How To Set Up Certificate Based VPNs with Check Point Appliances: CPFW Config Guide

indeni, cisco

Securing virtual private networks (VPNs) in enterprise site-to-site environments is an important task for keeping the trusted network and its data protected. It is also critical for avoiding any loss of data sovereignty.

When it comes to VPN security many security experts first think of encryption algorithms, perfect forward secrecy (PFS), Diffie-Hellman groups… and a long pre-shared key (PSK). Ouch!

What about VPN certificates?

Every security expert knows how much stronger certificate-based authentication is when a high security level is required. That is why certificates are the established best practice in enterprise-grade security environments.

However, most site-to-site VPN setups are still based on simple, long-lived pre-shared keys. In many cases the administrators responsible for keeping the network secure have even forgotten these keys, because once the VPN tunnel is configured they are never needed again.

This is because it’s much quicker and really easy to set up a VPN with a simple pre-shared key than having to deal with certificates and a certificate authority (CA).

But is it really that hard to implement a much better security architecture based on certificates? This article shows how simple it can be when you work with Check Point Firewall &amp; VPN security gateways.

Let’s get started!

How to Reset Device Trust – F5 LTM Load Balancing Methods Troubleshooting ConfigSync and Device Clustering

indeni, cisco

F5 LTM Load Balancing Methods: How to Reset Device Trust.

The official F5 SOL13946 provides information on troubleshooting device clustering and configuration sync for version 11.x F5 load balancers and other products, but it is rather long-winded. This guide is designed as a quick reference when troubleshooting device clustering or config sync. An overview of the config sync process for version 9.x and 10.x units can be found in F5 SOL7024.

Version 11.x

  • Communication between machines occurs in the following manner to form a device cluster: the mcpd process on the local machine connects to the tmm process on the local machine on port 6699.
  • The tmm process then contacts the peer’s config sync IP on port 4353.
  • Once the peer receives the connection, it uses tmm to contact mcpd over port 6699 on its own local device.
  • If this process fails, it is re-attempted every 5 seconds.
  • If this process succeeds, there is a mesh between the peer mcpd processes.

* “Local machine” here refers to the self IP configured for config sync. You can check it under Device Management > Devices > click on the device > Device Connectivity > Config Sync.


Check Point Users: You Are Not Ready for June 5th, 2016

UPDATE May 31st 2016: Check Point has updated the SK. The rollout of SHA-256 has been postponed to June 5th 2016.

Back in April 2015, Check Point published SK103839. In it, Check Point informs its customers that the update services for the various software blades will start using SHA-256 instead of SHA-1. This is in response to reports that SHA-1 has weaknesses that, if not already overcome by attackers, may be overcome as soon as 2018. Check Point is not alone in this effort; Google and other vendors are at it, too.

As the SK states, “To ensure the connectivity of Check Point software to Check Point online update services that use SHA-256 based certificates, a hotfix is required. Check Point highly recommends to install this hotfix to maintain the aforementioned update services functionality.”. In other words – if you’re not on R77.30, you should install the hotfix on all of your firewalls and management servers before November.


Cisco vs Palo Alto Networks: The Hidden Battle


In my conversations with firewall users I often hear references to the “battle of the titans” between Check Point and Palo Alto Networks. Both are leaders in the Gartner Magic Quadrant, their security technologies are often compared, and the marketing mudslinging between them has appeared across all the different media.

As everyone is aware, PANW’s aggressive growth outpaces the growth of the firewall market. This means that a large portion of that growth is coming from the displacement of its competitors, a point PANW’s CEO, Mark McLaughlin, made recently.

However, very little attention has been given to this:


The sum of the percentages is greater than 100% as some customers migrated from multiple vendors to PANW.
