Thursday, December 22, 2011

Some aspects of HTTPS inspection

There is a nice review of different SSL inspection aspects and (potential) issues made by Kishin Fatnani over here.

Take a look, it is quite interesting.

Found through LinkedIn

Wednesday, December 21, 2011

upgrade_export fails if MGMT interface is down

Just a short note.

I have come across a weird issue. When you are trying to export your Management server configuration with migrate export (or upgrade_export, if you like doing it the old-fashioned way), you have to make sure your machine is actually on the network. Trying to do this when it is disconnected will lead to script failure.

I do not remember this kind of issue when working with R65, but it is definitely the case with R7X. The corresponding SK is sk63126.

The error message to look for in the migrate log: Failed to get machine's IP address

Tuesday, December 20, 2011

Appliance Selection Tool never made it out of Beta?

Remember the Appliance Selection tool, guys?

It was announced as Beta in September, and then disappeared. The link is dead now. The idea was to let you size appliances according to your traffic requirements. It was quite interesting when it was announced. When it came out as Beta, it looked good, at least beta good. And it was promised to be officially released in Q4 2011.

There are some traces of it on the Check Point site. For example, it is mentioned in the Security Power description. But nothing is out yet.

Too bad, my sales would love it. I would love it.

Would you?

Gartner puts Check Point in the Leaders' quadrant in 2011

Gartner has positioned Check Point in the Leaders' quadrant of the Enterprise Network Firewalls Magic Quadrant. Check Point gets the highest ability to execute mark, way ahead of the other vendors.

Only two companies, Palo Alto and Check Point, made the Leaders' quadrant this year. Most of the competitors are now in the Challengers' area.

Palo Alto, according to Gartner, still has the best technology vision. Nevertheless, it is below Check Point, Fortinet, Cisco and Juniper when it comes to ability to execute.

Based on the CHKP press release.

Wednesday, December 14, 2011

Enforcing PC identity with the Endpoint Connect client

One of the common challenges one can face concerning Remote Access VPN is the necessity to enforce the identity of the endpoint client. In other words, sometimes it is necessary to deny VPN access from non-corporate PCs.

It comes naturally if Microsoft Remote Access is in use, because there you can check the machine certificate. With Check Point clients, such as SecureClient or Endpoint Connect, that is not so straightforward. Although you can make thorough compliance checks with SCV scripts, you cannot use machine certificates directly.

Of course, there is a way to create a script or a binary that would check the certificate and report to SCV, but this is a complex task.

There is a simpler way to work the machine identity into the SCV process. RegMonitor is part of the SCV functionality. It allows you to check various parameters in the registry for existence and values. So if we could find a unique key entry or a string value in the registry, then SCV would be able to decide whether an endpoint machine is part of the corporate domain or not.

If you look at the "Software\Microsoft\Windows\CurrentVersion\Group Policy\GroupMembership" entries in the Windows Registry, you will see a number of groups defined for users. Each one of them has a unique SID. At least one group is common to all domain users. It means at least one of the group SID entries will be the same throughout the domain. Spoofing this entry is possible, but also not easy, as it can make a non-domain PC unusable after the default group SID is changed.

SID group entries are also version-independent. They will be the same for all domain users from XP to Windows 7.

A simple SCV RegMonitor check would give you a fair indication of an endpoint being a managed PC. It will work with both the SecureClient and the Endpoint Connect client.
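One way to find the value such a RegMonitor check would compare against, as an added example (PowerShell, not from the original post): run it on a domain-joined reference PC to list the GroupMembership SIDs and flag the one common to all domain users. It assumes the user-hive (HKCU) copy of the key named above, that Windows stores the SIDs as Group0, Group1, ... string values, and uses the well-known "Domain Users" RID 513.

```powershell
# Added example, not from the original post. Lists the group SIDs recorded under
# the GroupMembership key and reports the candidate value for a RegMonitor check.
# Assumption: the HKCU copy of the key holds values named Group0, Group1, ...
$KeyPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Group Policy\GroupMembership'
$DomainUsersRid = 513   # well-known RID of the "Domain Users" group

function Get-GroupMembershipSids {
    param([string]$Path = $KeyPath)
    $item = Get-ItemProperty -Path $Path -ErrorAction Stop
    $i = 0
    # Walk Group0, Group1, ... until a value is missing
    while ($item.PSObject.Properties["Group$i"]) {
        $item."Group$i"
        $i++
    }
}

function Find-DomainUsersSid {
    param([string[]]$Sids)
    # Domain and machine SIDs look like S-1-5-21-<a>-<b>-<c>-<rid>; built-in and
    # well-known groups (S-1-5-32-545, S-1-1-0, ...) never match this pattern.
    foreach ($sid in $Sids) {
        if ($sid -match '^S-1-5-21-\d+-\d+-\d+-(\d+)$' -and [int]$Matches[1] -eq $DomainUsersRid) {
            return $sid
        }
    }
    return $null
}

$sids = @(Get-GroupMembershipSids)
Write-Output "GroupMembership SIDs for the current user:"
$sids | ForEach-Object { Write-Output "  $_" }

$candidate = Find-DomainUsersSid -Sids $sids
if ($candidate) {
    # A standalone PC also has a RID-513 group ("None") under its own machine SID,
    # so RegMonitor must compare the full SID string, not just the RID.
    Write-Output "Candidate value for the RegMonitor check (full SID): $candidate"
} else {
    Write-Output "No S-1-5-21-...-513 entry found; this PC may not be domain-joined."
}
```

Run it on two or three domain PCs and confirm the reported SID is identical before putting it into the RegMonitor check.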

This approach is not ideal, but quite a good one, in my humble opinion.

Thursday, December 8, 2011

Japan is number three in this month's readers list

I was checking my statistics the other day, and found that Japanese readers are now in third place for this month after Germany and the USA. Switzerland is in fourth.

I thank you all guys, but especially those from Japan. I love that country, and frankly, I would not expect my blog to be popular there. That is a pleasant surprise.

Thanks a lot for your interest.

I am very grateful for your interest.

IPS Blade training is released

Check Point has just released a new training blade for IPS. As with other "blade" training modules, it consists of a one-hour Web-based lecture and a practical lab.

Just a reminder. Starting with CCSE R75, the Pearson VUE-based CCSE exam will give you only two years of benefits. After that you will have to take two blade trainings every year to maintain your CCSE status.