What is new in R70 ?

Download Report

Transcript What is new in R70 ?

Technical and Architectural Overview
of R70
Patrick Hanel
Technical consultant, CISSP
puresecurity ™
©2003-2008 Check Point Software Technologies Ltd. All rights reserved.
[Public] – For everyone
Agenda
 Check Point Software Blade Architecture
 Check Point R70 Technology
 CheckPoint R70.1
puresecurity™
©2003-2008 Check Point Software Technologies Ltd. All rights reserved.
[Public] – For everyone
2
In 2009 customers have a choice
network security solutions
Check Point Software Blades
Corporate HQ
IPS
Web Security
VPN
Firewall
Branch Office
VPN
Firewall
OR
Etc…
multiple projects
dedicated hardware
dedicated management
puresecurity™
©2003-2008 Check Point Software Technologies Ltd. All rights reserved.
Lower
oneinvestment
project
Lower
TCO
multiple
configurations
single management
[Public] – For everyone
3
Our new security architecture
softwareblades from Check Point
puresecurity™
©2003-2008 Check Point Software Technologies Ltd. All rights reserved.
[Public] – For everyone
4
Total Security
Complete Security & Management Portfolio
Security
Gateway
Blades
Security
Management
Blades
puresecurity™
©2003-2008 Check Point Software Technologies Ltd. All rights reserved.
[Public] – For everyone
5
How does it work?
STEP 1
STEP 2
STEP 3
Select a container
based on size (# cores)
Select the software
blades
Create a system that is
simple, flexible, secure
puresecurity™
©2003-2008 Check Point Software Technologies Ltd. All rights reserved.
[Public] – For everyone
6
Check Point Software Blades
softwareblades
from Check Point
Secure
puresecurity™
©2003-2008 Check Point Software Technologies Ltd. All rights reserved.
Flexible
Simple
[Public] – For everyone
7
Check Point R70 Technology
puresecurity ™
©2003-2008 Check Point Software Technologies Ltd. All rights reserved.
[Public] – For everyone
Check Point R70
- The Evolution Continues
 R70 release featuring Software Blade architecture
New IPS Software Blade
Improved Core Firewall Performance
New Provisioning Software Blade
puresecurity™
©2003-2008 Check Point Software Technologies Ltd. All rights reserved.
[Public] – For everyone
9
R70 architecture
puresecurity ™
©2003-2008 Check Point Software Technologies Ltd. All rights reserved.
[Public] – For everyone
R70 Architecture
Network
 Deeper multi-core integration
 Multi-tier IPS filtering engine
– quickly filters ~90% of traffic
 Filter attacks only on the
relevant sections of the traffic
– reduce overhead
– Reduce false positives
 Performance Improvements
in Secure Platform OS
©2003-2008 Check Point Software Technologies Ltd. All rights reserved.
Firewall
IPS Engine
IPS Engine
…
CoreXL
Secure Platform
Network
puresecurity™
Firewall
[Public] – For everyone
11
Integration with CoreXL
Core #0
eth1
eth0
Secure Network
Dispatcher
Core #1
Secure Network
Dispatcher
PPAK
PPAK
Core #2
Core #3
fw5
fw4
Medium Path
Queue
Medium Path
Queue
Core #4
Core #5
Core #6
Core #7
fw3
fw2
fw1
fw0
Medium Path
Queue
Medium Path
Queue
Medium Path
Queue
Medium Path
Queue
• Multiple firewall kernel instances increases performance 70%> per core
• IPS runs outside of firewall path context
• IPS processing: ~2x faster than firewall path
puresecurity™
©2003-2008 Check Point Software Technologies Ltd. All rights reserved.
[Public] – For everyone
12
Customize to Match Hardware
Core #0
eth1
eth0 eth1
Dispatcher
Core #1
Dispatcher
