Category Archives: Product Review

R80 – wow

I’m blown away. I’m stunned. I’d sell my kids’ schoolbooks to use it (I don’t have kids). It is my inner glow.

In the past year I have used:

  • Cisco’s new security management GUI
  • Palo Alto’s Panorama (sounds like it’s from the Jetsons cartoon)
  • NSX Distributed Firewall
  • R80 Checkpoint

And R80 blows away all the other vendors.

And get this….I think they even tested it before they released it. I know, even I am stunned. OK, there are still some bugs and dealing with CP arrogance is a pain but R80 makes it all OK. They actually thought about the user experience and enhanced its enterprise management capabilities to allow scaling. It is true art.

TESTED: Just basic SmartDashboard on an R77.30 gateway. I did not test MDS or the R80 gateway, which are coming out soon.

[ IN PROGRESS ]

cool things:

  • Was in 77.30: Deep inspection of objects. You can search through hierarchies of groups to find a base object like 1.1.1.1. Both in rule base and object finder. The search is like google or you can qualify it. Just beautiful.
  • pencils on rules that identify items that were modified
  • Local copy of changes that you publish and share with others, finally concurrent access
  • SmartLog embedded into Dashboard and interacts with it – very very cool
  • 14-second vs 2-minute policy installs – very cool
  • The desktop GUI is API driven. From the GUI you can open a console to the management server and issue API statements.
  • Add to groups from a menu, and the menu stays up until you are done, which makes it easy to add to groups. Several ways to group. Grouping is key to scaling a management environment.
  • Import/Export domain worked flawlessly
  • Can export into spreadsheet rules and objects. Needs a bit of work but step in right direction
  • Licensing is actually a bit easier (I thought I’d never say this) to manage

Bad:

  • Looks like they will not implement more scoping beyond global/local objects as in the past. I loved PAN’s implementation of global/domain/firewall/zone scoping. When microsegmentation hits, I think we will even need scoping on a per application basis. So application PAYROLL has its own rule/object database and can inherit/export to other databases.
  • crashes now and then
  • Where is SmartTracker? :-( ...but you can use the R77.30 Tracker!!! Thank YOU!
  • For the same event, data in Tracker is different than in SmartLog
  • vSec integration is pretty basic. You can only see security tags, can’t manipulate them
  • Software update notifications are fudged at this time
  • Can’t import rules and objects from spreadsheet
  • Application-site objects have a flaw: if you use them like groups, your rulebase may become corrupted in how it evaluates rules, because you might have duplicate application objects and it does not alert you.
  • Searching through groups with exceptions doesn’t work right.

I’ll update this as I use it more, but so far kudos. For large environments you might want to wait until more bugs are ironed out, but for smaller installations you will never look back.

Inner Glow YAAAAH!

dreez


PA Daily Operations update – From The Trenches

Firewalls have been around for 25+ years and at this point, to me, a firewall is a firewall no matter what the label on the box says. I am totally mystified why organizations randomly jump from one vendor to another based on technology alone. I know licensing costs soar, support sucks, platforms are unstable, etc. But in the end a firewall is a firewall and the grass doesn’t get much greener after you make the switch. You probably get 1 year of cheap hardware and kiss-ass support before you swirl to the bottom of the toilet as the new vendor pulls in new customers and forgets all the fireworks they promised would fly from your behind.

So yes I am talking the PA vs. CP debacle. PA is a fine firewall (if you don’t turn on all the misc junk). CP is a fine firewall (if you don’t turn on all the misc. junk). PA is a massive marketing machine the earth has never before seen. CP has an incredible enterprise management and logging infrastructure that can’t sell snow to Eskimos.

I just spent 3 hours in a PA hands-on class. Been 5 years since touching one. My reaction: painful. Why? Because from the marketing rah-rah I was expecting fireworks would fly from my behind. The reality is: it’s just another firewall. The web interface reminds me of all the other freeware java/ajax shaky hope-to-god-this-works GUI firewall interfaces. Or maybe they hired a bunch of ex-Cisco CSM programmers and sent them to Web development school for 6 weeks. I mean it’s OK, but primitive compared to CP for an enterprise environment. Their logging just sucks compared to SmartLog.

I just don’t get it, but kudos to their marketing machine.

I have friends at another enterprise corp that spent millions and countless hours to switch. Years ago they had about 300-400 CP firewalls and ~5-10 firewall people. NOW:

  • ~50 firewall bodies
  • PA management and logging is OK but definitely not as good as CP
  • It is stable
  • App control is starting to be deployed and mostly works sometimes
  • Various 3rd-party analysis tools (Tufin, FireMon, etc.) don’t work, so rule reviews are difficult
  • EXPENSIVE
  • Support is hot/cold

So millions were spent and countless hours were toiled and they went from Point A to Point A with 5x more bodies. How did that increase security? How did that lower costs?

Summary: Don’t drink the Kool-aid. Understand what your end goal is, don’t just go from Point A to Point A. Spend those funds on more important security projects that have a cost/benefit.


Palo Alto Threat Detection review from the trenches

So I have a friend of mine XXX who has been through several iterations/implementations of IPS, DLP, Firewalls, Threat Detection because someone drank Vendor YYYY kool-aid. XXX is much like me — dealing with CheckPoint can sometimes be a pain and it’s getting real old, but CP management and logging (SmartLog) keeps us with the home team.

XXX’s mgt drank the Palo Alto kool-aid so XXX brought me up to date on the good/bad/ugly of PA’s threat detection environment.

So here it is in my words with XXX’s review:

PROS:

  • Scoping for objects/rules is great: firewall, zone, global. Wish Checkpoint had this
  • Licensing is easier
  • Solid as a rock, good quality
  • IPS between Palo and CheckPoint is about the same

CONS:

  • Logging cannot compare to SmartLog. Some cryptic form of regex
  • Trying to correlate logs in centralized logging is very difficult – each log type (Firewall, URL, Threat, etc.) has its own log entry, and the only way to tie them together is the session ID, which is reused about every 2 weeks. Very difficult when there are multiple firewalls that use the same session ID.
  • They don’t even have a true DLP; it is called Data Filtering. It will not take full regex entries, therefore the false positive rate is very high for SSN and CC
  • WildFire only scans specific file types and does far less than FireEye. It also will only scan a file that is 10 MB or lower, so some files can get through. [Getting exact numbers from FireEye.]
  • Rules are easy to enter; where it becomes difficult is if you want to split responsibilities between network and security. In order to enable URL filtering, IPS or data filtering they need to be added to a rule.
  • no “Where Used” function until last release
  • Expensive!
  • Checkpoint has more of a true DLP, Palo has data filtering
  • Support has been poor
  • FYI: XXX LOVES!!! FireEye. Every firm I’ve worked with has said the same. What SmartLog is to me, FireEye is to them.

Summary: Detection systems are weak and forensics capabilities (log searches/correlation) are even weaker.
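The session-ID problem in XXX’s second con is worth seeing concretely. What follows is an added example (my code, not anything from the post and not Palo Alto’s real log format: the log lines are constructed in a simplified "device time type session-id key=value" layout, and the one-hour idle window is an assumption, not a vendor value). It first joins the entries the naive way, on session ID alone, and then keys on (firewall, session ID) and opens a new session when an ID reappears after the window, so reuse across boxes or across weeks stops merging unrelated traffic.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a simplified "device time type session-id key=value ..." layout.
# This is NOT real PAN-OS syslog output; it only models the fields the text talks about.
SAMPLE_LOG = """\
fw-a 2015-06-01T10:00:00 TRAFFIC 1234 src=10.1.1.5 dst=203.0.113.9 app=web-browsing action=allow
fw-a 2015-06-01T10:00:01 URL 1234 url=example.org/login category=business
fw-a 2015-06-01T10:00:02 THREAT 1234 sig=sql-injection severity=high
fw-b 2015-06-01T10:00:03 TRAFFIC 1234 src=10.2.2.7 dst=198.51.100.4 app=ssl action=allow
fw-a 2015-06-15T09:30:00 TRAFFIC 1234 src=10.1.1.99 dst=192.0.2.8 app=dns action=allow
fw-a 2015-06-15T09:30:01 URL 1234 url=evil.example/beacon category=malware
"""


def parse_line(line):
    """Split one sample line into a dict; the key=value tail becomes extra fields."""
    device, stamp, kind, sid, rest = line.split(" ", 4)
    rec = {"device": device, "time": datetime.fromisoformat(stamp),
           "type": kind, "session": int(sid)}
    rec.update(kv.split("=", 1) for kv in rest.split())
    return rec


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def group_by_session_id(records):
    """The naive join: key on the session ID alone. Every firewall that happens to
    use the same number, and every later reuse of it, lands in one bucket."""
    groups = defaultdict(list)
    for rec in records:
        groups[rec["session"]].append(rec)
    return dict(groups)


def correlate(records, window=timedelta(hours=1)):
    """Key on (device, session ID) and close a session once the ID goes quiet for
    longer than `window`, so a reused ID starts a fresh session instead of being
    appended to the old one. `window` is an assumed idle timeout."""
    sessions, open_sessions = [], {}
    for rec in sorted(records, key=lambda r: r["time"]):
        key = (rec["device"], rec["session"])
        cur = open_sessions.get(key)
        if cur is None or rec["time"] - cur["last"] > window:
            cur = {"device": rec["device"], "session": rec["session"],
                   "start": rec["time"], "last": rec["time"], "entries": []}
            sessions.append(cur)
            open_sessions[key] = cur
        cur["entries"].append(rec)
        cur["last"] = rec["time"]
    return sessions


def summarize(session):
    """One row per correlated session: where it came from and what each log type saw."""
    traffic = next((e for e in session["entries"] if e["type"] == "TRAFFIC"), {})
    return {"device": session["device"], "session": session["session"],
            "start": session["start"].isoformat(),
            "src": traffic.get("src"), "dst": traffic.get("dst"),
            "types": [e["type"] for e in session["entries"]],
            "threats": [e["sig"] for e in session["entries"] if e["type"] == "THREAT"],
            "malware_urls": [e["url"] for e in session["entries"]
                             if e["type"] == "URL" and e.get("category") == "malware"]}


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    print("naive buckets:", {k: len(v) for k, v in group_by_session_id(records).items()})
    for s in correlate(records):
        print(summarize(s))
```

On the sample, the naive join puts all six lines into one bucket for session 1234, mixing fw-a’s SQL-injection hit, fw-b’s unrelated SSL session and a DNS/malware-URL pair from two weeks later; the keyed version yields three separate sessions, each with its own source address and its own list of log types.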

2015 CPX Part Zwei – SDN

UPDATE: CheckPoint R80 and R77.20 (with updates) have announced integration with VMware 6.0, which is great. It’s called vSec. Clarifies many of the questions below. I haven’t seen it (because I’m sitting on a beach in Italy), but hope to do a pro/con when I get back.

========================================Date 5/10/2015 CPX Conference ===============

Summary: CheckPoint R80 is integrating with most of the other SDN players: NSX, ACI, OpenStack. Looks great so far. Problem: (Heard this at CPX) A financial IT guy said his CIO called him and asked for a 600-server farm to do some big data mining on confidential financial data. Classic physical deployments would take 6 months. They did it in 2 weeks – virtual world and scripting. How does/will CP protect this data mining farm?

BEGIN SDN Glossary:

  • North-South Traffic: data traffic in/out of a physical VMware/Virtual host
  • East-West Traffic: data traffic between virtual guests internally within a physical VMware/Virtual host
  • ESXi – VMware’s Hypervisor or operating system that operates on bare metal
  • vSphere – VMware’s total virtual package offering
  • vCenter – VMware’s management station component for managing servers
  • NSX – Networking component of VMware
  • Virtual Guest – An OS environment (Linux, Windows XP, MAC OS, OEM custom product) running in an emulated physical environment on top of a hypervisor (VMware, OpenStack, VirtualBox, KVM, etc). Common operations: virtual guests can be paused and snapshotted, and have an API for automating/monitoring guests.

END SDN Glossary; BEGIN CP VE Glossary: CheckPoint VE is CP’s firewall product that runs in a vMware environment. It has two modes:

  • Network mode – Firewall as you know it runs as a guest in a virtual environment, cannot see any other objects in the virtual environment
  • Hypervisor mode – runs inside the hypervisor, can see all objects in the virtual environment. This allows you to assign a L2 firewall to each virtual guest. So in the end, nothing more than host based firewalling….but saying the word ‘hypervisor’ sounds so much more cool.

END CP VE Glossary. So CP has a couple of problems with VMware right now:

  • Currently not integrated in the latest ESXi 6.0 release at the Hypervisor level (Hypervisor level is like being inside the Windows OS. In Windows if you want a list of all processes you must ask or be inside of the Windows OS to see all the processes. If you want a ‘firewall’ to protect process A from process B you have to be inside Windows OS. Same thing with Vmware Hypervisor.)
  • Management: R75.20 cannot grab VMware objects/IP addresses/network fabric
  • Enforcement: So right now CP is not integrated inside ESXi 6.0 VMware Hypervisor so CP cannot protect East-West Traffic.

The fuzzy details are that CP has integrated with the old VMware 5.5 API, but not the current 6.0. In order to get into the real SDN game the CP firewall must run inside the VMware hypervisor, which is the VMware OS. Specifically it must have access to NSX. Now one CAN today manually spin up CP VE network mode instances (as guests) inside the 600 virtual server farm and manually connect them into the virtual network…..but a human being has to manually configure the firewalls as we do in the physical world, because only humans know the IP addresses and server names and protocols.

What R80 WILL do is use the VMware REST API (see my blah blah on REST) to grab all the VMware objects and their IP addresses. They appear as DataCenter objects (if I remember right) in Dashboard and can be referenced like any other object. Note that these objects are really pointers into the VMware environment, and R80 keeps in sync with VMware, so if the object is deleted in VMware it disappears from CP (a little scary, VMware modifying firewall policy, another discussion).

What R80 can’t do is enforce policy on east-west traffic today because 1) there is no R80 firewall and 2) I’m not sure VMware has released the latest 6.0 API. So I saw demos of the management integration and it looks good. VMware objects look like any other objects, but note they are pointers into VMware and not managed by CP. If all goes as planned, the R80 firewall should be supported in the NSX 6.0 hypervisor. What are the bells and whistles?

  • If a new VM is spun up, you can automatically generate a policy and a L2 firewall to protect it
  • If a VM vMotions from Fargo to Shanghai, the firewall follows it
  • At L2, you can redirect a service/port to the firewall for filtering (this host is infected, inspect all its port 80 traffic), and then back to its original route
  • You can quarantine a VM if it misbehaves and not let it talk or shut it down

All this looks good, just hope they can get it to work. You see some of this in ESXi 5.5.

So someone asked me “What do I think Software Defined Protection is?” Mike, what is “Software Defined Protection”??? Glad you asked. Firewall performance in a virtual world is a game changer. CheckPoint’s edge with Software Defined Protection is that it has been designed from the ground up in software. Performance is based on throwing more CPUs at the problem, and not custom ASICs. Other vendors rely on custom ASICs for performance, so migrating their code to a software-based virtual world requires re-coding and/or loss of hardware-based performance gains. In addition, in the virtual world security will become more dynamically scripted with no expensive slow humans in the chain. Firewalls, rules, objects will become more automatically created and destroyed, all through software. CheckPoint’s R80 has the API and the tools (so they say) to play in a scripted automated world all managed from a single pane of glass centralized security management platform. Now THAT’s Software Defined Protection.

2015 CPX – R80 and CapsuleH

Summary: 2015 CPX was like a continuation of 2014 CPX. No big announcements, usual rah-rah. R80 and Capsule were the focus. As always highlight was talking directly with developers. Lunch was great.


R80: Dorit says it’s out now, techies say Q3. The MDS version is still up in the air. The R80 firewall is in EA. So basically I can’t say when it’s coming out, but I hope to god the QA people are busy. I actually bought some CP stock based on the R80 release.

Capsule: Funny: Gil says “How many people have threat prevention on your mobiles?” About 2 people out of 1300 raise their hands. “See, we can’t even get CP people to use it…that’s why it’s a 5-year plan”. Crowd roars. (Not a direct quote but something like that.)

True Story: I was in Costa Rica on guided tour on steep path on sheer cliff. Guy ahead of me asks his wife to take a picture of him with his iPhone. Wife steps back and almost falls off cliff. He yells “MY IPHONE!!!!”

My read of Capsule is that people care more about their mobile phones than they do their partners. Reduce their battery usage, screw up texting, block mobile data access and they will hunt you down and burn you in your bed. I agree with Gil. Until the bad guys trash your phone and the pain is worse than the impact of the security software, the market has yet to develop. Technology needs to catch up to support the additional load on the device.

I spent most my time tracking down their progress on Software Defined Networking which I think looks exciting and hopefully will be CP’s next ride to the top with R80 management.

The tofu and quinoa warm dish was fantastic. The tofu had a bit of crunch to it.

So the rest of the show was a 2014 repeat telling you to turn on more security stuff, the end of the world is near, the cemeteries are full of people that had computer viruses, we are all going to die.

Random Details in Random Order with Random Comments:


CP Strategy over the years:

  • 2012 CP as security company vs product company- history
  • 2013 3D security rah rah- that’s all history
  • 2014 Software Defined Protection
    • Management
    • Control
    • Enforcement
  • 2015 Software Defined Protection – 2 years in a row

I actually saw SDP described in several talks 2 years in a row by some of top management…so maybe it will stick. I just don’t get how the title has anything to do with the content and how it makes CP stand out from the rest of the horde. Everyone has management, control, enforcement. CP’s edge is Great Centralized Management.

So my frustration with Gil is he does not set CP’s strategy as “Centralized Security Management” and then follow up to say “Last year we said we’d do X, Y, Z and we did X and Y. By 2017 we will do 1, 2, 3, 4.” Capsule is a good example: everyone and their mothers will have mobile protection…but imagine trying to centrally manage security on 100,000 mobile phones. Who is going to do that best? Why is CP better than competitors? By when? What does it look like? What do the analysts think? What kind of revenue numbers? What is the sales strategy?

(To be fair Dorit did some of this, but from an operational point of view, not a visionary point of view)

But then again he does have a private jet and I drive a 2006 Scion.

Who is Check Point this year?

Some guy gave a talk trying to prove with statistics that CP is the best.

  • Best prevention software – Everyone says this, software is still maturing.
  • Best management platform – Agree: but competitors are very close. Needs quality R80 release
  • Best security DNA – Everyone says this but he was right – most people in CP have military backgrounds with the enemy 20 miles from your child’s bed so they do have a security mindset.

Featured Speakers:

  • Michael Morell – former acting CIA director: End of world is near, Chinese hacked his email and wife figured it out, he saw scary stuff
  • Michael Chertoff – former Homeland Security guy: End of world is near, he saw scary stuff

Threat Prevention: 

  • AV is now useless, too many zero day attacks
  • IPS going the way of AV
  • Threat Emulation is the rage….until hackers put a “sleep(till Tuesday)” in their code
  • AntiBot is OK, but bots are using encrypted channels, so it has to look for known DNS names and IP addresses
  • Threat Cloudiness is a must to stay on top of zero-day attacks
  • They bought Hyperwise and Lacoon because the above are pretty iffy, but no one could tell me what they do.

My read: CP’s blades are still maturing but their edge is single pane of glass centralized management. Threat Prevention is not a technical problem, it’s a people management problem. When the sh*t hits the fan, you want all silos in the organization looking at a single pane of glass…not 10 different “Best of Breed” solutions. Single pane of glass security management increases detection rates because people are familiar with a single product, reduces response times, and lowers TCO. This is the value CP brings to the security marketplace.

R80

  • Everyone I spoke to has a different release date. I’m OK with being late, it just has to have the quality this time. I even bought some stock betting on R80.
  • I can’t get 2 people to give me the same picture on R80 MDS. Latest speech is it will be 1 executable, but you can sign into either MDS or SmartDashboard. Last year they said it was all merged…well, that ain’t merged. MDS is long in the tooth and needs more integration with SmartDashboard. The only big differences are
    • you are supposed to be able to have multiple sections of global policy instead of just top and bottom.
    • global objects are broken into chunks instead of one big database
    • you can import chunks of objects into the domains
  • Hit counts on objects
  • Logging integrated into Dashboard
  • I couldn’t get an answer if you can seamlessly copy between domains
  • They realize the future is all about scripted access, so REST API and associated tools is huge
  • Software Defined Networking integration looks cool

Dorit – President

  • Roadmap – Nothing really new just bigger faster
  • I thought this was impressive. A person in our group asked a question about some innocuous technical point on Amazon cloud. Dorit hunted her down 1 hour later to give her an answer…and there were 1300 people at the conference.
  • Dorit also was very responsive to my issues. I heard from internal people that she was pushing buttons trying to make things happen.

Developers

  • As always one goes to CPX to talk to the developers. The afternoons are where you really can connect with the muscle of CP and get the real story. And they can see your pain and try and make a difference.
  • I spoke with several developers from Threat Prevention, SDN, R80. They really want to hear your pain and make a difference, which is a great feeling.

SDN, Clouds

  • Spent 1/2 the show tracking down SDN demos which I am excited about.
  • R80 will integrate into SDN products. Saw some cool demos
  • Separate blog coming

Tufin – Talking the Right Talk

  • Tufin gave a pitch on Cloud Security Management and how big an issue it will be.
  • They are dead on with identifying the problem, Rubin was great
  • In cloud and SDN objects/rules are created by scripts so the scalability and speed of deployment will be mind boggling. Imagine having a script that deploys 1000’s of servers and firewalls and rulesets in seconds. Next there is a network problem and you have to go find it.
  • I’m not sure what their solution is about, but they are the only ones that can talk about the management complexity we are weaving for ourselves.

Looks like the Chicken is sleeping with the Fox

With Palo Alto eating everyone’s lunch looks like the fox and chicken are checking each other out. Desperate times, desperate measures. No atheists in a foxhole. Keep your friends close, keep your enemies closer…

http://blogs.cisco.com/datacenter/aci-checkpoint

My bets are with CP and R80….assuming they get it right. Future blog.


And now for the REST of the story…..

So in my previous rant YAMDS I showed you one way of going through the MDS database. The API for the MDS database is called CPMI. It’s pretty crude and you can’t get to all of the database, but it’s quick and dirty.

R80 will (finally) have a real database behind it and not flat files. If we customers are really all good boys and girls they may even share the schema with us so we know where to find stuff! A very very simple MDS database will look something like this:

[Figure: fw_database – diagram of a very simple MDS database]

Now there are various ways of getting to a SQL database. Let’s compare traditional ODBC to REST

1) ODBC –

A traditional API that allows you to make SQL queries from almost any language that exists. So R80 MDS with an ODBC interface running a web server would look something like this. The web server would have a web page on it with this code:

[Figure: phpodbc – the PHP page that queries the MDS database over ODBC and lists the firewalls]


So your web browser would connect to the MDS web server with this page http://mds/list_firewalls.php, the web server would execute this code and print out the firewalls on your web browser.

[Figure: odbc – the list of firewalls as printed in the browser by list_firewalls.php]

So this is a simple example. The interface could grow to others:

  1. http://mds/delete_all_R65_firewalls/
  2. http://mds/apply_licenses_to_firewalls
  3. http://mds/copy_policies_from_one_firewall_to_another

where the number of URLs and the complexity of the operations are infinite.

PROBLEM: Let’s say a URL blows up in the middle of some complex operation. How will that error be shown to the user? “Error NO 1234256 Abort Operation Fatal Error”. You see this often, don’t you? Well, it’s because the client PC has no visibility into the internal complexity of these URLs.


2) REST

R80 will have a new REST (Representational State Transfer) API which allows one to query the MDS database using HTTP GET/POST/PUT/DELETE commands. These commands can be issued from the command line using ‘curl’ OR from your desktop web browser OR from a PHP script, so it’s very versatile.

These HTTP commands are a simple way to query a database:

GET: RETRIEVE a single record or multiple records
POST: CREATE a new record
PUT: UPDATE an existing record
DELETE: DELETE an existing record

and that’s it! That is REST…<wait for it>

Now for the REST of the story!!!!

OK, so there is a little bit more…the art. There is an art to how you build a REST-full interface. Pre-REST there was the SOAP interface, which was a huge monster pig where you could send batches of commands to a web server and it was very structured, bureaucratic and stoic – so it was probably created by some European Union government workers. REST-full developers revolted against SOAP and tried to find the simplest, laziest way to execute a single command and depend upon the ‘community’ to behave properly instead of being enforced by gigabytes of web server code. So REST-full people are more like socialist coffee-shop dwelling dope smoking Dutch. Hence the REST-A-FARIANs (get it maaaaaan, yaaah maaaan, pass the potato chips maaaaan).

This art can start wars in the developer community: “You aren’t REST-full!”, “Yes I am a REST-A-FARIAN!!!!”. So it will be interesting to see if R80 is REST-full or not…which of course will be subjective depending on which cultural attitude you aspire to.

But these are the basics I gleaned from a cloud-smart friend of mine, Steve Morman, who does cloud stuff running weather web sites.

With REST you have:

  1. Resources: Full URL that points to data in a table in a database (e.g. http://mds/network-objects)
  2. Verbs: Actions to take on these tables (GET/POST/PUT/DELETE, i.e. retrieve/create/update/delete). Notice these are the ONLY 4 actions. You won’t see an action like http://mds/apply_rules_then_delete_objects_then_push_policy_then_drink_your_milk.php
  3. Nouns: The data which is structured more on how the database tables are laid out:
    1. http://mds/rule,
    2. http://mds/license;
    3. http://mds/network-object
  4. Parameters to query for filtering data (e.g. go through network objects filtering on clusters)
    http://mds/network-objects?type=gateway_cluster
  5. Options: MIME header of the HTTP request (e.g. how you’d like to see the returned data formatted, json or xml)
    Example of a generic HTTP header that tells the server how it would like to see the data formatted:
    [Figure: genericheader – a generic HTTP request header; the format preference is carried in the Accept line, e.g. Accept: application/json]


So here is how it all works together (bit simplified)

  1. CREATE a new object
    http://mds/network-object
    POST /network-object HTTP/1.1
    name=fw1&type=gateway&ip=1.1.1.1&interfaces=3&…………..
  2. The POST returns a RESOURCE ID: 74859. This number is used to refer back to the record in the database. This is the glue that ties the client into the database to get records back out.
  3. RETRIEVE the same object
    http://mds/network-object?resource-id=74859 will get the record back

Now are you ready for the art?

Each application interface will describe what good and bad queries look like. Check this out:

https://github.com/WhiteHouse/api-standards

If one specifies http://mds/network-object you will get a single object back because it is singular. If one specifies http://mds/network-objects (plural ‘s’) you will get the whole table back.  That is the ‘art’ in defining how these URLs are to be used.

….and that’s all I got. Simple huh?
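As an added example (mine, not code from the original post, and not Check Point’s actual R80 API: the resource names, fields and table schema below are all assumptions that just mirror the URLs used above), this Python dispatcher puts the pieces together over a small sqlite table. Plural /network-objects returns the table, singular /network-object addresses one record by resource-id, the four verbs map onto SELECT/INSERT/UPDATE/DELETE, ?field=value filters, and the Accept header picks the format. The part worth copying is how the client-supplied filter is handled: column names are checked against an allow-list and values go in as bound parameters, so a query string can never become SQL.

```python
import json
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Constructed schema and seed rows for the example. Assumption: the real R80 schema
# and resource names are not known here; "network_objects" just mirrors the post's URLs.
SCHEMA = ("CREATE TABLE network_objects (id INTEGER PRIMARY KEY, "
          "name TEXT UNIQUE NOT NULL, type TEXT NOT NULL, ip TEXT NOT NULL)")
SEED = [("fw1", "gateway", "10.0.0.1"),
        ("cl1", "gateway_cluster", "10.0.0.2"),
        ("host1", "host", "10.0.0.3")]
FIELDS = ("name", "type", "ip")   # allow-list: the only columns a client may filter on or set


def new_db():
    """In-memory table standing in for the management server's database."""
    db = sqlite3.connect(":memory:")
    db.row_factory = sqlite3.Row
    db.execute(SCHEMA)
    db.executemany("INSERT INTO network_objects (name, type, ip) VALUES (?, ?, ?)", SEED)
    return db


def _as_dict(row):
    return {"resource-id": row["id"], "name": row["name"], "type": row["type"], "ip": row["ip"]}


def list_objects(db, filters):
    """GET /network-objects[?field=value...]: the whole table, optionally filtered.
    Column names come only from FIELDS; values are bound parameters, never spliced in."""
    unknown = sorted(k for k in filters if k not in FIELDS)
    if unknown:
        return 400, {"error": "unknown filter field(s): " + ", ".join(unknown)}
    keys = sorted(filters)
    sql = "SELECT * FROM network_objects"
    if keys:
        sql += " WHERE " + " AND ".join(k + " = ?" for k in keys)
    rows = db.execute(sql + " ORDER BY id", [filters[k] for k in keys]).fetchall()
    return 200, [_as_dict(r) for r in rows]


def create_object(db, body):
    """POST /network-object: insert a record and hand back its resource-id."""
    if not isinstance(body, dict) or any(k not in body for k in FIELDS):
        return 400, {"error": "body needs " + ", ".join(FIELDS)}
    try:
        cur = db.execute("INSERT INTO network_objects (name, type, ip) VALUES (?, ?, ?)",
                         [str(body[k]) for k in FIELDS])
    except sqlite3.IntegrityError:
        return 409, {"error": "name already exists"}
    return 201, {"resource-id": cur.lastrowid}


def get_object(db, rid):
    """GET /network-object?resource-id=N"""
    row = db.execute("SELECT * FROM network_objects WHERE id = ?", (rid,)).fetchone()
    return (200, _as_dict(row)) if row else (404, {"error": "no such resource"})


def update_object(db, rid, body):
    """PUT /network-object?resource-id=N: change one or more allow-listed fields."""
    if not isinstance(body, dict) or not body or any(k not in FIELDS for k in body):
        return 400, {"error": "body may only set " + ", ".join(FIELDS)}
    keys = sorted(body)
    cur = db.execute("UPDATE network_objects SET " + ", ".join(k + " = ?" for k in keys)
                     + " WHERE id = ?", [str(body[k]) for k in keys] + [rid])
    return get_object(db, rid) if cur.rowcount else (404, {"error": "no such resource"})


def delete_object(db, rid):
    """DELETE /network-object?resource-id=N"""
    cur = db.execute("DELETE FROM network_objects WHERE id = ?", (rid,))
    return (204, None) if cur.rowcount else (404, {"error": "no such resource"})


def handle(db, method, url, body=None, accept="application/json"):
    """Route one request (verb + resource + query + Accept) to the table operation.
    Returns (HTTP status, payload) so the client, not the server, decides what to do
    with each outcome."""
    if accept not in ("application/json", "*/*"):
        return 406, {"error": "only application/json is served"}
    parts = urlsplit(url)
    path = parts.path.rstrip("/")
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if path == "/network-objects" and method == "GET":      # plural: the table
        return list_objects(db, query)
    if path == "/network-object":                            # singular: one record
        if method == "POST":
            return create_object(db, body)
        rid = query.get("resource-id", "")
        if not rid.isdigit():
            return 400, {"error": "resource-id must be an integer"}
        ops = {"GET": lambda: get_object(db, int(rid)),
               "PUT": lambda: update_object(db, int(rid), body),
               "DELETE": lambda: delete_object(db, int(rid))}
        if method in ops:
            return ops[method]()
    if path in ("/network-object", "/network-objects"):
        return 405, {"error": "method not allowed"}
    return 404, {"error": "no such resource"}


if __name__ == "__main__":
    db = new_db()
    print(handle(db, "POST", "/network-object", {"name": "fw2", "type": "gateway", "ip": "1.1.1.1"}))
    print(json.dumps(handle(db, "GET", "/network-objects?type=gateway")[1], indent=1))
```

Every operation hands back a status code and a payload instead of blowing up somewhere inside a server-side script, which is the point of the ODBC “Error NO 1234256” complaint above: the client sees exactly which step failed (400 bad filter, 404 missing record, 405 wrong verb, 406 unsupported format, 409 duplicate name). A filter value like type=x' OR '1'='1 simply matches nothing, because it is bound as a literal rather than pasted into the statement.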

The Win?

  1. Simple interface into a database
  2. Can use variety of applications from command line to web browser to access the database
  3. If there are errors in processing they will be on the client side, so there is a better chance you get a decent error from it
  4. You don’t need 1000 URLs on the server to do all types of complex processing. You can still have them, but not required
  5. Processing offloaded from server so theoretically can handle more clients
  6. Cleaner, easier to understand for even the common man like myself

Summary

REST will make R80 a true enterprise-class management server. Any type of management server must be able to import/export data so it can integrate with the rest of the environment using automated scripts. While I love cpmiquerybin, its days are coming to an end.


All Hail REST!

dreez

Many thanks to Steve Mormon, who laid to REST the concepts so simply that even bald old guys like me can understand.


Steve was babysitting his beautiful wife Arah (our climbing partner), who likes to fall down on ice while trail running.


VSX & CoreXL Training- You’ll love the price

So on Oct 13th 2013 I went VSX & CoreXL crazy. I saw the world going virtual, so I wanted to figure out how to balance VSX across millions of processors with CoreXL and how to fine tune it. (I’m sure some sales guy would love to sell that appliance). So I spent 9 months geeking out on Linux internals, talking to developers, etc. I was trying to put a class together for the VSX/CoreXL geeks of the world. We got some interest and lots of emails, but it was a money loser trying to get 10 people into a room in the same city for the right price.

WHY?

Because there are so few CoreXL geeks in the world. 99% of the people just want it to work by clicking on buttons in the GUI and then call support when it blows up. This course is 80% deep dark Linux OS…..boring, geeky, complex, scary.

SOOOOOOOOOO. We decided to just share it for FREE!!!!

I stopped development in May 2014, so the slides are probably 80% complete, but you’ll probably grep some info from them.

CoreXL Slides – Version 5 – 5/24/2014

Maybe someday I’ll put together a class and finish the slides, but for now enjoy.

CoreXL OUT!

dreez

PS: Special thanks to the Chicago Check Point crew Doug Shumaker, Jason Taplitz, Rich Comber and the 10 other Men of Check Point – for listening to me drone on for hours and for their critique.

YAF – Yet another Firewall

So I just got my mitts on an 1100 and have only one question.

WHY?

It is so different from mainline GAIA, it’s almost like buying Yet Another Firewall, YAF. CP’s strength, which I adore, is Single Glass – Centralized Security Management – Lower Total Cost of Ownership – Etc. So WHY introduce a YAF that doesn’t look like, or administer like, mainline GAIA? The GUI is not standard GAIA, the command line is butchered GAIA and the file system is not GAIA-like. I can tell a totally different R&D team developed this YAF.

For large enterprises that are looking to standardize to lower administrative costs…and are borderline CP customers, why not just tip them over the edge to a competitor because the 1100 is YAF. OK, it may be simple and stripped down and stable,etc…but then what differentiates it from the competitors? Why not just keep the Edge series which were AWESOME and super stable rock solid? I’m not getting it.

And then I think of the R&D and support costs of YAF that distracts CP from its main mission – Single Pane of Glass.

Then again Gil has a jet and I have a 2006 Scion…

[Figure: 1100 ScreenShot – the 1100 appliance’s web GUI]

More Pros-Cons of NanoVision

So we hired one of those whiz-bang Cisco geek smart guys who was a Palo Alto admin in his past 2 gigs, about 8,000 users each. These are his pros and cons:

Pros:

  • easy to manage and understand, quick learning curve
  • stable
  • good support
  • licensing is simpler than Cisco and CP
  • good for small shops
  • integration with AD was good
  • Cisco weenie says if you have ASA, it’s a no-brainer to move to PA. If you have CP it is a sideways move, some pluses and some minuses.

Cons:

  • groups have a 500 limit and then you must create more sub-groups for objects
  • Objects can be either global objects or firewall-specific objects. No way for 1 object to be shared by several specific firewalls. Zones are used to assign rules to a group of firewalls but CANNOT hold objects.
  • Small firewalls have limits on the number of objects they support, so be careful with a large number of shared objects, especially if you have lots of global shared objects
  • logging is poor when it scales
  • they are hemorrhaging cash, $200M+ in the last year, when do they hit the wall?

SUMMARY: good for small shops. Larger shops will hit the wall when buying bigger appliances because the underlying software does not scale that well for a large number of objects/users/rules, etc.

Once again MDS has not been replaced, the heart and soul of CP. Everyone and their mother can implement security technologies (ACLs, AV, antibot, IPS, antispam, etc.), but so far only CP can converge them into a SCALABLE single pane of glass security management (as long as they test them this time before they ship!!!)

blog.lachmann.org

Michael Endrizzi's - St. Paul MN - CheckPoint blog on topics related to Check Point products and security in general.