Monday, April 27, 2015

Books and beers for CPUG fans

As announced just a few days back, CPUG fans and contributors are invited to meet in Holiday Inn Amsterdam hotel tomorrow at 18:00. Netanium and Indeni will pay for the first 20 drinks (with my little help).

We also have five copies of the Max Power book by Tim C. Hall a.k.a. Shadowpeak for you guys. Come and claim your copy, but please be quick.

R80 and other promises of CPX 2014

I am about to fly to Amsterdam for the CPX 2015 event, and I am thinking about the promises made last year.

Most of them were delivered. Most of them, except the new management.

R80 is being delayed again. The new management server, with the ability to give multiple administrators write access at the same time, scalable, with a completely different user experience, is nowhere on the horizon.

We expected it to be available in May 2014, then October 2014, then the beginning of 2015. Nothing really happened.

The reason for the delay is more or less clear to me. It is a piece of work to replace the whole management engine of something as complex as Check Point firewalls. One has to ensure backward compatibility with all existing enforcement points while putting in place a brand new architecture and new technologies. On top of that, the new product has to provide usability at a level no lower than today's. Check Point is known for the best administration experience, and this situation should only be improved.

There were other announcements on the last CPX: Mobile security, ThreatCloud, Threat Emulation, InteliStore.

These are the promises kept and delivered. I hope Check Point will do its best to release R80 in the near future. I am quite curious to see the 2015 road map. I hope there will be something new other than repeating the R80 keynotes.

We will know in two days.

Friday, April 24, 2015

Enterprise Firewalls: Check Point & Palo Alto closing the gaps

Check Point released Gartner's Enterprise Firewalls report last night. According to it, Check Point is keeping its position as leader for the eighth year in a row.

Here is how it looks:

You can see that CP and PAN are quite close to one another. That was not the case in the two last reports (2013 and 2011), where PAN was way ahead of Check Point in terms of technology (the "Completeness of vision" axis).

You can also see that PAN has improved its ability to execute and is now almost head to head with Check Point on that.

The full report is available from the Check Point site, in case you are interested in the details.

Wednesday, April 22, 2015

Unofficial CPUG gathering in Amsterdam

If you are going to CPX in Amsterdam and you are a CPUG fan or participant, here is an announcement for you:

While Eric Anderson from CPUG won't be able to attend CPX in Amsterdam, longtime member and respected CCMA blogger Valeri Loukine (also known here as varera) has agreed to serve as CPUG's Ambassador to Europe. 

On behalf of CPUG and Indeni, Valeri will be able to offer a free pint (or other beverage) to the first 20 members to come say "hi" the night before CPX (Tuesday the 28th) at the bar in the Holiday Inn Amsterdam at around 19:00. 

He'll also have a handful of copies of ShadowPeak's "Max Power" book to give away, so be sure and stop by! If you think you can make it, please PM varera to be on the lookout for you.

In other words, dudes, come and have a drink with me!

Tuesday, April 21, 2015

Check Point Certification Goes Paperless

For the last three months, Check Point has been confirming professional certifications using both printed hard copy and electronic certifications. 

Starting 15 June 2015 you will be able to access your certifications through your User Center accounts and print a certificate on demand. After that date, Check Point will no longer send out hard copy certificates.

As always, for your certifications to show in your User Center account, your email address in your Pearson VUE profile must exactly match your User Center email address.

This is an official Check Point announcement, posted by request of Kenneth Finley.

Tuesday, April 14, 2015

My story around Threat Emulation: the issue, the solution, etc.

Some of you may remember my post from 28.03 about a Threat Emulation issue I found by accident.

It took Check Point a couple of weeks to investigate the issue and to provide not just an official response but also an actual solution. Well, let's say they have closed some of the evasion scenarios.

In a nutshell, the issue was the inability to detect a known malicious attachment inside a zipped file. In my particular case it was a ZIP file containing a plain JavaScript file named XXXX.doc.js. Although the file had been minimally obfuscated, the main body of the script was clear text, and the sample was already flagged as malicious by at least 10 engines on VirusTotal when I started investigating the issue.

To understand why Check Point did not even try to emulate the threat, I unzipped the file and scanned the actual content with Check Point. Apparently CP ignores .js files. Only when I changed the extension to .doc was it properly recognised as malicious. The funny part is that as soon as it is NOT a .js file, it cannot be executed, even by mistake.

Bottom line: Check Point's cloud-based Threat Emulation solution was ignoring executables of unsupported types when they were sent inside a ZIP, although the ZIP format itself was formally a supported type.

Today this loophole is fixed, to a point. Here is the official answer I got from the Check Point Response Team:

As a result of your post we have decided to update our portal and scan all content of zip files, thus also detecting known malicious files that are yet to be supported in full emulation. The fix has been applied, as discussed.

As for our customers, they were never vulnerable to this attack vector by using the Anti-Virus and Anti-Bot software blades.

I have checked, and indeed, the known bad malware is now being detected inside ZIP files. There is, however, still an issue with the concept of "supported file types" in Threat Prevention.

The same malware will pass TE undetected if sent unzipped. Today Check Point does not emulate JavaScript files and PowerShell files. Why? I have no idea.

The point is, if an attacker sends an attachment as XXXX.doc.js or XXXX.doc.ps1, he can still bypass TE protection easily. To be fair, I am not aware of any other vendor with a Threat Emulation solution that tries to detonate these types of files. It is not specifically a Check Point-only problem. Of course some users will click on such a file; humans are the weakest link in security anyway.
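As an added illustration (my own code, not Check Point's), here is a compensating check a mail gateway hook or a mailbox audit script could apply until emulation covers these types: look at the attachment name and at every member name inside a ZIP (nested ZIPs included), and flag the script types the post says TE did not emulate (.js and .ps1); the other extensions in the set are my assumption, and the sample ZIP is constructed inline with inert content.

```python
import io
import zipfile
from typing import List

# .js and .ps1 are the types the post names as not emulated by TE;
# the rest are assumed additions for a broader compensating control.
SCRIPT_EXTENSIONS = {".js", ".jse", ".ps1", ".vbs", ".wsf", ".hta"}


def risky_name(name: str) -> bool:
    """True if the *final* extension is a script type, so that a
    double-extension name such as XXXX.doc.js is still caught."""
    lower = name.lower().rstrip("/")
    return any(lower.endswith(ext) for ext in SCRIPT_EXTENSIONS)


def scan_attachment(filename: str, data: bytes,
                    depth: int = 0, max_depth: int = 2) -> List[str]:
    """Return findings for one attachment. A ZIP being a 'supported type'
    does not mean its members were emulated, so every member is inspected
    by name, recursing into nested ZIPs up to max_depth."""
    findings = []
    if risky_name(filename):
        findings.append(f"{filename}: script-type attachment, not emulated by TE")
    if depth < max_depth and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                inner = f"{filename}!{info.filename}"
                findings.extend(
                    scan_attachment(inner, zf.read(info), depth + 1, max_depth))
    return findings


def build_sample_zip(nested: bool = False) -> bytes:
    """Constructed sample: a harmless text file plus a double-extension
    .js name with placeholder content; optionally wrapped in a second ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "nothing to see")
        zf.writestr("XXXX.doc.js", "// placeholder text, not malware")
    data = buf.getvalue()
    if nested:
        outer = io.BytesIO()
        with zipfile.ZipFile(outer, "w") as zf:
            zf.writestr("inner.zip", data)
        data = outer.getvalue()
    return data
```

A hit should route the message to quarantine or to the AV/Anti-Bot blades the response team mentions, rather than relying on emulation alone.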

Friday, April 10, 2015

CPUGcon wanted alive / dead (cross out one option please)

As you may remember, once upon a time there was a CPUG conference.

It was a technical event to share knowledge and experience around Check Point security products. It took place in Switzerland and later in Germany from 2008 till 2013. The motto of the event was "we tell the truth and help each other out". It was an actual de-virtualization of the CPUG forum community. It was lots of fun. It was practically free of marketing buzz. It was transparent, open, truthful, friendly and independent. It was arguably the best European technical event of the year around Check Point.

What happened to it? In 2014 Barry Stiefel, the previous owner and maintainer of the CPUG forum, sold his business to another company. Before that, the CPUG site was down for some time. The community was in disarray. Time was lost. The idea was practically dead.

But is it dead now, really? The CPUG conference as a tech community event and community spirit, is it actually dead enough to be forgotten? CPUG has had some rough times before.

Today the site is back and, since the previous owner is out of the picture, some new opportunities may come around. We could be friends with Check Point, for starters, if you catch my drift. We could continue doing the same, with new people and new ideas. How about it?

I am not ready to close the book on the CPUG annual conference just yet. There is still enough time to make it happen in 2015. Are you on board? Do you think we should try?

This is a call to all CPUG friends and participants to speak out. Please let us all know what you think about this. Just say it, yea or nay.

With CPX around the corner, we would like to meet with all friends of CPUG attending the events in Amsterdam and Washington. If you are coming to CPX, let's meet somewhere and have a chat, have a drink.

Are you in? Are you still in, guys? If yes, follow the announcement. We will fix the time and place a bit later. Hope to see you again soon.

Tuesday, April 7, 2015

Is the security market ready for preemptive monitoring solutions?

How many times have you seen firewalls failing because of a subtle issue that becomes critical over time? Memory leaks, license or contract expiration, disk space running low, excessive local logging, sudden cluster failover without any obvious reason, performance issues masked by imperfect monitoring, and many other things one could detect in time with the right tool.

This list could be a couple of pages long for Check Point alone.

Now, let's say our security and networking systems are multi-layer and multi-vendor. How do you make sure your system is running fine? How do you see the early, tiny signs of future problems and fix them before they become critical? What do you do?

SmartView Monitor? Scripts? How often, how deep? How much effort do you spend tuning such a system? Any?

During my 15 years I have seen just too many issues where a security system failure could have been prevented by early detection of the symptoms.

Some integrators and Check Point support partners even sell such monitoring as a service. Usually it is done manually, remotely or on site, on a periodic basis: weekly, monthly, a couple of times a year. Each such service is a piece of art, where experts look for something they know and suspect. Each of them looks for something different, as their experiences are neither coherent nor comprehensive.

There are many niche vendors complementing well-known security solutions with change management and orchestration: Tufin, Algosec, Skybox Security, Firemon, Athena and others. With so many companies there is clearly a market for such tools.

But what about preemptive monitoring? The only company I know of in this space is Indeni.

Indeni is not just for Check Point. Their product also works with Cisco, Juniper, Fortinet, Palo Alto Networks and F5.

The tool monitors thousands of details that might indicate a failure and reports the findings as alerts. It can be deployed and integrated in half an hour. It is intuitive and simple to use.

You do not have to take my word for it. Register, download a demo and check for yourself. Or just sign up for the news from Indeni.

In my personal view, having just one vendor does not necessarily mean there is no market. On the contrary. It may mean this particular solution is going to be the next big thing.

Wednesday, April 1, 2015

Check Point is changing name to Pink Point

Did you notice the new colours of the Check Point banners lately? Much pink, you say? Ever wondered why?

The answer is finally revealed!

Tomorrow Check Point will change its name to Pink Point Technologies. The domain is already reserved; DNS entries and certificates will also be transferred.

Check Point emails will remain valid for the next 6 months, running in parallel with the new ones.

I wish the renewed company the brightest and the pinkest future! Hooray!

P.S. If you have any doubt, check the date of this post. Cheers.