Integrated Appliance Solution (IAS) Bladed Hardware Technical Training

©2010 Check Point Software Technologies Ltd. | [Confidential] For Check Point users and approved third parties

Integrated Appliance Solution (IAS) Bladed HardwareTechnical Training

May 13, 2010

22©2010 Check Point Software Technologies Ltd. | [Confidential] For Check Point users and approved third parties |

Agenda

1 Introducing IAS Bladed Hardware

2 X-Series: Carrier-Grade Chassis

3 Linear Scalability Architecture

4 Selling IAS Bladed Hardware


The New Initiative

Check Point and Crossbeam have announced a new partnership

Crossbeam X-Series platform is now an integral part of the Check Point portfolio

The X-Series products are part of the Check Point price list

Hardware/Software/Support all come from Check Point as an integrated package

Professional Services/Training can also be sold with the package; will be delivered by Crossbeam


Introducing: IAS Bladed Hardware

Customized Security Chassis for yourUnique Security Needs


Delivers carrier-grade platform for security


Single SKU integrated solution and single contact for support


Designed to meet specific business needs


NEW!


Carrier-grade Solution Designed for the Most Demanding Environments

Integrates essential Check Point Security Gateway Software Blades

Based on Crossbeam X-series chassis

Customer Benefits

Customer Benefits

PartnerBenefitsPartnerBenefits

► Single SKU ordering and fulfillment► Expanded portfolio with scalable

chassis solution► Software Blade upsell opportunities

► Single SKU ordering and fulfillment► Expanded portfolio with scalable

chassis solution► Software Blade upsell opportunities

► Integrated carrier-grade chassis solution► Meets the needs of the most

demanding networks► Single source of support

► Integrated carrier-grade chassis solution► Meets the needs of the most

demanding networks► Single source of support


VPN-1 Power VSXDedicated gateway for multi-layer, multi-domain virtualized security

VPN-1 Power VSXDedicated gateway for multi-layer, multi-domain virtualized security

IAS Bladed Hardware—2 Bundle Options

The only virtualized security gateway with FW, VPN, IPS, and

URLF

The only virtualized security gateway with FW, VPN, IPS, and

URLF

Best virtualized security performance with linear scalability

Best virtualized security performance with linear scalability

Conserves power and space by consolidating up to hundreds of gateways on a single platform

Conserves power and space by consolidating up to hundreds of gateways on a single platform

Security Gateway SG805Designed for the most demanding, highest-performance environments

Security Gateway SG805Designed for the most demanding, highest-performance environments

Comprehensive, flexible and extensible security

Comprehensive, flexible and extensible security

FW, VPN, IPS, Advanced Networking, and Acceleration &

Clustering

FW, VPN, IPS, Advanced Networking, and Acceleration &

Clustering

Ideal for the large campus and data center

Ideal for the large campus and data center


Integrated superior network processing combined with

exceptional application processing on an open architecture

Integrated superior network processing combined with

exceptional application processing on an open architecture

Crossbeam X-Series

Adapt security performance and scaling to fit your business

Adapt security performance and scaling to fit your business

Lower total cost of ownership with dramatic network consolidation and

energy consolidation

Lower total cost of ownership with dramatic network consolidation and

energy consolidation

Decrease downtime with self-healing platform

Decrease downtime with self-healing platform

X80

X45


Flexibility: Hardware and Software

firewall blade

IPSec VPN blade

IPS blade

advanced networking blade

acceleration & clustering blade

X80X45

X-Series Scalable

architecture

AC/DC power

NEBS-compliant

Fiber NICs

Modular NICs

X-Series Scalable

architecture

AC/DC power

NEBS-compliant

Fiber NICs

Modular NICs

Modular and Scalable Blade ArchitectureModular and Scalable Blade Architecture

VPN-1 Power VSX


Customer Benefits

Single SKU and vendor

FW, VPN, IPS, ACCL, ADN

Better TCO (scalability, lower support rate)

