Check Point VPN-1 Virtual Edition - Next Generation

©2010 Check Point Software Technologies Ltd. | [Unrestricted] For everyone Check Point Simplifies Cloud Security August 31, 2010

Upload: ipexpo-online

Post on 18-Jan-2017

TRANSCRIPT

Page 1: Check Point VPN-1 Virtual Edition - Next Generation

Check Point Simplifies Cloud Security

August 31, 2010

Page 2: Check Point VPN-1 Virtual Edition - Next Generation

Agenda

1 Customer Challenges

2 Solution Overview

3 Use Cases

4 Packaging and Pricing

5 Summary

Page 3: Check Point VPN-1 Virtual Edition - Next Generation

Server Virtualization Market Trends

► By 2012 half of the enterprise workload will be virtualized

► 60% of IT Managers claim securing virtual machines is difficult

Organizations with virtualized environments are asking for a simple solution to secure the Virtual Machines.

Page 4: Check Point VPN-1 Virtual Edition - Next Generation

Virtualization Security Challenges

Inspect traffic between Virtual Machines (VMs)

Secure new Virtual Machines automatically

Protection from external threats

Security Challenges in Virtual Environments

Page 5: Check Point VPN-1 Virtual Edition - Next Generation

Virtualization Security Challenges

Security Challenges in Virtual Environments

[Diagram: VMs running on a Hypervisor]

Page 6: Check Point VPN-1 Virtual Edition - Next Generation

Virtualization Security Challenges

Security Challenges in Virtual Environments (Data Center/Cloud)

Maintain zero-downtime during Virtual Machines live migration

Ensure Security in dynamic environments

Page 7: Check Point VPN-1 Virtual Edition - Next Generation

Deployments before VMsafe integration

[Diagram: VMs 2.1.1.1 to 2.1.1.5 attached to a vSwitch; external (Ext) gateway (GW); packet (Pkt) passing between VMs]

Gateway is not aware of inter-vSwitch traffic

Packets not inspected inside vSwitch

Page 8: Check Point VPN-1 Virtual Edition - Next Generation

Introducing Check Point Security Gateway Virtual Edition (VE)

Unified Management for Physical and Virtual

Best Virtual Security Gateway with the Software Blade Architecture

Securing the Virtual Machines

Check Point Delivers Plug and Play Security for Public and Private Clouds

Starting at $2,000

Software Blades

Check Point Security Gateway

Virtual Edition

Page 9: Check Point VPN-1 Virtual Edition - Next Generation

Secure the Virtual Infrastructure

Inter-VM Traffic Inspection Protects Virtual Machines

► Seamless security within the Hypervisor

► Integration with VMsafe technology

► Audit configuration changes in the virtualization system

[Diagram: VM, VM, VE; Hypervisor Connector; Hypervisor]

Page 10: Check Point VPN-1 Virtual Edition - Next Generation

Security Gateway VE with VMsafe

Complete integration and awareness of VMware - VMotion, Storage VMotion, HA and others

Protects VMs with inter-vSwitch inspection

[Diagram labels: Check Point VE Security Gateway; Internet vSwitch; Internal vSwitch; NIC Teams; VMware ESX; VMs (Database Servers, Application Servers, Web Servers); Internet; Service Console; Production LAN; Management LAN; VMware vCenter; Check Point UTM-1 Security Gateway; Cardholder data]

Page 11: Check Point VPN-1 Virtual Edition - Next Generation

Virtual Edition Features

Best Security

► Include Firewall, IPS, VPN and all other Software Blades.

► Flexible and extensible security

[Diagram: Check Point Security Gateway Virtual Edition (VE) with Software Blades (Antivirus, IPS, VPN, Firewall); VM, VM, VE; Hypervisor Connector; Hypervisor]

Page 12: Check Point VPN-1 Virtual Edition - Next Generation

Virtual Edition Features

VMs Protection

► Plug and Play with no topology changes

► Securing new VMs automatically

► Zero-downtime during VMs live migration

Best Security

► Include Firewall, IPS, VPN and all other Software Blades.

► Flexible and extensible security

[Diagram: Inspecting Inter-VM Traffic; VMs and VE; Hypervisor Connector; Hypervisor]

Page 13: Check Point VPN-1 Virtual Edition - Next Generation

Virtual Edition Features

VMs Protection

► Plug and Play with no topology changes

► Securing new VMs automatically

► Zero-downtime during VMs live migration

Best Security

► Include Firewall, IPS, VPN and all other Software Blades.

► Flexible and extensible security

[Diagram: Securing Dynamic Environments; VM, VM, VE; Hypervisor Connector; Hypervisor]

Page 14: Check Point VPN-1 Virtual Edition - Next Generation

Virtual Edition Features

Unified Management

► Same management for Physical and Virtual

► Running the management blades on a Virtual Machine

Best Security

► Include Firewall, IPS, VPN and all other Software Blades.

► Flexible and extensible security

VMs Protection

► Plug and Play with no topology changes

► Securing new VMs automatically

► Zero-downtime during VMs live migration

Page 15: Check Point VPN-1 Virtual Edition - Next Generation

Virtual Edition Features

Unified Management

► Same management for Physical and Virtual

► Running the management blades on a Virtual Machine

Best Security

► Include Firewall, IPS, VPN and all other Software Blades.

