If you're a (potential) Check Point customer, you've likely heard of ourĀ 3D Security Analysis Report. The idea is to take real traffic from your network off a span port, and run it through our Security Gateway to see what is going on in your network. While it is a sales tool, it's certainly an important one as it will instantly demonstrate the value of Check Point's solutions based on your own traffic.

Both for fun and to test an upcoming version of our Security Gateway software, I decided to run a 3D Security report against my own network. I took an existing Check Point appliance, loaded up with code, and plugged it into a Mirror Port on my switch. I let it it run for a day or so to collect traffic. In an active business network, you can let it run for as little as an hour or two and see results.

You can see what a full 3D Security report looks like byĀ downloading a sample. I won't share my report, but I will share bits and pieces of it so you can get a sense for the kinds of things it will show you. Specifically, I used IPS, App Control, and URL Filtering as part of my report, though it is possible to include DLP and (soon) Antibot.

There were a couple of surprises here. I thought I had removed Dropbox and Hamachi from all my computers. Apparently not. This will need to get corrected. LogMeIn is in use in my network, so I'm not worried about that. The eMule thing will have to be investigated since I'm pretty sure I'm not running that in my network (my kids aren't either).

In case you're not sure what these apps are, the report provides you with a nice description of all the apps:

Meanwhile, another thing the 3D report tells you is how much bandwidth the various apps are using:

I've used quite a bit of bandwidth over the last 24 hours or so! A third of it is SSL traffic, so I can't see inside it all (though I could if I deployed my gateway inline and added my CA certificate to my family PCs). Note not all of this is Internet-bound traffic, but still 2 GB in 24 hours is quite a lot, especially when you consider Comcast's 250GB cap!

The report provides a breakdown as well (note this is a partial list):

Finally, while there wasn't much going on from an IPS point of view, the blade did detect a couple of anomalies, which are provided along with the relevant remediation:

While the customer response to these reports has been generally positive, they are also end up being quite an eye-opener as you see things you never knew were going on. Even I am surprised at what I'm seeing in my own home network! Imagine what you'll find in your network.

FromĀ viaĀ Securing Mobile Devices May Be an Impossible Task:

Attacks against smartphones such as BlackBerrys, iPhones and Android phones have become quite prevalent in recent years and many of them have focused on getting malicious apps on users phones. Thats a quick and easy way to get access to user data and sensitive information. But there are a slew of other real and potential vectors that attackers have at their disposal no, as well. Going after the device firmware is one potential method, as is attacking the mobile infrastructure itself."

If I can update your phone remotely, I own the phone at every level and I own you. Its game over," said Don Bailey, a senior security consultant at iSEC Partners, said during the panel discussion.

While I myself have been thinking about mobile security, this is an angle I didn't even consider. If hackers can pwn the mobile phone network itself, well, everyone's mobile device is in danger. There's not much you can do about it, either.

By now I'm sure you've seen, heard, or read Check Point's official announcements made at NASDAQ this morning.Ā This is by no means a regurgitation of the official press releases, but it is my own personal take on what was announced.Ā If you want to see the announcement for yourself, check out the recording!

(Just to be clear, I work for Check Point and these are my own thoughts.)

Check Point R75.20

This release (press release,Ā download) brings a number of new features. One of the most anticipated ones is the ability to inspect outgoing SSL traffic. Not just for Application Control, where it is most needed given the proliferation of sites requiring SSL, but in all the various software blades we support. And its included as part of the relevant software blades license (i.e. it's not a separate charge).

SSL inspection is done by essentially doing a "man in the middle" on the traffic. The gateway dynamically generates a certificate for the destination website, which is presented to the client when they connect. This allows the Security Gateway to see the traffic "in the clear" and make the relevant security decisions. The connection is encrypted as it leaves the gateway with SSL. Since SSL inspection is more intensive than inspecting HTTP traffic, and potentially creates potential regulatory issues by its use, you will have granular controls as to when this feature is invoked.

Another new feature in R75.20 is a completely revamped URL Filtering blade. While Check Point is still selling this as a separate product, it is actually integrated with Application Control. Applications and URL Filtering categories are given equal billing in the now combined Application Control and URL Filtering rulebase. You can do user-level URL filtering (with Identity Awareness) and can take advantage of our UserCheck technology to inform users of the policies. We can also handle HTTPS websites and custom categories. The categories themselves have also been substantially updated.

Unlike with previous versions of URL Filtering, where the entire URL filtering database was stored locally on the Security Gateway, the new engine makes use of the cloud. Commonly accessed URLs and their categories are stored in a local cache on the gateway. Over 99% of your web traffic should be met by the local cache on your gateway. When someone accesses a URL not in the local cache, the URL Filtering database in the cloud is consulted, with the result being stored in the local cache for future use.

The Data Loss Prevention (DLP) blade also gets a substantial update in R75.20. HTTP performance is substantially improved in this release and you also gain the ability to examine HTTPS traffic as well. A large number of additional "out of the box" datatypes are now included. We also integrate with an internal Microsoft Exchange server so DLP can be performed on internal email as well as email leaving the organization.