Integrated solutions with software blades

An extended global infrastructure with onsite support

V A

L U

E


Agenda






X80

X45

X80

Customers choose for scale and performance

40Gbps Today

“Change-Ready” to 160G

X45

Customers choose when space is a premium

20G Today

“Change-ready” to 80G

APM

Application blades run: Security Gateway R70 VSX R65

CPM

Control blades Manage and

monitor the chassis

NPM

Network connectivity 2 - 10G ports 10 - 1G ports

X-Series Components


X-Series—Modules

Internal chassis management

HA monitoring and failover

Dynamic load balancing

Centralized configuration database

Dedicated mgt/logging/HA ports

Disk sync between dual CPMs

Control Processing Modules (CPMs)

Network connectivity and flow processing

Multi-link trunking

High-speed packet classification/distribution

Intelligent flow sequencing

Built in rate-limiting feature (per flow rule)

Fully VLAN capable; > 4000 VLANs per NPM

Multiple port density options

Network Processing Modules (NPMs)

Virtual Application Processor (VAP) system

► Best-in-class security engines

► Full hot-swap with no reconfiguration

► Seamless failover► Warm (license-less)

standby Optional local HD, crypto

accelerator

Application Processing Modules

(APMs)


X-Series—Accessories

Optional ExtrasSFP-Q2-LX-2 Two (2) LX SFP 1G Transceiver (LC Connectors) for NPMs

SFP-Q2-SX-2 Two (2) SX SFP 1G Transceiver (LC Connectors) for NPMs

SFP-Q2-T-3Two 10/100/1000 Copper SFP Transceivers (RJ45 Connectors) for use with NPM-8600 or later.

XFP-Q2-LRTwo (2) LR XFP 10G Transceiver (LC Connector) for NPM-8600 (RoHS Compliant). Use Single Mode fiber

XFP-Q2-SRTwo (2) SR XFP 10G Transceiver (LC Connector) for NPM-8600 (RoHS Compliant). Use Multi-mode fiber

XOS-ARM-710CD

X-Series Routing Software version 7.1 on DVD. Requires XOS 8.5.0 or higher. Includes PIM Sparse Mode, OSPFv2, RIP-II, and BPG-4. Licensed per X-Series Chassis.


The Virtual Infrastructure

What are we solving? How do we solve it? Why is it important? Real use cases

FW

Internet

IPS

L2

L2

LB

LB

LB

LB

Typical multi-box architectures have a lot of duplication

and inefficiency

Security changes require network

changes causing increased time

to change

Difficult to add a new security

service quickly



R70 Blades

Internet

R70 Blades

L2

L2

LB

LB

LB

LB

Crossbeam creates a “Network in a Box” Network Processor Modules Application Processor Modules consolidate

Security Gateway Software Blades or VSX Control Processing ModulesThe X-Series Platform becomes a “virtual

infrastructure” integrating both network processing and application processing within a

single operating system


http://images.google.com/imgres?imgurl=www.trendmicro.co.uk/corporate/images/crlogo1dir.gif&imgrefurl=http://www.trendmicro.co.uk/corporate/directions.htm&h=273&w=260&prev=/images?q=trend+micro&svnum=100&hl=en&lr=&ie=UTF8&oe=UTF8&safe=off

http://images.google.com/imgres?imgurl=www.trendmicro.co.uk/corporate/images/crlogo1dir.gif&imgrefurl=http://www.trendmicro.co.uk/corporate/directions.htm&h=273&w=260&prev=/images?q=trend+micro&svnum=100&hl=en&lr=&ie=UTF8&oe=UTF8&safe=off

1616©2010 Check Point Software Technologies Ltd. | [Confidential] For Check Point users and approved third parties | 16

Network Processing Module (NPM)

