Perplexed, the CEO traveled down to the factory and walked up to the part of the line where the precision scales were installed. A few feet before the scale, a $20 desk fan was blowing any empty boxes off the belt and into a bin. Puzzled, the CEO turned to one of the workers who stated, “Oh, that…One of the guys put it there ’cause he was tired of walking over every time the bell rang!”
SSL Inspection has always been a point of contention between IT and the rest of the organisation.
In one architecture project, the only objection to my design was SSL Inspection, and I had to come up with some convincing reasons for it.
First of all, without SSL Inspection there is basically zero visibility into what’s happening inside encrypted traffic like HTTPS, SMTPS, POP3S, etc.; all you see is the destination address, the server name and the certificate, never the payload. Just imagine an attacker popping a machine and tunnelling command and control through an HTTPS connection, or an unfortunate employee exposing confidential data by uploading it to some random cloud service… zero visibility!
The second business driver I can think of is Data Loss Prevention: if a breach is detected tomorrow, there is hardly any way to determine what has been lost, because the DLP engine never saw the content.
Benefits aside, a noteworthy drawback of SSL Inspection is administrative overhead: you have to distribute the inspection CA certificate to all nodes. In a directory environment like Microsoft AD that is not a big deal (Group Policy can push it), although Linux machines and some browsers, such as Firefox with its own trust store, need special configuration. Besides, some applications have to be excluded from inspection, mainly the ones using Java, which trusts its own keystore rather than the operating system’s store, and any client that pins its server certificate.
Not really a drawback, but the administrators have to be accountable and trusted, as they can easily read the intercepted traffic unencrypted. This applies not only to the proxy admins but also to the mail admins, system admins, etc., which makes it an HR matter as much as a technical one.
Note that any product which does MITM has the opportunity to expose data, and so do its admins.
Here you have to see the trade-off; I believe the gained visibility is worth it!
Sometimes CxOs might say that SSL is sacred! Yes, it is, but they have to decide how sacred they want SSL to be versus how interested they are in what information might be leaving the environment without authorisation, or how much malware command and control (C&C) they are willing to let quietly out via SSL without being torn open for inspection.
Note that you have to design the network so that all egress web traffic (from both users and servers) is forced through the proxy, either with explicit proxy settings or by transparently redirecting it, with direct outbound HTTP/HTTPS blocked at the perimeter firewall; otherwise the whole proxy plan is pointless. Besides, you have to follow some practices:
- Know the business, its processes and its demands. Every sector has its own limitations or requirements that might be against SSL Inspection (privacy rules around banking or health-care sessions are common examples).
- Plan some whitelisting policies to bypass inspection in specific cases where needed, e.g. for destinations whose clients pin their certificates.
- Know your traffic and the percentage of encrypted requests.
- Make sure that your appliance can handle the amount of traffic; SSL Inspection means decrypting the connection, inspecting it and then re-encrypting it, so the throughput with inspection enabled is usually far below the plain forwarding figure on the datasheet.
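The two design points above, forcing every egress flow through the proxy and knowing how much of the traffic is encrypted, can both be checked from flow records exported by the egress firewall. The following is an added example, not code from the original post: it parses constructed NetFlow-style records and reports hosts that reached the Internet without going through the proxy, plus the share of egress traffic on TLS ports. The proxy address 10.0.0.5, the internal ranges and every flow record are assumptions made for illustration.

```python
"""
Added example (not from the original post): audit constructed egress flow
records for proxy bypass and for the encrypted share of egress traffic.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed environment: one explicit proxy and two internal ranges.
PROXY_ADDRESSES = {"10.0.0.5"}
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Ports that imply TLS from the first byte. This is a heuristic: TLS can run
# on any port and plain HTTP can run on 443, so a real deployment should rely
# on the proxy's own protocol detection rather than port numbers alone.
TLS_PORTS = {443: "HTTPS", 465: "SMTPS", 993: "IMAPS", 995: "POP3S"}

# Constructed flow records in a NetFlow-like CSV shape: src,dst,dport,bytes
SAMPLE_FLOWS = """\
10.1.1.10,10.0.0.5,3128,52000
10.0.0.5,192.0.2.10,443,51000
10.0.0.5,192.0.2.10,80,3000
10.1.1.23,203.0.113.7,443,9100
10.1.2.40,198.51.100.9,995,2100
10.1.1.10,10.1.1.50,443,700
10.1.1.23,203.0.113.7,80,2200
"""


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    nbytes: int


def parse_flows(text: str) -> list[Flow]:
    """Parse the CSV records, skipping blank lines and '#' comments."""
    flows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        src, dst, dport, nbytes = line.split(",")
        flows.append(Flow(src, dst, int(dport), int(nbytes)))
    return flows


def is_internal(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def egress_flows(flows: list[Flow]) -> list[Flow]:
    """Flows that leave the organisation: internal source, external destination."""
    return [f for f in flows if is_internal(f.src) and not is_internal(f.dst)]


def find_proxy_bypass(flows: list[Flow]) -> list[tuple[str, str, int]]:
    """Egress flows whose source is not the proxy, i.e. hosts that reached the
    Internet directly. Every one of them is a hole in the inspection design."""
    return sorted(
        (f.src, f.dst, f.dport)
        for f in egress_flows(flows)
        if f.src not in PROXY_ADDRESSES
    )


def encrypted_share(flows: list[Flow]) -> dict[str, float]:
    """Fraction of egress traffic on TLS ports, by flow count and by bytes.
    The byte figure is the one to size the inspection appliance against."""
    egress = egress_flows(flows)
    tls = [f for f in egress if f.dport in TLS_PORTS]
    total_bytes = sum(f.nbytes for f in egress)
    return {
        "by_count": len(tls) / len(egress) if egress else 0.0,
        "by_bytes": sum(f.nbytes for f in tls) / total_bytes if total_bytes else 0.0,
    }


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for src, dst, dport in find_proxy_bypass(flows):
        print(f"bypass: {src} -> {dst}:{dport} ({TLS_PORTS.get(dport, 'clear')})")
    share = encrypted_share(flows)
    print(f"encrypted egress: {share['by_count']:.0%} of flows, "
          f"{share['by_bytes']:.0%} of bytes")
```

In the constructed sample, the proxy's own flows are the only compliant egress; the two workstations and the server that talked to the Internet directly are exactly the hosts the firewall policy should have blocked, and the TLS share (three of five egress flows, most of the bytes) is the number to compare against the appliance's inspection throughput.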
P.S. Yes, my drawing skills are awful! 🙂
A couple of times recently I have discussed certifications with friends: once with Shawn Zandi, Principal Network Architect at LinkedIn, and another time with Hosein Khosravi, a successful instructor and engineer!
I thought it might be a good idea to blog on this topic in my own words, with the conclusions of my own experience so far.
Disclaimer: I’m neither for nor against certifications. I’m not telling you to get certified or not; I’m not devaluing people who have made legitimate efforts to get certified, and I totally respect them and their achievement.
I’m just looking at it from my own perspective.
You can find lots of posts on this topic on the Internet from all the experts. Usually you’ll find two types of answers: the “marketing” ones and the honest ones!
You can spot the marketing pitch by phrases like:
- You have to be certified to be hired!
- You have to be certified as an indication of your knowledge and expertise!
- This certification guarantees your job!
- This is the most valuable certification on the market!
- Your earnings will boom!
- Holders of this certification get paid the most!
Well, they could be true, but only to some extent; I believe less than 10% of the time! I’m not saying certification is either bad or good. Let me dig deeper into it.
Basically, achieving a certification means that you have put in enough effort and dedication to pass an exam. That’s great, congratulations!
Similarly, earning a university degree mainly means that you have been a good learner.
First, I have to admit that sticking to a plan for a certification can bring dedication into your studies. Personally, I have many times started learning about a concept by following a certification path; but that should never be the end point or the boundary of grasping a technology!
Keep in mind that reality is usually different from exams.
Exams usually teach you the techniques but not the tactics. You have to be prepared for complexity and harsh situations; you have to be able to manage your time, keep pace with new technologies, use them to make your work more efficient, and play a part in connecting people and services!
Besides, you should be able to network with people and learn how to discuss your ideas and present yourself.
Be curious and find the original idea behind a thing; i.e. was there a problem out there that made engineers create that protocol? Did it solve their issue?
Imagine yourself in different situations and scenarios, then challenge your creativity to propose something. This is a best practice!
Read the standards and scrutinize the concepts in detail; google and read what others say about the concept; think out of the box and try to figure out other possibilities; dig deep into the RFCs, and maybe you can even contribute to one!
Again, studying and learning is always good, whatever the reason. Just be cautious of not getting bound to a vendor. Get to know what’s going on around you, know the market and today’s business needs; read, read and read, and make some educated guesses about the future! Keep in mind that the half-life of IT skills is less than 2 years. You have to be fast, otherwise you’ll be left behind.
So, I believe the honest and truthful answer is that you have to earn the knowledge through dedication, hard work, experience, curiosity and creativity. A vendor’s certification can’t be a good measure of someone’s knowledge in today’s IT era; you’re not bound to vendors anymore; at the end of the day we’re going to live in the IoT and SDN world. (Yeah, they’re the new fancy words.)
You should add value to the certificate, not the certificate to you!
If you’re confident in your knowledge, and you’re able to discuss and demonstrate your skills, then you’re there! Don’t panic; let your expertise speak for itself.
A good approach could be to get certified when it’s needed; yes, sometimes vendor partners need certified people for specific projects to get discounts and support contracts; I call it the practical approach. This brings a win-win result: you get the knowledge, the certification, and the money.
It’s not a vendor’s place to approve whether you’re an engineer, architect, consultant, etc.; it’s you and your knowledge!
Of all the articles out there, Russ White has done a great job writing on this and related topics; I totally recommend reading the posts below:
To make it a little clearer to myself, I’m going to explain them in a different way, with different diagrams and a matrix based on my own design experience with these models.
Disclaimer: Please keep in mind that the number of routers drawn doesn’t reflect the reality of the design and is only this way for the sake of simplicity; obviously there would be redundant routers in the real world, and the Core could also span different PoPs.
Besides, each of the bigger border routers could represent two separate ones, one on the Core side and one on the Branch side.
Design Model 1
This model is suitable when the least administrative-domain control is required; it still improves on an end-to-end IGP design by providing better management of the remote campuses.
The Core IGP is mainly used to provide next-hop reachability for the iBGP speakers: the loopback addresses the iBGP sessions are built on, and the next hops of the routes learned from the campuses, must be reachable through the IGP. Note that this applies to all models where iBGP is used in the Core.
The downside of this design is moderate operational complexity, which can arise e.g. from IGP-into-BGP redistribution and from managing the iBGP full mesh, route reflectors or confederations in the Core.
Continue reading “Enterprise Core Routing Design Models with BGP”
Following my post on Check Point CCSA exam notes, in this post I’m going to write notes on the CCSE exam. This time, though, I won’t go into configuration and will only point out the more important and real-world-applicable things.
Management Server HA
- When adding a new Check Point host as a Secondary Management Server, do not initialize SIC before selecting the Network Policy Management feature!
- After adding the host, save and install the policy; synchronization will then work.
As a reminder, whenever you reset SIC for a Gateway from the Management Server, it has to be re-initialized on the Gateway with cpconfig; don’t forget to exit cpconfig afterwards!
Check Point calls its clustering solution ClusterXL, which supports up to 8 cluster members and can be implemented in two main flavours:
- Load Sharing
  - Multicast mode: 50/50, very efficient with excellent performance
  - Unicast mode: 70/30, to be used in environments where an intermediate device has issues with the multicast MAC address (IGMP snooping); one member acts as the pivot, receives all the traffic and forwards part of it to the other member

    [Expert@GAiA-2:0]# cphaprob state

    Cluster Mode:   Load Sharing (Unicast) with IGMP Membership

    Number     Unique Address  Assigned Load   State

    1          192.168.0.101   30%             Active (pivot)
    2 (local)  192.168.0.102   70%             Active

- High Availability (HA)
  - New Mode: each member has its own physical IP address
  - Legacy Mode: both members have the same physical IP address
To make kernel parameter changes permanent, they should be written to $FWDIR/modules/fwkern.conf.