MsgTime | IPAddress | Sender | Target | Text |
10/10/2013 9:00 | 67.79.13.15 | Cara | Morning Shuth! |
10/10/2013 9:00 | 24.121.148.105 | superray72 | Good Morning! |
10/10/2013 9:03 | 69.138.216.104 | EdBender | yeah - ask questions here. |
10/10/2013 9:03 | 63.226.32.16 | ecklerwr1 | NISPOM |
10/10/2013 9:05 | 63.226.32.16 | ecklerwr1 | Monitoring devices inside Isolated and Restricted enclave WITHOUT icmp! I want green devices on NPM without icmp! |
10/10/2013 9:05 | 63.226.32.16 | ecklerwr1 | snmp only monitoring |
10/10/2013 9:05 | 206.246.28.252 | billy | Good Morning! |
10/10/2013 9:06 | 67.79.13.15 | francois | ecklerwr1 | hi all, yep have this one from Tue's session |
10/10/2013 9:06 | 69.138.216.104 | EdBender | Very common request for NPM to have green nodes with ICMP disabled. |
10/10/2013 9:06 | 206.246.28.252 | billy | Loop1Systems | you there jason? |
10/10/2013 9:06 | 152.130.15.128 | Kurt (shadowsbear) | The CAC card is also in other Federal agencies also. |
10/10/2013 9:06 | 63.226.32.16 | ecklerwr1 | they will NEVER allow icmp to pass some firewalls... too easily used as a covert channel. |
10/10/2013 9:07 | 67.79.13.15 | francois | ecklerwr1 | got it, makes sense |
10/10/2013 9:07 | 69.138.216.104 | EdBender | Luckily, CAC cards and the cards used in civilian agencies (HSPD-12) use the same technology. |
10/10/2013 9:07 | 69.138.216.104 | EdBender | we solve CAC issues and it seems to solve both dod and civilian issues - at least so far. |
10/10/2013 9:08 | 69.138.216.104 | EdBender | is anybody using NCM for DISA STIG compliance reporting? |
10/10/2013 9:09 | 69.138.216.104 | EdBender | or some other compliance reporting? FISMA? |
10/10/2013 9:09 | 63.226.32.16 | ecklerwr1 | :^} thanks! Great stuff NCM one module I don't have yet and am considering... STIGs or even better CIS Benchmarks. |
10/10/2013 9:10 | 63.226.32.16 | ecklerwr1 | FSM as well possibly. |
10/10/2013 9:10 | 69.138.216.104 | EdBender | FSM "evaluates well". Try it, you'll probably like it. |
10/10/2013 9:11 | 152.130.15.128 | Kurt (shadowsbear) | Do any changes get made to the firewall using FSM with user approval? |
10/10/2013 9:12 | 152.130.15.128 | Kurt (shadowsbear) | that should be without user approval |
10/10/2013 9:12 | 69.138.216.104 | EdBender | FSM does not push out changes. |
10/10/2013 9:12 | 69.138.216.104 | EdBender | FSM can create change scripts, but you need to run them. |
10/10/2013 9:12 | 209.22.221.73 | Robert | IRT Firewall & Router Configs, what can't NCM do that Firewall Security Manager can? |
10/10/2013 9:12 | 69.138.216.104 | EdBender | You can run them manually (SSH or TELNET), or use NCM to run them automatically |
10/10/2013 9:12 | 67.79.13.15 | francois | EdBender | Unless you have NCM, in which case FSM uses NCM to push config back |
10/10/2013 9:13 | 63.226.32.16 | ecklerwr1 | If you can get FSM to work with the new VMWare NSX that would be a plus when it's released... everyone that uses vmware is going to be all over NSX. |
10/10/2013 9:13 | 152.130.15.128 | Kurt (shadowsbear) | So the config for the firewall just gets imported into FSM and that's it. Then reports off that. Can you import in a downloaded copy of the Firewall config? |
10/10/2013 9:14 | 63.226.32.16 | ecklerwr1 | sounds like you really need NCM if FSM is going to work well from what I gather. |
10/10/2013 9:14 | 69.138.216.104 | EdBender | Robert | NCM looks at individual lines - it does regular expression comparison checks. |
10/10/2013 9:15 | 69.138.216.104 | EdBender | Robert | FSM looks at all the rules together to see how they interact with each other in a non-compliant way. |
