Tuesday, January 25, 2011

Checkpoint Upgrade to R75

R75 supports upgrading from lower software versions and management of lower Security Gateway versions.
Supported Management and Gateway Upgrade Paths
You can upgrade these Security Management server and Security Gateway versions to R75:
NGX R65 for SecurePlatform 2.6
NGX R65 for IPSO 6.2 (with HFA70 only)
NGX R65 Connectra NGX R66 Plug-in
NGX R65 with Messaging Security
NGX R65 VSX NGX R65 Management Plug-in
NGX R65.3
NGX R65 UTM-1/Power-1
R70, R70.1, R70.20, R70.30, R70.40
R71, R71.10, R71.20, R71.30
Upgrading from NGX R65.4 to R75 or higher is not supported.
To upgrade Check Point Suite Products lower than NGX R65 to R75, you must
first upgrade to NGX R65 and then to R75.
Upgrading from NGX R65
When you upgrade from NGX R65, only these plug-ins may be present: Connectra,
SmartProvisioning, VSX, and Messaging Security. The presence of any other plug-in
will cause the upgrade process to fail.
If you upgrade from NGX R65 with plug-ins to R75, and later want to uninstall R75
(rollback to NGX R65), follow the instructions in sk37252

Tuesday, January 4, 2011

SiteProtector transaction log cleaning up

At times, your database transaction log for the SiteProtector database may reach its allocated disk space. To clear your transaction log you can use the following command through the CLI on your database server.
osql -E -d RealSecureDB -Q "backup log RealSecureDB with truncate_only"
If your SQL Server is running in a named instance, you will need to run this command instead:
osql -S <server name or IP>/<instance name> -U <username> -P <password> -d RealSecureDB -Q "backup log RealSecureDB with truncate_only"

For further information on truncating SQL Server transaction logs, please review Microsoft's official MSDN article at http://msdn.microsoft.com/en-us/library/aa173551(SQL.80).aspx#
Shrink a datafile to 64 Mb:
DBCC SHRINKFILE (MyDataFile01, 64);


Shrink the size of the current database data / log file or empty a file by moving the data.
      DBCC SHRINKFILE ( file , target_size
   file          -  Logical file name or file_id
   EMPTYFILE      - Migrate data to other files in the same filegroup.
                    The file can be removed with ALTER DATABASE.
   target_size   - The size for the file in megabytes.
                   default = that specified when the file was created, or 
                   the last size used with  ALTER DATABASE.(int)
   NOTRUNCATE    - Free space at the end of the data file is not returned to the OS
                    (pages are still moved)
   TRUNCATEONLY  - Release free space at the end of the data file to the OS
                   (do not move pages)
      NO_INFOMSGS   - Suppress all information messages (severity 0-10)
You can shrink a transaction log file while the system is in use (DML commands are also being executed), however this will only affect the inactive portion of the transaction log file.
Discover the file_ID for each file with the SQL:
SELECT file_id, name FROM sys.database_files;
After using TRUNCATE_ONLY you must perform a full backup

Shrink a datafile to 64 Mb:
DBCC SHRINKFILE (MyDataFile01, 64);
Shrink a Log file to 64 Mb:
USE MyDatabase;
DBCC SHRINKFILE(MyDatabase_Log, 64)


DBCC SHRINKFILE(MyDatabase_Log, 64)
Afterwords, perform a full backup of the database.
To make the file as small as possible you can specify
1 for 1 Mb, or just leave out the target_size completely, be aware that doing this will slow down the system a little as the system will just have to grow the log file again as soon as another transaction is started.
Set database recovery model to SIMPLE or FULL
"Men shrink less from offending one who inspires love than one who inspires fear" - Niccolo Machiavelli
Equivalent Oracle command: ALTER DATABASE Datafile '/oradata/ss64.dbf' resize 64M;

