What's New Since the Release of R70

Anton Razumov [email protected]
Security Consultant, Check Point Software Technologies

©2010 Check Point Software Technologies Ltd. | [Unrestricted] For everyone



R70 introduced with:


R70.1


Introducing R70.1

• SmartWorkflow blade
• Hardware monitoring
• Various features
• GUI enhancements


Introducing SmartWorkflow

Check Point’s SmartWorkflow software blade automates security policy change management

• Enforces a formal process of tracking, approving and auditing security policy changes
• Reduces errors by providing granular visibility into policy changes
• Enhances compliance through audit trails and built-in role segregation
• Aligns to an organization’s existing change management approval process
• Streamlines change management, increasing operational efficiency
• One-stop, total policy lifecycle management integrated into SmartDashboard


SmartWorkflow Operation Mode


R70.1 SmartWorkflow (planned for R70.1)

• SmartWorkflow
• Automatic security database revisions
• Highlighting the changes in SmartDashboard
• Allowing visual navigation between the changes
• Allowing changes to be discarded and the previous database revision restored
• Allowing generation of a change comparison report
• Audit trail of changes


R70.1 HW monitoring:

Hardware Health Monitoring Capabilities

• RAID Health: Monitor the health of the disks in the RAID array, and be notified of the states of the volumes and disks. The information is available via SNMP.

• Sensors: Monitor fan speed, voltages, and temperatures on the hardware. The information is available via SNMP and, for Check Point appliances, also via the SecurePlatform Web interface.


R70.1 additional features:

• Link Aggregation 802.3ad
  - Both interfaces need to be connected to the same switch when aggregating
  - Up to 8 NICs in a bond
  - No limit besides the SPLAT limit of 1015 total interfaces
  - Both HA and LS are supported
• Ability to set IP address through LCD
• Changed URLF filter database provider
• Remote Deployment Tool (USB-based tool to allow initial OS configuration)


R70.1 GUI enhancements

• Quick Add Object - Allows you to easily find and insert objects into the Security Rule Base.

• Where Used > Go To - Allows you to jump from the Where Used window to the locations it references.

• Easily View Group Members - When hovering over a Group in the Rule Base, a tooltip displays the Group members.

• Extended Clone Functionality - The Clone functionality, which allows creating a new object based on an existing one, is extended to include Services, IP ranges, Group objects, etc.

• Read Only State for Object Properties - In numerous key fields of the object properties it is now possible to copy the text of the fields while in ‘Read-only’ state.

• Delete Multiple Database Versions - While in the Database Revision Control window, it is possible to select multiple Database Versions and delete them at once.


R70.20


Moving on to R70.20, what’s new:

• Event Correlation & IPS Event Analysis Software Blades Update
• Reporting Blade Updates
• IPS Software Blade Update
• Multi-Core Licensing


IPS Event Analysis Client


New Real Time Views & Simplified Events Processing

• Timeline View
• Charts View
• Maps View
• Group By – Real Time Pivots and Graphs for Data
• User / machine identification


Timeline View


Charts View


Maps View


Group By – Real Time Pivots and Graphs for Data


User / machine identification: The challenge

Ability to identify users and computers passing through the firewall

Distinguish between corporate and unmanaged devices

Traffic monitoring and network maintenance

Network and Security events analysis


User / machine identification: The Solution

Introducing new Check Point firewall capability to provide Identity-based auditing

Present user and machine identity in the firewall logs

Leveraging Check Point SmartView Tracker and Eventia logging solutions

The identity information is based on Microsoft Active Directory integration

Identity-based Auditing

User and machine identity in Check Point SmartView Tracker


User / machine identification: The use case

• Security and compliance audit
• Troubleshooting network issues
• Ability to distinguish corporate and unmanaged assets
• Helpdesk and maintenance
• Analyzing network usage

Bring Identity Awareness to your Check Point firewall


User / machine identification: How it works

• User and Computer Identity is obtained from Active Directory (AD) security event logs

• The gathered AD log information is used to build an association map that is referenced for enriching Check Point logs with the AD username and computer name based on users’ IP address.

• Check Point Log Server uses WMI protocol to communicate with Active Directory

• Supported in SmartCenter management from R70.2
  - SmartView Tracker
  - Eventia Reporter and Analyzer

• Does not require any installations on Active Directory server

• Leverage your existing security gateways, no upgrade is needed
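The association-map lookup described above, as an added Python sketch (not Check Point's code): logon events build an IP-to-identity map, and each firewall log is enriched with the most recent logon seen for its source IP. The tuple layouts, field names and the `max_age` staleness cutoff are assumptions made for illustration, and all sample data is constructed.

```python
from bisect import bisect_right
from collections import defaultdict

# Constructed sample data; layouts are illustrative, not an AD or Check Point schema.
AD_LOGONS = [  # (epoch seconds, ip, user, computer)
    (1000, "10.0.0.5", "alice", "WS-ALICE"),
    (1300, "10.0.0.7", "carol", "WS-CAROL"),
    (5000, "10.0.0.5", "bob", "WS-BOB"),  # same IP later reassigned to another machine
]
FW_LOGS = [  # (epoch seconds, source ip, destination ip)
    (1200, "10.0.0.5", "10.1.1.10"),
    (5100, "10.0.0.5", "10.1.1.20"),
    (900, "10.0.0.5", "10.1.1.10"),    # connection seen before any logon
    (1400, "10.0.0.99", "10.1.1.10"),  # IP absent from AD logs: unmanaged device
    (90000, "10.0.0.7", "10.1.1.20"),  # last logon too old to trust
]

def build_association_map(logons):
    """Return ip -> time-sorted list of (ts, user, computer)."""
    amap = defaultdict(list)
    for ts, ip, user, computer in sorted(logons):
        amap[ip].append((ts, user, computer))
    return amap

def lookup(amap, ip, ts, max_age=12 * 3600):
    """Latest logon for ip at or before ts; None if unknown or stale."""
    entries = amap.get(ip, [])
    i = bisect_right([e[0] for e in entries], ts)
    if i == 0:
        return None
    logon_ts, user, computer = entries[i - 1]
    # A stale mapping would attribute traffic to whoever held the IP earlier.
    return (user, computer) if ts - logon_ts <= max_age else None

def enrich(fw_logs, amap):
    """Attach source user and computer name to each firewall log record."""
    out = []
    for ts, src, dst in fw_logs:
        ident = lookup(amap, src, ts)
        out.append({"ts": ts, "src": src, "dst": dst,
                    "src_user": ident[0] if ident else None,
                    "src_computer": ident[1] if ident else None})
    return out

ENRICHED = enrich(FW_LOGS, build_association_map(AD_LOGONS))
```

Records left without an identity are the ones to review as unmanaged devices or as gaps in AD log collection.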


User / machine identification: Flow

[Diagram components: Corporate Network, HR Database, Finance Database, Microsoft Active Directory, Data Center, SmartCenter Log Server, Security Gateway, SmartView Tracker]

1. Logon to Domain: username, computer name, IP address
2. Send Logs (WMI): user name, computer name, IP address
3. User’s connection: source IP address
4. Log: source IP address, destination
5. Log Entry: destination computer name; source user & computer name; source & destination IP address


SmartView Tracker Example – Identity auditing


User / machine identification: Summary

• Bring Identity-based auditing capability to your Check Point logging system

• Leverage existing Check Point management and logging infrastructure: SmartView Tracker and Eventia

• Plug and Play clientless solution (no installations required on endpoints or AD)

• Simple and easy way to audit your users’ and machines’ activity on the network


Real-Time Analysis & Action

• Group By - On-Line Pivoting of Data (no need to export data externally)

• New Search Feature

• Forensics: Drill down from the “big picture” to events, then use advanced filtering / search / group / sort to go deeper, and finally go to raw logs / packet capture to understand exactly what happened.


New Search Feature


Forensics



Workflow


Open tickets, manage life cycle


Tickets



IPS Specific reports

Overview Page showing everything IPS – Critical Issues, Top Events, Sources & Destinations, Latest Protections

Detailed Hourly, Weekly and Monthly Reports with many categories

IPS Event Analysis reports relating specifically to IPS events.

Share IPS Event & Packet Capture with Check Point Security Research Team


IPS Event Analysis reports relating specifically to IPS events.


Share IPS Event & Packet Capture with Check Point Security Research Team


Reporting Blade Updates


• 18 new regulatory compliance reports
• Standard web filtering activity report
• Additional information available for Endpoint Security reports


Compliance Reports


Standard web filtering activity report


Endpoint Security reports


IPS Software Blade Update


• New Protection Category - Block by Country (called "Geo Protection" in IPS)
• Web Intelligence Log improvements
• Logs now show the original IP addresses of proxied connections
• Optional Packet Capture on First Instance of any Protection
• Several False Positive Fixes


Geo Protection


Multi-Core Licensing


The Check Point Security Gateway software license for multi-core, open server platforms allows you to use fewer than the number of physical cores on the system. R70.20 will automatically use the number of cores allowed by the license.


R70.30 and R70.40


What’s new in 70.30?

• Maintenance HFA
• Non-English regional formats are now supported in the map visualization features of SmartDashboard, IPS Event Analysis and Eventia Analyzer.
• SmartWorkflow reports can now be viewed in Windows 7.
• It is now possible to use the SSL Network Extender client to access internal resources behind the Security Gateway, using a client digital certificate that is signed by a subordinate CA. The certificate need not be directly signed by a trusted CA. For example, the certificate can be signed by a CA that belongs to the organization itself, which is in turn signed by a trusted root CA.


What’s new in 70.40?

The R70.40 Security Management Server can manage:

• New, to-be-introduced UTM-1 gateway for centrally managed branch offices
• UTM-1 Edge N Series and Embedded NGX 8.1 Release gateways
• VSX R67, and includes enhancements to the vsx_util command for improved user experience and additional functionality
• IPSO 6.2 IP appliances with SmartProvisioning, including the ability to modify Interfaces, Routing, Backup, DNS, Domain Name, Hosts, and Host Names


Thank you!