04 vsx power-r65

©2003–2008 Check Point Software Technologies Ltd. All rights reserved. [Confidential]—For Check Point users and approved third parties

Check Point VPN-1 VSXCheck Point VPN-1 VSX

Peter SandkuijlEMEA SE High End Solutions

[email protected]

2©2003–2008 Check Point Software Technologies Ltd. All rights reserved. [Confidential]—For Check Point users and approved third parties

AgendaAgenda

What is VSX and why should I consider it? What is VSX and why should I consider it?

How to integrate a VSX infrastructure into my enterprise network?


Is my VSX infrastructure robust,

scalable and fast?


scalable and fast?

Is management of a VSX infrastructure

complex?


complex?


What is VSX?What is VSX?

VSX means Virtual System Extension

A VSX gateway is a physical server capable of running several instances of logical (or virtual) VPN-1 modules each protecting a specific network

Each virtual VPN-1 module enforces its own security and routing policies


Why should customers consider virtualization?Why should customers consider virtualization?

Cost optimizationUp to 250 virtual VPN-1 modules can be deployed on a single physical VSX gateway

Fast ProvisioningFew mouse clicks to create a new virtual VPN-1 module or cluster including its network settings

Better scalability & availabilityLinear performance improvement

Efficient ManagementScalable & granular management with Provider-1

Powerful CLI tool: vsx_util

2 screens wizard !


AgendaAgenda





scalable and fast?


scalable and fast?


complex?


complex?


VSX virtual devices: Firewall objectsVSX virtual devices: Firewall objects

In the VSX world, a VPN-1 module is named a Virtual System (VS)

Each VS functions as a stand-alone, independent VPN-1 gateway

FW

VPN(Inc. SR/SC)

SMDF(Inc. WebInt)

SSL VPN(SNX)

AUTH(Client & Session)

Layer 3

Layer 2

Dynamic Routing

Secure XL

Cluster XLSecurity FeaturesNetwork Features

Scalability & Perf. Features

Virtual System


VSX virtual devices: Network objectsVSX virtual devices: Network objects

Two types of Network Objects:

Why are Network Objects used?To reach the external world according to customer network’s constraints

To route traffic from a Virtual System to another

A Virtual Router:Is protected by its own Security Policy (can be modified)

Like a Layer-3 VS, supports Dynamic Routing

Supports Source Routing

Virtual Routers & Switches use Warp Links to connect to Virtual Systems

Layer 2

Virtual SwitchLayer 3

Virtual Router

192.168.1.0/24


How to attach VSX gateway to the external world?How to attach VSX gateway to the external world?

Physical InterfacesExternal

Internal

Management

Sync

Logical Interfaces 802.1q

Company A

Company B

Company C

Data Center

SY

NC

Internet


How does VSX gateway dispatch packets to virtual devices?How does VSX gateway dispatch packets to virtual devices?

Physical InterfacePacket is immediately forwarded

Logical InterfacePacket is forwarded according to its VLAN ID

Virtual RouterPacket is routed according to its dst or src/dst IP address

Virtual SwitchPacket is switched according to its destination MAC address

Company ASubnet A

Company BSubnet B

Context DeterminationWhen a Virtual Device is connected through a…


VSX Into the WildVirtualizing several DMZ firewallsVSX Into the WildVirtualizing several DMZ firewalls

Customer ProfileBank Company

NeedsHas to host several Customer Projects (1 project = 1 DMZ)

Projects are reachable from the External

Projects use Internal resources

Before VSXTwo layers of firewall clusters to protect the “Project” Infrastructure from Internal & External threats

Secure Customer Projects with additional firewall clusters

With VSX– …

Trunk 802.1Q

eth1 eth0

MGMT

SYNC

DMZ

VS Interface Zone

VS1

eth5.100 DMZ1

eth5.101 DMZ2

eth5.102 DMZ3

eth6.112 External

eth7.116 Internal

VS2

eth4.103 DMZ4

eth4.104 DMZ5

eth4.105 DMZ6

eth6.113 External

eth7.117 Internal

Etc.

eth410Gbs

eth810Gbs

eth910Gbs

Trunk 802.1Qeth3

10GbsTrunk 802.1Q

eth210Gbs

Trunk 802.1Q

eth510Gbs

Core Switch

EXTERNAL

Router

Trunk 802.1Qeth610Gbs

INTERNAL

Router

Trunk 802.1Qeth7

10Gbs

vlan 116vlan 117vlan 118vlan 119

vlan 112vlan 113vlan 114vlan 115

vlan 100vlan 101vlan 102





AgendaAgenda





scalable and fast?


scalable and fast?


complex?


complex?


