Check Point vSEC and securing the public/private cloud part 1

Hey everyone, I wanted to talk about Check Point's public/private cloud security solution, called vSEC. I am going to make this a series of blog posts, as the public/private cloud space is vast, so I will go through the topics one at a time.

The vSEC product secures East-West traffic inside the virtual environment while dynamically updating the physical gateways that control North-South traffic, for a holistic security solution. The dynamic nature of the Software Defined Data Center (SDDC), its agility, and the elasticity of an ever-changing network now apply equally to security. Gone are the days of non-stop change controls and a static security system that does not change without manual intervention. Now we have dynamic security in physical devices that keeps pace with dynamic virtual ones. This is a new era in data center security.

Check Point vSEC leverages VMware NSX security automation for dynamic distribution and orchestration of vSEC gateways that protect East-West traffic, while sharing what it learns about the virtual network with the physical gateways. If Check Point vSEC detects a malware-infected VM, it tags the VM and automatically updates VMware NSX.

Meanwhile, as SDDC objects change (location, IP addresses, and so on), the Check Point infrastructure, both virtual and physical, is updated with the object names and IP addresses directly from vCenter and the NSX controller.

I am currently working with my sales partner Jared Keesling and on occasion with Deanna Conrad, both of whom are rock star account managers here at Check Point. Together we are building a framework for the region that encompasses both security and the dynamic nature of today's ever-changing and growing network. Jared has helped build some amazing relationships in the Arizona, Las Vegas and New Mexico regions. Deanna has helped build some fantastic relationships in Education, Health Care and Government in this same region. Both of these superstar account managers have customers taking advantage of the security, automation, and elasticity of the vSEC product in their networks. I have been privileged to work with both of them as an SE.

Check Point Software realizes the importance of the virtual network in both the public and the private cloud. In fact, a recent forecast predicted that a large portion of enterprise workloads will run in the cloud, either public or private, by mid-2018.

It all adds up to an enlarged, complex, and blurred attack surface, so organizations need a comprehensive solution that bridges security gaps and extends protection, visibility, and control from the data center to the cloud in a way that works with the cloud's elasticity and automation.

The use of cloud technologies, both public and private (such as VMware), creates a flexible and cost-efficient landscape. However, the hybrid data center is more complex and requires a new approach to security. To stay ahead of threats, you need a modern security infrastructure designed for today's dynamic networks. Check Point's vSEC is a leap forward in security architecture, providing a modular, agile infrastructure that, most importantly, is secure.

VMware vRealize Orchestrator and Check Point Software

See how you can use VMware vRealize Orchestrator to build rules inside of Check Point Software. What a great partnership!

How does Amazon Web Services work?

I wanted to tell everyone about a blog post written by Nick Matthews that describes in depth how all the connectivity works in AWS. Nick defines the terms used by Amazon, and what they mean. In his blog he uses some great network diagrams to help explain how it all fits together.

Check it out here:

https://aws.amazon.com/blogs/apn/amazon-vpc-for-on-premises-network-engineers-part-one/

https://aws.amazon.com/blogs/apn/amazon-vpc-for-on-premises-network-engineers-part-two/

There is also a 45 minute video on YouTube that walks through the AWS network presentation:

Did you know? Check Point vSEC is a family of products that delivers advanced threat prevention to public, private, and hybrid cloud and software-defined data center environments. You can extend security to your Amazon cloud with one-click deployment of the vSEC gateway from the AWS Marketplace. Policy management is simplified by centralized configuration and monitoring of cloud and on-premise security from a single console.

You can read more about vSEC here: http://www.checkpoint.com/products-solutions/private-public-cloud/index.html

 

PAN- Setting The Record Straight

This video, titled 50 Shades of PAN, was posted on YouTube. It really sets the record straight on what they have been claiming. The video shows a sales pitch by Mark McLaughlin, CEO of Palo Alto Networks.

See the video here:

“You can fool all the people some of the time, and some of the people all the time, but you cannot fool all the people all the time.” – Abraham Lincoln

Samsung Research America uses Check Point to secure their Mobile Devices.

Check Point recently deployed Mobile Threat Prevention on Samsung Research America's mobile devices. The challenge was to secure the whole mobile environment. Like employees at every company, Samsung's employees increasingly work on smartphones, tablets, and their own devices.

“Mobile devices don’t operate behind a security infrastructure like corporate PCs, laptops, and servers do…” “Mobile devices are out in the wild, creating potential security issues and enabling malware to enter the Samsung network. There’s no mobile firewall to prevent cyber threats from getting in through emails and apps.” – Steven Lentz, CISSP, CIPP/US, Director Information Security at Samsung Research America

“Check Point had more up-to-date information and automated delivery of the latest malware-related intelligence,” said Lentz. “Check Point Mobile Threat Prevention offers the closest thing to zero-day detection on mobile devices. I like it when a product does what it is supposed to do—and more. Check Point did exactly that.” Check Point Mobile Threat Prevention also integrated seamlessly with AirWatch by VMware MDM and SIEM platforms. Samsung now has comprehensive visibility into mobile threats and automated enterprise-wide security policy enforcement.

See the testimonial: http://www.checkpoint.com/testimonial/samsung-research-america/index.html
Read the full article: http://www.checkpoint.com/downloads/testimonial-related/ccs-samsung-research-america.pdf

“Check Point Mobile Threat Prevention is the best zero-day malware protection possible for mobile devices. There’s nothing else out there with multiple layers of protection. Our IP is secure, and that’s peace of mind.”
Steven Lentz, CISSP, CIPP/US
Director Information Security at Samsung Research America

How Forensics is Better Than Detection

A friend and colleague of mine, Elijah Bagdonas, recently sent me an excellent explanation of Check Point's Endpoint Forensics software. This software is a must have for any enterprise today. I wanted to share his writing with you.

In the world of anti-malware most people are satisfied with good detection capabilities. But when we really stop to think about what detection gives us, it’s rather disappointing. It’s little more than a big red flashing light that says “ALERT: SOMETHING HAPPENED!” The question then becomes: what is that something that happened, and what should I do about it? Here’s where the headache begins.

In most cases of virus detection the administrator has three realistic options:

  • Rely on Anti-Malware quarantine to clean up the mess
  • Re-Image the computer
  • Traditional forensic analysis

In the case of Anti-Malware quarantine we first have to “know” about the malware. We must be able to identify a signature or behavior and be able to stop the infection before it starts. Sometimes malware can occur in a series of processes and we are only able to detect the last element in the chain. If we eliminate the known elements, the unknown elements can propagate again, putting us into an infection loop. We also can’t identify the damage done during the infection. Even though we detect the malware, it may have already accomplished its goal and we have no way of knowing.

Our second option has its own set of headaches. Re-imaging a computer is often the easy way out but it can be of great inconvenience to the user-base. This invasive process can often leave you with lost data and disruptive downtime to the end user resulting in lost productivity. This will also not protect you from future attacks of the same malware.

The final approach is traditional analysis of the machine to see what happened and how it can be reversed. This kind of skill with the advanced malware we see today is very scarce and requires specialized training. Traditional analysis is also very time consuming and costly to perform, and with advanced malware, it can often clean up its own tracks before you get a chance to discover it.

There’s a better way

With the introduction of Check Point’s Endpoint Forensics we now have a way to see the whole picture. By keeping tabs on any and all changes that occur on the system, we can develop a comprehensive image of EXACTLY what happened when the infection hit in an easy to digest roadmap.


In this example, the oem7ec2.exe process triggered a malware event. Since we’ve been keeping tabs on the changes, we can backtrack and find out exactly what happened (even across system boots). Let’s look at the steps that brought us to this point.

  • Chrome process launched
  • Chrome exploit is used while browsing to launch the handle.tmp process
  • The .tmp process schedules a shellcode download to occur on next boot
  • The .exe payload is downloaded and run on startup
  • Malicious code runs and sends personal data to the C&C center

Since we know the whole story and all of the processes involved, we can also see that companysecret.doc was sent outbound resulting in a loss of data.

With this roadmap, not only do we have the complete picture of the steps involved, but a means to clean it up. Knowing all the steps means we can dynamically generate a script to clean up the mess that was left behind for easy remediation.

Armed with knowledge of everything involved it’s easy to see why Endpoint Forensics is clearly better than detection.
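The backtracking Elijah describes, as an added example that is not part of his write-up or of Check Point's product: a small Python script that walks backwards from the process that raised the alert, following parent pids within a boot and the scheduled-task link across the reboot, then derives the data-loss list and a clean-up plan from the same records. The event records, their field names and the paths are constructed for this example.

```python
"""Rebuild an attack chain from recorded endpoint changes and derive clean-up actions.

Added example, not Check Point's code. The event records below are constructed to
mirror the scenario in the post (Chrome -> handle.tmp -> scheduled task -> oem7ec2.exe
-> exfiltration); record kinds, field names and paths are assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class Event:
    boot: int      # boot session in which the record was captured
    kind: str      # process_start | task_schedule | task_launch | file_write | file_read | net_send
    pid: int       # process that performed the action (or was started)
    detail: dict = field(default_factory=dict)


CHROME = r"C:\Program Files\Google\Chrome\chrome.exe"
TMP = r"C:\Users\alice\AppData\Local\Temp\handle.tmp"
EXE = r"C:\ProgramData\oem7ec2.exe"

# Constructed records, in capture order, spanning a reboot between boot 1 and boot 2.
EVENTS = [
    Event(1, "process_start", 100, {"image": CHROME, "ppid": 1}),
    Event(1, "process_start", 101, {"image": TMP, "ppid": 100}),            # dropped by the exploit
    Event(1, "task_schedule", 101, {"task": "Updater", "command": "fetch+run " + EXE}),
    Event(2, "task_launch", 200, {"image": EXE, "task": "Updater"}),        # payload ran after reboot
    Event(2, "file_write", 200, {"path": r"C:\ProgramData\oem7ec2.cfg"}),
    Event(2, "file_read", 200, {"path": r"C:\Users\alice\companysecret.doc"}),
    Event(2, "net_send", 200, {"dst": "203.0.113.7:443", "bytes": 48213}),  # upload to the C&C
]


def _launch_record(events, pid):
    """The record that created pid: a process_start (carries ppid) or a task_launch (carries task)."""
    return next((e for e in events if e.pid == pid and e.kind in ("process_start", "task_launch")), None)


def _task_creator(events, task):
    """Which pid scheduled the task; this is the link that survives the reboot."""
    return next((e.pid for e in events if e.kind == "task_schedule" and e.detail["task"] == task), None)


def attack_chain(events, alert_pid):
    """Walk backwards from the alerting process to the root of the chain.
    Within a boot we follow ppid; across a boot we follow the scheduled-task link.
    Returns [(pid, image), ...] with the root (the exploited browser) first."""
    chain, pid, seen = [], alert_pid, set()
    while pid is not None and pid not in seen:
        seen.add(pid)                       # guard: pid reuse must not loop forever
        launch = _launch_record(events, pid)
        if launch is None:                  # no record for this pid (e.g. the system process)
            break
        chain.append((pid, launch.detail["image"]))
        pid = (_task_creator(events, launch.detail["task"]) if launch.kind == "task_launch"
               else launch.detail["ppid"])
    chain.reverse()
    return chain


def exfiltrated_files(events, chain):
    """Files read by a chain process that afterwards sent data out: the data-loss list."""
    pids, pending, lost = {pid for pid, _ in chain}, {}, []
    for e in events:
        if e.pid not in pids:
            continue
        if e.kind == "file_read":
            pending.setdefault(e.pid, []).append(e.detail["path"])
        elif e.kind == "net_send":
            lost.extend((path, e.detail["dst"]) for path in pending.pop(e.pid, []))
    return lost


def remediation_plan(events, chain):
    """Undo what the chain left behind. The root process (the legitimate browser that was
    exploited) is deliberately left alone; everything it spawned is removed."""
    current_boot = max(e.boot for e in events)
    malicious = chain[1:]
    malicious_pids = {pid for pid, _ in malicious}
    plan = []
    for pid, image in malicious:
        if any(e.pid == pid and e.boot == current_boot for e in events):
            plan.append(("kill_process", pid))          # still alive in this boot
        plan.append(("delete_file", image))
    for e in events:
        if e.pid in malicious_pids and e.kind == "task_schedule":
            plan.append(("delete_task", e.detail["task"]))
        elif e.pid in malicious_pids and e.kind == "file_write":
            plan.append(("delete_file", e.detail["path"]))
    return plan


if __name__ == "__main__":
    chain = attack_chain(EVENTS, 200)
    for step in chain:
        print("chain:", step)
    print("data loss:", exfiltrated_files(EVENTS, chain))
    print("plan:", remediation_plan(EVENTS, chain))
```

The point the script makes is the one in the text: detection alone tells you about pid 200, but only the recorded history lets you reach back through the scheduled task to the exploited browser, name the document that left the machine, and list what to delete. Note that the clean-up deliberately spares the root of the chain, since chrome.exe is the victim rather than the malware.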

Security Policy Management Made Easy

Check Point’s security management architecture (SMART) has always been the best in the market. With the release of the new R80 security management, the best got even better.

In earlier versions you had to install the SmartConsole applications (SmartDashboard) in order to manage security policies. SmartDashboard enables centralized management of different products and versions, but it always had to be installed on a computer defined as a GUI client on the security management server. It was also possible to manage policies with the command line tool DBEDIT, but that is a complicated tool which cannot be recommended for normal policy manipulation; it was usually used in migrations and other complex activities. Also, only one administrator at a time could be connected to the security management server in write mode.

All the limitations mentioned above are gone in R80. It contains a lot of new features, with more to come in future versions. In this post, however, I focus on the different ways to manipulate security policies.

  1. Unified SmartConsole
    This is the traditional way of creating rules. What is great is that you can do everything from the same console: SmartView Tracker is gone as a log viewer and has been replaced by SmartLog, which is shown in the same SmartConsole window.
  2. SmartConsole CLI
    This is a command line interface that can be opened directly from the SmartConsole. By giving simple commands like “add host…” you can create objects and policies. It’s also possible to put the commands into a file and upload that file to the CLI, which then executes all of the commands. Think about the case where you need to quickly spin up several security policies or create 5000 objects: all you need to do is create a command file and run it. Ok, ok… this has been possible with DBEDIT in earlier versions as well, but let’s have a quick look at why the new way is better. In the following example we create the same network object with DBEDIT and with the R80 CLI (I omit the login and update/publish commands as they are only done once for all commands):

    DBEDIT:

    create network Net_10.10.57.0
    modify network_objects Net_10.10.57.0 ipaddr 10.10.57.0
    modify network_objects Net_10.10.57.0 netmask 255.255.255.0

    R80 CLI:

    mgmt_cli add network name Net_10.10.57.0 subnet 10.10.57.0 mask-length 24 -s id.txt

    Instead of three commands in DBEDIT, with R80 you give only one. As I said, this is a slightly simplified comparison because the login and publish steps are missing, but I’m sure you get the point.
  3. GAIA CLI
    From the Gaia command line you can log in to the management console (see the example below). The Gaia management console is similar to the one in SmartConsole; each command starts with the keyword “mgmt”, as in “mgmt add host…”.

    R80Mgmt> mgmt login user admin
    Enter password:
    R80Mgmt>
    R80Mgmt> mgmt show networks
    objects:
    - uid: "0baad4de-7221-4578-b2b9-c3b78a759124"
      name: "CP_default_Office_Mode_addresses_pool"
      type: "network"
      domain:
        name: "SMC User"
  4. mgmt_cli
    This small tool is available on all R80 management servers and SmartConsole installations and allows you to access the management server from any Linux or Windows machine (on Windows the tool is called mgmt_cli.exe). You don’t have to install SmartConsole on the computer; it’s enough to copy the mgmt_cli tool (it doesn’t require any installation) from an existing installation to the computer you want to use for accessing the management server. The only thing you need to do is enable the API in the Management API Settings in R80 SmartConsole.
    The only difference between mgmt_cli and SmartConsole or the Gaia CLI is that authentication has to be carried out for every command. When you log in to SmartConsole you give the user name and password once; with mgmt_cli you either give this information on every command or run a login command, which creates a session whose id you pass with -s to the following commands. See the example below.
    Example:
    The following mgmt_cli session logs in to the server and saves the session id in id.txt (the same id is used for every subsequent command), then creates some host and network objects and a policy package with one rule (the cleanup rule is there by default but without logging, so the example enables logging for the cleanup rule as well). Finally the changes are published, making them visible to other admins, and the session is ended with the logout command. One caveat: a password given on the command line like this ends up in the shell history, so on a shared machine read it from a protected file instead; when mgmt_cli is run on the management server itself, the -r true flag authenticates as the local root user without a password.

    mgmt_cli login user admin password vpn123 -m 192.168.80.254 > id.txt
    mgmt_cli add host name h_12 ip-address 10.1.2.10 -s id.txt
    mgmt_cli add host name h_13 ip-address 10.1.2.11 -s id.txt
    mgmt_cli add host name h_14 ip-address 10.1.2.12 -s id.txt
    mgmt_cli add host name h_15 ip-address 10.1.2.13 -s id.txt
    mgmt_cli add host name h_16 ip-address 10.1.2.14 -s id.txt
    mgmt_cli add host name h_17 ip-address 10.1.2.15 -s id.txt
    mgmt_cli add host name h_18 ip-address 10.1.2.16 -s id.txt
    mgmt_cli add host name h_19 ip-address 10.1.2.17 -s id.txt
    mgmt_cli add host name h_20 ip-address 10.1.2.18 -s id.txt
    mgmt_cli add network name n_test_net1 subnet 10.10.10.0 mask-length 24 -s id.txt
    mgmt_cli add network name n_test_net2 subnet 192.168.192.0 mask-length 24 -s id.txt
    mgmt_cli add network name n_test_net3 subnet 172.16.172.0 mask-length 24 -s id.txt
    mgmt_cli add package access True threat-prevention True name Policy_Lari -s id.txt
    mgmt_cli set access-rule layer "Policy_Lari Network" name "Cleanup rule" track "Log" -s id.txt
    mgmt_cli add access-rule layer "Policy_Lari Network" position 1 name "Test Rule" source n_test_net1 destination h_12 service "ssh" action "Accept" track "Full Log" -s id.txt
    mgmt_cli publish -s id.txt
    mgmt_cli logout -s id.txt

  5. Web Services
    You can create your own web app that uses HTTPS POST requests to manipulate your security policies. This way you can integrate security management with almost any web-based ticketing system or similar. For more detailed information about the web services and usage examples, visit the developers forum in R80 Exchange Point.
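The mgmt_cli script in item 4 and the HTTPS web services in item 5 talk to the same Management API, so here is the same job done over HTTPS from Python. This is an added example, not Check Point code or an official SDK: the client posts JSON to the /web_api/ endpoints (login, add-host, add-network, add-package, add-access-rule, set-access-rule, publish, discard, logout) and sends the session id back in the X-chkp-sid header, which is how the R80 API works. The payload field names mirror the mgmt_cli arguments from the post; field formats (the track value in particular) differ between API versions, so check the reference for yours. The server address, the credentials and the FakeMgmtServer stand-in that lets the script run offline are constructed for the example.

```python
"""Drive the R80 Management Web API over HTTPS: login, make changes, publish, logout.

Added example, not Check Point's code. FakeMgmtServer is a constructed stand-in used
so the client can be exercised offline; replace it with https_transport for a real server.
"""
import json
import ssl
import urllib.error
import urllib.request


class MgmtApiError(RuntimeError):
    """A command was rejected by the management server."""


def https_transport(url, body, headers):
    """POST a JSON body to the management server; returns (http_status, decoded_json)."""
    ctx = ssl.create_default_context()     # verifies the server cert: trust the mgmt CA, do not disable
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=60) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:   # 4xx/5xx answers still carry a JSON "message"
        return err.code, json.loads(err.read() or b"{}")


class MgmtSession:
    """Context manager: login on enter; publish on clean exit, discard on error, always logout."""

    def __init__(self, server, user, password, transport=https_transport):
        self.base = f"https://{server}/web_api/"
        self.credentials = {"user": user, "password": password}
        self.transport = transport
        self.sid = None

    def call(self, command, payload=None):
        headers = {"Content-Type": "application/json"}
        if self.sid:
            headers["X-chkp-sid"] = self.sid   # every call after login carries the session id
        status, data = self.transport(self.base + command, json.dumps(payload or {}).encode(), headers)
        if status != 200:
            raise MgmtApiError(f"{command}: HTTP {status}: {data.get('message', data)}")
        return data

    def __enter__(self):
        self.sid = self.call("login", self.credentials)["sid"]
        return self

    def __exit__(self, exc_type, exc, tb):
        try:
            self.call("publish" if exc_type is None else "discard")   # never publish a half-done change
        finally:
            self.call("logout")
            self.sid = None
        return False                                                   # re-raise the original error


def push_policy(server, user, password, transport=https_transport):
    """The objects, package and rule from the mgmt_cli script in the post, in one session."""
    with MgmtSession(server, user, password, transport) as s:
        for n, last_octet in enumerate(range(10, 19), start=12):           # h_12 .. h_20
            s.call("add-host", {"name": f"h_{n}", "ip-address": f"10.1.2.{last_octet}"})
        s.call("add-network", {"name": "n_test_net1", "subnet": "10.10.10.0", "mask-length": 24})
        s.call("add-package", {"name": "Policy_Lari", "access": True, "threat-prevention": True})
        s.call("set-access-rule", {"layer": "Policy_Lari Network", "name": "Cleanup rule", "track": "Log"})
        s.call("add-access-rule", {"layer": "Policy_Lari Network", "position": 1, "name": "Test Rule",
                                   "source": "n_test_net1", "destination": "h_12", "service": "ssh",
                                   "action": "Accept", "track": "Full Log"})


class FakeMgmtServer:
    """Constructed in-memory stand-in for the management server. It mimics only what the
    client relies on: sid issuance, the X-chkp-sid check, duplicate-name rejection and
    publish/discard semantics (pending changes become visible only after publish)."""

    def __init__(self, user="admin", password="vpn123"):
        self.credentials = {"user": user, "password": password}
        self.committed, self.pending, self.sid, self.calls = {}, {}, None, []

    def __call__(self, url, body, headers):
        command, payload = url.rsplit("/", 1)[1], json.loads(body)
        self.calls.append(command)
        if command == "login":
            if payload != self.credentials:
                return 400, {"message": "Authentication to server failed."}
            self.sid = "constructed-session-id"
            return 200, {"sid": self.sid}
        if headers.get("X-chkp-sid") != self.sid:
            return 401, {"message": "Missing or invalid session id"}
        if command.startswith("add-"):
            name = payload["name"]
            if name in self.committed or name in self.pending:
                return 400, {"message": f"More than one object named '{name}' exists."}
            self.pending[name] = payload
        elif command == "publish":
            self.committed.update(self.pending)
            self.pending = {}
        elif command == "discard":
            self.pending = {}
        elif command == "logout":
            self.sid = None
        return 200, {}


if __name__ == "__main__":
    server = FakeMgmtServer()                       # swap for transport=https_transport against a real server
    push_policy("192.168.80.254", "admin", "vpn123", transport=server)
    print("published:", sorted(server.committed))
```

The part worth copying into a ticketing integration is the context manager: a failed add-host halfway through a batch leaves nothing half-published, because the error path calls discard before the session is logged out, and the session id is never left dangling in a shell history the way a mgmt_cli password can be.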

How to update CPUSE from the command line.

My friend and fellow SE (William Garner) had a condition where he needed to do a CPUSE update from the command line, which he did, and he wrote up a procedure on how to do it. By luck of the draw I ran into a situation where CPUSE needed to be updated as well. So I thought I would post this simple and effective procedure on how to do it.

Important to note: if you are updating from build 839 or above, continue with the steps below; if not, refer to sk106696.

Download the package from sk92449 (section 3-A).

Transfer the package to the machine, into the /some_path_to_updated_DA/ directory.

UnPack the package:

[Expert@HostName]# cd /some_path_to_updated_DA/
[Expert@HostName]# tar -zxvf DeploymentAgent_<build>.tgz

Install the Deployment Agent RPM (the currently running Deployment Agent will be stopped automatically):

[Expert@HostName]# rpm -Uhv --force CPda-00-00.i386.rpm

Start the Deployment Agent:

[Expert@HostName]# $DADIR/bin/dastart

 

Security Solid Gateway

Once again Check Point shows why it is a leader in the security space. It isn't the flashy marketing, the catch phrases or tag lines, or the cool-looking media. It is about whether or not your business is secured. That is ultimately why you buy a security product, correct? We don't buy a car without a test drive first; why would this be any different?

A friend of mine recently ran a Nessus scan and found this information on the Check Point R80 code on GAIA. This is what he wrote:

“So now that R80 Gaia is GA, on a whim I cranked up a custom Nessus scan in what I affectionately refer to as “Maximum Hostility” mode. The goal is not just to see what is reported but what impact it has on the target (crashing processes, memory leaks, runaway logs, DoS, etc). Gaia R80 passed with flying colors…

After running these nasty high-speed scans a couple of times I saw no restarted processes, no memory increasing/leaking, no core dumps (I enabled them), nor excessive logging of the utter blasting that Nessus gave Gaia R80 on my quad-core i7 in VMware.”

So what is the bottom line here? You need a product that goes beyond the sales and marketing hype, something that actually secures your environment. Why should you care about all this? “I have a security product, so what?” you ask. Because you want to be able to go home at the end of the day or week and enjoy your life, and not be sitting on conference calls into the early morning or on the weekend dealing with security issues at your place of business. That is why.

“the best problems to solve are ones that affect you personally” – Paul Graham.