Provides switching fabric for data plane Switching fabric connects all NPMS and APMs 5 Gb/s throughput per NPM-8620 Provides 10 Gb/s throughput per NPM-8650 Provides 40 Gb/s throughput per chassis (4 NPM-8650)

Provides physical network interfaces NPM-8620 has 10 x 1GbE SFP interfaces NPM-8650 has 10 x 1GbE SFP and 2 x 10GbE XFP interfaces

Load balancing distributes traffic Scales throughput by distributing traffic across APMs Re-distributes traffic around failed APMs

Consolidates network infrastructure Virtualizes switches, load balancers, patch and power cords Eliminates common network devices



Application Processing Module (APM)

Hosts applications Supports “Virtual Application Processor” (VAP) Application runs within each VAP

Scales performance Multiple APMs allow multiple VAPs These application instances share the traffic load

Allows layered security Different APMs can run different applications NPM’s network virtualization provides connectivity

between layers

Provides application redundancy VAPs can run on any APM APMs can be re-provisioned on-the-fly Un-provisioned APMs automatically assume warm-

standby role



Control Processing Module (CPM)

System management Provides out-of-band management of chassis Centralized configuration of all elements in the system

Provision applications based on configuration Ensures desired configuration

Health monitoring Continuously checks health of APMs, and NPMs Failover control Collects statistics (CPU, I/O, etc) from all other modules Routes around failures



XOS


Broad support of best-in-class security applications

Optimizes data flow between the network and application processors

Protects and ensures optimum network processing

Optimizes and controls flows between apps

Provides Superior Network Performance

Network

Processing

Environment

Chassis Resource

Protection

Secure Flow Processing

Switched Data Path

Management

Ensures Exceptional Application Processing

Automatic performance capacity restoration

Allows application performance to scale

independently

Provides a responsive system to application

processing needs

Application

Processing

Environment

Self-Healing

Virtual Application

Processor / Grouping

Dynamic Resource

Allocation

Open Secure OS



A virtual infrastructure Creates a very responsive on-demand architecture Move, add, remove applications without impacting the

network Create logical application groups that can be scaled or

changed depending upon performance demands Self-healing architecture

Green Zone► Reduces waste by removing network

inefficiencies► Reduce # Ethernet connections to a

single “virtual infrastructure”



Simplifying the Complex


Which Network Rack can be Upgraded Faster?Which Network Rack can be Upgraded Faster?

The X-Series Platform is the entire infrastructure—a single management interface for all security and network changes

Firmware and system software upgrades only need to be applied once using the Automated Workflow System




Solving the Problem Crossbeam collapsed 800 Cisco ASA Firewall appliances into 4 X80

chassis running Check Point VSX National Communications Co. now scales without adding additional

hardware

Solving the Problem Crossbeam collapsed 800 Cisco ASA Firewall appliances into 4 X80

chassis running Check Point VSX National Communications Co. now scales without adding additional

hardware

Business Outcome National Telco was able to reduce the staff required for manage this service

from 12 to just 3

Business Outcome National Telco was able to reduce the staff required for manage this service

from 12 to just 3

Crossbeam Validation Crossbeam was able to validate up to 250 virtual firewalls running on each

X80 Chassis

Crossbeam Validation Crossbeam was able to validate up to 250 virtual firewalls running on each

X80 Chassis

The Technical Problem Current managed firewall service to local government education agency

was overly complex, requiring 12 operational staff to maintain

The Technical Problem Current managed firewall service to local government education agency

was overly complex, requiring 12 operational staff to maintainNationalCommunicationsNationalCommunications


Agenda






Linear Scalability Architecture

Networking Platforms

Application Server

Platforms


Excellent for controlling the flow of data packets

Poor at actually processing the data

Excellent for processing the data

Poor at controlling the flow of latency-sensitive data

Need to Maintain a Perfect Relationship Between Network and Application Processing in Order to Optimize a System

Need to Maintain a Perfect Relationship Between Network and Application Processing in Order to Optimize a System



