[thwackCamp 2013 Chat Log] SolarWinds Software and Federal Compliance and Security – A Two Part Topic

Version 1
MsgTime | IPAddress | Sender | Target | Text
10/10/2013 9:00 | 67.79.13.15 | Cara | | Morning Shuth!
10/10/2013 9:00 | 24.121.148.105 | superray72 | | Good Morning!
10/10/2013 9:03 | 69.138.216.104 | EdBender | | yeah - ask questions here.
10/10/2013 9:03 | 63.226.32.16 | ecklerwr1 | | NISPOM
10/10/2013 9:05 | 63.226.32.16 | ecklerwr1 | | Monitoring devices inside Isolated and Restricted enclave WITHOUT icmp! I want green devices on NPM without icmp!
10/10/2013 9:05 | 63.226.32.16 | ecklerwr1 | | snmp only monitoring
10/10/2013 9:05 | 206.246.28.252 | billy | | Good Morning!
10/10/2013 9:06 | 67.79.13.15 | francois | ecklerwr1 | hi all, yep have this one from Tue's session
10/10/2013 9:06 | 69.138.216.104 | EdBender | | Very common request for NPM to have green nodes with ICMP disabled.
10/10/2013 9:06 | 206.246.28.252 | billy | Loop1Systems | you there jason?
10/10/2013 9:06 | 152.130.15.128 | Kurt (shadowsbear) | | The CAC card is also in other Federal agencies.
10/10/2013 9:06 | 63.226.32.16 | ecklerwr1 | | they will NEVER allow icmp to pass some firewalls... too easily used as a covert channel.
10/10/2013 9:07 | 67.79.13.15 | francois | ecklerwr1 | got it, makes sense
10/10/2013 9:07 | 69.138.216.104 | EdBender | | Luckily, CAC cards and the cards used in civilian agencies (HSPD-12) use the same technology.
10/10/2013 9:07 | 69.138.216.104 | EdBender | | we solve CAC issues and it seems to solve both DoD and civilian issues - at least so far.
10/10/2013 9:08 | 69.138.216.104 | EdBender | | is anybody using NCM for DISA STIG compliance reporting?
10/10/2013 9:09 | 69.138.216.104 | EdBender | | or some other compliance reporting? FISMA?
10/10/2013 9:09 | 63.226.32.16 | ecklerwr1 | | :^} thanks! Great stuff. NCM is one module I don't have yet and am considering... STIGs or even better CIS Benchmarks.
10/10/2013 9:10 | 63.226.32.16 | ecklerwr1 | | FSM as well possibly.
10/10/2013 9:10 | 69.138.216.104 | EdBender | | FSM "evaluates well". Try it, you'll probably like it.
10/10/2013 9:11 | 152.130.15.128 | Kurt (shadowsbear) | | Do any changes get made to the firewall using FSM with user approval?
10/10/2013 9:12 | 152.130.15.128 | Kurt (shadowsbear) | | that should be without user approval
10/10/2013 9:12 | 69.138.216.104 | EdBender | | FSM does not push out changes.
10/10/2013 9:12 | 69.138.216.104 | EdBender | | FSM can create change scripts, but you need to run them.
10/10/2013 9:12 | 209.22.221.73 | Robert | | IRT Firewall & Router Configs, what can't NCM do that Firewall Security Manager can?
10/10/2013 9:12 | 69.138.216.104 | EdBender | | You can run them manually (SSH or TELNET), or use NCM to run them automatically
10/10/2013 9:12 | 67.79.13.15 | francois | EdBender | Unless you have NCM, in which case FSM uses NCM to push config back
10/10/2013 9:13 | 63.226.32.16 | ecklerwr1 | | If you can get FSM to work with the new VMware NSX that would be a plus when it's released... everyone that uses VMware is going to be all over NSX.
10/10/2013 9:13 | 152.130.15.128 | Kurt (shadowsbear) | | So the config for the firewall just gets imported into FSM and that's it. Then reports off that. Can you import a downloaded copy of the Firewall config?
10/10/2013 9:14 | 63.226.32.16 | ecklerwr1 | | sounds like you really need NCM if FSM is going to work well from what I gather.
