vsx c02 vsx arch deployment

Upload: bonzecurve

Post on 03-Jun-2018


  • 8/12/2019 VSX C02 VSX Arch Deployment

    1/14

Chapter 2: VSX Architecture and Deployment

Key Terms

    VPN-1/FireWall-1 VSX
    Managed Service Provider (MSP)
    Customer Management Add-on (CMA)
    Virtual System (VS)
    VSX GUI Client
    VSX Management Server
    Multi Domain Server (MDS)
    VSX Gateway
    Context Identification
    Virtual System Matching
    VSX Inspection Module
    Network Operation Center (NOC)

VSX Overview

VPN-1/FireWall-1 Virtual System Extension (VSX) is a security and VPN solution designed to meet the demands of large-scale environments. Centrally managed and incorporating key network resources internally, VSX allows businesses to offer comprehensive firewall and VPN functions to their customers while reducing production costs and improving efficiency. By virtualizing the network infrastructure, VSX lets administrators replace a collection of standard hardware devices. The VSX Gateway is comprised of a virtual topology that includes virtual devices which replace physical ones, such as routers, traditional firewalls, and even some network cables.

When managed by Provider-1 NG, the unique architecture of VSX allows data centers or Managed Service Providers (MSPs) to separate all customer-specific data, such as objects and rules, not only in the Provider-1 NG environment with the use of Customer Management Add-ons (CMAs), but also at the Enforcement Module level through the use of Virtual Systems.

A VSX Gateway recognizes the context of traffic passing through it and acts on it. Although configured on the same gateway, multiple Virtual Systems (VSs) separately enforce each customer's Security Policy, and only on the traffic associated with the context they are protecting. Each Virtual System acts as a single standard FireWall-1 enforcement module. With VSX, MSPs can offer comprehensive security solutions to their customers by protecting their sensitive data and consolidating resources. VSX can also be integrated into an existing Check Point infrastructure.

VSX is based on Check Point's Next Generation architecture and is comprised of the following components:

    VSX GUI Client
    VSX Management Server
    VSX Gateway

[Figure: VSX Components]


VSX GUI Client

The VSX GUI Client allows Security Administrators to manage multiple VSX Gateways, and multiple Virtual Systems installed on those Gateways. The VSX GUI Client can also be used to configure Global Policies that can be applied to multiple VSX Gateways.

The VSX GUI Client can be either the VSX version of the Multi Domain GUI or the VSX version of the SmartConsole. Even though both types of VSX GUI Client are specific to VSX, they can also be deployed with other Check Point products. For example, the VSX version of SmartConsole can be used to configure the VSX Management Server or a standard VPN-1/FireWall-1 Management Module.

VSX Management Server

The VSX GUI Client connects to the VSX Management Server. The VSX Management Server can be installed on a Provider-1 NG Multi Domain Server (MDS) or as a standard SmartCenter Server. It is the VSX Management Server that maintains the Check Point databases, including the objects, rules, and policies of VSX Gateways and Virtual Systems. Although a VSX Gateway can only be managed by a VSX Management Server, a VSX Management Server can also be used to manage standard Check Point Enforcement Modules.

VSX Gateway

The VSX Gateway is the Enforcement Module for all protected networks, including the Network Operations Center (NOC). The VSX Gateway enforces the Security Policies compiled by the VSX Management Server.

VSX Gateway Security Enforcement

VSX is installed between the Data Link and Network Layers of the IP protocol stack on the gateway. Since VSX is installed at the lowest software level, below the network layer, it functions within the operating-system kernel. The VSX Gateway performs the following tasks:

    Context Identification
    Context Inspection

VPN-1/FireWall-1 VSX Context Identification

VPN-1/FireWall-1 VSX inspects all traffic traveling through the VSX Gateway to determine its context. Context Identification is based mainly on the interface by which traffic enters the gateway. VSX also gathers information about each packet's source and destination IP addresses. Using the collected information, the VSX Gateway routes the packets to the appropriate Virtual System for inspection. This process is also called Virtual System Matching. Which Virtual System receives the packets is determined by the configured Virtual System properties, including interface information.

[Figure: VSX Context Identification Module]


VPN-1/FireWall-1 VSX Inspection

Each interface is tied to a specific Virtual System. Once VSX determines the context of the traffic, including entry point and destination network, it routes the traffic to the context-related Virtual System for inspection. The Inspection Module of the Virtual System then applies its Security Policy to the incoming packets.

The VSX Inspection Modules function similarly to the Inspection Module of a VPN-1/FireWall-1 Gateway. State and context data is stored in dynamic tables, and information from the communication and application states, together with the Virtual System's network configuration and Security Policy, is used to determine whether the traffic should be allowed to pass to its destination or be dropped. As with the implicit-drop rule of VPN-1/FireWall-1, any traffic not explicitly allowed by the Security Policy is dropped.

Each Virtual System uses information from the internal structures of the IP protocol family and the relevant applications built on top of them to extract data from each packet's application content. This provides the system with context information not always provided by each application.


The state and context tables for each transaction are updated dynamically and provide continual data for subsequent traffic inspections by the VSX Inspection Module.

[Figure: VSX Inspection Module]

Virtual System Technology

The VS, installed on the VSX Gateway, is a logical system that functions as the enforcement module for a given network. Although multiple VS modules can be deployed on a single gateway, all of the network-specific data is kept in separate databases, including the dynamic state tables. Each VS is attached to either a physical or a virtual interface.

Deployment Scenarios

VSX allows MSPs to provide cost-effective security services for point-of-presence-based and hosting environments. These large-scale deployment environments benefit from VSX's ability to virtualize most network hardware. Physical hardware is expensive to maintain, takes up valuable space, and requires staff to support an ever-growing environment. By consolidating tasks onto a single machine, VSX gives MSP administrators the ability to reduce operating costs.

VSX offers MSP Security Administrators the ability to construct a virtual-network environment to replace a more costly, less efficient physical-network environment. VSX uses Virtual Systems in place of physical gateways functioning as separate firewalls. VSX's Virtual Router eliminates the need for Security Administrators to purchase a separate physical router. Even some network cables can be eliminated, through the use of virtual warp links between Virtual Systems and Virtual Routers.

Point-of-Presence Configuration Without VSX

A point-of-presence configuration is designed for MSPs who offer other services to their clients, such as Internet access, in addition to maintaining company firewalls. Using leased lines, a customer is able to connect securely with an MSP at a point-of-presence. From the point-of-presence, the customer can send and receive Internet data.

In a typical point-of-presence environment, an MSP deploys multiple physical devices, such as routers and gateways, to regulate network traffic and enforce multiple Security Policies for its different customers.

[Figure: Point-of-Presence Configuration without VSX Deployment]

Point-of-Presence Configuration With VSX

By replacing most of the physical systems in the typical point-of-presence environment, VSX reduces the cost of the MSP deployment. Notice in the example below that the physical routers and gateways, including the NOC gateway, have been replaced by a single VSX Gateway enforcing multiple policies, while still protecting the NOC.

[Figure: Point-of-Presence Configuration With VSX Deployment]

NOC Security

When operating in a standard configuration, a NOC keeps its own firewall separate from the Provider-1 NG setup. With VSX, the VSX Gateway functions as the NOC firewall. The MDS maintaining the VSX Management Server is connected to the VSX Gateway by a dedicated link on the protected network. It is the Security Policy of the VSX Gateway that is used to protect the Provider-1 NG system. Provider-1 is not a firewall, so it depends on a firewall to protect it.

Benefits of VSX 2.0.1

Security and VPN Functionality

The functionality of VSX 2.0.1 is based on NG FP3.

Overlapping IP Space Support

VSX Gateways can support overlapping IP addressing for multiple customers, protected by separate Virtual Systems.

This type of deployment scenario is not supported for customers whose networks share the same CMA.

Customer-to-Customer Connectivity

Networks protected by one VS can now connect to networks protected by another VS on the same VSX Gateway, with the new inter-VS routing functionality.

For inter-VS routing to occur, traffic from both networks must be inspected and allowed by both Virtual Systems.
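The Virtual System Matching and per-VS inspection described under VSX Gateway Security Enforcement, together with the overlapping IP space and inter-VS routing behaviour described above, modelled as a small simulation. This is an added illustration and not Check Point code: the representation of a Virtual System (bound interfaces, protected networks, an ordered rule base, its own state table), the rule tuple format, the use of a 5-tuple as the state key, and the simplification that the destination VS is found by the packet's destination address are all assumptions of the example, as are the interface names, addresses and policies in demo().

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    in_iface: str      # interface on which the packet entered the VSX Gateway
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


@dataclass
class VirtualSystem:
    """Assumed model of one VS: its context (bound interfaces), the networks it
    protects, an ordered rule base and its own dynamic state table.
    Rules are tuples (src_net, dst_net, dport or None, action)."""
    name: str
    interfaces: frozenset
    protected_nets: tuple
    rules: tuple
    state: set = field(default_factory=set)

    def inspect(self, pkt):
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reply = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.state or reply in self.state:
            return "accept"                      # known connection, no rule walk
        for src_net, dst_net, dport, action in self.rules:
            if (ip_address(pkt.src) in ip_network(src_net)
                    and ip_address(pkt.dst) in ip_network(dst_net)
                    and dport in (None, pkt.dport)):
                if action == "accept":
                    self.state.add(key)          # record the new connection
                return action
        return "drop"                            # implicit drop: nothing matched


class VSXGateway:
    def __init__(self, systems):
        self.systems = list(systems)
        self.by_iface = {}
        for vs in self.systems:
            for iface in vs.interfaces:
                if iface in self.by_iface:       # an interface belongs to one VS
                    raise ValueError(f"{iface} bound to two Virtual Systems")
                self.by_iface[iface] = vs

    def match_virtual_system(self, pkt):
        """Context Identification: the ingress interface selects the VS."""
        return self.by_iface.get(pkt.in_iface)

    def destination_system(self, pkt, ingress):
        """Assumed: the other VS whose protected network holds the destination."""
        for vs in self.systems:
            if vs is not ingress and any(
                    ip_address(pkt.dst) in ip_network(n) for n in vs.protected_nets):
                return vs
        return None

    def forward(self, pkt):
        ingress = self.match_virtual_system(pkt)
        if ingress is None:
            return "drop"                        # no context for this interface
        if ingress.inspect(pkt) == "drop":
            return "drop"
        egress = self.destination_system(pkt, ingress)
        if egress is None:
            return "accept"                      # leaves the gateway directly
        return egress.inspect(pkt)               # inter-VS: both must allow it


def demo():
    # Constructed sample: cust_a and cust_b share 10.0.0.0/24 (overlapping IP
    # space) behind different interfaces; cust_c is reachable via inter-VS routing.
    vs_a = VirtualSystem("cust_a", frozenset({"eth1"}), ("10.0.0.0/24",),
                         (("10.0.0.0/24", "0.0.0.0/0", 443, "accept"),
                          ("10.0.0.0/24", "172.16.0.0/24", None, "accept")))
    vs_b = VirtualSystem("cust_b", frozenset({"eth2"}), ("10.0.0.0/24",),
                         (("10.0.0.0/24", "0.0.0.0/0", 80, "accept"),))
    vs_c = VirtualSystem("cust_c", frozenset({"eth3"}), ("172.16.0.0/24",),
                         (("10.0.0.0/24", "172.16.0.0/24", 22, "accept"),))
    gw = VSXGateway([vs_a, vs_b, vs_c])
    https = Packet("eth1", "10.0.0.5", "198.51.100.10", "tcp", 40001, 443)
    return {
        "a_https": gw.forward(https),                 # accept: rule 1 of cust_a
        "a_https_again": gw.forward(https),           # accept: cust_a state table
        "b_same_flow": gw.forward(Packet("eth2", "10.0.0.5", "198.51.100.10",
                                         "tcp", 40001, 443)),   # drop: cust_b policy
        "a_to_c_ssh": gw.forward(Packet("eth1", "10.0.0.5", "172.16.0.9",
                                        "tcp", 40002, 22)),     # accept by both
        "a_to_c_http": gw.forward(Packet("eth1", "10.0.0.5", "172.16.0.9",
                                         "tcp", 40003, 80)),    # cust_c drops
        "unbound_iface": gw.forward(Packet("eth9", "10.0.0.5", "198.51.100.10",
                                           "tcp", 40004, 443)), # no context
        "state_a": len(vs_a.state), "state_b": len(vs_b.state),
        "state_c": len(vs_c.state),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The same 5-tuple entering on eth2 is not matched by the connection cust_a recorded, because each VS keeps its own state table, which is what makes the overlapping address space workable; a packet crossing from cust_a to cust_c is accepted only when both rule bases accept it, and a packet arriving on an interface bound to no VS has no context and is dropped.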

VSX Gateway High Availability

VSX 2.0.1 offers Security Administrators the ability to configure VSX Gateway clusters for load balancing and High Availability.

Scalable Management

VSX can now be managed with Provider-1 NG for VSX or from a standard SmartCenter Server. Additionally, VSX allows Security Administrators to configure separate management domains for one or more Virtual Systems. In Provider-1 NG for VSX, multiple Security Administrators can also be configured with granular permission control. In VSX 2.0.1, a separate management interface is no longer required. Security Administrators can now manage their VSX Gateways or clusters from the Internet, via the external gateway interface.