System Performance

Connections per Second

Total Connections

Latency

Mixed Packet Size Throughput

Application Inspection

Throughput

Application Throughput Under Load


True system scalability demands that every performance factor

scales linearly


Networking Platforms

Integrated network and application processing facilitates true linear scalability

Application Server

Platforms

X-Series Architecture




APM 8650

Up to 8 CPU Cores per Module

Up to 80 CPU Cores per Chassis

Up to 12.8 Gbps of Backplane Connectivity

Up to 16 GB of Memory

Diskless Design• Optional up to 2 HDD‘s available with Raid 1/0

Fully Hot-Swappable

NPM 8650 NPM 8620

Up to 10 Gbps Processing

Up to 5Gbps Processing

10 Million Flows 8 Million Flows

105,000 Connections per

second

45,000 Connections per

second

320,000 Connections per second / Chassis

Switched Data Paths (SDP)

NPM APM

What are we solving? How do we solve it? Why is it important? Real Use-Cases


Traffic flow controlled down to the individual

processor core


Check Point R70 Performance

The X-Series can scale to 40Gbps firewall throughput with iMIX UDP traffic The X-Series also is the fastest firewall platform on the market in small packet

performance, capable of scaling to 18M Packets Per Second with 64 byte packets


1 APM 2 APM 3 APM 4 APM 5 APM 6 APMs 7 APM 8 APM0

5

10

15

20

25

30

35

40

45

1518Byte Throughput

IMIX Throughput

64Byte ThroughputGb

ps


Throughput…Think Real WorldG

iga

bit

s

Pe

r S

ec

on

d

Packet Size

X80 with NPM and APM 8650 Modules Running Check Point R70

1518 1280 1024 768 512 256 128 640.0

5.0

10.0

15.0

20.0

25.0

30.0

35.0

40.0


The X80 Achieves the Maximum Throughput of 40Gbps with Real-World Packet Sizes, Not Just with Large Packets

The X80 Achieves the Maximum Throughput of 40Gbps with Real-World Packet Sizes, Not Just with Large Packets

iMIX Performance


X80 SRX0

20

40

60

80

100

120

Large Packet (1518)

X80 SRX0

20

40

60

80

100

120

iMIX

Platform Performance

We must push back on overinflated SRX performance claims

X80 SRX0

20

40

60

80

100

120

Firewall + IPS

X80 iMIX performance doesn’t budge from our max throughput of 40Gbps

SRX throughput for iMIX traffic plummets by nearly 65% Clear demonstration of how

unrealistic the 120Gb claim is

Gig

abit

s p

er

Sec

on

d

SRX performance drops even further when IPS is turned on

Check Point Firewall + IPS on X80 has always outperformed SRX

The Honeymoon is Over for the SRXThe Honeymoon is Over for the SRX


Packet forwarding rate directly affects real-world throughput

This performance is achieved with 8-core APM-8650 modules

Utilizing Check Point CoreXL technology

Platform Performance—Packet Forwarding Rate

X80 SRX0

2

4

6

8

10

12

14

16

18

20

Mil

lio

ns

of

Pac

kets

pe

r S

eco

nd

Packet Forwarding Rate

(64 byte packets)

At 18 Million Packets per Second,

the X-Series is the Fastest Firewall on the Market!


Scaling Against Juniper SRX

X80 SRX(November 2009 Datasheet)

