©2003-2008 check point software technologies ltd. all rights reserved. [public] – for everyone...

©2003-2008 Check Point Software Technologies Ltd. All rights reserved.

puresecurity™[Public] – For everyone

Technical and Architectural Overviewof R70

Patrick Hanel

Technical consultant, CISSP

puresecurity™2©2003-2008 Check Point Software Technologies Ltd. All rights reserved. [Public] – For everyone

AgendaAgenda

Check Point Software Blade Architecture Check Point R70 Technology CheckPoint R70.1


In 2009 customers have a choiceIn 2009 customers have a choice

network security solutions Check Point Software Blades

one projectmultiple configurations

single management

one projectmultiple configurations

single management

OR

Lower investmentLower TCO

Lower investmentLower TCO

Etc…

multiple projectsdedicated hardware

dedicated management

multiple projectsdedicated hardware

dedicated management

VPN

IPS Web Security

Corporate HQ

VPNFirewall

Branch Office

Firewall


Our new security architectureOur new security architecture

softwareblades from Check Point


Total SecurityComplete Security & Management PortfolioTotal SecurityComplete Security & Management Portfolio

Security Gateway Blades

Security Management Blades


How does it work?How does it work?

STEP 1Select a container

based on size (# cores)

STEP 1Select a container

based on size (# cores)

STEP 2Select the software

blades

STEP 2Select the software

blades

STEP 3 Create a system that issimple, flexible, secure

STEP 3 Create a system that issimple, flexible, secure


Check Point Software Blades

softwarebladesfrom Check Point

SecureSecure FlexibleFlexibleFlexibleFlexible Simple Simple



Check Point R70 Technology


Check Point R70- The Evolution Continues

Check Point R70- The Evolution Continues

R70 release featuring Software Blade architecture

New IPS Software BladeNew IPS Software Blade

Improved Core Firewall Performance Improved Core Firewall Performance

New Provisioning Software Blade New Provisioning Software Blade



R70 architecture


R70 ArchitectureR70 Architecture

CoreXL

IPS Engine

Firewall

Deeper multi-core integration Multi-tier IPS filtering engine

– quickly filters ~90% of traffic

Filter attacks only on the relevant sections of the traffic– reduce overhead– Reduce false positives

Performance Improvements in Secure Platform OS

Netw

ork

Secure Platform

Netw

ork

IPS Engine

Firewall

…


Integration with CoreXLIntegration with CoreXL

Core #7Core #6

Core #3Core #2

Core #5Core #4

Core #1

Secure Network Dispatcher

Core #0

eth1

eth0

PPAK

Secure Network Dispatcher

PPAK

fw5Medium Path

Queue

fw4Medium Path

Queue

fw1Medium Path

Queue

fw0Medium Path

Queue

fw3Medium Path

Queue

fw2Medium Path

Queue

• Multiple firewall kernel instances increases performance 70%> per core• IPS runs outside of firewall path context• IPS processing: ~2x faster than firewall path


firewallIPS

Core #7Core #6

Core #3Core #2

Core #5Core #4

Core #1

Customize to Match HardwareCustomize to Match Hardware

fw6

Queue

firewall firewall firewall

firewall

firewall

Core #0

IPS

Dispatcher

SecureXL

eth1

eth0 Dispatcher

SecureXL

eth1

IPS IPSIPSIPS

CPU Affinity - the ability to attach software code to physical CPU– Kernel instances will execute firewall and IPS on that core

NIC Affinity – the abilitiy to attach Network Interfaces to a SecureXL/Dispatcher core


Set ClusterXL IPS Failover OptionsSet ClusterXL IPS Failover Options

Prefer security

Prefer connectivity



New IPS Engine/Architecture


Redesigned IPS EngineRedesigned IPS Engine

New Threat Control EngineNew Threat Control EngineUtilizing multiple methods of detection and analysis for Utilizing multiple methods of detection and analysis for

accurate and confident securityaccurate and confident security

• Pre-emptive and accurate detection via NEW! multi-method signature & behavioral prevention engine.

• Wide protection coverage for both server and client vulnerabilities.

• Protection profiles with attack severity, confidence, and performance settings to automatically set protections to Detect or Prevent.

• Open language for writing protections and protocol decoders.

• Application Identification for application policy enforcement.


