Wednesday, June 15, 2016

An open letter to Check Point: App control and scada + offline updates

Dear Checkpoint

    Over the past 90 days I have been working on testing out checkpoint's scada protections in the 1200R firewall. After seeing what is possible with just modbus at CPX Chicago, I can hardly wait to see what else can be done!

There is just one problem. App control requires internet access.*

Checkpoint's solution for application control assumes the firewall (and / or the management server?) will have internet access. This presents a major problem for scada systems of which many do not have internet access. Ok maybe some of them do, but lets ignore those for now.

So list the issues that remain stalemated.

  1. 1200R doesn't seem to support offline updates without internet access. This is what i've been told but can't verify since I can't see to get the offline update package (yet). From what I understand it has something to do with verifying the contract over the internet.
  2. You have to sign a new EULA to get access to an offline update package. Once you have something happens (magic!) and then you gain access the package. The rumblings i'm hearing is its a completely manual process to install them to the firewall. I'm guessing its a tar file.
  3. Assuming issues 1 and 2 are resolved and worked into a process for updating, how will I know when a new package is out? The app wiki has no release dates on it. I also haven't found any place to get email alert about to signatures. Could be missing something here.
  4. bonus points, why isn't there a smartupdate package I can download?

I had no idea what an uphill battle this would become. I've been working with many people on this issue. I also don't want to diminish all the help I've received, but this is a major problem that remains unresolved.

So i guess after calling this an open letter I should wrap this up.

Check Point, come on, there has to be a way to resolve this. Lets find it and move on and start generating some really interesting reports!


  1. Hi John,

    I'd first like to thank you for your enthusiasm of our ICS/SCADA solution you saw at CPX. I too share your enthusiasm - it is really a very cool solution (completely unbiased opinion of course :-) ).

    My name is Noam Green, and I'm the Head of Security Platforms at Check Point and also the Product Manager for the ICS/SCADA solution (again - completely unbiased opinion).

    I'd like to relate to your concerns by dividing them to two:
    1. Yes - Check Point does have an offline update solution using a product called: Private Threat Cloud (or PTC). Details about PTC below.
    2. You don't have to have a continuous update (or even the latest one) to work with the solution. I expect what you are experiencing is related more to a licensing issue, rather than lack of latest update (but I may be wrong).

    Let's talk a bit about PTC - Private Threat Cloud.
    Check Point uses our Threat Cloud to centralize all updates, cyber intelligent feeds, Check Point research feeds, Sandboxing (threat emulation) detection, etc.
    Every security gateway connects to the Threat Cloud to get different updates (e.g: IPS) but also when an unknown file is passed through to validate if it is malicious or not.
    The Threat Cloud is also used for licensing and entitlement of the different software blades. The gateway would connect to the TC to validate the software blade licenses before enabling them to operate.

    The PTC enables all the above features, while sitting in the customer’s data center. The data center can be connected or disconnected from the Internet. The PTC receives its updates from a separate download agent which connects to the “real” Threat Cloud and retrieves the updates. You can then move the updates from the download agent to the PTC either manually (e.g: via USB stick) or via a network connection.

    So to summarize –
    1. Yes, you can have offline updates for the 1200R using a Private Threat Cloud.
    2. The gateway needs to activate the license before working (please contact me off line, and I’ll be happy to explain how this can be done offline as well).

    Please feel free to contact me for further clarifications. I value your input and feedback.

    Noam Green | Head of Security Platforms, Product Management | Check Point Software Technologies

  2. Sorry for not seeing this earlier, google deemed it spamy.

    So the idea behind PTC sounds interesting for the future for sure, but i'm guessing its not going to be free and on top of that i'll need some device to run it on. At soonest this is a next year option.

    I don't understand why this process has been made to difficult from a user perspective. I know enough to know there are many things far above my level of understanding, but my knee jerk reaction is I should be able to login to my usercenter account and download an offline package which could be distributed via my management server. I know there are concerns about using a service that hasn't been properly paid for, but i don't understand how that service could be used without a valid contract as those blades expire.

    I also understand this is a somewhat old idea and I get this is only a part of what PTC does, but still. Make hulk angry.

    Anyway, feel free to comment. I'll be contacting you out of band in the meantime.


Danger Will Robinson!