10/10/2013 9:14 | 69.138.216.104 | EdBender | Robert | NCM looks at individual lines - it does regular expression comparison checks.
10/10/2013 9:15 | 69.138.216.104 | EdBender | Robert | FSM looks at all the rules together to see how they interact with each other in a non-compliant way.
10/10/2013 9:15 | 209.22.221.73 | Robert | | So it's easy with UDT to see what devices a particular user logged into on a particular day?
10/10/2013 9:16 | 69.138.216.104 | EdBender | francois | Looks like a feature request for FSM - support VMware NSX.
10/10/2013 9:16 | 67.79.13.15 | francois | ecklerwr1 | it definitely makes using FSM easier and more powerful, but not a must have
10/10/2013 9:16 | 67.79.13.15 | francois | EdBender | got it
10/10/2013 9:17 | 69.138.216.104 | EdBender | Kurt (shadowsbear) | you can download configs manually and load them into FSM.
10/10/2013 9:18 | 209.22.221.73 | Robert | | So it's easy with UDT to see what devices a particular user logged into on a particular day? or how about who logged into a server on a specific date?
10/10/2013 9:18 | 69.138.216.104 | EdBender | Kurt (shadowsbear) | FSM can download directly from devices as well as from the NCM database and manual import.
10/10/2013 9:18 | 63.226.32.16 | ecklerwr1 | | that's what we use NTA for more than anything else... WAN links.
10/10/2013 9:18 | 118.209.171.97 | Shuth | EdBender | How would you recommend to use FSM with Checkpoint and multiple policies?
10/10/2013 9:19 | 67.79.13.15 | francois | Robert | UDT tracks connections to SW ports, not users connecting to servers or apps
10/10/2013 9:20 | 69.138.216.104 | EdBender | Robert | LEM can track logins to servers and apps.
10/10/2013 9:21 | 209.22.221.73 | Robert | | Ed - How does LEM do it?
10/10/2013 9:21 | 99.127.50.5 | colby | | Robert - using event log or other application log data
10/10/2013 9:22 | 88.96.183.221 | garrethcoleman | | LEM does not track, it will log audit events received by the agent installed on nodes.
10/10/2013 9:23 | 209.22.221.73 | Robert | | Ok, thanks... I'll have to look more into it.
10/10/2013 9:23 | 69.138.216.104 | EdBender | Shuth | I'm not sure about multiple policies on Checkpoint but each policy might be treated as a separate firewall. Francois, is that right?
10/10/2013 9:25 | 118.209.171.97 | Shuth | EdBender | When you try to import a different policy, it overwrites the original. Doesn't let you add multiple ones :-/
10/10/2013 9:25 | 63.226.32.16 | ecklerwr1 | | That's only if the device will give serial numbers with snmp... they all don't
10/10/2013 9:26 | 69.138.216.104 | EdBender | Shuth | that's not good! is this a known issue? Is this being worked on? I'm not an expert on FSM, but this will need to be addressed.
10/10/2013 9:27 | 118.209.171.97 | Shuth | EdBender | I don't know. I raised it during Tuesday's Config Mgmt session but thought you might know something more
10/10/2013 9:30 | 152.133.10.6 | rambockoziol | | How do you play back old sessions?
10/10/2013 9:30 | 63.226.32.16 | ecklerwr1 | | CAC, crypto, and snmpv3 were a must... glad to see the whole product line getting support.
10/10/2013 9:32 | 66.68.96.99 | danielle.higgins | rambo | you can watch all of the old sessions below
10/10/2013 9:32 | 66.68.96.99 | danielle.higgins | rambo | There is a playlist for day 1 and day 2
10/10/2013 9:32 | 69.138.216.104 | EdBender | ecklerwr1 | Yeah - we are making nice security improvements in all of the products. We don't publicly talk about them much because they aren't cool new features, but they address serious pain for many of our fed customers.
