Check Point Virtual Systems & Identity Awareness


Check Point Virtual Systems & Identity Awareness
Jason Card, Senior Security Consultant, CISSP, card@avantec.ch

Agenda
- Check Point Virtual Systems: Private Cloud, Simplify Security, Overview
- Identity Awareness: Features, Performance Tips, Best Practice, Coming Soon

Increasing Complexity: Need More Simplicity and Less Complexity
- More complex networks with increasing segmentation drive up cost
- More advanced threats require multi-layered defense
- More policies with many rules are needed to meet growing business demands
[Diagram: many separate gateways, each with its own policy (Policy 1 to Policy 13) for Sales, VPN Customer, Web, Partner, Internet, Legal, Engineering, Data Center, Email, Marketing, HR and Finance]

Moving to Private Clouds: Check Point Virtual Systems
[Diagram: the same networks (Partner, Sales, Internet, Datacenter, Web, email, Finance, HR, Legal, VPN Customer, Marketing, Engineering) consolidated onto virtualized gateways, with one policy per virtual system]
Virtualized Gateways Simplify Private Cloud Security

Simplify Security
- Consolidation: maximize investment with optimized hardware utilization; lower costs by consolidating multiple security gateways; simplified management from a single management console
- Scalability: easily expand security protection by adding more virtual systems; seamlessly expand security capacity for future business and network growth
- Multi-Tenancy: secure multiple networks from a single gateway; customized security and policy per virtual system

The Power of Virtualization
For 10 years, Check Point X on dedicated hardware has delivered value and security for hundreds of our customers:
- Consolidate up to 250 gateways to secure many customers and networks
- Multi-s with central management using Check Point SM and MDSM
- High scalability and full redundancy with LS Check Point X appliances

Introducing Check Point Virtual Systems: Tapping the POWER of Virtualization
Next Generation Virtual System:
- Can run any Software Blades on any Check Point Appliance
- All Software Blades on every Virtual System
- Simplify and consolidate
- Boosting performance (LS Check Point)

Software Blades for Virtual Systems
Firewall, IPS, Application Control, Identity Awareness, URL Filtering, Antivirus, Anti-Bot, Mobile Access*
- Software Blades on Virtual Systems and Open Servers
- Virtual System on any platform
- Software Blade security on every Virtual System
* SSL VPN available in a later release

Consolidate Security
- One-Click Virtual System Creation: simple virtualization wizard and provisioning templates
- ONE Gateway Security with Virtual Systems: Finance, HR, Partners, Web, Customers, Enterprise INTRANET
- Dedicated Policy per Virtual System: customized security functions with granular security policies
- Ease of Operation: resource monitoring on each Virtual System; software upgrades without downtime; inter- traffic redirecting via integrated virtual routers and switches

Performance and Scalability
- High Connection Capacity: 8X concurrent connections with 64-bit GAiA OS; advanced routing options with multiple routing and multicasting protocols
- Multi-Core Performance: Check Point CoreXL technology; enhanced deep packet inspection throughput with security acceleration
- Linear Scalability: patented LS technology; scale up to 12 cluster members

Two Ways to Get Virtual Systems
- Virtual Systems Appliances (HW/SW bundle): dedicated pre-configured Virtual System appliances
- Virtual Systems Software (SW license): virtualize any appliance or open server; Virtual System licenses in packs of x1, x3, x10, x25 and x50

Single SKU Virtual Systems Appliance
Complete solution including Appliance, Software Blades and Virtual Systems
- Models: 4400, 4600, 4800, 12200, 12400, 12600, 13500, 21400, 21600, 21700
- 7-Blade Package: Firewall, VPN, IA, ADNC, MOB-5, IPS, APCL
- Virtual Systems bundles: -5 / -10 / -20

Virtual Systems Software
- Free license x1: Security Gateway + Software Blades + one Virtual System license
- Additional licenses: Virtual System packs of x3, x10, x25 and x50
- Virtual System price is the same for all appliances and open servers
- Software Blades are priced per gateway and can be used on all instances
- One complementary Virtual System* per gateway
* Available for: 4800, 12000, 21000, Power-1 9000, Power-1 11000, IP-1280, IP-2450 and open servers with 4 cores or more

X Supported GWs
- Check Point Appliances, 2012 models: 2200, 4000, 12000, 13500, 21000
- UTM-1: UTM-1 3070
- Power-1: Power-1 9000, Power-1 11000
- IP Series: IP-1280, IP-2450
- X: all X appliances
- Open Servers: open servers with up to 12 cores

Software Packaging
Package | Availability | Price
License x1 | Complementary with 4800 and above Virtual Systems gateways | Included
License x3 | Available for 2200, 4200, 4400, 4600 and open servers with 1 or 2 cores only | $3,000
License x10 | Available for all gateways | $10,000
License x25 | Available for all gateways | $23,000
License x50 | Available for all gateways | $43,000

Summary: Check Point Virtual Systems
- Maximize Security Gateway investment
- Advanced security with Software Blades
- High scalability and performance
- Simple deployment and provisioning
- Simplifying security for private clouds

Identity Awareness: Features, Performance, Best Practices, Coming Soon

Identity Awareness
- Granular access to data centers, applications and network segments by user, machine or location
- Integrated into the Check Point Software Blade Architecture
- Provides scalable identity sharing between gateways
- Seamless Active Directory (AD) integration with multiple deployment options: clientless, Captive Portal or Identity Agent
[Diagram: branch offices accessing the HQ. Branch Offices A, B and C each have an Identity GW (A, B, C) that queries their local domain controllers (DC1, DC2); the HQ Identity GW (DC1, DC2, DC3) shares identities with the Data Center gateways.]

New Identity Awareness Features in R75.40 and R76
- User and Machine Awareness
- Transparent (browser-based) Portal Authentication (R75.40)
- Identity Agent for Terminal Servers / Citrix (R75.40)
- SSO with Remote Access Clients (R75.40)
- IPv6 support (R76)
- Support for NTLMv2 (R76)
Across all Software Blades and Security Gateways

New Identity Awareness Features in R77
- RADIUS Accounting
- User and Machine Awareness
- IF-MAP
- Automatic LDAP group update
- Automatic exclusion of service accounts
Across all Software Blades and Security Gateways

Improving ADQuery Performance: Distribute Domain Controllers between Gateways
- A single GW can handle 800 to 1000 security events per second (12000 device)
- Limit the number of AD security events parsed by each GW by configuring each GW to query a different set of DCs
- Configure an identity GW on each geographical site and configure identity sharing as necessary

Improving ADQuery Performance: Exclude Service Accounts and Servers
- Service accounts are user accounts which provide a specific security context. They generate multiple security events without substantial identity value.
- It is highly recommended to exclude all known service accounts from ADQuery.
- Exchange servers, proxy servers, DNS servers and TS/Citrix servers should be excluded, particularly when the "Assume that only one user is connected per computer" option is checked.
- The new Automatic Exclusion of Service Accounts feature simplifies these tasks.
- As a best practice, it is still advised to exclude any known service account manually.

Using Identity Awareness for Whitelisting
- Best practice: grant access to identified users while denying access to unidentified users
- It is not recommended to block specific users while granting access to all the rest
- Captive Portal can be configured to back up ADQuery

Tweaking the Thresholds
- ia_max_authenticated_users: maximum number of identities a single PDP (identity server) can store
- ia_max_enforced_identities: maximum number of identities a single PEP (Security Gateway) can store
- Default value: 30,000
- Thresholds can be increased, depending on machine memory and PDP load
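As an added illustration of the two preceding slides (exclusion of service accounts and multi-user servers, and the whitelisting rule), the following Python model is not Check Point code: it mimics an ADQuery-style collector building IP-to-user mappings from constructed AD logon events, shows how an unexcluded service account or terminal server overwrites a real user under the "one user per computer" assumption, caps the store the way the ia_max_* thresholds do, and then evaluates a whitelist rule. The event tuples, account names, IPs and exclusion lists are all constructed.

```python
# Added illustration, not Check Point code: a simplified ADQuery-style
# collector turning AD logon events into IP-to-user mappings, showing why
# service accounts and multi-user hosts are excluded, plus a whitelist rule.

# Constructed AD security events as (event_id, account, source_ip);
# 4624 is the Windows "successful logon" event such collectors rely on.
EVENTS = [
    (4624, "alice", "10.1.1.10"),
    (4624, "svc_backup$", "10.1.1.10"),  # service account on alice's host
    (4624, "bob", "10.1.1.11"),
    (4672, "bob", "10.1.1.11"),          # privilege assignment, not a logon
    (4624, "carol", "10.1.1.50"),        # terminal server: many users, one IP
    (4624, "dave", "10.1.1.50"),
    (4624, "svc_sql", "10.1.1.20"),
]
SERVICE_ACCOUNTS = {"svc_backup$", "svc_sql"}  # constructed exclusion list
EXCLUDED_HOSTS = {"10.1.1.50"}                  # constructed: TS/Citrix host


def build_identity_map(events, service_accounts=frozenset(),
                       excluded_hosts=frozenset(), one_user_per_host=True,
                       max_identities=30000):
    """Return ({ip: [users]}, dropped_count).

    one_user_per_host models the "assume that only one user is connected
    per computer" option: the newest logon replaces the previous user.
    max_identities stands in for the ia_max_* thresholds: once the store
    is full, further identities are dropped and counted."""
    identities, stored, dropped = {}, 0, 0
    for event_id, account, ip in events:
        if event_id != 4624:
            continue  # only successful logons carry identity value
        if account in service_accounts or ip in excluded_hosts:
            continue  # excluded: event not parsed, no mapping churn
        users = identities.get(ip, [])
        if account in users:
            continue
        if one_user_per_host and users:
            stored -= len(users)  # replace instead of growing the store
            users = []
        elif stored >= max_identities:
            dropped += 1  # threshold reached: identity lost, not enforced
            continue
        users.append(account)
        identities[ip] = users
        stored += 1
    return identities, dropped


def whitelist_decision(ip, identities, allowed_group):
    """Whitelist rule: accept identified members of allowed_group and drop
    everyone else, including sources with no identity at all."""
    users = identities.get(ip, [])
    if not users:
        return "drop:unidentified"
    return "accept" if any(u in allowed_group for u in users) else "drop:not-in-group"
```

Run with the exclusions, alice keeps her mapping on 10.1.1.10; run without them, the service account's logon replaces her and the whitelist rule drops her traffic, which is exactly the failure mode the exclusion advice prevents.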

LDAP Nested Groups Configurations
- Until R75.40, a user was matched only to an LDAP group he explicitly belonged to.
- Starting with R75.40 (and enabled by default since R75.45) there is full support for LDAP Nested Groups. See sk66561.

SK88520: Latest Tips and Best Practices
- Based on lessons learnt from customer deployments
- Updated on a regular basis

SK101558: Recommendations for Identity Awareness in X Solutions
- Small to large environments
- ADQuery and RADIUS

Soon to Come
- Supporting 200K users per single gateway: improved engine that can handle more identified users (a big improvement over the current 30K users)
- Improved performance during policy installations: identifying whether or not the newly installed policy has any IDA-related changes
- ADQuery agent
- RADIUS Accounting with groups

Soon to Come: ADQuery Agent
- Installed on any Windows-based server (does not use WMI)
- Queries the domain controllers and propagates identities to one or more PDP gateways
- Fewer permissions
- More scalable, with less load on gateways and domain controllers
- The ADQuery agent can serve as an alternative to the standard ADQuery and Cross-CMA solution (sk65404)

Soon to Come: RADIUS Accounting with Groups
- The current RADIUS Accounting implementation relies on LDAP servers for authorization (fetching groups)
- Allows reading group information from the RADIUS Accounting messages directly, without the need to access other entities (LDAP server)
- Requires adding groups to the RADIUS Accounting message

Thank You!!

Introducing New Virtual Systems Appliances
Complete solution including Appliance, Software Blades and Virtual Systems

Model | SKU | Description | Included Virtual Systems | Included SW blades
4400 | CPAP SG4400 NGFW 5 | 1 x 4407 appliance | 5 | NGFW 7-blade package
4400 LS | CPAP SG4400 NGFW 5 2 | 2 x 4407 appliance cluster | 5 | NGFW 7-blade package
4600 | CPAP SG4600 NGFW 5 | 1 x 4607 appliance | 5 | NGFW 7-blade package
4600 LS | CPAP SG4600 NGFW 5 2 | 2 x 4607 appliance cluster | 5 | NGFW 7-blade package
4800 | CPAP SG4800 NGFW 10 | 1 x 4807 appliance | 10 | NGFW 7-blade package
4800 LS | CPAP SG4800 NGFW 10 2 | 2 x 4807 appliance cluster | 10 | NGFW 7-blade package
12200 | CPAP SG12200 NGFW 10 | 1 x 12207 appliance | 10 | NGFW 7-blade package
12200 LS | CPAP SG12200 NGFW 10 2 | 2 x 12207 appliance cluster | 10 | NGFW 7-blade package
12400 | CPAP SG12400 NGFW 10 | 1 x 12407 appliance | 10 | NGFW 7-blade package
12400 LS | CPAP SG12400 NGFW 10 2 | 2 x 12407 appliance cluster | 10 | NGFW 7-blade package
12600 | CPAP SG12600 NGFW 20 | 1 x 12607 appliance | 20 | NGFW 7-blade package
12600 LS | CPAP SG12600 NGFW 20 2 | 2 x 12607 appliance cluster | 20 | NGFW 7-blade package
13500 | CPAP SG13500 NGFW 20 | 1 x 13507 appliance | 20 | NGFW 7-blade package
13500 LS | CPAP SG13500 NGFW 20 2 | 2 x 13507 appliance cluster | 20 | NGFW 7-blade package
21400 | CPAP SG21400 NGFW 20 | 1 x 21407 appliance | 20 | NGFW 7-blade package
21400 LS | CPAP SG21400 NGFW 20 2 | 2 x 21407 appliance cluster | 20 | NGFW 7-blade package
21600 | CPAP SG21600 NGFW 20 | 1 x 21607 appliance | 20 | NGFW 7-blade package
21600 LS | CPAP SG21600 NGFW 20 2 | 2 x 21607 appliance cluster | 20 | NGFW 7-blade package
21700 | CPAP SG21700 NGFW 20 | 1 x 21707 appliance | 20 | NGFW 7-blade package
21700 LS | CPAP SG21700 NGFW 20 2 | 2 x 21707 appliance cluster | 20 | NGFW 7-blade package

NGFW 7-blade package: Firewall, VPN, IA, ADNC, MOB, IPS, APCL

Virtual Systems Appliance Performance

Model | Firewall Throughput | VPN Throughput | Concurrent Sessions
4400 | 5 Gbps | 1.2 Gbps | 1.2M
4400 LS | 9 Gbps | 2.1 Gbps | 1.4M
4600 | 9 Gbps | 1.5 Gbps | 1.2M
4600 LS | 16 Gbps | 2.7 Gbps | 1.4M
4800 | 11 Gbps | 2 Gbps | 3.3M
4800 LS | 20 Gbps | 3.6 Gbps | 4M
12200 | 15 Gbps | 2.5 Gbps | 5M
12200 LS | 27 Gbps | 4.5 Gbps | 6M
12400 | 25 Gbps | 3.5 Gbps | 5M
12400 LS | 45 Gbps | 6 Gbps | 6M
12600 | 30 Gbps | 6 Gbps | 5M
12600 LS | 54 Gbps | 10.5 Gbps | 6M
13500 | 77 Gbps | 17 Gbps | 28M
13500 LS | 138.6 Gbps | 30.6 Gbps | 33.6M
21400 | 50 Gbps | 7 Gbps | 10M
21400 LS | 90 Gbps | 12.5 Gbps | 12M
21600 | 75 Gbps | 8.5 Gbps | 13M
21600 LS | 135 Gbps | 15 Gbps | 15.6M
21700 | 78 Gbps | 10.9 Gbps | 13M
21700 LS | 140 Gbps | 19.5 Gbps | 15.6M