fw6
SecureXL
Core #4
SecureXL
Queue
Core #5
firewall
IPS
firewall
IPS
Core #2
Core #3
firewall
firewall
IPS
Core #6
IPS
Core #7
firewall
IPS
firewall
IPS
 CPU Affinity - the ability to attach software code to physical CPU
– Kernel instances will execute firewall and IPS on that core
 NIC Affinity – the abilitiy to attach Network Interfaces to a
SecureXL/Dispatcher core
puresecurity™
©2003-2008 Check Point Software Technologies Ltd. All rights reserved.
[Public] – For everyone
13
Set ClusterXL IPS Failover Options
 Prefer
security
 Prefer
connectivity
puresecurity™
©2003-2008 Check Point Software Technologies Ltd. All rights reserved.
[Public] – For everyone
14
New IPS Engine/Architecture
puresecurity ™
©2003-2008 Check Point Software Technologies Ltd. All rights reserved.
[Public] – For everyone
Redesigned IPS Engine
New Threat Control Engine
Utilizing multiple methods of detection and analysis for
accurate and confident security
• Pre-emptive and accurate detection via NEW! multimethod signature & behavioral prevention engine.
• Wide protection coverage for both server and client
vulnerabilities.
• Protection profiles with attack severity, confidence, and
performance settings to automatically set protections to
Detect or Prevent.
• Open language for writing protections and protocol
decoders.
• Application Identification for application policy
enforcement.
puresecurity™
©2003-2008 Check Point Software Technologies Ltd. All rights reserved.
[Public] – For everyone
16
Architecture – Main Concepts
 IPS Parallel Inspection Architecture
– Multi-Layered parsing – where each layer screens attacks or the
protocol/application.
– Parsers Parse, Protections Protect
» Protocol parser should not do security.
» Protections should not re-parse the traffic again and again.
» Makes protections much more accurate
 “Accelerate” the IPS Inspection
– Done by separating the IPS engines from the FW infrastructure
to an independent blade.
puresecurity™
©2003-2008 Check Point Software Technologies Ltd. All rights reserved.
[Public] – For everyone
17
Protects against IPS Evasion
 The Streaming Engine reassembles TCP packets
 Works in conjunction with SecureXL to accelerate
packets
 Prevents IPS evasion and network attacks
 Provides packet captures
Assembles packets for inspection and detects some attacks
ad.txt
get
b
puresecurity™
©2003-2008 Check Point Software Technologies Ltd. All rights reserved.
get
b
ad.txt
[Public] – For everyone
18
Protects Against Protocol Anomalies
 Protocol Parsers dissect the data stream
 Validate protocol compliance
 The outcome is a context
– Examples of contexts are HTTP URL, FTP command, FTP file
name, HTTP response, and certain files
puresecurity™
©2003-2008 Check Point Software Technologies Ltd. All rights reserved.
[Public] – For everyone
19
INSPECT V2 Detects Complex Attacks
 Accelerated by SecureXL & CoreXL
 Supports complex inspections to pinpoint the attack
 Supports for loops, if conditions, string
searches, and more
 Decreases the development time of
new protections
 Useful for inspection of applications &
protocols that are not well-defined
puresecurity™
©2003-2008 Check Point Software Technologies Ltd. All rights reserved.
[Public] – For everyone
20
IPS Blade
puresecurity ™
©2003-2008 Check Point Software Technologies Ltd. All rights reserved.
[Public] – For everyone
Introducing IPS Software Blade
 New IPS Management Workflow

