Check Point & AlgoSec Security-Update, 24./25. September 2014
Jason Card, Senior Security Consultant, [email protected]
Check Point Virtual Systems & Identity Awareness
Agenda
Check Point Virtual Systems: Private Cloud, Simplify Security, Overview
Identity Awareness: Features, Performance Tips, Best Practice, Coming Soon
Increasing Complexity
[Diagram: Internet, Web, Finance, Partner, Customer, VPN, Legal, Sales, Engineering, Marketing, HR and Data Center segments, each guarded by its own policy (Policy 1 to Policy 13)]
More complex networks with increasing segmentation drive up cost
More advanced threats require multi-layered defense
More policies with many rules to meet growing business demands
Need More Simplicity and Less Complexity
Moving to Private Clouds: Check Point Virtual Systems Added…
Virtualized Gateways Simplify Private Cloud Security
[Diagram: one physical gateway hosting virtual systems (VS), each with its own policy (Policy 1 to Policy 6), for Internet, Partner, Sales, Datacenter, Web, Finance, Legal, email, HR, VPN, Customer, Marketing and Engineering]
Simplify Security
Multi-Tenancy
• Secure multiple networks from a single gateway
• Customized security and policy per virtual system
Scalability
• Easily expand security protection by adding more virtual systems
• Seamlessly expand security capacity for future business and network growth
Consolidation
• Maximize Investment with Optimized Hardware Utilization
• Lower costs by consolidating multiple security gateways
• Simplified management from a single management console
The Power of Virtualization
• Multi-VSs with Central Management Using Check Point SM and MDSM
• High Scalability and Full Redundancy with VSLS
• Check Point VSX Appliances: For 10 Years, Check Point VSX on dedicated hardware has delivered value and security for hundreds of our customers
• Consolidate Up to 250 Gateways to Secure Many Customers & Networks
Introducing Check Point Virtual Systems
Tapping the POWER of virtualization
• All Software Blades on Every Virtual System
• Simplify and Consolidate
• Boosting Performance with Check Point VSLS
Next Generation Virtual System: can run any Software Blades on any Check Point Appliance
Software Blades for Virtual Systems
Software Blade Security on Every Virtual System: Firewall, IPS, Application Control, URL Filtering, Antivirus, Anti-Bot, Identity Awareness, Mobile Access*
* SSL VPN available in later release
Virtual System on any Platform (… and Open Servers)
Consolidate Security
One-Click Virtual System Creation: Simple Virtualization Wizard and provisioning templates
Dedicated Policy Per Virtual System: Customized security functions with granular security policies
Ease of Operation: Resource monitoring on each Virtual System; Software upgrades without downtime; Inter-VS traffic redirecting via integrated virtual routers and switches
[Diagram: Security with Virtual Systems on ONE Gateway, separating the Enterprise INTRANET, Web, Finance, HR, Partners and Customers]
Performance and Scalability
High Connection Capacity: 8X concurrent connections with 64-bit GAiA OS
Advanced routing options with multiple routing and multicasting protocols
Multi-Core Performance: Check Point CoreXL technology, enhanced deep packet inspection throughput with security acceleration
Linear Scalability: Patented VSLS technology, scale up to 12 cluster members
Two Ways to Get Virtual Systems
Virtual Systems Software (SW license): Virtualize any appliance or open server, with VS license packs of 3, 10, 25 or 50 Virtual Systems
Virtual Systems Appliances (HW/SW bundle): Dedicated pre-configured Virtual System appliances
Single SKU Virtual Systems Appliance
Models: 4400, 4600, 4800, 12200, 12400, 12600, 13500, 21400, 21600, 21700
Bundles: VS-5 / VS-10 / VS-20
Complete solution including Appliance, Software Blades and Virtual Systems
7-Blade Package: Firewall, VPN, IA, ADNC, MOB-5, IPS, APCL
Virtual Systems Software = Security Gateway + Software Blades + VS Licenses
VS license packs: VSs x1 (free VS license), VSs x3, VSs x10, VSs x25, VSs x50
Additional VS Licenses
• Virtual System price the same for all appliances and open servers
• Software Blades priced per gateway, can use on all VS instances
• One complementary Virtual System* per gateway
* Available for: 4800, 12000, 21000, Power-1 9000, Power-1 11000, IP-1280, IP-2450 and open servers with 4 cores or more
VSX Supported GWs
Check Point Appliances:
• 2012 Models: 2200, 4000, 12000, 13500, 21000
• UTM-1: UTM-1 3070
• Power-1: Power-1 9000, Power-1 11000
• IP Series: IP-1280, IP-2450
• VSX: All VSX Appliances
Open Servers: Open servers with up to 12 cores
VS Software Packaging
[Protected] For public distribution
VSs x1 VS License: Included, complementary with 4800 and above Virtual Systems gateways
VSs x3 VS License: $3,000, available for 2200, 4200, 4400, 4600 and open servers with 1 or 2 cores only
VSs x10 VS License: $10,000, available for all gateways
VSs x25 VS License: $23,000, available for all gateways
VSs x50 VS License: $43,000, available for all gateways
Summary
Check Point Virtual Systems: Simplifying Security for Private Clouds
• Maximize Security Gateway Investment
• Advanced Security with Software Blades
• High Scalability and Performance
• Simple Deployment and Provisioning
Identity Awareness: Features, Performance, Best Practices, Coming Soon
Identity Awareness
Granular access to data centers, applications and network segments by user, machine or location
• Integrated into Check Point Software Blade Architecture
• Provides scalable identity sharing between gateways
• Seamless Active Directory (AD) integration with multiple deployment options: Clientless, Captive Portal or Identity Agent
[Diagram: Branch Offices A, B and C accessing the HQ Data Center; each site has an Identity GW (Identity GW A, B, C and HQ) that queries its local domain controllers (DC1, DC2, DC3) and shares identities with the HQ gateway]
New Identity Awareness Features in R75.40 and R76
User and Machine Awareness on Security Gateways, Across All Software Blades
• Transparent (browser based) Portal Authentication (R75.40)
• Identity Agent for Terminal Servers/Citrix (R75.40)
• SSO with Remote Access Clients (R75.40)
• IPv6 Support (R76)
• Support for NTLMv2 (R76)
New Identity Awareness Features in R77
User and Machine Awareness on Security Gateways, Across All Software Blades
• RADIUS Accounting
• IF-MAP
• Automatic LDAP group update
• Automatic Exclusion of service accounts
[Restricted] ONLY for designated groups and individuals
Improving Performance: Distribute Domain Controllers between Gateways
• A single GW can handle 800‐1000 security events per second (12000 device)
• Limit the number of AD security events parsed by each GW by configuring each GW to query a different set of DCs
• Configure an identity GW on each geographical site, configure identity sharing as necessary
Improving ADQuery Performance: Exclude Service Accounts and Servers
• Service accounts are user accounts that exist to provide a specific security context for a service rather than a person. They generate many security events without substantial identity value, so it is highly recommended to exclude all known service accounts from ADQuery.
• Exchange servers, proxy servers, DNS servers and TS/Citrix servers should be excluded as well, particularly when the “Assume that only one user is connected per computer” option is checked, since their logon events would otherwise be learnt as the identity of a single user.
• The new “Automatic Exclusion of Service Accounts” feature (R77) simplifies this task
• As a best practice, it is advised to exclude any known service account manually
Using Identity Awareness for Whitelisting
• Best practice: Grant access to identified users while denying access to unidentified users
• It is not recommended to block specific users while granting access to all the rest
• Captive Portal can be configured to back-up ADQuery
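The following simulation is an added example, not Check Point code, and ties the two slides above together: it models ADQuery-style identity learning with the “one user per computer” assumption, showing how an un-excluded service account or multi-user server overwrites a real user's identity (so a whitelist rule then drops that user), and how excluding them leaves those addresses unidentified, which a whitelist rule denies cleanly. All account names, addresses and events are constructed.

```python
"""Added example (not Check Point code): how ADQuery-style identity learning
behaves with and without excluding service accounts and multi-user servers.
All users, IPs and events below are constructed for illustration."""
from typing import Dict, Iterable, Set, Tuple

Event = Tuple[str, str]  # (account name from a DC security event, source IP)

# Constructed stream of Domain Controller logon events, oldest first
EVENTS: Tuple[Event, ...] = (
    ("alice", "10.1.1.20"),
    ("bob", "10.1.1.21"),
    ("svc_backup", "10.1.1.20"),    # service account logging on to alice's PC
    ("carol", "10.1.2.5"),          # user session on the TS/Citrix server
    ("dave", "10.1.2.5"),           # second user on the same TS server
    ("svc_exchange", "10.1.3.9"),   # service account on the Exchange server
    ("erin", "10.1.3.9"),           # mailbox access event from the Exchange server
)
SERVICE_ACCOUNTS: Set[str] = {"svc_backup", "svc_exchange"}   # constructed list
EXCLUDED_SERVERS: Set[str] = {"10.1.2.5", "10.1.3.9"}         # TS/Citrix, Exchange


def build_identity_map(events: Iterable[Event],
                       excluded_users: Set[str] = frozenset(),
                       excluded_ips: Set[str] = frozenset(),
                       one_user_per_computer: bool = True) -> Dict[str, Set[str]]:
    """Return the IP -> users mapping a gateway would hold after the events.

    With one_user_per_computer (the "assume only one user is connected per
    computer" option) the newest logon replaces whatever was learnt for the IP.
    """
    ident: Dict[str, Set[str]] = {}
    for user, ip in events:
        if user in excluded_users or ip in excluded_ips:
            continue  # parsed, but carries no identity value: do not learn it
        if one_user_per_computer:
            ident[ip] = {user}
        else:
            ident.setdefault(ip, set()).add(user)
    return ident


def whitelist_decision(ident: Dict[str, Set[str]], ip: str, allowed: Set[str]) -> str:
    """Whitelist rule: accept only identified users in the allowed set, drop the rest."""
    users = ident.get(ip, set())
    return "accept" if users and users <= allowed else "drop"
```

Without exclusions alice's PC is learnt as svc_backup and the whitelist drops her; with exclusions the TS and Exchange addresses carry no identity and stay denied until a Captive Portal or Identity Agent identifies the real user.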
Tweaking the Thresholds
ia_max_authenticated_users: Maximum number of identities a single PDP (identity server) can store
ia_max_enforced_identities: Maximum number of identities a single PEP (Security Gateway) can store
Current limit: 30,000
Thresholds can be increased, depending on machine memory and PDP load
LDAP Nested Groups Configurations
Until R75.40, a user was matched only to an LDAP group he explicitly belonged to.
Starting with R75.40 (and enabled by default since R75.45), there is full support for LDAP Nested Groups.
See sk66561
Latest Tips and Best Practices
Based on Lessons Learnt from Customer Deployments
Updated on a Regular Basis
SK88520
Recommendations for Identity Awareness in VSX Solutions
Small to Large Environments
ADQuery and RADIUS
SK101558
Soon to Come: Supporting 200K users per single gateway
• Improved engine that can handle more identified users (big improvement over current 30K users)
• Improved performance during policy installations ‐ Identifying whether or not the newly installed policy has any IDA‐related changes
Soon to Come: ADQuery agent
• Installed on any Windows based server (does not use WMI)
• Queries the domain controllers and propagates identities to one or more PDP gateways
• Requires fewer permissions
• More scalable, and less load on gateways and domain controllers
ADQuery agent can serve as an alternative to the standard ADQuery and Cross-CMA solution (sk65404).
Soon to Come: RADIUS Accounting with groups
• Current RADIUS Accounting implementation relies on LDAP servers for authorization (fetching groups)
• Allows for reading group information from the RADIUS Accounting messages directly, without the need to access other entities (LDAP server)
• Requires adding groups to the RADIUS Accounting message
Thank You!!
Introducing New Virtual Systems Appliances
Model      | SKU                      | Description                 | Included VSs
4400 VS    | CPAP-SG4400-NGFW-VS5     | 1 x 4407 appliance          | 5
4400 VSLS  | CPAP-SG4400-NGFW-VS5-2   | 2 x 4407 appliance cluster  | 5
4600 VS    | CPAP-SG4600-NGFW-VS5     | 1 x 4607 appliance          | 5
4600 VSLS  | CPAP-SG4600-NGFW-VS5-2   | 2 x 4607 appliance cluster  | 5
4800 VS    | CPAP-SG4800-NGFW-VS10    | 1 x 4807 appliance          | 10
4800 VSLS  | CPAP-SG4800-NGFW-VS10-2  | 2 x 4807 appliance cluster  | 10
12200 VS   | CPAP-SG12200-NGFW-VS10   | 1 x 12207 appliance         | 10
12200 VSLS | CPAP-SG12200-NGFW-VS10-2 | 2 x 12207 appliance cluster | 10
12400 VS   | CPAP-SG12400-NGFW-VS10   | 1 x 12407 appliance         | 10
12400 VSLS | CPAP-SG12400-NGFW-VS10-2 | 2 x 12407 appliance cluster | 10
Included SW blades (all models): NGFW 7-blade package: Firewall, VPN, IA, ADNC, MOB, IPS, APCL
Complete solution including Appliance, Software Blades and Virtual Systems
Introducing New Virtual Systems Appliances (continued)
Model      | SKU                      | Description                 | Included VSs
12600 VS   | CPAP-SG12600-NGFW-VS20   | 1 x 12607 appliance         | 20
12600 VSLS | CPAP-SG12600-NGFW-VS20-2 | 2 x 12607 appliance cluster | 20
13500 VS   | CPAP-SG13500-NGFW-VS20   | 1 x 13507 appliance         | 20
13500 VSLS | CPAP-SG13500-NGFW-VS20-2 | 2 x 13507 appliance cluster | 20
21400 VS   | CPAP-SG21400-NGFW-VS20   | 1 x 21407 appliance         | 20
21400 VSLS | CPAP-SG21400-NGFW-VS20-2 | 2 x 21407 appliance cluster | 20
21600 VS   | CPAP-SG21600-NGFW-VS20   | 1 x 21607 appliance         | 20
21600 VSLS | CPAP-SG21600-NGFW-VS20-2 | 2 x 21607 appliance cluster | 20
21700 VS   | CPAP-SG21700-NGFW-VS20   | 1 x 21707 appliance         | 20
21700 VSLS | CPAP-SG21700-NGFW-VS20-2 | 2 x 21707 appliance cluster | 20
Included SW blades (all models): NGFW 7-blade package: Firewall, VPN, IA, ADNC, MOB, IPS, APCL
Complete solution including Appliance, Software Blades and Virtual Systems
Virtual Systems Appliance Performance
Model      | Firewall Throughput | VPN Throughput | Concurrent Sessions
4400 VS    | 5 Gbps              | 1.2 Gbps       | 1.2M
4400 VSLS  | 9 Gbps              | 2.1 Gbps       | 1.4M
4600 VS    | 9 Gbps              | 1.5 Gbps       | 1.2M
4600 VSLS  | 16 Gbps             | 2.7 Gbps       | 1.4M
4800 VS    | 11 Gbps             | 2 Gbps         | 3.3M
4800 VSLS  | 20 Gbps             | 3.6 Gbps       | 4M
12200 VS   | 15 Gbps             | 2.5 Gbps       | 5M
12200 VSLS | 27 Gbps             | 4.5 Gbps       | 6M
12400 VS   | 25 Gbps             | 3.5 Gbps       | 5M
12400 VSLS | 45 Gbps             | 6 Gbps         | 6M
12600 VS   | 30 Gbps             | 6 Gbps         | 5M
12600 VSLS | 54 Gbps             | 10.5 Gbps      | 6M
13500 VS   | 77 Gbps             | 17 Gbps        | 28M
13500 VSLS | 138.6 Gbps          | 30.6 Gbps      | 33.6M
21400 VS   | 50 Gbps             | 7 Gbps         | 10M
21400 VSLS | 90 Gbps             | 12.5 Gbps      | 12M
21600 VS   | 75 Gbps             | 8.5 Gbps       | 13M
21600 VSLS | 135 Gbps            | 15 Gbps        | 15.6M
21700 VS   | 78 Gbps             | 10.9 Gbps      | 13M
21700 VSLS | 140 Gbps            | 19.5 Gbps      | 15.6M