement decision, so you can play out “What If” scenarios.
  6. They do have a view called “Unified” where you can see all policies and threat protection all in 1 pane. Each column per rule is another protection like app control, threat prevention, etc.
  7. They finally support multiple concurrent admin audit. You log in and create a session. This session has all your edits. You can save your session, etc. As you work on rules you lock the rule but not the whole DMS. When you are done with your session you publish it. Only after you publish it can it get installed on gateway. When you click on the rule, you can see the history of edits on that rule.
  8. You can click on a rule and ask to see all the logs for that rule. Very cool.
  9. The gateways can now recognize interfaces as objects like Cisco/Palo/Juniper. You define the interface(s) as a zone and use that as an object.
  10. One thing that has me a bit worried. They say they integrated logging, monitoring, SmartEvent, policy all into one dashboard, which would be really cool. But I think in reality you only see a summary in Dashboard and when you click for more detail it kicks off the standalone SmartWhatever client. Not too impressed, prefer single pane of glass model.
  11. You can file Service Requests from SmartDashboard. Pretty basic, really hope we don’t have to use it much. PLEASE!!! Not after the last 4 years of pain.
  12. Once again, nothing on MDS yet. Still in the thought stage. But very cool start.
  13. I’ll save the best for last. CSV export and import!!!! You can FINALLY import and export objects with CSVs for editing and reimporting. Perfect for enterprises for managing large number of objects. If you are religious, thank you gods.
  14. For provisioning, they do have a script manager. Didn’t get to play with it much, seemed pretty basic.
  15. Change Control: I guess it will somehow integrate with Change Management systems like HP and Remedy, and you can drag and drop from your Change Management ticket window into the management station for IP addresses and a column with ticket information like ticket number and comments from the change control ticket. The links are there; they have to partner up.
  16. Web Based Object Management: So if you have an object group that is dynamic and person XXX is responsible for maintaining the group, you can create a web page with WebServices; they log in with AD and manage only that object and nothing else WITHOUT using SmartDashboard.
  17. I thought?? I saw CLI access VIA the SIC tunnel port 18191 from SmartDashboard, which would be very cool. That would supplement WebUI CLI access via 443 and of course CLI via port 22. Helps a ton in case we lock ourselves out of a box somehow, another avenue.
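An added illustration of the evaluation order described in the layers item and in items 1 and 5 above (a constructed Python model, not Check Point code): ordered layers run one after another on the same packet, a rule that carries a subpolicy lets that subpolicy decide on its behalf, and a Monitor rule only logs and keeps matching. It assumes a drop in any layer is final and an accept needs every layer to accept; the packets and rule names are made up.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed toy model of ordered layers, sub-policies and the "Monitor" action
# described above (not Check Point code). Packets are (src, dst, app) tuples.
@dataclass
class Rule:
    name: str
    match: tuple = ("any", "any", "any")    # src, dst, app; "any" is a wildcard
    action: str = "accept"                  # accept | drop | monitor
    sub_policy: Optional["Layer"] = None    # rule delegates to its own sub-policy

    def hits(self, pkt: tuple) -> bool:
        return all(w in ("any", g) for w, g in zip(self.match, pkt))

@dataclass
class Layer:
    name: str
    rules: List[Rule]
    cleanup: str = "drop"                   # implicit final rule of the layer

    def evaluate(self, pkt: tuple, log: List[str]) -> str:
        for r in self.rules:
            if not r.hits(pkt):
                continue
            if r.action == "monitor":       # logged only; no decision, keep matching
                log.append(f"{self.name}/{r.name}: monitor {pkt}")
                continue
            if r.sub_policy:                # sub-policy (with its own editors) decides
                return r.sub_policy.evaluate(pkt, log)
            log.append(f"{self.name}/{r.name}: {r.action}")
            return r.action
        log.append(f"{self.name}/cleanup: {self.cleanup}")
        return self.cleanup

def evaluate_policy(layers: List[Layer], pkt: tuple, log: List[str]) -> str:
    # Layers run in order; assumed: a drop in any layer is final, accept needs every layer.
    for layer in layers:
        if layer.evaluate(pkt, log) == "drop":
            return "drop"
    return "accept"

def sample_layers() -> List[Layer]:
    # Constructed example: data center access layer, then compliance, then DLP.
    web = Layer("web-team", [Rule("frank-youtube", ("frank", "any", "youtube")), Rule("uploads", ("any", "any", "upload"))])
    access = Layer("data-center", [
        Rule("shadow-ssh", ("any", "any", "ssh"), action="monitor"),   # "what if" rule
        Rule("web-subpolicy", ("any", "internet", "any"), sub_policy=web),
        Rule("dc-ssh", ("admin", "dc", "ssh")),
    ])
    compliance = Layer("compliance", [Rule("no-telnet", ("any", "any", "telnet"), "drop")], cleanup="accept")
    dlp = Layer("dlp", [Rule("block-uploads", ("any", "internet", "upload"), "drop")], cleanup="accept")
    return [access, compliance, dlp]
```

Run the same packet through `evaluate_policy(sample_layers(), pkt, log)` and read `log` to see which layer and rule took the decision, and which Monitor rules merely recorded it.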

All of the above has the makings of THE BEST Enterprise Security Management Environment on the planet. THIS is what makes and differentiates CP from the wannabees. THIS is what makes me so proud to be associated with this product. Two-Thumbs Plus Up (but please make sure you QA the frigging thing this time. Screw the whiners, take your time and deliver a quality product).

SCADA Demo


Kinda anticlimactic. Lots of FUD, and when the attack happened I kept asking “what happened” and then it ended. I think I missed the point. I guess they are going after more SCADA traffic signatures for app control and IPS. Not sure how mature it is. If you have SCADA traffic, call them; they are very very ambitious to sniff your traffic and create more signatures.


GAIA – Next Steps


Nothing really too cool here, incremental, which is OK by me as long as they run it through QA. As long as they stabilize the basic firewall features they can go as slow as they like. If the firewall doesn’t work, might as well get a different product.

  1. Working on 77.20 for more stability THANK YOU!!!!!
  2. They have a routing team in Israel instead of the Nokia crew in California and the Cluster people in Israel. So hopefully routing and clustering will start coming together.
  3. More abilities to upgrade from the GUI from the cloud…I missed some of this. I hate upgrading from the GUI because it freezes and dies so I’ll stick with the CLI thanks.
  4. You can get detailed reports on HFAs, HFs, versions, etc in the GUI. In future will upload to cloud for more reports. OK start, but need inventory of our whole environment, not just 1 gateway at a time.
  5. CPView: Seems to be a really cool CLI tool to view performance issues. Can run on any version NOW. Can see inside the kernel and inside blades to see what they are doing with memory and CPU. Thumbs up.
  6. Performance sizer. Runs 24 hours on a system and can tell you if you need a bigger system. We use it and it is so-so. You have to be able to anticipate internal external User base and doesn’t seem to be based on realistic numbers. Neutral.
  7. CoreXL and SecureXL can be mostly modified within the GUI instead of the command line. Thank YOU!
  8. I saw nothing on fixing licensing hell. Oh well, maybe version R90.
  9. LVM Manager. They have a CLI GUI that lets you dynamically change disk partition sizes. Just front end to lvmmanager from Linux but I like it.

Rant and Rave


PREQUEL: I had my best discussion with a gentleman from Atlanta whose name and organization I forgot. CP should hire him as their director of marketing because he painted the picture that Gill and marketing have missed for 25 years: “Single Pane of Glass for Policy and Response”. Right now organizations pick best of breed products. Large ones have 2-3 different firewall products (CP and Cisco), 1 SIEM like Envision (sucks), 1 Threat Emulator like FireEye (awesome), 1 IPS like SourceFire (awesome). Best of breed. Unfortunately the threats are coming faster than these best of breeds can respond. When SourceFire picks up a DDOS or FireEye sees an internal compromised system, SLOW BUREAUCRATIC UNTRAINED POLITICAL people have to make phone calls and do change control and fight political battles to respond to the threat. Meanwhile the hackers only have one purpose and do not have to fight those political, training, etc. battles.

While CP may not have all of the best of breed point solutions, they do have the best of breed single pane of glass to respond to zero-day threats. It all starts with awesome management and logging, which allows organizations to have one political boundary, one trained staff, one bureaucratic boundary, one tactical solution to react to zero-day threats in one pane of glass.

But does that sell a CSO or CFO? No.

What sells is the ROI. Imagine only having to have X number of security operations personnel instead of 5x: one for firewalls, one for DLP, one for SIEM, one for AV, one for SPAM, one for URL, one for IPS, one for ….. The numbers may be off but you get the idea.

Basically CP marketing is selling technology (performance, appliances, pretty GUIs). At CPX they pitched their latest theme “Software Defined Protection”. What the heck does that mean? How does that save money? How does that differentiate from competitors? How does that make me want to run to the CP Retail Store and buy 10 61000s?? Instead my above description is selling solutions with ROI, and everyone understands ROI. This is the theme The Gill should paint, and every talk and demonstration could echo it and every sales and marketing person could lead with it. Maybe something like “CP: Your single pane zero-day solution” <<<Rah-Rah do the dance here>>. And then every year at CPX The Gill should measure and share with us how far they have come to dominating the Security Management market based on their awesome management environment.

(Then again, The Gill has an awesome jet and I drive a 2006 Scion XA. Who Knows Best?)


Comments

  • Heather On May 12, 2014 at 7:17 pm

    Thanks Michael. I feel like I was there through your comments. Anything on R80 VSX?


blog.lachmann.org

Michael Endrizzi's - St. Paul MN - CheckPoint blog on topics related to Check Point products and security in general.
