Introduction To Check Point Security Architecture Overview
Sections covered in this Module:
● 1.1 Introduction to Check Point and Next Generation Cyber Security
● 1.2 The Basic Components of Check Point Perimeter Security Architecture
● 1.3 Check Point Security Gateway Appliances Portfolio
● 1.4 Firewall Deployment Mode Options
● 1.5 Check Point Software Blade Architecture Overview
● 1.6 Check Point Gateway Software Blades
● 1.7 Check Point Management Software Blades

Who is Check Point Software Technologies?
● Israeli multinational company founded in 1993, provider of software and combined hardware and software products for IT Cyber Security
● Check Point’s focus is real time PREVENTION and NOT DETECTION with the best technologies, across the entire attack surface, with consolidated management

Prevention vs Detection
● Detection – the action of monitoring a network or system for malicious activity or policy violation
● Prevention – the action of monitoring and identifying a malicious activity, logging this information, reporting it AND attempting to BLOCK or STOP it.
● Check Point implements Prevention in REAL TIME

Check Point Complete Security Architecture
● We need to protect all entry points into the organization; can you guess what these are?
  ● Endpoint – laptops, PCs
  ● Mobile – phones, tablets
  ● Cloud – public, private or hybrid
  ● Data Center – prevent lateral movement of threats inside the DC
● What’s missing? What is the most implemented and widely spread security solution?
● Exactly – The FIREWALL – Network Perimeter

Check Point Security Management
● RECAP: Check Point delivers best in class security for all entry points in the organization: endpoint, mobile, cloud and network perimeter & data centers
● How do we manage all these solutions?
● Consolidated Security Management through R80.10
● Smart Console, one single pane of glass for the entire security portfolio solutions and products !!!

The Basic Components of Check Point Perimeter Security Architecture
Basic Components of Perimeter Security
● Security Gateway – The Firewall
  ● Appliance is placed at the perimeter of the network topology
  ● Protects the organization through enforcement of security policies
● Security Management Server (SMS)
  ● Manages Security Gateways, defines security policies and pushes policies to Security Gateways
  ● Monitors security events in the network, logs events, correlates events and provides meaningful info to the administrator
● Smart Console – GUI for management of SMS(s)

Check Point Security Gateway Appliances Portfolio

Security Gateway Appliances Overview
● Security gateways are available in three different flavors:
  ● Check Point dedicated appliances
  ● Gaia OS running on 3rd party servers
  ● CloudGuard – virtual FW in cloud environment
● Check Point dedicated appliances split into 6 categories:
  ● Small Business
  ● Branch Office
  ● Small-Midsize Enterprise
  ● Large Enterprise
  ● Data Center and High-End Enterprise
  ● High Performance and Scalable Platforms

Small Business
● 700/900 series appliances
● Powerful security features encompassed in all security gateway sizes:
  ● Next Generation Firewall
  ● IPsec VPN & SSL VPN
  ● Application Control & Web Filtering
  ● Intrusion Prevention
  ● Antivirus
  ● Anti-Bot
  ● SandBlast Threat Emulation

Small Business Branch Office 5-100 users
● Multiple options available:
  ● 1430
  ● 1450
  ● 1470 - interfaces supported RJ45 or SFP
  ● 1490 - interfaces supported RJ45 or SFP
  ● 3100
  ● 3200
● How is this information relevant?
● Appliance sizing is part of the initial stage while architecting and creating the solution design

How Do Security Gateways Look?
● Browse to www.checkpoint.com and then navigate to: Products Security Gateways Appliances
● Navigate to a category and click on View Interactive Demo

Virtual Firewall - CloudGuard
● CloudGuard is the virtual Check Point NGFW for cloud
● Available for private, public or hybrid cloud environment
● Use Case Example:
  ● Running workloads on AWS VPC
  ● Protect Assets in Public Cloud using CloudGuard
● Licensing PAYG or BYOL
● Public Clouds: AWS, Azure, Google Cloud Platform
● Supported Private Cloud Platforms:
  ● Cisco
  ● VMware NSX
  ● OpenStack
  ● VMware ESXi
  ● Microsoft Hyper-V
  ● KVM
● Any differences in capabilities when comparing physical security gateways with virtual ones? --> NO

Gaia OS running on 3rd party servers
● Version to run in the LAB environment
● Download and run the GAiA R80.10 .ISO image in our virtualized environment

Firewall Deployment Mode Options
● Deployment Modes Overview
● Different aspects need to be considered when choosing the deployment mode
  ● Can we change IP routing schema?
  ● Are we deploying Security Gateway and Security Management Server on the same machine or not?
  ● What is the deployment size? (i.e. number of users, etc.)

Standalone Deployment Mode
● Security Management Server (SMS) and Security Gateway are installed on the same machine
● Solution is suited for small-medium sized organizations

Distributed Deployment Mode
● Security Management Server (SMS) and Security Gateway are installed on different appliances
● Solution is suited for medium-large sized organizations
Key differences:
● Better performance since the Software Blades are running on dedicated machines
● Robust environment; if the Security Gateway fails, the policy remains on the SMS; if the SMS fails, the Security Gateway will still be up and continue to run
● Obviously, this solution involves a higher investment or cost

Bridge Deployment Mode
● Security Gateway is added to an existing environment without changing the existing IP routing schema
● Bridge interfaces connect two different interfaces (bridge ports) – Layer 2

Check Point Software Blade Architecture Overview
● What is a Software Blade?
● A Software Blade is a security application or module such as a firewall, Virtual Private Network (VPN), Intrusion Prevention System (IPS), or Application Control to name a few, that is independent, modular and centrally managed. (source: www.checkpoint.com)
● Security features pack, that can be activated a-la-carte, in order to customize the security configuration and activate (pay $) functionalities, as per business needs.
● Additional Blades can be easily activated when needed.

Software Blades Types