10/10/2013 9:15 | 209.22.221.73 | Robert | So it's easy with UDT to see what devices a particular user logged into on a particular day? |
10/10/2013 9:16 | 69.138.216.104 | EdBender | francois | Looks like a feature request for FSM - support VMWare NSX. |
10/10/2013 9:16 | 67.79.13.15 | francois | ecklerwr1 | it definitely makes using FSM easier and more powerful, but not a must have |
10/10/2013 9:16 | 67.79.13.15 | francois | EdBender | got it |
10/10/2013 9:17 | 69.138.216.104 | EdBender | Kurt (shadowsbear) | you can download configs manually and load them into FSM. |
10/10/2013 9:18 | 209.22.221.73 | Robert | So it's easy with UDT to see what devices a particular user logged into on a particular day? or how about who logged into a server on a specific date? |
10/10/2013 9:18 | 69.138.216.104 | EdBender | Kurt (shadowsbear) | FSM can download directly from devices as well as from NCM database and manual import. |
10/10/2013 9:18 | 63.226.32.16 | ecklerwr1 | that's what we use NTA for more than anything else... WAN links. |
10/10/2013 9:18 | 118.209.171.97 | Shuth | EdBender | How would you recommend to use FSM with Checkpoint and multiple policies? |
10/10/2013 9:19 | 67.79.13.15 | francois | Robert | UDT tracks connection to SW ports not user connecting to server or apps |
10/10/2013 9:20 | 69.138.216.104 | EdBender | Robert | LEM can track logins to servers and apps. |
10/10/2013 9:21 | 209.22.221.73 | Robert | Ed - How does LEM do it? |
10/10/2013 9:21 | 99.127.50.5 | colby | Robert - using event log or other application log data |
10/10/2013 9:22 | 88.96.183.221 | garrethcoleman | LEM does not track, it will log audit events received by agent installed on nodes. |
10/10/2013 9:23 | 209.22.221.73 | Robert | Ok, thanks..I'll have to look more into it. |
10/10/2013 9:23 | 69.138.216.104 | EdBender | Shuth | I'm not sure about multiple policies on checkpoint but each policy might be treated as a separate firewall. Francois, is that right? |
10/10/2013 9:25 | 118.209.171.97 | Shuth | EdBender | When you try to import a different policy, it overwrites the original. Doesn't let you add multiple ones :-/ |
10/10/2013 9:25 | 63.226.32.16 | ecklerwr1 | That's only if the device will give serial numbers with snmp... they all don't |
10/10/2013 9:26 | 69.138.216.104 | EdBender | Shuth | that's not good! is this a known issue? Is this being worked on? I'm not expert on FSM, but this will need to be addressed. |
10/10/2013 9:27 | 118.209.171.97 | Shuth | EdBender | I don't know. I raised it during Tuesday's Config Mgmt session but thought you might know something more |
10/10/2013 9:30 | 152.133.10.6 | rambo | ckoziol | How do you playback old sessions? |
10/10/2013 9:30 | 63.226.32.16 | ecklerwr1 | CAC, crypto, and snmpv3 was a must... glad to see whole product line getting support. |
10/10/2013 9:32 | 66.68.96.99 | danielle.higgins | rambo | you can watch all of the old sessions below |
10/10/2013 9:32 | 66.68.96.99 | danielle.higgins | rambo | There is a playlist for day 1 and day 2 |
10/10/2013 9:32 | 69.138.216.104 | EdBender | ecklerwr1 | Yeah - we are making nice security improvements in all of the products. We don't publicly talk about them much because they aren't cool new features, but they address serious pain for many of our fed customers. |
10/10/2013 9:35 | 67.79.13.15 | francois | EdBender | sorry, fire drill, we had to leave the building for 10 min |
10/10/2013 9:36 | 67.79.13.15 | francois | EdBender | yes, you can load separate file, per policy, but not all at the same time |
