More Related Content Similar to Check Point sizing security (20) More from Group of company MUK (16) Check Point sizing security2. Agenda
1
Security Gateway Sizing Challenges
2
Appliance Selection Tool ‒ SPU
3
Performance Utility
4
Summary
[Protected] For public distribution
©2013 Check Point Software Technologies Ltd.
2
3. Agenda
1
Security Gateway Sizing Challenges
2
Appliance Selection Tool ‒ SPU
3
Performance Utility
4
Summary
[Protected] For public distribution
©2013 Check Point Software Technologies Ltd.
3
4. Joe Needs a New Security Appliance
Required Security
Available
Appliances
Firewall
IPS
Application
Control
URL
Filtering
Firewall: 3 Gbps
IPS: 2 Gbps
Throughput Needs
350
Mbps
Firewall: 25 Gbps
IPS: 12 Gbps
2000
Users
Joe has a problem.
Which appliance can best match his requirements?
[Protected] For public distribution
©2013 Check Point Software Technologies Ltd.
4
5. Appliance Sizing Challenges
Sizing the right appliance
is often a complex task!
Match appliance to real-world
security requirements
Handle current and future
capacity needs
Effectively compare
among appliances
[Protected] For public distribution
©2013 Check Point Software Technologies Ltd.
5
6. Customize with Software Blades
FW & VPN
Software Blades
IPS
Software Blade
Application
Control
Software Blade
Identity
Awareness
Software Blade
Antivirus
Software Blade
URL Filtering
Software Blade
Anti-Bot
DLP
Software Blade
Software Blade
The Security You Want
The Performance You Need
[Protected] For public distribution
©2013 Check Point Software Technologies Ltd.
6
7. Balancing Security & Performance
Need to protect against a wide spectrum of
attacks, in addition to Firewall and VPN
What is the impact with multiple
Software Blades enabled?
What about future growth?
[Protected] For public distribution
©2013 Check Point Software Technologies Ltd.
7
8. Different Machines Require
Different Power Measurements
Different Machines
Relevant Power Unit
Horsepower
Volts
Router and Switch
Security Gateway
[Protected] For public distribution
Mbps
?
©2013 Check Point Software Technologies Ltd.
8
9. Different Machines Require
Different Power Measurements
Different Machines
Relevant Power Unit
Horsepower
Volts
Router and Switch
Security Gateway
[Protected] For public distribution
Mbps
SecurityPower
©2013 Check Point Software Technologies Ltd.
9
11. Agenda
1
Security Gateway Sizing Challenges
2
Appliance Selection Tool ‒ SPU
3
Performance Utility
4
Summary
[Protected] For public distribution
©2013 Check Point Software Technologies Ltd.
11
12. Security Power Utilization
Yesterday’s Performance metrics – sterile
– FW throughput – RFC – large packets
2012-2013 – Threats call for a more realistic approach!
Need to measure Security Performance when actually
implementing Multi-Layer Security engines
Introducing Check Point Security Power Utilization…
Evolving traffic blend…
Real World, Web,
Video, Social Media,
Mail, SSL
[Protected] For public distribution
Firewall
Firewall + IPS
Firewall + AV
Firewall + IPS + AV
©2013 Check Point Software Technologies Ltd.
12
13. Sizing-Up the Right Appliance for You
Helping You Select the Right Appliance to Meet
Your Security and Performance Requirements
Required SecurityPower:
1308 SPU
Room for
Growth
[Protected] For public distribution
©2013 Check Point Software Technologies Ltd.
13
14. Plan for the Future
Optimal Zone
Recommended!
Customer
Requirements
Extensive
Room for
Growth
Peak Resource
Consumption
(Not Recommended)
Room for Growth
Additional Blades and Throughput until 70% Utilization
For optimal results, use up to 50% of the
appliance’s SecurityPower capacity
[Protected] For public distribution
©2013 Check Point Software Technologies Ltd.
14
15. SPU – Real Performance Traffic
Live Demo
Sizing Appliances
usercenter.checkpoint.com
[Protected] For public distribution
©2013 Check Point Software Technologies Ltd.
15
16. SPU – Real Performance Traffic
Live Demo
How did we get to the
appliance SPU?
Visit CPX
Performance Lab
[Protected] For public distribution
©2013 Check Point Software Technologies Ltd.
16
17. How to Size Appliances?
Understand customer Security and
Performance requirements
– Current vs. Future – 3 up to 5 years
– Deployment type, interfaces, cluster, etc.
Use “cpsizeme” –
accurate method of collecting data
Use Appliance sizing tool
– Consider future growth
[Protected] For public distribution
©2013 Check Point Software Technologies Ltd.
17
18. SPU – Real Performance Traffic
Under the hood….
[Protected] For public distribution
©2013 Check Point Software Technologies Ltd.
18
19. Measuring Appliance SecurityPower
SecurityPower Integrates Multiple
Performance Measurements Based On:
Real-World Traffic
Multiple Security
Functions
Typical Security Policy
[Protected] For public distribution
©2013 Check Point Software Technologies Ltd.
