October, 2012 - PowerPoint PPT Presentation

Presentation Transcript

  1. Check Point Virtual Systems: The Power of Virtualization
     Enable Software Blades and Virtualized Security for Private Cloud Environments
     October, 2012
     [Restricted] ONLY for designated groups and individuals

  2. Agenda
     1 Benefits of Virtualization
     2 Check Point R75.40VS
     3 A Deep Dive Into R75.40VS
     4 DEMO

  3. Key Virtual System Benefits
     Consolidation
       - Cut cost by consolidating your Security Gateways
       - Use a simple GUI to add a new Virtual System
     Multi-Tenancy
       - Serve multiple customers from a single platform
       - Customized security & policy per Virtual System
     Scalability
       - Add more Virtual Systems without additional hardware
       - Unique linear scalability with clustering technology

  4. Deployment Scenarios: Enterprise – Network Segmentation
     - Lower overall CAPEX & OPEX
     - Easily segment your network
     - Simplify your policy by creating a dedicated policy per segment
     (diagram: Internet, Finance, Mail Server, R&D segments behind one gateway)

  5. Deployment Scenario: MSP – Multi-Tenancy
     - Easily add and support multiple customers
     - Provide customized security services
     - Increase revenues
     (diagram: MSP Network serving Customer 1, Customer 2, Customer 3)

  6. Check Point R75.40VS

  7. What's New in R75.40VS
     - Next Generation Virtual System: can run any Software Blade on any Check Point Appliance
     - Simplify and Consolidate: all Software Blades on every Virtual System
     - Boosting Performance: VSLS

  8. Software Blades for Virtual Systems
     - Firewall, IPS, Application Control, URL Filtering, Identity Awareness, Antivirus*, Anti-Bot*
     - Software Blades on Virtual Systems ... and Open Servers
     - Virtual System on any platform
     - Software Blade security on every Virtual System
     * Available Q4/12

  9. R75.40 Virtual Systems
     - R75.40VS unifies the Security Gateway product with the VSX product
     - R75.40VS is NOT just a VSX release! This software release merges the maintrain security gateway with virtual systems.
     - R75.40VS operates in 2 modes:
       - physical mode: runs only 1 security gateway
       - virtual mode (VS): runs up to 250 virtual security gateways (Virtual Systems) on a single gateway
     - R75.40VS virtual mode can only run on the GAiA OS

  10. R75.40VS Supported GWs
     Appliances
       - 2012 models: 2200, 4200, 4400, 4600, 4800, 12200, 12400, 12600, 21400
       - Existing: UTM-1 3070, Power-1 9000, Power-1 11000, IP-1280, IP-2450
       - All VSX appliances
     Open servers
       - Open servers with up to 12 cores
  11. What's new in R75.40VS
     - Software Blades per each VS
     - GAiA 64-bit OS
     - Resource Monitoring and Allocation
     - Improved performance
     - Licensing & Packaging

  12. A closer look ...
     (table of Software Blade support per mode not captured in the transcript)
     * IPv6 will be supported in 2013
     ** Mobile Access Portal and Check Point Mobile for iOS and Android are not supported

  13. What's new in Virtual Systems
     - Software Blades per each VS
     - GAiA 64-bit OS
     - Resource Monitoring and Allocation
     - Improved performance
     - Licensing & Packaging

  14. GAiA 64-bit OS
     - Advanced routing options with multiple routing and multicasting protocols
     - Wide range of dynamic routing protocols: BGP, OSPF, RIP, PIM, IGMP
     - Granular permissions and roles: tailored policies for each Virtual System
     - High connection capacity: 8X concurrent connections with the 64-bit GAiA OS

  15. What's new in Virtual Systems
     - Software Blades per each VS
     - GAiA 64-bit OS
     - Resource Monitoring and Allocation
     - Improved performance
     - Licensing & Packaging

  16. Resource Monitoring
     Resource Usage Monitor
       - Keeps track of the CPU and memory consumption per Virtual System
       - Provides real-time information on the present and average CPU consumption by the Virtual Systems, using SNMP and the CLI
     Monitor MIBs per Virtual System, using SNMPv3
       - Allows querying information per VS, including the networking MIB
       - Two modes of SNMP monitoring:
         - Default mode: monitors VS0 only
         - VS mode: supports SNMP monitoring per each VS
     SmartView Monitor

  17. Monitoring Memory Resources
     The "fw vsx mstat" command shows an overview of the memory that the system and each Virtual System is using.
     Global memory resources shown:
       - Memory Total: total physical memory on the Gateway
       - Memory Free: available physical memory
       - Swap Total: total swap memory
       - Swap Free: available swap memory
       - Swap-in rate: total memory swaps per second

       [Expert@GIZA42G204:0]# fw vsx mstat sort all
       VSX Memory Status
       =================
       Memory Total:  997.22 MB
       Memory Free:   232.52 MB
       Swap Total:   2047.34 MB
       Swap Free:    2047.16 MB
       Swap-in rate:    0.00 MB

        VSID | Memory Consumption
       ======+====================
           0 |          133.49 MB
           8 |           92.41 MB
           3 |           43.81 MB
           2 |           42.47 MB
           1 |           42.47 MB
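As an added example (not part of the presentation or Check Point's tooling), a small Python parser for the "fw vsx mstat" output above that flags Virtual Systems exceeding a memory budget, a low free-memory condition, or active swapping. The sample text is constructed from the figures on this slide; the budget and free-memory thresholds are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample, laid out like the fw vsx mstat output on the slide.
SAMPLE = """\
VSX Memory Status
=================
Memory Total:  997.22 MB
Memory Free:   232.52 MB
Swap Total:   2047.34 MB
Swap Free:    2047.16 MB
Swap-in rate:    0.00 MB

 VSID | Memory Consumption
======+====================
    0 |          133.49 MB
    8 |           92.41 MB
    3 |           43.81 MB
    2 |           42.47 MB
    1 |           42.47 MB
"""

# Global counters: "<name>: <value> MB", one per line.
GLOBAL_RE = re.compile(
    r"^(Memory Total|Memory Free|Swap Total|Swap Free|Swap-in rate):[ \t]*([\d.]+)[ \t]*MB",
    re.M)
# Per-VS rows: "<vsid> | <value> MB".
VS_RE = re.compile(r"^[ \t]*(\d+)[ \t]*\|[ \t]*([\d.]+)[ \t]*MB", re.M)


@dataclass
class MemStatus:
    globals: dict   # counter name -> MB
    per_vs: dict    # vsid -> MB consumed by that Virtual System


def parse_mstat(text):
    """Parse fw vsx mstat output; raise if the expected sections are missing."""
    g = {k: float(v) for k, v in GLOBAL_RE.findall(text)}
    vs = {int(k): float(v) for k, v in VS_RE.findall(text)}
    if "Memory Total" not in g or not vs:
        raise ValueError("unrecognised fw vsx mstat output")
    return MemStatus(g, vs)


def vs_total(status):
    """Sum of memory attributed to all Virtual Systems (VS0 included)."""
    return sum(status.per_vs.values())


def check_budget(status, per_vs_limit_mb, min_free_pct=10.0):
    """Return a list of findings; an empty list means everything is within limits."""
    findings = []
    for vsid, used in sorted(status.per_vs.items()):
        if used > per_vs_limit_mb:
            findings.append(f"VS{vsid} uses {used:.2f} MB > budget {per_vs_limit_mb} MB")
    total, free = status.globals["Memory Total"], status.globals["Memory Free"]
    free_pct = 100.0 * free / total
    if free_pct < min_free_pct:
        findings.append(f"only {free_pct:.1f}% physical memory free")
    if status.globals.get("Swap-in rate", 0.0) > 0:
        findings.append("gateway is swapping in; Virtual Systems are competing for RAM")
    return findings
```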
  18. Resource Allocation
     Have maximum flexibility with core allocation per Virtual System, or per specific process or thread.

       [Expert@Giza147GW203:1]# fw ctl affinity -l -x -vsid 1 -flags tne
       ----------------------------------------------------
       |PID     |VSID |     CPU        |SRC|V|KT |EXC| NAME
       ----------------------------------------------------
       |  15462 |   1 |            all |   | |   |   | fwk_wd
       |  15464 |   1 |          1 2 3 | P | |   |   | fwk1_dev
       |  15476 |   1 |            0 2 | I | |   |   | |---fwk1_0
       |  15465 |   1 |            0 1 | P | |   |   | cpd
       |  15731 |   1 |            0 1 | P | |   |   | |---cpd
       |  15734 |   1 |            0 1 | P | |   |   | |---cpd
       |  15735 |   1 |            0 1 | P | |   |   | |---cpd
       |  15467 |   1 |            2 3 | P | |   |   | fw
       |  15516 |   1 |            2 3 | P | |   |   | |---fw
       |  15517 |   1 |            2 3 | P | |   |   | |---fw
       |  15518 |   1 |            2 3 | P | |   |   | |---fw
       |  15477 |   1 |            all |   | |   |   | mpdaemon
       |  15635 |   1 |            all |   | |   |   | routed
       |  23021 |   1 |            all |   | |   |   | fw
       ----------------------------------------------------

     Note: CPU Resource Control enforcement is not supported yet

  19. What's new in Virtual Systems
     - Software Blades per each VS
     - GAiA 64-bit OS
     - Resource Monitoring and Allocation
     - Improved performance
     - Licensing & Packaging

  20. Improved Performance
     - Multicore support (CoreXL)
     - 64-bit OS increases connection capacity
     - ClusterXL High Availability and VS Load Sharing (VSLS)

  21. CoreXL per VS
     - CoreXL increases the performance of the physical appliance with the ability to utilize multiple cores. It creates multiple firewall instances.
     - Not all VSs are created equal. In order to allocate more resources to one VS, you can create multiple instances of that VS to leverage CoreXL.

  22. Maximum number of VS per appliance
     (table not captured in the transcript)

  23. What's new in Virtual Systems
     - Software Blades per each VS
     - GAiA 64-bit OS
     - Resource Monitoring and Allocation
     - Improved performance
     - Licensing & Packaging

  24. R75.40VS Virtual System Licensing
     (diagram: Security Gateway + Software Blades + VS License; VS packages of x1, x3, x10, x25 and x50 VSs, with one free VS license)
     - Virtual System packages are licensed the same for all appliances & open servers
     - The 3 VS package is available only for small gateways*
     - Offering one complementary Virtual System**
     - Software Blades are priced per gateway regardless of the number of Virtual Systems
     - Software Blades apply to any/all Virtual Systems running on the gateway
     - Software Blade pricing and SKUs are unchanged (same as with 'physical' GWs)
     * Available for: 2200, 4200, 4400, 4600 and open servers with less than 4 cores
     ** Available for: 4800, 12200, 12400, 12600, 21400, Power-1 9000, Power-1 11000, IP-1280, IP-2450 and open servers with 4 cores or more

  25. How can I start with Virtual Systems

  26. How to get to Virtual Systems
     Existing VSX customers
       - Upgrade of an existing VSX configuration: after the clean install, follow the usual "vsx_util reconfigure" procedure. This preserves all the configuration that resides on the management.
     New customers
       - Install the Gateway as a Security Gateway only and define the gateway as VSX in the GUI
     Security Gateway customers
       - Upgrade to R75.40VS physical mode
       - One-Click conversion from R75.40VS physical mode to R75.40VS virtual mode to enable Virtual Systems
     All the above can be done for clusters as well as gateways

  27. One-Click Virtualization – Enable VSs

  28. Virtual Systems Architecture

  29. Technology – User Mode
     User Mode Firewall (vs Kernel Mode in R67)
       - FW code is compiled into a DLL
       - A process is created per each VS (fwk)
       - A light-weight driver exists in the kernel which dispatches packets to the relevant VS and executes the Drop/Accept decision made by the firewall
     User Mode Daemons
       - Major Check Point daemons run per VS and are not virtualized
       - Better segregation, easier resource monitoring and control
     Performance Pack (PPK)
       - Virtualized kernel module
       - Can run on a 32/64-bit OS
     - Gaia includes the VRF patch for the network virtualization layer, the same patch as in R67/R68 with some minor changes in the memory consumption area
     - Provisioning using clish; the WebUI is not supported in virtual mode
     - Routing is implemented by running Routed per VS (both for static and dynamic routes)

  30. Virtual Systems Architecture – User Mode
     (diagram: per VS, the user-mode processes cpd, fwd, vpnd and fwk; below the UM/KM boundary, the firewall dispatcher and the virtualized PPack, attached to the NICs)
     The fwk process is the firewall kernel code compiled in user mode. It is responsible for all the traffic inspection that is not done in the PPack, the same as the firewall kernel driver.

  31. User Mode Advantages vs Kernel Mode
     (columns: Better Security / Speeding Up Development)
     - Part of the code and data can be shared between VS processes
     - Better segregation of VSs: each VS state is encapsulated in a separate process with its own address space, without access to the other VSs
     - Enhanced performance: packets belonging to several VSs can be processed in parallel
     - The integration with application layer features is easier
     - Resource monitoring and enforcement: CPU time and memory of each process can be monitored and controlled
     - Enhanced capacity: each VS has its own separate virtual address space, meaning it can use 2-3 GB of memory

  32. A Deep Dive Into R75.40VS
  33. Multi-Queue Support
     - Previously, network interfaces had one interrupt assigned, handled by one CPU at a time. This caused problems with 'one in one out' topologies: a low number of cores was used.
     - Multi-queue lets you allocate multiple interrupts to a single interface, allowing more cores to be used for acceleration.
     - Multi-queue is supported on network interfaces that use the igb (1Gb) and ixgbe (10Gb) drivers.
     - See sk80940 for documentation and hotfix download

  34. Without Multi-Queue
     (diagram: 10Gbps IN on VLAN10 / OUT on VLAN20, 1Gbps TO MGT; a single IRQ feeds one Dispatcher/SecureXL, with the FW/IPS/AV instances behind it)

  35. With Multi-Queue
     (diagram: same topology with four IRQs, each feeding its own MultiQ Dispatcher/SecureXL, with the FW/IPS/AV instances behind them)

  36. When Multi-Queue is not Relevant
     - When most of the processing is done in CoreXL: the CoreXL FW instances will be loaded, so there are no CPU cores that can be reassigned to SecureXL.
     - When IPS or other deep inspection Software Blades are heavily used.
     - When Performance Pack is already using 4 CPU cores and all of them are congested.
     - When trying to increase the session rate.
     - When there is insufficient diversity of traffic flows. In the extreme case of a single flow, for example, traffic will be handled only by a single CPU core.

  37. Penalty Box
     What is Penalty Box and how does it work?
     - It's a mechanism that performs an early drop of packets arriving from suspected sources.
     - Allows the firewall to cope better under high load, possibly caused by a DDoS attack.
     - Uses the dos_suspected and dos_penalty_box PPK tables
     - Packets will be dropped by the Performance Pack at a very early stage (Accelerated Drop)
     - This feature is currently supported only in Physical mode

  38. Penalty Box
     - Configure: sim erdos <option>
     - Status report: cat /proc/ppk/erdos
     - Survive reboot: add these commands to /etc/rc.local

  39. When to choose R75.40VS
     - When wanting to simplify network security and consolidate security gateways with Virtual Systems
     - When you need to take advantage of improved VoIP support
     - When you require IPS Software Blade enhancements
     - When running a 'one in one out' topology

  40. When to Choose R75.40
     - When not wanting to work with the above R75.40VS Virtual Systems, VoIP, or IPS improvements.
     - When considering an upgrade to R75.45 (not possible from R75.40VS), in order to benefit from new offerings such as DDoS Protector, IPS False Positive reduction, Anti-Bot & Antivirus fixes and many more.
     - When using a Solaris-based management server (R75.40VS does not support Solaris).

  41. Upgrade considerations
     - R75.40, R75.40VS and R75.45 will be upgradable to a new maintrain version, scheduled for release in a few months, that will include all the releases' features
     - R65 can be upgraded to: R70, R71.10 and R75
     - VSX R65, VSX R65.10, VSX R65.20, VSX R67 and VSX R67.10 can be upgraded to R75.40VS Gaia
     - R75.40VS cannot be upgraded to R75.45
     - An R75.40VS gateway cannot be managed by an R75.45 management. But you can manage an R75.45 Gateway with an R75.40VS Management, with some limitations.
     - For exceptions, limitations and instructions, please carefully read the relevant "Release Notes" and sk82460 before upgrading
  42. FAQ
     Q: Will this release replace VSX?
     A: Yes, R75.40VS replaces VSX. IPv6 support is planned for 2013. If Virtual System customers need IPv6, they are advised to continue working with VSX R68.
     Q: What Blades do we support in the two R75.40VS modes?
     A: Physical mode: all functionality in R75.40, including the IPv6, DLP and Anti-Spam Software Blades. Virtual mode: all functionality in R75.40, except the IPv6, DLP and Anti-Spam Software Blades. IPv6 and the DLP and Anti-Spam Blades will be supported in virtual mode in a future release.
     Q: Do I need to buy a Software Blade license for each VS?
     A: No, Blade licensing is per gateway regardless of the number of VSs. It's possible to define the Blades that are running on each VS, and any VS can run any Blade with any Policy.

  43. FAQ
     Q: How do the various Software Blade updates work in VS mode?
     A: The communication with the UserCenter is done from VS0, which needs to have connectivity.
     Q: Is R75.40VS supported by the 61000 appliance and also Crossbeam?
     A: R75.40VS is supported by Crossbeam since Q3 and will support the 61000 appliance at the end of Q4.
     Q: What performance should I expect in the R75.40VS Virtual System mode?
     A: 1- When comparing to VSX R67, all the performance parameters improved. When comparing to an R75.40 Physical Gateway: the main performance parameters are identical to the physical mode. In cases where the majority of traffic is not accelerated, you can expect a degradation of about 10%-15%.

  44. FAQ
     2- The Blades that are activated on each Virtual System. Each Software Blade activated on the VS has an impact on the memory consumption of that VS.
     3- Connections table size. An increase in the Virtual System's connections table size results in overall higher memory consumption.
     You should avoid turning on unneeded Software Blades and having unutilized instances.
     Q: Does virtualized mode always run on the GAiA OS, using 64-bit mode?
     A: Virtual Systems is available on the GAiA OS and XOS. The OS kernel will run in 64-bit mode only if the machine has 6GB or more RAM; otherwise, it runs in 32-bit mode. User mode runs only in 32-bit mode.

  45. Summary

  46. Simplify and Consolidate Security
     ONE Gateway
     - One-Click Virtual System Creation: simple Virtualization Wizard and provisioning templates
     - Security with Virtual Systems (diagram: HR, Partners, Finance, Customers, Web and the Enterprise INTRANET, each behind its own Virtual System)
     - Dedicated Policy Per Virtual System: customized security functions with granular security policies
     - Ease of Operation: resource monitoring on each Virtual System; software upgrades without downtime; inter-VS traffic redirecting via integrated virtual routers and switches

  47. Performance Boost and Scalability
     - High Connection Capacity: 8X concurrent connections with the 64-bit GAiA OS; advanced routing options with multiple routing and multicasting protocols
     - Multi-Core Performance: Check Point CoreXL technology; enhanced deep packet inspection throughput with security acceleration
     - Linear Scalability: patented VSLS technology; scale up to 8 cluster members

  48. DEMO

  49. GW / MGMT (demo topology)

  50. Thank You