SYNCSYNC

ClusteringIntroduction to VSLSClusteringIntroduction to VSLS

Two clustering levelsVSX Gateways: active/active

Virtual Systems: active/standby

Don’t need to assign dedicated IP addresses to each cluster’s members

Only one sync network

Easy provisioning

VIP: IP1VIP: IP1

VIP: IP2VIP: IP2

192.168.196.0/22

192.168.196.0/22

Created by the VSX Administrator

Created by the VSX Administrator

Created by the VSX Management Infrastructure

Created by the VSX Management Infrastructure


SYNCSYNC

ClusteringVirtual System Load SharingClusteringVirtual System Load Sharing

Distributes VS instances between different VSX gateways

Sync improvementsNew state: Backup

Sync only between active & standby (unicast sync)

VS distributionPerformed automatically or manually (vsx_util redistribute_vsls)

Depends on priorities and weights


ClusteringActive/Standby Bridge ModeClusteringActive/Standby Bridge Mode

Relevant for VSX gateways hosting Layer-2 VS clusters

Offers the following advantages over STP:

Path redundancy

Loop prevention

Immediate failover

Control over bridge failover

Works with VSLS

VSs sync & publish their MAC forwarding table

Cluster XLCluster XL

STPSTP

STPSTP

STPSTP

STPSTP

STPSTP

STPSTP


VSX into the WildSplitting a big firewall into specialized virtual firewallsVSX into the WildSplitting a big firewall into specialized virtual firewalls

Customer ProfileRetailer Company

NeedsSimplify Security Policy Management

Simplify Network Management

Improve Scalability & Performance

Before VSXVery large rulebase

Not scalable

Performance bottleneck

With VSX– …

EXTERNAL

CoreSwitch

INTERNAL

Core Switch

Emails

Hosting

VPN

Browsing

vlan 100

eth1eth1 eth0eth0

eth6eth6

MGMT

SYNC

INTERNAL EXTERNAL

VS Interface

Browsingeth5.100

Eth6.100

Emailseth4.101

Eth7.101

Etc.

Core Switch

vlan 100

vlan 101

vlan 102vlan103

eth5eth5

eth4eth4

eth3eth3

eth2eth2

CoreSwitch

vlan 101

eth7eth7

vlan 102eth8eth8

vlan 103

eth9eth9

Performance PackPerformance Pack

VSLSVSLS

Active/StandbyBrige Mode

Active/StandbyBrige Mode


AgendaAgenda





scalable and fast?


scalable and fast?


complex?


complex?


VSX managementVSX management

3-tier management architecture with either SmartCenter or Provider-1

Only one Mgmt IP address is used per VSX gateway

SMART ConsolesSMART

Consoles

SmartCenterSmartCenter

Provider-1Provider-1

VSX GatewaysVSX Gateways


VSX managementProvider-1 focusVSX managementProvider-1 focus

Main CMA manages the VSX infrastructure

Target CMAs manage one or more Virtual Devices

Multiple concurrent administrators

Granular permissions

Separate object databases


ConclusionConclusion

Scale both enterprise perimeter & core sides security– VSX objects allow fast and complete integration anywhere in the

Enterprise– Scalable & resilient security with VSX clustering

Powerful Management– Fast VSs or VSs clusters provisioning– Central VSX infrastructure database including network settings– IP addresses optimization (1 Mgmt IP per VSX gateway, 1 sync

network, no dedicated IPs)– Scalable & granular management with P-1– Easy recovery of a failed gateway with CLI tool vsx_util

Reduce TCO

04 vsx power-r65

Technology

Transcript of 04 vsx power-r65