10/10/2013 9:35 | 67.79.13.15 | francois | EdBender | sorry, fire drill, we had to leave the building for 10 min
10/10/2013 9:36 | 67.79.13.15 | francois | EdBender | yes, you can load a separate file per policy, but not all at the same time
10/10/2013 9:36 | 67.79.13.15 | francois | Shuth | correct
10/10/2013 9:37 | 66.129.74.228 | mike | | did he stop talking after "Luckily I'm able to?"
10/10/2013 9:38 | 192.30.215.5 | ScottSadlocha | | No, still talking
10/10/2013 9:39 | 67.79.13.15 | Cara | | mike, try refreshing the page
10/10/2013 9:41 | 63.226.32.16 | ecklerwr1 | | We have the EOC and multiple NPMs... you really need to either add the snmp only polling feature or work out some hack we can use for icmp not being allowed. I'm not putting a poller inside an enclave with 3 devices.
10/10/2013 9:42 | 209.22.221.73 | Robert | | So it just pushes the data one way NIPR to SIPR?
10/10/2013 9:43 | 69.138.216.104 | EdBender | Robert | yes NIPR to SIPR is the most common way.
10/10/2013 9:43 | 67.79.13.15 | francois | ecklerwr1 | yep, got it. We are looking at it, but no firm plan. It's fairly high on the list
10/10/2013 9:43 | 69.138.216.104 | EdBender | Robert | however, some two-way collaboration can be enabled with the solution.
10/10/2013 9:43 | 63.226.32.16 | ecklerwr1 | | :^}
10/10/2013 9:45 | 69.138.216.104 | EdBender | Robert | SIPR to NIPR opens a bigger can of worms, but it can be done.
10/10/2013 9:45 | 67.79.13.42 | sandip | | Thanks for a great session Ed!
10/10/2013 9:46 | 209.22.221.73 | Robert | | Yes, I'm thinking NIPR to SIPR to some degree is a small can of worms but certainly interesting... thanks for the session and updates.
10/10/2013 9:46 | 67.79.13.42 | sandip | | Ed, Nicole, and Francois will still be available for questions for the next 15 mins, so feel free to keep them rolling in!
10/10/2013 9:46 | 63.226.32.16 | ecklerwr1 | | Thanks Ed... seems like EOC would have to go on the SIPR side and pull from NIPR.
10/10/2013 9:46 | 118.209.171.97 | Shuth | EdBender | Thanks Ed! I don't suppose SW could check internally re: multiple Checkpoint policies and FSM for me please?
10/10/2013 9:46 | 151.166.15.122 | ScottS | | Ed, the EOC PM told me that EOC still needs to poll NIPR Orions then roll data up to SIPR EOC - hence two way communication. Confirm?
10/10/2013 9:47 | 69.138.216.104 | EdBender | ecklerwr1 | yes. most IA people will tend to allow EOC on the high side so data flows only from low to high.
10/10/2013 9:47 | 67.79.13.15 | francois | Shuth | shuth, can you elaborate why this is a big issue: "When you try to import a different policy, it overwrites the original. Doesn't let you add multiple ones :-/"
10/10/2013 9:47 | 67.79.13.15 | francois | Shuth | I think I get it, but I'd like to hear it from you
10/10/2013 9:49 | 69.138.216.104 | EdBender | ScottS | EOC configured as part of a Cross Domain Solution from BlueSpace Software is one-way only (by default).
10/10/2013 9:49 | 118.209.171.97 | Shuth | francois | When eval'ing with one of the Checkpoint engineers it was a big turnoff to not be able to easily check or compare the policies. If he wanted to check policy B he has to re-add the config files to FSM and select Policy B. To check Policy C, he has to repeat all of that
10/10/2013 9:49 | 69.138.216.104 | EdBender | ScottS | the BlueSpace "middleware" makes the magic happen to eliminate the need for bi-directional comms between EOC SIPR and NPM NIPR.
10/10/2013 9:50 | 67.79.13.15 | francois | Shuth | makes sense, perfect. Thanks. I'll make sure this gets to the PM and dev
10/10/2013 9:50 | 209.22.221.73 | Robert | | Ed - Will the cross domain solution still work when using EOC FOE on both sides?
10/10/2013 9:51 | 118.209.171.97 | Shuth | francois | Thanks!
