Check Point security architecture (not only) for your private cloud
- 1. Check Point security architecture (not only) for your private cloud
Peter Kovalcik | SE Eastern Europe
©2014 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved.
- 14. Growing enterprise complexity
- 15. METHODOLOGY OF SDP
STEP 1: SEGMENTATION
STEP 2: DEFINE PROTECTIONS
STEP 3: CONSOLIDATION
STEP 4: POLICY DEFINITION
- 17. METHODOLOGY OF SDP
STEP 1: SEGMENTATION
STEP 2: DEFINE PROTECTIONS
- 18. Access Control vs. Threat Prevention
- 20. Threat Prevention
| Segment | Target | Protections |
|---|---|---|
| DMZ | Servers | IPS |
| LAN | Client machines | IPS, AV, TE |
| DC | Servers | IPS |
- 21. Threat Prevention
| Segment | Target | Protections |
|---|---|---|
| DMZ | Servers | IPS |
| LAN | Client machines | IPS, AV, TE |
| DC | Servers | IPS |
| LAN | Users | AB (C&C) |
- 22. Data Protection
| Segment | Target | Protections |
|---|---|---|
| LAN | Users | DLP |
| DC | Servers, Data | DLP |
- 23. METHODOLOGY OF SDP
STEP 1: SEGMENTATION
STEP 2: DEFINE PROTECTIONS
STEP 3: CONSOLIDATION
- 25. Virtual Edition: securing VMware ESX
Security Challenges in Virtual Environments
• Protection from external threats
• Inspect traffic between Virtual Machines (VMs)
• Secure new Virtual Machines automatically
- 26. VE Operation Mode: Network Mode vs. Hypervisor Mode
(Diagram: in Network Mode the VE gateway sits between the external network and vSwitch 1 / vSwitch 2; in Hypervisor Mode the VE inspects traffic through Agents attached to the VMs via the Security API.)
Network Mode:
• Protection from external threats
• Not aware of inter-vSwitch traffic
Hypervisor Mode:
• Protects VMs with inter-vSwitch inspection
• Supports dynamic virtual environment
- 27. Deployments before VMsafe integration
Gateway is not aware of inter-vSwitch traffic.
(Diagram: external GW in front of a vSwitch hosting VMs 2.1.1.1 to 2.1.1.5; packets between the VMs are not inspected inside the vSwitch.)
- 28. Layer 2 security packet flow
(Diagram: ESX Server with VMs 2.1.1.1 to 2.1.1.5, one Agent per VM, the vSwitch, the Security API and the VE gateway.)
1. 2.1.1.1 sends a packet to 2.1.1.3.
2. The packet is intercepted in the Agent and forwarded to the Gateway for inspection.
3. The packet passes firewall inspection and is sent back to the Agent.
4. The packet continues its flow from where it was intercepted.
5. The packet is not inspected again.
- 29. Layer 2 security in dynamic environments
(Diagram: ESX 1 and ESX 2, each with its own VE, Security API, vSwitch and Agents; the two VEs are linked by Sync.)
Connection initiated from 2.1.1.1 to 2.1.1.3.
- 30. Layer 2 security in dynamic environments
(Diagram: same ESX 1 / ESX 2 setup with an SG VE on each host, linked by Sync.)
VM 2.1.1.3 is migrating to ESX 2.
Connections related to 2.1.1.3 will be marked as handled by ESX 1.
- 31. Layer 2 security in dynamic environments
(Diagram: 2.1.1.3 now runs on ESX 2 while 2.1.1.1 and 2.1.1.2 remain on ESX 1; the VEs are linked by Sync.)
Existing connection: packet forwarded to ESX 1.
New connection: packet not forwarded.
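The migration behaviour on slides 29 to 31 (existing connections stay with the original host, new ones are inspected locally), as an added simplified model that is not Check Point code; the IPs follow the slides, the class and function names are assumptions:

```python
"""Constructed example (not Check Point code): simplified model of the
connection-ownership rule shown for Security Gateway VE in hypervisor mode.
A connection is tracked by the gateway that first inspected it; when a VM
migrates, its connections are marked as handled by the original ESX host
and synced, so existing traffic is forwarded back, new traffic stays local."""
from dataclasses import dataclass, field

Conn = tuple[str, str]

def conn_key(src: str, dst: str) -> Conn:
    """Identify a connection independently of packet direction."""
    return (src, dst) if src <= dst else (dst, src)

@dataclass
class SyncTable:
    """State shared between the two VE gateways over the Sync link."""
    handled_by: dict[Conn, str] = field(default_factory=dict)

@dataclass
class VEGateway:
    name: str
    sync: SyncTable
    local: set[Conn] = field(default_factory=set)

    def handle(self, src: str, dst: str) -> str:
        """Decide where a packet intercepted by this host's Agent goes."""
        key = conn_key(src, dst)
        owner = self.sync.handled_by.get(key)
        if owner is not None and owner != self.name:
            return f"forwarded to {owner}"      # existing connection (slide 31)
        self.local.add(key)                     # new or locally owned connection
        return f"inspected on {self.name}"

def migrate_vm(vm_ip: str, src: VEGateway) -> int:
    """Mark every connection of the migrating VM as handled by its original
    host and publish the mark via Sync (slide 30). Returns the count marked."""
    related = [c for c in src.local if vm_ip in c]
    for c in related:
        src.sync.handled_by[c] = src.name
    return len(related)

def migration_scenario() -> dict[str, str]:
    sync = SyncTable()
    esx1, esx2 = VEGateway("ESX 1", sync), VEGateway("ESX 2", sync)
    out = {"initial": esx1.handle("2.1.1.1", "2.1.1.3")}   # slide 29
    out["marked"] = str(migrate_vm("2.1.1.3", esx1))       # 2.1.1.3 moves to ESX 2
    out["existing"] = esx2.handle("2.1.1.3", "2.1.1.1")    # reply on existing conn
    out["new"] = esx2.handle("2.1.1.3", "2.1.1.2")         # new conn from migrated VM
    return out
```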
- 32. Installation automation
Seamless security for dynamic environments
(Diagram: ESX Server with Service Console, vSwitch, Security API, SG VE, an external switch and VMs 1 to 5, each with an Agent.)
1. VE installed.
2. VE retrieves information on VMs/Port groups/vSwitches.
3. Event sent to VE informing of new VMs.
4. VE attaches the Fast Path Agents on the vNICs of the new VMs.
- 33. METHODOLOGY OF SDP
STEP 1: SEGMENTATION
STEP 2: DEFINE PROTECTIONS
STEP 3: CONSOLIDATION
STEP 4: POLICY DEFINITION
- 35. Summary
Physical Security Gateway
• 21400 VSLS
Management Server
• Security Management
• Multi-Domain Management
Virtual Security Gateway (VSX)
Security Gateway Virtual Edition
• Hypervisor Mode
• Network Mode
Cloud Orchestration
- 36. THANK YOU!