©2003-2008 Check Point Software Technologies Ltd. All rights reserved.
puresecurity™[Public] – For everyone
Technical and Architectural Overview of R70
Patrick Hanel
Technical consultant, CISSP
Agenda
– Check Point Software Blade Architecture
– Check Point R70 Technology
– Check Point R70.1
In 2009 customers have a choice
Network security solutions: multiple projects, dedicated hardware, dedicated management
OR
Check Point Software Blades: one project, multiple configurations, single management; lower investment, lower TCO, etc.
(Diagram: Corporate HQ with Firewall, VPN, IPS and Web Security; Branch Office with Firewall and VPN.)
Our new security architecture
Software blades from Check Point
Total Security – Complete Security & Management Portfolio
Security Gateway Blades
Security Management Blades
How does it work?
STEP 1: Select a container based on size (# cores)
STEP 2: Select the software blades
STEP 3: Create a system that is simple, flexible, secure
Check Point Software Blades
Software blades from Check Point: Secure, Flexible, Simple
Check Point R70 Technology
Check Point R70 – The Evolution Continues
R70 release featuring Software Blade architecture
– New IPS Software Blade
– Improved Core Firewall Performance
– New Provisioning Software Blade
R70 architecture
R70 Architecture
(Diagram: SecurePlatform OS, network interfaces, Firewall, IPS Engine and CoreXL stacked on the gateway.)
– Deeper multi-core integration
– Multi-tier IPS filtering engine: quickly filters ~90% of traffic
– Filter attacks only on the relevant sections of the traffic: reduces overhead, reduces false positives
– Performance improvements in the SecurePlatform OS
Integration with CoreXL
(Diagram: an 8-core gateway; Core #0 and Core #1 run the Secure Network Dispatcher (PPAK) serving eth0 and eth1; Cores #2–#7 run firewall kernel instances fw0–fw5, each fed by its own Medium Path queue.)
• Multiple firewall kernel instances increase performance by >70% per core
• IPS runs outside of the firewall path context
• IPS processing: ~2x faster than the firewall path
Customize to Match Hardware
(Diagram: the same 8-core gateway with Core #0 dedicated to SecureXL/Dispatcher for eth0 and eth1, and firewall and IPS kernel instances distributed across the remaining cores.)
CPU Affinity – the ability to attach software code to a physical CPU
– Kernel instances will execute firewall and IPS on that core
NIC Affinity – the ability to attach network interfaces to a SecureXL/Dispatcher core
Set ClusterXL IPS Failover Options
– Prefer security
– Prefer connectivity
New IPS Engine/Architecture
Redesigned IPS Engine
New Threat Control Engine: utilizing multiple methods of detection and analysis for accurate and confident security
• Pre-emptive and accurate detection via NEW! multi-method signature & behavioral prevention engine.
• Wide protection coverage for both server and client vulnerabilities.
• Protection profiles with attack severity, confidence, and performance settings to automatically set protections to Detect or Prevent.
• Open language for writing protections and protocol decoders.
• Application Identification for application policy enforcement.
Architecture – Main Concepts
IPS Parallel Inspection Architecture
– Multi-layered parsing – each layer screens attacks or the protocol/application.
– Parsers parse, protections protect
  » A protocol parser should not do security.
  » Protections should not re-parse the traffic again and again.
  » Makes protections much more accurate
“Accelerate” the IPS inspection
– Done by separating the IPS engines from the FW infrastructure into an independent blade.
Protects against IPS Evasion
– The Streaming Engine reassembles TCP packets
– Works in conjunction with SecureXL to accelerate packets
– Prevents IPS evasion and network attacks
– Provides packet captures
(Diagram: a request split across two packets, labelled “get b” and “ad.txt”, reassembled before inspection.)
Assembles packets for inspection and detects some attacks
Protects Against Protocol Anomalies
– Protocol parsers dissect the data stream
– Validate protocol compliance
– The outcome is a context
  – Examples of contexts are HTTP URL, FTP command, FTP file name, HTTP response, and certain files
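As an added illustration (not code from the slides or from Check Point), the following Python sketch models the two ideas on the evasion and protocol-anomaly slides: reassemble the TCP stream first, then let a protocol parser turn it into contexts such as the HTTP URL, which is all a protection inspects. The segment data and the simplified HTTP grammar are constructed for the example.

```python
"""Constructed model of the streaming-engine and protocol-parser ideas:
TCP segments are reassembled first, then an HTTP parser emits contexts
(method, URL) and protections match only on those contexts.
Not Check Point code; the HTTP grammar is deliberately simplified."""
import re

def reassemble(segments, isn):
    """Order TCP segments by sequence number and return the contiguous
    byte stream starting at isn. On overlapping retransmissions the
    first-seen byte wins; a gap ends the reassembled stream."""
    seen = {}
    for seq, data in segments:
        for offset, byte in enumerate(data):
            seen.setdefault(seq + offset, byte)
    stream = bytearray()
    pos = isn
    while pos in seen:
        stream.append(seen[pos])
        pos += 1
    return bytes(stream)

def http_contexts(stream):
    """Protocol parser: validate the request line and emit contexts.
    Returns None on a protocol anomaly (non-compliant request line)."""
    line, sep, _rest = stream.partition(b"\r\n")
    if not sep:
        return None  # no complete request line yet
    m = re.fullmatch(rb"([A-Z]+) (\S+) HTTP/1\.[01]", line)
    if not m:
        return None
    return {"HTTP method": m.group(1), "HTTP URL": m.group(2)}

def url_protection_hits(contexts, pattern):
    """A protection that inspects only the HTTP URL context, never raw packets."""
    return contexts is not None and re.search(pattern, contexts["HTTP URL"]) is not None

def per_packet_hits(segments, pattern):
    """Naive per-packet matching: the evasion that reassembly defeats."""
    return any(re.search(pattern, data) for _seq, data in segments)

# Constructed sample: "GET /ad.txt HTTP/1.0" delivered out of order and with
# an overlapping retransmission, so no single segment contains "ad.txt".
ISN = 1000
SEGMENTS = [
    (ISN + 8, b"txt HTTP/1.0\r\n\r\n"),
    (ISN, b"GET /ad"),
    (ISN + 4, b"/ad."),  # retransmission overlapping bytes 1004-1006
]
PATTERN = rb"ad\.txt"

if __name__ == "__main__":
    stream = reassemble(SEGMENTS, ISN)
    print(stream, http_contexts(stream))
    print("per-packet:", per_packet_hits(SEGMENTS, PATTERN),
          "stream context:", url_protection_hits(http_contexts(stream), PATTERN))
```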
INSPECT V2 Detects Complex Attacks
– Accelerated by SecureXL & CoreXL
– Supports complex inspections to pinpoint the attack
– Supports for loops, if conditions, string searches, and more
– Decreases the development time of new protections
– Useful for inspection of applications & protocols that are not well-defined
IPS Blade
Introducing IPS Software Blade
New IPS Management Workflow
– Enhanced IPS profiles automatically activate protections
– Mark new protections for Follow-up
Better IPS Performance and Enforcement
– New high speed pattern matching engine
– New architecture facilitates fast release of new updates
– Packet capture mechanism
– Ensure total system performance
New IPS Event Management
– Timeline status to easily identify critical events on mission critical servers
– Forensic analysis tools to easily drill down to packet captures of attack events
Why upgrade to Security Gateway R70?
Improved IPS Management
– Flexible IPS policy and event management
Improved Performance
– Merger of CoreXL into the main release
– Fast IPS engine integrated with CoreXL
Better Security
– New multi-detection IPS engine with over 2300 behavioral and signature based protections
Support for New Platforms
– SecurePlatform based on 2.6 kernel
– IPSO 6.x
– Windows Server 2008
– RHEL 5 (Security Management only)
– Solaris 8, 9, 10 (Security Management only)
Flexible IPS Policy Management
Single Security Management Console
More Information and Classification
– Severity levels – likelihood that an attack will cause damage
– Confidence levels – how confident IPS is that recognized attacks are actually undesirable traffic
– Performance Impact – protection impact on gateway performance
– Protection Type – clients and/or servers
– Industry Reference (e.g.: CVE-2009-0098 and MS09-003)
Enforcement Types
Signatures
– Prevent specific vulnerabilities
Anomaly protections
– Prevent suspicious non-compliant traffic
Application Controls
– Select what is permitted or not inside a protocol
Engine Settings
– Ability to configure the behavior of the different engines (like TCP, HTTP, SIP, instant messengers etc.)
Simplified IPS Policy Management
Turn on the IPS Blade
– Enable the blade, select a profile, and install the policy
Protections are automatically activated by the IPS profile
– Default: optimized for performance
– Recommended: optimized for security
Update Protections
– Protections are automatically activated by the profile setting
Review IPS Status
– Quickly see overall status and Security Center news
Set Application Enforcement Policy
– Not automatically enforced by the profile settings
Turn on IPS Blade
(Screenshot: status indicator “IPS is ON”.)
1. Enable IPS
2. Select a profile
3. Install the policy
Automatic Activations
New protections are automatically activated and set to Prevent or Detect
Quickly overview your status
Set Application Enforcement Policy
Save your bandwidth and enforce proper network usage.
– Dozens of Peer-to-peer and Instant Messaging applications can be blocked with just a click
New applications are constantly being added via IPS updates
– E.g. ARES, QQ, TeamViewer …
Granular Controls For Advanced Users
Customize and create new IPS profiles
– Override protections
Better management of new protections
– Apply revision control in case you want to revert to an earlier update
– Newly downloaded protections can be set to detect or prevent
– Mark new protections for Follow-up to make it easier to review and monitor them
– Activate only the protections that match your network assets
– Jump from the log directly to the protection
– View packet captures
Create Network Exceptions
– At the profile or protection level
Optimize IPS Policy
Strong integration with Provider-1
– Define multiple protection policies on the global level and choose how to implement them on the customer level
Customize Your IPS Policy
1. Start with the Recommended IPS profile
2. Set the entire profile to Detect
3. Configure the automatic Security, Performance, and Confidence Level
4. Activate only the protections needed
5. Look at the logs, adjust protections as needed
6. Once satisfied with the result, move to Prevent mode
Browse and navigate through the protections
The Protection Browser allows easy and simple navigation through the entire list of protections. You can search, sort, filter, export and take action directly from the grid!
Locate Issues, Troubleshoot, Change What Is Needed
Add Network Exceptions
Exclude specific traffic from inspection based on
– Protections (individual, or all)
– Source IPs, Networks or Groups
– Destination IPs, Networks or Groups
– Services
– Gateways
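Added example, not Check Point's code: a small Python model of the classification fields (severity, confidence, performance impact) driving automatic Detect/Prevent activation as the profile slides describe, combined with the network exceptions listed on this slide. Level names, thresholds, the Default/Recommended settings and the sample protections are assumptions made for the illustration.

```python
"""Constructed model of profile-driven IPS activation plus network
exceptions. Level names, thresholds and the decision rule are assumptions
made for this illustration, not Check Point's implementation."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional

LEVELS = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}

@dataclass(frozen=True)
class Protection:
    name: str
    severity: str     # likelihood that the attack causes damage
    confidence: str   # how sure IPS is that the traffic is undesirable
    performance: str  # impact on gateway performance

@dataclass(frozen=True)
class NetworkException:
    protection: Optional[str]  # None = applies to all protections
    source: str                # IP address or network
    destination: str
    service: Optional[str]     # None = any service

@dataclass
class Profile:
    min_severity: str
    min_confidence: str
    max_performance: str
    detect_only: bool = False  # stage the whole profile in Detect first
    exceptions: List[NetworkException] = field(default_factory=list)

    def activation(self, p):
        """Automatic activation of a protection from the profile thresholds."""
        if (LEVELS[p.severity] < LEVELS[self.min_severity]
                or LEVELS[p.confidence] < LEVELS[self.min_confidence]
                or LEVELS[p.performance] > LEVELS[self.max_performance]):
            return "Inactive"
        return "Detect" if self.detect_only else "Prevent"

    def excepted(self, p, src, dst, svc):
        """True when a network exception excludes this flow from protection p."""
        return any(e.protection in (None, p.name)
                   and ip_address(src) in ip_network(e.source)
                   and ip_address(dst) in ip_network(e.destination)
                   and e.service in (None, svc)
                   for e in self.exceptions)

    def action(self, p, src, dst, svc):
        """Effective action on one flow: profile activation minus exceptions."""
        act = self.activation(p)
        return "Inactive" if act != "Inactive" and self.excepted(p, src, dst, svc) else act

DEFAULT = Profile("High", "Medium", "Medium")      # constructed: favours performance
RECOMMENDED = Profile("Medium", "Medium", "High")  # constructed: favours security
```

Staging a profile with detect_only=True, reviewing which protections fire, then clearing the flag mirrors steps 2 to 6 of the "Customize Your IPS Policy" procedure.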
View Packet Capture
Packet Capture
– Useful forensic tool
– Granular admin permission
Optimizing IPS
Set protection scope
– Protect internal hosts
– Protect all
As an extra safety measure, use the Bypass Under Load mechanism to automatically disable the IPS in the unlikely event of high load
Safely Integrate New Protections
Follow up on newly downloaded protections. Manage the integration of each new protection individually. The user has complete control.
What's new in R70.1
R70.1 Delivers SmartWorkflow
Automated Policy Change Management
– Single Console Integration
– Visual change tracking
– Flexible authorization
– Audit trails
R70.1 New Appliance Features
Hardware sensors monitoring
– Fan speed, motherboard voltages, CPU temperatures
– Web interface display
– SNMP support
– All Power-1 appliances
RAID monitoring
– Logical & physical HDD status
– SNMP support
– Power-1 appliances
Initial configuration from USB key
Improved setup from LCD
– Setup Mgmt IP
– Reboot
Power-1 11000 Hardware monitoring
R70.1 New Appliance Features
(Diagram: Security Gateway with eth0 and eth1 bonded as bond0.)
Link Aggregation
– Also known as NIC Teaming or Interface Bonding
– All interfaces in a bond are active and act as a single logical interface
– Traffic is load balanced between the bonded interfaces
– Increase aggregate bandwidth with high availability for the physical interfaces
– IEEE 802.3ad or XOR standard
– For SecurePlatform
R70.1 New Software Features
– URL Filtering Enhancements
– Reporting & Event Correlation Software Blades on VMware ESX
R70.1 User Interface New Features
– Quick Add Object to Rule Base
– Where Used – Go To
– Easily View Group Members
– Extended Clone Functionality
R70.1 Enhancements
SmartWorkflow
– Change management of Network Policy objects & rules
– Audit trail of changes via SmartView Tracker filter
DoS/DDoS Attack Mitigation
– Detects multiple attacks
– Learning mode
– Gateway and server protections
Appliance/SecurePlatform enhancements
– Link aggregation – active/active NIC bonding
– USB key enables remote deployment of appliances
– Appliance hardware monitoring
IPS-1 and R70 IPS Event Management
R70 Conclusion
Strong performance with integrated IPS enabled
– Accelerated with SecureXL and CoreXL
Better Security with a new multi-threat detection engine
– Better protections
– Scales as new protections are added
– Industry-leading real-time threat protection update times
Easy-to-use integrated IPS
– Simplified management of IPS policy and updates
– Granular control of IPS policy, updates, and protections
– Cyclic workflow management design
– Great IPS Event Management and Forensic Analysis
Thank You !