Check Point security architecture (not only) for your private cloud
Peter Kovalcik | SE Eastern Europe
©2014 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved.
Growing enterprise complexity 
METHODOLOGY OF SDP 
STEP 1: SEGMENTATION 
STEP 2: DEFINE PROTECTIONS 
STEP 3: CONSOLIDATION 
STEP 4: POLICY DEFINITION 
Segmentation 
METHODOLOGY OF SDP: STEP 2: DEFINE PROTECTIONS
Access Control vs. Threat Prevention 
Risk-based Selection 
Threat Prevention

Segment   Target            Protections
DMZ       Servers           IPS
LAN       Client machines   IPS, AV, TE
DC        Servers           IPS
LAN       Users             AB (blocks C&C communication)

IPS = Intrusion Prevention, AV = Anti-Virus, TE = Threat Emulation, AB = Anti-Bot. Protections are chosen per segment from the risk to its target: servers in the DMZ and data center get IPS, client machines additionally get file inspection (AV, TE), and user traffic gets Anti-Bot to detect infected hosts by their command-and-control (C&C) traffic.
Data Protection

Segment   Target            Protections
LAN       Users             DLP
DC        Servers, Data     DLP
METHODOLOGY OF SDP: STEP 3: CONSOLIDATION
Consolidation 
Virtual Edition: securing VMware ESX

Security challenges in virtual environments:
• Protection from external threats
• Inspect traffic between Virtual Machines (VMs)
• Secure new Virtual Machines automatically
VE Operation Mode: Network Mode vs. Hypervisor Mode

Network Mode: the VE gateway (GW) is itself a VM with a vNIC on vSwitch 1, on vSwitch 2 and on the external network (Ext), so only packets that leave a vSwitch pass through it.
• Protection from external threats
• Not aware of VM-to-VM traffic switched locally inside a vSwitch (for example between 2.1.1.1 and 2.1.1.2 on the same vSwitch)

Hypervisor Mode: the VE gateway plugs into the hypervisor's Security API, and an Agent on each VM vNIC intercepts packets and hands them to the gateway.
• Protects VMs with inspection of VM-to-VM traffic inside the vSwitch
• Supports dynamic virtual environments
Deployments before VMsafe integration

Gateway is not aware of traffic switched inside the vSwitch: VMs 2.1.1.1 through 2.1.1.5 share one vSwitch, with the gateway (GW) sitting between the vSwitch and the external network (Ext). A packet from one VM to another on the same vSwitch is switched locally and never reaches the gateway, so packets are not inspected inside the vSwitch.
Layer 2 security packet flow

ESX Server with VMs 2.1.1.1 through 2.1.1.5 on one vSwitch, an Agent on every VM vNIC, and the VE gateway attached through the Security API.
1. 2.1.1.1 sends a packet to 2.1.1.3.
2. The packet is intercepted in the Agent on the sending vNIC and forwarded to the Gateway (VE) for inspection.
3. The packet passes firewall inspection and is sent back to the Agent.
4. The packet continues the flow from where it was intercepted; at the destination vNIC it is not inspected again.
Layer 2 security in dynamic environments: connection setup

Two hosts, ESX 1 and ESX 2, each run a Security Gateway VE attached to the local vSwitch through the Security API, with Agents on the VM vNICs, external (Ext) connectivity, and a Sync link between the two VEs. VMs 2.1.1.1 and 2.1.1.3 run on ESX 1.
A connection is initiated from 2.1.1.1 to 2.1.1.3: the VE on ESX 1 inspects it, and the connection state is synchronized to the VE on ESX 2.
Layer 2 security in dynamic environments: VM migration

VM 2.1.1.3 is migrating from ESX 1 to ESX 2 (2.1.1.1 and 2.1.1.2 remain on ESX 1). Over the Sync link, the connections related with 2.1.1.3 are marked as handled by ESX 1, so the SG VE on ESX 2 knows which host owns the existing state.
Layer 2 security in dynamic environments: traffic after migration

VM 2.1.1.3 now runs on ESX 2; 2.1.1.1 and 2.1.1.2 are on ESX 1.
• Existing connection: a packet from 2.1.1.3 intercepted by the Agent on ESX 2 is forwarded to the VE on ESX 1, which owns the connection state.
• New connection: a packet opening a new connection from 2.1.1.3 is not forwarded; the VE on ESX 2 inspects it locally.
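The three slides above describe one procedure: a per-host gateway inspects a new connection, its state is synchronized to the other hosts' gateways together with the owning host, and after the endpoint VM migrates, packets of the existing connection are forwarded to the owner while new connections are inspected locally. The following is an added example written for this page, not Check Point code: a toy Python model of that ownership and forwarding logic. The class and function names (ConnKey, Packet, Gateway, Cluster, demo), the host names ESX1/ESX2, the toy policy that only allows new connections to TCP/80, and the simplifications that "Sync" is a direct write into every gateway's table and that forwarding is a direct method call are all assumptions of the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ConnKey:
    src: str
    dst: str
    sport: int
    dport: int

    def reverse(self) -> "ConnKey":
        return ConnKey(self.dst, self.src, self.dport, self.sport)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int

    def key(self) -> ConnKey:
        return ConnKey(self.src, self.dst, self.sport, self.dport)


class Gateway:
    """Security Gateway VE on one ESX host (toy model). Its connection table is
    kept in sync with the other hosts' VEs; each entry records the owning host."""

    def __init__(self, host: str, cluster: "Cluster") -> None:
        self.host = host
        self.cluster = cluster
        self.table: Dict[ConnKey, str] = {}
        self.log: List[Tuple[str, str, ConnKey]] = []  # (event, host, key)

    def owner_of(self, key: ConnKey) -> Optional[str]:
        # Match either direction of an established connection.
        return self.table.get(key) or self.table.get(key.reverse())

    def handle(self, pkt: Packet) -> str:
        key = pkt.key()
        owner = self.owner_of(key)
        if owner is None:
            # New connection: evaluate policy locally, take ownership, sync.
            if not self.cluster.policy(pkt):
                self.log.append(("drop", self.host, key))
                return "drop"
            self.cluster.sync(key, self.host)
            self.log.append(("inspect", self.host, key))
            return "accept"
        if owner != self.host:
            # Existing connection created on another host (its endpoint VM
            # migrated here): forward to the owner instead of re-inspecting.
            self.log.append(("forward", self.host, key))
            return self.cluster.gws[owner].handle(pkt)
        # Existing connection owned here: stateful match, no policy lookup.
        self.log.append(("match", self.host, key))
        return "accept"


class Cluster:
    """ESX hosts with one VE each; vm_host records where each VM runs."""

    def __init__(self, hosts: List[str], vm_host: Dict[str, str],
                 policy: Callable[[Packet], bool]) -> None:
        self.policy = policy
        self.gws = {h: Gateway(h, self) for h in hosts}
        self.vm_host = dict(vm_host)

    def sync(self, key: ConnKey, owner: str) -> None:
        # The Sync link between VEs: every gateway learns the entry and its owner.
        for gw in self.gws.values():
            gw.table[key] = owner

    def send(self, pkt: Packet) -> Tuple[str, str]:
        # The Agent on the source vNIC intercepts the packet and hands it to the
        # VE of the host the VM currently runs on; the packet is inspected once.
        host = self.vm_host[pkt.src]
        return host, self.gws[host].handle(pkt)

    def migrate(self, vm: str, to_host: str) -> None:
        # The VM moves, but connections it already has stay owned by the host
        # that created them (the slides' "marked as handled by ESX 1").
        self.vm_host[vm] = to_host


def demo() -> Tuple[Cluster, List[Tuple[str, str]]]:
    # Constructed scenario following the slides: 2.1.1.1 and 2.1.1.3 start on
    # ESX1, 2.1.1.2 on ESX2. Assumed toy policy: only TCP/80 may be opened.
    def policy(p: Packet) -> bool:
        return p.dport == 80

    c = Cluster(["ESX1", "ESX2"],
                {"2.1.1.1": "ESX1", "2.1.1.2": "ESX2", "2.1.1.3": "ESX1"}, policy)
    results = []
    results.append(c.send(Packet("2.1.1.1", "2.1.1.3", 40000, 80)))  # inspected, owned by ESX1
    c.migrate("2.1.1.3", "ESX2")                                      # 2.1.1.3 moves to ESX2
    results.append(c.send(Packet("2.1.1.3", "2.1.1.1", 80, 40000)))  # existing: ESX2 forwards to ESX1
    results.append(c.send(Packet("2.1.1.3", "2.1.1.2", 50000, 80)))  # new: inspected on ESX2
    results.append(c.send(Packet("2.1.1.3", "2.1.1.2", 50001, 22)))  # new, fails policy: dropped
    return c, results


if __name__ == "__main__":
    cluster, res = demo()
    for name, gw in cluster.gws.items():
        print(name, gw.log)
    print(res)
```

The reply packet from 2.1.1.3 after migration would fail the toy policy if it were evaluated as a new connection; it is accepted only because the owning gateway on ESX1 matches it against existing state, which is the point of marking connections as handled by the original host.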
Installation automation: seamless security for dynamic environments

ESX Server with a Service Console, a vSwitch carrying VM 1 through VM 5 (for example 2.1.1.1), and the SG VE attached through the Security API and connected to the External Switch (Ext).
1. VE installed.
2. VE retrieves information on VMs, port groups and vSwitches.
3. Event sent to VE informing of new VMs.
4. VE attaches the Fast Path Agents on the vNICs of the new VMs.
METHODOLOGY OF SDP: STEP 4: POLICY DEFINITION
Management 
• Security Management
• Multi-Domain Management

Summary
• Physical Security Gateway: 21400, VSLS
• Virtual Security Gateway (VSX)
• Security Gateway Virtual Edition: Hypervisor Mode, Network Mode
• Management Server
• Cloud Orchestration
THANK YOU! 
