Check Point Virtual Systems & Identity Awareness

Transcription

1 Check Point Virtual Systems & Identity Awareness Jason Card, Senior Security Consultant, CISSP Agenda Check Point Virtual Systems Private Cloud Simplify Security Overview Identity Awareness Features Performance Tips Best Practice Coming Soon

2 Increasing Complexity Need More Simplicity and Less Complexity More complex networks with increasing segmentation drives up cost More advanced threats requiring multi-layered defense Policy 5 Sales Policy 6 VPN Customer Policy 7 More policies with many rules to meet growing business demands Web Partner Internet Policy 1 Policy 13 Legal Engineering Policy 2 Policy 4 Data Center Policy 3 Marketing Policy 10 HR Policy 8 Policy 9 Finance Policy 12 Policy 11 Moving to Private Clouds Check Point Virtual Systems Added Partner Sales Policy 2 Internet Policy 1 Datacenter Web Finance HR Legal Policy 3 Policy 4 VPN Customer Marketing Engineering Policy 1 Policy 5 Policy 6 Virtualized Gateways Simplify Private Cloud Security

3 Consolidation Scalability Simplify Security Maximize Investment with Optimized Hardware Utilization Lower costs by consolidating multiple security gateways Simplified management from a single management console Easily expand security protection by adding more virtual systems Seamlessly expand security capacity for future business and network growth Multi-Tenancy Secure multiple networks from a single gateway Customized security and policy per virtual system The Power of Virtualization For 10 Years, Check Point X on dedicated hardware has delivered value and security for hundreds of our customers Consolidate Up to 250 Gateways to Secure Many Customers & Networks Multi-s with Central Management Using Check Point SM and MDSM Highly Scalability and Full Redundancy with LS Check Point X Appliances

4 Introducing Check Point Virtual Systems Tapping the POWER of virtualization Next Generation Virtual System: Can run any Software Blades on any Check Point Appliance All Software Blades on Every Virtual System Simplify and Consolidate Boosting Performance LS Check Point

5 Software Blades for Virtual Application Identity Mobile Firewall IPS Control Systems Awareness URL Filtering Antivirus Anti-Bot Access* Software Blades on Virtual Systems and Open Servers Virtual System on any Platform Software Blade Security on Every Virtual System * SSL VPN available in later release Consolidate Security One-Click Virtual System Creation Simple Virtualization Wizard and provisioning templates ONE Gateway Security with Virtual Systems Finance HR Partners Dedicated Policy Per Virtual System Customized security functions with granular security policies Web Customers Ease of Operation Resource monitoring on each Virtual System Software upgrades without downtime Inter- traffic redirecting via integrated virtual routers and switches Enterprise INTRANET

6 Performance and Scalability High Connection Capacity 8X concurrent connections with 64-bit GAiA OS Advanced routing options with multiple routing and multicasting protocols Multi-Core Performance Check Point CoreXL technology Enhanced deep packet inspection throughput with security acceleration Linear Scalability Patented LS technology Scale up to 12 cluster members Two Ways to Get Virtual Systems Virtual Systems Appliances (HW/SW bundle) Dedicated pre-configured Virtual System appliances Virtual Systems Software (SW license) Virtualize any appliance or open server License s License x3 s License x10 s License x25 s x50

7 Single SKU Virtual Systems Appliance Complete solution including Appliance, Software Blades and Virtual Systems 4400, , 12200, 12400, , 21400, 21600, Blade Package: Firewall, VPN, IA, ADNC, MOB-5, IPS, APCL -5 / -10 / -20 Virtual Systems Software Free License s x1 Security Gateway + Software Blades + License s License x3 s License x10 s License x25 s x50 Additional Licenses Virtual System price the same for all appliances and open servers Software Blades priced per gateway, can use on all instances One complementary Virtual System* per gateway * Available for: 4800, 12000, 21000, Power , Power , IP-1280, IP-2450 and open servers with 4 cores or more