Packet Rate 18 Million PPS 15 Million PPS

iMIX Throughput 40 Gigabit / Second 45 Gigabit / Second

Firewall + IPS Throughput 40 Gigabit / Second 30 Gigabit / Second

Connections per Second 320,000 CPS 350,000 CPS

Total Concurrent Connections 10 Million 10 Million

Large Packet Throughput 40 Gigabit / Second 120 Gigabit / Second


X-Series Wins Against the SRXX-Series Wins Against the SRX


IAS Bladed Hardware—Performance Bundles

The 5 Gbit/s solution—

running on an X45

5 Gbit Solution


running on an X45 or X80

10 Gbit Solution


running on an X45 or X80

20 Gbit Solution


running on an X80

40 Gbit Solution


1-2-1 2-2-1 2-4-1 4-6-1




A linear scalable architecture Provides ability to create an accurate performance

budget and planning for future expansion Dedicated resources can be allocated to specific

applications ensuring performance service levels

Green Zone► Crossbeam switched data paths

dramatically increase the efficiency of multi-core processor systems




Solving the Problem Crossbeam used 4th-generation blades to scale the O2 Internet-facing

firewalls to accommodate 6.5 million concurrent connections

Solving the Problem Crossbeam used 4th-generation blades to scale the O2 Internet-facing

firewalls to accommodate 6.5 million concurrent connections

Business Outcome O2 is now able to continue to service their existing subscriber base of

22 million and expand service to remain competitive in the UK market

Business Outcome O2 is now able to continue to service their existing subscriber base of

22 million and expand service to remain competitive in the UK market

Crossbeam Validation Utilized the Linear Scalability validation test plan to show all performance

metrics increased as firewall VAP group members were added

Crossbeam Validation Utilized the Linear Scalability validation test plan to show all performance

metrics increased as firewall VAP group members were added

The Technical Problem Critical need to continually increase throughput and concurrent connections

to keep pace with 3G devices on the mobile network

The Technical Problem Critical need to continually increase throughput and concurrent connections

to keep pace with 3G devices on the mobile network


Agenda






Product Solution Examples L

ist

Pric

e

(10G) (20G) (40G)

$185K

$345K

$640K

X45 Chassis

2 NPM 8620

2 APM 8650

1 CPM 8600

2 P/S

2-2-1

X80 Chassis

2 NPM 8650

4 APM 8650

1 CPM 8600

2 P/S

2-4-1

X80 Chassis

4 NPM 8650

8 APM 8650

1 CPM 8600

3 P/S

4-8-1

iMIX Performance

Solution Example: CPAP-X45-2B-SG805 : Check Point IAS X45 Bladed Architecture with 2 Security Gateways (FW, VPN, IPS, ACCL, ADN)

NOTE: These are example configurations. Each deal will require some customization


IAS Bladed Hardware—SG805

High-performance Security Gateway for the Most Demanding Environments

High-performance Security Gateway for the Most Demanding Environments

Indicates number of APMs


IAS Bladed Hardware—VSX

Dedicated Gateway for Multi-layer, Multi-domain Virtualized Security

Dedicated Gateway for Multi-layer, Multi-domain Virtualized Security


Strategy for Success

Beating the Competition

Juniper SRX Real-world performance – Performance hit to firewall when measured

against real world traffic Management interface – Cumbersome interface/menus loosely unifies

ScreenOS and JunOS High availability limitations – Choice between high availability and

performance Inspection performance – Traffic throughput drops when IPS turned on

Cisco ASA Performance – Security technology lags in the industry Complexity and cost – Security embedded in each appliance requiring

many appliances Security – May know the network, but not strong around network security


24/7 Support for the Most Critical Environments

DALLASTAC

TEL AVIVTAC

STOCKHOLMEndpoint escalation

TOKYOTAC

OTTAWATAC

• Award-winning support

• Always-on 24 X 7 coverage

• Best-in-class electronic support tools

• World-wide material inventory

• Online support in 150 countries / 1,000 metropolitan areas


Sales Tools

Sales Tools are available on PartnerMap Customer presentation Technical presentation At-a-glance sales guides And more…

For additional information please contact your Check Point Channel Representative


Summary: IAS Bladed Hardware









NEW!

Integrated Appliance Solution (IAS) Bladed Hardware Technical Training

Documents

Transcript of Integrated Appliance Solution (IAS) Bladed Hardware Technical Training