
Check Point R80 Firewall

Introduction To Check Point Security Architecture Overview

Sections covered in this Module:


● 1.1 Introduction to Check Point and Next Generation Cyber Security
● 1.2 The Basic Components of Check Point Perimeter Security Arch.
● 1.3 Check Point Security Gateway Appliances Portfolio
● 1.4 Firewall Deployment Mode Options
● 1.5 Check Point Software Blade Architecture Overview
● 1.6 Check Point Gateway Software Blades
● 1.7 Check Point Management Software Blades

Who is Check Point Software Technologies?

● Israeli multinational company founded in 1993, provider of software and combined hardware and software products for IT Cyber Security
● Check Point’s focus is real time PREVENTION and NOT DETECTION with the best technologies, across the entire attack surface, with consolidated management

Prevention vs Detection

● Detection – the action of monitoring a network or system for malicious activity or policy violation
● Prevention – the action of monitoring and identifying a malicious activity, logging this information, reporting it AND attempting to BLOCK or STOP it.
● Check Point implements Prevention in REAL TIME

Check Point Complete Security Architecture

● We need to protect all entry points into the organization. Can you guess what these are?
● Endpoint – laptops, PCs
● Mobile – phones, tablets
● Cloud – public, private or hybrid
● Data Center – prevent lateral movement of threats inside the DC
● What’s missing? What is the most implemented and widely spread security solution?
● Exactly – The FIREWALL – Network Perimeter

Check Point Security Management

● RECAP: Check Point delivers best in class security for all entry points in the organization: endpoint, mobile, cloud and network perimeter & data centers
● How do we manage all these solutions?
● Consolidated Security Management through R80.10
● Smart Console, one single pane of glass for the entire security portfolio solutions and products !!!

The Basic Components of Check Point Perimeter Security Architecture

Basic Components of Perimeter Security

● Security Gateway – The Firewall
● Appliance is placed at the perimeter of the network topology
● Protects the organization through enforcement of security policies
● Security Management Server (SMS)
● Manages Security Gateways, defines security policies and pushes policies to Security Gateways
● Monitors security events in the network, logs events, correlates events and provides meaningful info to administrator
● Smart Console – GUI for management of SMS(s)

Check Point Security Gateway Appliances Portfolio

Security Gateway Appliances Overview

● Security gateways are available in three different flavors:
● Check Point dedicated appliances
● Gaia OS running on 3rd party servers
● CloudGuard – virtual FW in cloud environment
● Check Point dedicated appliances split into 6 categories:
● Small Business
● Branch Office
● Small-Midsize Enterprise
● Large Enterprise
● Data Center and High-End Enterprise
● High Performance and Scalable Platforms

Small Business
● 700/900 series appliances
● Powerful security features encompassed in all security gateway sizes:
● Next Generation Firewall
● IPsec VPN & SSL VPN
● Application Control & Web Filtering
● Intrusion Prevention
● Antivirus
● Anti-Bot
● SandBlast Threat Emulation
Small Business
Branch Office 5-100 users
● Multiple options available:
● 1430
● 1450
● 1470 - interfaces supported RJ45 or SFP
● 1490 - interfaces supported RJ45 or SFP
● 3100
● 3200
● How is this information relevant?
● Appliance sizing is part of the initial stage while architecting and creating the solution design

How Do Security Gateways Look?

● Browse to www.checkpoint.com and then navigate to: Products Security Gateways Appliances
● Navigate to a category and click on View Interactive Demo

Virtual Firewall - CloudGuard

● CloudGuard is the virtual Check Point NGFW for cloud
● Available for private, public or hybrid cloud environment
● Use Case Example:
● Running workloads on AWS VPC
● Protect Assets in Public Cloud using CloudGuard
● Licensing PAYG or BYOL
● Public Clouds: AWS, Azure, Google Cloud Platform
● Supported Private Cloud Platforms:
● Cisco
● VMware NSX
● OpenStack
● VMware ESXi
● Microsoft Hyper-V
● KVM
● Any differences in capabilities when comparing physical security gateways with virtual ones? --> NO

Gaia OS running on 3rd party servers

● Version to run in the LAB environment
● Download and run the Gaia R80.10 .ISO image in our virtualized environment

Firewall Deployment Mode Options

● Deployment Modes Overview
● Different aspects need to be considered when choosing the deployment mode
● Can we change IP routing schema?
● Are we deploying Security Gateway and Security Management Server on the same machine or not?
● What is the deployment size? (i.e. number of users, etc.)

Standalone Deployment Mode

● Security Management Server (SMS) and Security Gateway are installed on the same machine
● Solution is suited for small-medium sized organizations

Distributed Deployment Mode

● Security Management Server (SMS) and Security Gateway are installed on different appliances
● Solution is suited for medium-large sized organizations

Key differences:
● Better performance since the Software Blades are running on dedicated machines
● Robust environment; if the Security Gateway fails, the policy remains on the SMS; if the SMS fails, the Security Gateway will still be up and continue to run
● Obviously, this solution involves a higher investment or cost

Bridge Deployment Mode

● Security Gateway is added to an existing environment without changing the existing IP routing schema
● Bridge interfaces connect two different interfaces (bridge ports) – Layer 2

Check Point Software Blade Architecture Overview

● What is a Software Blade?
● A Software Blade is a security application or module such as a firewall, Virtual Private Network (VPN), Intrusion Prevention System (IPS), or Application Control to name a few, that is independent, modular and centrally managed. (source: www.checkpoint.com)
● Security features pack, that can be activated a-la-carte, in order to customize the security configuration and activate (pay $) functionalities, as per business needs.
● Additional Blades can be easily activated when needed.

Software Blades Types

● Extend your security with a click of a mouse! (source: www.checkpoint.com)
● Three types of software blades available:
● Gateway Software Blades
● Management Software Blades
● Endpoint Software Blades
SmartConsole – unique centralized management
Gateway Software Blades Activation
Management Software Blades Activation