10/10/2013 9:51 | 151.166.15.122 | ScottS | | Ed, I am sending you an email for more information....
10/10/2013 9:51 | 209.22.221.73 | Robert | | Meaning will a failover on NIPR mean a seamless transition and continuous information on the SIPR side?
10/10/2013 9:51 | 69.138.216.104 | EdBender | Robert | in a CDS solution, EOC would only be on the high side. FOE can be used on the high side EOC.
10/10/2013 9:52 | 118.209.171.97 | Shuth | francois | (I'm not sure if it was us not using FSM correctly but I couldn't figure out a way to get it to work properly)
10/10/2013 9:53 | 209.22.221.73 | Robert | | Ok, thanks Ed... I'll do some more research and send you any other questions I come up with.
10/10/2013 9:53 | 69.138.216.104 | EdBender | Robert | On the NIPR side, you have NPM and FOE for the NPM server. Both of them on the NIPR side.
10/10/2013 9:53 | 67.79.13.15 | francois | Robert | Just checked with dev, FOE should not be an issue in this context
10/10/2013 9:53 | 69.138.216.104 | EdBender | Robert | there is a webinar recording that goes over the solution in more detail.
10/10/2013 9:55 | 69.138.216.104 | EdBender | Robert | http://thwack.solarwinds.com/events/1006 is the link to the BlueSpace CDS webinar.
10/10/2013 10:05 | 63.226.32.16 | ecklerwr1 | | Looking forward to EOC catching up with NPM improvements.
10/10/2013 10:07 | 63.226.32.16 | ecklerwr1 | | would like to get more people off having to connect to NPM instances if I could get EOC to do more on its own.
10/10/2013 10:08 | 67.79.13.15 | francois | ecklerwr1 | we have work ongoing on EOC. You can check on the What Are We Working On to see if they give details
10/10/2013 10:09 | 63.226.32.16 | ecklerwr1 | | Yes I've been watching that... I'm glad to see EOC is finally getting some dev love.
10/10/2013 10:12 | 69.138.216.104 | EdBender | ecklerwr1 | also, have you looked at adding an Additional Web Server to your Orion instance? If the problem is too many concurrent users of Orion slowing it down, the Additional Web Server solves that problem.
10/10/2013 10:12 | 66.68.96.99 | danielle.higgins | | **Only a little under 2 hours left to complete the day 2 mission!!**
10/10/2013 10:13 | 66.68.96.99 | danielle.higgins | | We're giving away a Samsung SSD after the mission closes at Noon CST
10/10/2013 10:17 | 67.79.13.15 | francois | ecklerwr1 | yes, it's time :-)
10/10/2013 10:17 | 63.226.32.16 | ecklerwr1 | | woohoo Danielle!
10/10/2013 10:21 | 128.29.43.2 | johnney | danielle.higgins | Danielle, will all the recordings from this week be posted to /groups/thwackcamp-2013?
10/10/2013 10:21 | 66.68.96.99 | danielle.higgins | johnney | yes, they are being posted almost minutes after the sessions wrap
10/10/2013 10:21 | 128.29.43.2 | johnney | danielle.higgins | thx
10/10/2013 10:22 | 67.79.13.42 | sandip | | 8 mins till the next session on Storage Manager, who's pumped?
10/10/2013 10:22 | 66.68.96.99 | danielle.higgins | johnney | scroll down on the page, you can see all of Tuesday's and Wednesday's sessions in the playlists
10/10/2013 10:22 | 63.226.32.16 | ecklerwr1 | | We are some impatient geekers, that's for sure.
10/10/2013 10:23 | 63.226.32.16 | ecklerwr1 | | Must have seen that question about the recordings 100 times since Tuesday :^}
10/10/2013 10:26 | 62.245.106.82 | bpbp | | yeah - let's go!
10/10/2013 10:26 | 63.226.32.16 | ecklerwr1 | | whoever the woman is on there sure gets dissed for trying to talk on the radio
10/10/2013 10:26 | 71.64.110.224 | LeonAdato | | Yeah, I've asked a few "special" people from my company to watch this. Hope they're on!