
Dear CheckPoint - When are you going to enhance MDS?

posted Oct 15, 2011, 5:00 AM by Michael Endrizzi   [ updated Nov 16, 2011, 2:26 AM ]
It should be obvious by now that I'm an MDS freak. I actually was dreaming about this stuff last night and had to get up at 5am to document it. Love it. I just wish Check Point would love their MDS as much as I do. It has been years since they've added any major enhancements to MDS (IPS). They actually went backwards by taking out containers in R75.20...bummer for large sites.
 
Dear CheckPoint,
 
This is my Xmas wishlist for MDS.
0) MDS API: for OPSEC partners to add more features into MDS.
1) Don't cannibalize your OPSEC partners by incorporating the features they create and build. They usually do it better than CP can because they are focused on it.
2) Global Provisioning: Create another tab in global policies and/or SDM for provisioning GROUPS of firewalls (setting routes, updating passwords, adding users, running scripts). I've heard that IPSO had great provisioning...you have the code, use it.
3) Global Monitoring: SmartMonitor on a global basis for groups of firewalls.
4) Licensing: Oh yeah....the elephant in the room. Licensing is like the US Health Care system. It is sooo complex, soooo broke, sooo expensive and it's killing its clients. And don't fix it with another round of 'simplification'. It's like Obamacare. Marketing makes it sound like a Christmas present, but the reality is it's more complex and expensive. Find another model that works and use that. Then use aggressive license auditing to make sure customers don't cheat.
5) Fix Global SmartUpdate.
6) Global CLI: Look at SmartSplat and build something like it so you can command line into groups of SPLATs all from one view.
7) SQL Database backend: I hesitate on this because debugging configuration files is so much easier than dealing with databases....but we really need a database to enable multiple admins to access global policies concurrently.
8) Global Logging: One SmartTracker interface for all firewalls. SmartEvent is OK, but not for debugging.
9) Force MDS IPS: Force domains to implement Global IPS policy.
10) GlobalBackup: There should be a panel with one button to back up the whole environment and provide status on global backups.
11) More flexible Global Objects in Local Rules. They can't be deleted, renamed, etc. This might be fixed if you could build a SQL backend. This is limiting the scope of usefulness of global policy.
12) Global Objects local to their Global Policy: Instead of global objects being global to the world, make them local to the encompassing global policy they are defined in. Programming 101. Might consider using some Object Oriented scoping rules.
13) Granularize administrative permissions so that NOC people can REASSIGN policy, and be more granular on who can install vs assign.
14) Oh yeah ASSIGN vs REASSIGN....geez louise please rename these to "DESTROYYOURMDSINFRASTRUCTURE" and "REASSIGN POLICY"...and make it extra hard to install on the ASSIGN. Or at least do an autobackup of the DOMAIN to FIREWALL mapping before you ASSIGN.
15) OneClickSync: Right now in HA environments you have to sync each Domain. Would be cool if you could click on the MDM and do a one-click sync for all the Domains. This can be used in case you are going to bring one MDS offline and need to sync back to a single MDS. Also, it's not totally obvious which MDS you are syncing to/from; might want to change icons to arrows or something to show direction of sync.
16) OK, here is one of my product ideas. How do you keep your network infrastructure in sync with your firewall's view of the network infrastructure? The routing people randomly delete and add routes. What if they take a DMZ route and add it to the CORE? Now your firewall rule will allow data going to the DMZ to be routed to the core. Life's a bitch.
 
Gather all the routing tables from all the firewalls. Now gather all the routes from all your routers. First make sure the firewall routes actually exist in the infrastructure. THEN make sure all the firewall network objects actually have real routes in the infrastructure. You have to establish a baseline with this information to make sure your firewall view reflects reality with the network infrastructure. Next: MDS should run a daily report and report on CHANGES between the firewall view and what the routers are reporting. At least now you know if your firewall is in sync with your infrastructure.
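The three checks just described (firewall routes that no router carries, network objects with no real route, and the daily drift report against a baseline), as an added Python sketch that is not part of the original post and not a Check Point feature. Device names, prefixes and the network objects are constructed sample data; in practice the route tables would be collected from the firewalls and routers.

```python
import ipaddress
from typing import Dict, List, Set

RouteTable = Dict[str, Set[str]]  # device name -> set of destination prefixes (CIDR)

# Constructed sample data, not taken from any real environment.
FIREWALL_ROUTES: RouteTable = {"fw-edge-1": {"10.10.0.0/16", "10.20.0.0/24", "172.16.5.0/24"}}
ROUTERS_BASELINE: RouteTable = {"core-rtr-1": {"10.10.0.0/16"}, "dmz-rtr-1": {"10.20.0.0/24"}}
# Today the DMZ prefix has been moved onto the core router: the scenario the post describes.
ROUTERS_TODAY: RouteTable = {"core-rtr-1": {"10.10.0.0/16", "10.20.0.0/24"}, "dmz-rtr-1": set()}
NETWORK_OBJECTS = {"Core_Net": "10.10.0.0/16", "DMZ_Net": "10.20.0.0/24", "Lab_Net": "192.168.7.0/24"}


def routes_missing_from_infrastructure(fw_routes: RouteTable, router_routes: RouteTable) -> Dict[str, Set[str]]:
    """Step 1: firewall routes that no router in the infrastructure carries."""
    known = set().union(*router_routes.values())
    report = {}
    for fw, routes in fw_routes.items():
        missing = routes - known
        if missing:
            report[fw] = missing
    return report


def objects_without_route(objects: Dict[str, str], fw_routes: RouteTable) -> List[str]:
    """Step 2: network objects whose prefix is not inside any firewall route."""
    fw_nets = [ipaddress.ip_network(r) for routes in fw_routes.values() for r in routes]
    orphans = []
    for name, cidr in objects.items():
        net = ipaddress.ip_network(cidr)
        if not any(net.subnet_of(fw) for fw in fw_nets if fw.version == net.version):
            orphans.append(name)
    return sorted(orphans)


def route_drift(baseline: RouteTable, current: RouteTable) -> Dict[str, Dict[str, Set[str]]]:
    """Step 3: the daily report, per router: prefixes added or removed since the baseline."""
    drift = {}
    for dev in sorted(set(baseline) | set(current)):
        before, after = baseline.get(dev, set()), current.get(dev, set())
        if before != after:
            drift[dev] = {"added": after - before, "removed": before - after}
    return drift


if __name__ == "__main__":
    print("firewall routes absent from routers:", routes_missing_from_infrastructure(FIREWALL_ROUTES, ROUTERS_BASELINE))
    print("objects with no real route:", objects_without_route(NETWORK_OBJECTS, FIREWALL_ROUTES))
    print("drift since baseline:", route_drift(ROUTERS_BASELINE, ROUTERS_TODAY))
```

A prefix that moves from one router to another shows up as a removal on the first device and an addition on the second, which is exactly the DMZ-to-core case the post worries about.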
 
Mama CP, if you could just add one or two of these I'd love you forever.
 
I'm sure I'll think of more in tomorrow night's sleep.
 
Love
Mike