► Flexible and extensible security

VMs Protection

► Plug and Play with no topology changes

► Securing new VMs automatically

► Zero-downtime during VMs live migration

[Diagram: Virtualizing the Management Systems; VM, VM; Hypervisor Connector; Hypervisor]

Page 16: Check Point VPN-1 Virtual Edition - Next Generation

Layer 2 security packet flow

[Diagram: ESX Server with Security API and vSwitch; Agents on VMs 2.1.1.1 to 2.1.1.5; VE; packets (Pkt) in flight]

► 2.1.1.1 sends packet to 2.1.1.3

► Packet intercepted in the Agent and forwarded to the Gateway for inspection

► Packet passed firewall inspection and is sent back to the Agent

► Packet continues the flow from where it was intercepted

► Packet is not inspected again

Page 17: Check Point VPN-1 Virtual Edition - Next Generation

Layer 2 security in dynamic environments

[Diagram: ESX 1 and ESX 2, each with Security API, vSwitch, Agents, VE and external (Ext) interfaces; Sync between the hosts; VMs 2.1.1.1, 2.1.1.2 and 2.1.1.3; packets (Pkt) in flight]

Connection initiated from 2.1.1.1 to 2.1.1.3

Page 18: Check Point VPN-1 Virtual Edition - Next Generation

Layer 2 security in dynamic environments

[Diagram: ESX 1 and ESX 2, each with Security API, vSwitch, Agents, SG VE and external (Ext) interfaces; Sync between the hosts; VMs 2.1.1.1, 2.1.1.2 and 2.1.1.3]

VM is migrating to ESX 2

Connections related to 2.1.1.3 will be marked as handled by ESX 1

Page 19: Check Point VPN-1 Virtual Edition - Next Generation

Layer 2 security in dynamic environments

[Diagram: ESX 1 and ESX 2, each with Security API, vSwitch, Agents, VE and external (Ext) interfaces; Sync between the hosts; VMs 2.1.1.1, 2.1.1.2 and 2.1.1.3; packets (Pkt) in flight. Labels: New connection; Existing connection; Packet not forwarded; Packet forwarded to ESX 1]

Page 20: Check Point VPN-1 Virtual Edition - Next Generation

Anti-spoofing illustration

[Diagram: Security API and vSwitch; Agents on VMs 2.1.1.1 to 2.1.1.5; VE]

VM 2.1.1.5 tries to spoof the IP of VM 2.1.1.1

Packet dropped

Page 21: Check Point VPN-1 Virtual Edition - Next Generation

Easy Deployment

Standard Open Virtualization Format (OVF) virtual appliance

Secure virtual environment by installing a virtual appliance

Page 22: Check Point VPN-1 Virtual Edition - Next Generation

Deployment - Layer 2 mode

Automatic - No network changes required

► Protects all Virtual Machines on the ESX host

► Attaches fast path agent to all virtual NICs on the ESX host

► Creates new vSwitch named _cp_private_vswitch

► Creates new port group named _cp_private

► Connects Security Gateway VE to _cp_private port group

Page 23: Check Point VPN-1 Virtual Edition - Next Generation

Installation automation

Seamless security for dynamic environments

[Diagram: ESX Server with Security API, vSwitch, External Switch, Service Console and SG VE; VM 1 to VM 5, each with an Agent; VM 2.1.1.1]

► VE installed

► VE retrieves information on VMs/Port groups/vSwitches

► Event sent to VE informing of new VMs

► VE attaches the Fast Path Agents on the vNICs of the new VMs

Page 24: Check Point VPN-1 Virtual Edition - Next Generation

Flexible Virtual Machine security

The Fast Path Agent configuration options

► Bypass: Pass the packet without inspection

► Secure: Forward the packet to security gateway

► Block: Drop the packet

► Monitor-only: Inspect and log packets that would have been dropped

Page 25: Check Point VPN-1 Virtual Edition - Next Generation

Single security management

Unified administration of physical and virtualized environments

Single console to manage all firewall rules

Single console for IPS

Page 26: Check Point VPN-1 Virtual Edition - Next Generation

Integration of ESX logs

VMware ESX Server logs

Logging and auditing of virtualization events

ESX logs integrated into Check Point management

Page 27: Check Point VPN-1 Virtual Edition - Next Generation

Virtualized Security Scenarios

Office in a Box: Use Security Gateway Virtual Edition (VE) with firewall, IPS, VPN and Software Blade to secure your office networks and assets

Enterprise Security Gateways: Consolidate your Security Gateways deployment into a virtualized environment

Secure the Virtual Environment: Use Security Gateway Virtual Edition to apply granular firewall and IPS policies for inter-VM traffic

[Diagrams: VE instances on a Hypervisor, with the Hypervisor Connector in the third scenario]

Page 28: Check Point VPN-1 Virtual Edition - Next Generation

Software Blades for Virtual Systems

New containers for Security Gateway VE

SGVExxxx

Firewall with integrated Hypervisor protection

Based on number of physical cores

Optional: Additional Software Blades can be added A-La-Carte

From $2000

GA: Sep 2010

Page 29: Check Point VPN-1 Virtual Edition - Next Generation

Pricelist

Secure Gateway Virtual Edition – Containers

The following products are based on the Software Blades architecture

| Security Gateway VE Container | Specifications | Container Price |
|---|---|---|
| SGVE4801 | For Security Gateway VE on a Virtual System with up to 48 cores | $6,000 |
| SGVE1601 | For Security Gateway VE on a Virtual System with up to 16 cores | $3,000 |
| SGVE801 | For Security Gateway VE on a Virtual System with up to 8 cores | $2,000 |

The Firewall blade is included in the Security Gateway container price.

Additional software blades can be added separately.

Gateways are licensed based on number of available physical cores.

Page 30: Check Point VPN-1 Virtual Edition - Next Generation

Summary

Unified Management for Physical and Virtual

Best Virtual Security Gateway with the Software Blade Architecture

Securing the Virtual Machines

Check Point Delivers Plug and Play Security for Public and Private Clouds

Starting at $2,000

Software Blades

Check Point Security Gateway

Virtual Edition

Page 31: Check Point VPN-1 Virtual Edition - Next Generation

Thank You!