Provider-1/ SiteManager-1
Scalable security management for multi-domain environments

Product descriPtion
The Provider-1®/SiteManager-1™ centralized security management solution is designed to meet the unique challenges of large-scale enterprises. Provider-1/SiteManager-1 easily scales to enable security managers to efficiently manage multiple management domains for a widely distributed system, thereby ensuring that the entire corporate IT architecture is adequately protected.

Business conglomerates, holding companies, Data Centers, and Managed Service Providers (MSPs) face security management challenges due to the diverse nature of their businesses. Security managers at these organizations often need to securely manage large-scale systems with many different customers and access locations. Large-scale enterprises often have security policies that must be tailored to geographically distributed branches with independent network management. At the same time, security personnel must support a corporate-wide security policy with rules that enforce appropriate user access, prevent attacks, and enable secure communication and failover capabilities. Service Providers such as Data Centers and MSPs often support customers with many different LANs, each with its own security policy needs. Service level agreements often require that MSPs maintain the confidentiality and integrity of customer data. In addition, MSPs need a management system that enables them to scale quickly to support a changing customer base, while minimizing support and hardware costs.

Product features

Multi-domain, multi-policy management Global VPN communities Granular, role-based administration Management high availability Global SmartDefense™ Services updates

n n n n

Product benefits
n n

Simplifies security policy provisioning Makes VPN community deployment easy across different networks Reduces administrative overhead and capital investment Gives full visibility over your entire security environment


Check Point Provider-1 /SiteManager-1 is a unique security management solution designed to meet the scalability requirements of enterprises with complex security policy needs. By simultaneously supporting central management for many distinct security management domains, Provider-1/SiteManager-1 dramatically improves the operational efficiency of managing these complex security deployments. Provider-1/SiteManager-1 consolidates management for all Check Point products, delivering a robust mechanism for creating and enforcing security policies and automatically distributing them to multiple enforcement points.
® ™


Multi-domain management Provider-1/SiteManager-1 provides a multi-domain security management solution, with each management domain having multiple security policies, its own database, and logs. By separating enterprise or Service Provider networks into multiple management domains, Provider-1/SiteManager-1 enables enterprises to optimize policy size and gain better control over security policy updates as changes made to each management domain can be completed independently. Policy changes and logs for different domains can be audited separately, as needed, to meet customer service level agreements or regulatory requirements.

The NGX platform delivers a unified security architecture for Check Point.

Provider-1/SiteManager-1 enables granular control of administrative authority. the Multi-Domain GUI (MDG). With Provider-1/SiteManager-1. On the other hand. This ability to centrally create and deploy multi-level policies delivers unparalleled scalability by eliminating the need to make repetitive policy changes to thousands of individual devices. For example. enterprises and network operation centers can more efficiently provide 24/7 administrative security monitoring for their networks. Examples include large enterprises that have created different management domains to manage corporate networks in different cities or countries. Multiple MDSes can be linked in the Provider-1/SiteManager-1 system to manage thousands of policies in a single environment and to provide failover capabilities. Global policy management Besides security policies for specific sets of gateways. the management model has been designed so that network security managers can centrally manage many distributed systems. SmartPortal provides Web-based access to policies. and the Customer Log Module (CLM). Multi-domain server The MDS houses the CMAs. log reports. in enterprise deployments of Provider-1/SiteManager-1. and establish security policies applicable to a specific network. Global VPn community management Sometimes customers need to establish secure VPN connections between different management domains. where the customer management domain typically represents a geographic subdivision of an enterprise. role-based administration In the Provider-1/SiteManager-1 environment. allowing gateways with different functions to receive different global security rules. Because Provider-1/SiteManager-1 supports multiple. each CMA is completely isolated. global policies can be used for crossorganizational compliance and serve as security templates with rules that are applied to all customers or to specific groups of customers. This model enables enterprises to designate trusted administrators with different access rights. The MDS also hosts the Global Policies database. simultaneous administrator access. Although multiple CMAs can be stored on the same MDS. and different rules are established on perimeter gateways. administrators in diverse locations can work autonomously on the same infrastructure. administrators need to create policies that apply to the entire Provider-1/SiteManager-1 environment or to a group of customers. Provider-1/siteManager-1 architecture The components of Provider-1/SiteManager-1 include the Customer Management Add-On (CMA). the Multi-Domain Server (MDS). cross-customer VPN communication is handled easily with global VPN communities. The access privileges are centrally managed. For example. the same administrator can be given different permission profiles for different customer management domains. or customer. Therefore. Web-based access to policies For customers and stakeholders who need access to policies for auditing and troubleshooting purposes. Global security rules can also be established on specific gateways or groups of gateways. The separation between different levels of policies—and different types of policies—means that customer-level security rules do not need to be reproduced throughout the entire Provider-1/SiteManager-1 environment. Each administrator in the system can have different access privileges for different CMAs. In addition. Service Providers will benefit by providing value to their customers with timely delivery of changes and modifications. and systems statuses without the option to edit policy. administrators define. customer Management add-on Each management domain within Provider-1/SiteManager-1 is called a CMA and is the functional equivalent of Check Point SmartCenter™. edit. Via a CMA. the Multi-Domain Log Module (MLM). Therefore.Provider-1/SiteManager-1 flexible. An enterprise may want to use global policy rules to rapidly implement defenses against cyber attacks or viruses. a Service Provider may use global policy rules to provide customers access to commonly used MSP services. which can range from the ability to manage the entire Provider-1/SiteManager-1 system to just the ability to manage a certain aspect of a customer network. providing absolute data privacy. gateway. or an MSP that may need to provide secured communication between partners of different customers. as well as Provider-1/SiteManager-1 system information. 2 . as well as allowing their customers to manage their own management domains. an administrator may configure the global policy so that certain global security rules are established on DMZ gateways in various subdivisions. the Global SmartDashboard™ (GSD). enterprises can allow local department administrators who operate outside of Provider-1/SiteManager-1 to access and manage their own security policies.

