Check Point security architecture (not only) for your private cloud
Transcript of "Check Point security architecture (not only) for your private cloud"
©2014 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved.
Peter Kovalcik | SE Eastern Europe
Check Point security architecture (not only) for your private cloud
Growing enterprise complexity
[Protected] Non-confidential content
METHODOLOGY OF SDP
STEP 1: SEGMENTATION
STEP 2: DEFINE PROTECTIONS
STEP 3: CONSOLIDATION
STEP 4: POLICY DEFINITION
Segmentation
Access Control vs. Threat Prevention
Risk-based Selection
Threat Prevention
Segment | Target          | Protections
DMZ     | Servers         | IPS
LAN     | Client machines | IPS, AV, TE
DC      | Servers         | IPS
LAN     | Users           | AB (C&C)
Data Protection
Segment | Target        | Protections
LAN     | Users         | DLP
DC      | Servers, Data | DLP
Consolidation
Virtual Edition: securing VMware ESX
Security Challenges in Virtual Environments
• Inspect traffic between Virtual Machines (VMs)
• Secure new Virtual Machines automatically
• Protection from external threats
[Restricted] ONLY for designated groups and individuals
Operation Mode (diagram: vSwitch 1 and vSwitch 2 with VMs 2.1.1.1 and 2.1.1.2, an external gateway (ExtGW), the VE with its Security API and per-VM Agents)
Network Mode
• Protection from External threats
• Not aware of inter-vSwitch traffic
Hypervisor Mode
• Protects VMs with inter-vSwitch inspection
• Supports dynamic virtual environment
Deployments before VMsafe integration (diagram: external gateway (Ext GW) in front of a vSwitch with VMs 2.1.1.1 to 2.1.1.5)
• Gateway is not aware of inter-vSwitch traffic
• Packets not inspected inside vSwitch
Layer 2 security packet flow (diagram: ESX Server with VE, Security API, vSwitch and one Agent per VM)
• 2.1.1.1 sends packet to 2.1.1.3
• Packet intercepted in the Agent and forwarded to the Gateway for inspection
• Packet passed firewall inspection and is sent back to the Agent
• Packet continues the flow from where it was intercepted
• Packet is not inspected again
Layer 2 security in dynamic environments (diagram: ESX 1 and ESX 2, each with VE, Security API, vSwitch and Agents; the two VEs are kept in Sync)
• Connection initiated from 2.1.1.1 to 2.1.1.3
Layer 2 security in dynamic environments (diagram: SG VE on ESX 1 and ESX 2 with Sync; VM 2.1.1.3 shown on both hosts)
• VM is migrating to ESX 2
• Connections related to 2.1.1.3 will be marked as handled by ESX 1
Layer 2 security in dynamic environments (diagram: ESX 1 and ESX 2 with Sync after the migration of 2.1.1.3; packets from 2.1.1.1 and 2.1.1.2)
• Existing connection: packet forwarded to ESX 1
• New connection: packet not forwarded
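The connection-ownership rule sketched on the three "dynamic environments" slides, modelled in a short Python script. This is an added example, not Check Point code: the connection table layout, the `owner` field and the names `Gateway.inspect`, `mark_migrating_vm` and `simulate_migration` are assumptions made for illustration. It shows why the marking step matters: a packet of an existing connection seen on the new host is handed to the gateway that holds its state instead of being re-evaluated as if it were new, while a genuinely new connection is inspected where it is seen.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed model of connection-state ownership across a VM migration.
# Not Check Point code: table layout, "owner" field and function names are
# assumptions for this example. The IP addresses are the ones on the slides.

ConnKey = Tuple[str, str, int]  # (source IP, destination IP, destination port)


@dataclass
class ConnEntry:
    # Host whose gateway must inspect this connection. None means "whichever
    # host sees the packet", the normal case before any migration.
    owner: Optional[str] = None
    packets: int = 0


@dataclass
class Gateway:
    host: str
    table: Dict[ConnKey, ConnEntry]  # stands in for the Sync-replicated table
    log: List[str] = field(default_factory=list)

    def inspect(self, src: str, dst: str, port: int) -> str:
        """Decide what this host's gateway does with an intercepted packet."""
        key = (src, dst, port)
        entry = self.table.get(key)
        if entry is None:
            # New connection: create state here and inspect it locally.
            self.table[key] = ConnEntry(packets=1)
            self.log.append(f"{self.host}: new connection {key}, inspected locally")
            return "inspected-locally"
        if entry.owner is not None and entry.owner != self.host:
            # Existing connection whose state lives on another host: hand the
            # packet to that gateway rather than judging it without state.
            self.log.append(f"{self.host}: existing connection {key}, forwarded to {entry.owner}")
            return f"forwarded-to-{entry.owner}"
        entry.packets += 1
        self.log.append(f"{self.host}: existing connection {key}, inspected locally")
        return "inspected-locally"


def mark_migrating_vm(table: Dict[ConnKey, ConnEntry], vm_ip: str, from_host: str) -> int:
    """Pin every connection involving vm_ip to the host it is leaving.
    Returns the number of connections marked."""
    marked = 0
    for (src, dst, _port), entry in table.items():
        if vm_ip in (src, dst):
            entry.owner = from_host
            marked += 1
    return marked


def simulate_migration() -> Dict[str, object]:
    """Replay the slide sequence: connect, migrate, then old and new traffic."""
    table: Dict[ConnKey, ConnEntry] = {}
    esx1 = Gateway("ESX 1", table)
    esx2 = Gateway("ESX 2", table)

    # Connection from 2.1.1.1 to 2.1.1.3 is first inspected by the VE on ESX 1.
    first = esx1.inspect("2.1.1.1", "2.1.1.3", 443)
    # 2.1.1.3 migrates to ESX 2; its connections stay marked as handled by ESX 1.
    marked = mark_migrating_vm(table, "2.1.1.3", "ESX 1")
    # The next packet of the existing connection is intercepted on ESX 2 ...
    existing = esx2.inspect("2.1.1.1", "2.1.1.3", 443)
    # ... while a new connection to the migrated VM is inspected on ESX 2 itself.
    new = esx2.inspect("2.1.1.2", "2.1.1.3", 80)

    return {
        "first": first,
        "marked": marked,
        "existing": existing,
        "new": new,
        "log": esx1.log + esx2.log,
    }


if __name__ == "__main__":
    for line in simulate_migration()["log"]:
        print(line)
</test>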
Installation automation: seamless security for dynamic environments (diagram: ESX Server with Service Console, vSwitch, Security API, SG VE, external switch and VMs 1 to 5, each with an Agent)
• VE installed
• VE retrieves information on VMs / Port groups / vSwitches
• Event sent to VE informing of new VMs
• VE attaches the Fast Path Agents on the vNICs of the new VMs
Management
Summary
Physical Security Gateway: 21400, VSLS
Virtual Security Gateway (VSX)
Security Gateway Virtual Edition
• Hypervisor Mode
• Network Mode
Management Server
• Security Management
• Multi-Domain Management
Cloud Orchestration
THANK YOU!