04 vsx power-r65

Check Point VPN-1 VSX
©2003–2008 Check Point Software Technologies Ltd. All rights reserved. [Confidential]—For Check Point users and approved third parties
Peter Sandkuijl, EMEA SE High End Solutions

Agenda
What is VSX and why should I consider it?
How to integrate a VSX infrastructure into my enterprise network?
Is my VSX infrastructure robust, scalable and fast?
Is management of a VSX infrastructure complex?

What is VSX?
VSX means Virtual System Extension
A VSX gateway is a physical server capable of running several instances of logical (or virtual) VPN-1 modules, each protecting a specific network
Each virtual VPN-1 module enforces its own security and routing policies

Why should customers consider virtualization?
Cost optimization: up to 250 virtual VPN-1 modules can be deployed on a single physical VSX gateway
Fast provisioning: a few mouse clicks create a new virtual VPN-1 module or cluster, including its network settings (a 2-screen wizard!)
Better scalability & availability: linear performance improvement
Efficient management: scalable & granular management with Provider-1; powerful CLI tool: vsx_util

VSX virtual devices: Firewall objects
In the VSX world, a VPN-1 module is named a Virtual System (VS)
Each VS functions as a stand-alone, independent VPN-1 gateway
[Diagram: a Virtual System bundles Security Features (FW; VPN, inc. SR/SC; SMDF, inc. WebInt; SSL VPN (SNX); AUTH, client & session), Network Features (Layer 3, Layer 2, Dynamic Routing) and Scalability & Performance Features (SecureXL, ClusterXL)]

VSX virtual devices: Network objects
Two types of Network Objects: the Layer-2 Virtual Switch and the Layer-3 Virtual Router
Why are Network Objects used?
To reach the external world according to the customer network's constraints
To route traffic from one Virtual System to another
A Virtual Router:
Is protected by its own Security Policy (which can be modified)
Like a Layer-3 VS, supports Dynamic Routing
Supports Source Routing
Virtual Routers & Switches use Warp Links to connect to Virtual Systems
[Diagram: a Layer-2 Virtual Switch and a Layer-3 Virtual Router connected to Virtual Systems, with an example subnet 192.168.1.0/24]

How to attach a VSX gateway to the external world?
Physical Interfaces: External, Internal, Management, Sync
Logical Interfaces: 802.1q
[Diagram: a VSX gateway with External, Internal, Management and Sync physical interfaces; 802.1q logical interfaces serve Company A, Company B, Company C and the Data Center; the External interface faces the Internet]

How does the VSX gateway dispatch packets to virtual devices?
Context Determination: when a Virtual Device is connected through a…
Physical Interface: the packet is immediately forwarded
Logical Interface: the packet is forwarded according to its VLAN ID
Virtual Router: the packet is routed according to its destination or source/destination IP address
Virtual Switch: the packet is switched according to its destination MAC address
[Diagram: Company A / Subnet A and Company B / Subnet B reached through the virtual devices]

VSX Into the Wild: Virtualizing several DMZ firewalls
Customer Profile: Bank Company
Needs: has to host several Customer Projects (1 project = 1 DMZ)
Projects are reachable from the External
Projects use Internal resources
Before VSX: two layers of firewall clusters to protect the "Project" Infrastructure from Internal & External threats
Secure Customer Projects with additional firewall clusters
With VSX: …
[Diagram: VSX gateway with MGMT and SYNC on eth1/eth0; 10 Gb/s 802.1Q trunks (eth2 to eth5, eth8, eth9) to the Core Switch carrying the DMZ VLANs (100 to 109); a 10 Gb/s 802.1Q trunk on eth6 to the EXTERNAL Router (VLANs 112 to 115) and on eth7 to the INTERNAL Router (VLANs 116 to 119)]
VS interface zones:
VS1: eth5.100 DMZ1, eth5.101 DMZ2, eth5.102 DMZ3, eth6.112 External, eth7.116 Internal
VS2: eth4.103 DMZ4, eth4.104 DMZ5, eth4.105 DMZ6, eth6.113 External, eth7.117 Internal
Etc.
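To make the context-determination rules of slide 9 concrete against the VS1/VS2 interface table of slide 10, here is an added Python model (example code, not Check Point's; the untagged physical-interface owner, the Virtual Switch MAC table and the Virtual Router routes are assumptions, and the frames are constructed):

```python
import ipaddress
import struct
TPID_8021Q = 0x8100      # 802.1q tag protocol identifier
ETHERTYPE_IPV4 = 0x0800
# VS interface zones from slide 10 (constructed table; "ethN.vlan" -> (VS, zone)).
VS_INTERFACES = {
    "eth5.100": ("VS1", "DMZ1"), "eth5.101": ("VS1", "DMZ2"), "eth5.102": ("VS1", "DMZ3"),
    "eth6.112": ("VS1", "External"), "eth7.116": ("VS1", "Internal"),
    "eth4.103": ("VS2", "DMZ4"), "eth4.104": ("VS2", "DMZ5"), "eth4.105": ("VS2", "DMZ6"),
    "eth6.113": ("VS2", "External"), "eth7.117": ("VS2", "Internal"),
}
# Assumed owner of an untagged physical interface (not on the slide).
PHYSICAL_OWNER = {"eth8": "VS3"}
# Assumed Virtual Switch MAC forwarding table and Virtual Router routing table.
VSWITCH_FDB = {"00:00:5e:00:53:01": "VS1", "00:00:5e:00:53:02": "VS2"}
VROUTER_ROUTES = [(ipaddress.ip_network("10.1.0.0/16"), "VS1"),
                  (ipaddress.ip_network("10.2.0.0/16"), "VS2")]

def build_frame(dst_mac, vlan_id=None, dst_ip="10.1.2.3"):
    """Build a minimal constructed Ethernet/IPv4 frame, 802.1q-tagged when vlan_id is set."""
    dst = bytes.fromhex(dst_mac.replace(":", ""))
    src = bytes.fromhex("00005e005300")
    tag = struct.pack("!HH", TPID_8021Q, vlan_id & 0x0FFF) if vlan_id is not None else b""
    ip_hdr = bytes([0x45]) + bytes(15) + ipaddress.ip_address(dst_ip).packed  # 20-byte header
    return dst + src + tag + struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr

def parse_frame(frame):
    """Return (dst_mac, vlan_id or None, ethertype, payload); pops one 802.1q tag."""
    dst_mac = ":".join(f"{b:02x}" for b in frame[:6])
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == TPID_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        return dst_mac, tci & 0x0FFF, ethertype, frame[18:]
    return dst_mac, None, ethertype, frame[14:]

def dispatch(device, physical_if, frame):
    """Slide-9 rule per ingress device type; returns the owning VS name or None (no context)."""
    dst_mac, vlan_id, ethertype, payload = parse_frame(frame)
    if device == "physical":            # forwarded immediately to the owning VS
        return PHYSICAL_OWNER.get(physical_if)
    if device == "logical":             # forwarded according to the VLAN ID
        return VS_INTERFACES.get(f"{physical_if}.{vlan_id}", (None, None))[0] if vlan_id is not None else None
    if device == "vswitch":             # switched on the destination MAC
        return VSWITCH_FDB.get(dst_mac)
    if device == "vrouter":             # routed on the destination IP
        if ethertype != ETHERTYPE_IPV4 or len(payload) < 20:
            return None
        dst_ip = ipaddress.ip_address(payload[16:20])
        return next((vs for net, vs in VROUTER_ROUTES if dst_ip in net), None)
    raise ValueError(f"unknown device type {device!r}")
```

A frame whose VLAN, MAC or destination prefix matches no table entry returns None, which is the case a deployment must watch: traffic on an unprovisioned VLAN has no VS context and should be dropped at the trunk rather than silently land somewhere.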

Clustering: Introduction to VSLS
Two clustering levels:
VSX Gateways: active/active
Virtual Systems: active/standby
No need to assign dedicated IP addresses to each cluster member
Only one sync network
Easy provisioning
[Diagram: two VSX gateways joined by a SYNC network (192.168.196.0/22) hosting VS clusters with VIP IP1 and VIP IP2; diagram labels: "Created by the VSX Administrator", "Created by the VSX Management Infrastructure"]

Clustering: Virtual System Load Sharing
Distributes VS instances between different VSX gateways
Sync improvements: new state: Backup
Sync only between active & standby (unicast sync)
VS distribution: performed automatically or manually (vsx_util redistribute_vsls)
Depends on priorities and weights
[Diagram: VSX gateways joined by a SYNC network]

Clustering: Active/Standby Bridge Mode
Relevant for VSX gateways hosting Layer-2 VS clusters
Offers the following advantages over STP:
Path redundancy
Loop prevention
Immediate failover
Control over bridge failover
Works with VSLS
VSs sync & publish their MAC forwarding table
[Diagram: a ClusterXL Layer-2 VS cluster alongside switches running STP]

VSX into the Wild: Splitting a big firewall into specialized virtual firewalls
Customer Profile: Retailer Company
Needs: simplify Security Policy Management
Simplify Network Management
Improve Scalability & Performance
Before VSX: very large rulebase
Not scalable
Performance bottleneck
With VSX: …
[Diagram: the single firewall between the INTERNAL and EXTERNAL Core Switches is split into specialized VSs for Emails, Hosting, VPN and Browsing on VLANs 100 to 103; the VSX gateway has MGMT and SYNC on eth1/eth0, internal-side trunks eth2 to eth5 and external-side trunks eth6 to eth9, and runs Performance Pack, VSLS and Active/Standby Bridge Mode]
VS interfaces (INTERNAL / EXTERNAL):
Browsing: eth5.100 / eth6.100
Emails: eth4.101 / eth7.101
Etc.

VSX management
3-tier management architecture with either SmartCenter or Provider-1
Only one Mgmt IP address is used per VSX gateway
[Diagram: the three tiers: SMART Consoles, then SmartCenter or Provider-1, then the VSX Gateways]

VSX management: Provider-1 focus
Main CMA manages the VSX infrastructure
Target CMAs manage one or more Virtual Devices
Multiple concurrent administrators
Granular permissions
Separate object databases

Conclusion
Scale both enterprise perimeter & core-side security
– VSX objects allow fast and complete integration anywhere in the Enterprise
– Scalable & resilient security with VSX clustering
Powerful Management
– Fast provisioning of VSs or VS clusters
– Central VSX infrastructure database including network settings
– IP address optimization (1 Mgmt IP per VSX gateway, 1 sync network, no dedicated IPs)
– Scalable & granular management with P-1
– Easy recovery of a failed gateway with CLI tool vsx_util
Reduce TCO