Announcing CPshared: The Open Technical Forum for all things Check Point

I've been participating in the Check Point user community in various places for a long time now. Heck, I ran a Check Point community of my own for a while. It's not often the community gets a new place to congregate, so it's worthy of an announcement.

Presenting CPshared: The Open Technical Forum for All Things Check Point. In the NG days, this was a base "package" in the Check Point suite that handled communication between management and modules. It was also called the SVN Foundation. This is where the name comes from, and I think it's an appropriate name.

CPshared was started by an ex-Check Point employee and a long-time member of the Check Point community. It is designed to be an alternate approach to information dissemination to more established forums like CPUG--a forum I kickstarted in 2005 by donating my own content to it. CPshared includes a blog (with contributions by others), a web-based forum, a Twitter account @cpshared, and a web-based chat system.

CPshared has been under private beta for the last few weeks with a number of other long-time members of the Check Point community, including a few Check Point employees. It was formally announced today. If you use Check Point products, give it a look and join the small, but growing community!

Check Point R75 Now Available

Anyone who's following the Check Point Twitter, Facebook page, or has been peeking around in User Center has probably seen the release of R75--Check Point's next major release. DLP, Mobile Access, Identity Awareness, and Application Control are all now available as Software Blades--modules that can be enabled as needed.

Over the past several months, as part of my normal duties at Check Point, I have talked with a number of the people involved in this release. I've learned about some of the technologies that went into this release, and I have to say, it's quite amazing how it all comes together!

Take R75 out for a test drive. Even if you don't immediately use the new features, there are some usability enhancements in the SmartConsole applications, an improved IPS engine, and, of course, AppWiki, which is a great resource to find out about applications--even if you're not using our Application Control Software Blade!

Gil Shwed says Check Point isn't for sale

From Check Point isn't for sale, says Shwed - Haaretz Daily Newspaper | Israel News:

Two months ago, antivirus systems giant McAfee was sold to Intel for $7.7 billion. At the time, a number of analysts suggested that Check Point Software Technologies would also be an attractive target for takeover. Gil Shwed, the company's founder and leader, yesterday shrugged at the idea in conversation with reporters, after the company filed its third-quarter financials.

Anything's possible, Shwed said: but he's been very consistent in his position for the last 17 years, which is that Check Point isn't for sale. "We are very proud of the fact that we are an Israeli company, an independent one," he said.

Why would Check Point put themselves up for sale when the financials continue to be strong and are only getting better? I think it's just "wishful thinking" by the analysts.

Disclaimer: I work for Check Point.

Check Point and Crossbeam Expand Partnership

Crossbeam has issued a press release about their expanded strategic partnership with my employer, Check Point Software Technologies. The key paragraph in that press release:

Customers can now purchase integrated solutions from Check Point, complete with maintenance and support delivered by Check Point’s award-winning global service organization. Check Point will provide support for both its software products and Crossbeam’s X-Series platform. This simplifies the ordering process and promotes closer product, sales and technical collaboration between Crossbeam and Check Point to support customer needs.

The kind of customers that will buy Crossbeam X-Series platforms are the kinds of customers who want what we used to call "first call, final resolution" back at Nokia. This is exactly what this provides: a single point of contact for purchasing and support of Check Point software on Crossbeam hardware. What's not to like?

Check Point Abra: Your Office In Your Pocket

One of the products I was most excited about finding out about shortly after I joined Check Point was Abra. I'd be more excited if we were shipping the product--that is expected to happen at the end of March--but at least it's announced so I can talk about it a bit more freely :)

The product is pretty simple: you can walk up to any computer, plug your USB stick in, and access a secure virtual environment complete with connectivity to your corporate Intranet, access to applications installed on the host computer, hardware encryption, and simple, centralized management. Abra gives you all this and more!

The technologies that are being employed here are not entirely new. What is unique is how it is all tied together. SSL VPN products (including Check Point's own Connectra) have had the concept of a "Secure Workspace" for quite some time. When you connect to the SSL VPN gateway, you are allowed to run local applications and connect to remote resources. However, the apps operate in a kind of sandbox that restricts how you can get data into and out of the sandbox and what happens to the sandbox after the connection terminates (usually, it disappears).

Now, instead of writing the sandbox data on the local drive, move that onto a USB thumb drive that contains both hardware and software encryption. Add autorun capabilities so that when you insert the thumb drive, you are immediately prompted for authentication, taken into the secure workspace, and automatically connected to the corporate network. Meanwhile, the secure workspace and VPN settings are centrally managed using your existing Check Point Security Gateways.

I'm really excited about the future of this product! You can find out more on the Check Point Abra product pages.

PhoneBoy @ VMworld 2009, Security Gateway R70 Virtual Edition

Over the past couple of days, I was out at VMworld 2009 at Moscone Center in San Francisco, which is a trade show put out by the fine folks at VMware. While it was not my "official" job, I did do a bit of booth duty at Check Point's booth. It's been a while since I've done that.