8 X Supported GWs Check Point Appliances 2012 Models: 2200, 4000,12000, 13500, UTM-1: UTM Power-1: IP Series: X: Power , Power IP-1280, IP-2450 All X Appliances Open Servers Open servers with up to 12 cores Software Packaging License s x1 License s x3 License s x10 License s x25 License s x50 Complementary with 4800 and above Virtual Systems gateways Available for 2200, 4200, 4400, 4600 and open servers with 1 or 2 cores only Available for all gateways Available for all gateways Available for all gateways [Protected] For public distribution Included $3,000 $10,000 $23,000 $43,000

9 Summary Check Point Virtual Systems Maximize Security Gateway Investment Advanced Security with Software Blades High Scalability and Performance Simple Deployment and Provisioning Simplifying Security for Private Clouds Features Identity Awareness Performance Best Practices Coming Soon

10 Identity Awareness Granular access to data centers, applications and network segments by user, machine or location Integrated into Check Point Software Blade Architecture Provides scalable identity sharing between gateways Seamless Active Directory (AD) integration with multiple deployment options-clientless, Captive Portal or Identity Agent Branch Offices accessing the HQ DC2 Branch Office A DC1 Query Identity GW A HQ Branch Office B Share Data Center DC2 DC1 Identity GW B Identity GW HQ DC3 DC2 Branch Office C DC1 Identity GW C

11 New Identity Awareness Features in R75.40 and R76 User and Machine Transparent (browser based) Portal Awareness Authentication (R75.40) Identity Agent for Terminal Servers/ Citrix (R75.40) SSO with Remote Access Clients (R75.40) Across All Software Blades IPv6 Support (R76) Support for NTLMv2 (R76) Security Gateways New Identity Awareness Features in R77 RADIUS Accounting User and Machine Awareness IF MAP Automatic LDAP group update Automatic Exclusion of service accounts Across All Software Blades Security Gateways

12 Improving Performance Distribute Domain Controllers between Gateways Exclude Service Accounts and Servers Improving Performance Distribute Domain Controllers between Gateways Exclude Service Accounts and Servers A single GW can handle security events per second (12000 device) Limit the number of AD security events parsed by each GW by configuring each GW to query a different set of DCs Configure an identity GW on each geographical site, configure identity sharing as necessary

13 Improving ADQueryPerformance Distribute Domain Controllers between Gateways Exclude Service Accounts and Servers Service Accounts are user accounts which provide a specific security context. They generate multiple security events without substantial identity value. It is highly recommended to exclude all known service accounts from ADQuery Exchange servers, proxy servers, DNS servers or TS/Citrix should be excluded, particularly when Assume that only one user is connected per computer option is checked. Improving ADQueryPerformance Distribute Domain Controllers between Gateways Exclude Service Accounts and Servers

14 Improving ADQueryPerformance Distribute Domain Controllers between Gateways Exclude Service Accounts and Servers The new Automatic Exclusion of Service Accounts feature simplifies the tasks As a best practice, it is advised to exclude any known service account manually Improving ADQueryPerformance Distribute Domain Controllers between Gateways Exclude Service Accounts and Servers

15 Using Identity Awareness for Whitelisting Best practice: Grant access to identified users while denying access to unidentified users It is not recommended to block specific users while granting access to all the rest Captive Portal can be configured to back up ADQuery Tweaking the Thresholds ia_max_authenticated_users Maximum number of identities a single PDP (identity server) can store ia_max_enforced_identities Maximum number of identities a single PEP (Security Gateway) can store 30,000 Thresholds can be increased, depending on machine memory and pdp load

16 LDAP Nested Groups Configurations Until R75.40, a user was matched only to an LDAP group he explicitly belonged to. Starting R75.40 (and enabled by default since R75.45) there is full support for LDAP Nested Groups See sk66561 SK88520 Latest Tips and Best Practices Based on Lessons Learnt from Customer Deployments Updated on a Regular Bases

