virtualization optimize security
TRANSCRIPT
-
7/31/2019 Virtualization Optimize Security
1/33
2010 Check Point Software Technologies Ltd. | [Confidential] For Check Point users and approved third parties
Best Practices: Network Consolidation and Virtualization
-
Agenda
1 What's new with VSX
2 VSX future directions
3 R70 VE overview
  Avatar mode (layer 2 security)
  Deployment scenarios and packet flows
  Customer benefits
-
What's in VSX NGX R67
- Kernel 2.6 support for SecurePlatform: SecurePlatform for VSX, based on the latest update of Linux kernel 2.6.18 (RHEL 5.2). Support for all open servers currently supported for R70 on the HCL.
- Support of new Check Point Endpoint Connect (EPC): supporting Check Point's Endpoint Connect solution.
- Load-sharing and High-Availability interface bonding: module-side support for bonding interfaces in either High Availability or Load-Sharing mode. Central management for bonding operations, including smooth migration from a physical interface to a bonded interface. SecureXL acceleration support on bonded interfaces.
- Enhanced URL Filtering content management: updated URL Filtering content management engine.
- New VSX-1 appliance: VSX-11000, IAS based on Intel 55xx (Nehalem) processor servers and IBM BC HS22 blades. Unprecedented performance, 24 Gbps throughput for a single unit.
-
Current and New VSX-1 11xxx series Appliances

Package                | Mid Enterprise        | Large Enterprise        | Large Enterprise (VSLS)
License bundle         | Virtual Firewall, IPS, Performance Pack, IPSEC; High Availability / Load Sharing (VSLS)
Base number of VSes    | 5 (upgradeable to 10) | 10 (upgradeable to 150) | 10 (upgradeable to 150)
VSes in add-on packs   | +5 VS                 | +20 VS                  | +20 VS VSLS
FW throughput          | 4.5 Gbps              | 13.5 Gbps               | 27 Gbps
VPN throughput         | 1.2 Gbps              | 3.5 Gbps                | 7 Gbps
Concurrent sessions    | 1.1 Million           | 1.1 Million             | 1.8 Million*

* Real-life numbers will vary, as testing happens in a best-case test lab environment
-
VSX-1 Series Feature Details

Model                  | VSX-1 3070            | VSX-1 9070              | VSX-1 9090   | VSX-1 11060 / 070 / 080 | VSX-1 11260 / 270 / 280
Configuration          | Single unit           | Single unit             | VSLS         | Single unit             | VSLS
Target market          | Mid Enterprise        | Large Enterprise / MSP (9070, 9090)    | High End (11xxx series)
License bundle         | Virtual Firewall, IPS, Performance Pack, IPSEC; VSLS models add High Availability / Load Sharing (VSLS)
Base number of VSes    | 5 (upgradeable to 10) | 10 (upgradeable to 150) (9070, 9090)   | 10 (upgradeable to 150) (11xxx series)
VSes in add-on packs   | +5 VS                 | +20 VS                  | +20 VS VSLS  | +20 VS                  | +20 VS VSLS
FW throughput          | 4.5 Gbps              | 13.5 Gbps               | 27 Gbps      | 15 / 20 / 25 Gbps       | 30 / 40 / 50 Gbps
VPN throughput         | 1.2 Gbps              | 3.5 Gbps                | 7 Gbps       | 3.7 / 4.0 / 4.5 Gbps    | 7.4 / 8.0 / 9.0 Gbps
Concurrent sessions    | 1.1 Million           | 1.1 Million             | 1.8 Million  | 1.1 Million             | 1.8 Million

Note: VSLS is a bundle of two appliances for VS Load Sharing
-
VSX-1 11xxx Series Pricing Details
APP-11060, $70,000
APP-11070, $88,000
APP-11080, $105,000
APP-11260 (VSLS), $126,000
APP-11270 (VSLS), $159,000
APP-11280 (VSLS), $190,000
-
Looking ahead
- Kernel-based AV support: support for anti-virus scanning per VS in the kernel, introducing a new content security feature based on streaming technology.
- CoreXL support: allowing traffic that cannot be accelerated to be processed on multicore machines, using technology equal to the current VPN-1 R70.
- Enhanced IPS inspection: support for the new IPS enhancements that will be introduced in the next release for VPN-1 (post R70.1).
- Improved memory support: 64-bit kernel allowing use of more than 2 GB of kernel memory; improved total concurrent connection limit.
- IPv6 support: support for dual-stack IPv4 and IPv6. Content TBD.
-
Making your Requirements Our Solutions
Virtualization: VSX running on VSX-1 Appliance; Provider-1 running on Smart-1 Appliance
Centralized management
Performance
Scalability: Virtual System Load Sharing; up to 250 CMAs/VSs
Dynamic Routing: Integrated (per VS/VR)
-
VSX into the Wild: Splitting a big firewall into specialized virtual firewalls

Customer profile: Retailer company
Needs: Simplify security policy management; simplify network management; improve scalability and performance
Before VSX: Very large rulebase; not scalable; performance bottleneck
With VSX: [Diagram: an external core switch and an internal core switch connected to a VSX gateway (Performance Pack, VSLS, Active/Standby bridge mode) with MGMT and SYNC interfaces; the single firewall is split into virtual systems for Emails, Hosting, VPN and Browsing, each on its own VLAN sub-interface pair, e.g. Browsing on eth5.100 / eth6.100 and Emails on eth4.101 / eth7.101]
-
R70 VE: New player, VMsafe integrated
-
The message: key points
- The IT industry moves into the virtualization zone
- More customers are consolidating and virtualizing their business environments
- With the business environment in the virtualization zone, they need the same level of security
- Security in the virtualization zone is not a privilege, it is a MUST
- Check Point provides security in the virtualized zone for any consolidated environment
-
Deployments before VE
[Diagram: VMs 2.1.1.1 to 2.1.1.5 on a vSwitch inside the ESX host, with the Security API present; a packet enters at layer 2 (Pkt L2 in) and leaves at layer 3 (L3 out) through the external gateway (Ext GW). The GW is not aware of the traffic that stays on the vSwitch.]
-
Integrating with VMsafe API
Layer 2 security INSIDE the virtual ZONE
-
Security Gateway VE R70 Overview
R70 VE: Securing your virtualized business
Provides a security solution that harnesses the power of network virtualization and provides comprehensive protection to secure your VMware virtual networks.
- Can work as a standard firewall providing comprehensive security for VMware virtual environments, including integrated firewall, IPS, URL Filtering, anti-virus, etc. (layer 3 security)
- Leverages VMware vNetwork Appliance APIs to provide security for virtual machines within ESX hosts over virtual switches (layer 2 security, AKA Avatar mode)
-
Security Gateway R70-VE Security
- Protects individual virtual machines (VMs) and traffic between VMs on the same vSwitch
- Maximum security granularity at the level of vSwitch, port group and VM (L2)
- Preserves stateful inspection during VMotion migration
- Misconfiguration protection and correction
- Supports Nexus 1000
-
Security Gateway R70-VE Management
- Automatic and seamless L2 integration (turnkey solution)
- Pre-defined gateway image: easy and fast installation
- Same Check Point management console; security policy across virtual and physical boundaries
- Audit virtualization events sent from the ESX server
- Supports VM VMotion between ESX servers
-
Avatar mode: vNetwork Appliance APIs Integration
During installation of Avatar, the GW will attach a Fast Path Agent component on all VM vNICs.
All packets sent from and to the vNIC will first be examined by the Fast Path Agent.
The Fast Path Agent can handle the packet as follows:
- Bypass: Pass the packet without inspection and send the packet to the vSwitch/VM
- Secure: Forward the packet to the Avatar Gateway for FW-1 inspection
- Block: Drop the packet
- Monitor-only: Log packets that would have been dropped and send the packet to the Avatar gateway for inspection
The Fast Path Agent communicates with the GW to receive policy and to send logs to SmartView Tracker.
-
Agent status

Filters:
#Filters: 8
#Machines: 5

Filter 0:
VM UUID: 526a90a2-9b59-2feb-e721-0e5b4109ef33
Interface: 0
Type: VM
Learned MAC: 00:50:56:97:3e:5a
Packets processed inbound: 0
Packets processed outbound: 0
Packets dropped inbound: 0
Packets dropped outbound: 0
Packets dropped mac anti-spoofing: 0
Packets dropped ip anti-spoofing: 0
Packets not forwarded: 32
Security behavior: VIRTK_SEC_ENFORCE

Filter 1:
VM UUID: 5033965c-8b8f-305e-1340-230a8e3028ba
Interface: 0
Type: VM
Learned MAC: 00:50:56:b3:72:23
Packets processed inbound: 0
Packets processed outbound: 0
Packets dropped inbound: 0
Packets dropped outbound: 0
Packets dropped mac anti-spoofing: 0
Packets dropped ip anti-spoofing: 0
Packets not forwarded: 22
Security behavior: VIRTK_SEC_ENFORCE
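The agent status listing is what an operator checks after deployment to confirm every VM vNIC has a filter in enforce mode and that nothing is being dropped for spoofing. As an added example (not Check Point code), the parser below turns the listing into structured records and flags the filters a defender would look at first: any anti-spoofing drops, or a security behavior other than VIRTK_SEC_ENFORCE. It assumes the one-field-per-line layout shown above; the sample text is constructed from the two filters on the slide, and the names parse_agent_status, FilterStatus and find_anomalies are illustrative.

```python
"""Parse the Fast Path Agent status listing and flag suspicious filters.

Added example, not Check Point code. Assumes 'Key: value' lines grouped under
'Filter N:' headers, preceded by a '#Filters' / '#Machines' summary.
"""
import re
from dataclasses import dataclass, field

# Constructed sample reproducing the two filters shown on the slide.
SAMPLE_STATUS = """\
Filters:
#Filters: 8
#Machines: 5

Filter 0:
VM UUID: 526a90a2-9b59-2feb-e721-0e5b4109ef33
Interface: 0
Type: VM
Learned MAC: 00:50:56:97:3e:5a
Packets processed inbound: 0
Packets processed outbound: 0
Packets dropped inbound: 0
Packets dropped outbound: 0
Packets dropped mac anti-spoofing: 0
Packets dropped ip anti-spoofing: 0
Packets not forwarded: 32
Security behavior: VIRTK_SEC_ENFORCE

Filter 1:
VM UUID: 5033965c-8b8f-305e-1340-230a8e3028ba
Interface: 0
Type: VM
Learned MAC: 00:50:56:b3:72:23
Packets processed inbound: 0
Packets processed outbound: 0
Packets dropped inbound: 0
Packets dropped outbound: 0
Packets dropped mac anti-spoofing: 0
Packets dropped ip anti-spoofing: 0
Packets not forwarded: 22
Security behavior: VIRTK_SEC_ENFORCE
"""


@dataclass
class FilterStatus:
    index: int
    fields: dict = field(default_factory=dict)   # raw 'Key' -> 'value' strings

    def counter(self, name):
        """Numeric view of a packet counter (missing counter counts as 0)."""
        return int(self.fields.get(name, "0"))


_FILTER_HDR = re.compile(r"^Filter (\d+):$")


def parse_agent_status(text):
    """Return (summary, filters): summary has 'filters'/'machines' counts,
    filters is a list of FilterStatus in the order they appear."""
    summary, filters, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "Filters:":
            continue
        m = _FILTER_HDR.match(line)
        if m:
            current = FilterStatus(int(m.group(1)))
            filters.append(current)
            continue
        # partition on the first colon only: 'Learned MAC: 00:50:56:...' keeps its value intact
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if current is None:
            summary[key.lstrip("#").lower()] = int(value)   # '#Filters' -> 'filters'
        else:
            current.fields[key] = value
    return summary, filters


def find_anomalies(filters):
    """Filters worth a closer look: anti-spoofing drops, or not in enforce mode."""
    findings = []
    for f in filters:
        spoof = (f.counter("Packets dropped mac anti-spoofing")
                 + f.counter("Packets dropped ip anti-spoofing"))
        if spoof:
            findings.append((f.index, f"{spoof} anti-spoofing drops on {f.fields.get('Learned MAC')}"))
        behavior = f.fields.get("Security behavior")
        if behavior != "VIRTK_SEC_ENFORCE":
            findings.append((f.index, f"security behavior is {behavior}"))
    return findings


if __name__ == "__main__":
    summary, filters = parse_agent_status(SAMPLE_STATUS)
    print(summary, [(f.index, f.counter("Packets not forwarded")) for f in filters])
    print(find_anomalies(filters))
```

In the sample both filters are clean, so find_anomalies returns an empty list; the counters that matter operationally are the anti-spoofing drops (a VM sending with another VM's MAC or IP) and a behavior other than enforce, which means that vNIC is bypassed or only monitored.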
-
Packet flow with Avatar L2 security
[Diagram: ESX Server with VMs 2.1.1.1 to 2.1.1.5 on a vSwitch, an Agent on each vNIC, and the R70 VE gateway attached through the Security API]
1. 2.1.1.1 sends a packet to 2.1.1.3.
2. The packet is intercepted in the Agent and forwarded to the Gateway for inspection.
3. The packet passed firewall inspection and is sent back to the Agent.
4. The packet continues the flow from where it was intercepted; it is not inspected again.
-
Combined modes - L2 in, L3 out: inside ESX and outside the ESX server
[Diagram: the same ESX Server with VMs 2.1.1.1 to 2.1.1.5, Agents on the VM vNICs and R70 VE on the Security API (L2 in); R70 VE is also connected through a trunk port to the external network (Ext) and routes traffic out at layer 3 (L3 out)]
-
Migration of Virtual Machine L2 Security (1)
[Diagram: two hosts, ESX 1 and ESX 2, each with a vSwitch, Agents on the VM vNICs, an R70 VE gateway on the Security API and an external connection (Ext); the two gateways are linked by Sync. VMs 2.1.1.1, 2.1.1.2 and 2.1.1.3 run on ESX 1]
A connection is initiated from 2.1.1.1 to 2.1.1.3.
-
Migration of Virtual Machine L2 Security (2)
[Diagram: the same two hosts; VM 2.1.1.3 is migrating from ESX 1 to ESX 2]
The connections table is not synced between the gateways, to maintain performance scalability.
Connections related to 2.1.1.3 will be marked as handled by ESX 1.
-
Migration of Virtual Machine L2 Security (3)
[Diagram: 2.1.1.3 now runs on ESX 2 behind its Agent; packets of the existing connection and of a new connection arrive at the ESX 2 gateway]
Existing connection: packet forwarded to ESX 1.
New connection: packet not forwarded.
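The three migration slides describe a design trade-off: the gateways do not sync their connections tables, so after a VMotion the destination host must forward packets of pre-existing connections back to the host that owns their state, while new connections are handled locally. The simulation below is an added example, not Check Point code; it models only what the slides state. One assumption is labelled: the slides do not say how the "handled by ESX 1" marks reach the destination, so migrate() hands the destination gateway only the marked connection keys, not connection state. The names VeGateway, Conn, migrate and dispatch are illustrative.

```python
"""Connection ownership across a VM migration (L2 security, two ESX hosts).

Added example, not Check Point code. Models the slides: each gateway keeps its
own connections table (never synced); on migration the connections related to
the moving VM are marked as handled by the source host; on the destination host
a packet of such an existing connection is forwarded to the source host, while
a new connection is handled locally and not forwarded. Assumption: the marks
are passed to the destination as a list of connection keys only.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Conn:
    src_ip: str
    dst_ip: str   # simplification: a connection is identified by its IP pair only


@dataclass
class VeGateway:
    host: str                                          # e.g. "ESX 1"
    connections: set = field(default_factory=set)      # local table, never synced
    remote_marks: dict = field(default_factory=dict)   # Conn -> host that still handles it

    def open_connection(self, conn: Conn) -> None:
        self.connections.add(conn)

    def related_to(self, vm_ip: str):
        """Connections in the local table that involve the given VM."""
        return [c for c in self.connections if vm_ip in (c.src_ip, c.dst_ip)]


def migrate(vm_ip: str, source: VeGateway, destination: VeGateway) -> int:
    """Mark every connection of vm_ip as handled by the source host; return how many."""
    marked = source.related_to(vm_ip)
    for conn in marked:
        destination.remote_marks[conn] = source.host   # assumption: only keys travel
    return len(marked)


def dispatch(gw: VeGateway, conn: Conn) -> str:
    """Decision the destination host's gateway takes for a packet of conn."""
    owner = gw.remote_marks.get(conn)
    if owner is not None:                  # existing connection: forward to its owner
        return f"forwarded to {owner}"
    if conn not in gw.connections:         # new connection: handled here, not forwarded
        gw.open_connection(conn)
    return "handled locally"


def migration_scenario():
    """Walkthrough with the slides' addresses: 2.1.1.1 -> 2.1.1.3, then 2.1.1.3 moves to ESX 2."""
    esx1, esx2 = VeGateway("ESX 1"), VeGateway("ESX 2")
    existing = Conn("2.1.1.1", "2.1.1.3")   # initiated before the migration
    esx1.open_connection(existing)
    migrate("2.1.1.3", esx1, esx2)
    return (dispatch(esx2, existing),                   # packet of the existing connection
            dispatch(esx2, Conn("2.1.1.2", "2.1.1.3")), # packet of a new connection
            len(esx1.connections), len(esx2.connections))


if __name__ == "__main__":
    print(migration_scenario())
```

Running it shows the two tables staying independent: ESX 1 keeps the old connection, ESX 2 records only the new one, and only the old connection's packets cross hosts.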
-
Installing Avatar
[Diagram: ESX Server with Service Console, a vSwitch, VMs 1 to 5 (2.1.1.1 ...), R70 VE on the Security API and a trunk port to Ext; Agents attached to each VM]
1. Avatar installed.
2. Avatar retrieves information on VMs / port groups / vSwitches.
3. Avatar attaches the Fast Path Agents on the vNICs of the VMs.
4. Event sent to Avatar informing of new VMs (VM 4, VM 5).
5. Avatar attaches the Fast Path Agents on the vNICs of the new VMs.
-
Configuring Security
The Fast Path Agents' behavior is controlled by selecting secure/bypass/block/monitor-only on the following objects:
- VM: Controls all Fast Path Agents attached to the vNICs of the VM. VM settings supersede port group and vSwitch configuration.
- Port group: Controls all Fast Path Agents attached to the vNICs which are in this port group. Port group settings supersede vSwitch configuration.
- vSwitch: Controls all Fast Path Agents attached to the vNICs that are connected to this vSwitch.
- Global settings: A new VM will inherit the global properties (default is enforce mode).
-
Alerts related to ESX
-
Fast Path Anti-spoofing
[Diagram: VMs 2.1.1.1 to 2.1.1.5 on a vSwitch with an Agent on each vNIC and R70 VE on the Security API]
VM 2.1.1.5 tries to spoof with VM 2.1.1.1's IP; the packet is dropped by the Fast Path Agent.
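The Avatar mode slide (bypass/secure/block/monitor-only), the Configuring Security slide (VM settings supersede port group, which supersedes vSwitch, with global as the default) and the anti-spoofing slide above all describe one decision path taken by the Fast Path Agent for each frame. The simulation below is an added example, not Check Point code, and puts those three rules together so the precedence and the counters can be checked. Assumptions, beyond what the slides state: a bypassed vNIC skips every check including anti-spoofing; for the other modes the agent compares the frame's source MAC and IP with the one it learned for that vNIC before consulting the gateway; the FW-1 verdict is supplied by a caller-provided callback; the default global mode is taken as secure (the slide's "enforce"). Names (VNic, AvatarConfig, FastPathAgent, resolve_mode, handle_outbound) are illustrative.

```python
"""Fast Path Agent decision logic: mode precedence, anti-spoofing, gateway verdict.

Added simulation, not Check Point code. Counters mirror the fields of the agent
status output ('Packets dropped mac anti-spoofing' etc.); assumptions are noted
inline.
"""
from dataclasses import dataclass, field
from typing import Callable

BYPASS, SECURE, BLOCK, MONITOR = "bypass", "secure", "block", "monitor-only"


@dataclass(frozen=True)
class VNic:
    vm: str
    port_group: str
    vswitch: str
    mac: str   # MAC learned for the VM behind this vNIC
    ip: str    # IP learned for it


@dataclass
class AvatarConfig:
    global_mode: str = SECURE                        # new VMs inherit this (assumed: enforce == secure)
    vswitch: dict = field(default_factory=dict)      # vSwitch name -> mode
    port_group: dict = field(default_factory=dict)   # port group name -> mode
    vm: dict = field(default_factory=dict)           # VM name -> mode

    def resolve_mode(self, nic: VNic) -> str:
        """VM setting supersedes port group, which supersedes vSwitch, then global."""
        for scope, key in ((self.vm, nic.vm), (self.port_group, nic.port_group),
                           (self.vswitch, nic.vswitch)):
            if key in scope:
                return scope[key]
        return self.global_mode


@dataclass(frozen=True)
class Packet:
    src_mac: str
    src_ip: str
    dst_ip: str


def _zero_counters():
    return {"processed outbound": 0, "dropped outbound": 0,
            "dropped mac anti-spoofing": 0, "dropped ip anti-spoofing": 0}


@dataclass
class FastPathAgent:
    nic: VNic
    config: AvatarConfig
    gateway: Callable[[Packet], bool]    # FW-1 verdict: True = accept, False = drop
    counters: dict = field(default_factory=_zero_counters)
    log: list = field(default_factory=list)

    def handle_outbound(self, pkt: Packet) -> str:
        """Return 'forward' or 'drop' for a frame the VM sends through this vNIC."""
        mode = self.config.resolve_mode(self.nic)
        if mode == BYPASS:                 # pass without inspection (assumed: no anti-spoofing either)
            return "forward"
        if pkt.src_mac != self.nic.mac:    # anti-spoofing: only the learned MAC/IP may be the source
            self.counters["dropped mac anti-spoofing"] += 1
            return "drop"
        if pkt.src_ip != self.nic.ip:
            self.counters["dropped ip anti-spoofing"] += 1
            return "drop"
        if mode == BLOCK:                  # drop everything from this vNIC
            self.counters["dropped outbound"] += 1
            return "drop"
        self.counters["processed outbound"] += 1
        if self.gateway(pkt):              # secure / monitor-only: ask the Avatar gateway
            return "forward"
        if mode == MONITOR:                # log what would have been dropped, let it through
            self.log.append(f"would drop {pkt.src_ip} -> {pkt.dst_ip}")
            return "forward"
        self.counters["dropped outbound"] += 1
        return "drop"


def spoofing_scenario():
    """The anti-spoofing slide: VM 2.1.1.5 sends with VM 2.1.1.1's IP (constructed MAC, accept-all rulebase)."""
    nic5 = VNic("VM 5", "pg-app", "vSwitch0", "00:50:56:00:00:05", "2.1.1.5")
    agent = FastPathAgent(nic5, AvatarConfig(), lambda pkt: True)
    spoofed = agent.handle_outbound(Packet(nic5.mac, "2.1.1.1", "2.1.1.3"))
    genuine = agent.handle_outbound(Packet(nic5.mac, "2.1.1.5", "2.1.1.3"))
    return spoofed, genuine, dict(agent.counters)


if __name__ == "__main__":
    print(spoofing_scenario())
```

The spoofed frame never reaches the gateway: it is dropped on the vNIC and shows up only in the agent's ip anti-spoofing counter, which is why that counter in the agent status output is the first thing to check when a VM reports connectivity problems.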
-
R70 VE Benefits
- Best Security: Firewall, IPS and UTM integrated in the VM-kernel
- Full Coverage: Protection against inter-VM and external threats
- Management: Interoperable with the VMware vSphere Management Console (vCenter management)
- Consistency: Unified security policy inside and out of the virtual zone
-
R70 VE technical information
- EA based on Security Gateway R70 (GA will be based on R70 HFA)
- Requires VMware vSphere 4.0 (when Avatar mode is enabled)
- Can be managed by R70 SmartCenter / R70 Provider-1
-
Future direction
- Support HA in Avatar mode
- Improve performance scalability
- Remove limitations for Avatar mode
- Integrate Avatar in management products
- Integration to main-train
-
Understanding The Difference

                            | VPN-1 VE                                                            | VPN-1 Power VSX
Number of Virtual Systems   | 1 per ESX server                                                    | Between 10 and 250 per server
Underlying Operating System | Splat running on hypervisor and/or integrated with service console  | Pre-hardened SecurePlatform
Primary use                 | Protecting virtual systems                                          | Virtualizing security gateways
Management                  | SmartCenter or Provider-1                                           | SmartCenter or Provider-1
-
Summary
VPN-1 VSX
- Allows for firewall consolidation
- Provides scalability and flexibility
- Integrates in existing network setup
- Answers green IT requirements
VPN-1 VE
- Provides virtual applications the same best-in-class security as applications on physical servers
- Delivers the only solution where customers can choose between appliances, software and virtual security
- Adds to the virtualization found in VPN-1 Power VSX
-
Thank You!