Enhanced IPS profiles automatically activate protections

Mark new protections for Follow-up
 Better IPS Performance and Enforcement

New high speed pattern matching engine

New architecture facilitates fast release of new updates

Packet capture mechanism

Ensure total system performance
 New IPS Event Management


Timeline status to easily identify critical events on mission critical
servers
Forensic analysis tools to easily drill-down to packet captures of attack
events
puresecurity™
©2003-2008 Check Point Software Technologies Ltd. All rights reserved.
[Public] – For everyone
22
Why upgrade to Security Gateway R70?
 Improved IPS Management
 Flexible IPS policy and Event management
 Improved Performance
 Merger of CoreXL into the main release
 Fast IPS engine integrated with CoreXL
 Better Security
 New multi-detection IPS engine with over 2300 behavioral and signature
based protections
 Support for New Platforms





SecurePlatform based on 2.6 kernel
IPSO 6.x
Windows Server 2008
RHEL 5 (Security Management only)
Solaris 8, 9, 10 (Security Management only)
puresecurity™
©2003-2008 Check Point Software Technologies Ltd. All rights reserved.
[Public] – For everyone
23
Flexible IPS Policy Management
puresecurity ™
©2003-2008 Check Point Software Technologies Ltd. All rights reserved.
[Public] – For everyone
Single Security Management Console
puresecurity™
©2003-2008 Check Point Software Technologies Ltd. All rights reserved.
[Public] – For everyone
25
More Information and Classification
 Severity levels
– Likelihood that an attack will cause damage
 Confidence levels
– how confident IPS is that recognized attacks are actually
undesirable traffic
 Performance Impact
– Protection impact on gateway performance
 Protection Type
– Clients and/or Servers
 Industry Reference
(e.g.: CVE-2009-0098 and MS09-003)
™
puresecurity
©2003-2008 Check Point Software Technologies Ltd. All rights reserved.
[Public] – For everyone
26
Enforcement Types
 Signatures
– Prevent specific vulnerabilities
 Anomaly protections
– Prevent suspicious non-compliant traffic
 Application Controls
– Select what is permitted or not inside a protocol
 Engine Settings
– Ability to configure the behavior of the different engines
(like TCP, http, SIP, instant messengers etc…)
puresecurity™
©2003-2008 Check Point Software Technologies Ltd. All rights reserved.
[Public] – For everyone
27
Simplified IPS Policy Management
 Turn on the IPS Blade
– Enable the blade, select a profile, and install the policy
 Protections are automatically activated by the IPS profile
– Default optimized for performance
– Recommended optimized for security
 Update Protections
– Protections are automatically activated by the profile setting
 Review IPS Status
– Quickly see overall status and Security Center news
 Set Application Enforcement Policy
– Not automatically enforced by the profile settings
puresecurity™
©2003-2008 Check Point Software Technologies Ltd. All rights reserved.
[Public] – For everyone
28
Turn on IPS Blade
1. Enable IPS
2. Select a
profile
3. Install the
policy
puresecurity™
©2003-2008 Check Point Software Technologies Ltd. All rights reserved.
[Public] – For everyone
29
Automatic Activations
New
protections
are
automatically
activated
And set to
Prevent or
Detect
puresecurity™
©2003-2008 Check Point Software Technologies Ltd. All rights reserved.
[Public] – For everyone
30
Quickly overview your status
puresecurity™
©2003-2008 Check Point Software Technologies Ltd. All rights reserved.
[Public] – For everyone
31
Set Application Enforcement Policy
 Save your bandwidth and enforce proper
network usage.
– Dozens of Peer-to-peer and Instant
Messaging applications can be blocked with
just a click
 New applications are constantly being
added via IPS updates
– E.g. ARES, QQ, TeamViewer …
puresecurity™
©2003-2008 Check Point Software Technologies Ltd. All rights reserved.
[Public] – For everyone
32
Granular Controls For Advanced Users
 Customize and create new IPS profiles
– Over-ride protections
 Better management of new protections
– Apply revision control in case you want to revert to an earlier update
– Newly downloaded protections can be set to detect or prevent
– Mark new protections for Follow-up to make it easier to review and
monitor them
– Activate only the Protections that match your network assets
– Jump from the log directly to the protection
– View packet captures
 Create Network Exceptions
– At the profile or protection level
 Optimize IPS Policy
 Strong integration with Provider-1
– Define multiple protection policies on the global level and choose how to
implement them on the customer level
puresecurity™
©2003-2008 Check Point Software Technologies Ltd. All rights reserved.
[Public] – For everyone
33
Customize Your IPS Policy
1.
2.
3.
4.
5.
6.
Start with the
Recommended IPS
profile
Set the entire profile
to Detect
Configure the
automatic Security,
Performance, and
Confidence Level
Activate only the
protections needed