Centralized security management for large enterprises Multi-domain server (Mds) Multi-domain Gui (MdG) nt me age) n Ma A er (CM ent tomd-On gem s Cu Ad ana A) rM M me n (C ment sto dd-O ge Cu A ana ) r M (CMA me n sto -O Cu Add r s fo file A og omer or L t f s Cu files r B Log tome or s f Cu files C og omer L t s Cu check Point enforcement Modules customer a customer b Multi-domain Log Module (MLM) Site 2 Site 1 customer c Provider-1/SiteManager-1 aggregates multiple. High availability is supported at multiple levels—from the CMA customer level to the MDS global level. Data synchronization between the two CMAs improves fault tolerance and enables the administrator to seamlessly activate a standby CMA when required. administrators manage the entire Provider-1/SiteManager-1 environment. distinct security policies on a single platform. Continued on page 4 3 . Using the MDG. and statuses for thousands of users. Rules and network objects are created at the Provider-1/SiteManager-1 system level and apply across management domains. Via the MDG. administrators can provision and monitor security via a single console and oversee policies. customer Log Module and Multi-domain Log Manager A CLM is a single customer log server housed within an MLM. Global smartdashboard The Global SmartDashboard is used to create the global policy rulebase. These global rules may have precedence over the customer-level rules created via the customer SmartDashboard. Distributed high availability options are also available for each CMA. Redundant log management can also be created by designating an MLM as a primary log server and the MDS as a backup server. total availability management Provider-1/SiteManager-1 delivers a fully redundant management architecture for rapid disaster recovery. The administrator can deploy a SmartCenter server to serve as a high availability peer for the MDG presents a comprehensive view of all networks and policies under management. logs. Multiple CLMs can be stored on the same MLM server and managed with the same administrator access permissions set up within the Provider-1/SiteManager-1 infrastructure. Multi-domain Gui The MDG is designed to simplify multi-policy security management. easily incorporating new networks into the Provider-1/SiteManager-1 system. An administrator can implement failover gateway management for a customer network by deploying two CMAs in high availability mode. The MDG also allows a high-level overview of all enforcement points in the system and their statuses.