Architecture – Main ConceptsArchitecture – Main Concepts

IPS Parallel Inspection Architecture– Multi-Layered parsing – where each layer screens attacks or the

protocol/application.– Parsers Parse, Protections Protect

» Protocol parser should not do security.

» Protections should not re-parse the traffic again and again.

» Makes protections much more accurate

“Accelerate” the IPS Inspection– Done by separating the IPS engines from the FW infrastructure

to an independent blade.


Protects against IPS EvasionProtects against IPS Evasion

The Streaming Engine reassembles TCP packets Works in conjunction with SecureXL to accelerate

packets Prevents IPS evasion and network attacks Provides packet captures

ad.txt get bget b ad.txt

Assembles packets for inspection and detects some attacks


Protects Against Protocol Anomalies Protects Against Protocol Anomalies

Protocol Parsers dissect the data stream Validate protocol compliance The outcome is a context

– Examples of contexts are HTTP URL, FTP command, FTP file name, HTTP response, and certain files


INSPECT V2 Detects Complex AttacksINSPECT V2 Detects Complex Attacks

Accelerated by SecureXL & CoreXL Supports complex inspections to pin-

point the attack Supports for loops, if conditions, string

searches, and more Decreases the development time of

new protections Useful for inspection of applications &

protocols that are not well-defined



IPS Blade


New IPS Management Workflow Enhanced IPS profiles automatically activate protections Mark new protections for Follow-up

Better IPS Performance and Enforcement New high speed pattern matching engine New architecture facilitates fast release of new updates Packet capture mechanism

Ensure total system performance New IPS Event Management

Timeline status to easily identify critical events on mission critical servers Forensic analysis tools to easily drill-down to packet captures of attack

events

Introducing IPS Software BladeIntroducing IPS Software Blade


Improved IPS Management Flexible IPS policy and Event management

Improved Performance Merger of CoreXL into the main release Fast IPS engine integrated with CoreXL

Better Security New multi-detection IPS engine with over 2300 behavioral and signature

based protections

Support for New Platforms SecurePlatform based on 2.6 kernel IPSO 6.x Windows Server 2008 RHEL 5 (Security Management only) Solaris 8, 9, 10 (Security Management only)

Why upgrade to Security Gateway R70?Why upgrade to Security Gateway R70?



Flexible IPS Policy Management


Single Security Management ConsoleSingle Security Management Console


Severity levels– Likelihood that an attack will cause damage

Confidence levels– how confident IPS is that recognized attacks are actually undesirable

traffic

Performance Impact– Protection impact on gateway performance

Protection Type– Clients and/or Servers

Industry Reference (e.g.: CVE-2009-0098 and MS09-003)

More Information and ClassificationMore Information and Classification


Signatures

– Prevent specific vulnerabilities

Anomaly protections

– Prevent suspicious non-compliant traffic

Application Controls

– Select what is permitted or not inside a protocol

Engine Settings

– Ability to configure the behavior of the different engines (like TCP, http, SIP, instant messengers etc…)

Enforcement TypesEnforcement Types


Simplified IPS Policy ManagementSimplified IPS Policy Management

Turn on the IPS Blade– Enable the blade, select a profile, and install the policy

Protections are automatically activated by the IPS profile– Default optimized for performance– Recommended optimized for security

Update Protections– Protections are automatically activated by the profile setting

Review IPS Status– Quickly see overall status and Security Center news

Set Application Enforcement Policy– Not automatically enforced by the profile settings


Turn on IPS BladeTurn on IPS Blade

IPS is O

N

1. Enable IPS

2. Select a profile

3. Install the policy


Automatic ActivationsAutomatic Activations

New protections are automatically activated

And set to Prevent or Detect


Quickly overview your statusQuickly overview your status


Set Application Enforcement PolicySet Application Enforcement Policy

Save your bandwidth and enforce proper network usage. – Dozens of Peer-to-peer and Instant

Messaging applications can be blocked with just a click

New applications are constantly being added via IPS updates– E.g. ARES, QQ, TeamViewer …


Granular Controls For Advanced UsersGranular Controls For Advanced Users

Customize and create new IPS profiles– Over-ride protections

Better management of new protections– Apply revision control in case you want to revert to an earlier update– Newly downloaded protections can be set to detect or prevent– Mark new protections for Follow-up to make it easier to review and

monitor them– Activate only the Protections that match your network assets– Jump from the log directly to the protection– View packet captures