17 SK Recommendations for Identity Awareness in X Solutions Small to Large Environments ADQuery and RADIUS Soon to come Supporting 200K users per single gateway ADQuery agent RADIUS Accounting with groups Improved engine that can handle more identified users (big improvement over current 30K users) Improved performance during policy installations Identifying whether or not the newly installed policy has any IDA related changes

18 Soon to Come Supporting 200K users per single gateway ADQuery agent RADIUS Accounting with groups Installed on any Windows based server (does not use WMI) Queries the domain controllers and propagates identities to one or more PDP gateways Less permissions More scalable, and less load on gateways and domain controllers ADQuery agent can serve as alternative to the standard ADQuery and Cross CMA solution (sk65404). Soon to come Supporting 200K users per single gateway ADQuery agent RADIUS Accounting with groups Current RADIUS Accounting implementation relies on LDAP servers for authorization (fetching groups) Allows for reading group information from the RADIUS Accounting messages directly, without the need to access other entities (LDAP server) Requires adding groups to the RADIUS Accounting message

19 Thank You!! Introducing New Virtual Systems Appliances Complete solution including Appliance, Software Blades and Virtual Systems Model SKU Description Included s Included SW blades 4400 CPAP SG4400 NGFW 5 1 x 4407 appliance LS CPAP SG4400 NGFW x 4407 appliance cluster CPAP SG4600 NGFW 5 1 x 4607 appliance LS CPAP SG4600 NGFW x 4607 appliance cluster CPAP SG4800 NGFW 10 1 x 4807 appliance LS CPAP SG4800 NGFW x 4807 appliance cluster CPAP SG12200 NGFW 10 1 x appliance LS CPAP SG12200 NGFW x appliance cluster 10 NGFW 7 blade package: * Firewall * VPN * IA * ADNC * MOB * IPS * APCL CPAP SG12400 NGFW 10 1 x appliance LS CPAP SG12400 NGFW x appliance cluster 10

20 Introducing New Virtual Systems Appliances Complete solution including Appliance, Software Blades and Virtual Systems Model SKU Description Included s Included SW blades CPAP SG12600 NGFW 20 1 x appliance LS CPAP SG12600 NGFW x appliance cluster CPAP SG13500 NGFW 20 1 x appliance LS CPAP SG13500 NGFW x appliance cluster CPAP SG21400 NGFW 20 1 x appliance LS CPAP SG21400 NGFW x appliance cluster CPAP SG21600 NGFW 20 1 x appliance LS CPAP SG21600 NGFW x appliance cluster 20 NGFW 7 blade package: * Firewall * VPN * IA * ADNC * MOB * IPS * APCL CPAP SG21700 NGFW 20 1 x appliance LS CPAP SG21700 NGFW x appliance cluster 20 Virtual Systems Appliance Performance Firewall Throughput VPN Throughput Concurrent Sessions LS LS LS LS LS 5 Gbps 9 Gbps 9 Gbps 16 Gbps 11 Gbps 20 Gbps 15 Gbps 27 Gbps 25 Gbps 45 Gbps 1.2 Gbps 2.1 Gbps 1.5 Gbps 2.7 Gbps 2 Gbps 3.6 Gbps 2.5 Gbps 4.5 Gbps 3.5 Gbps 6 Gbps 1.2M 1.4M 1.2M 1.4M 3.3M 4M 5M 6M 5M 6M LS LS LS LS LS Firewall Throughput 30 Gbps 54 Gbps 77 Gbps Gbps 50 Gbps 90 Gbps 75 Gbps 135 Gbps 78 Gbps 140 Gbps VPN Throughput 6 Gbps 10.5 Gbps 17 Gbps 30.6 Gbps 7 Gbps 12.5 Gbps 8.5 Gbps 15 Gbps 10.9 Gbps 19.5 Gbps Concurrent Sessions 5M 6M 28M 33.6M 10M 12M 13M 15.6M 13M 15.6M