While there, I met a couple people I've been meaning to meet for years: Randy Bias, the guy behind Cloudscaling, and Chris Hoff (a.k.a. Beaker). What I also got to experience first-hand at the show was the absolutely spectacular epic fail that is AT&T's wireless network during a trade show at Moscone Center. Full signal, yet calls were dropping like flies. Data might as well have been GPRS for all the speed I wasn't getting. It was horrible. Why AT&T doesn't have several microcells inside Moscone with either a fiber link or several DS3s for backhaul is absolutely beyond me.

Meanwhile, back to VMworld and why Check Point was there. We were demonstrating Security Gateway R70 Virtual Edition (or R70 VE for short). The main difference between the R65 VE we ship today and R70 VE, aside from the new Software Blades architecture, is the level of integration with the VMware environment. Specifically, we use the VMsafe APIs provided by VMware, which give us a whole new level of visibility into the networking that goes on inside a VMware ESX server.

If you wanted to see what was going through every port in a physical switch, you might have some trouble either setting up mirror ports for everything or network taps. In VMware with the new VMsafe APIs, applications like R70 VE can see everything going through the virtual switch and can block it as appropriate.

In our demo, we show a couple of virtual machines hooked up to a virtual switch along with a separate VM for R70 VE. One of the VMs is compromised and starts "attacking" the other. These VMs and the R70 VE VM are on the same logical subnet, hooked to the same virtual switch. R70 VE is able to successfully block the attacking traffic using the IPS blade.

The good news for the firewall administrator is that this virtual gateway is managed with the same set of tools you use today: SmartCenter and all of the SmartConsole apps. It feels just like a gateway on a physical appliance, except it is running inside a virtual machine.

R70 VE is not shipping today. The code shown at VMworld is of alpha quality. We are expecting a Q4 2009 release timeframe, but that is not final and is subject to change. If you're looking for more details, let me know and I'll hook you up.

It's Midnight, Do You Know What Your Corporate Security Policy Is?

Recently, I was asked to complete a security awareness training at Check Point. It is considered a mandatory exercise for all employees. It consists of watching a brief presentation, taking a short multiple-choice test, virtually signing the security policy document, and providing a user validation question and answer.

The entire process took no more than 20 minutes. After having watched the presentation, I can tell you, with a fair degree of certainty what the different levels of classification are, what generally falls into each level of classification, and what my responsibilities are with respect to handling data in that classification. It was all done with clear language using examples I feel most people could relate to.

It is exactly the kind of policy presentation that any serious company should have. The reason: employees are often the weakest link in security. Educating employees on the policy is vital to ensure corporate assets are protected.

Oh wait, you don't have a security policy? Well now, that is a problem.

It’s Official: PhoneBoy Now Works For Check Point

Now that we have the official announcement, I can now say I work for Check Point Software. And while I’ve been working with Check Point in some capacity or another since 1996, this is the first time I will actually be on their payroll.

A question I’ve gotten a bit since this was originally announced back in December is: what’s gonna happen to Nokia’s awesome support team? The good news is that the vast majority of that support team will be incorporated into Check Point. Furthermore, the combined support organization will implement best practices from both companies. In fact, Check Point’s support offerings now look very similar to those we sold at Nokia.

What about me? At the moment, I am trying to get through all the structural changes, which are still underway. I’m less worried about the “job” part of my job and more worried about more basic issues, like getting connected to Check Point’s Intranet, getting signed up for payroll and benefits, and understanding all the various policies and procedures–all of which will be different. So will my actual job, and I’ll begin to understand the particulars of it soon enough.

The Long Goodbye

Over my 10 years in Nokia's Security Appliance Business, I have met a lot of people. Many of these people worked in the business and moved onto other areas of Nokia. Others were the direct result of my "poking around." At one point, I hoped that I could leverage some of these contacts to branch out into other areas of Nokia.

Then, a funny thing happened at the end of September 2008. Nokia announced they were selling the Security Appliance Business to an outside investor. We were to become a new, independent company. Shortly thereafter, the wheels fell off the economy and the credit market dried up. This made such a venture untenable.

Shortly before Christmas, Nokia announced we were being sold to Check Point Software. It wasn't the original plan, but under the circumstances, it made the most sense.

Despite the uncertain economic climate, not to mention the uncertain future all of us faced, a funny thing happened. We all pulled together, tightened our belts a little, and forged ahead. Profitability continued. Epic amounts of customer satisfaction were attained. We showed incredible strength and determination. Every one of us.

Meanwhile, the rest of Nokia downsized and reorganized. The company has asked employees to volunteer for a layoff as well as for ideas for cost savings. I would not be surprised if additional actions are being considered to ensure survival during this protracted recession.

Clearly, my days at Nokia are numbered. Some of us will end up at Check Point. Others, sadly, will not. It's not only a long goodbye to a company that has treated me well for 10+ years, but to a "family" of people I've worked with. While like all families, we disagreed at times, we all tried our best to "delight our customers" and be "very human" (to borrow a couple of Nokia's values).

While it is goodbye to some, many of us will continue to work together as part of Check Point. Clearly, it won't be the same as it was. I have hope that, in time, it will be much better than what we had.