CMAs. Cooperative Enforcement. Multiple MDSes can also be deployed to provide mutually redundant failover capabilities and configured to automatically synchronize global policy data. Zone Labs. VPN-1 SecureServer.S. New features can be implemented for all customers or specific customers.com . Turbocard.606. CoSa. SecureServer. Application Intelligence. VPN-1 SecureClient. an enterprise can centralize the Provider-1/SiteManager-1 management network at one branch yet have one or more backup MDSes at other locations. SecureClient Mobile. The products described in this document are protected by U. ZoneAlarm Pro. ZoneAlarm Secure Wireless Router. Check Point Express. SmartView Reporter. Provider-1. NG. IQ Engine. INSPECT XL. SmartCenter UTM.943 and may be protected by other U. SecurePlatform Pro.988.726. SmartDefense Advisor. SiteManager-1.checkpoint. customers will be able to incrementally update their Provider-1/SiteManager-1s with new features rather than completely upgrading. SmartLSM. Connectra Accelerator Card. and the Zone Labs logo are trademarks or registered trademarks of Check Point Software Technologies Ltd. 24th Floor Ramat Gan 52520. SmartPortal. InterSpect. VPN-1 Accelerator Card. For example. SecureUpdate.com 4 u. OPSEC. FireWall-1. ZoneAlarm Internet Security Suite.935. This feature helps streamline the upgrade process. SmartCenter Express. VPN-1 VSX. Patents. Web Intelligence. SmartView Status. Check Point. IPS-1.835. All rights reserved. SmartView. Solaris 8/9/10. Enterprise and Service Provider administrators can automatically generate reports to be sent to various stakeholders for overall security performance analysis or auditing purposes.496. Dynamic Shielding Architecture. SecurePlatform. SmartViewTracker. Global. UserAuthority. Real-time event correlation and reporting can be performed at the global level or targeted at a specific network segment or customer. INSPECT. VPN-1 Power VSX. SSL Network Extender. IMsecure. SecuRemote. Multiple Eventia Reporter™ and Eventia Analyzer™ correlation units can be implemented to run in parallel. on a per-customer or cross-customer basis. MailSafe. foreign patents. ZoneAlarm Anti-Spyware. DefenseNet. Integrity. enabling administrators to perform a major release upgrade on their own schedules. SmartCenter. VPN-1 UTM. Enterprises will have the flexibility to define settings at the global level as well as those specific to their subnetworks.S. All other product names mentioned herein are trademarks or registered trademarks of their respective owners. the Check Point logo. SmartView Monitor. Open Security Extension. Confidence Indexing. VPN-1 Pro. ZoneAlarm Antivirus. Smarter Security. Check Point Express CI. or its affiliates. SecureClient. AlertAdvisor. SecureXL. SmartCenter Pro. Hacker ID. Eventia. ZoneAlarm is a Check Point Software Technologies. Headquarters 800 Bridge Parkway Redwood City. VPN-1 Express CI. or pending applications. CA 94065 Tel: 800-429-4391. VPN-1 SecuRemote. 2007 P/N 502348 Worldwide Headquarters 3A Jabotinsky Street. VPN-1 Power. VPN-1 Express.668. 5. Company. SmartDefense. Eventia Analyzer. Integrity Clientless Security. RedHat Linux Enterprise 3. OSFirewall.0 Windows 2000/2003/XP. TrueVector. ensuring security systems are always up-to-date to defend against new and evolving threats. ClusterXL. 6. Safe@Home. FloodGate-1. scaling to meet the needs of large-scale environments. Sentivist. Stateful Clustering.873. NGX. SecureXL Turbocard. SmartUpdate. March 5. 6.s. Global reporting and event correlation In a Provider-1/SiteManager-1 environment. Eventia Reporter. Connectra. while enabling them to keep current with security management. ZoneAlarm. Inc. Policy Lifecycle Management. Solaris 8/9/10 ©2003–2007 Check Point Software Technologies Ltd.850. VPN-1. Israel Tel: 972-3-753-4555 Fax: 972-3-575-9256 Email: info@checkpoint. Safe@Office. 650-628-2000 Fax: 650-654-4233 www. Reports can be generated Provider-1/SiteManager-1 enables administrators to receive the latest features without undergoing complete version upgrades. SmartDashboard. Hybrid Detection Engine. FireWall-1 GX. Multi-Domain Server Multi-Domain GUI SecurePlatform™. Cooperative Security Alliance. 5. ConnectControl. SecureKnowledge. ongoing threat defense updates Administrators can centrally update SmartDefense™ and Web Intelligence™ security configurations and defenses. FireWall-1 SecureServer. Patent No. SmartConsole. VPN-1 UTM Edge. and 6. Eventia Suite™ provides real-time and historical security event analysis and reporting. SmartMap. User-to-Address Mapping. real-time management plug-ins The Provider-1/SiteManager-1 management plug-in architecture enables administrators to receive incremental functionality upgrades. UAM. Eventia Suite. When new features for VPN-1® gateways are introduced or new products become available. but it would actually be located closer to the gateway and allow for full security management and provisioning even when there is no communication between the remote site and the network operations center. Integrity SecureClient. VPN-1 Edge. SmartCenter Power. SofaWare. suPPorted oPeratinG systeMs Provider-1/SiteManager-1 enables configuring of global SmartDefense settings for protection against the latest threats and tailoring these to the local environments of different management domains by introducing granular exceptions to global policy.