Check Point VPN-1 Virtual Edition - Next Generation
TRANSCRIPT
©2010 Check Point Software Technologies Ltd. | [Unrestricted] For everyone
Check Point Simplifies Cloud Security
August 31, 2010
Agenda
1 Customer Challenges
2 Solution Overview
3 Use Cases
4 Packaging and Pricing
5 Summary
Server Virtualization Market Trends
► By 2012 half of the enterprise workload will be virtualized
► 60% of IT Managers claim securing virtual machines is difficult
Organizations with virtualized environments are asking for a simple solution to secure the Virtual Machines.
Virtualization Security Challenges
Inspect traffic between Virtual Machines (VMs)
Secure new Virtual Machines automatically
Protection from external threats
Security Challenges in Virtual Environments
Virtualization Security Challenges
Security Challenges in Virtual Environments (Data Center/Cloud)
Maintain zero-downtime during Virtual Machines live migration
Ensure Security in dynamic environments
Deployments before VMsafe integration
[Diagram: VMs 2.1.1.1 to 2.1.1.5 attached to a vSwitch; external (Ext) gateway (GW)]
Gateway is not aware of inter-vSwitch traffic
Packets not inspected inside vSwitch
Introducing Check Point Security Gateway Virtual Edition (VE)
Unified Management for Physical and Virtual
Best Virtual Security Gateway with the Software Blade Architecture
Securing the Virtual Machines
Check Point Delivers Plug and Play Security for Public and Private Clouds
Starting at $2,000
Software Blades
Check Point Security Gateway
Virtual Edition
Secure the Virtual Infrastructure
Inter-VM Traffic Inspection Protects Virtual Machines
► Seamless security within the Hypervisor
► Integration with VMsafe technology
► Audit configuration changes in the virtualization system
[Diagram: VMs and the VE on a Hypervisor with the Hypervisor Connector]
Security Gateway VE with VMsafe
Complete integration and awareness of VMware - VMotion, Storage VMotion, HA and others
Protects VMs with inter-vSwitch inspection
[Diagram labels: Internet; Check Point UTM-1 Security Gateway; VMware ESX; NIC Teams; Service Console; Internet vSwitch; Internal vSwitch; Check Point VE Security Gateway; VMs for Web Servers, Application Servers and Database Servers; Cardholder data; Production LAN; Management LAN; VMware vCenter]
Virtual Edition Features
Best Security
► Include Firewall, IPS, VPN and all other Software Blades.
► Flexible and extensible security
VMs Protection
► Plug and Play with no topology changes
► Securing new VMs automatically
► Zero-downtime during VMs live migration
Unified Management
► Same management for Physical and Virtual
► Running the management blades on a Virtual Machine
[Diagrams: Check Point Security Gateway Virtual Edition (VE) with Firewall, IPS, VPN and Antivirus Software Blades, alongside VMs on a Hypervisor with the Hypervisor Connector; panel titles: Inspecting Inter-VM Traffic, Securing Dynamic Environments, Virtualizing the Management Systems]
Layer 2 security packet flow
[Diagram: ESX Server; VMs 2.1.1.1 to 2.1.1.5, each with an Agent; vSwitch; Security API; VE]
2.1.1.1 sends packet to 2.1.1.3
Packet intercepted in the Agent and forwarded to the Gateway for inspection
Packet passed firewall inspection and is sent back to the Agent
Packet continues the flow from where it was intercepted
Packet is not inspected again
Layer 2 security in dynamic environments
[Diagram: ESX 1 and ESX 2, each with a vSwitch, Security API, Agents, Ext links and a Security Gateway VE (SG VE); Sync between the two VEs; VMs 2.1.1.1, 2.1.1.2 and 2.1.1.3]
Connection initiated from 2.1.1.1 to 2.1.1.3
VM is migrating to ESX 2
Connections related to 2.1.1.3 will be marked as handled by ESX 1
[Diagram callouts: New connection; Existing connection; Packet forwarded to ESX 1; Packet not forwarded]
Anti-spoofing illustration
[Diagram: VMs 2.1.1.1 to 2.1.1.5, each with an Agent; vSwitch; Security API; VE]
VM 2.1.1.5 tries to spoof with VM 2.1.1.1 IP
Packet dropped
Easy Deployment
Standard Open Virtualization Format (OVF) virtual appliance
Secure virtual environment by installing a virtual appliance
Deployment - Layer 2 mode
Automatic - No network changes required
► Protects all Virtual Machines on the ESX host
► Attaches fast path agent to all virtual NICs on the ESX host
► Creates new vSwitch named _cp_private_vswitch
► Creates new port group named _cp_private
► Connects Security Gateway VE to _cp_private port group
Installation automation
Seamless security for dynamic environments
[Diagram: ESX Server; Service Console; External Switch (Ext); vSwitch; Security API; SG VE; VM 1 to VM 5, each with an Agent]
VE installed
VE retrieves information on VMs/Port groups/vSwitches
Event sent to VE informing of new VMs
VE attaches the Fast Path Agents on the vNICs of the new VMs
Flexible Virtual Machine security
The Fast Path Agent configuration options
► Bypass: Pass the packet without inspection
► Secure: Forward the packet to security gateway
► Block: Drop the packet
► Monitor-only: Inspects and logs packets that would have been dropped
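A conceptual model of the behaviour described on the packet-flow, anti-spoofing and Fast Path Agent option slides, added here as an example and not Check Point code. The function names, the vNIC-to-IP inventory, the allow-list rule and the placement of the spoof check in the gateway are assumptions constructed for illustration.

```python
from enum import Enum

class Mode(Enum):
    BYPASS = "bypass"          # pass the packet without inspection
    SECURE = "secure"          # forward the packet to the security gateway
    BLOCK = "block"            # drop the packet
    MONITOR = "monitor-only"   # inspect and log, but never drop

# Constructed inventory: vNIC name -> IP address assigned to that VM.
VNIC_IP = {"vm1": "2.1.1.1", "vm3": "2.1.1.3", "vm5": "2.1.1.5"}

# Constructed rule base: (source, destination, destination port) allowed.
ALLOWED = {("2.1.1.1", "2.1.1.3", 443)}

def gateway_verdict(sender_vnic, pkt, allowed):
    """Hypothetical gateway policy: anti-spoofing first, then the allow-list.

    Assumption: the gateway learns which vNIC the packet entered on, so it
    can compare the claimed source IP with the address of that VM.
    """
    if pkt["src"] != VNIC_IP[sender_vnic]:
        return "drop", "spoofed source"
    if (pkt["src"], pkt["dst"], pkt["dport"]) not in allowed:
        return "drop", "no matching rule"
    return "accept", "rule match"

def agent_handle(sender_vnic, pkt, mode, allowed, log):
    """Decision of the agent on the sender's vNIC; True means delivered."""
    if mode is Mode.BYPASS:
        return True
    if mode is Mode.BLOCK:
        return False
    # SECURE and MONITOR both hand the packet to the gateway for a verdict.
    verdict, reason = gateway_verdict(sender_vnic, pkt, allowed)
    if verdict == "drop":
        log.append((mode.value, sender_vnic, reason))
        # Monitor-only logs what would have been dropped and still delivers.
        return mode is Mode.MONITOR
    # Accepted: the packet resumes from where it was intercepted and the
    # receiving vNIC's agent does not send it to the gateway a second time.
    return True
```

Running a vNIC in monitor-only mode first shows which flows the policy would drop before switching that vNIC to secure mode.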
Single security management
Unified administration of physical and virtualized environments
Single console to manage all firewall rules
Single console for IPS
Integration of ESX logs
VMware ESX Server logs
Logging and auditing of virtualization events
ESX logs integrated into Check Point management
Virtualized Security Scenarios
Office in a Box: Use Security Gateway Virtual Edition (VE) with firewall, IPS, VPN and Software Blade to secure your office networks and assets
Enterprise Security Gateways: Consolidate your Security Gateways deployment into a virtualized environment
Secure the Virtual Environment: Use Security Gateway Virtual Edition to apply granular firewall and IPS policies for inter-VM traffic
Software Blades for Virtual Systems
New containers for Security Gateway VE
SGVExxxx
Firewall with integrated Hypervisor protection
Based on number of physical cores
From $2000
GA: Sep 2010
Optional: Additional Software Blades can be added A-La-Carte
Pricelist
Secure Gateway Virtual Edition – Containers
The following products are based on the Software Blades architecture
Security Gateway VE Container | Specifications | Container Price
SGVE4801 | For Security Gateway VE on a Virtual System with up to 48 cores | $6,000
SGVE1601 | For Security Gateway VE on a Virtual System with up to 16 cores | $3,000
SGVE801 | For Security Gateway VE on a Virtual System with up to 8 cores | $2,000
The Firewall blade is included in the Security Gateway container price.
Additional software blades can be added separately.
Gateways are licensed based on number of available physical cores.
Summary
Unified Management for Physical and Virtual
Best Virtual Security Gateway with the Software Blade Architecture
Securing the Virtual Machines
Check Point Delivers Plug and Play Security for Public and Private Clouds
Starting at $2,000
Software Blades
Check Point Security Gateway
Virtual Edition
Thank You!