A common complaint I've heard from Check Point customers over the years is that the performance numbers we quote for our appliances don't reflect what performance you'll get in the real world with real world traffic patterns. This is because performance numbers have been historically quoted for a single firewall rule (any any any accept) with the most optimal traffic pattern (1500 byte UDP packets). To be fair, this has been the standard industry practice for some time now. Every vendor of network equipment performs tests like this.

Unfortunately, this isn't a good indicator of how an appliance will perform under real world conditions. With that in mind, Check Point has developedĀ a new testing methodology for its appliances using a real rulebase (100 rules) with real-world traffic patterns (both based on industry standards and actual patterns seen at Check Point customer installations). This rulebase and traffic pattern exercises all of the various features and functionalities available in our Security Gateway. Based on those tests, Check Point has rated each appliance with aĀ SecurityPowerĀ Unit rating (SPU).

One could call the SPU an arbitrary metric. What it gives you is a relatively simple way to compare appliances and the relative security load they can handle. More importantly, an SPU can be generated for a given set of requirements (required blades, throughput, number of connections, and so on). You can then compare that against the available appliances to ensure you choose the right security appliance for the right security task.

Check Point has developed a tool that does exactly this. It will be available shortly. Personally, I think this is a big deal.

New Appliances

Two new appliances are being launched today for the data center: the 21400 (press release,Ā product page) and the 61000 (press release,Ā product page). These appliances are aimed squarely at the data center, where tens or even hundreds ofĀ megabitsĀ gigabits per second of throughput are needed!

The 21400 is a powerful 2U platform that features massive port density (up to 37 1000-base-T ports, 36 1000-base-F SFP ports, or 12 10GBase-F SFP+ ports), 50 GB of firewall throughput, 21GB of IPS throughput, hot-swappable redundant power supplies and disk drives, and an optional Lights-out Management card. Everything you'd expect from a carrier-grade chassis. The appliance runs both R71 and R75 with SecurePlatform.

The 61000 series, on the other hand, is a monster appliance! It's a 14U (DC) or 15U (AC) bladed chassis that, when fully loaded, will support 200GB of firewall throughput today and, with future hardware and software enhancements, will support over 1TB of throughput in the future! Aside from all of the various connectivity and redundancy options, the appliance acts as a single platform that, when new hardware blades are added, automatically configures itself to distribute the load between the blades! The platform currently runs a 64bit version of SecurePlatform based on R75.

Both appliances, which are referred to as Data Center Appliances, are available now on theĀ Check Point pricelist.

Mobile devices are, like any powerful tool, a double edged sword. They enable unprecedented ability to access and create information from anywhere! They are also a huge problem for information security.

Unlike a traditional PC, where there are a number of solutions to address various information security needs, mobile devices (those running iOS, Android, Symbian, Blackberry and others) provide little if any mechanisms for third parties to provide security solutions. Beyond ActiveSync integration, which itself is potentially untrustworthy (remember how iOS used to lie to Exchange servers that their mail store was encrypted?), other options for securing the device or data on the device are limited.

That said, mobile operating systems have had the benefit of experience of other operating systems. They are designed to be more resistant to intrusion by requiring signed code, employing sandboxing, limiting the available APIs, and more. It doesn't eliminate the risk of security vulnerabilities, but it does minimize the risk known ones will occur.

Unfortunately, the "baked in" security only addresses a small segment of potential security issues. It does nothing to address future security issues that might crop up. Due to the limited APIs, it is not possible for third parties to address these issues without cooperation from the OS vendor (e.g. Apple, Google, Nokia). Unfortunately, security threats evolve far faster than an OS vendor's ability to mitigate these threats on their own. Just look at how long it took Microsoft to enable the firewall in Microsoft Windows by default, implement driver signing, or any number of other security mechanisms that are just the default on mobile operating systems.

Even so, the most important feature of a mobile device--the ability to access and share information from anywhere--is also a threat to an enterprise. The potential for data leakage is substantial! All I have to do is take a picture of a whiteboard in an office with confidential data on it using an Android phone with Google+ automatically uploading my photos "in the cloud" to have a potential data leak! Not to mention using your personal device to access mobile email and working with attachments.

Even if adequate tools existed to address all the issues on mobile devices, one should not blindly rely on these tools. It comes down to people understanding the security implications of their actions and adjusting their actions accordingly.

FromĀ ZoneAlarmā€™s Newest Security Solution: SocialGuard:

SocialGuard, ZoneAlarmā€™s newest security solution, promises a groundbreaking new method of monitoring and preventing safety breaches on Facebook the most popular social networking site by a mile, with over 500 million users without ā€œfriendingā€ your child and intruding on his/her social space. SocialGuard sends real-time alerts to parents via emailā€“or the SocialGuard interfaceā€“whenever suspicious activity is detected on your childā€™s profile; parents can customize security settings and keywords to trigger such messages if the child is exposed to illicit or inappropriate content. SocialGuard monitors childrenā€™s Facebook accounts for threats including cyberbullying, age fraud ensures children are not befriended by adults outside of their network; friend requests, hacked accounts, and link safety flags dangerous/offensive links contained in messages.

The product, available now, can be purchasedĀ here.

Check Point, my employer, is behind this. I've used the betas of this product and they do precisely what they say without being a huge burden on you or your computer. The price: $1.99 a month or $19.99 a year, makes this a no-brainer if you have kids using Facebook!

See what Check Point's Head of Consumer Business has to say about SocialGuard.