The Dreezlog




OK I admit I'm old school. I was on the original team that designed one of the first firewalls to market - The Sidewinder with Secure Computing (now McAfee/Intel). Sidewinder was my baby and I loved working at SCC. And even today Sidewinder has some cool features....but it still doesn't have what drew me to be a Check Point fanatic...logging and management.
I made some coin at SCC during the IT boom (and since lost a lot of it) and my low-budget lifestyle allowed me to be an independent security bum who worked to rock climb. But when my pal John Ford offered me this position at Midpoint I jumped. Why you ask? THE FOCUS!!!! baby. I am totally in love with Check Point logging and management. It's almost a phobia. I actually dream about it: features I'd like to add, how to optimize rulesets, cool architectures based on it, reasons why the competitors are so lame. I'll spend an hour trying to explain cross-CMA searches to my girlfriend Gaby. I think even John is sick of my Check Point management speeches.
So here I am Director of Training and Services and this is my open ended unfiltered blog of the good, the bad and the ugly of Check Point and the security industry in general. Hope you are able to pick up some tidbits that enhance your career....and of course buy more Check Points from Midpoint.

Moving blog to

posted Dec 5, 2011, 1:48 PM by Unknown user   [ updated Dec 5, 2011, 1:48 PM ]

Google site blog is very limited so I moved my blog site to wordpress.
Hope to see you there!

Nov 15th, 2011 MDM/P1 Group Meeting Minneapolis MN

posted Nov 16, 2011, 2:29 AM by Unknown user   [ updated Nov 16, 2011, 6:45 AM ]

Once again our MDM user group meeting was well attended, 40 people, biggest attendance yet. Shawna and the CheckPoint team really did a bangup job hittin' it and herding the cats. Obviously the venue was a big hit (Fago Di Ciao), but also people love the technical content. We had Itai Greenberg come from Israel to talk about VSX and Gaia releases coming out next year and some of their features. I didn't write down the details, but here are some high points I can recall (sorry, there are lots of voids here).
GAIA: Release Q2? 64 bit. 1000 commands merge of IPSO and SPLAT.
           Note: No IPv6/IPv4 translation, all or nothing
VSX: Next version comes out on Gaia, they are providing VSX appliances.
VE: Architected so that any changes in VMware do not impact VE
MDM: Provisioning is up for a rehaul.
Thanks to Itai for his LONG travel in a short time...You could see he was tired but stuck with it just for us.
I gave a 5-minute talk on our MDM Enterprise Management class for newbies. Centralized management is a double-edged sword. It can decrease TCO, but doing an Assign-All Domains-Install by a newbie contractor will quickly lead to multi-million $$$ shutdowns. So we feel #1 Training is the only answer and #2 we will be putting up a Cloud CheckPoint Playland so our students can safely practice their new skills after they leave class. Also wanted feedback on putting up a Cloud VSX environment for our MDM group so they can safely play with VSX in an MDM environment.
I think the best part of all our MDM meetings is the social/technical interaction afterwards. Here is the crème de la crème of large enterprise CheckPoint users having the ability to talk about what works and what doesn't work, the good/bad/ugly unfiltered. People stayed until 10pm (I left at 9:30 and they were still going) just talking shop. Discussions I picked up/listened in on between organizations:
  1. How to use MDM in an M&A environment
  2. How to structure workflow with MDM
  3. Cool backup solutions developed internally
  4. Solutions to enterprise mobile iPhone rollouts in an MDM environment
  5. How to migrate from large SmartCenter to MDM environment
  6. How to reduce rulesets using Tufin Auto Policy Generator
Hope we can keep these going!
Minneapolis MDM/P1 User Group Nov 15th, 2011 

Red Alert: R75 Snapshots are broken

posted Nov 15, 2011, 7:29 AM by Unknown user   [ updated Nov 15, 2011, 7:31 AM ]

Just found out from 2 customers that R75 snapshots are broken..kinda. If you are upgrading from R75 to R75.20 and it fails (and it will), you can't just interrupt the boot and revert the snapshot. For some reason you have to rebuild the box as R75 with any hotfixes and THEN do a revert. UGH.
NOTE: When I was at CP support in Irving one advanced support person was trying to fix a huge bank that had corrupt backups/snapshots. They couldn't go forward or backwards.
NOTE: I took apart the snapshot .tgz and it had every file on the SPLAT disk. I really don't know why they can't restore the snapshot.....
Read my blog below on verifying restores and pulling RAID drives.

If I was CEO - MDM would be my only focus

posted Nov 5, 2011, 6:39 AM by Unknown user   [ updated Nov 16, 2011, 6:46 AM ]

Dear Gil,
As you know I am a total Check Point techie addict (aside from licensing). You have personally guided the company to be a billion dollar pillar in the security marketplace and have provided me a good living through it. I couldn't pack your lunch. I know you receive hundreds of unsolicited opinions on how to run your business from the peanut gallery every day and choosing a winner is very complex, but overall you have picked winners. Hats off to you.
So here is another know-it-all opinion from the peanut gallery. Take the gems, flush the turds and go make another billion for all of us.
I understand that Check Point's goal is to grow into a multibillion shekel security behemoth. The current strategy seems to be by offering every flash-in-the-pan security widget known to personkind to the marketplace. Today I noticed you bought another company, Dynasec, specializing in Governance and Compliance. So I ask myself how does Check Point or any company avoid the black hole of getting a sales force to sell so many disparate products. A PRODUCT oriented sales force which already has problems selling too many SKUs now has to learn to sell a SERVICE in a very competitive market. Will Check Point become the next Cisco? Losing focus and having a sales force running in circles selling routers, home firewalls, security services....blenders and who knows what.
MDM management and logging is the core of Check Point that has kept mama and its babies fed through the Ciscos, Junipers, and Palo Altos. WHY? Centralized management reduces TCO...less administrators, higher reliability. Easy focused sell. History has shown us that any attempt to create ancillary products that are not focused on MDM management and logging result in tepid sales at best. WHY? Sales force now has to learn a new product and compete against the best the marketplace has to offer. Very difficult pushing a rope uphill based on price alone.
BEGIN Peanut Gallery:
Any new product/service should be focused on MDM. That way MDM pulls that sale with the TCO pitch vs. pushing a rope uphill in a crowded market as a standalone product where the only competitive selling point is price. Cisco was giving ASA away for free and they still have problems displacing the mighty MDM.
In addition: Quit cannibalizing your OPSEC partners. They usually have awesome products and Check Point is usually 5 versions behind the technology curve. Rather encourage them to integrate into MDM with an API. Or purchase the best OPSEC partner that integrates cleanly into MDM. Or license a portion of the technology (perhaps the low end) and brand it as CP and integrate into MDM.
Example: IPS is the perfect example.  IPS is your only product that integrates (weakly) into MDM. Now look at all your products and SERVICES and do the same. MDM will pull IPS product sales so a sales force does not have to push it uphill based on price alone.
END Peanut Gallery:
OK so we both started in the security business at the same time and you wound up with personal jets and bodyguards and I'm driving a 2006 Scion xA (most reliable car in USA) living in a 900sf condo. I'm just hoping you read this and take the best parts to make another billion so I can move up to a 2009 Scion xD (most reliable car in USA) and maybe buy this 1200sf condo I've been looking at.

MDM Architecture - Part II

posted Oct 28, 2011, 5:41 AM by Unknown user   [ updated Oct 28, 2011, 6:49 AM ]

So I think I've established you can't design your MDS architecture just thinking about your own job security. You have to think about the whole environment over the whole MDM life cycle. Ease of administration is a huge criterion here.
Global sharing is a great concept, but it does have pitfalls (can't rename globals, can't delete some global objects (policies), can't delete global objects in local policies, hard to locate global objects, can't nest global policies, global database locked out by a single administrator, few global tools like global provisioning/monitoring/strict IPS/logging). Until MDM is implemented in a true SQL database I don't feel that they will fix many of these problems.
SOOOOO Until that day happens we have to live with what we have...which is still the greatest enterprise management tool on the planet.
1) Common Policies: Think about it from a policy point of view. Is there a group of local policies that are 80/90% similar? Group similar local policies into one domain and use either the INSTALLON field or separate saved policies to install on groups of firewalls. Now these are a bit tricky because you need procedures to make sure a rule is installed on the correct firewall. If you have maverick gunslinging administrators, you may want to think twice about doing this.
2) Mavericks: Do you have administrative mavericks that need their own playpen? Do you do a lot of M&A's with their own administrators? Separate them into their own set of isolated domain(s).
3) Decentralized administration: Are you like Berkshire Hathaway Company - the 8th largest company in the world but only 50-ish employees at headquarters in Nebraska (look at their web page once)? I can assure you they have decentralized administration. A decentralized firm should have (maybe even multiple MDM environments) a global policy (or set of global policies) for each of the sub-firms, then delegate administration to sets of domains for that firm. Note that this will require strict procedures so that sub-firms respect the integrity of other sub-firms' global policies if they have write access.
4) Global VPNs: If you want to set up Check Point VPNs between Domains NOT under the same global policy...Research global VPNs before you do.
5) Ignore IPS: IPS really doesn't impact MDM architecture. MDM can't enforce IPS on domains, only offer IPS profiles to use if they want.
6) Separation of Duties: Remember that if you have separation of duties between security admins that create policy and NOC/Help Desk that REASSIGNS and installs policy, that the NOC will then have to have superadmin permissions and access to all global domains. If this is a problem, you may consider having multiple MDMs.
7) Security Zones: Let's say you want to map PCI security zones into global policy or isolated Domains. The problem here is that it may be at cross-purposes with the other policies that are business based, so now you are crossing administrative boundaries. Make sure you factor in the administrative overhead to do that. Look at who the administrators are and what the business rules are and whether it crosses administrative boundaries. There are better ways to make the auditors happy than only doing this security mapping in MDM (like Tufin).
1) Never Never Never use global objects in local rules.
2) Create a written naming standard for global objects and enforce it. You cannot rename global objects.
3) As long as you are creating a naming standard, might want to create an object color standard too. And then use it to color your security zones. You can change colors, but not names.
4) Global policies are forever. You can't delete them. Use gently.
I'm sure I'll think of more, but that's it for now. This should get you started...

MDM Architecture

posted Oct 26, 2011, 10:21 AM by Unknown user   [ updated Nov 9, 2011, 4:17 PM ]

So these are the MDM ultimate questions I'm not sure anyone can answer (art vs science) but I will attempt to anyway.
1) When do I switch from SmartCenter to MDS?
2) How many global policies should I have in MDS?
3) How many domains should I assign to a Global Policy?
4) How many firewalls should I assign to a domain?
5) When do I use global objects vs local objects?
6) When should I start using high availability?
7) When should I start using a multi-domain log server vs. DMS logging?
OK, it's like asking "What color should my next car be?". Not everyone is going to get the same answer.
These are the factors that should guide your decisions:
1) ADMINISTRATION ADMINISTRATION ADMINISTRATION: First and foremost MDM was built to ease administration. ISPs had a tough time keeping all their managed mom-and-pop rulebases separated in a 24x7 shop with lots of administrators (both ISP and client's) over a period of years as administrators came and went. If you are designing an MDS architecture that COMPLICATES administration, then you are going in the wrong direction. HINT: always design for simplified administration.
2) Security: MDM has facilities for global vs. local separation. If you are going at it from a programming point of view, you might be disappointed because it's sure not C++, but more like Pascal - version 1 of global vs. local scoping rules. So if you are a security nut and you decide to separate everything into 300 CMAs...well, on paper it may look good to auditors but look out operationally: backups won't work, policies will take forever to install, upgrades will kill you if you use global objects wrong, etc. HINT: Only separate if you have to, and use multiple policies in a DMS too. Use global objects with caution.
3) Licenses: Check Point's Achilles' heel is licensing. Just assume it's screwed up and go from there. The more complex your environment the more licensing will kill you financially, morally, emotionally, etc. It's broken and every time they try and fix it, the problem gets more complicated and worse. HINT: Keep it simple.
4) Updates: MDS has a facility for updating your environment on a global basis. Right now it's Version 1 so don't bet your kid's schoolbooks on it, but it is a good first step. HINT: don't use for now.
5) Operations: Remember that the ivory tower architecture was not designed by the people doing 3am assign/installs. MDS will break if you get too complex. Example: Backups. Each domain replicates in entirety, binaries and everything. So 250 domains is 250 sets of duplicate binaries. Backups will fail when you have too many domains.
And when an upgrade goes bad, good luck finding which of the 250 domains blew up on you. And then trying to find all locations of that global object you used: CROSS_CMA searches work better but are still not quite there. HINT: keep it simple.
6) Templates: What information do you want to share across firewalls? MDS has several facilities for sharing global information, but you need to first figure out what you would like to share...instead of manually replicating over 300 domains. HINT: keep it simple.
7) Changing environment: Does your company buy and sell other firms? Do you have to deal with sub-divisions that are hostile but will be friendly when you fire all their administrators? HINT: Isolate trouble makers.
8) Upgrades: How will you upgrade your MDS environment? In pieces or all at one time? HINT: keep it simple.
9) IPS: remember that MDS cannot!!! enforce IPS policy on domains. It can only offer global templates to use.
10) You will be replaced: Remember that the MDM has a life cycle outside of your employment contract. Someday you will move on and this monster you are creating has to be managed by someone else. Now you could ensure job security and also create a testament to your supreme god-like existence on this planet by making the MDM so complex that only you understand it and your organization would be foolish to fire such a god as yourself. But if you value your good name, I suggest you think about TCO and MDM life-cycle after your greatness departs from this earth.
11) Logging: Note that when you have a 1:1 firewall:domain mapping, you can only monitor 1 log file per tracker session. If you merge multiple firewalls into one domain, you can watch multiple logs in 1 SmartTracker session. If your environment has a lot of problems in 1 set of firewalls, you might want to merge them into 1 domain so all the logs are sent to the same log server.
Now remember I'm an MDM addict. It is by far the BEST enterprise management solution in the market. But it has its limits.
So my #1 advice is KEEP IT SIMPLE!!!! And ask yourself, are the security nutjobs going to be there at 3am when backups fail?
Mike's Motto: A security system that can't be managed is inherently insecure!!!!
So going to MDS will ease your administrative headaches if you have 200 firewalls all in 1 SmartCenter server. But 200 domains hosted in MDS will NOT NOT NOT ease your total overall administrative headaches (although on paper it seems more secure because of the separation), because you will kill yourself trying to manage the beast...and will probably make mistakes that make the entire architecture insecure because it's soooo complex you can't analyze it.
So it's easy for anyone to sit and cry WOLF!!, but coming up with solutions separates the men/women from the boys/girls.
Hold on as I check my manhood in future editions

Tufin SecureTrack Review

posted Oct 26, 2011, 9:49 AM by Unknown user   [ updated Oct 26, 2011, 9:50 AM ]

I reviewed the basic functions of Tufin SecureTrack. Great tool for:
1) Keeping and comparing versions of policies
2) Keeping auditors away with best practice, PCI, management reports
3) Optimize rulebases with rule hit counts
4) Also can be used for rule reviews
Also the last section has a video on how to set up SecureTrack for this purpose. The book is somewhat vague on setup in an MDS environment.
OK it's rough and wish I had more time to do these but hope you get something out of it.

Check Point Network Debug Cheat Sheet

posted Oct 18, 2011, 3:23 PM by Unknown user   [ updated Oct 18, 2011, 3:23 PM ]

I'm sure there are 1 billion of these, but I created this one for the Unix/CP/Network novice that got thrown into the SPLAT hole.

Indeni - Enterprise Firewall Monitoring

posted Oct 18, 2011, 10:41 AM by Unknown user   [ updated Oct 18, 2011, 10:41 AM ]

I have been reviewing Indeni in our labs. Indeni is like SmartMonitor on an enterprise scale: it can monitor all your firewalls at once.
Here are the highlights.
(OK, video is kinda lame, I put it together in 2 hours)
This is a great example of how Check Point should expand MDS. They should create an OPSEC API for MDS and
let vendors like Indeni build ancillary products. Indeni would appear as another TAB at the top of the Global Policy menu or maybe in SDM.
And obviously ..... NEVER cannibalize your OPSEC partners!!!! Ugh. Let partners do what they do best and let Check Point focus on their core...Enterprise Management and Logging.

Dear CheckPoint - When are you going to enhance MDS?

posted Oct 15, 2011, 5:00 AM by Unknown user   [ updated Nov 16, 2011, 2:26 AM ]

It should be obvious by now that I'm an MDS freak. I actually was dreaming about this stuff last night and had to get up at 5am to document it. Love it. I just wish Check Point would love their MDS as much as I do. It has been years since they've added any major enhancements to MDS (IPS). They actually went backwards by taking out containers in R75.20...bummer for large sites.
Dear CheckPoint,
This is my Xmas wishlist for MDS.
0) MDS API: for OPSEC partners to add more features into MDS.
1) Don't cannibalize your OPSEC partners by incorporating the features they create and build. They usually do it better than CP can because they are focused on it.
2) Global Provisioning: Create another tab in global policies and/or SDM for provisioning GROUPS of firewalls (setting routes, updating passwords, adding users, running scripts). I've heard that IPSO had great provisioning...you have the code, use it.
3) Global Monitoring: SmartMonitor on a global basis for groups of firewalls.
4) Licensing: Oh yeah....the elephant in the room. Licensing is like the US Health Care system. It is sooo complex, soooo broke, sooo expensive and it's killing its clients. And don't fix it with another round of 'simplification'. It's like Obamacare. Marketing makes it sound like a Christmas present, but the reality is it's more complex and expensive. Find another model that works and use that. Then use aggressive license auditing to make sure customers don't cheat.
5) Fix Global SmartUpdate.
6) Global CLI: Look at SmartSplat and build something like it so you can command line into groups of SPLATs all from one view.
7) SQL Database backend: I hesitate on this because debugging configuration files is so much easier than dealing with databases....but we really need a database to enable multiple admins to access global policies concurrently.
8) Global Logging: One SmartTracker interface for all firewalls. SmartEvent is OK, but not for debugging.
9) Force MDS IPS: Force domains to implement Global IPS policy.
10) GlobalBackup: There should be a panel with one button to back up the whole environment and provide status on global backups.
11) More flexible GlobalObjects in Local Rules. Can't be deleted, renamed, etc. This might be fixed if you could build a SQL backend. This is limiting the scope of usefulness of global policy.
12) Global Objects local to their Global Policy: Instead of global objects being global to the world, make them local to the encompassing global policy they are defined in. Programming 101. Might consider using some Object Oriented scoping rules.
13) Granularize administrative permissions so that NOC people can REASSIGN policy, and be more granular on who can install vs. assign.
14) Oh yeah ASSIGN vs REASSIGN....geez louise please rename these to "DESTROYYOURMDSINFRASTRUCTURE" and "REASSIGN POLICY"...and make it extra hard to install on the ASSIGN. Or at least do an autobackup of the DOMAIN to FIREWALL mapping before you ASSIGN.
15) OneClickSync: Right now in HA environments you have to synch each Domain. Would be cool if you could click on the MDM and do a one-click sync for all the Domains. This can be used in case you are going to bring one MDS offline and need to synch back to a single MDS. Also, it's not totally obvious which MDS you are synching to/from; might want to change icons to arrows or something to show direction of synch.
16) OK, here is one of my product ideas. How do you keep your network infrastructure in sync with your firewall's view of the network infrastructure? The routing people randomly delete and add routes. What if they take a DMZ route and add it to the CORE? Now your firewall rule will allow data going to the DMZ to be routed to the core. Life's a bitch.
Gather all the routing tables from all the firewalls. Now gather all the routes from all your routers. First make sure the firewall routes actually exist in the infrastructure. THEN make sure all the firewall network objects actually have real routes in the infrastructure. You have to establish a baseline with this information to make sure your firewall view reflects reality with the network infrastructure. Next: MDS should run a daily report and report on CHANGES between the firewall view and what the routers are reporting. At least now you know if your firewall is in synch with your infrastructure.
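As an added example (my own sketch, not code from this blog, from Check Point or from any MDS feature), here is the last wishlist item worked through in Python: collapse the routers' tables into an infrastructure view, check that every firewall route exists in it in the same zone, check that every network object is covered by a real route, then diff today's findings against an accepted baseline. All firewall names, routes, objects and zones are constructed sample data; the zone-mismatch finding is the "DMZ route moved to the CORE" case described above.

```python
import ipaddress
from typing import Dict, List, Set, Tuple

# A finding is (where, prefix, kind, detail); "where" is a firewall or object name.
Finding = Tuple[str, str, str, str]

# Constructed sample data (not from any real environment).
# Firewall view: per firewall, destination prefix -> zone of the interface it routes through.
FW_ROUTES: Dict[str, Dict[str, str]] = {
    "fw-edge-1": {"10.20.0.0/24": "dmz", "10.30.0.0/16": "core", "10.99.0.0/24": "dmz"},
}
# Network objects used in the firewall's rules: object name -> prefix.
FW_OBJECTS: Dict[str, str] = {
    "dmz_web": "10.20.0.0/24", "core_db": "10.30.5.0/24", "old_lab": "10.77.0.0/24",
}
# Infrastructure view: router name -> (zone the router sits in, prefixes it advertises).
# Here the routing team has moved the 10.20.0.0/24 DMZ route onto the core router.
ROUTERS: Dict[str, Tuple[str, List[str]]] = {
    "core-rtr": ("core", ["10.30.0.0/16", "10.20.0.0/24"]),
    "dmz-rtr": ("dmz", []),
}


def infra_view(routers: Dict[str, Tuple[str, List[str]]]) -> Dict[str, Set[str]]:
    """Collapse all router tables into prefix -> set of zones advertising that prefix."""
    view: Dict[str, Set[str]] = {}
    for zone, prefixes in routers.values():
        for p in prefixes:
            view.setdefault(str(ipaddress.ip_network(p)), set()).add(zone)
    return view


def check_routes(fw_routes: Dict[str, Dict[str, str]], infra: Dict[str, Set[str]]) -> List[Finding]:
    """Every firewall route must exist in the infrastructure, and in the same zone."""
    findings: List[Finding] = []
    for fw, routes in fw_routes.items():
        for prefix, zone in routes.items():
            zones = infra.get(str(ipaddress.ip_network(prefix)))
            if zones is None:
                findings.append((fw, prefix, "missing-in-infra", "no router advertises this prefix"))
            elif zone not in zones:
                findings.append((fw, prefix, "zone-mismatch",
                                 f"firewall says {zone}, routers say {','.join(sorted(zones))}"))
    return findings


def check_objects(objects: Dict[str, str], infra: Dict[str, Set[str]]) -> List[Finding]:
    """Every network object must be covered by a real route (exact or less specific)."""
    infra_nets = [ipaddress.ip_network(p) for p in infra]
    findings: List[Finding] = []
    for name, prefix in objects.items():
        net = ipaddress.ip_network(prefix)
        if not any(net.subnet_of(r) for r in infra_nets if r.version == net.version):
            findings.append((name, prefix, "object-without-route", "no covering route in infrastructure"))
    return findings


def daily_report(fw_routes, objects, routers) -> List[Finding]:
    """The daily report: all route and object findings, sorted for stable diffing."""
    infra = infra_view(routers)
    return sorted(check_routes(fw_routes, infra) + check_objects(objects, infra))


def diff_against_baseline(baseline: List[Finding], current: List[Finding]):
    """Only report what changed since the accepted baseline: (new findings, resolved findings)."""
    b, c = set(baseline), set(current)
    return sorted(c - b), sorted(b - c)


if __name__ == "__main__":
    for where, prefix, kind, detail in daily_report(FW_ROUTES, FW_OBJECTS, ROUTERS):
        print(f"{kind:22} {where:10} {prefix:16} {detail}")
```

Feeding it yesterday's report as the baseline turns the daily run into a change report, which is the part that actually catches a route quietly moving between zones.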
Mama CP, if you could just add one or two of these I'd love you forever.
I'm sure I'll think of more in tomorrow night's sleep.
