VSX C02 VSX Arch Deployment
Transcript of VSX C02 VSX Arch Deployment
8/12/2019 VSX C02 VSX Arch Deployment
VSX Architecture and Deployment
Key Terms
VPN-1/FireWall-1 VSX
Managed Service Provider (MSP)
Customer Management Add-on (CMA)
Virtual System (VS)
VSX GUI Client
VSX Management Server
Multi Domain Server (MDS)
VSX Gateway
Context Identification
Virtual System Matching
VSX Inspection Module
Network Operation Center (NOC)
VSX Overview
VPN-1/FireWall-1 Virtual System Extension (VSX) is a security and VPN solution designed to meet the demands of large-scale environments. Centrally managed and incorporating key network resources internally, VSX allows businesses to offer comprehensive firewall and VPN functions to their customers, while reducing production costs and improving efficiency. By virtualizing the network infrastructure, VSX allows administrators to replace a collection of standard hardware devices. The VSX Gateway is comprised of a virtual topology that includes virtual devices that replace physical ones, such as routers, traditional firewalls, and even some network cables.

When managed by Provider-1 NG, the unique architecture of VSX allows data centers or Managed Service Providers (MSPs) to separate all customer-specific data, such as objects and rules, not only in the Provider-1 NG environment with the use of Customer Management Add-ons (CMAs), but also at the Enforcement Module level through the use of Virtual Systems.

A VSX Gateway recognizes the context of traffic passing through it, and acts on it. Although configured on the same gateway, multiple Virtual Systems (VSs) separately enforce each customer's Security Policy only on the traffic associated with the context they are protecting. Each Virtual System acts as a single standard FireWall-1 enforcement module. With VSX, MSPs can offer comprehensive security solutions to their customers, by protecting their sensitive data and consolidating resources. VSX can also be integrated into an existing Check Point infrastructure.
VSX is based on Check Point's Next Generation architecture, and is comprised of the following components:
VSX GUI Client
VSX Management Server
VSX Gateway
(Figure: VSX Components)
VSX GUI Client
The VSX GUI Client allows Security Administrators to manage multiple VSX Gateways, and multiple Virtual Systems installed on those Gateways. The VSX GUI Client can also be used to configure Global Policies that can be applied to multiple VSX Gateways.

The VSX GUI Client can be either the VSX version of the Multi Domain GUI or the VSX version of the SmartConsole. Even though both types of VSX GUI Client are specific to VSX, they can also be deployed with other Check Point products. For example, the VSX version of SmartConsole can be used to configure the VSX Management Server or a standard VPN-1/FireWall-1 Management Module.

VSX Management Server
The VSX GUI Client connects to the VSX Management Server. The VSX Management Server can be installed on a Provider-1 NG Multi Domain Server (MDS), or as a standard SmartCenter Server. It is the VSX Management Server that maintains the Check Point databases, including the objects, rules, and policies of VSX Gateways and Virtual Systems. Although a VSX Gateway can only be managed by a VSX Management Server, a VSX Management Server can also be used to manage standard Check Point Enforcement Modules.

VSX Gateway
The VSX Gateway is the Enforcement Module for all protected networks, including the Network Operations Center (NOC). The VSX Gateway enforces the Security Policies compiled by the VSX Management Server.
VSX Gateway Security Enforcement
VSX is installed between the Data Link and Network Layers of the IP protocol stack on the gateway. Since VSX is installed at the lowest software level, below the network layer, it functions within the operating-system kernel. The VSX Gateway performs the following tasks:
Context Identification
Context Inspection

VPN-1/FireWall-1 VSX Context Identification
VPN-1/FireWall-1 VSX inspects all traffic traveling through the VSX Gateway to determine its context. Context Identification is based mainly on the interface by which traffic enters the gateway. VSX also gathers information about each packet's source and destination IP addresses. Using the collected information, the VSX Gateway routes the packets to the appropriate Virtual System for inspection. This process is also called Virtual System Matching. Which Virtual System receives the packets is determined by the configured Virtual System properties, including interface information.
(Figure: VSX Context Identification Module)
VPN-1/FireWall-1 VSX Inspection
Each interface is tied to a specific Virtual System. Once VSX determines the context of the traffic, including entry point and destination network, it routes the traffic to the context-related Virtual System for inspection. The Inspection Module of the Virtual System then applies its Security Policy to the incoming packets.

The VSX Inspection Modules function similarly to the Inspection Module of a VPN-1/FireWall-1 Gateway. State and context data is stored in dynamic tables, and information from the communication and application states, together with the Virtual System's network configuration and Security Policy, is used to determine whether the traffic should be allowed to pass to its destination or should be dropped. Like the implicit-drop rule of VPN-1/FireWall-1, any traffic not explicitly allowed by the Security Policy is dropped.

Each Virtual System uses information from the internal structures of the IP protocol family and the relevant applications built on top of them to extract data from each packet's application content. This provides the system with context information that is not always supplied by each application itself.
The state and context tables for each transaction are updated dynamically, and are used to provide continual data for subsequent traffic inspections by the VSX Inspection Module.
(Figure: VSX Inspection Module)

Virtual System Technology
The VS, installed at the VSX Gateway, is a logical system that functions as the enforcement module for a given network. Although multiple VS modules can be deployed on a single gateway, all of the network-specific data is kept in separate databases, including the dynamic state tables. Each VS is attached to either a physical or a virtual interface.
Deployment Scenarios
VSX allows MSPs to provide cost-effective security services for point-of-presence-based and hosting environments. These large-scale deployment environments benefit from VSX's ability to virtualize most network hardware. Physical hardware is expensive to maintain, takes up valuable space, and requires a staff to support an ever-growing environment. By consolidating tasks onto a single machine, VSX gives MSP administrators the ability to reduce operating costs.

VSX offers MSP Security Administrators the ability to construct a virtual-network environment to replace a more costly, less-efficient physical-network environment. VSX uses Virtual Systems in place of physical gateways functioning as separate firewalls. VSX's Virtual Router eliminates the need for Security Administrators to purchase a separate physical router. Even some network cables can be eliminated, through the use of virtual warp links between Virtual Systems and Virtual Routers.

Point-of-Presence Configuration Without VSX
A point-of-presence configuration is designed for MSPs who offer other services to their clients, such as Internet access, in addition to maintaining company firewalls. Using leased lines, a customer is able to connect securely with an MSP at a point-of-presence. From the point-of-presence, the customer can send and receive Internet data.
In a typical point-of-presence environment, an MSP deploys multiple physical devices, such as routers and gateways, to regulate network traffic and enforce multiple Security Policies for its different customers.
(Figure: Point-of-Presence Configuration without VSX Deployment)
Point-of-Presence Configuration with VSX
By replacing most of the physical systems in the typical point-of-presence environment, VSX reduces the cost of the MSP deployment. Notice in the example below that the physical routers and gateways, including the NOC gateway, have been replaced by a single VSX Gateway enforcing multiple policies, while still protecting the NOC.
(Figure: Point-of-Presence Configuration With VSX Deployment)
NOC Security
When operating in a standard configuration, a NOC keeps its own firewall separate from the Provider-1 NG setup. With VSX, the VSX Gateway functions as the NOC firewall. The MDS maintaining the VSX Management Server is connected to the VSX Gateway by a dedicated link on the protected network. It is the Security Policy of the VSX Gateway that is used to protect the Provider-1 NG system. Provider-1 is not a firewall, so it depends on a firewall to protect it.
Benefits of VSX 2.0.1
Security and VPN Functionality
Functionality of VSX 2.0.1 is based on NG FP3.

Overlapping IP Space Support
VSX Gateways can support overlapping IP addressing for multiple customers, protected by separate Virtual Systems.
Note: This type of deployment scenario is not supported with customers whose networks share the same CMA.

Customer-to-Customer Connectivity
Networks protected by one VS can now connect to networks protected by another VS on the same VSX Gateway, with the new inter-VS routing functionality.
Note: For inter-VS routing to occur, traffic from both networks must be inspected and allowed by both Virtual Systems.
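The context identification and per-Virtual-System inspection process described under VSX Gateway Security Enforcement, together with the overlapping IP space and inter-VS routing behaviour noted just above, as a toy model in Python. This is an added illustration, not Check Point code and not a description of the product's internals: the interface names, networks, services, rules and the VirtualSystem and VSXGateway classes are constructed for the example, and connection tracking is simplified to a (source, destination, service) tuple.

```python
"""Toy model of VSX context identification and per-Virtual-System inspection.

Added illustration, not Check Point code: interface names, networks, services
and rules are constructed for the example.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    ingress_if: str   # interface the packet entered on: the main context key
    src: str
    dst: str
    service: str      # e.g. "http"; ports are abstracted away in this model


@dataclass(frozen=True)
class Rule:
    src_net: str
    dst_net: str
    service: Optional[str]   # None matches any service
    action: str              # "accept" or "drop"

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src_net)
                and ip_address(pkt.dst) in ip_network(self.dst_net)
                and self.service in (None, pkt.service))


@dataclass
class VirtualSystem:
    name: str
    interfaces: frozenset[str]
    protected_nets: tuple[str, ...]
    rulebase: list[Rule]
    # dynamic state table: each VS keeps its own, never shared with another VS
    connections: set = field(default_factory=set)

    def owns(self, ip: str) -> bool:
        return any(ip_address(ip) in ip_network(n) for n in self.protected_nets)

    def inspect(self, pkt: Packet) -> bool:
        """Stateful inspection: known connections pass, else consult the rulebase."""
        key = (pkt.src, pkt.dst, pkt.service)
        reply = (pkt.dst, pkt.src, pkt.service)
        if key in self.connections or reply in self.connections:
            return True
        for rule in self.rulebase:          # first matching rule decides
            if rule.matches(pkt):
                if rule.action == "accept":
                    self.connections.add(key)
                    return True
                return False
        return False                        # implicit drop: nothing matched


class VSXGateway:
    def __init__(self, systems: list[VirtualSystem]):
        self.systems = systems
        self.by_interface = {i: vs for vs in systems for i in vs.interfaces}

    def identify_context(self, pkt: Packet) -> Optional[VirtualSystem]:
        """Virtual System Matching: the ingress interface selects the VS."""
        return self.by_interface.get(pkt.ingress_if)

    def forward(self, pkt: Packet) -> str:
        entry_vs = self.identify_context(pkt)
        if entry_vs is None:
            return "drop: no Virtual System for interface " + pkt.ingress_if
        if not entry_vs.inspect(pkt):
            return "drop: denied by " + entry_vs.name
        if entry_vs.owns(pkt.dst):
            return "accept: local to " + entry_vs.name   # never handed to another VS
        # Inter-VS routing: a destination protected by another VS is handed to
        # that VS, which applies its own policy. Both verdicts must be accept.
        for other in self.systems:
            if other is not entry_vs and other.owns(pkt.dst):
                if not other.inspect(pkt):
                    return "drop: denied by " + other.name
                return "accept: %s -> %s" % (entry_vs.name, other.name)
        return "accept: " + entry_vs.name + " -> external"


def demo() -> dict:
    # Constructed scenario: two customers with overlapping 10.1.1.0/24 space on
    # different interfaces, plus a third customer reachable by inter-VS routing.
    cust_a = VirtualSystem("cust_a", frozenset({"eth1"}), ("10.1.1.0/24",), [
        Rule("10.1.1.0/24", "0.0.0.0/0", "http", "accept"),
        Rule("10.1.1.0/24", "10.2.0.0/16", "ssh", "accept"),
    ])
    cust_b = VirtualSystem("cust_b", frozenset({"eth2"}), ("10.1.1.0/24",), [
        Rule("10.1.1.0/24", "0.0.0.0/0", "dns", "accept"),
    ])
    cust_c = VirtualSystem("cust_c", frozenset({"eth3"}), ("10.2.0.0/16",), [
        Rule("0.0.0.0/0", "10.2.0.0/16", "http", "accept"),
    ])
    gw = VSXGateway([cust_a, cust_b, cust_c])
    return {
        "a_http": gw.forward(Packet("eth1", "10.1.1.5", "192.0.2.10", "http")),
        "b_same_tuple": gw.forward(Packet("eth2", "10.1.1.5", "192.0.2.10", "http")),
        "a_ssh_to_c": gw.forward(Packet("eth1", "10.1.1.5", "10.2.3.4", "ssh")),
        "a_http_to_c": gw.forward(Packet("eth1", "10.1.1.5", "10.2.3.4", "http")),
        "unknown_if": gw.forward(Packet("eth9", "10.1.1.5", "192.0.2.10", "http")),
        "conn_counts": (len(cust_a.connections), len(cust_b.connections),
                        len(cust_c.connections)),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

Running demo() shows that the same source, destination and service tuple is accepted on eth1 and dropped on eth2, because each Virtual System consults only its own rulebase and its own state table (cust_b's table stays empty even after cust_a accepted the flow), and that traffic routed between Virtual Systems is dropped as soon as either policy denies it.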
VSX Gateway High Availability
VSX 2.0.1 offers Security Administrators the ability to configure VSX Gateway clusters for load balancing and High Availability.

Scalable Management
VSX can now be managed with Provider-1 NG for VSX or from a standard SmartCenter Server. Additionally, VSX allows Security Administrators to configure separate management domains for one or more Virtual Systems.

In Provider-1 NG for VSX, multiple Security Administrators can also be configured with granular permission control. In VSX 2.0.1, a separate management interface is no longer required. Security Administrators can now manage their VSX Gateways or clusters from the Internet, via the external-gateway interface.