Intrusion Prevention best practices

Ten Best Practices for Enterprise Intrusion Prevention
by Lou Ryan
IT and network security managers face many challenges in securing their organization's critical servers from attack. Lack of dedicated security resources and the increased sophistication of attack methods are among their top headaches. Although intrusion detection systems (IDS) have been a popular solution for enterprises in the past, it is not enough to block the evolving attacks in cyber-space today. One of the main issues with IDS is that they do nothing to proactively stop intrusions before attacks occur. Also, many IDS are signature-based, so they don't detect new attacks or variations on old attacks, nor do they detect attacks in encrypted traffic such as HTTP over SSL (Secure Sockets Layer).
What's the alternative? Intrusion prevention is the next logical step in enterprise security. Intrusion prevention systems take IDS to the next level by going beyond just detecting, to actually stopping attacks before they cause damage. The difference between the two technologies is one enterprise executives are all too familiar with: Intrusion prevention blocked Code Red, Nimda, and SQL Slammer, while IDS users spent millions cleaning up after each of these.
What Is An Intrusion Prevention Solution?
There are many products and tools on the market today that use the "prevention" moniker. The right intrusion prevention solution includes enabling you to circumvent the need for analysis to be done before action can be taken to protect the system. In addition, it prevents attacks from doing damage to your operating system, applications and data. By using a system to proactively prevent attacks, there is no gap between the attack being detected, identifying it as an attack, and finally doing something to prevent it. In addition, intrusion prevention helps enterprises get better control of the costly and time-consuming process of installing software patches to plug vulnerabilities in operating systems and applications and to fend off attacks like worms and buffer overflows.
How do you choose the right type of solution for your organization? This checklist should serve as the building blocks to choosing the right enterprise intrusion prevention solution for your organization.
Table 1. Intrusion Prevention Checklist
Proactive, real-time prevention of attacks
The right solution should provide real-time prevention and analysis of attacks. It should identify the attack and prevent access to critical server resources before any unauthorized activity occurs.
Patch latency relief
Patch management is a complex process. Between the time a patch is developed and deployed, a smart hacker could compromise servers and critical data. A good intrusion prevention solution gives system administrators the protection needed during patch latency and ample time to test and deploy patches.
Protection for each critical server
Servers, where the most sensitive enterprise data resides, are on the hit list for most hackers. It is vital to have an intrusion prevention solution that is tailored for server protection. Too many solutions on the market today try to be the "ultimate" protection, by using the same mousetrap for servers and desktops. The result is thin technology that does not adequately protect sensitive systems and data.
Signatures and behavioral rules
The most effective method for identifying intrusions is a hybrid approach that combines the strengths of attack-specific signatures and behavioral rules. This hybrid approach avoids the fundamental trade-off by providing coverage to both known and unknown attacks and at the same time keep the false-positive rate to a minimum. One technology can't take the place of the other: Behavioral rules allow the servers to be protected from new and previously unknown attacks. However, the coverage of behavioral systems is limited, many attacks aren't covered, and behavioral systems generate more false positives. For full forensics capability, the signature is critical in identifying attacks, so security managers can know what sort of attack is being directed at their systems.
Strong security is founded on the concept of defense in depth: having several layers of protection. Redundant mechanisms should co-exist so that even if one hurdle is bypassed, there are always other barriers to cross.
Heterogeneous environment protection
Organizations using mixed computing environments need to be sure that the intrusion prevention they choose will be consistent across all their critical servers. It should also enable consistent, reliable cross-platform protection.
The ideal intrusion prevention solution will allow security configurations and policies too be easily be leveraged across applications, user groups and agents to decrease the cost of installing and maintaining large security deployments.
An enterprise-class intrusion prevention solution must scale to meet the needs of the extended enterprise while maintaining the highest levels of security. Scalability comes in the form of supporting large numbers of protected servers, supporting large amounts of event traffic, and supporting distributed security management to meet the needs of large, distributed organizations.
Low total cost of ownership
Ideally, the system you invest in should decrease costs associated with monitoring and managing total server security. Make sure that the system you are evaluating can show metrics around reducing man-hours spent on clean-up, patching, monitoring, etc.
Proven prevention technology
Beware of solutions that use the word, prevention,but are really detection-based products or desktop solutions in new packaging. It is important to investigate that the solution has been thoroughly tested, deployed, and continuously maintained, in an environment similar to your own. Read case studies, ask questions, and compare.
Strong corporate security policy
All businesses need a detailed and enforced corporate security policy.
You'll notice that there are actually eleven best practices on this list. Intrusion prevention is not a one-time implementation of point products, but a continuous evolving process. All businesses need a detailed and enforced corporate security policy. A security policy defines which "users" have access rights to which enterprise resources. Make sure the policy takes into consideration users within the enterprise as well as outside users including partners, customers, and remote employees accessing corporate resources.

About the Author
Lou Ryan is President and CEO of Entercept Security Technologies.