Secure Virtual Network Architecture


WORLDWIDE LEADER IN SECURING THE INTERNET
Check Point Next Generation, Feature Pack 1 (FP1)
Thomas Witte, Check Point Deutschland
Agenda
- Check Point - The Company
- VPN-1 Solutions
- Enterprise Management Solutions
- Performance & Availability
- UserAuthority

©2001 Check Point Software Technologies Ltd. - Proprietary & Confidential
Mission
Make the Internet secure, reliable, and manageable.
Check Point Facts

History
- Founded June 1993
- IPO June 1996
- Strong growth in revenues and profits

Global market leadership
- 62% VPN market share (Gartner Group, 2001)
- 42% firewall market share (#1 position, IDC, 2001)
- De-facto standard for Internet security

Strong business model
- Technology innovation and leadership
- Technology partnerships
- Strong and diversified channel partnerships
Check Point Today

Financial strength
- 25 consecutive quarters of income/revenue growth

Market leadership
- 186,000+ installations
- 80,000+ VPN gateways
- 63 million+ VPN clients
- 68,000+ customers
- 1,500+ channel partners
- 300+ OPSEC partners

[Chart: revenue and net income, $ millions, 1994-2000]
SVN Solutions

Management
- Provider-1
- Meta IP
- User Authority
- Account Management
- Open Security Extension
- Reporting
- Certificate Manager

VPN / Security
- FireWall-1
- VPN-1 product family: Gateway, SecuRemote, SecureClient, SecureServer
- Certified Appliances
- VPN-1/FW-1 Small Office
- Check Point RealSecure

Performance / Availability
- FloodGate-1 QoS
- VPN-1 Accelerator Card
- High Availability Module
- Connect Control

Common foundation: Stateful Inspection, policy-based management, OPSEC.
Many solutions - one architecture.
The OPSEC Best-of-Breed Integration

Check Point policy-based management integrates third-party products in these areas:
- Content Security
- PKI & Directories
- Intrusion Detection
- High Availability
- Event Analysis & Reporting
- Authentication

OPSEC protocols and APIs: CVP (Content Vectoring Protocol), UFP (URL Filtering Protocol), SAMP (Suspicious Activity Monitoring Protocol), OMI (Object Management Interface), LEA (Log Export API), UAM (UserAuthority API), RADIUS, LDAP, and others.

Check Point product solutions are delivered on servers, switches, routers, security appliances, service-provider platforms, security software, policy consoles and acceleration engines.
The New World
- Private network -> Internet backbone
- Single site -> distributed network
- Physical assets -> virtual corporation

The New Role of Security
- Restrict access -> secure access
- Prevent losses -> generate revenue
Security Everywhere

Networks
- LAN/WAN, broadband, wireless
- Corporate office and branch office
- Fixed line, dial-up, broadband and wireless access

Systems
- Servers, PCs, desktops
- Phones/PDAs, mobile devices

Applications
- E-business
- E-commerce
- Multimedia

Users
- Customers, partners, suppliers
- Extended workforces
- Mobile employees
Fast and Scalable

1994-1999: enterprise servers (Solaris, AIX, HP-UX, NT, Linux) and large-scale VPNs
2000: appliances for remote office and small business, home users on DSL and cable, and high-performance gigabit VPNs
VPN-1 Solutions

One-Click VPNs
- Define a VPN Community
- Add sites to the community with one click

[Diagram: Intranet VPN community with sites New York, London, Tokyo and Sydney]
One-Click VPNs
- Defining a VPN Community automatically creates an encryption rule in the security policy for traffic between community members, so no encryption rule has to be written by hand
- One-Click VPNs simplify security policy creation and management
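To make the "automatically creates an encryption rule" point concrete, here is an added example (not Check Point code, and not how VPN-1 implements communities internally) of the rule a meshed community implies and how a gateway would apply it to a single flow. Site names and address ranges are constructed; the gateway-pair mesh and the overlap check are the example's own design choices.

```python
"""Added example (not Check Point code): what a meshed VPN Community implies.
Each member gateway protects an 'encryption domain'; defining the community
is equivalent to one rule
    community-domains -> community-domains : Encrypt
which a gateway resolves per flow to a peer gateway.  Site names and address
ranges are constructed for the example."""
import ipaddress
from itertools import combinations
from typing import Dict, List, Optional, Tuple


class VPNCommunity:
    def __init__(self, name: str):
        self.name = name
        self.members: Dict[str, List[ipaddress.IPv4Network]] = {}

    def add_site(self, gateway: str, domain: List[str]) -> None:
        """'One click': register a gateway and its encryption domain.
        Overlapping domains are rejected, because a packet could then match two
        peers and the gateway could not pick a unique tunnel."""
        nets = [ipaddress.ip_network(n) for n in domain]
        for other, other_nets in self.members.items():
            for a in nets:
                for b in other_nets:
                    if a.overlaps(b):
                        raise ValueError(
                            f"{gateway} domain {a} overlaps {other} domain {b}")
        self.members[gateway] = nets

    def mesh_rules(self) -> List[Tuple[str, str]]:
        """Unordered gateway pairs that get a tunnel in a meshed community."""
        return list(combinations(sorted(self.members), 2))

    def domain_of(self, ip: str) -> Optional[str]:
        addr = ipaddress.ip_address(ip)
        for gw, nets in self.members.items():
            if any(addr in n for n in nets):
                return gw
        return None

    def decide(self, src: str, dst: str) -> Tuple[str, Optional[Tuple[str, str]]]:
        """Apply the implied encryption rule to one flow.
        Returns ('encrypt', (src_gw, dst_gw)); ('clear', None) for traffic that
        stays inside one site's domain; or ('no-match', None) when an endpoint
        is outside the community, so the ordinary rule base decides."""
        s, d = self.domain_of(src), self.domain_of(dst)
        if s is None or d is None:
            return "no-match", None
        if s == d:
            return "clear", None
        return "encrypt", (s, d)


def build_demo_community() -> VPNCommunity:
    """Constructed four-site intranet community (addresses are examples)."""
    c = VPNCommunity("Intranet VPN")
    c.add_site("New York", ["10.1.0.0/16"])
    c.add_site("London", ["10.2.0.0/16"])
    c.add_site("Tokyo", ["10.3.0.0/16"])
    c.add_site("Sydney", ["10.4.0.0/16", "10.5.0.0/24"])
    return c


if __name__ == "__main__":
    c = build_demo_community()
    print(c.mesh_rules())                       # six gateway pairs
    print(c.decide("10.1.5.5", "10.2.7.7"))     # encrypted New York <-> London
    print(c.decide("10.4.1.1", "10.5.0.9"))     # clear, both inside Sydney
    print(c.decide("10.1.1.1", "192.0.2.9"))    # not community traffic
```

The overlap check is the caveat worth keeping: two members whose encryption domains overlap make the implied rule ambiguous, and a deployment should reject or deconflict that before the policy is installed rather than let the gateway pick a tunnel by match order.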
VPN-1 Clients: ConnectMode
- Allows users to explicitly connect to and disconnect from the VPN
- Enables multiple "connection profiles" for different environments

Benefits:
- Provides more control to users who want it
- Uses a model similar to dial-up for greater ease of use
VPN-1 SecureClient: OfficeMode
- The VPN-1 Gateway assigns an IP address to VPN-1 SecureClient during key exchange

[Diagram: remote users receive addresses from the corporate 10.x.x.x space]

Benefits:
- Remote user "appears" local
- Enables some IP-based applications
- Eases user experience

Note: because the remote host then sources its traffic from an internal address, the pool the gateway hands out must be routed back to the gateway and must not overlap the addresses already in use on the internal networks.
VPN-1 SecureClient: One-Click Certificates
- The manager generates a user certificate with "one click"

Benefits:
- An Internal Certificate Authority is included with VPN-1, giving strong authentication "out of the box"
VPN-1 SecureClient: New Policy Interface
- Rules sorted by direction (inbound/outbound)

Benefits:
- Client policies are easier to read
VPN-1 SecureClient: Diagnostic Tools
- Shows status of client connection, security, etc.
- Shows the policy in force on the client
- Shows events logged on the client

Reduces the administrative overhead involved in supporting remote access VPN users.
More New VPN-1 Features
- VPN-1 Gateway: FIPS 140 Level 2 compliance
- VPN-1 SecureClient: Policy Server clustering
Enterprise Management Solutions

Dynamic Address Gateways
- Gateways with dynamically assigned IP addresses can be managed remotely

Benefits:
- Supports Remote Office/Branch Office environments with low-cost Internet access

[Diagram: a VPN-1/FireWall-1 SmallOffice gateway with an ISP-assigned dynamic address (216.200.241.66 in the slide), managed from the management console and management server]
Enhanced Administrator Security
- "Profiles" define privileges
- Granular settings provide access control restrictions
- Authentication choices include digital certificates

Increased control and delegation of administrator roles and responsibilities.
Multiple Policy Support: Limit Policy Scope
(1) Limit the set of gateways on which a policy can be installed
(2) At policy install time, only valid installation targets appear
(3) Excluded gateways do not appear

Simplified management for security environments requiring multiple policies.
Visual Policy Editor: Expanded Rule Visualization
- Visualize traffic paths (Path 1 ... Path 4 in the slide)
Extranet Ready
1. Establish trust
2. Exchange network objects (extranet partner "A", extranet partner "B")
3. Build extranet access rules

A simple structure and process for defining and managing extranets.
Performance & Availability

ClusterXL: Gateway-based Load Sharing
- Synchronized gateways share load dynamically (in the slide, a remote office accessing central servers)
- Scalable performance for all traffic through the gateways
- Includes high availability for seamless fail-over
VPN Load Distribution
- The client randomly selects one of the configured gateways (in the slide, a remote VPN user accessing e-mail is directed to "Access Gateway 1" or "Access Gateway 2")
- Enables near-linear scalability for remote access
Low-Cost Plug-in VPN Acceleration
- Offloads 3DES encryption to Intel IPSec NICs
- Provides line-speed encryption
- Available for approximately $70

Tremendous price/performance for open platforms.
FloodGate-1: Low Latency Queuing (LLQ)
High-quality multimedia and voice on VPNs
- Prioritized over all other traffic
- Configurable per-packet guarantees: constant bit rate (CBR) and maximum delay
- Encryption overhead is taken into account, so the guarantee covers the packet as it leaves the VPN, not the clear-text packet
- Multiple rules permissible
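As an added example (not FloodGate-1 code) of what "encryption taken into account" has to cover, the following computes the on-the-wire size of a voice packet after ESP tunnel-mode encapsulation, the CBR to reserve per call, and whether a maximum-delay target is achievable on a given link. The ESP layout (RFC 2406 with 3DES-CBC and a 96-bit HMAC) is standard; the codec rates, link speed and MTU are constructed inputs, and the delay bound is the example's own simplified model of a strict-priority queue.

```python
"""Added example (not FloodGate-1 code): sizing a CBR guarantee for voice over
an IPsec VPN and checking a max-delay target.  ESP framing follows RFC 2406
with 3DES-CBC (8-byte block and IV) and HMAC-MD5-96/SHA1-96 (12-byte ICV).
Codec, link and MTU figures are constructed inputs."""
ESP_HDR = 8          # SPI + sequence number
PAD_TRAILER = 2      # pad length + next header
OUTER_IPV4 = 20      # new IP header added in tunnel mode


def esp_tunnel_size(inner_len: int, block: int = 8, iv: int = 8, icv: int = 12) -> int:
    """Bytes on the wire for one inner IP packet after ESP tunnel-mode encapsulation."""
    # pad so that payload + pad + trailer is a multiple of the cipher block size
    pad = (-(inner_len + PAD_TRAILER)) % block
    return OUTER_IPV4 + ESP_HDR + iv + inner_len + pad + PAD_TRAILER + icv


def voice_inner_len(codec_payload: int) -> int:
    """Inner IPv4 (20) + UDP (8) + RTP (12) + codec samples."""
    return 20 + 8 + 12 + codec_payload


def cbr_bps(codec_payload: int, pps: int, encrypted: bool = True) -> int:
    """Constant bit rate to reserve for one call in one direction.
    Reserving the clear-text rate under-provisions an encrypted call."""
    inner = voice_inner_len(codec_payload)
    size = esp_tunnel_size(inner) if encrypted else inner
    return size * 8 * pps


def worst_case_delay_ms(pkt_bytes: int, link_bps: int, mtu: int = 1500) -> float:
    """Simplified bound for a strictly prioritised packet: it may have to wait
    for one maximum-size packet already being transmitted, then be serialised
    itself.  Propagation delay and the far-end jitter buffer are not included."""
    return (mtu + pkt_bytes) * 8 * 1000 / link_bps


def plan_call(codec_payload: int, pps: int, link_bps: int, max_delay_ms: float) -> dict:
    """Everything an operator needs to write the CBR and max-delay guarantee."""
    size = esp_tunnel_size(voice_inner_len(codec_payload))
    delay = worst_case_delay_ms(size, link_bps)
    return {
        "encrypted_pkt_bytes": size,
        "clear_bps": cbr_bps(codec_payload, pps, encrypted=False),
        "guarantee_bps": cbr_bps(codec_payload, pps),
        "worst_case_delay_ms": round(delay, 2),
        "meets_max_delay": delay <= max_delay_ms,
    }


if __name__ == "__main__":
    # G.711 at 20 ms: 160 bytes of samples, 50 packets per second (constructed call)
    print(plan_call(160, 50, link_bps=128_000, max_delay_ms=50.0))
    print(plan_call(160, 50, link_bps=2_000_000, max_delay_ms=50.0))
```

On the 128 kbit/s link the guarantee cannot be met even with strict priority, because one full-size data packet already on the wire alone takes about 94 ms to finish; that is the case where a maximum-delay rule needs the link-layer fragmentation of large packets, not just a higher queue priority.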
UserAuthority

UserAuthority SecureAgent
1. User logs into the Windows domain controller and downloads SecureAgent
2. User attempts to access resources through VPN-1/FireWall-1
3. UserAuthority and SecureAgent are queried to determine user identity and credentials

- Single sign-on based on Windows domain authentication for VPN-1/FireWall-1 and UserAuthority-enabled applications
- Enables user-based tracking in a dynamic environment
- Transparent to the end user
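The "user-based tracking" claim on this slide, as an added example (not UserAuthority or SecureAgent code): a gateway that only sees source addresses can attribute connections to domain users if something that observed the domain logon tells it who is behind each address. The domain events, firewall records and field names below are constructed for the example; the product queries the agent at access time, whereas this replays recorded events to show the mapping and its main failure mode, several users behind one address.

```python
"""Added example (not UserAuthority/SecureAgent code): attributing firewall
connection records to Windows domain users from observed logon/logoff events.
All events, log lines and field names are constructed for the example."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class IdentityMap:
    # ip -> users currently logged on from that address
    sessions: Dict[str, Set[str]] = field(default_factory=dict)

    def logon(self, ip: str, user: str) -> None:
        self.sessions.setdefault(ip, set()).add(user)

    def logoff(self, ip: str, user: str) -> None:
        self.sessions.get(ip, set()).discard(user)

    def resolve(self, ip: str) -> str:
        """Name the user behind ip, or say why that is not possible.
        Two users on one address (terminal server, NAT, shared workstation)
        is deliberately reported as 'ambiguous' rather than guessed."""
        users = self.sessions.get(ip, set())
        if len(users) == 1:
            return next(iter(users))
        return "ambiguous" if users else "unknown"


def parse_kv(line: str) -> Dict[str, str]:
    """Parse a constructed 'key=value key=value' connection record."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


DC_EVENTS: List[Tuple[str, str, str, str]] = [  # (time, kind, ip, user), constructed
    ("09:00:01", "logon", "10.1.1.5", "alice"),
    ("09:05:00", "logon", "10.1.1.7", "bob"),
    ("09:06:00", "logon", "10.1.1.7", "carol"),   # second user on the same host
    ("09:10:00", "logoff", "10.1.1.5", "alice"),
]

FW_LOG: List[str] = [  # constructed gateway connection records
    "time=09:02:00 src=10.1.1.5 dst=192.0.2.10 service=http action=accept",
    "time=09:07:00 src=10.1.1.7 dst=192.0.2.10 service=http action=accept",
    "time=09:11:00 src=10.1.1.5 dst=192.0.2.20 service=smtp action=accept",
    "time=09:12:00 src=10.1.1.9 dst=192.0.2.20 service=smtp action=drop",
]


def attribute(dc_events, log_lines) -> List[Dict[str, str]]:
    """Replay domain events and connection records in time order and add a
    'user' field to each record.  At equal timestamps the domain event is
    applied first, so a logon at 09:00:00 covers a connection at 09:00:00."""
    identity = IdentityMap()
    timeline = [(ev[0], 0, ev) for ev in dc_events]
    timeline += [(parse_kv(line)["time"], 1, line) for line in log_lines]
    timeline.sort(key=lambda t: (t[0], t[1]))
    enriched = []
    for _, kind, item in timeline:
        if kind == 0:
            _, action, ip, user = item
            (identity.logon if action == "logon" else identity.logoff)(ip, user)
        else:
            rec = parse_kv(item)
            rec["user"] = identity.resolve(rec["src"])
            enriched.append(rec)
    return enriched


if __name__ == "__main__":
    for rec in attribute(DC_EVENTS, FW_LOG):
        print(rec["time"], rec["src"], rec["user"], rec["action"])
```

The "ambiguous" outcome is the check to keep: behind NAT, on a terminal server or on a shared workstation an address does not identify one person, and a rule that grants access on the strength of such a mapping grants it to everyone on that host. The "unknown" result after alice's logoff shows the other side, a stale mapping that must expire when the session ends rather than linger.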
Thank You!