1©2014 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved. ©2014 Check Point Software Technologies Ltd

Peter Kovalcik| SE Eastern Europe

Bezpečnostní architektura Check Point (nejen) pro váš privátní cloud

2©2014 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved.

3©2014 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved.

4©2014 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved.

5©2014 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved.

6©2014 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved.

7©2014 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved.

8©2014 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved.

9©2014 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved.

10©2014 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved.

11©2014 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved.

12©2014 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved.

13©2014 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved.

14©2014 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved.

Growing enterprise complexity

[Protected] Non-confidential content

15©2014 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved.

METHODOLOGY OF SDP

STEP 1: SEGMENTATION

STEP 2: DEFINE PROTECTIONS

STEP 3: CONSOLIDATION

STEP 4: POLICY DEFINITION

16©2014 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved.

Segmentation

17©2014 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved.

METHODOLOGY OF SDP

STEP 1: SEGMENTATION

STEP 2: DEFINE PROTECTIONS

18©2014 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved.

Access Control vs. Threat Prevention

[Protected] Non-confidential content

19©2014 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved.

Risk-based Selection

[Protected] Non-confidential content

20©2014 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved.

Threat PreventionSegment Target Protections

DMZ Servers IPS

LAN Client machines IPS, AV, TE

DC Servers IPS

21©2014 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved.

Threat PreventionSegment Target Protections

DMZ Servers IPS

LAN Client machines IPS, AV, TE

DC Servers IPS

LAN Users AB

C&C

22©2014 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved.

Data Protection

Segment Target Protections

LAN Users DLP

DC Servers, Data DLP

24©2014 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved.

METHODOLOGY OF SDP

STEP 1: SEGMENTATION

STEP 2: DEFINE PROTECTIONS

STEP 3: CONSOLIDATION

25©2014 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved.

Consolidation

26©2014 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved.

Virtual Edition: zabezp. VMware ESX

Inspect traffic between

Virtual Machines (VMs)

Secure new Virtual Machines

automatically

Protection from external

threats

Security Challenges

in Virtual Environments

[Restricted] ONLY for designated groups and individuals

27©2014 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved.

Network Mode Hypervisor Mode

vSwitch 1

ExtGW

Pk

t

Security API

vSwitch

Agent

Ext

Ext

Agent

Pkt

2.1.1.12.1.1.1 2.1.1.2

VE

Pkt

Operation Mode

• Protection from External threats

• Not aware of inter-vSwitch traffic

• Protects VMs with inter-vSwitch inspection

• Supports dynamic virtual environment

vSwitch 2

Pk

t

[Restricted] ONLY for designated groups and individuals

28©2014 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved.

2.1.1.1 2.1.1.32.1.1.1

vSwitch

2.1.1.2 2.1.1.52.1.1.4

Ext

GW

Gateway is not aware of inter-vSwitch traffic

Packets not

inspected inside

vSwitch

Deployments before VMsafeintegration

Pkt

[Restricted] ONLY for designated groups and individuals

29©2014 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved.

Agent Agent Agent Agent Agent

2.1.1.1 2.1.1.32.1.1.32.1.1.1

Layer 2 security packet flow

vSwitch

2.1.1.2 2.1.1.52.1.1.4

Pkt

Pkt

VE

Security API

ESX Server

2.1.1.1 sends

packet to 2.1.1.3

Packet is not

inspected again

Packet passed firewall

inspection and is sent

back to the Agent

Packet intercepted in the

Agent and forwarded to the

Gateway for inspection

Pkt

Packet continues the

flow from where it was

intercepted

[Restricted] ONLY for designated groups and individuals

30©2014 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved.

2.1.1.2

Layer 2 security in dynamic environments

2.1.1.12.1.1.1

Security API

vSwitch

VE

Ext

Security API

vSwitch

VEExtExt

ExtExt

ESX 1 ESX 2

Sync

2.1.1.32.1.1.32.1.1.2

Pkt

Agent AgentAgentAgent

Pkt

Connection initiated from

2.1.1.1 to 2.1.1.3

[Restricted] ONLY for designated groups and individuals

31©2014 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved.

2.1.1.2

Layer 2 security in dynamic environments

2.1.1.12.1.1.1

Security API

vSwitch

Agent

Ext

Security API

vSwitch

ExtExt

ESX 1 ESX 2

2.1.1.3

Agent

Sync

2.1.1.3

AgentAgentAgent

2.1.1.2

ExtExt

VM is migrating

to ESX 2

Connections related with

2.1.1.3 will be marked that

they are handled by ESX 1

SG VE SG VE

[Restricted] ONLY for designated groups and individuals

32©2014 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved.

Agent

Layer 2 security in dynamic environments

Security API

vSwitch

Agent

Security API

vSwitch

ExtExt

ExtExt

ESX 1 ESX 2

2.1.1.3

Sync

Agent

Pkt

Pkt

Pkt

2.1.1.12.1.1.1 2.1.1.2

Pkt

Packet not

forwarded

Packet

forwarded to

ESX 1

New

connection

VE VE

Pkt

Pkt

Existing

connection

Pkt

[Restricted] ONLY for designated groups and individuals

33©2014 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved.

VM 3VM 1 VM 2 VM 5VM 4

Installation automation

2.1.1.1

Security API

vSwitch

VM 3VM 1 VM 2

SG VE

Ext

External

SwitchExt

Service Console

VM 3VM 1 VM 2 VM 5VM 4VM 3VM 1 VM 2

Agent Agent Agent Agent Agent

ESX Server

Seamless security for dynamic environments

VE installed

VE retrieves

information on

VMs/Port

groups/vSwitches

Event sent to VE

informing of new VMs

VE attaches the Fast Path

Agents on the vNICs of

the new VMs

VE attaches the Fast Path

Agents on the vNICs of

the new VMs

[Restricted] ONLY for designated groups and individuals

34©2014 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved.

METHODOLOGY OF SDP

STEP 1: SEGMENTATION

STEP 2: DEFINE PROTECTIONS

STEP 3: CONSOLIDATION

STEP 4: POLICY DEFINITION

35©2014 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved.

Management

36©2014 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved.

Summary

Physical Security Gateway Management Server

21400 VSLS

Virtual security Gateway (VSX)

Security Gateway Virtual Edition

• Hypervisor Mode

• Network Mode

• Security Management

• Multi-Domain Management

Cloud Orchestration

37©2014 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved. ©2014 Check Point Software Technologies Ltd

THANK YOU!