10/10/2013 9:36 | 67.79.13.15 | francois | Shuth | correct |
10/10/2013 9:37 | 66.129.74.228 | mike | did he stop talking after "Luckily im able to?" |
10/10/2013 9:38 | 192.30.215.5 | ScottSadlocha | No, still talking |
10/10/2013 9:39 | 67.79.13.15 | Cara | mike, try refreshing the page |
10/10/2013 9:41 | 63.226.32.16 | ecklerwr1 | We have the EOC and multiple NPMs... you really need to either add the snmp only polling feature or work out some hack we can use for icmp not being allowed. I'm not putting a poller inside an enclave with 3 devices. |
10/10/2013 9:42 | 209.22.221.73 | Robert | So it just pushes the data one way Nipr to SIPR? |
10/10/2013 9:43 | 69.138.216.104 | EdBender | Robert | yes NIPR to SIPR is the most common way. |
10/10/2013 9:43 | 67.79.13.15 | francois | ecklerwr1 | yep, got it. We are looking at it, but no firm plan. It's fairly high on the list |
10/10/2013 9:43 | 69.138.216.104 | EdBender | Robert | however, some two-way collaboration can be enabled with the solution. |
10/10/2013 9:43 | 63.226.32.16 | ecklerwr1 | :^} |
10/10/2013 9:45 | 69.138.216.104 | EdBender | Robert | SIPR to NIPR opens a bigger can of worms, but it can be done. |
10/10/2013 9:45 | 67.79.13.42 | sandip | Thanks for a great session Ed! |
10/10/2013 9:46 | 209.22.221.73 | Robert | Yes, I'm thinking NIPR to SIPR to some degree is a small can of worms but certainly interesting...thanks for the session and updates. |
10/10/2013 9:46 | 67.79.13.42 | sandip | Ed, Nicole, and Francois will still be available for questions for the next 15mins, so feel free to keep them rolling in! |
10/10/2013 9:46 | 63.226.32.16 | ecklerwr1 | Thanks Ed... seems like EOC would have to go on the SIPR side and pull from NIPR. |
10/10/2013 9:46 | 118.209.171.97 | Shuth | EdBender | Thanks Ed! I don't suppose SW could check internally re: multiple Checkpoint policies and FSM for me please? |
10/10/2013 9:46 | 151.166.15.122 | ScottS | Ed, The EOC PM told me that EOC still needs to poll NIPR Orions then roll data up to SIPR EOC - hence two way communication. Confirm? |
10/10/2013 9:47 | 69.138.216.104 | EdBender | ecklerwr1 | yes. most IA people will tend to allow EOC on the high side so data flows only from low to high. |
10/10/2013 9:47 | 67.79.13.15 | francois | Shuth | shuth, can you elaborate why this is a big issue:"When you try to import a different policy, it overwrites the original. Doesn't let you add multiple ones :-/" |
10/10/2013 9:47 | 67.79.13.15 | francois | Shuth | I think I get it, but I'd like to hear it from you |
10/10/2013 9:49 | 69.138.216.104 | EdBender | ScottS | EOC configured as part of a Cross Domain Solution from BlueSpace Software is one-way only (by default). |
10/10/2013 9:49 | 118.209.171.97 | Shuth | francois | When eval'ing with one of the Checkpoint engineers it was a big turnoff to not be able to easily check or compare the policies. If he wanted to check policy B he has to re-add the config files to FSM and select Policy B. To check Policy C, he has to repeat all of that |
10/10/2013 9:49 | 69.138.216.104 | EdBender | ScottS | the BlueSpace "middleware" makes the magic happen to eliminate the need for bi-directional comms between EOC SIPR and NPM NIPR. |
10/10/2013 9:50 | 67.79.13.15 | francois | Shuth | makes sense, perfect. Thanks. I'll make sure this gets to the PM and dev |
10/10/2013 9:50 | 209.22.221.73 | Robert | Ed - Will the cross domain solution still work when using EOC FOE on both sides? |
10/10/2013 9:51 | 118.209.171.97 | Shuth | francois | Thanks! |