Look at the logs,
adjust protections
as needed
Once satisfied with
the result, Move to
prevent mode
puresecurity™
©2003-2008 Check Point Software Technologies Ltd. All rights reserved.
[Public] – For everyone
34
Browse and navigate through the protections
 The Protection Browser allows easy and simple
navigation through the entire list of protections. You can
search, sort, filter, export and take action directly from
the grid!
puresecurity™
©2003-2008 Check Point Software Technologies Ltd. All rights reserved.
[Public] – For everyone
35
Add Network Exceptions
Locate Issues, Troubleshoot, Change What Is Needed
 Exclude specific traffic
from inspection based on
– Protections (individual, or all)
– Source IPs, Networks or
Groups
– Destination IPs, Networks or
Groups
– Services
– Gateways
puresecurity™
©2003-2008 Check Point Software Technologies Ltd. All rights reserved.
[Public] – For everyone
36
View Packet Capture
 Packet Capture
– Useful forensic tool
– Granular admin permission
puresecurity™
©2003-2008 Check Point Software Technologies Ltd. All rights reserved.
[Public] – For everyone
37
Optimizing IPS
 Set protection
scope
– Protect internal
hosts
– Protect all
 As an extra
safety measure,
use the Bypass
Under Load
mechanism to
automatically
disable the IPS in
the unlikely event
of high load
puresecurity™
©2003-2008 Check Point Software Technologies Ltd. All rights reserved.
[Public] – For everyone
38
Safely Integrate New Protections
 Follow up on newly downloaded protections.
 Manage the integration of each new protection
individually. The user has complete control.
puresecurity™
©2003-2008 Check Point Software Technologies Ltd. All rights reserved.
[Public] – For everyone
39
Whats new in R70.1
puresecurity ™
©2003-2008 Check Point Software Technologies Ltd. All rights reserved.
[Public] – For everyone
R70.1 Delivers SmartWorkflow
Automated Policy Change Management
Visual change tracking
Flexible authorization
Audit trails
Single Console
Integration
puresecurity™
©2003-2008 Check Point Software Technologies Ltd. All rights reserved.
[Public] – For everyone
41
R70.1 New Appliance Features
 Hardware sensors monitoring
–
–
–
–
Fan speed, Motherboard voltages, CPU Temperatures
Web Interface Display
SNMP Support
All Power-1 appliances
 RAID monitoring
– Logical & Physical HDD status
– SNMP Support
– Power-1 Appliances
 Initial Configuration from USB key
 Improved Setup from LCD
– Setup Mgmt IP
– Reboot
puresecurity™
©2003-2008 Check Point Software Technologies Ltd. All rights reserved.
[Public] – For everyone
42
Power-1 11000 Hardware monitoring
puresecurity™
©2003-2008 Check Point Software Technologies Ltd. All rights reserved.
[Public] – For everyone
43
R70.1 New Appliance Features
 Link Aggregation
Security
Gateway
– Also known as NIC Teaming or
Interface Bonding
bond0
– All interfaces in a bond are active and
act as a single logical interface
eth0
– Traffic is load balanced between the
bonded interfaces
eth1
– Increase aggregate bandwidth with high
availability for the physical interfaces
– IEEE 802.3ad or XOR standard
– For SecurePlatform
puresecurity™
©2003-2008 Check Point Software Technologies Ltd. All rights reserved.
[Public] – For everyone
44
R70.1 New Software Features
URL Filtering Enhancements
Reporting & Event Correlation
Software Blades on VMware ESX
puresecurity™
©2003-2008 Check Point Software Technologies Ltd. All rights reserved.
[Public] – For everyone
45
R70.1 User Interface New Features
 Quick Add Object to Rule
Base
 Where Used – Go To
 Easily View Group
Members
 Extended Clone
Functionality
puresecurity™
©2003-2008 Check Point Software Technologies Ltd. All rights reserved.
[Public] – For everyone
46
R70.1 Enhancements
 SmartWorkflow
– Change management of Network Policy objects & rules
– Audit trail of changes via SmartView Tracker filter
 DoS/DDoS Attack Mitigation
– Detects multiple attacks
– Learning mode
– Gateway and server protections
 Appliance/SecurePlatform enhancements
– Link aggregation – active/active NIC bonding
– USB key enables remote deployment of appliances
– Appliance hardware monitoring
 IPS-1 and R70 IPS Event Management
puresecurity™
©2003-2008 Check Point Software Technologies Ltd. All rights reserved.
[Public] – For everyone
47
R70 Conclusion
 Strong performance with integrated IPS enabled
– Accelerated with SecureXL and CoreXL
 Better Security with a New multi-threat detection engine
– Better protections
– Scales as new protections are added
– Industry-leading real-time threat protection update times
 Easy-to-use integrated IPS
–
–
–
–
Simplified management of IPS policy and updates
Granular control of IPS policy, updates, and protections
Cyclic workflow management design
Great IPS Event Management and Forensic Analysis
puresecurity™
©2003-2008 Check Point Software Technologies Ltd. All rights reserved.
[Public] – For everyone
48
Thank You !
puresecurity ™
©2003-2008 Check Point Software Technologies Ltd. All rights reserved.
[Public] – For everyone