Check Point & AlgoSec Security-Update, 24./25. September 2014

Jason Card, Senior Security Consultant, CISSP, [email protected]

Check Point Virtual Systems & Identity Awareness

Agenda

• Check Point Virtual Systems: Private Cloud, Simplify Security, Overview
• Identity Awareness: Features, Performance Tips, Best Practice, Coming Soon

Increasing Complexity

(Diagram: one data center with Internet, Web, Finance, Partner, Customer, VPN, Email, Legal, Sales, Engineering, Marketing and HR segments, each behind its own policy, Policy 1 to Policy 13.)

• More complex networks with increasing segmentation drive up cost
• More advanced threats require multi-layered defense
• More policies with many rules to meet growing business demands

Need More Simplicity and Less Complexity

Moving to Private Clouds: Check Point Virtual Systems Added

Virtualized Gateways Simplify Private Cloud Security

(Diagram: the same segments (Internet, Partner, Sales, Datacenter, Web, Finance, Legal, Email, HR, VPN, Customer, Marketing, Engineering) are now served by virtual systems (VS) on shared gateways, each VS with its own policy, Policy 1 to Policy 6.)

Simplify Security

Multi-Tenancy
• Secure multiple networks from a single gateway
• Customized security and policy per virtual system

Scalability
• Easily expand security protection by adding more virtual systems
• Seamlessly expand security capacity for future business and network growth

Consolidation
• Maximize investment with optimized hardware utilization
• Lower costs by consolidating multiple security gateways
• Simplified management from a single management console

The Power of Virtualization

• Multiple VSs with central management using Check Point SM and MDSM
• High scalability and full redundancy with VSLS

Check Point VSX Appliances

For 10 years, Check Point VSX on dedicated hardware has delivered value and security for hundreds of our customers.

Consolidate up to 250 gateways to secure many customers & networks

Introducing Check Point Virtual Systems

Tapping the POWER of virtualization

• All Software Blades on every Virtual System
• Simplify and consolidate
• Boosting performance with Check Point VSLS

Next Generation Virtual System: can run any Software Blade on any Check Point Appliance

Software Blades for Virtual Systems

Software Blade security on every Virtual System: Firewall, IPS, Application Control, URL Filtering, Antivirus, Anti-Bot, Identity Awareness, Mobile Access*

Virtual System on any platform: Check Point appliances and open servers

* SSL VPN available in later release

Consolidate Security

One-Click Virtual System Creation
• Simple virtualization wizard and provisioning templates

Dedicated Policy Per Virtual System
• Customized security functions with granular security policies

Ease of Operation
• Resource monitoring on each Virtual System
• Software upgrades without downtime
• Inter-VS traffic redirecting via integrated virtual routers and switches

Security with Virtual Systems: ONE gateway protects the Enterprise intranet segments (Web, Finance, HR, Partners, Customers)

Performance and Scalability

• High Connection Capacity: 8X concurrent connections with 64-bit GAiA OS
• Advanced routing options with multiple routing and multicasting protocols
• Multi-Core Performance: Check Point CoreXL technology, enhanced deep packet inspection throughput with security acceleration
• Linear Scalability: patented VSLS technology, scale up to 12 cluster members

Two Ways to Get Virtual Systems

• Virtual Systems Software (SW license): virtualize any appliance or open server; VS license packs of 3, 10, 25 or 50 VSs
• Virtual Systems Appliances (HW/SW bundle): dedicated pre-configured Virtual System appliances

Single SKU Virtual Systems Appliance

Appliances: 4400, 4600, 4800, 12200, 12400, 12600, 13500, 21400, 21600, 21700, as VS-5 / VS-10 / VS-20 bundles

Complete solution including Appliance, Software Blades and Virtual Systems
7-Blade Package: Firewall, VPN, IA, ADNC, MOB-5, IPS, APCL

Virtual Systems Software: Security Gateway + Software Blades + one free VS license (VSs x1); additional VS license packs of 3, 10, 25 or 50 VSs

* Available for: 4800, 12000, 21000, Power-1 9000, Power-1 11000, IP-1280, IP-2450 and open servers with 4 cores or more

Additional VS Licenses
• Virtual System price is the same for all appliances and open servers
• Software Blades are priced per gateway and can be used on all VS instances
• One complimentary Virtual System* per gateway

VSX Supported GWs

Check Point Appliances
• 2012 Models: 2200, 4000, 12000, 13500, 21000
• UTM-1: UTM-1 3070
• Power-1: Power-1 9000, Power-1 11000
• IP Series: IP-1280, IP-2450
• VSX: All VSX Appliances

Open Servers
• Open servers with up to 12 cores

VS Software Packaging

[Protected] For public distribution

VS license pack   List price   Availability
VSs x1            Included     Complimentary with 4800 and above Virtual Systems gateways
VSs x3            $3,000       Available for 2200, 4200, 4400, 4600 and open servers with 1 or 2 cores only
VSs x10           $10,000      Available for all gateways
VSs x25           $23,000      Available for all gateways
VSs x50           $43,000      Available for all gateways

Summary

Check Point Virtual Systems: Simplifying Security for Private Clouds
• Maximize Security Gateway investment
• Advanced security with Software Blades
• High scalability and performance
• Simple deployment and provisioning

Identity Awareness
• Features
• Performance
• Best Practices
• Coming Soon

Identity Awareness

Granular access to data centers, applications and network segments by user, machine or location

• Integrated into Check Point Software Blade Architecture
• Provides scalable identity sharing between gateways
• Seamless Active Directory (AD) integration with multiple deployment options: Clientless, Captive Portal or Identity Agent

(Diagram: Branch Offices A, B and C accessing the HQ. Each site has an Identity GW (Identity GW A, B, C and Identity GW HQ) that queries its local domain controllers (DC1, DC2, DC3) and shares the learned identities with the HQ gateway in front of the Data Center.)

New Identity Awareness Features in R75.40 and R76

User and machine awareness on Security Gateways, across all Software Blades:
• Transparent (browser based) Portal Authentication (R75.40)
• Identity Agent for Terminal Servers / Citrix (R75.40)
• SSO with Remote Access Clients (R75.40)
• IPv6 Support (R76)
• Support for NTLMv2 (R76)

New Identity Awareness Features in R77
• RADIUS Accounting
• IF-MAP
• Automatic LDAP group update
• Automatic exclusion of service accounts

[Restricted] ONLY for designated groups and individuals

Improving Performance: Distribute Domain Controllers between Gateways

• A single GW can handle 800-1000 security events per second (12000 device)
• Limit the number of AD security events parsed by each GW by configuring each GW to query a different set of DCs
• Configure an identity GW on each geographical site, and configure identity sharing as necessary

Improving ADQuery Performance: Exclude Service Accounts and Servers

• Service Accounts are user accounts which provide a specific security context. They generate multiple security events without substantial identity value. It is highly recommended to exclude all known service accounts from ADQuery.
• Exchange servers, proxy servers, DNS servers or TS/Citrix should be excluded, particularly when the "Assume that only one user is connected per computer" option is checked.

Improving ADQuery Performance: Automatic Exclusion of Service Accounts

• The new "Automatic Exclusion of Service Accounts" feature simplifies the task
• As a best practice, it is advised to exclude any known service account manually
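The two performance tips above (exclude service accounts and server hosts, then split the DCs across identity gateways so none exceeds the 800-1000 events/second envelope) as an added worked example, not code from the deck or from Check Point. The event sample, account names and the 800/s capacity figure used as the cap are constructed for the illustration.

```python
"""Added example: ADQuery-style event filtering plus DC-to-gateway distribution."""
from collections import Counter

GW_EVENTS_PER_SEC = 800          # conservative end of the 800-1000/s range on the slide

# Constructed sample: (domain controller, account, source host) over a 10-second window.
WINDOW_SECONDS = 10
EVENTS = (
    [("DC1", "alice", "ws-101")] * 2500
    + [("DC1", "svc_backup", "bkp-01")] * 6000   # service account: no identity value
    + [("DC2", "bob", "ws-202")] * 4000
    + [("DC2", "svc_sql", "sql-01")] * 3000
    + [("DC3", "carol", "ws-303")] * 3500
    + [("DC3", "dave", "exch-01")] * 5000        # Exchange server host: exclude
    + [("DC4", "erin", "ws-404")] * 2000
)
SERVICE_ACCOUNTS = {"svc_backup", "svc_sql"}                  # known service accounts
EXCLUDED_HOSTS = {"exch-01", "proxy-01", "dns-01", "ts-01"}   # Exchange/proxy/DNS/TS-Citrix

def events_per_second_by_dc(events, window_seconds, service_accounts, excluded_hosts):
    """Rate of identity-relevant events per DC after the recommended exclusions."""
    kept = Counter(dc for dc, account, host in events
                   if account not in service_accounts and host not in excluded_hosts)
    return {dc: n / window_seconds for dc, n in kept.items()}

def distribute_dcs(rates, capacity=GW_EVENTS_PER_SEC):
    """First-fit-decreasing assignment of DCs to gateways under a per-gateway rate cap.
    Every gateway ends up querying a disjoint set of DCs, as the slide recommends."""
    gateways = []                                   # list of [load, [dcs]]
    for dc, rate in sorted(rates.items(), key=lambda kv: -kv[1]):
        if rate > capacity:
            raise ValueError(f"{dc} alone exceeds one gateway ({rate:.0f}/s > {capacity}/s)")
        for gw in gateways:
            if gw[0] + rate <= capacity:
                gw[0] += rate
                gw[1].append(dc)
                break
        else:
            gateways.append([rate, [dc]])
    return {f"IdentityGW{i + 1}": sorted(dcs) for i, (_, dcs) in enumerate(gateways)}

if __name__ == "__main__":
    rates = events_per_second_by_dc(EVENTS, WINDOW_SECONDS, SERVICE_ACCOUNTS, EXCLUDED_HOSTS)
    print(rates)                  # without the exclusions DC1 alone would be 850/s
    print(distribute_dcs(rates))
```

Running it with empty exclusion sets shows the failure mode: DC1 alone would exceed one gateway's capacity and the distribution refuses it.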

Using Identity Awareness for Whitelisting

• Best practice: grant access to identified users while denying access to unidentified users
• It is not recommended to block specific users while granting access to all the rest
• Captive Portal can be configured to back up ADQuery
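Why the whitelisting best practice matters, as an added example that is not part of the deck: two constructed rule bases are evaluated against the same incomplete identity store (one source has no learned identity, as happens whenever ADQuery misses a logon). The rule names, group names, addresses and the simplified first-match evaluator are all assumptions for the illustration.

```python
"""Added example: allowlist versus blocklist identity rules with a missing identity."""
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    name: str
    source: str       # access role: an AD group, "Any", or "Unidentified"
    dst: str
    action: str       # "Accept", "Drop" or "Redirect to Captive Portal"

# Constructed identity store learned by ADQuery: source IP -> AD groups.
# 10.0.0.12 has no entry: its user logged on through an excluded TS host.
IDENTITIES = {"10.0.0.10": {"Finance_Users"}, "10.0.0.11": {"Contractors"}}

ALLOWLIST = [   # the recommended pattern: identified users in, everyone else out
    Rule("finance", "Finance_Users", "Finance_DC", "Accept"),
    Rule("learn",   "Unidentified",  "Finance_DC", "Redirect to Captive Portal"),
    Rule("cleanup", "Any",           "Any",        "Drop"),
]
BLOCKLIST = [   # the pattern the slide advises against
    Rule("block-contractors", "Contractors", "Finance_DC", "Drop"),
    Rule("allow-rest",        "Any",         "Any",        "Accept"),
]

def groups_for(src_ip) -> Optional[set]:
    return IDENTITIES.get(src_ip)          # None: the gateway has no identity for this IP

def source_matches(rule, groups):
    if rule.source == "Any":
        return True
    if rule.source == "Unidentified":
        return groups is None
    return groups is not None and rule.source in groups

def decide(rulebase, src_ip, dst):
    """First-match evaluation; an implicit drop applies if nothing matches."""
    groups = groups_for(src_ip)
    for rule in rulebase:
        if source_matches(rule, groups) and rule.dst in (dst, "Any"):
            return rule.name, rule.action
    return "implicit", "Drop"

def compare(src_ip, dst="Finance_DC"):
    """Decision of both rule bases for one source, so the difference is visible."""
    return {"allowlist": decide(ALLOWLIST, src_ip, dst),
            "blocklist": decide(BLOCKLIST, src_ip, dst)}

if __name__ == "__main__":
    for ip in ("10.0.0.10", "10.0.0.11", "10.0.0.12"):
        print(ip, compare(ip))
```

The unidentified source 10.0.0.12 is accepted by the blocklist but sent to Captive Portal by the allowlist, which is the backup role the slide gives the portal.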

Tweaking the Thresholds

• ia_max_authenticated_users: maximum number of identities a single PDP (identity server) can store
• ia_max_enforced_identities: maximum number of identities a single PEP (Security Gateway) can store

Threshold: 30,000

Thresholds can be increased, depending on machine memory and PDP load

LDAP Nested Groups Configurations

• Until R75.40, a user was matched only to an LDAP group he explicitly belonged to.
• Starting with R75.40 (and enabled by default since R75.45) there is full support for LDAP Nested Groups.
• See sk66561
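The difference between explicit and nested group matching, as an added example that is not from the deck or from the SK: a constructed in-memory directory stands in for the LDAP server, and the group and user names are made up. The nested walk tolerates membership loops, which real directories do contain.

```python
"""Added example: explicit (pre-R75.40) versus nested (R75.40+) LDAP group matching."""

# Constructed directory: group -> its direct members (users or other groups).
DIRECTORY = {
    "cn=Finance-Team": {"uid=alice"},
    "cn=Finance":      {"cn=Finance-Team"},
    "cn=All-Staff":    {"cn=Finance", "cn=IT"},
    # Constructed membership loop: IT and Ops contain each other.
    "cn=IT":           {"cn=Ops", "uid=bob"},
    "cn=Ops":          {"cn=IT"},
}

def explicit_groups(dn, directory):
    """Pre-R75.40 behaviour: only groups that list the DN as a direct member."""
    return {group for group, members in directory.items() if dn in members}

def nested_groups(dn, directory):
    """R75.40+ behaviour: walk parent groups transitively; 'seen' stops loops."""
    seen, todo = set(), [dn]
    while todo:
        current = todo.pop()
        for parent in explicit_groups(current, directory):
            if parent not in seen:
                seen.add(parent)
                todo.append(parent)
    return seen

def access_role_matches(dn, role_group, directory, nested=True):
    """Would an access role defined on role_group match this user?"""
    groups = nested_groups(dn, directory) if nested else explicit_groups(dn, directory)
    return role_group in groups

if __name__ == "__main__":
    for user in ("uid=alice", "uid=bob"):
        print(user, "explicit:", sorted(explicit_groups(user, DIRECTORY)),
              "nested:", sorted(nested_groups(user, DIRECTORY)))
```

An access role on cn=All-Staff matches alice only with nested resolution, which is why a rule base written for R75.40+ can behave differently on an older gateway.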

Latest Tips and Best Practices

• Based on lessons learnt from customer deployments
• Updated on a regular basis
• See sk88520

Recommendations for Identity Awareness in VSX Solutions

• Small to large environments
• ADQuery and RADIUS
• See sk101558

Soon to Come: Supporting 200K Users per Single Gateway

• Improved engine that can handle more identified users (a big improvement over the current 30K users)
• Improved performance during policy installations: identifying whether or not the newly installed policy has any IDA-related changes

Soon to Come: ADQuery Agent

• Installed on any Windows based server (does not use WMI)
• Queries the domain controllers and propagates identities to one or more PDP gateways
• Requires fewer permissions
• More scalable, with less load on gateways and domain controllers

The ADQuery agent can serve as an alternative to the standard ADQuery and Cross-CMA solution (sk65404).

Soon to Come: RADIUS Accounting with Groups

• The current RADIUS Accounting implementation relies on LDAP servers for authorization (fetching groups)
• Allows reading group information from the RADIUS Accounting messages directly, without the need to access other entities (LDAP server)
• Requires adding groups to the RADIUS Accounting message

Thank You!!

Introducing New Virtual Systems Appliances

Complete solution including Appliance, Software Blades and Virtual Systems. Included SW blades on every model: NGFW 7-blade package (Firewall, VPN, IA, ADNC, MOB, IPS, APCL).

Model        SKU                          Description                  Included VSs
4400 VS      CPAP-SG4400-NGFW-VS5         1 x 4407 appliance           5
4400 VSLS    CPAP-SG4400-NGFW-VS5-2       2 x 4407 appliance cluster   5
4600 VS      CPAP-SG4600-NGFW-VS5         1 x 4607 appliance           5
4600 VSLS    CPAP-SG4600-NGFW-VS5-2       2 x 4607 appliance cluster   5
4800 VS      CPAP-SG4800-NGFW-VS10        1 x 4807 appliance           10
4800 VSLS    CPAP-SG4800-NGFW-VS10-2      2 x 4807 appliance cluster   10
12200 VS     CPAP-SG12200-NGFW-VS10       1 x 12207 appliance          10
12200 VSLS   CPAP-SG12200-NGFW-VS10-2     2 x 12207 appliance cluster  10
12400 VS     CPAP-SG12400-NGFW-VS10       1 x 12407 appliance          10
12400 VSLS   CPAP-SG12400-NGFW-VS10-2     2 x 12407 appliance cluster  10
12600 VS     CPAP-SG12600-NGFW-VS20       1 x 12607 appliance          20
12600 VSLS   CPAP-SG12600-NGFW-VS20-2     2 x 12607 appliance cluster  20
13500 VS     CPAP-SG13500-NGFW-VS20       1 x 13507 appliance          20
13500 VSLS   CPAP-SG13500-NGFW-VS20-2     2 x 13507 appliance cluster  20
21400 VS     CPAP-SG21400-NGFW-VS20       1 x 21407 appliance          20
21400 VSLS   CPAP-SG21400-NGFW-VS20-2     2 x 21407 appliance cluster  20
21600 VS     CPAP-SG21600-NGFW-VS20       1 x 21607 appliance          20
21600 VSLS   CPAP-SG21600-NGFW-VS20-2     2 x 21607 appliance cluster  20
21700 VS     CPAP-SG21700-NGFW-VS20       1 x 21707 appliance          20
21700 VSLS   CPAP-SG21700-NGFW-VS20-2     2 x 21707 appliance cluster  20

Virtual Systems Appliance Performance

Model        Firewall throughput   VPN throughput   Concurrent sessions
4400 VS      5 Gbps                1.2 Gbps         1.2M
4400 VSLS    9 Gbps                2.1 Gbps         1.4M
4600 VS      9 Gbps                1.5 Gbps         1.2M
4600 VSLS    16 Gbps               2.7 Gbps         1.4M
4800 VS      11 Gbps               2 Gbps           3.3M
4800 VSLS    20 Gbps               3.6 Gbps         4M
12200 VS     15 Gbps               2.5 Gbps         5M
12200 VSLS   27 Gbps               4.5 Gbps         6M
12400 VS     25 Gbps               3.5 Gbps         5M
12400 VSLS   45 Gbps               6 Gbps           6M
12600 VS     30 Gbps               6 Gbps           5M
12600 VSLS   54 Gbps               10.5 Gbps        6M
13500 VS     77 Gbps               17 Gbps          28M
13500 VSLS   138.6 Gbps            30.6 Gbps        33.6M
21400 VS     50 Gbps               7 Gbps           10M
21400 VSLS   90 Gbps               12.5 Gbps        12M
21600 VS     75 Gbps               8.5 Gbps         13M
21600 VSLS   135 Gbps              15 Gbps          15.6M
21700 VS     78 Gbps               10.9 Gbps        13M
21700 VSLS   140 Gbps              19.5 Gbps        15.6M