PhoneBoy’s Security Theater

Over my 10 years in Nokia's Security Appliance Business, I have met a lot of people. Many of these people worked in the business and moved onto other areas of Nokia. Others were the direct result of my "poking around." At one point, I hoped that I could leverage some of these contacts to branch out into other areas of Nokia.

Then, a funny thing happened at the end of September 2008. Nokia announced they were selling the Security Appliance Business to an outside investor. We were to become a new, independent company. Shortly thereafter, the wheels fell off the economy and the credit market dried up. This made such a venture untenable.

Shortly before Christmas, Nokia announced we were being sold to Check Point Software . It wasn't the original plan, but under the circumstances, it made the most sense.

Despite the uncertain economic climate, not to mention the uncertain future all of us faced, a funny thing happened. We all pulled together, tightened our belts a little, and forged ahead. Profitability continued. Epic amounts of customer satisfaction were attained. We showed incredible strength and determination. Every one of us.

Meanwhile, the rest of Nokia downsized and reorganized. The company is asked employees to volunteer for a layoff as well as ideas for cost savings. I would not be surprised if additional actions are being considered to ensure survival during this protracted recession.

Clearly, my days at Nokia are numbered. Some of us will end up at Check Point. Others, sadly will not. It's not only a long goodbye to a company that has treated me well for 10+ years, but to a "family" of people I've worked with. While like all families, we disagreed at times, we all tried our best to "delight our customers" and be "very human" (to borrow a couple of Nokia's values).

While it is goodbye to some, many of us will continue to work together as part of Check Point. Clearly, it won't be the same as it was. I have hope that, in time, it will be much better than what we had.

Intrusion Prevention Systems are designed to detect possible attacks that are occurring over the network and act upon them in some way. They are not unlike firewalls, but they tend to approach the problem a bit differently. Whereas your typical network firewall is a "deny by default" system (i.e. deny all traffic except those which pass certain criteria), an IPS tends to be an "allow all by default" system (i.e. allow all traffic except those things that look dangerous). Also, firewalls tend to be routers to serve as a network choke point, whereas the IPS is a "bump in the wire" looking at all traffic passing through. It is usually deployed in-line with the firewall, either on an ingress or egress point.

Joel Esler, one of the professional services guys for Sourcefire, who sell IPS solutions (Nokia, my employer, is a Sourcefire partner), wrote an interesting blog post decrying the typical practice of deploying the IPS outside the Internet-facing firewall. His basic message: if your Internet-facing firewall is properly configured and your important machines are properly ensconced behind it, you don't need an IPS on the outside of your firewall. The IPS should be placed inside the firewall.

While I agree that IPS is needed inside the external firewall, I think IPS has a useful place outside the firewall as well. It is not always feasible to put everything behind a firewall. For example, it may not be possible/feasible to subnet your external network so you can put stuff behind a firewall. You might be using a service that does not play nice with a firewall. Or any number of other technical or political reasons.

Even if you can manage to get everything behind a stateful inspection firewall, what's looking after the firewall? Sure, a properly configured firewall will deflect anything the Internet is likely to throw at it, but even a properly configured firewall might be susceptible to a security vulnerability.

To throw another viewpoint into the mix, perhaps the place to integrate IPS functionality is right in the firewall itself. Check Point was clearly starting down this road with SmartDefense in the NG AI release of VPN-1. Now in the R70 release of Check Point's Security Gateway product, we have the IPS software blade, which is a full-blown IPS.

The bottom line is that if you're going to use an IPS, you need it everywhere bad stuff could happen--inside or just outside your security parameter. Or on the firewall itself ;)

I recently went through the trouble of installing a Nokia IP260 as a firewall at home. It was one of the only machines I felt I could keep running in my office for any length of time and not cringe at the fan noise being thrown off. Clearly, our security appliances are not designed for home installation ;)

Unfortunately, the IP260 I had been using decided to die. Again. The unit had been sent to our repair facility on two separate occasions for repair for the same problem: won't even get to the boot manager. As a software guy, there's not a whole lot I can do about hardware problems ;)

The method they make employees follow is the "Return and Repair" method. We ship the box to the repair facility, they fix it and send it back to us. The only time a customer would ever follow this process is if their box is not covered by a support agreement. Otherwise, most direct customers get Advanced Replacement or on-site replacement, depending on your purchased support agreement.

The good news is that this unit should be scrapped and I'll get a (like) new unit to replace it. I also can run R65 now instead of R62. The bad news? I have to listen to the whine of the fans of an IP390 for a while.

Update: Our Service Parts guy told me they are going to overnight me a unit. I can scrap the unit myself. Spare parts FTW!

As I write this, I am still a Nokia employee. Yesterday's announcement did not change that, at least until the deal closes sometime in the next three months. Meanwhile, here are a few of the more interesting pieces that appeared online regarding the announcement.

• Check Point to buy Nokia security appliance business (from Reuters)
• Check Point to buy Nokia security appliance business (from Globes [online])
• Check Point Sees Better Product Through Nokia Acquisition (from eWeek Channel Insider)
• Check Point to acquire Nokia's security appliance business (from ThreatChaos)
• Check Point acts on my advice (from Network World)

Andrew Hay and Warren Verbanec, two of my former co-workers, along with Peter Giannoulis and Keli Hay have come together to make the Nokia Firewall, VPN, and IPSO Configuration Guide. These folks have put together a comprehensive tome covering all of Nokia's network security solutions, though the primary focus is on Nokia IPSO and Check Point VPN-1. I also played a small role in this book by writing the foreward for it, as well as helping both Andrew and Warren with various things over the years.

