virtualization optimize security

Upload: luis-balbuena

Post on 05-Apr-2018


  • 7/31/2019 Virtualization Optimize Security

    2010 Check Point Software Technologies Ltd. | [Confidential] For Check Point users and approved third parties

    Best Practices: Network Consolidation and Virtualization

    Agenda

    1 What's new with VSX
    2 VSX future directions
    3 R70 VE overview
      Avatar mode (layer 2 security)
      Deployment scenarios and packet flows
      Customer benefits

    What's in VSX NGX R67

    Kernel 2.6 support for SecurePlatform: SecurePlatform for VSX, based on the latest update of Linux kernel 2.6.18 (RHEL 5.2). Support for all open servers currently supported for R70 on the HCL.

    Support of new Check Point Endpoint Connect (EPC): supports Check Point's Endpoint Connect solution.

    Load-sharing and High-Availability interface bonding: module-side support for bonding interfaces in either High Availability or Load-Sharing mode. Central management for bonding operations, including smooth migration from a physical interface to a bonded interface. SecureXL acceleration support on bonded interfaces.

    Enhanced URL Filtering content management: updated URL Filtering content management engine.

    New VSX-1 appliance - VSX-11000, IAS based on Intel 55xx (Nehalem) processor servers and IBM BC HS22 blades. Unprecedented performance, 24 Gbps throughput for a single unit.

    Current and New VSX-1 11xxx series Appliances

    Package                        | Mid Enterprise         | Large Enterprise        | Large Enterprise
    License Bundle                 | Virtual Firewall, IPS, Performance Pack, IPSEC; High Availability/Load Sharing (VSLS)
    Base number of VSes            | 5 (Upgradeable to 10)  | 10 (Upgradeable to 150) | 10 (Upgradeable to 150)
    Number of VSes in Add-On Packs | +5 VS                  | +20 VS                  | +20 VS VSLS
    FW Throughput                  | 4.5 Gbps               | 13.5 Gbps               | 27 Gbps
    VPN Throughput                 | 1.2 Gbps               | 3.5 Gbps                | 7 Gbps
    Concurrent Sessions            | 1.1 Million            | 1.1 Million             | 1.8 Million*

    * Real life numbers will vary, as testing happens in a best case test lab environment

    VSX-1 Series Feature Details

    Package                        | VSX-1 3070 (Single unit) | VSX-1 9070 (Single unit) | VSX-1 9090 (VSLS)       | VSX-1 11060 / 070 / 080 (Single unit) | VSX-1 11260 / 270 / 280 (VSLS)
    Target Market                  | Mid Enterprise           | Large Enterprise / MSP   | Large Enterprise / MSP  | High End                              | High End
    License Bundle                 | Virtual Firewall, IPS, Performance Pack, IPSEC; High Availability / Load Sharing (VSLS)
    Base number of VSes            | 5 (Upgradeable to 10)    | 10 (Upgradeable to 150)  | 10 (Upgradeable to 150) | 10 (Upgradeable to 150)               | 10 (Upgradeable to 150)
    Number of VSes in Add-On Packs | +5 VS                    | +20 VS                   | +20 VS VSLS             | +20 VS                                | +20 VS VSLS
    FW Throughput                  | 4.5 Gbps                 | 13.5 Gbps                | 27 Gbps                 | 15 / 20 / 25 Gbps                     | 30 / 40 / 50 Gbps
    VPN Throughput                 | 1.2 Gbps                 | 3.5 Gbps                 | 7 Gbps                  | 3.7 / 4.0 / 4.5 Gbps                  | 7.4 / 8.0 / 9.0 Gbps
    Concurrent Sessions            | 1.1 Million              | 1.1 Million              | 1.8 Million             | 1.1 Million                           | 1.8 Million

    Note: VSLS is a bundle of two appliances for VS Load Sharing

    VSX-1 11xxx Series Pricing Details

    APP-11060, $ 70,000
    APP-11070, $ 88,000
    APP-11080, $ 105,000

    APP-11260 (VSLS), $ 126,000
    APP-11270 (VSLS), $ 159,000
    APP-11280 (VSLS), $ 190,000

    Looking ahead

    Kernel based AV support: support for anti-virus scanning per VS in the kernel, introducing a new content security feature based on streaming technology.

    CoreXL support: allows traffic that cannot be accelerated to be processed on multicore machines, using the same technology as the current VPN-1 R70.

    Enhanced IPS inspection: support for the new IPS enhancements that will be introduced in the next release for VPN-1 (post R70.1).

    Improved memory support: 64 bit kernel allowing more than 2Gb of kernel memory to be used. Improved total concurrent connection limit.

    IPv6 support: dual stack IPv4 and IPv6 support. Content TBD.

    Making your Requirements Our solutions

    Virtualization: VSX running on VSX-1 Appliance
    Centralized management: Provider-1 running on Smart-1 Appliance
    Performance: Virtual System Load Sharing
    Scalability: Up to 250 CMAs/VSs
    Dynamic Routing: Integrated (per VS/VR)

    VSX into the Wild: Splitting a big firewall into specialized virtual firewalls

    Customer Profile: Retailer Company

    Needs: Simplify Security Policy Management; Simplify Network Management; Improve Scalability & Performance

    Before VSX: Very large rulebase; Not scalable; Performance bottleneck

    With VSX (diagram): one VSX gateway sits between the EXTERNAL core switch and the INTERNAL core switch, split into specialized virtual systems (Emails, Hosting, VPN, Browsing), with dedicated MGMT and SYNC interfaces, VLAN sub-interfaces per VS (e.g. vlan 102), Performance Pack, VSLS and Active/Standby Bridge Mode.

    VS       | INTERNAL interface | EXTERNAL interface
    Browsing | eth5.100           | eth6.100
    Emails   | eth4.101           | eth7.101
    Etc.

    R70 VE: New player, VMsafe integrated

    The message key points

    The IT industry moves into the virtualization zone: more customers are consolidating and virtualizing their business environments.

    Business environments in the virtualization zone need the same level of security.

    Security in the virtualization zone is not a privilege, it is a MUST.

    Check Point provides security in the virtualized zone for any consolidated environment.

    Deployments before VE

    Diagram: VMs 2.1.1.1 to 2.1.1.5 share a vSwitch; the security gateway (Ext GW) sits outside the host. Packets enter at L2 and leave at L3, and the GW is not aware of traffic that stays on the vSwitch.

    Integrating with VMsafe API

    Layer 2 security INSIDE the virtual ZONE

    Security Gateway VE R70 Overview

    R70 VE: Securing your virtualized business

    Provides a security solution that harnesses the power of network virtualization and provides comprehensive protection to secure your VMware virtual networks.

    Can work as a standard firewall providing comprehensive security for VMware virtual environments, including integrated firewall, IPS, URL Filtering, anti-virus, etc. (layer 3 security).

    Leverages VMware vNetwork Appliance APIs to provide security for virtual machines within ESX hosts over virtual switches (layer 2 security, AKA Avatar mode).

    Security Gateway R70-VE Security

    Protects individual virtual machines (VMs) and traffic between VMs on the same vSwitch
    Maximum security granularity at the level of vSwitch, port group and VM (L2)
    Preserves Stateful Inspection during VMotion migration
    Misconfiguration protection and correction
    Support for Nexus 1000

    Security Gateway R70-VE Management

    Automatic & seamless L2 integration (turn key solution)
    Pre-defined gateway image: easy and fast installation
    Same Check Point management console: security policy across virtual and physical boundaries
    Audit virtualization events sent from the ESX server
    Support for VM VMotion between ESX servers

    Avatar mode: vNetwork Appliance APIs Integration

    During installation of Avatar, the GW attaches a Fast Path Agent component on all VM vNICs.

    All packets sent from and to the vNIC are first examined by the Fast Path Agent.

    The Fast Path Agent can handle the packet as follows:
      Bypass: pass the packet without inspection and send it to the vSwitch/VM
      Secure: forward the packet to the Avatar Gateway for FW-1 inspection
      Block: drop the packet
      Monitor-only: log packets that would have been dropped and send the packet to the Avatar gateway for inspection

    The Fast Path Agent communicates with the GW to receive policy and to send logs to SmartView Tracker.

    Agent status

    Filters:
    #Filters: 8
    #Machines: 5

    Filter 0:
    VM UUID: 526a90a2-9b59-2feb-e721-0e5b4109ef33
    Interface: 0
    Type: VM
    Learned MAC: 00:50:56:97:3e:5a
    Packets processed inbound: 0
    Packets processed outbound: 0
    Packets dropped inbound: 0
    Packets dropped outbound: 0
    Packets dropped mac anti-spoofing: 0
    Packets dropped ip anti-spoofing: 0
    Packets not forwarded: 32
    Security behavior: VIRTK_SEC_ENFORCE

    Filter 1:
    VM UUID: 5033965c-8b8f-305e-1340-230a8e3028ba
    Interface: 0
    Type: VM
    Learned MAC: 00:50:56:b3:72:23
    Packets processed inbound: 0
    Packets processed outbound: 0
    Packets dropped inbound: 0
    Packets dropped outbound: 0
    Packets dropped mac anti-spoofing: 0
    Packets dropped ip anti-spoofing: 0
    Packets not forwarded: 22
    Security behavior: VIRTK_SEC_ENFORCE
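The status dump above is the kind of output an operator would want to check automatically: which filters show anti-spoofing drops, which are not in enforce mode, and whether the dump is complete. The following parser is an added example written for this page, not Check Point code; the field names and the two filter records are copied from the slide, while the review rules and the assumption that every field sits on its own line are this example's own.

```python
"""Parse a Fast Path Agent status dump (format from the "Agent status" slide).

Added example, not Check Point code. Field names and the two visible filter
records come from the slide; the review rules below are our own.
"""
import re

# Constructed sample: the slide's two visible filters, one field per line.
SAMPLE_STATUS = """\
Filters:
#Filters: 8
#Machines: 5
Filter 0:
VM UUID: 526a90a2-9b59-2feb-e721-0e5b4109ef33
Interface: 0
Type: VM
Learned MAC: 00:50:56:97:3e:5a
Packets processed inbound: 0
Packets processed outbound: 0
Packets dropped inbound: 0
Packets dropped outbound: 0
Packets dropped mac anti-spoofing: 0
Packets dropped ip anti-spoofing: 0
Packets not forwarded: 32
Security behavior: VIRTK_SEC_ENFORCE
Filter 1:
VM UUID: 5033965c-8b8f-305e-1340-230a8e3028ba
Interface: 0
Type: VM
Learned MAC: 00:50:56:b3:72:23
Packets processed inbound: 0
Packets processed outbound: 0
Packets dropped inbound: 0
Packets dropped outbound: 0
Packets dropped mac anti-spoofing: 0
Packets dropped ip anti-spoofing: 0
Packets not forwarded: 22
Security behavior: VIRTK_SEC_ENFORCE
"""

FILTER_HEADER = re.compile(r"^Filter (\d+):$")


def parse_agent_status(text):
    """Return (header, filters).

    header maps '#Filters' and '#Machines' to ints; filters is a list of
    dicts keyed by the dump's own field names, with counters as ints.
    """
    header, filters, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "Filters:":
            continue
        m = FILTER_HEADER.match(line)
        if m:
            current = {"Filter": int(m.group(1))}
            filters.append(current)
            continue
        # Split on the first ': ' only, so MAC addresses keep their colons.
        key, sep, value = line.partition(": ")
        if not sep:
            raise ValueError(f"unrecognised status line: {raw!r}")
        if current is None:                 # '#Filters: 8', '#Machines: 5'
            header[key] = int(value)
        else:
            current[key] = int(value) if value.isdigit() else value
    return header, filters


def review_filters(header, filters):
    """Defender-side checks on the parsed records; returns a list of findings."""
    findings = []
    if header.get("#Filters") != len(filters):
        findings.append(f"dump shows {len(filters)} of {header.get('#Filters')} filters")
    for f in filters:
        spoof = (f["Packets dropped mac anti-spoofing"]
                 + f["Packets dropped ip anti-spoofing"])
        if spoof:
            findings.append(f"filter {f['Filter']} ({f['Learned MAC']}): "
                            f"{spoof} anti-spoofing drops")
        if f["Security behavior"] != "VIRTK_SEC_ENFORCE":
            findings.append(f"filter {f['Filter']}: behavior "
                            f"{f['Security behavior']} is not enforce")
    return findings


if __name__ == "__main__":
    hdr, flt = parse_agent_status(SAMPLE_STATUS)
    print(hdr, len(flt), "filters parsed")
    for finding in review_filters(hdr, flt):
        print("finding:", finding)
```

On the slide's own data the only finding is that the dump shows 2 of the 8 declared filters; a non-zero anti-spoofing counter or a behavior other than VIRTK_SEC_ENFORCE on any filter would each add a line.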

    Packet flow with Avatar L2 security

    Diagram: VMs 2.1.1.1 to 2.1.1.5 on a vSwitch inside the ESX Server, each vNIC with an Agent; the R70 VE gateway is reached through the Security API.

    1. 2.1.1.1 sends a packet to 2.1.1.3.
    2. The packet is intercepted in the Agent and forwarded to the Gateway for inspection.
    3. The packet passes firewall inspection and is sent back to the Agent.
    4. The packet continues the flow from where it was intercepted; it is not inspected again.

    Combined modes - L2 in, L3 out: inside ESX and outside the ESX server

    Diagram: VMs 2.1.1.1 to 2.1.1.5 on a vSwitch with Agents (L2 in, via the Security API); the same R70 VE gateway also routes at L3 out through a trunk port to the external network (Ext), all on one ESX Server.

    Migration of Virtual Machine L2 Security (1 of 3)

    Diagram: ESX 1 hosts VMs 2.1.1.1, 2.1.1.2 and 2.1.1.3 behind a vSwitch with Agents and an R70 VE gateway; ESX 2 has its own vSwitch and R70 VE gateway; the two gateways share a Sync link and both connect to Ext.

    A connection is initiated from 2.1.1.1 to 2.1.1.3.

    Migration of Virtual Machine L2 Security (2 of 3)

    Diagram: same topology; VM 2.1.1.3 is migrating to ESX 2.

    The connections table is not synced between the GWs, to maintain performance scalability. Instead, connections related with 2.1.1.3 are marked as handled by ESX 1.

    Migration of Virtual Machine L2 Security (3 of 3)

    Diagram: 2.1.1.3 now runs on ESX 2. Existing connection: packets are forwarded to ESX 1. New connection: packets are not forwarded and are handled on ESX 2.
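The three migration slides describe a small state machine: connection state stays on the gateway that created it, the migrated VM's existing connections are marked as owned by that gateway and their packets are forwarded back to it, and only new connections are handled on the new host. The following simulation is an added example, not Check Point code. It models the agent on the destination VM's host making the decision, uses the slides' addresses and host names, and assumes that at migration time the relevant entries (and only those) are marked on the new host's gateway, since the slides do not say how ESX 2 learns which connections belong to ESX 1.

```python
"""Connection ownership across a VMotion migration, following the
"Migration of Virtual Machine L2 Security" slides.

Added example, not Check Point code. Tables are not synced between the
gateways; the migrated VM's existing connections are marked as handled by
the original host. How the new host learns those entries is this example's
assumption (copied at migration time).
"""


def conn_key(src, dst):
    """Direction-independent connection key, so replies match the same entry."""
    return tuple(sorted((src, dst)))


class Gateway:
    def __init__(self, host):
        self.host = host
        self.table = {}   # conn_key -> host whose gateway owns the connection state

    def handle(self, src, dst):
        """Decide what the agent/gateway on this host does with one packet.

        Returns (decision, host): ('new', self.host) for a connection first
        seen here, ('local', self.host) for an existing connection owned here,
        ('forward', owner) for an existing connection owned by another host.
        """
        key = conn_key(src, dst)
        owner = self.table.get(key)
        if owner is None:
            self.table[key] = self.host        # new connection: inspected here, not forwarded
            return ("new", self.host)
        if owner != self.host:
            return ("forward", owner)          # existing connection: send to the owning gateway
        return ("local", self.host)


class Cluster:
    def __init__(self, hosts):
        self.gateways = {h: Gateway(h) for h in hosts}
        self.vm_host = {}                      # vm ip -> host it currently runs on

    def place_vm(self, ip, host):
        self.vm_host[ip] = host

    def packet(self, src, dst):
        """A packet to VM `dst` is intercepted by the agent on dst's current host."""
        return self.gateways[self.vm_host[dst]].handle(src, dst)

    def migrate(self, ip, new_host):
        old_host = self.vm_host[ip]
        self.vm_host[ip] = new_host
        # Mark the VM's existing connections on the new host as handled by the
        # old host. Nothing else is synced.
        old_table = self.gateways[old_host].table
        new_table = self.gateways[new_host].table
        for key, owner in old_table.items():
            if ip in key:
                new_table[key] = owner


def demo():
    """Replay the slides' scenario; returns the three decisions in order."""
    c = Cluster(["ESX 1", "ESX 2"])
    for ip in ("2.1.1.1", "2.1.1.2", "2.1.1.3"):
        c.place_vm(ip, "ESX 1")
    steps = [c.packet("2.1.1.1", "2.1.1.3")]       # connection created on ESX 1
    c.migrate("2.1.1.3", "ESX 2")                  # VM moves; state stays on ESX 1
    steps.append(c.packet("2.1.1.1", "2.1.1.3"))   # existing: forwarded to ESX 1
    steps.append(c.packet("2.1.1.2", "2.1.1.3"))   # new: handled on ESX 2
    return steps


if __name__ == "__main__":
    for decision, host in demo():
        print(decision, host)
```

Running it prints `new ESX 1`, `forward ESX 1`, `new ESX 2`, which is the sequence the three slides draw. Because the key is direction-independent, the reply from 2.1.1.3 to 2.1.1.1 arriving on ESX 1 is recognised as the same, locally owned connection.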

    Installing Avatar

    Diagram: ESX Server with Service Console, vSwitch, trunk port to Ext and VMs 1 to 5; the R70 VE gateway is connected through the Security API.

    1. Avatar installed.
    2. Avatar retrieves information on VMs / port groups / vSwitches.
    3. Avatar attaches the Fast Path Agents on the vNICs of the VMs.
    4. Event sent to Avatar informing of new VMs (VM 4, VM 5).
    5. Avatar attaches the Fast Path Agents on the vNICs of the new VMs.

    Configuring Security

    The Fast Path Agents' behavior is controlled by selecting secure/bypass/block/monitor-only on the following objects:

    VM: controls all Fast Path Agents attached to the vNICs of the VM. VM settings supersede port group and vSwitch configuration.
    Port group: controls all Fast Path Agents attached to the vNICs which are in this port group. Port group settings supersede vSwitch configuration.
    vSwitch: controls all Fast Path Agents attached to the vNICs that are connected to this vSwitch.
    Global settings: a new VM inherits the global properties (default is enforce mode).
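The precedence rule above (VM over port group over vSwitch, then the global default) combined with the four agent actions from the Avatar mode slide is easy to get wrong when a bypass set on a whole vSwitch silently covers a VM nobody configured. The following resolver and agent simulation is an added example, not Check Point code. Object names, the toy gateway rule set, and the reading of monitor-only as "send to the gateway for a verdict, log a would-be drop, but pass the packet" are this example's assumptions.

```python
"""Effective Fast Path Agent mode and per-packet handling.

Added example, not Check Point code. Precedence follows the "Configuring
Security" slide (VM > port group > vSwitch > global default); the four
actions follow the "Avatar mode" slide. Names, the toy rule set and the
monitor-only interpretation are assumptions of this example.
"""
from enum import Enum


class Mode(Enum):
    SECURE = "secure"            # the slide's "enforce" default
    BYPASS = "bypass"
    BLOCK = "block"
    MONITOR_ONLY = "monitor-only"


class AvatarConfig:
    def __init__(self, global_default=Mode.SECURE):
        self.global_default = global_default
        self.by_vm, self.by_portgroup, self.by_vswitch = {}, {}, {}
        self.vm_portgroup = {}         # topology: vm -> port group
        self.portgroup_vswitch = {}    # topology: port group -> vSwitch

    def attach(self, vm, portgroup, vswitch):
        self.vm_portgroup[vm] = portgroup
        self.portgroup_vswitch[portgroup] = vswitch

    def effective_mode(self, vm):
        """Return (Mode, level) for the agents on this VM's vNICs."""
        pg = self.vm_portgroup[vm]
        vs = self.portgroup_vswitch[pg]
        for level, table, key in (("VM", self.by_vm, vm),
                                  ("port group", self.by_portgroup, pg),
                                  ("vSwitch", self.by_vswitch, vs)):
            if key in table:
                return table[key], level
        return self.global_default, "global"


def gateway_verdict(packet):
    """Toy stand-in for FW-1 inspection: a constructed rule set, not a real policy."""
    allowed_ports = {80, 443}
    return packet["proto"] == "tcp" and packet["dport"] in allowed_ports


class FastPathAgent:
    def __init__(self, config, vm):
        self.config, self.vm, self.log = config, vm, []

    def handle(self, packet):
        """Return 'pass' or 'drop' for one packet on this VM's vNIC."""
        mode, _ = self.config.effective_mode(self.vm)
        if mode is Mode.BYPASS:
            return "pass"                        # no inspection at all
        if mode is Mode.BLOCK:
            return "drop"                        # dropped in the agent itself
        accepted = gateway_verdict(packet)       # Secure and Monitor-only both ask the GW
        if mode is Mode.SECURE:
            return "pass" if accepted else "drop"
        if not accepted:                         # Monitor-only: log, but do not drop
            self.log.append(f"{self.vm}: would drop {packet['proto']}/{packet['dport']}")
        return "pass"


def demo():
    """Four VMs, one setting per level; returns (level, decisions...) per VM."""
    cfg = AvatarConfig()
    cfg.attach("web-01", "pg-dmz", "vSwitch0")
    cfg.attach("db-01", "pg-data", "vSwitch0")
    cfg.attach("legacy-01", "pg-legacy", "vSwitch0")
    cfg.attach("app-01", "pg-app", "vSwitch1")
    cfg.by_vswitch["vSwitch0"] = Mode.BYPASS          # weakest level: covers legacy-01
    cfg.by_portgroup["pg-dmz"] = Mode.MONITOR_ONLY    # overrides the vSwitch for web-01
    cfg.by_vm["db-01"] = Mode.BLOCK                   # overrides everything for db-01
    telnet = {"proto": "tcp", "dport": 23}
    https = {"proto": "tcp", "dport": 443}
    web = FastPathAgent(cfg, "web-01")
    return {
        "web-01": (cfg.effective_mode("web-01")[1], web.handle(telnet), web.handle(https), len(web.log)),
        "db-01": (cfg.effective_mode("db-01")[1], FastPathAgent(cfg, "db-01").handle(https)),
        "legacy-01": (cfg.effective_mode("legacy-01")[1], FastPathAgent(cfg, "legacy-01").handle(telnet)),
        "app-01": (cfg.effective_mode("app-01")[1], FastPathAgent(cfg, "app-01").handle(telnet)),
    }


if __name__ == "__main__":
    for vm, result in demo().items():
        print(vm, result)
```

The interesting row is legacy-01: it has no setting of its own, so the vSwitch-level bypass applies and telnet passes uninspected, whereas app-01 on the other vSwitch falls back to the global enforce default and the same packet is dropped.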

    Alerts related to ESX

    Fast Path Anti spoofing

    Diagram: VMs 2.1.1.1 to 2.1.1.5 on a vSwitch with Agents and the R70 VE gateway via the Security API. VM 2.1.1.5 tries to spoof with VM 2.1.1.1's IP; the packet is dropped.
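The anti-spoofing check works because each Fast Path Agent sits on exactly one vNIC and knows which MAC (the "Learned MAC" in the agent status) and which IP belong there, so a frame from that vNIC claiming another VM's address can be dropped before it reaches the vSwitch. The following model is an added example, not Check Point code. The counter names mirror the agent status fields on the slide; binding one learned MAC and one IP per vNIC, and learning the IP from the first frame sent with the learned MAC, are this example's assumptions.

```python
"""Per-vNIC anti-spoofing, as on the "Fast Path Anti spoofing" slide.

Added example, not Check Point code. Counter names mirror the agent status
fields on the slide; the one-MAC-one-IP binding per vNIC and learning the
IP from the first frame are assumptions of this example.
"""


class VnicFilter:
    """The agent on a single vNIC: drops frames that claim another VM's MAC or IP."""

    def __init__(self, vm_uuid, learned_mac):
        self.vm_uuid = vm_uuid
        self.learned_mac = learned_mac.lower()
        self.bound_ip = None          # learned from the VM's first legitimate frame
        self.counters = {
            "Packets processed outbound": 0,
            "Packets dropped mac anti-spoofing": 0,
            "Packets dropped ip anti-spoofing": 0,
        }

    def outbound(self, src_mac, src_ip):
        """Return 'pass' or 'drop' for a frame leaving this vNIC."""
        if src_mac.lower() != self.learned_mac:
            self.counters["Packets dropped mac anti-spoofing"] += 1
            return "drop"
        if self.bound_ip is None:
            self.bound_ip = src_ip    # first frame with the right MAC binds the IP
        elif src_ip != self.bound_ip:
            self.counters["Packets dropped ip anti-spoofing"] += 1
            return "drop"
        self.counters["Packets processed outbound"] += 1
        return "pass"


class VSwitch:
    """One filter per attached vNIC; a VM's frames pass only through its own filter."""

    def __init__(self):
        self.filters = {}

    def attach(self, vm_uuid, mac):
        self.filters[vm_uuid] = VnicFilter(vm_uuid, mac)
        return self.filters[vm_uuid]

    def send(self, vm_uuid, src_mac, src_ip):
        return self.filters[vm_uuid].outbound(src_mac, src_ip)


def demo():
    """Replay the slide: VM 2.1.1.5 claims 2.1.1.1's address and is dropped."""
    sw = VSwitch()
    # Constructed inventory: five VMs on the slide's 2.1.1.x addresses.
    macs = {f"vm-{i}": f"00:50:56:00:00:0{i}" for i in range(1, 6)}
    for uuid, mac in macs.items():
        sw.attach(uuid, mac)
    for i in range(1, 6):                          # each VM's first legitimate frame
        sw.send(f"vm-{i}", macs[f"vm-{i}"], f"2.1.1.{i}")
    results = {
        "spoof_ip": sw.send("vm-5", macs["vm-5"], "2.1.1.1"),    # own MAC, foreign IP
        "spoof_mac": sw.send("vm-5", macs["vm-1"], "2.1.1.1"),   # foreign MAC as well
        "legit": sw.send("vm-5", macs["vm-5"], "2.1.1.5"),       # normal traffic
    }
    return results, sw.filters["vm-5"].counters


if __name__ == "__main__":
    results, counters = demo()
    print(results)
    print(counters)
```

After the replay, VM 5's filter shows one drop under each anti-spoofing counter and two processed frames; those are the same counters an operator reads in the agent status dump, which is where a spoofing attempt inside the vSwitch becomes visible.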

    R70 VE Benefits

    Best Security: Firewall, IPS and UTM integrated in the VM-kernel
    Full Coverage: Protection against inter-VM and external threats
    Management: Interoperable with the VMware vSphere Management Console; vCenter management
    Consistency: Unified security policy inside and out of the virtual zone

    R70 VE technical information

    EA based on Security Gateway R70 (GA will be based on R70 HFA)
    Requires VMware vSphere 4.0 (when Avatar mode is enabled)
    Can be managed by R70 SmartCenter / R70 Provider-1

    Future direction

    Support HA in Avatar mode
    Improve performance scalability
    Remove limitations for Avatar mode
    Integrate Avatar in management products
    Integration into the main train

    Understanding The Difference

                                | VPN-1 VE                                                           | VPN-1 Power VSX
    Number of Virtual Systems   | 1 per ESX server                                                   | Between 10 and 250 per server
    Underlying Operating System | Splat running on Hypervisor and/or integrated with service console | Pre-hardened SecurePlatform
    Primary Use                 | Protecting virtual systems                                         | Virtualizing security gateways
    Management                  | SmartCenter or Provider-1                                          | SmartCenter or Provider-1

    Summary

    VPN-1 VSX
      Allows for firewall consolidation
      Provides scalability and flexibility
      Integrates in existing network setup
      Answers green IT requirements

    VPN-1 VE
      Provides virtual applications the same best-in-class security as applications on physical servers
      Delivers the only solution where customers can choose between appliances, software and virtual security
      Adds to the virtualization found in VPN-1 Power VSX

    Thank You!