Check Point vSEC and securing the public/private cloud part 1

Hey everyone, I wanted to talk about Check Point's public/private cloud security solution called vSEC. I am going to make this a series of blog posts, as the public/private cloud space is vast, so I will go through the topics one at a time.

The vSEC product is exciting because it lets you secure East-West traffic while dynamically updating the physical gateways that control North-South traffic, for a holistic security solution. The agility and elasticity of the Software Defined Data Center (SDDC), an ever-changing network that meets your needs, now apply equally to security. Gone are the days of non-stop change controls and a static security system that does not change without manual intervention; now dynamic security on physical devices keeps pace with dynamic virtual ones. This creates a new era in data center security.

Check Point vSEC leverages VMware NSX security automation for dynamic distribution and orchestration of vSEC gateways protecting East-West traffic, while sharing network information with the physical world. If Check Point vSEC detects a malware-infected VM, it tags it and automatically updates VMware NSX.

Meanwhile, as the SDDC changes (locations, IPs, etc.), the Check Point infrastructure, both virtual and physical, is updated with object names and IP addresses taken directly from vCenter and the NSX controller.

I am currently working with my sales partner Jared Keesling and on occasion with Deanna Conrad, both of whom are rock-star account managers here at Check Point. Together we are building a framework for the region that encompasses both security and the dynamic nature of today's ever-changing and growing network. Jared has helped build some amazing relationships in the Arizona, Las Vegas and New Mexico regions. Deanna has helped build some fantastic relationships in Education, Health Care and Government in this same region. Both of these superstar account managers have customers taking advantage of the security, automation, and elasticity of the vSEC product in their networks. I have been privileged to work with both of them as an SE.

Check Point Software realizes the importance of the virtual network both public and private cloud. In fact a recent forecast from predicted that a large portion of enterprise workloads will run in the cloud by mid-2018 either public or private.

It all adds up to an enlarged, complex and blurred attack surface for organizations, so they need a comprehensive solution to bridge security gaps and extend protections, visibility and control from data centers to the cloud in a way that works with the cloud’s elasticity and automation.

The use of cloud technologies, both public and private, such as VMware creates a flexible and cost-efficient landscape. However, the new model of the hybrid datacenter can be more complex and requires a new approach to security. To stay ahead of threats, you need a modern security infrastructure designed for today's dynamic networks. Check Point's vSEC is a leap forward in security architecture, providing a modular, agile infrastructure that, most importantly, is secure.

VMware vRealize Orchestrator and Check Point Software

See how you can use VMware vRealize Orchestrator to build rules inside of Check Point Software. What a great partnership!

Backup your O/S Config in GAIA command line

Many people will open a command prompt in GAIA and run "show configuration" to see how their Check Point is configured. They will then copy and paste that output into Notepad to save for later.

However, there is an easier way to do this: from the CLISH prompt, use the command

save configuration <filename>

The file will be placed in the home directory of the user you are logged in as.

Here is an example:

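Once you have saved configurations this way, the natural next step is to compare a fresh save against a known-good baseline so that unexpected changes stand out. The script below is an added example, not code from the original post or from Check Point: the two snapshots are constructed in the style of a Gaia "save configuration" file, and the list of sensitive statement prefixes is my own choice.

```python
"""Compare two Gaia 'save configuration' snapshots and report drift.
A saved configuration is a list of clish statements ('set ...' / 'add ...'),
so drift is the set difference between a baseline and the current file; a few
statement prefixes are treated as security-relevant and listed first."""

# Constructed samples in the style of a Gaia 'save configuration' file; real
# files are longer and carry a header. The drift is deliberately seeded.
BASELINE = """\
set hostname pocgw
set interface eth0 ipv4-address 192.168.10.10 mask-length 24
set static-route default nexthop gateway address 192.168.10.1 on
set dns primary 198.6.1.2
set ntp server primary 192.168.10.5 version 4
add allowed-client host ipv4-address 192.168.10.50
set user admin shell /etc/cli.sh
"""
CURRENT = """\
set hostname pocgw
set interface eth0 ipv4-address 192.168.10.10 mask-length 24
set static-route default nexthop gateway address 192.168.10.1 on
set dns primary 198.6.1.2
set ntp server primary 192.168.10.5 version 4
add allowed-client host ipv4-address 192.168.10.50
add allowed-client host ipv4-address 203.0.113.7
set user admin shell /bin/bash
set snmp agent on
set snmp community public read-only
"""

# Statement prefixes whose change alters who can reach or administer the box
# (my own list; extend it to match your hardening baseline).
SENSITIVE = ("allowed-client", "user ", "snmp", "password-controls", "web ")

def statements(text):
    """Return the set of clish statements, ignoring comments and blank lines."""
    return {ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith("#")}

def is_sensitive(stmt):
    """True if the statement body (after 'set'/'add') starts with a sensitive prefix."""
    body = stmt.split(" ", 1)[1] if " " in stmt else stmt
    return any(body.startswith(p) for p in SENSITIVE)

def drift(baseline, current):
    """Return {'added': [...], 'removed': [...], 'sensitive': [...]} between snapshots."""
    base, cur = statements(baseline), statements(current)
    added, removed = sorted(cur - base), sorted(base - cur)
    return {"added": added, "removed": removed,
            "sensitive": [s for s in added + removed if is_sensitive(s)]}

if __name__ == "__main__":
    report = drift(BASELINE, CURRENT)
    for kind in ("sensitive", "added", "removed"):
        for stmt in report[kind]:
            print(f"{kind:9} {stmt}")
```

Run it against the file that "save configuration" wrote and a copy kept off-box; the sensitive list (a new allowed client, the admin shell change, SNMP turned on) is what to review first.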

NSA got owned

By now many of you have heard about the NSA hack. Because of this, some vendors have disclosed their vulnerabilities to the community. This has huge potential for issues in many environments worldwide. Today's security administrators have a daunting task: security devices log thousands of network events every day, and new, complex targeted attacks designed to be evasive are difficult to identify and may be hidden within a multitude of other events.

Here is what happened according to an article at techcrunch:

“A group calling itself the Shadow Brokers dumped data online this weekend that it claimed to have stolen from the Equation Group, a hacking team widely believed to be associated with the NSA.

Cisco said in a security advisory that two vulnerabilities in the Shadow Brokers’ data could be used to breach its Adaptive Security Appliance (ASA) software used in its firewalls. “An exploit could allow the attacker to execute arbitrary code and obtain full control of the system or to cause a reload of the affected system,” Cisco’s disclosure says.

The data being offered for sale by the Shadow Brokers is dated between 2010 and 2013, so Cisco firewalls may have been vulnerable for years.

This exploit is referred to in the Shadow Brokers’ dump as EPICBANANA.

The second exploit, EXTRABACON, affects all releases of Cisco’s ASA software — but getting it to work is tricky. The exploit would allow an attacker to take full control of the firewall system, but its complexity — and the fact that Cisco hadn’t discovered and patched it — suggests it was developed by a talented adversary.

Fortinet also said that some of its products released prior to August 2012 contained a vulnerability that would allow an attacker to take execution control over a firewall. More recent versions should not be affected, Fortinet said, although the company noted that its investigation into the code released by the Shadow Brokers is continuing.

Meanwhile, the Shadow Brokers also claim that their exploits will work on firewalls from Juniper Networks and TopSec, but neither company has publicly acknowledged the leak.”

As the IT environment evolves to mobile, cloud and the Internet of Things, it is important for security to be one step ahead of the attackers, not a step behind. Did you know that Check Point Software just received its 12th Recommended rating from NSS Labs? Check Point's Next Generation Threat Prevention (NGTX) with SandBlast™ was tested in the recent 2016 NSS Labs Breach Detection System (BDS) group test, and Check Point earned the NSS 'Recommended' recognition for security effectiveness and value.

An essential ingredient to successfully block unknown malware and zero-day threats is an integrated, advanced sandbox, like Check Point SandBlast Zero-Day Protection. SandBlast inspects files in a safe, virtual environment to discover malicious behavior before it enters the network, and its CPU-level detection identifies and stops attacks at the exploit phase, before malware even has the chance to deploy.

Thwarting APT

Hey everyone, I wanted to tell you about a great blog post that the CTO and Co-Founder of AlgoSec wrote at Infosec Island, in an article titled “Back to basics: how simple techniques can thwart complex APT attacks.”

In the article he states some basic things that everyone can do to lower their risk level. I wanted to share some of his excellent and simple steps for an enterprise. He writes:

“Whilst it is very difficult to prevent attackers from carrying out the first stage in their APT journey – after all, there’s nothing particularly secretive about many OSINT scanning techniques – it is possible to prevent them from laterally moving across your network in search of your valuable data, with some back-to-basics principles.

  • Segment your network. Break up your flat internal network into multiple zones, based on the use pattern and category of data processed within each zone. This segmentation then prevents the APT from jumping from one ‘stepping stone’ machine to another.
  • Place firewalls to filter traffic between those zones. ‘Choke points’ – i.e. firewalls – must be placed between the zones to filter the traffic entering and exiting. In other words, firewalls must be placed on internal, lateral traffic paths, not just your network perimeter.
  • Write restrictive security policies for those firewalls to enforce. Gartner Research has suggested that 99% of firewall breaches are caused by firewall mis-configurations, not firewall flaws. The message is clear – your firewalls absolutely must be configured accurately and intelligently, to analyze and block the kind of internal communications that signal APTs.”

This is excellent advice for anyone looking to lower the risk of APT in their environment, and good practice in any event. In the article he also explains the steps an attacker takes to infiltrate your network. See the full article here: http://infosecisland.com/blogview/24803-Back-to-basics-how-simple-techniques-can-thwart-complex-APT-attacks.html

 

How to use command line for first time wizard in Check Point

I have been asked by many people how to use the command line to get a system configured. My earlier post on installing a system with just a serial cable and Ethernet (see: How to install Check Point without getting on a plane) gets the code you want onto your box. Now, over the same serial connection, we can configure it using a template and the command config_system.

Procedure:
1) Create the template file:
[Expert@HostName:0]# config_system --create-template /path_to/name_of_template_file
2) Edit the template file you created and assign the desired values in the relevant fields (see the example file below).
 Note: to enable / disable IPv4 and IPv6, define the following fields:
      ipstat_v4 (manually / off)
      ipstat_v6 (manually / off)
      Starting from R80.10, these parameters have default values, but in older versions you must configure them (manually or off).
3) Save the file.
4) Test that your file is valid (dry run):
[Expert@HostName:0]# config_system --dry-run --config-file /path_to/name_of_template_file
5) Apply the file:
[Expert@HostName:0]# config_system -f /path_to/name_of_template_file
6) Reboot the machine to complete the configuration.

Here are all the flags that you can use and what they do.


Example of how you edit the file using “True or False” answers:

# Mandatory parameters - change the values specific to your setup
hostname=NEW_GW
ftw_sic_key=

# Mandatory parameters - do not change
install_security_managment=false
install_security_gw=true
gateway_daip=false
install_ppak=true
gateway_cluster_member=false

Here is an example of a gateway configuration template for a cluster member ready to be connected to management. (For a single box ready for management, change the line gateway_cluster_member=true to false.)

After you use the config_system command to create a template, you will have a file that looks like the one below. If a cluster member is what you want, make yours look like mine, changing the fields appropriately (hostname, IPs, etc.). Remember to practice this first!

(To make the template see above)
#########################################################################
# #
# Products configuration #
# #
# For keys below set "true"/"false" after '=' within the quotes #
#########################################################################

# Install Security Gateway.
install_security_gw=true

# Install Acceleration Blade (aka Performance Pack).
install_ppak=true

# Enable DAIP (dynamic ip) gateway.
# Should be “false” if CXL or Security Management enabled
gateway_daip="false"

# Enable/Disable CXL.
gateway_cluster_member=true

# Install Security Management.
install_security_managment=false

# Optional parameters, only one of the parameters below can be “true”.
# If neither primary nor secondary is specified, a log server will be installed.
# Requires Security Management to be installed.
install_mgmt_primary=false
install_mgmt_secondary=false

# Provider-1 parameters
# e.g: install_mds_primary=true
# install_mds_secondary=false
# install_mlm=false
# install_mds_interface=eth0
install_mds_primary=
install_mds_secondary=
install_mlm=
install_mds_interface=

# In case of Smart1 SmartEvent appliance, choose
# Security Management only, log server will be installed automatically

#########################################################################
# #
# Products Parameters #
# #
# For keys below set value after ‘=’ #
#########################################################################

# Management administrator name
# Must be provided, if Security Management installed
mgmt_admin_name=

# Management administrator password
# Must be provided, if Security Management installed
mgmt_admin_passwd=

# Management GUI client allowed e.g. any, 1.2.3.4, 192.168.0.0/24
# Set to "any" if any host allowed to connect to management
# Set to "range" if range of IPs allowed to connect to management
# Set to "network" if IPs from specific network allowed to connect
# to management
# Set to "this" if it's a single IP
# Must be provided if Security Management installed
mgmt_gui_clients_radio=
#
# In case of "range", provide the first and last IPs in dotted format
mgmt_gui_clients_first_ip_field=
mgmt_gui_clients_last_ip_field=
#
# In case of "network", provide IP in dotted format and netmask length
# in range 0-32
mgmt_gui_clients_ip_field=
mgmt_gui_clients_subnet_field=
#
# In case of a single IP
mgmt_gui_clients_hostname=
# Secure Internal Communication key, e.g. "aaaa"
# Must be provided, if primary Security Management not installed
ftw_sic_key=sweet

#########################################################################
# #
# Operating System configuration – optional section #
# #
# For keys below set value after '=' #
#########################################################################

# Password (hash) of user admin.
# To get hash of admin password from configured system:
# dbget passwd:admin:passwd
# OR
# grep admin /etc/shadow | cut -d: -f2
#
# IMPORTANT! In order to preserve the literal value of each character
# in the hash, enclose the hash string within quotes,
# e.g. admin_hash='put_here_your_hash_string'
#
# Optional parameter
admin_hash=''

# Interface name, optional parameter
iface=eth0

# Management interface IP in dotted format (e.g. 1.2.3.4),
# management interface mask length (in range 0-32, e.g. 24) and
# default gateway.
# Pay attention: if you run first time configuration remotely
# and you change the IP, in order to maintain the connection,
# the old IP address will be retained as a secondary IP address.
# This secondary IP address can be deleted later.
# Your session will be disconnected after the first time configuration
# process.
# Optional parameter, requires "iface" to be specified
# IPv6 address format: 0000:1111:2222:3333:4444:5555:6666:7777
# ipstat_v4 manually/off
ipstat_v4=manually
ipaddr_v4=192.168.10.10
masklen_v4=24
default_gw_v4=192.168.10.1

ipstat_v6=off
ipaddr_v6=
masklen_v6=
default_gw_v6=

# Host Name e.g host123, optional parameter
hostname=pocgw

# Domain Name e.g. checkpoint.com, optional parameter
domainname=

# Time Zone in format Area/Region (e.g. America/New_York or Etc/GMT-5)
# Pay attention that GMT offset should be in classic UTC notation:
# GMT-5 is 5 hours behind UTC (i.e. west of Greenwich)
# Enclose time zone string within the quotes.
# Optional parameter
timezone='Americas/Arizona'

# NTP servers
# NTP parameters are optional
ntp_primary=192.168.10.5
ntp_primary_version=
ntp_secondary=
ntp_secondary_version=

# DNS – IP address of primary, secondary, tertiary DNS servers
# DNS parameters are optional.
primary=198.6.1.2
secondary=
tertiary=

See sk69701 for more information.
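Because a typo in this file only surfaces when you run the dry run on the box, it helps to pre-check the rules the template's own comments state: the true/false keys, the one-of install_mgmt_primary/secondary rule, gateway_daip versus cluster or management, the SIC key, and the address fields when ipstat is set to manually. The script below is an added example, not Check Point's tool; the sample template is constructed and deliberately carries the unclosed quote on the timezone line.

```python
import ipaddress

# Constructed sample modelled on the template above, valid except for one defect: the unclosed quote on the timezone line.
SAMPLE = """\
install_security_gw=true
install_ppak=true
gateway_daip="false"
gateway_cluster_member=true
install_security_managment=false
ftw_sic_key=sweet
timezone='Americas/Arizona
"""

def parse_template(text):
    """key=value lines -> dict; '#' and blank lines skipped, quotes stripped."""
    values, errors = {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, val = line.partition("=")
        val = val.strip()
        if val and val[0] in "'\"":          # quoted value: both ends must match
            if len(val) < 2 or val[-1] != val[0]:
                errors.append(f"line {n}: unbalanced quote in {key.strip()}")
            val = val.strip("'\"")
        values[key.strip()] = val
    return values, errors

def validate(text):
    """Apply the rules stated in the template's own comments; return problems."""
    v, errors = parse_template(text)
    on = lambda k: v.get(k, "").lower() == "true"
    for k in ("install_security_gw", "install_security_managment", "gateway_daip",
              "install_ppak", "gateway_cluster_member"):
        if v.get(k, "").lower() not in ("true", "false"):
            errors.append(f"{k} must be true or false")
    if on("install_mgmt_primary") and on("install_mgmt_secondary"):
        errors.append("only one of install_mgmt_primary/install_mgmt_secondary may be true")
    if on("gateway_daip") and (on("gateway_cluster_member") or on("install_security_managment")):
        errors.append("gateway_daip must be false with CXL or Security Management")
    if not on("install_mgmt_primary") and not v.get("ftw_sic_key"):
        errors.append("ftw_sic_key required when primary Security Management is not installed")
    for ver, bits in (("v4", 32), ("v6", 128)):   # absent ipstat is allowed since R80.10
        stat = v.get(f"ipstat_{ver}", "").lower()
        if stat not in ("", "manually", "off"):
            errors.append(f"ipstat_{ver} must be manually or off")
        elif stat == "manually":
            try:   # address, mask length and gateway must all be usable
                for f in ("ipaddr_", "default_gw_"):
                    ipaddress.ip_address(v.get(f + ver, ""))
                if not 0 <= int(v.get(f"masklen_{ver}", "")) <= bits: raise ValueError
            except ValueError:
                errors.append(f"{ver} address, mask length or default gateway invalid")
    return errors
```

Call validate() on the text of your edited template before copying it to the box; an empty list means the checks above all passed.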

Flaw in Facebook Messenger found!

Check Point Software disclosed details about a vulnerability found in Facebook Messenger, both in the online and mobile applications. Following Check Point’s responsible disclosure, Facebook promptly fixed the vulnerability.

Check Point security researcher Roman Zaikin discovered that the vulnerability allowed an attacker to control a Facebook chat and adjust messages at will, including deleting them and replacing text, links, and files.

There are a few potential attack vectors abusing this vulnerability, one of which could be used to distribute malware. These schemes could have a severe impact on users due to Facebook's vital role in everyday activities worldwide.

Check out a video demo of it here:

You can also read the specifics here:  http://blog.checkpoint.com/2016/06/07/facebook-maliciouschat/

 

How does Amazon Web Services work?

I wanted to tell everyone about a blog post written by Nick Matthews that describes in depth how all the connectivity works in AWS. Nick defines the terms used by Amazon, and what they mean. In his blog he uses some great network diagrams to help explain how it all fits together.

Check it out here:

https://aws.amazon.com/blogs/apn/amazon-vpc-for-on-premises-network-engineers-part-one/

https://aws.amazon.com/blogs/apn/amazon-vpc-for-on-premises-network-engineers-part-two/

There is also a 45 minute video on YouTube that walks through the AWS network presentation:

Did you know? Check Point vSEC is a family of products that delivers advanced threat prevention security to public, private and hybrid cloud and software-defined data center environments. Easily and affordably extend security to your Amazon cloud using rapid one-click deployment of the vSEC gateway, which is available in the AWS Marketplace. Policy management is simplified with centralized configuration and monitoring of cloud and on-premises security from a single console.

You can read more about vSEC here: http://www.checkpoint.com/products-solutions/private-public-cloud/index.html