How does Amazon Web Services Work?

I wanted to tell everyone about a blog post written by Nick Matthews that describes in depth how all the connectivity works in AWS. Nick defines the terms used by Amazon, and what they mean. In his blog he uses some great network diagrams to help explain how it all fits together.

Check it out here:

https://aws.amazon.com/blogs/apn/amazon-vpc-for-on-premises-network-engineers-part-one/

https://aws.amazon.com/blogs/apn/amazon-vpc-for-on-premises-network-engineers-part-two/

There is also a 45-minute video on YouTube that walks through the AWS network presentation:

Did you know??? Check Point vSEC is a family of products that delivers advanced threat prevention security to public, private and hybrid cloud and software-defined data center environments. Easily and affordably, extend security to your Amazon cloud using rapid one-click deployment of the vSEC gateway which is available in the AWS Marketplace. Policy management is simplified with centralized configuration and monitoring of cloud and on premise security from a single console.

You can read more about vSEC here: http://www.checkpoint.com/products-solutions/private-public-cloud/index.html


PAN- Setting The Record Straight

This video, titled “50 Shades of PAN”, was posted on YouTube. It really sets the record straight on what Palo Alto has been claiming. The video shows a sales pitch by Mark McLaughlin, CEO of Palo Alto.

See the video here:

“You can fool all the people some of the time, and some of the people all the time, but you cannot fool all the people all the time.” – Abraham Lincoln

Samsung Research America uses Check Point to secure their Mobile Devices.

Check Point recently deployed its Mobile Threat Prevention on Samsung’s mobile devices. The challenge was to completely secure the mobile environment. Like employees at all companies, Samsung employees increasingly work on smartphones, tablets, and their own devices.

“Mobile devices don’t operate behind a security infrastructure like corporate PCs, laptops, and servers do…” “Mobile devices are out in the wild, creating potential security issues and enabling malware to enter the Samsung network. There’s no mobile firewall to prevent cyber threats from getting in through emails and apps.” – Steven Lentz, CISSP, CIPP/US, Director Information Security at Samsung Research America

“Check Point had more up-to-date information and automated delivery of the latest malware-related intelligence,” said Lentz. “Check Point Mobile Threat Prevention offers the closest thing to zero-day detection on mobile devices. I like it when a product does what it is supposed to do—and more. Check Point did exactly that.” Check Point Mobile Threat Prevention also integrated seamlessly with AirWatch by VMware MDM and SIEM platforms. Now Samsung has comprehensive visibility into mobile threats and automated enterprise-wide security policy enforcement.

See the testimonial: http://www.checkpoint.com/testimonial/samsung-research-america/index.html
Read the full article: http://www.checkpoint.com/downloads/testimonial-related/ccs-samsung-research-america.pdf

“Check Point Mobile Threat Prevention is the best zero-day malware protection possible for mobile devices. There’s nothing else out there with multiple layers of protection. Our IP is secure, and that’s peace of mind.” – Steven Lentz, CISSP, CIPP/US, Director Information Security at Samsung Research America

How Forensics is Better Than Detection

A friend and colleague of mine, Elijah Bagdonas, recently sent me an awesome explanation of Check Point’s Forensics software. This software is a must-have for any enterprise today. I wanted to share his writing with you.

In the world of anti-malware most people are satisfied with good detection capabilities. But when we really stop to think about what detection gives us, it’s rather disappointing. It’s little more than a big red flashing light that says “ALERT: SOMETHING HAPPENED!” The question then becomes, what is that something that happened and what should I do about it? Here’s where the headache begins.

In most cases of virus detection the administrator has three realistic options:

  • Rely on Anti-Malware quarantine to clean up the mess
  • Re-Image the computer
  • Traditional forensic analysis

In the case of Anti-Malware quarantine we first have to “know” about the malware. We must be able to identify a signature or behavior and be able to stop the infection before it starts. Sometimes malware can occur in a series of processes and we are only able to detect the last element in the chain. If we eliminate the known elements, the unknown elements can propagate again, putting us into an infection loop. We also can’t identify the damage done during the infection. Even though we detect the malware, it may have already accomplished its goal and we have no way of knowing.

Our second option has its own set of headaches. Re-imaging a computer is often the easy way out but it can be of great inconvenience to the user-base. This invasive process can often leave you with lost data and disruptive downtime to the end user resulting in lost productivity. This will also not protect you from future attacks of the same malware.

The final approach is traditional analysis of the machine to see what happened and how it can be reversed. Having this kind of skill with the advanced malware we see today is very scarce and requires specialized training. Traditional analysis is also very time consuming and costly to perform and with advanced malware, it can often clean up its own tracks before you get a chance to discover it.

There’s a better way

With the introduction of Check Point’s Endpoint Forensics we now have a way to see the whole picture. By keeping tabs on any and all changes that occur on the system, we can develop a comprehensive image of EXACTLY what happened when the infection hit in an easy to digest roadmap.


In this example, the oem7ec2.exe process triggered a malware event. Since we’ve been keeping tabs on the changes, we can backtrack and find out exactly what happened (even across system boots). Let’s look at the steps that brought us to this point.

  • Chrome process launched
  • Chrome exploit is used while browsing to launch handle.tmp process
  • tmp process schedules a shellcode download to occur on next boot
  • exe payload is downloaded and ran on startup
  • Malicious code runs and sends personal data to C&C center

Since we know the whole story and all of the processes involved, we can also see that companysecret.doc was sent outbound resulting in a loss of data.

With this roadmap, not only do we have the complete picture of the steps involved, but a means to clean it up. Knowing all the steps means we can dynamically generate a script to clean up the mess that was left behind for easy remediation.

Armed with knowledge of everything involved it’s easy to see why Endpoint Forensics is clearly better than detection.

US-CERT to Windows Users: Apple Ends Support for QuickTime for Windows

I wanted to share this with everyone as this is something that is very important for folks to do. Krebsonsecurity.com recently reported that Microsoft is saying to remove Apple QuickTime for security concerns. Krebs reports:

“Microsoft Windows users who still have Apple Quicktime installed should ditch the program now that Apple has stopped shipping security updates for it, warns the Department of Homeland Security’s U.S. Computer Emergency Readiness Team (US-CERT).

Computers running QuickTime for Windows will continue to work after support ends. However, using unsupported software may increase the risks from viruses and other security threats. Potential negative consequences include loss of confidentiality, integrity, or availability of data, as well as damage to system resources or business assets. The only mitigation available is to uninstall QuickTime for Windows.”

See the post from Apple, “QuickTime 7 for Windows is no longer supported by Apple”: https://support.apple.com/kb/DL837?locale=en_US

US-CERT Post: https://www.us-cert.gov/ncas/alerts/TA16-105A

Thanks to Brian Krebs at krebsonsecurity.com for alerting us to this.

Security Policy Management Made Easy

Check Point’s security management architecture (SMART) has always been the best in the market. Upon release of the new R80 security management the best got even better.

In earlier versions you had to install the SmartConsole applications (SmartDashboard) in order to manage security policies. This is a tool which enables centralized management of different products and versions. However, it always required that the application be installed on a computer defined as a GUI client in the security management server. It was also possible to manage policies using the command line tool DBEDIT, but that is quite a complicated tool that could not be recommended for normal policy manipulation; it was usually used in migrations and other more complex activities. Also, only one administrator at a time could be connected to the security management server in write mode.

All of the above-mentioned limitations are gone in R80. It contains a lot of new features, with even more to come in future versions. However, in this post I focus on the different ways to manipulate security policies.

  1. Unified SmartConsole
    This is the traditional way of creating rules. What is awesome is that you can do everything from the same console. SmartView Tracker is gone as a log viewer and replaced by SmartLog which is shown in the same SmartConsole window.
  2. SmartConsole CLI
    This is a command line interface that can be opened directly from the SmartConsole. By giving simple commands like “add host…” you can create objects and policies. It’s also possible to put the commands into a file and upload this file directly to the CLI, after which all commands are executed. Think about the case where you need to quickly spin up several security policies or create 5000 objects: all you need to do is create a command file and run it. Ok, ok… this has been possible with DBEDIT in earlier versions as well, but let’s have a quick look at why the new way is better. In the following example we create the same network object with DBEDIT and with the R80 CLI. Let’s see the difference (I omit the login and update/publish commands as they are only done once for all commands):

    DBEDIT:

    create network Net_10.10.57.0
    modify network_objects Net_10.10.57.0 ipaddr 10.10.57.0
    modify network_objects Net_10.10.57.0 netmask 255.255.255.0

    R80 CLI:

    mgmt_cli add network name Net_10.10.57.0 subnet 10.10.57.0 mask-length 24 -s id.txt

    Instead of three commands in DBEDIT, with R80 you give only one. As I said, this is a somewhat simplified comparison since the login and publish steps are omitted, but I’m sure you get the point.
  3. GAIA CLI
    From the Gaia command line you can log in to the management console (see the example below). The Gaia management console is similar to the one in SmartConsole. Each command starts with the keyword “mgmt”, like “mgmt add host…”.

    R80Mgmt> mgmt login user admin
    Enter password:
    R80Mgmt>
    R80Mgmt> mgmt show networks
    objects:
    - uid: "0baad4de-7221-4578-b2b9-c3b78a759124"
      name: "CP_default_Office_Mode_addresses_pool"
      type: "network"
      domain:
        name: "SMC User"
  4. mgmt_cli
    This small tool is available on all R80 management servers and SmartConsole installations and allows you to access the management server from any Linux or Windows machine (in Windows the tool is called mgmt_cli.exe). You don’t have to install SmartConsole on the computer; it’s enough to copy the mgmt_cli tool (it doesn’t require any installation) from an existing installation to the computer you want to use for accessing the management server. The only other thing you need to do is enable the API in the Management API Settings of R80 SmartConsole.
    The only difference between mgmt_cli and SmartConsole or the Gaia CLI is that authentication needs to be carried out every time. When you log into SmartConsole you give the user name and password once, but with mgmt_cli you either need to give this information with every command or run a login command which creates a session for you. See the example below.
    Example:
    The following mgmt_cli session logs into the system creating a session (the same session id is used for every command), then creates some host and network objects and a policy package with one rule (the cleanup rule is there by default, but without logging; this example enables logging for the cleanup rule as well). Finally the configuration changes are published, making them available to other admins as well, and the session is ended with the logout command.

    mgmt_cli login user admin password vpn123 -m 192.168.80.254 > id.txt
    mgmt_cli add host name h_12 ip-address 10.1.2.10 -s id.txt
    mgmt_cli add host name h_13 ip-address 10.1.2.11 -s id.txt
    mgmt_cli add host name h_14 ip-address 10.1.2.12 -s id.txt
    mgmt_cli add host name h_15 ip-address 10.1.2.13 -s id.txt
    mgmt_cli add host name h_16 ip-address 10.1.2.14 -s id.txt
    mgmt_cli add host name h_17 ip-address 10.1.2.15 -s id.txt
    mgmt_cli add host name h_18 ip-address 10.1.2.16 -s id.txt
    mgmt_cli add host name h_19 ip-address 10.1.2.17 -s id.txt
    mgmt_cli add host name h_20 ip-address 10.1.2.18 -s id.txt
    mgmt_cli add network name n_test_net1 subnet 10.10.10.0 mask-length 24 -s id.txt
    mgmt_cli add network name n_test_net2 subnet 192.168.192.0 mask-length 24 -s id.txt
    mgmt_cli add network name n_test_net3 subnet 172.16.172.0 mask-length 24 -s id.txt
    mgmt_cli add package access True threat-prevention True name Policy_Lari -s id.txt
    mgmt_cli set access-rule layer "Policy_Lari Network" name "Cleanup rule" track "Log" -s id.txt
    mgmt_cli add access-rule layer "Policy_Lari Network" position 1 name "Test Rule" source n_test_net1 destination h_12 service "ssh" action "Accept" track "Full Log" -s id.txt
    mgmt_cli publish -s id.txt
    mgmt_cli logout -s id.txt

  5. Web Services
    You can create your own web app that simply uses HTTPS POST to manipulate your security policies. This way you can integrate security management with almost any web-based ticketing system or similar. For more detailed information about the web services and usage examples, visit the developers forum in R80 Exchange Point.
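As an added example (not code from the original post or from Check Point), here is the same session flow as the mgmt_cli sequence above, expressed against the Management Web API that item 5 refers to and that mgmt_cli wraps. It assumes the public R80 API conventions: each command is a JSON POST to https://<server>/web_api/<command>, login returns a sid, and later calls carry it in an X-chkp-sid header; the transport is swapped for a constructed fake server so the script runs offline, and the 192.168.80.254 address and Policy_Lari names are the post's own.

```python
import json
import urllib.request

class MgmtApiSession:
    """Tiny client for the R80 Management Web API: JSON POST to /web_api/<command>."""
    def __init__(self, server, post=None):
        self.base = f"https://{server}/web_api/"
        self.sid = None
        self.post = post or self._http_post  # transport is swappable for offline runs
    @staticmethod
    def _http_post(url, headers, body):
        # Certificate verification stays on: trust the server's CA rather than disable it.
        req = urllib.request.Request(url, data=body, headers=headers, method="POST")
        with urllib.request.urlopen(req) as resp:
            return json.loads(resp.read())
    def call(self, command, payload=None):
        if self.sid is None and command != "login":
            raise RuntimeError(f"{command} needs a session; call login() first")
        headers = {"Content-Type": "application/json"}
        if self.sid:
            headers["X-chkp-sid"] = self.sid  # session id issued by login
        return self.post(self.base + command, headers, json.dumps(payload or {}).encode())
    def login(self, user, password):
        self.sid = self.call("login", {"user": user, "password": password})["sid"]
        return self.sid

def build_policy(api, package="Policy_Lari"):
    # Same sequence as the mgmt_cli example: hosts, networks, package, rules, publish.
    for i in range(12, 21):  # h_12..h_20 map to 10.1.2.10..10.1.2.18
        api.call("add-host", {"name": f"h_{i}", "ip-address": f"10.1.2.{i - 2}"})
    for n, subnet in enumerate(("10.10.10.0", "192.168.192.0", "172.16.172.0"), 1):
        api.call("add-network", {"name": f"n_test_net{n}", "subnet": subnet, "mask-length": 24})
    api.call("add-package", {"name": package, "access": True, "threat-prevention": True})
    layer = f"{package} Network"
    api.call("set-access-rule", {"layer": layer, "name": "Cleanup rule", "track": "Log"})
    api.call("add-access-rule", {"layer": layer, "position": 1, "name": "Test Rule",
                                 "source": "n_test_net1", "destination": "h_12",
                                 "service": "ssh", "action": "Accept", "track": "Full Log"})
    api.call("publish")  # changes are invisible to other admins until published
    api.call("logout")

def fake_server(log):
    """Constructed stand-in for a management server so the example runs offline."""
    def post(url, headers, body):
        cmd = url.rsplit("/", 1)[1]
        log.append((cmd, headers.get("X-chkp-sid"), json.loads(body)))
        return {"sid": "constructed-sid"} if cmd == "login" else {"uid": "constructed-uid"}
    return post

def run_offline_demo(user="admin", password="constructed-password"):
    requests = []
    api = MgmtApiSession("192.168.80.254", post=fake_server(requests))
    api.login(user, password)  # real use: read these from a secret store, not argv
    build_policy(api)
    return requests
```

Against a real server, pass no `post` argument and the client uses HTTPS; the session id then plays the role of the id.txt file in the mgmt_cli version.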

Adobe Critical Vulnerability and Patch

Brian Krebs wrote an article at Krebs on Security about Adobe. It seems they had to rush out an emergency patch because the security hole was already being exploited in active attacks.

Adobe said a “critical” bug exists in all versions of Flash including Flash versions 21.0.0.197 and lower (older) across a broad range of systems, including Windows, Mac, Linux and Chrome OS.

Check out the full article here:

http://krebsonsecurity.com/2016/04/adobe-patches-flash-player-zero-day-threat/#more-34432


MDM for iPhone/iPad – You are at Risk!

Check Point disclosed details about SideStepper, a vulnerability that can be used to install malicious enterprise apps on iPhone and iPad devices enrolled with a mobile device management (MDM) solution. The Check Point mobile research team presented details about this vulnerability at Black Hat Asia 2016 in Singapore on April 1, 2016. The vulnerability impacts millions of iPhone or iPad devices enrolled with an MDM solution.

Read about it here: http://blog.checkpoint.com/2016/03/31/sidestepper/


How to update CPUSE from the command line.

My friend and fellow SE William Garner had a situation where he needed to do a CPUSE update from the command line; he did it and wrote up a procedure for it. By luck of the draw I ran into a situation where CPUSE needed to be updated as well, so I thought I would post this simple and effective procedure.

Important to note: if you are updating from build 839 or above, continue with the steps below; if not, refer to sk106696.

Download the package from sk92449 (Section 3-A).

Transfer the package to the machine, into the /some_path_to_updated_DA/ directory.

Unpack the package:

[Expert@HostName]# cd /some_path_to_updated_DA/
[Expert@HostName]# tar -zxvf DeploymentAgent_<build>.tgz

Install the Deployment Agent RPM (the currently running Deployment Agent will be stopped automatically):

[Expert@HostName]# rpm -Uhv --force CPda-00-00.i386.rpm

Start the Deployment Agent:

[Expert@HostName]# $DADIR/bin/dastart


How to know what Jumbo Hotfix is installed on your Check Point device

I have been asked ‘how do you see what Jumbo HF you are currently on?’ There is a simple command you can run on your device to tell you. If you are running R77 with at least Take 38, do this:

Short answer:
As Expert, type: installed_jumbo_take -n

This should return a simple number like 128, which means you are on Jumbo Hotfix Accumulator Take 128.
If no argument is specified (the -n above is omitted), the command prints: “RXX.XX Jumbo Hotfix Accumulator take_N is installed, see skXXXXX”.

Long Answer:
For Take 38 and above

The same command applies to Jumbo that was installed using Gaia CPUSE and using Legacy CLI.

[Expert@HostName:0]# installed_jumbo_take [-n | -h]

If no argument is specified, then the command will print: “RXX.XX Jumbo Hotfix Accumulator take_N is installed, see skXXXXX”.
If “-n” argument is specified, then the command will print only the number of the Take (value “0” means that a reference to the Jumbo Hotfix Accumulator was not found in Check Point registry).
If “-h” argument is specified, then the command will print the usage help.

On VSX Gateway, this command must be run from the context of VS0 (run “vsenv” command).

For Take 37 and lower

If Jumbo Hotfix Accumulator was installed using Gaia CPUSE:

[Expert@HostName]# $CPDIR/bin/cpprod_util CPPROD_GetValue "CPUpdates/6.0/BUNDLE_GULLI_HF_BASE_008" SU_Build_Take 0

If Jumbo Hotfix Accumulator was installed using Legacy CLI:

[Expert@HostName]# $CPDIR/bin/cpprod_util CPPROD_GetValue "Check Point Mini Suite/setup/GULLI_HF_BASE_008" Take 0