Post on 22-Dec-2015
Worldwide Leader in Securing the Internet
Check Point Next Generation Feature Pack 1 (FP1)
Thomas Witte
Check Point Deutschland
©2001 Check Point Software Technologies Ltd. - Proprietary & Confidential 2
Agenda
• Check Point - The Company
• VPN-1 Solutions
• Enterprise Management Solutions
• Performance & Availability
• UserAuthority
Mission
Make the Internet Secure, Reliable, and Manageable
Check Point Facts
History
• Founded June 1993
• IPO June 1996
• Strong growth in revenues and profits
Global market leadership
• 62% VPN market share (Gartner Group, 2001)
• 42% firewall market share (#1 position - IDC, 2001)
• De-facto standard for Internet security
Strong business model
• Technology innovation and leadership
• Technology partnerships
• Strong and diversified channel partnerships
Check Point Today
Financial Strength
• 25 consecutive quarters of income/revenue growth
Market Leadership
• 186,000+ Installations
• 80,000+ VPN Gateways
• 63 Million+ VPN Clients
• 68,000+ Customers
• 1,500+ Channel Partners
• 300+ OPSEC Partners
[Chart: Net Income and Revenue, $ Millions, 1994-2000]
SVN Solutions
Many solutions - one architecture
[Diagram: OPSEC and Policy-based Management spanning three product areas, all built on Stateful Inspection]
• VPN / Security: FireWall-1, VPN-1 Product Family (Gateway, SecuRemote, SecureClient, SecureServer), Certified Appliances, VPN-1/FW-1 Small Office, Check Point RealSecure
• Management: Provider-1, Meta IP, User Authority, Account Management, Open Security Extension, Reporting, Certificate Manager
• Performance / Availability: FloodGate-1 QoS, VPN-1 Accelerator Card, High Availability Module, Connect Control
The OPSEC - Best Of Breed Integration
[Diagram: Check Point Product Solutions and Check Point Policy-Based Management connect through OPSEC Protocols and APIs (CVP, UFP, SAMP, LEA, OMI, RADIUS, LDAP, UAM, others) to partner categories: Content Security, Intrusion Detection, High Availability, Authentication, PKI & Directories, Servers, Switches, Routers, Security Appliances, Service Providers, Security Software, Policy Consoles, Acceleration Engines, Event Analysis & Reporting, Others]
The New Role of Security
The New World:
• Physical Assets → Virtual Corporation
• Private Network → Internet Backbone
• Single Site → Distributed Network
• Restrict Access → Secure Access
• Prevent Losses → Generate Revenue
Security Everywhere
[Diagram: Corporate Office and Branch Office connected over Fixed Line, Dial-Up, Broadband and Wireless links to Customers, Partners, Suppliers, Extended Workforces and Mobile Employees]
• Networks: LAN/WAN, Broadband, Wireless
• Systems: Servers, PCs, Phones/PDAs
• Applications: E-Business, E-Commerce, Multimedia
• Users: Desktops, Mobile
Check Point 2000
[Diagram: from 1994-1999 to Check Point 2000: Fast and Scalable, Large Scale VPNs, High Performance, Gigabit VPNs, Enterprise Servers (AIX, NT, Solaris, HP-UX), Remote Office & Small Business, Home Users, Linux, Appliance, Cable, DSL]
VPN-1 Solutions
Intranet VPN
One-Click VPNs
• Define a VPN Community
• Add sites to the community with one click!
[Diagram: Sydney, New York, London and Tokyo sites in one VPN community]
One-Click VPNs
• Definition of a VPN Community automatically creates an encryption rule in the security policy
• One-Click VPNs simplify security policy creation and management
VPN-1 Clients: Connect Mode
• Allows users to explicitly CONNECT/DISCONNECT from the VPN
• Enables multiple “connection profiles” for different environments
Benefits:
• Provides more control to users who want it
• Uses a model similar to dial-up for greater ease of use
VPN-1 SecureClient: Office Mode
• VPN-1 Gateway assigns an IP address to VPN-1 SecureClient during key exchange
Benefits:
• Remote user “appears” local
• Enables some IP-based applications
• Eases user experience
[Diagram: Remote Users receive 10.x.x.x addresses from the Corporate Network]
VPN-1 SecureClient: One-Click Certificates
• Manager generates user certificate with “one-click”
Benefits:
• Internal Certificate Authority included with VPN-1 for strong authentication “out of the box”
VPN-1 SecureClient: New Policy Interface
• Rules sorted by direction (inbound/outbound)
Benefits:
• Client policies are easier to read
VPN-1 SecureClient: Diagnostic Tools
• Reduces administrative overhead involved in supporting remote access VPN users
• Shows status of client connection, security, etc.
• Shows policy in force on client
• Shows events logged on the client
More New VPN-1 Features
• VPN-1 Gateway: FIPS 140 Level 2 Compliance
• VPN-1 SecureClient: Policy Server Clustering
Enterprise Management Solutions
Dynamic Address Gateways
• Gateways with dynamically assigned IP addresses can be managed remotely
Benefits:
• Supports Remote Office/Branch Office environments with low-cost Internet access
[Diagram: VPN-1/FireWall-1 SmallOffice with a dynamically assigned IP address from the ISP, managed by a Management Console and Management Server at 216.200.241.66]
Enhanced Administrator Security
• Granular settings provide access control restrictions
• Authentication choices include digital certificates
• Increased control and delegation of administrator roles and responsibilities
• “Profiles” define privileges
Multiple Policy Support: Limit Policy Scope
(1) Limit the set of Gateways on which a policy can be installed
(2) At policy install time, only valid installation targets appear
(3) Excluded Gateways do not appear
Simplified management for security environments requiring multiple policies
Visual Policy Editor: Expanded Rule Visualization
• Visualize Traffic Paths
[Diagram: Path 1, Path 4, Path …]
Extranet Ready
• A simple structure and process for defining and managing Extranets
• Establish Trust
• Exchange Network Objects
• Build Extranet Access Rules
[Diagram: Extranet partner “A” and Extranet partner “B”]
Performance & Availability
ClusterXL: Gateway-based Load Sharing
• Scalable performance for all traffic through gateways
• Includes high availability for seamless fail-over
• Synchronized gateways share load dynamically
[Diagram: a remote VPN user and a remote office access central servers through the synchronized gateways]
VPN Load Distribution
• Client randomly selects gateway
• Enables near-linear scalability for remote access
[Diagram: clients choosing “Access Gateway 1” or “Access Gateway 2” between Gateway 1 and Gateway 2]
Low-Cost Plug-in VPN Acceleration
• Offloads 3DES encryption to Intel IPSec NICs
• Provides line speed encryption
• Available for approximately $70
• Tremendous price/performance for open platforms
FloodGate-1: Low Latency Queuing (LLQ)
• High Quality Multimedia & Voice on VPNs
• Prioritized over all other traffic
• Configurable per packet guarantees: Constant Bit Rate (CBR), Max delay, Encryption taken into account
• Multiple rules permissible
UserAuthority
UserAuthority SecureAgent
• Single sign on based on Windows Domain Authentication for VPN-1/FireWall-1 and UserAuthority-enabled applications
• Enables user-based tracking in dynamic environment
• Transparent to end user
1. User logs into domain controller and downloads SecureAgent
2. User attempts to access resources through VPN-1/FireWall-1
3. UserAuthority and SecureAgent are queried to determine user identity and credentials
[Diagram: Windows Domain Controller and VPN-1/FireWall-1]
Thank You!