Over the past couple of days, I was out at VMworld 2009 at Moscone Center in San Francisco, which is a trade show put out by the fine folks at VMware. While it was not my "official" job, I did do a bit of booth duty at Check Point's booth. It's been a while since I've done that.

While there, I met a couple people I've been meaning to meet for years: Randy Bias, the guy behind Cloudscaling, and Chris Hoff (a.k.a. Beaker). I also got to experience first-hand at the show the absolutely spectacular epic fail that is AT&T's wireless network during a trade show at Moscone Center. Full signal, yet calls were dropping like flies. Data might as well have been GPRS for all the speed I wasn't getting. It was horrible. Why AT&T doesn't have several microcells inside Moscone with either a fiber link or several DS3s for backhaul is absolutely beyond me.

Meanwhile, back to VMworld and why Check Point was there. We were demonstrating Security Gateway R70 Virtual Edition (or R70 VE for short). The main difference between the R65 VE we ship today and R70 VE, aside from the new Software Blades architecture, is the level of integration with the VMware environment. Specifically, we use the VMsafe APIs provided by VMware, which give us a whole new level of visibility into the networking that goes on inside a VMware ESX server.

If you wanted to see what was going through every port in a physical switch, you might have some trouble either setting up mirror ports for everything or network taps. In VMware with the new VMsafe APIs, applications like R70 VE can see everything going through the virtual switch and can block it as appropriate.

In our demo, we show a couple of virtual machines hooked up to a virtual switch along with a separate VM for R70 VE. One of the VMs is compromised and starts "attacking" the other. These VMs and the R70 VE VM are on the same logical subnet, hooked to the same virtual switch. R70 VE is able to successfully block the attacking traffic using the IPS blade.

The good news for the firewall administrator is that this virtual gateway is managed with the same set of tools you use today: SmartCenter and all of the SmartConsole apps. It feels just like a gateway on a physical appliance, except it is running inside a virtual machine.

R70 VE is not shipping today. The code shown at VMworld is of alpha quality. We are expecting a Q4 2009 release timeframe, but that is not final and is subject to change. If you're looking for more details, let me know and I'll hook you up.

Recently, I was asked to complete a security awareness training at Check Point. It is considered a mandatory exercise for all employees. It consists of watching a brief presentation, taking a short multiple-choice test, virtually signing the security policy document, and providing a user validation question and answer.

The entire process took no more than 20 minutes. After having watched the presentation, I can tell you, with a fair degree of certainty what the different levels of classification are, what generally falls into each level of classification, and what my responsibilities are with respect to handling data in that classification. It was all done with clear language using examples I feel most people could relate to.

It is exactly the kind of policy presentation that any serious company should have. The reason: employees are often the weakest link in security. Educating employees on the policy is vital to ensure corporate assets are protected.

Oh wait, you don't have a security policy? Well now, that is a problem.

Yesterday, I took the train up to The City and walked around Moscone Center, where the RSA Conference was being held. I took a few pics of people from the Check Point booths, the Barracuda Babes, and Stina from Yubico.

Now that we have the official announcement, I can now say I work for Check Point Software. And while I’ve been working with Check Point in some capacity or another since 1996, this is the first time I will actually be on their payroll.

A question I’ve gotten a bit since this was originally announced back in December is: what’s gonna happen to Nokia’s awesome support team? The good news is that the vast majority of that support team will be incorporated into Check Point. Furthermore, the combined support organization will implement best practices from both companies. In fact, Check Point’s support offerings now look very similar to those we sold at Nokia.

What about me? At the moment, I am trying to get through all the structural changes, which are still underway. I’m less worried about the “job” part of my job and more worried about more basic issues, like getting connected to Check Point’s Intranet, getting signed up for payroll and benefits, and understanding all the various policies and procedures–all of which will be different. So will my actual job, and I’ll begin to understand the particulars of it soon enough.

I guess it's time to take a break from kvetching about my job for a moment and talk about something security related. Or more specifically, something related to keeping your kids safe on the Internet.

My 8-year-old son is becoming a bit more adventurous in his quest for all things Pokemon, not to mention Tower Defense-type games. He is using that "search area" in the upper right hand corner of the Firefox window to find things. This has resulted in coming across pages that are "blocked" by Microsoft's Family Safety filter, which I use on all the downstairs computers. This inevitably means he'll run into whatever room I am in and ask me to "type in my password" to unblock the site. Frequently, he asks me when I am doing something else and, of course, he wants it NOW.

When I am ready, I go to his computer--which is in our living room and thus in a public room--and find out what site he was trying to go to. Some sites I know aren't particularly great for his age range (e.g. MySpace), others I will check first. Because I'm not quite sure what I am going to find, I ask him to leave the room first. Either that or I will make note of the site and go check on a different computer.

The reason for this is very simple: Microsoft's Family Filter does not offer a lot of granularity on blocking. Furthermore, it doesn't give any explanation as to why it was blocked (e.g. what category the website was in). Even if it did, one should never assume the filter is entirely correct. Best way to keep the kids protected is to manually review the site--without them in the room--in case something particularly nasty shows up!

In one case, I went to a blocked website that appeared to have ok content, but had ads on it that were clearly not ok. Furthermore, there was so much crap on the site that the browser basically locked up! In short, there was no way I was allowing my son anywhere near this website.

I then explained to my son why I was still not going to allow access to the site in question. I reiterated why the filters are there and why I manually check things first. He understood and moved onto something else.

Obviously, things are relatively simple right now. As time wears on, things are going to be more complex, particularly when we get into instant messaging and interacting with other people online. Not to mention the difference in age-appropriateness between my 8-year-old son and 4-year-old daughter as they get older. However, it will hopefully be handled much the way it is handled today: with a conversation.