Create Network Exceptions– At the profile or protection level

Optimize IPS Policy Strong integration with Provider-1

– Define multiple protection policies on the global level and choose how to implement them on the customer level


Customize Your IPS PolicyCustomize Your IPS Policy

1. Start with the Recommended IPS profile

2. Set the entire profile to Detect

3. Configure the automatic Security, Performance, and Confidence Level

4. Activate only the protections needed

5. Look at the logs, adjust protections as needed

6. Once satisfied with the result, Move to prevent mode


Browse and navigate through the protectionsBrowse and navigate through the protections

The Protection Browser allows easy and simple navigation through the entire list of protections. You can search, sort, filter, export and take action directly from the grid!


Exclude specific traffic from inspection based on– Protections (individual, or

all)– Source IPs, Networks or

Groups– Destination IPs, Networks or

Groups– Services– Gateways

Locate Issues, Troubleshoot, Change What Is NeededLocate Issues, Troubleshoot, Change What Is Needed

Add Network ExceptionsAdd Network Exceptions


View Packet CaptureView Packet Capture

Packet Capture– Useful forensic tool– Granular admin permission


Optimizing IPSOptimizing IPS

Set protection scope– Protect internal

hosts – Protect all

As an extra safety measure, use the Bypass Under Load mechanism to automatically disable the IPS in the unlikely event of high load


Safely Integrate New ProtectionsSafely Integrate New Protections

Follow up on newly downloaded protections. Manage the integration of each new protection

individually. The user has complete control.



Whats new in R70.1


R70.1 Delivers SmartWorkflowR70.1 Delivers SmartWorkflow

Single Console Integration

Visual change tracking

Flexible authorization

Audit trails

Automated Policy Change ManagementAutomated Policy Change Management


Hardware sensors monitoring– Fan speed, Motherboard voltages, CPU Temperatures– Web Interface Display– SNMP Support– All Power-1 appliances

R70.1 New Appliance FeaturesR70.1 New Appliance Features

RAID monitoring– Logical & Physical HDD status– SNMP Support– Power-1 Appliances

Initial Configuration from USB key

Improved Setup from LCD– Setup Mgmt IP – Reboot


Power-1 11000 Hardware monitoringPower-1 11000 Hardware monitoring


R70.1 New Appliance FeaturesR70.1 New Appliance Features

SecurityGateway

eth1

eth0

Link Aggregation

– Also known as NIC Teaming or Interface Bonding

– All interfaces in a bond are active and act as a single logical interface

– Traffic is load balanced between the bonded interfaces

– Increase aggregate bandwidth with high availability for the physical interfaces

– IEEE 802.3ad or XOR standard

– For SecurePlatform

bond0


R70.1 New Software FeaturesR70.1 New Software Features

URL Filtering EnhancementsURL Filtering Enhancements

Reporting & Event Correlation Software Blades on VMware ESX

Reporting & Event Correlation Software Blades on VMware ESX


R70.1 User Interface New FeaturesR70.1 User Interface New Features

Quick Add Object to Rule Base

Where Used – Go To

Easily View Group Members

Extended CloneFunctionality


R70.1 EnhancementsR70.1 Enhancements

SmartWorkflow– Change management of Network Policy objects & rules– Audit trail of changes via SmartView Tracker filter

DoS/DDoS Attack Mitigation– Detects multiple attacks– Learning mode– Gateway and server protections

Appliance/SecurePlatform enhancements– Link aggregation – active/active NIC bonding– USB key enables remote deployment of appliances– Appliance hardware monitoring

IPS-1 and R70 IPS Event Management


Strong performance with integrated IPS enabled– Accelerated with SecureXL and CoreXL

Better Security with a New multi-threat detection engine– Better protections – Scales as new protections are added– Industry-leading real-time threat protection update times

Easy-to-use integrated IPS– Simplified management of IPS policy and updates– Granular control of IPS policy, updates, and protections – Cyclic workflow management design– Great IPS Event Management and Forensic Analysis

R70 ConclusionR70 Conclusion



Thank You !

©2003-2008 check point software technologies ltd. all rights reserved. [public] – for everyone...

Documents