19
20. SecurityPower ‒ Traffic Blend
Measuring Real-World Traffic Blend
The Old Way
UDP large
packets ‒ RFC
Real-World Traffic Blend*
10%
9%
13%
68%
HTTP
SMTP
HTTPS
Other
*Based on customer research conducted by Check Point performance labs
[Protected] For public distribution
©2013 Check Point Software Technologies Ltd.
20
21. SecurityPower ‒ Software Blades
SecurityPower Measures Performance
Under Advanced Security Functions
The Old Way
FW & VPN
Software
Blades
Application
IPS
Control
Software Blade Software Blade
Identity
Awareness
Software Blade
Antivirus &
Anti-Malware
Software Blade
URL Filtering
Software Blade
DLP
Software Blade
Firewall only
Any-Any-Accept
SecurityPower
Security Appliance
[Protected] For public distribution
©2013 Check Point Software Technologies Ltd.
21
22. SecurityPower ‒ Security Policy
Applying a True Security Policy
Policy with 100 Rules!
The Old Way
One rule:
Allow all traffic
Rule
Protocol
Action
#1
POP3
Accept
#2
FTP
Accept
#3
ICMP
Drop
# 98
HTTP
Accept
#99
SMTP
Accept
#100
ANY
Drop
[Protected] For public distribution
©2013 Check Point Software Technologies Ltd.
22
23. SecurityPower ‒ Security Policy
Applying a True Security Policy
The Old Way
No Logging
No NAT
No IPS
No signatures
Log All Connections
Network Address Translation
IPS Recommended Protection
Up-to-Date Signature Databases
[Protected] For public distribution
©2013 Check Point Software Technologies Ltd.
23
25. Agenda
1
Security Gateway Sizing Challenges
2
Appliance Selection Tool ‒ SPU
3
Performance Utility
4
Summary
[Protected] For public distribution
©2013 Check Point Software Technologies Ltd.
26
27. Doctor – I Am Not Feeling Well!!!!
How are you feeling today?
What is the problem?........
Prognosis – Diagnosis?
Tools often used….
[Protected] For public distribution
©2013 Check Point Software Technologies Ltd.
28
28. Introducing Performance Utility
Performance Utility
Customer
Requirements
Collect real performance
Recommended
Appliance
data from existing appliance
over 24 hours
Appliance Selection Tool
Collect customer requirements
Translate Performance Utility output to
Translate requirements to SecurityPower
Customer Requirements
Suggest the right appliance for the job
[Protected] For public distribution
©2013 Check Point Software Technologies Ltd.
29
29. Introducing Performance Utility
XYZ
Cloud Based Analysis
Evaluate Security Gateway
Performance
View Multi-Security
Functions Impact
Capacity Planning
Performance Impact –
Minimal
[Protected] For public distribution
©2013 Check Point Software Technologies Ltd.
30
30. Case Study #1
Customer Requirements
From Appliance Selection Tool
Secure Perimeter
FW, VPN, IPS. MAB, URLF, APP
1000 Users / 100 remote users
ISP Pipe: 300Mbps
Total Throughput: 800 Mbps
Required SPU: 433 SPU
Customer’s Choice
Customer selected 4800 (~38% utilization estimation)
Customer has room for future growth:
‒ Add Antivirus Software Blade or
‒ 85% traffic growth
[Protected] For public distribution
©2013 Check Point Software Technologies Ltd.
31
31. Case Study #1
300Mbps
“Effective” Max
Throughput
(600 Mbps)
Exceptional throughput
peak – low impact on CPU
[Protected] For public distribution
(48%)
“Effective” Max
Kernel CPU
©2013 Check Point Software Technologies Ltd.
32
32. Two Facts to Know
About the Sizing Tool
We used the Performance Utility to
Measure the Performance on 95 Appliances in
Different Customers’ Product Environments
The Appliance Selection Tool Predicted
the CPU Utilization in 82% of the Cases*
*Accepted variation was
[Protected] For public distribution
15 points
©2013 Check Point Software Technologies Ltd.
33
33. Agenda
1
Security Gateway Sizing Challenges
2
Appliance Selection Tool ‒ SPU
3
Performance Utility
4
Summary
[Protected] For public distribution
©2013 Check Point Software Technologies Ltd.
34
34. Field Feedback
Reliable and trusted tool
Partners say…
– The report is great.. Very helpful.
– “None of the other vendors have anything like this”
– Can’t wait till we get the cpsizeme report
– Availability? ‒ ”We want direct access!”
Next steps…
– IP series
– Virtual Systems, HTTP Encryption
– QoS
– Traffic blend, packet size
[Protected] For public distribution
©2013 Check Point Software Technologies Ltd.
37
35. SecurityPower
The New Way to Measure the
Real Power of Security Appliances
Performance on Real-World Traffic
and Advanced Security Functions
Enables Planning and
Maximization of Security
[Protected] For public distribution
©2013 Check Point Software Technologies Ltd.
38
Editor's Notes In order to overcome the challenges we need more security functions and this requires much more power from the appliance stock-photo-16468646-balancing-stones.jpg Now, there is a full line of new security appliances delivering integrated security ranging from the small offices all the way up to the large data centers and Telco service provider environments Add interactive discussion slides