Of course, since the time this book was finished, but before it was printed and bound, and available on amazom.com and other places, Nokia announced it was selling off the Security Appliance business. Even if the boxes have a different name on them, which must happen eventually as result of new ownership, they'll still be the same high-quality systems you've come to know and love from Nokia.

The thing that has consumed my waking thoughts on Monday was the fact that Nokia has announced they are in the advanced stages of discussions with a financial investor to purchase this Security Appliance business from Nokia. Since this is the part of Nokia I work in, I am obviously a bit concerned by this.

All indications are that the Security Appliance part of Nokia's business will be spun out--intact--and made an independent company under new ownership. By itself, Nokia's Security Appliance business is fairly substantial. Not as big as Nokia's handset business, obviously, but it's still a reasonably sized business.

For customers, it should be business as usual. Operationally speaking, most of what makes up the Security Appliance business in Nokia is already fairly independent of the rest of Nokia. The relationships with Check Point, Sourcefire, and others will continue and likely strengthen. The only real change will be the name on the front door, though you will likely to continue to see the Nokia brand in use for a period of time while the marketing folks roll out the new branding.

I think it will be a positive thing for the business as a whole. I personally see a lot of opportunities in this new world order, both for myself and the business. That being said, I won't be part of Mother Nokia anymore, which I believe also has some interesting opportunities, but opens others. It's giving me a lot to think about.

It's interesting to see Charlie Schick, one of my Nokia colleagues discuss--on the corporate blog no less--a subject that has gotten a lot of attention thanks how well the Nokia E71 was kept secret before it's launch. And like Charlie, I'm going to drag out some thoughts from Nokia's internal blogosphere--my own specifically. However, unlike Charlie, I don't work in marketing and, obviously, am not speaking for the company here.

I am not opposed to the policy of not discussing publicly announced products. I understand the reasoning. That being said, it's frustrating at times to not be able to participate in a particular conversation about something everyone knows about thanks to a product leak. I think pretending the leak didn't happen is simply silly, which is the corporate policy today.

When a product leak does occur--and let's face it, it's going to happen despite our best efforts--we need to have a communications plan in-place for dealing with it. Immediately, not when the product releases. Somewhere between the current "stonewall" policy and "spilling the beans." I'm not sure how realistic that is, but at least that way we might have some control over the messaging versus in the current regime where the blogosphere has already told all before anyone inside Nokia has had a chance to say word one.

Of course, even if every Nokia employee keeps their lips tight about upcoming products, the mobile phones themselves leak information. Whenever you visit a web site, or upload a picture to Share on Ovi or Flickr, the phone will leave bits of information indicating what kind of device it is as well as certain capabilities. For example, look at the number of photos on Ovi taken with the E71. All of the pictures here right now were taken with a pre-production E71. I can tell you from personal experience that pre-production units are somewhat different than production ones, both in terms of hardware and software. Using this sample to judge picture quality will give misleading results.

While this isn't the same as leaking a picture or sending a damned prototype to a reviewer, it's information none the less. It's the kind of information that shouldn't be out there--especially if we can't actually talk about an unreleased device. Our devices--at least in their pre-production form--should not inadvertently leak information about themselves.

I actually think there might be an interesting "security" feature here: relay as little about the end user device as possible with these service, or even provide the facility change it to something else entirely. I know this is possible to do. Why not make this a built-in feature, along with changing EXIF data and other identifying information?

I have more thoughts on this, but most of them are not well formed or not well suited for outside consumption. What do you think about product leaks and what should be done about them, if any?

Every once in a while, the part of Nokia I work for announces new stuff. Today, it's a new piece of gear: the Nokia IP1280. Excuse the marketing speak, but I occasionally like to promote the things my part of Nokia is doing. :)

For some reason, I found the phrase "dealt deep layer enterprise security threats another blow" found in the press release announcing the Nokia IP1280 funny. I suppose it does that, since this 2U, quad-core Intel CPU powerhose can handle 24 ports, up to 14 Gbps of throughput with optional ADP modules, hot-swappable components, and a starting price of $39,995 USD. Yes, the IP1280 runs Check Point VPN-1, as most of the Nokia Appliances do.

As someone who works for the group that supports the Nokia Appliances, I would certainly appreciate it if when your company buys one of these platforms, you'd avail yourself of Nokia's First Call, Final Resolution support. At least that's what the marketing types have been calling it for many moons now.

You want to know what I do at Nokia? Support platforms like these guys. Firewalls, intrusion detection, VPNs. Yup, that's what I do.

Today, our little corner of Nokia officially announces the availability of the Nokia IP2450 geared specifically at the IDS market. The Nokia IP2450 has been available as a firewall platform for the past several months. Not a new platform, therefore, but new for the IDS market.

This 2U badboy will push 4 gigabits of data in a passive or inline mode and is expandable to 24 copper or fiber gigabit Ethernet ports. This means the box can sit inline on 11 different segments or monitor 23 segments passively. And yes, you can mix and match inline and passive mode ports.

The IDS on these boxes is provided by Sourcefire, which are the folks behind the popular open-source snort IDS tool. It runs on Nokia's Linux-based IPSO-LX OS. And, of course, it's backed by Nokia's worldwide technical support organization, of which I am a part of.

Don't ask me what these badboy's cost. I work in support, not sales. ;) Seriously, if you're interested, Contact Nokia or a Nokia partner for more details.