Check Point security architecture (not only) for your private cloud
TRANSCRIPT
![Page 1: Check Point security architecture (not only) for your private cloud](https://reader033.vdocument.in/reader033/viewer/2022042701/55aef2ff1a28ab7e288b4758/html5/thumbnails/1.jpg)
©2014 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved.
Peter Kovalcik | SE Eastern Europe
Check Point security architecture (not only) for your private cloud
![Page 2: Check Point security architecture (not only) for your private cloud](https://reader033.vdocument.in/reader033/viewer/2022042701/55aef2ff1a28ab7e288b4758/html5/thumbnails/2.jpg)
![Page 3: Check Point security architecture (not only) for your private cloud](https://reader033.vdocument.in/reader033/viewer/2022042701/55aef2ff1a28ab7e288b4758/html5/thumbnails/3.jpg)
![Page 4: Check Point security architecture (not only) for your private cloud](https://reader033.vdocument.in/reader033/viewer/2022042701/55aef2ff1a28ab7e288b4758/html5/thumbnails/4.jpg)
![Page 5: Check Point security architecture (not only) for your private cloud](https://reader033.vdocument.in/reader033/viewer/2022042701/55aef2ff1a28ab7e288b4758/html5/thumbnails/5.jpg)
![Page 6: Check Point security architecture (not only) for your private cloud](https://reader033.vdocument.in/reader033/viewer/2022042701/55aef2ff1a28ab7e288b4758/html5/thumbnails/6.jpg)
![Page 7: Check Point security architecture (not only) for your private cloud](https://reader033.vdocument.in/reader033/viewer/2022042701/55aef2ff1a28ab7e288b4758/html5/thumbnails/7.jpg)
![Page 8: Check Point security architecture (not only) for your private cloud](https://reader033.vdocument.in/reader033/viewer/2022042701/55aef2ff1a28ab7e288b4758/html5/thumbnails/8.jpg)
![Page 9: Check Point security architecture (not only) for your private cloud](https://reader033.vdocument.in/reader033/viewer/2022042701/55aef2ff1a28ab7e288b4758/html5/thumbnails/9.jpg)
![Page 10: Check Point security architecture (not only) for your private cloud](https://reader033.vdocument.in/reader033/viewer/2022042701/55aef2ff1a28ab7e288b4758/html5/thumbnails/10.jpg)
![Page 11: Check Point security architecture (not only) for your private cloud](https://reader033.vdocument.in/reader033/viewer/2022042701/55aef2ff1a28ab7e288b4758/html5/thumbnails/11.jpg)
![Page 12: Check Point security architecture (not only) for your private cloud](https://reader033.vdocument.in/reader033/viewer/2022042701/55aef2ff1a28ab7e288b4758/html5/thumbnails/12.jpg)
![Page 13: Check Point security architecture (not only) for your private cloud](https://reader033.vdocument.in/reader033/viewer/2022042701/55aef2ff1a28ab7e288b4758/html5/thumbnails/13.jpg)
![Page 14: Check Point security architecture (not only) for your private cloud](https://reader033.vdocument.in/reader033/viewer/2022042701/55aef2ff1a28ab7e288b4758/html5/thumbnails/14.jpg)
Growing enterprise complexity
[Protected] Non-confidential content
![Page 15: Check Point security architecture (not only) for your private cloud](https://reader033.vdocument.in/reader033/viewer/2022042701/55aef2ff1a28ab7e288b4758/html5/thumbnails/15.jpg)
METHODOLOGY OF SDP
STEP 1: SEGMENTATION
STEP 2: DEFINE PROTECTIONS
STEP 3: CONSOLIDATION
STEP 4: POLICY DEFINITION
![Page 16: Check Point security architecture (not only) for your private cloud](https://reader033.vdocument.in/reader033/viewer/2022042701/55aef2ff1a28ab7e288b4758/html5/thumbnails/16.jpg)
Segmentation
![Page 17: Check Point security architecture (not only) for your private cloud](https://reader033.vdocument.in/reader033/viewer/2022042701/55aef2ff1a28ab7e288b4758/html5/thumbnails/17.jpg)
METHODOLOGY OF SDP
STEP 1: SEGMENTATION
STEP 2: DEFINE PROTECTIONS
![Page 18: Check Point security architecture (not only) for your private cloud](https://reader033.vdocument.in/reader033/viewer/2022042701/55aef2ff1a28ab7e288b4758/html5/thumbnails/18.jpg)
Access Control vs. Threat Prevention
![Page 19: Check Point security architecture (not only) for your private cloud](https://reader033.vdocument.in/reader033/viewer/2022042701/55aef2ff1a28ab7e288b4758/html5/thumbnails/19.jpg)
Risk-based Selection
![Page 20: Check Point security architecture (not only) for your private cloud](https://reader033.vdocument.in/reader033/viewer/2022042701/55aef2ff1a28ab7e288b4758/html5/thumbnails/20.jpg)
Threat Prevention

| Segment | Target | Protections |
| --- | --- | --- |
| DMZ | Servers | IPS |
| LAN | Client machines | IPS, AV, TE |
| DC | Servers | IPS |
![Page 21: Check Point security architecture (not only) for your private cloud](https://reader033.vdocument.in/reader033/viewer/2022042701/55aef2ff1a28ab7e288b4758/html5/thumbnails/21.jpg)
Threat Prevention

| Segment | Target | Protections |
| --- | --- | --- |
| DMZ | Servers | IPS |
| LAN | Client machines | IPS, AV, TE |
| DC | Servers | IPS |
| LAN | Users | AB (C&C) |
![Page 22: Check Point security architecture (not only) for your private cloud](https://reader033.vdocument.in/reader033/viewer/2022042701/55aef2ff1a28ab7e288b4758/html5/thumbnails/22.jpg)
Data Protection

| Segment | Target | Protections |
| --- | --- | --- |
| LAN | Users | DLP |
| DC | Servers, Data | DLP |
![Page 23: Check Point security architecture (not only) for your private cloud](https://reader033.vdocument.in/reader033/viewer/2022042701/55aef2ff1a28ab7e288b4758/html5/thumbnails/23.jpg)
METHODOLOGY OF SDP
STEP 1: SEGMENTATION
STEP 2: DEFINE PROTECTIONS
STEP 3: CONSOLIDATION
![Page 24: Check Point security architecture (not only) for your private cloud](https://reader033.vdocument.in/reader033/viewer/2022042701/55aef2ff1a28ab7e288b4758/html5/thumbnails/24.jpg)
Consolidation
![Page 25: Check Point security architecture (not only) for your private cloud](https://reader033.vdocument.in/reader033/viewer/2022042701/55aef2ff1a28ab7e288b4758/html5/thumbnails/25.jpg)
Virtual Edition: securing VMware ESX
Security Challenges in Virtual Environments
• Inspect traffic between Virtual Machines (VMs)
• Secure new Virtual Machines automatically
• Protection from external threats
[Restricted] ONLY for designated groups and individuals
![Page 26: Check Point security architecture (not only) for your private cloud](https://reader033.vdocument.in/reader033/viewer/2022042701/55aef2ff1a28ab7e288b4758/html5/thumbnails/26.jpg)
Operation Mode
[Diagram: Network Mode with an external gateway (ExtGW) in front of vSwitch 1 and vSwitch 2; Hypervisor Mode with the Security API, Agents on the VMs and the VE; VMs 2.1.1.1 and 2.1.1.2]
Network Mode
• Protection from External threats
• Not aware of inter-vSwitch traffic
Hypervisor Mode
• Protects VMs with inter-vSwitch inspection
• Supports dynamic virtual environment
![Page 27: Check Point security architecture (not only) for your private cloud](https://reader033.vdocument.in/reader033/viewer/2022042701/55aef2ff1a28ab7e288b4758/html5/thumbnails/27.jpg)
Deployments before VMsafe integration
[Diagram: external gateway (Ext GW) in front of a vSwitch hosting 2.1.1.1 to 2.1.1.5; traffic between those VMs stays inside the vSwitch]
• Gateway is not aware of inter-vSwitch traffic
• Packets not inspected inside vSwitch
![Page 28: Check Point security architecture (not only) for your private cloud](https://reader033.vdocument.in/reader033/viewer/2022042701/55aef2ff1a28ab7e288b4758/html5/thumbnails/28.jpg)
Layer 2 security packet flow
[Diagram: ESX Server with one vSwitch, an Agent on each VM 2.1.1.1 to 2.1.1.5, the Security API and the VE gateway]
• 2.1.1.1 sends packet to 2.1.1.3
• Packet intercepted in the Agent and forwarded to the Gateway for inspection
• Packet passed firewall inspection and is sent back to the Agent
• Packet continues the flow from where it was intercepted
• Packet is not inspected again
![Page 29: Check Point security architecture (not only) for your private cloud](https://reader033.vdocument.in/reader033/viewer/2022042701/55aef2ff1a28ab7e288b4758/html5/thumbnails/29.jpg)
Layer 2 security in dynamic environments
[Diagram: ESX 1 and ESX 2, each with vSwitch, Security API, Agents and a VE with external (Ext) interfaces; the two VEs are joined by a Sync link]
• Connection initiated from 2.1.1.1 to 2.1.1.3
![Page 30: Check Point security architecture (not only) for your private cloud](https://reader033.vdocument.in/reader033/viewer/2022042701/55aef2ff1a28ab7e288b4758/html5/thumbnails/30.jpg)
Layer 2 security in dynamic environments
[Diagram: same two-host layout with an SG VE on each host; VM 2.1.1.3 moving from ESX 1 to ESX 2]
• VM is migrating to ESX 2
• Connections related with 2.1.1.3 will be marked that they are handled by ESX 1
![Page 31: Check Point security architecture (not only) for your private cloud](https://reader033.vdocument.in/reader033/viewer/2022042701/55aef2ff1a28ab7e288b4758/html5/thumbnails/31.jpg)
Layer 2 security in dynamic environments
[Diagram: 2.1.1.3 now runs on ESX 2; packets of the existing connection travel back to the VE on ESX 1, new connections are handled on ESX 2]
• Existing connection: packet forwarded to ESX 1
• New connection: packet not forwarded
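The packet flow on pages 28 to 31 (agent intercepts on the source vNIC, one inspection per packet, connections of a migrated VM kept by the host that first inspected them) can be modelled as a small stateful simulation. The code below is an added example, not Check Point code or configuration: the classes, the `Cluster`/`VirtualEdition` names, the `ESX 1`/`ESX 2` labels, the sample access policy and the connection-table behaviour are constructed assumptions that follow the slides' descriptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Added example: constructed model of the Layer 2 flow on the slides.
# Names, policy and table layout are assumptions, not Check Point APIs.


@dataclass(frozen=True)
class ConnKey:
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "ConnKey":
        return ConnKey(self.dst, self.dport, self.src, self.sport)


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    inspected: bool = False  # set by the source-side agent once a VE handled it


@dataclass
class Result:
    verdict: str                 # "accept" or "drop"
    inspected_by: Optional[str]  # host whose VE made the decision
    forwarded: bool              # source agent sent it to another host's VE
    inspected_at_dst: bool       # destination agent had to inspect (no mark)


class VirtualEdition:
    """Security Gateway VE on one ESX host; enforces the access policy."""

    def __init__(self, host: str, rules: List[Tuple[str, str, int]]):
        self.host = host
        self.rules = [(ipaddress.ip_network(n), ipaddress.ip_address(d), p)
                      for n, d, p in rules]

    def allows(self, pkt: Packet) -> bool:
        src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        return any(src in n and dst == d and pkt.dport == p for n, d, p in self.rules)


class Cluster:
    """ESX hosts with one VE each, an agent on every VM vNIC, and a connection
    table replicated between the VEs (the Sync link on the slides)."""

    def __init__(self, hosts: List[str], rules: List[Tuple[str, str, int]]):
        self.ve = {h: VirtualEdition(h, rules) for h in hosts}
        self.vm_host: Dict[str, str] = {}    # VM IP -> host it currently runs on
        self.conns: Dict[ConnKey, str] = {}  # connection -> host whose VE owns it

    def place_vm(self, ip: str, host: str) -> None:
        self.vm_host[ip] = host

    def migrate(self, ip: str, new_host: str) -> int:
        """vMotion: the VM moves; its connections stay marked as handled by the old host.
        Returns how many table entries still point at the old host."""
        old = self.vm_host[ip]
        self.vm_host[ip] = new_host
        return sum(1 for k, h in self.conns.items() if ip in (k.src, k.dst) and h == old)

    def _inspect(self, host: str, pkt: Packet, key: ConnKey) -> str:
        if key in self.conns:
            return "accept"                   # established, already passed policy
        if self.ve[host].allows(pkt):
            self.conns[key] = host            # new connection owned by this host,
            self.conns[key.reverse()] = host  # both directions, synced to the peer VE
            return "accept"
        return "drop"

    def send(self, pkt: Packet) -> Result:
        key = ConnKey(pkt.src, pkt.sport, pkt.dst, pkt.dport)
        src_host, dst_host = self.vm_host.get(pkt.src), self.vm_host.get(pkt.dst)
        verdict, inspected_by, forwarded = "accept", None, False
        if src_host is not None:
            # Agent on the source vNIC intercepts. A new connection goes to the local
            # VE; an existing one is forwarded to the VE that owns it, even after the
            # VM was moved to another host.
            handler = self.conns.get(key, src_host)
            forwarded = handler != src_host
            verdict = self._inspect(handler, pkt, key)
            inspected_by = handler
            pkt.inspected = True              # destination agent will not inspect again
        inspected_at_dst = False
        if verdict == "accept" and dst_host is not None and not pkt.inspected:
            # No agent marked this packet (source outside the cluster): the
            # destination host's VE inspects it on arrival.
            verdict = self._inspect(dst_host, pkt, key)
            inspected_by, inspected_at_dst = dst_host, True
        return Result(verdict, inspected_by, forwarded, inspected_at_dst)


# Constructed scenario following pages 28 to 31: 2.1.1.x VMs, 2.1.1.3 migrates.
RULES = [("2.1.1.0/24", "2.1.1.3", 80), ("2.1.1.0/24", "2.1.1.4", 443)]


def run_demo() -> Dict[str, object]:
    c = Cluster(["ESX 1", "ESX 2"], RULES)
    for ip in ("2.1.1.1", "2.1.1.2", "2.1.1.3"):
        c.place_vm(ip, "ESX 1")
    c.place_vm("2.1.1.4", "ESX 2")
    out: Dict[str, object] = {}
    out["new_conn"] = c.send(Packet("2.1.1.1", 50000, "2.1.1.3", 80))         # inspected once on ESX 1
    out["denied"] = c.send(Packet("2.1.1.1", 50001, "2.1.1.3", 23))           # policy drop
    out["marked"] = c.migrate("2.1.1.3", "ESX 2")                              # entries stay with ESX 1
    out["reply_after_move"] = c.send(Packet("2.1.1.3", 80, "2.1.1.1", 50000))  # forwarded to ESX 1
    out["new_after_move"] = c.send(Packet("2.1.1.3", 40000, "2.1.1.4", 443))   # handled on ESX 2
    out["external"] = c.send(Packet("203.0.113.9", 4444, "2.1.1.3", 80))       # inspected on arrival
    return out


if __name__ == "__main__":
    for name, r in run_demo().items():
        print(f"{name:16} {r}")
```

Running the script prints one line per step: the first packet is accepted by the VE on ESX 1 and not inspected again at the destination; the reply sent after 2.1.1.3 moved is still handled by ESX 1 (forwarded, as on page 31), while a connection the VM opens from ESX 2 stays local; a packet from an address with no agent is inspected by the destination host's VE and, under the constructed policy, dropped.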
![Page 32: Check Point security architecture (not only) for your private cloud](https://reader033.vdocument.in/reader033/viewer/2022042701/55aef2ff1a28ab7e288b4758/html5/thumbnails/32.jpg)
Installation automation
Seamless security for dynamic environments
[Diagram: ESX Server with Service Console, vSwitch, Security API, external switch, SG VE, and VMs 1 to 5 each receiving an Agent]
• VE installed
• VE retrieves information on VMs/Port groups/vSwitches
• Event sent to VE informing of new VMs
• VE attaches the Fast Path Agents on the vNICs of the new VMs
![Page 33: Check Point security architecture (not only) for your private cloud](https://reader033.vdocument.in/reader033/viewer/2022042701/55aef2ff1a28ab7e288b4758/html5/thumbnails/33.jpg)
METHODOLOGY OF SDP
STEP 1: SEGMENTATION
STEP 2: DEFINE PROTECTIONS
STEP 3: CONSOLIDATION
STEP 4: POLICY DEFINITION
![Page 34: Check Point security architecture (not only) for your private cloud](https://reader033.vdocument.in/reader033/viewer/2022042701/55aef2ff1a28ab7e288b4758/html5/thumbnails/34.jpg)
Management
![Page 35: Check Point security architecture (not only) for your private cloud](https://reader033.vdocument.in/reader033/viewer/2022042701/55aef2ff1a28ab7e288b4758/html5/thumbnails/35.jpg)
Summary
Physical Security Gateway
• 21400 VSLS
• Virtual security Gateway (VSX)
Security Gateway Virtual Edition
• Hypervisor Mode
• Network Mode
Management Server
• Security Management
• Multi-Domain Management
Cloud Orchestration
![Page 36: Check Point security architecture (not only) for your private cloud](https://reader033.vdocument.in/reader033/viewer/2022042701/55aef2ff1a28ab7e288b4758/html5/thumbnails/36.jpg)
THANK YOU!