10/10/2013 9:51 | 151.166.15.122 | ScottS | Ed, I am sending you an email for more information.... |
10/10/2013 9:51 | 209.22.221.73 | Robert | Meaning will a failover on NIPR mean a seamless transition and continuous information on the SIPR side? |
10/10/2013 9:51 | 69.138.216.104 | EdBender | Robert | in a CDS solution, EOC would only be on high side. FOE can be used on the high side EOC. |
10/10/2013 9:52 | 118.209.171.97 | Shuth | francois | (I'm not sure if it was us not using FSM correctly but I couldn't figure out a way to get it to work properly) |
10/10/2013 9:53 | 209.22.221.73 | Robert | Ok, thanks Ed..I'll do some more research and send you any other questions I come up with. |
10/10/2013 9:53 | 69.138.216.104 | EdBender | Robert | On NIPR side, you have NPM and FOE for the NPM server. Both of them on the NIPR side. |
10/10/2013 9:53 | 67.79.13.15 | francois | Robert | Just checked with dev, FOE should not be an issue in this context |
10/10/2013 9:53 | 69.138.216.104 | EdBender | Robert | there is a webinar recording that goes over the solution in more detail. |
10/10/2013 9:55 | 69.138.216.104 | EdBender | Robert | http://thwack.solarwinds.com/events/1006 is the link to the BlueSpace CDS webinar. |
10/10/2013 10:05 | 63.226.32.16 | ecklerwr1 | Looking forward to EOC catching up with NPM improvements. |
10/10/2013 10:07 | 63.226.32.16 | ecklerwr1 | would like to get more people off having to connect to NPM instances if I could get EOC to do more on its own. |
10/10/2013 10:08 | 67.79.13.15 | francois | ecklerwr1 | we have work ongoing on EOC. You can check on the What Are We Working On to see if they give details |
10/10/2013 10:09 | 63.226.32.16 | ecklerwr1 | Yes I've been watching that... I'm glad to see EOC is finally getting some dev love. |
10/10/2013 10:12 | 69.138.216.104 | EdBender | ecklerwr1 | also, have you looked at adding an Additional Web Server to your Orion instance? If the problem is too many concurrent users of Orion slowing it down, the Additional Web Server solves that problem. |
10/10/2013 10:12 | 66.68.96.99 | danielle.higgins | **Only a little under 2 hours left to complete the day 2 mission!!** |
10/10/2013 10:13 | 66.68.96.99 | danielle.higgins | We're giving away a Samsung SSD after the mission closes at Noon CST |
10/10/2013 10:17 | 67.79.13.15 | francois | ecklerwr1 | yes it time :-) |
10/10/2013 10:17 | 63.226.32.16 | ecklerwr1 | woohoo Danielle! |
10/10/2013 10:21 | 128.29.43.2 | johnney | danielle.higgins | Danielle, will all the recordings from this week be posted to /groups/thwackcamp-2013? |
10/10/2013 10:21 | 66.68.96.99 | danielle.higgins | johnney | yes, they are being posted almost minutes after the sessions wrap |
10/10/2013 10:21 | 128.29.43.2 | johnney | danielle.higgins | thx |
10/10/2013 10:22 | 67.79.13.42 | sandip | 8mins till the next session on Storage Manager, who's pumped? |
10/10/2013 10:22 | 66.68.96.99 | danielle.higgins | johnney | scroll down on the page, you can see all of Tuesday's and Wednesday's sessions in the playlists |
10/10/2013 10:22 | 63.226.32.16 | ecklerwr1 | We are some impatient geekers that's for sure. |
10/10/2013 10:23 | 63.226.32.16 | ecklerwr1 | Must have seen that question about the recordings 100 times since tuesday :^} |
10/10/2013 10:26 | 62.245.106.82 | bpbp | yeah - let's go! |
10/10/2013 10:26 | 63.226.32.16 | ecklerwr1 | whoever the woman is on there sure gets dissed for trying to talk on the radio |
10/10/2013 10:26 | 71.64.110.224 | LeonAdato | Yeah, I've asked a few "special" people from my company to watch this. Hope they're on! |