CPU 2012. Eusebio Nieva. Release Map. Upgrade. SecurePlatform is so 2011… One ISO Fits All. Power-1, UTM-1, Smart-1, 4000, 12000 and 21400. IP Appliances (disk based, diskless and hybrid). Open Servers and VMware. Full Software Blades Support.
CPU 2012 Eusebio Nieva
One ISO Fits All
• Power-1, UTM-1, Smart-1, 4000, 12000 and 21400
• IP Appliances (disk based, diskless and hybrid)
• Open Servers and VMware
Full Software Blades Support
• Customers can further realize their investment in IP appliances, with the ability to run all Software Blades
Connection Capacity
• High connection capacity on select appliance models, via the built-in 64-bit firewall
IPv6
• Built-in IPv6 protocol suite, fully configurable from the Web UI and the command line shell
• Acceleration and Clustering Blade support for IPv6 is included
• Dynamic Routing for IPv6 support is on the roadmap
• VRRPv3 with IPv6 support is on the roadmap
• No support for inspection Blades
Role-based Administration
• Gaia provides a whole new level of privilege management
• For example, one administrator can be in charge of network configuration, another administrator in charge of backups, and a third administrator can be limited to system monitoring
• Each administrator can be defined with his or her own role
Authentication
• RADIUS and TACACS+
• Up to 15 privilege levels using the TACACS+ “enable” mechanism
• TACACS+ and RADIUS groups can be linked to RBA
Networking
• Two modes of redundancy: ClusterXL HA and VRRP
Networking
• Well-known IPSO Dynamic Routing stack, fully integrated into the Gaia Web UI and command-line shell:
  • BGP
  • OSPF
  • RIP
  • PIM (Sparse mode and Dense mode)
  • IGMP
• Dynamic Routing IPv6 support is on the roadmap
• Built-in DHCP relay agent. Each DHCP client subnet can be configured to have its own dedicated DHCP server
• Built-in DHCP server
Clientless Terminal Window
• Launch Terminal Window from the WebUI
• No client software required
Main Commands
• 4 main command operations:
  • Set – Sets or changes a system value
  • Show – Displays a value or values from the system
  • Delete – Removes a set value
  • Add – Adds a new value to the system
Database Lock
• Only one user can edit the GAIA config at a time
• The configuration lock must be taken to use set commands
• Use ‘lock database override’

login as: admin
This system is for authorized use only.
admin@192.0.2.254's password:
Last login: Thu Apr 12 10:44:59 2012
CLINFR0771 Config lock is owned by admin. Use the command 'lock database override' to acquire the lock.
GAIA-GA> lock da
GAIA-GA> lock database ov
GAIA-GA> lock database override
GAIA-GA>
Navigating the Clish
• Press Tab to complete a keyword:
GAIA-GA> show inter
interface - interface
All interfaces - Lists all interfaces
• Press Space, then Tab, to list the possible values:
GAIA-GA> show interface
eth0 eth1 lo
• Press ‘ESC’ ‘ESC’ to display the full syntax of the command:
GAIA-GA> show interface
show interface VALUE alias VALUE
show interface VALUE aliases
show interface VALUE all
show interface VALUE ipv4-address
show interface VALUE ipv6-address
show interface VALUE loopback VALUE
show interface VALUE loopbacks
show interface VALUE monitor-mode
show interface VALUE vlans
show interface VALUE { comments mac-addr mtu state speed duplex auto-negotiation type }
show interface VALUE { ipv6-autoconfig }
show interface VALUE { statistics }
GAIA-GA>
Which Shells are available?
• /etc/cli.sh – default shell of all users; full GAIA CLI (clish)
• /bin/bash, /bin/csh, /bin/sh, /bin/tcsh – standard Linux shells; running ‘clish’ returns to the GAIA CLI
• /usr/bin/scponly – user can run SCP but nothing else
• /sbin/nologin – user is not allowed to log in
• /bin/bash is required for SCP copies to and from the gateway
What’s Next?
• ADP hardware acceleration
• Port Based Routing
• NetFlow
• IPv6 Dynamic Routing
• VRRPv3 – support for IPv6
• MultiQ??
Log Management Challenges: Reasons for Collecting Logs
What are the main reasons for collecting log data?
• Track suspicious behavior and prevent security incidents: 64%
• Support forensics analysis: 46%
• Meet compliance requirements: 43%
Detecting/tracking suspicious behavior and preventing incidents is the top reason to collect logs.
Source: SANS Analyst Program, SANS Annual Log Management Survey Report, 2011
Log Management 1.0
• Filtering one log file at a time
• A better way is available
Introducing Check Point SmartLog
• Simple and intuitive Google-like search, e.g. the query: John Smith drop
Check Point SmartLog – Improved Logging and Status Blade Transforms Data Into Security Intelligence Intuitive, Google-like Search Experience Proactive Security Investigation Part of Check Point Security Management
Check Point SmartLog
• Split-second Google-like search provides visibility over billions of log records
• Split-second search results
  • 100x faster than SmartView Tracker
  • High performance index searches
  • Independent index engine
• Google-like textual search, e.g. the query: John Smith drop
• Tuned for large scale environments
  • Track logs across weeks and months
• Simultaneous investigation across
  • Multiple log files
  • Management domains
  • Geographies
How SmartLog Works
1. Logs are sent from Security Gateways to the Security Management Log Server and stored in a log file
2. The SmartLog Server reads logs from the log file and builds/updates the log index
3. Admin search queries (via the SmartLog Console, e.g. John Smith…) are executed on the SmartLog index, not on the raw log file
Unified Log Search and Investigation: Find Communication Patterns
• Accesses multiple log files (not just one file at a time)
• Multiple index files
  • Only limited by disk size
  • More logs = longer time horizon
• Logs from multiple domains
  • Can create more indexes
Enhanced Enterprise Visibility
• Find patterns for proactive security investigation
  • Track and monitor logs over weeks and months
• Unified Log Search in Multi-Domain Management
  • Investigate logs across log files, geographies, and log servers
Integral Component of Security Management
• Centrally track activity across all Software Blades and multiple domains, for example:
  • Threat Prevention logs: IPS or Anti-Bot or Anti-Virus
  • High bandwidth tagged applications: high bandwidth application
  • All dropped connections for user John Smith: John Smith drop or reject or blocked
  • and more…
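As an added illustration (not Check Point's code and not SmartLog's real implementation), the toy model below follows the three steps above: it indexes a few constructed log records once, then answers the slide's example queries from the index rather than by rescanning the log file. The query grammar is an assumption modelled on the examples on this slide: bare terms are ANDed and "or" joins neighbouring terms into a set of alternatives.

```python
from collections import defaultdict

# Constructed sample records standing in for a Log Server's log file (not real logs).
LOG_FILE = [
    {"id": 1, "user": "John Smith", "action": "drop", "blade": "Firewall", "app": "BitTorrent"},
    {"id": 2, "user": "John Smith", "action": "accept", "blade": "Firewall", "app": "HTTPS"},
    {"id": 3, "user": "Jane Doe", "action": "reject", "blade": "Application Control", "app": "YouTube"},
    {"id": 4, "user": "John Smith", "action": "blocked", "blade": "Anti-Bot", "app": ""},
    {"id": 5, "user": "Mark Lee", "action": "accept", "blade": "IPS", "app": "DNS"},
]

def tokenize(text):
    """Case-insensitive whitespace tokens; 'Anti-Bot' stays a single token."""
    return text.lower().split()

def build_index(records):
    """Step 2: map every token of every field to the ids of the records containing it."""
    index = defaultdict(set)
    for rec in records:
        for field, value in rec.items():
            if field != "id":
                for tok in tokenize(str(value)):
                    index[tok].add(rec["id"])
    return index

def parse_query(query):
    """Assumed grammar: 'John Smith drop or reject' -> [{'john'}, {'smith'}, {'drop', 'reject'}]."""
    groups, join_next = [], False
    for word in tokenize(query):
        if word == "or":
            join_next = bool(groups)  # a leading 'or' has nothing to join
            continue
        if join_next:
            groups[-1].add(word)
        else:
            groups.append({word})
        join_next = False
    return groups

def search(index, query):
    """Step 3: OR within a group, AND across groups, evaluated on the index only."""
    hits = None
    for alternatives in parse_query(query):
        ids = set().union(*(index.get(t, set()) for t in alternatives))
        hits = ids if hits is None else hits & ids
    return sorted(hits or [])

# Built once; every query afterwards touches only INDEX, never LOG_FILE.
INDEX = build_index(LOG_FILE)
```

Calling search(INDEX, "John Smith drop or reject or blocked") returns the ids of the records in which both name tokens and any one of the three actions appear.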
SmartLog Sizing for Smart-1 Appliances
• Sizing Guidelines: Logs per Day with 1 Month Retention
  * Logs plus SmartLog indexes
  ** Retention period based on available storage and includes both logs and SmartLog indexes
SmartLog Deployment
• 2 different deployment options:
  • Upgrade an existing Check Point security management server or log server
  • Add a separate SmartLog server with minimal impact on the production system
Multi-Domain Deployment Elements
• Domain with Log Server: R70.50, R71.50 or R75.30 or above
• SmartLog Server: Logging and Status, R75.40
• Client User Interface: SmartConsole R75.40
• Multi-Domain Security Management
SmartLog FAQ #1
• Does SmartLog create an additional copy of the logs?
  • When installed on top of a log server it stores indexes with pointers to the log entries. The indexes use some extra disk space (20-50% of the raw log size).
  • When installed on a dedicated server it will ALSO hold a copy of the indexed logs on that server.
• Is it supported to install SmartLog on an MDM/MLM?
  • Yes, but SmartLog can require a lot of resources, so be careful when recommending this.
SmartLog FAQ #2
• Can you open SmartDashboard and go to IPS protections, AppCtrl rules etc. from SmartLog like you can from SmartView Tracker?
  • In the current version you cannot, but this feature is planned for the release version.
• Can you view IPS and Anti-Bot pcap files in SmartLog?
  • No – this is planned for a later release.
Summary: Check Point SmartLog
• Transforms data into security intelligence
• Intuitive, Google-like search experience
• Proactive security investigation
• Part of Check Point Security Management