
Check Point / Nokia Customer and Partner Email Released

As a follow-up to my previous post about the Check Point purchase of Nokia’s security unit, here is the customer and partner email that was sent out by Amnon Bar-Lev, VP WW Field Operations and Technical Services, at Check Point:

It’s my pleasure to share with you that Check Point signed an agreement to acquire the Nokia security appliance business.

As many of you already know, Check Point and the Nokia security appliance business have collaborated over the past decade to deliver industry-leading enterprise security solutions. We believe that through this acquisition we will build upon our successful partnership to provide you with a deeper security appliance portfolio.

Nokia has been a leader in the security appliance market and a strategic partner to us for the last 12 years. We feel adding Nokia’s security appliance experience into Check Point’s broad range of security solutions is the natural progression of our long alliance and will assure a smooth path forward for our mutual customers.

With this acquisition, we are taking our partnership to the next level. We will continue to sell and support both Check Point and Nokia’s existing product lines and will work to enhance and create an even better line of security appliances – building upon the expertise and innovation of Check Point and Nokia.

Furthermore, our shared channel partners, another party in our long-standing collaboration, will be able to deliver our joint solutions quickly and with increased ease. As a result, you’ll interact with the same channel you have dealt with all along but in a much simpler way.

The agreement between Check Point and Nokia is expected to close in the first quarter of 2009 subject to regulatory approvals and customary closing conditions. Until the transaction is closed both companies will conduct business as usual, operating as two separate entities.

As the deal advances towards closure we will be sure to update you with more details of our integration plans.

A Frequently Asked Questions page has also been created here.

Here is the Nokia email from Greg Podshadley, Vice President and General Manager, Nokia Security Appliance Business Unit:

I am pleased to share with you a significant milestone for our business. Nokia announced today that it has signed an agreement for Check Point Software Technologies to acquire Nokia’s security appliance business unit.

As you know, the two businesses have collaborated for over a decade to deliver industry-leading enterprise security solutions. This agreement is the natural culmination of that long-standing collaboration. We also believe that this transaction will provide the best path forward for you – our valued customers and partners.

I want to assure you that a primary focus is to ensure a smooth transition for our customers and partners. We strongly believe the many synergies between the two companies will bring strengthened products and services to our customers and partners for years to come.

Thank you for your patience during our evolution. We look forward to our exciting path forward!

Nokia Sells Security Appliance Business to Check Point

You knew it was bound to happen at some point. When Nokia announced that they were getting out of the security business a lot of people, myself included, figured that another vendor would be buying them. Nortel doesn’t have the money or financial stability to pick up a division of this size, Juniper is too focused on their switching business right now and is still trying to justify the money they dropped on the NetScreen acquisition, Enterasys wasn’t in the running, and Cisco didn’t care.

That leaves Nokia’s number one competitor for appliance-based Check Point installations – Check Point. Check Point has the money, the support organization, and the know-how to easily integrate the Nokia brand name of appliances into their current price list.

From the Check Point press release:

Check Point Software Technologies Ltd. (Nasdaq: CHKP), the worldwide leader in securing the Internet, today announced that it has signed an agreement to acquire Nokia’s security appliance business. The two businesses have collaborated over the past decade to deliver industry-leading enterprise security solutions. Building on this collaboration, Check Point will provide an extended security appliance portfolio developed, manufactured and supported by Check Point.

“As a pioneer in security appliances, the Nokia security appliance business has been an important strategic partner for Check Point and has helped us achieve early leadership in the security appliance market,” said Gil Shwed, Chairman and CEO at Check Point. “Adding Nokia’s security appliance portfolio into Check Point’s broad range of security solutions is the natural conclusion of our long collaboration, and will assure a smooth path forward for our mutual customers.”

I think this is a good move for Check Point. I hope, however, that they didn’t purchase the company just to bury its product line in favor of their own SecurePlatform appliance line. I’m also glad that my book will continue to be valid 🙂

Printer Scanning the Firewall?


Something strange happened the other day. While reviewing my enterprise logs in our evaluation QRadar SIEM solution (nice plug right?) I noticed that an internal IP address was scanning the internal IP address of our firewall cluster. The source port remained the same but the destination port incremented by one with each scan. After digging deeper, I was able to determine the MAC address of the offending device and, to my surprise, it was an HP Color LaserJet 2600n printer installed on the desk of one of our VPs. I immediately told him what was going on and he proceeded to tell me that this particular printer had previously resided on the desk of our CEO and had been on the network for over a year.

This was about the time my thoughts went into “incident handling” mode…

Was there a rootkit on this printer?

What about a back door or trojan?

Did this printer obtain any sensitive information and send it out to a third party?

I’ve got to get this thing into the lab, pronto!

I confiscated the printer, set it up in the lab (which has its own external Internet link) attached to a hub, and plugged a laptop with a packet sniffer running on it. I figured that this would buy me some time to do some more research.

The printer model in question did not, after some research, have any servers running other than the default web interface. Some models did have a telnet server available but this model did not. That made me feel a tiny bit better but still not confident that things were OK.

I stumbled upon the following article which provided step-by-step disassembly of the HP Color LaserJet 2600n. This showed me that the printer did not have a hard drive and led me to believe that if this printer had been compromised it would have probably occurred either at the factory or by someone who was able to get into the guts of the printer. I decided to search for any other similarly reported issues using Google. No one had reported factory default installations of the printer doing anything out of the ordinary.

I then, somehow, stumbled upon an article entitled Using a JetDirect box as an Nmap Idlescan Zombie. From the article:

While I’m on the topic of Nmap and JetDirect boxes, they make great bouncers for stealth Idle scans (also known as Zombie scans) since their IPIDs are incremental. Basically what happens is the Nmap scan is bounced off of the JetDirect box and any logs on the target will show the IP of the JetDirect box as being the attacker.

The author, Adrian “Irongeek” Crenshaw, also provided an example of how to run the scan:

Here is an example of Nmap being run using a JetDirect box as a bouncer. I’ve used the -P0 option so that the host running Nmap does not ping the target first, lessening the stealth value by giving away the scanner’s true IP.
Irongeek:~# nmap -P0 -sI 192.168.1.93 Irongeek.irongeek.com

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-09-08 17:22 EDT
Idlescan using zombie 192.168.1.93 (192.168.1.93:80); Class: Incremental
Interesting ports on 192.168.1.5:
(The 1654 ports scanned but not shown below are in state: closed|filtered)
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
80/tcp open http
110/tcp open pop3
111/tcp open rpcbind
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
587/tcp open submission

Nmap finished: 1 IP address (1 host up) scanned in 35.262 seconds
Irongeek:~#

Now this sounded like a more reasonable explanation of the anomaly. I informed the “powers-that-be” and let the printer run in the lab for several days with the sniffer connected to it. I did not see any anomalous behavior. I then tried to run the above scan, using the printer as the bouncer, and the results were exactly as expected.

The printer was placed back on the network but I continue to keep a close eye on the IP/MAC in our logs because…you never know.
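
The log pattern that started this investigation (one internal source, a fixed source port, destination ports rising by one with each event) can be matched directly in exported firewall events. The sketch below is an added example, not code from the original post; the key=value log format, the addresses and the function name are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Assumed key=value firewall log format; adapt the regex to your SIEM export.
LINE_RE = re.compile(
    r"src=(?P<src>\S+) spt=(?P<spt>\d+) dst=(?P<dst>\S+) dpt=(?P<dpt>\d+)"
)

# Constructed sample events (not taken from the original post).
SAMPLE_LOG = """\
10:15:01 src=10.1.5.23 spt=3072 dst=10.1.1.1 dpt=20 action=drop
10:15:01 src=10.1.7.40 spt=51514 dst=10.1.1.1 dpt=443 action=accept
10:15:02 src=10.1.5.23 spt=3072 dst=10.1.1.1 dpt=21 action=drop
10:15:03 src=10.1.5.23 spt=3072 dst=10.1.1.1 dpt=22 action=drop
10:15:03 src=10.1.7.40 spt=51515 dst=10.1.1.1 dpt=443 action=accept
10:15:04 src=10.1.5.23 spt=3072 dst=10.1.1.1 dpt=23 action=drop
10:15:05 src=10.1.5.23 spt=3072 dst=10.1.1.1 dpt=24 action=drop
10:15:06 src=10.1.9.8 spt=123 dst=10.1.1.1 dpt=123 action=accept
10:15:07 src=10.1.9.8 spt=123 dst=10.1.1.1 dpt=123 action=accept
"""

def find_sequential_scans(lines, min_run=5):
    """Return (src, spt, dst, first_dpt, last_dpt) for every source/port/target
    triple whose destination port climbs by exactly one for min_run+ events."""
    ports = defaultdict(list)  # (src, spt, dst) -> destination ports in log order
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            ports[(m["src"], int(m["spt"]), m["dst"])].append(int(m["dpt"]))

    findings = []
    for (src, spt, dst), dpts in ports.items():
        start = 0
        for i in range(1, len(dpts) + 1):
            # A run ends at the end of the list or where the +1 step breaks.
            if i == len(dpts) or dpts[i] != dpts[i - 1] + 1:
                if i - start >= min_run:
                    findings.append((src, spt, dst, dpts[start], dpts[i - 1]))
                start = i
    return findings

if __name__ == "__main__":
    for src, spt, dst, lo, hi in find_sequential_scans(SAMPLE_LOG.splitlines()):
        print(f"{src}:{spt} -> {dst} swept ports {lo}-{hi}")
```

Keying on the source port as well as the addresses keeps ordinary clients, which pick a new ephemeral port per connection, out of the results.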
