cp firewall
Post on 08-Apr-2018
TRANSCRIPT
8/6/2019 CP Firewall
1/24
2001 Check Point Software Technologies Ltd. - Proprietary & Confidential
Check Point Facts / History
Founded June 1993
IPO June 1996
Strong growth in revenues and profits
Global market leadership
  62% VPN market share (Datamonitor, 2001)
  42% firewall market share (#1 position - IDC, 2000)
De-facto standard for Internet security
Strong business model
Technology innovation and leadership
Technology partnerships
Strong and diversified channel partnerships
What is a Firewall?
A firewall:
Acts as a security gateway between two networks
Usually between trusted and untrusted networks (such as between a corporate network and the Internet)
[Diagram: Internet - Gateway - Corporate Network at the corporate site]
Why Firewalls are Needed
Prevent attacks from untrusted networks
Protect data integrity of critical information
Preserve customer and partner confidence
Evolution of Firewalls
[Diagram: "Stage of Evolution" axis with Packet Filter, Stateful Inspection and Application Proxy]
Packet Filter
Packets examined at the network layer
Useful first line of defense - commonly deployed on routers
Simple accept or reject decision model
No awareness of higher protocol layers
[Diagram: OSI layer stacks (Physical, Data Link, Network, Transport, Sessions, Presentations, Applications) for the two hosts and the gateway, with the packet filter operating only at the Network layer]
Stateful Inspection
[Diagram: OSI layer stacks for the two hosts and the gateway, with the INSPECT Engine and its Dynamic State Tables sitting between the Data Link and Network layers of the gateway]
Packets inspected between data link layer and network layer in the OS kernel
State tables are created to maintain connection context
Invented by Check Point
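To make the difference between the Packet Filter and Stateful Inspection slides concrete, here is an added Python example; it is not from the Check Point deck and is not Check Point's INSPECT engine. It places a stateless packet filter beside a minimal stateful filter that keeps a connection state table. The 10.0.0.0/8 "inside" network, the addresses, the ports and the packet sequence are all constructed for the example.

```python
"""Stateless packet filter vs. stateful inspection with a connection table.
Added example; networks, addresses, ports and packets are constructed."""

from dataclasses import dataclass
from typing import Dict, List, Tuple

ConnKey = Tuple[str, int, str, int]  # (src_ip, src_port, dst_ip, dst_port)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False  # TCP SYN flag: set on the first packet of a connection
    ack: bool = False  # TCP ACK flag


def is_inside(ip: str) -> bool:
    """Hypothetical trusted side: the corporate network is 10.0.0.0/8."""
    return ip.startswith("10.")


def stateless_filter(pkt: Packet) -> bool:
    """Packet filter: each packet is judged on its own header fields, with
    no memory of earlier packets. To let replies to outbound connections
    back in, the rule set has to accept inbound packets to *any* ephemeral
    port, which also admits unsolicited packets to those ports."""
    outbound = is_inside(pkt.src_ip) and not is_inside(pkt.dst_ip)
    inbound = not is_inside(pkt.src_ip) and is_inside(pkt.dst_ip)
    if outbound:
        return True                  # allow everything going out
    if inbound:
        return pkt.dst_port >= 1024  # assume anything to a high port is a reply
    return False


class StatefulFilter:
    """Stateful inspection: a state table records connections opened from
    the trusted side, and inbound packets are accepted only when they match
    an entry, i.e. they are replies to traffic the inside initiated."""

    def __init__(self) -> None:
        self.table: Dict[ConnKey, str] = {}

    def accept(self, pkt: Packet) -> bool:
        outbound = is_inside(pkt.src_ip) and not is_inside(pkt.dst_ip)
        inbound = not is_inside(pkt.src_ip) and is_inside(pkt.dst_ip)
        fwd: ConnKey = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        rev: ConnKey = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if outbound:
            if pkt.syn and not pkt.ack:
                self.table[fwd] = "SYN_SENT"  # new connection: create context
                return True
            return fwd in self.table          # data must belong to a known connection
        if inbound:
            if rev not in self.table:
                return False                  # no connection context: drop
            if pkt.syn and pkt.ack and self.table[rev] == "SYN_SENT":
                self.table[rev] = "ESTABLISHED"
            return True
        return False


def run_demo() -> List[Tuple[str, bool, bool]]:
    """Send one constructed packet sequence through both filters and return
    (description, stateless decision, stateful decision) per packet."""
    stateful = StatefulFilter()
    sequence = [
        ("outbound SYN to web server",
         Packet("10.0.0.5", 40000, "203.0.113.7", 80, syn=True)),
        ("server SYN/ACK reply",
         Packet("203.0.113.7", 80, "10.0.0.5", 40000, syn=True, ack=True)),
        ("outbound data",
         Packet("10.0.0.5", 40000, "203.0.113.7", 80, ack=True)),
        ("unsolicited inbound to high port",
         Packet("198.51.100.9", 5555, "10.0.0.5", 40001, syn=True)),
        ("unsolicited inbound to port 22",
         Packet("198.51.100.9", 5555, "10.0.0.5", 22, syn=True)),
    ]
    return [(name, stateless_filter(p), stateful.accept(p)) for name, p in sequence]


if __name__ == "__main__":
    for name, stateless, stateful_ok in run_demo():
        print(f"{name:36} packet filter={stateless!s:5} stateful={stateful_ok}")
```

Both filters pass the web connection and its reply. The difference shows on the fourth packet: the stateless rule set has to accept it because it is addressed to a high port and nothing distinguishes it from a reply, whereas the stateful filter rejects it because no state table entry was ever created for that connection. The state table is what "connection context" on the slide refers to; a production engine would also age entries out and track more of the TCP state machine.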
Block All Network Attacks
We block all known network attacks
(Note: Historically not highlighted by Check Point)
2002: Greater visibility and enhancements are coming
Including:
LAND
ICMP Flood
Teardrop
Ping of Death
Bonk
UDP Flood
Spoofing Attack
DoS Protection
DDoS Protection options
Network Address Translation (NAT)
SYN Attack
Smurf
Port Address Translation (PAT)
Nestea
IGMP Fragments
WinNuke
IP Options-based attacks
And more
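Several of the attacks named on this slide have per-packet or per-fragment signatures that a defender can check before a datagram reaches the host. The following is an added Python example, not Check Point's code and not a description of how its products detect these, covering LAND, Ping of Death, Smurf and the overlapping-fragment attacks of the Teardrop/Bonk/Nestea family. The IPPacket record, the broadcast address set and the sample packets are constructed for the example; a real implementation would fill these fields from decoded IP headers. Flood attacks (SYN, UDP, ICMP flood) need rate tracking across packets and are not covered here.

```python
"""Per-packet / per-fragment signature checks for a few classic network
attacks. Added example; packet records and addresses are constructed."""

from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

IP_HEADER_LEN = 20      # minimal IPv4 header, no options
MAX_DATAGRAM = 65535    # largest IPv4 datagram (16-bit total length field)


@dataclass(frozen=True)
class IPPacket:
    """Constructed stand-in for the header fields a real parser would decode."""
    src_ip: str
    dst_ip: str
    proto: str                       # "tcp", "udp" or "icmp"
    ip_id: int = 0                   # IP identification, shared by fragments
    src_port: int = 0
    dst_port: int = 0
    icmp_type: Optional[int] = None  # 8 = echo request
    frag_offset: int = 0             # in 8-byte units, as carried in the header
    payload_len: int = 0             # bytes following the IP header
    more_fragments: bool = False


def is_land(p: IPPacket) -> bool:
    """LAND: source and destination address (and port) are identical."""
    if p.src_ip != p.dst_ip:
        return False
    return p.proto == "icmp" or p.src_port == p.dst_port


def is_ping_of_death(p: IPPacket) -> bool:
    """Ping of Death: a fragment placed so that the reassembled datagram
    would exceed the IPv4 maximum of 65535 bytes."""
    return IP_HEADER_LEN + p.frag_offset * 8 + p.payload_len > MAX_DATAGRAM


def is_smurf(p: IPPacket, broadcast_addrs: Set[str]) -> bool:
    """Smurf: ICMP echo request sent to a directed broadcast address.
    broadcast_addrs is supplied by the caller (derived from subnet masks)."""
    return p.proto == "icmp" and p.icmp_type == 8 and p.dst_ip in broadcast_addrs


def overlapping_fragments(packets: List[IPPacket]) -> List[int]:
    """Teardrop/Bonk/Nestea family: fragments of one datagram whose byte
    ranges overlap. Returns indices of every fragment in an offending group."""
    groups: Dict[Tuple[str, str, int], List[int]] = defaultdict(list)
    for i, p in enumerate(packets):
        if p.frag_offset or p.more_fragments:
            groups[(p.src_ip, p.dst_ip, p.ip_id)].append(i)
    flagged: List[int] = []
    for idxs in groups.values():
        end = -1
        for i in sorted(idxs, key=lambda i: packets[i].frag_offset):
            start = packets[i].frag_offset * 8
            if start < end:          # this fragment begins inside the previous one
                flagged.extend(idxs)
                break
            end = start + packets[i].payload_len
    return sorted(flagged)


def classify(packets: List[IPPacket], broadcast_addrs: Set[str]) -> Dict[str, List[int]]:
    """Map each finding to the indices of the packets that triggered it."""
    findings: Dict[str, List[int]] = defaultdict(list)
    for i, p in enumerate(packets):
        if is_land(p):
            findings["LAND"].append(i)
        if is_ping_of_death(p):
            findings["Ping of Death"].append(i)
        if is_smurf(p, broadcast_addrs):
            findings["Smurf"].append(i)
    overlap = overlapping_fragments(packets)
    if overlap:
        findings["overlapping fragments"] = overlap
    return dict(findings)


# Constructed sample traffic using documentation address ranges.
BROADCAST_ADDRS = {"10.0.0.255", "255.255.255.255"}
SAMPLE_PACKETS = [
    IPPacket("198.51.100.4", "10.0.0.5", "tcp", src_port=40000, dst_port=80, payload_len=512),
    IPPacket("10.0.0.5", "10.0.0.5", "tcp", src_port=139, dst_port=139),
    IPPacket("198.51.100.4", "10.0.0.5", "icmp", ip_id=7, icmp_type=8,
             frag_offset=8184, payload_len=100),
    IPPacket("10.0.0.77", "10.0.0.255", "icmp", icmp_type=8, payload_len=64),
    IPPacket("198.51.100.4", "10.0.0.5", "udp", ip_id=42, src_port=40001, dst_port=53,
             frag_offset=0, payload_len=48, more_fragments=True),
    IPPacket("198.51.100.4", "10.0.0.5", "udp", ip_id=42, frag_offset=3, payload_len=32),
]

if __name__ == "__main__":
    for label, idxs in classify(SAMPLE_PACKETS, BROADCAST_ADDRS).items():
        print(f"{label}: packets {idxs}")
```

Only the first sample packet is clean. The second has identical source and destination (LAND); the third is a fragment at offset 8184 * 8 = 65472 bytes carrying 100 more bytes, which would reassemble past 65535 (Ping of Death); the fourth is an echo request to a broadcast address (Smurf); and the last two are fragments of the same datagram whose second piece starts at byte 24, inside the 48-byte first piece (Teardrop-style overlap).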
Here is the proof!!
Not Every Stateful Is Stateful Inspection
INSPECT Sets Check Point Apart
Different Types of VPN/Firewall Topologies
VPN device is vulnerable to attack, e.g. denial of service
Requires opening multiple holes in firewall for VPN traffic
Bypasses security policy
Denial of service
[Diagram: three placements of the VPN device relative to the firewall and the Internet]
Security Management Architectures
Two-Tier
Does not scale
Repetitive policy changes
Error prone / inconsistent policy
[Diagram: GUI client performs remote policy editing directly against enforcement points in London, New York and Paris, each with local policy storage and enforcement]
Security Management Architectures
Three-Tier
Scales very well
Make changes once
Better security
[Diagram: GUI client performs remote policy editing on a Management Server (centralized policy storage and deployment), which deploys policy to enforcement points in London, New York and Paris (local policy enforcement)]
Security Management Architectures
Managed Service Provider
Reduces organizational costs
Security depends on experience and implementation choices of MSP
[Diagram: Security Management and GUI hosted at the Managed Service Provider, reaching Acme Corp enforcement points in New York and Paris (local policy enforcement) across the Internet]
Secure Management - Administrator Security
Security Management Cannot Be The Weakest Link
Multiple Administrators
Highly Granular Permissions, e.g., by job function
Access Control and Authentication, e.g., by location; e.g., digital certs
SecureUpdate
Auditing
Check Point NG Full Change Audit: administrator login/logout, object changes, rule changes, etc.
Critical feature for many companies and industries, e.g., financial institutions
Administrator Auditing
Creates a record for troubleshooting & debugging
Tracks information in detail and enables sorting, searching, reporting, etc.
Who modified the server named tempest?
What has the administrator Gretchen been doing?
End-to-End Security - SecureClient
Must protect all network accessible devices
Especially VPN/mobile computers
SecureClient: Corporate Policy at Desktop
Desktop firewall
SCV - Secure Configuration Verification
Automatic Updates
Highly scalable - tens-of-thousands of clients
The Security Puzzle
[Diagram: puzzle pieces labelled Firewall, PKI, IDS, Content Filtering and Antivirus]
Check Point Architecture - Winning Security
SVN Connect & Protect
Stateful Inspection & SecureXL
SMART
OPSEC & SecureChoice
OPSEC - Open & Extensible Security
Integrated & Certified Solutions
300 Security Partners
120 Certified Applications
Open SDK
Thousands of OPSEC Developers
Reporting GUI