04 vsx power-r65
Check Point VPN-1 VSX
Published in Technology

Speaker notes

  • Three objectives: scale enterprise perimeter and core-side security; ease security management (VSX enhancements like no dedicated IPs, one sync network, etc., and P-1); and of course reduce TCO.
  • vsx_util reconfigure, redistribute
  • Network 192.168.1.0/24 is covering vr-001 external interface, all vsw-001 interfaces, and vs-003/vs-004 external interfaces.
  • Focus on the fact that only 1 IP address is required to manage a VSX gateway with several VSs.
  • Begin this slide by “Virtual Devices are connected through a…” TODO: add a screenshot of the advanced routing rules view…
  • Per VS failover…
  • L2 VS: complete network transparency. Secure XL: optimise CPU allocation. VSLS: increase scalability and performance. No STP, using Active/Standby Bridge Mode.

Transcript

  • 1. Check Point VPN-1 VSX. Peter Sandkuijl, EMEA SE High End Solutions, [email_address]
  • 2. Agenda: What is VSX and why should I consider it? How to integrate a VSX infrastructure into my enterprise network? Is my VSX infrastructure robust, scalable and fast? Is management of a VSX infrastructure complex?
  • 3. What is VSX?
    • VSX means Virtual System Extension
    • A VSX gateway is a physical server capable of running several instances of logical (or virtual) VPN-1 modules each protecting a specific network
    • Each virtual VPN-1 module enforces its own security and routing policies
  • 4. Why should customers consider virtualization?
    • Cost optimization
      • Up to 250 virtual VPN-1 modules can be deployed on a single physical VSX gateway
    • Fast Provisioning
      • A few mouse clicks to create a new virtual VPN-1 module or cluster, including its network settings
    • Better scalability & availability
      • Linear performance improvement
    • Efficient Management
      • Scalable & granular management with Provider-1
      • Powerful CLI tool: vsx_util
    Callout: 2-screen wizard!
  • 5. Agenda: What is VSX and why should I consider it? How to integrate a VSX infrastructure into my enterprise network? Is my VSX infrastructure robust, scalable and fast? Is management of a VSX infrastructure complex?
  • 6. VSX virtual devices: Firewall objects
    • In the VSX world, a VPN-1 module is called a Virtual System (VS)
    • Each VS functions as a stand-alone, independent VPN-1 gateway
    Diagram (Virtual System feature stack): Security Features: FW, VPN (incl. SR/SC), SMDF (incl. WebInt), SSL VPN (SNX), AUTH (Client & Session); Network Features: Layer 3, Layer 2, Dynamic Routing; Scalability & Perf. Features: Secure XL, Cluster XL
  • 7. VSX virtual devices: Network objects
    • Two types of Network Objects: the Virtual Switch (Layer 2) and the Virtual Router (Layer 3)
    • Why are Network Objects used?
      • To reach the external world according to the customer network’s constraints
      • To route traffic from one Virtual System to another
    • A Virtual Router:
      • Is protected by its own Security Policy (can be modified)
      • Like a Layer-3 VS, supports Dynamic Routing
      • Supports Source Routing
    • Virtual Routers & Switches use Warp Links to connect to Virtual Systems
    Diagram: Layer 2 Virtual Switch and Layer 3 Virtual Router, with network 192.168.1.0/24
  • 8. How to attach a VSX gateway to the external world?
    • Physical Interfaces
      • External
      • Internal
      • Management
      • Sync
    • Logical Interfaces
      • 802.1q
    Diagram: VSX gateway attached to Company A, Company B, Company C, Data Center, SYNC and Internet
  • 9. How does a VSX gateway dispatch packets to virtual devices?
    • Physical Interface
      • Packet is immediately forwarded
    • Logical Interface
      • Packet is forwarded according to its VLAN ID
    • Virtual Router
      • Packet is routed according to its destination or source/destination IP address
    • Virtual Switch
      • Packet is switched according to its destination MAC address
    Diagram (Context Determination): Company A / Subnet A, Company B / Subnet B. When a Virtual Device is connected through a…
  • 10. VSX Into the Wild: Virtualizing several DMZ firewalls
    • Customer Profile
      • Banking company
    • Needs
      • Has to host several Customer Projects (1 project = 1 DMZ)
      • Projects are reachable from the External network
      • Projects use Internal resources
    • Before VSX
      • Two layers of firewall clusters to protect the “Project” Infrastructure from Internal & External threats
      • Secure Customer Projects with additional firewall clusters
    • With VSX
    Diagram (with VSX): Core Switch and DMZ connect over 10 Gbps 802.1Q trunks (eth2 to eth5, eth8, eth9); the EXTERNAL Router is on eth6 and the INTERNAL Router on eth7, both 10 Gbps 802.1Q trunks; eth0 and eth1 carry MGMT and SYNC. VLANs 100 to 109 and 112 to 119 are trunked. VS / Interface / Zone table:
      • VS1: eth5.100 DMZ1, eth5.101 DMZ2, eth5.102 DMZ3, eth6.112 External, eth7.116 Internal
      • VS2: eth4.103 DMZ4, eth4.104 DMZ5, eth4.105 DMZ6, eth6.113 External, eth7.117 Internal
      • Etc.
  • 11. Agenda: What is VSX and why should I consider it? How to integrate a VSX infrastructure into my enterprise network? Is my VSX infrastructure robust, scalable and fast? Is management of a VSX infrastructure complex?
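As an added example (not Check Point code and not part of the original deck), here the dispatch rules of slide 9 are applied to the VS interface table of slide 10: each constructed Ethernet frame is parsed for its 802.1Q tag, destination MAC and IPv4 destination, then handed to the owning virtual device context. The roles assumed for eth1 to eth3, the virtual router prefixes and the virtual switch MAC table are constructed assumptions.

```python
import struct
from ipaddress import ip_address, ip_network

# Slide 10 table: (trunk port, VLAN ID) -> (Virtual System, zone).
VLAN_MAP = {("eth5", 100): ("VS1", "DMZ1"), ("eth5", 101): ("VS1", "DMZ2"),
            ("eth5", 102): ("VS1", "DMZ3"), ("eth6", 112): ("VS1", "External"),
            ("eth7", 116): ("VS1", "Internal"), ("eth4", 103): ("VS2", "DMZ4"),
            ("eth4", 104): ("VS2", "DMZ5"), ("eth4", 105): ("VS2", "DMZ6"),
            ("eth6", 113): ("VS2", "External"), ("eth7", 117): ("VS2", "Internal")}
# Assumed port roles: eth1 dedicated to VS1; eth4 to eth7 are 802.1Q trunks (slide 10);
# eth2/eth3 are constructed here to feed a virtual router and a virtual switch.
PORTS = {"eth1": ("vs", "VS1"), "eth2": ("vr", "vr-001"), "eth3": ("vsw", "vsw-001"),
         **{p: ("trunk", None) for p in ("eth4", "eth5", "eth6", "eth7")}}
# Constructed routing table for vr-001 and MAC forwarding table for vsw-001.
VR_ROUTES = {ip_network("192.168.1.0/24"): "vs-003", ip_network("192.168.0.0/16"): "vs-004"}
VSW_FDB = {"00:00:5e:00:53:03": "vs-003", "00:00:5e:00:53:04": "vs-004"}

def build_frame(dst_mac, dst_ip, vlan=None):
    """Construct a minimal Ethernet(+802.1Q)+IPv4 frame; source fields are zeroed."""
    hdr = bytes.fromhex(dst_mac.replace(":", "")) + b"\x00" * 6
    if vlan is not None:
        hdr += struct.pack("!HH", 0x8100, vlan)       # TPID + TCI (PCP/DEI = 0)
    ipv4 = b"\x45\x00" + b"\x00" * 14 + ip_address(dst_ip).packed   # dst addr at offset 16
    return hdr + struct.pack("!H", 0x0800) + ipv4

def parse_frame(frame):
    """Return (dst_mac, vlan_id or None, dst_ip or None) from a raw Ethernet frame."""
    dst_mac = ":".join(f"{b:02x}" for b in frame[:6])
    ethertype, off, vlan_id = struct.unpack("!H", frame[12:14])[0], 14, None
    if ethertype == 0x8100:                           # 802.1Q tagged
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id, off = tci & 0x0FFF, 18               # VLAN ID = low 12 bits of TCI
    dst_ip = str(ip_address(frame[off + 16:off + 20])) if ethertype == 0x0800 else None
    return dst_mac, vlan_id, dst_ip

def dispatch(port, frame):
    """Apply the slide 9 rules: which virtual device context owns this frame?"""
    kind, owner = PORTS[port]
    dst_mac, vlan_id, dst_ip = parse_frame(frame)
    if kind == "vs":                                  # physical interface: forward at once
        return owner
    if kind == "trunk":                               # logical 802.1Q interface: by VLAN ID
        vs_zone = VLAN_MAP.get((port, vlan_id))
        return vs_zone[0] if vs_zone else None        # unknown VLAN on a trunk is dropped
    if kind == "vr":                                  # virtual router: longest-prefix match
        dst = ip_address(dst_ip)
        hits = [n for n in VR_ROUTES if dst in n]
        return VR_ROUTES[max(hits, key=lambda n: n.prefixlen)] if hits else None
    return VSW_FDB.get(dst_mac, "flood")              # virtual switch: by destination MAC
```

Note that VLAN 104 reaches VS2 only on eth4: the same tag arriving on eth5 maps to no VS, which is what keeps the projects' DMZs separated on the shared trunks.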
  • 12. Clustering: Introduction to VSLS
    • Two clustering levels
      • VSX Gateways: active/active
      • Virtual Systems: active/standby
    • No need to assign dedicated IP addresses to each cluster member
    • Only one sync network
    • Easy provisioning
    Diagram: two VSX gateways on one SYNC network with cluster VIPs IP1 and IP2 on 192.168.196.0/22; some objects are created by the VSX Administrator, others by the VSX Management Infrastructure
  • 13. Clustering: Virtual System Load Sharing
    • Distributes VS instances between different VSX gateways
    • Sync improvements
      • New state: Backup
      • Sync only between active & standby (unicast sync)
    • VS distribution
      • Performed automatically or manually (vsx_util redistribute_vsls)
      • Depends on priorities and weights
    Diagram: VS instances spread across the VSX gateways of a cluster sharing one SYNC network
  • 14. Clustering: Active/Standby Bridge Mode
    • Relevant for VSX gateways hosting Layer-2 VS clusters
    • Offers the following advantages over STP:
      • Path redundancy
      • Loop prevention
      • Immediate failover
      • Control over bridge failover
      • Works with VSLS
    • VSs sync and publish their MAC forwarding tables
    Diagram: STP-based Layer-2 topology compared with Cluster XL Active/Standby Bridge Mode
  • 15. VSX Into the Wild: Splitting a big firewall into specialized virtual firewalls
    • Customer Profile
      • Retail company
    • Needs
      • Simplify Security Policy Management
      • Simplify Network Management
      • Improve Scalability & Performance
    • Before VSX
      • Very large rulebase
      • Not scalable
      • Performance bottleneck
    • With VSX
    Diagram (with VSX): one VSX gateway between the EXTERNAL Core Switch and the INTERNAL Core Switch over trunks eth2 to eth9 (eth0 and eth1 for MGMT and SYNC), running Performance Pack, VSLS and Active/Standby Bridge Mode. Specialized VSs (Emails, Hosting, VPN, Browsing) each bridge one VLAN (100 to 103) between the two sides. VS / Interface table:
      • Browsing: eth5.100, eth6.100
      • Emails: eth4.101, eth7.101
      • Etc.
  • 16. Agenda: What is VSX and why should I consider it? How to integrate a VSX infrastructure into my enterprise network? Is my VSX infrastructure robust, scalable and fast? Is management of a VSX infrastructure complex?
  • 17. VSX management
    • 3-tier management architecture with either SmartCenter or Provider-1
    • Only one Mgmt IP address is used per VSX gateway
    Diagram (3 tiers): SMART Consoles; SmartCenter or Provider-1; VSX Gateways
  • 18. VSX management: Provider-1 focus
    • The Main CMA manages the VSX infrastructure
    • Target CMAs manage one or more Virtual Devices
    • Multiple concurrent administrators
    • Granular permissions
    • Separate object databases
  • 19. Conclusion
    • Scale security on both the enterprise perimeter and core sides
      • VSX objects allow fast and complete integration anywhere in the Enterprise
      • Scalable & resilient security with VSX clustering
    • Powerful Management
      • Fast provisioning of VSs or VS clusters
      • Central VSX infrastructure database including network settings
      • IP address optimization (1 Mgmt IP per VSX gateway, 1 sync network, no dedicated IPs)
      • Scalable & granular management with P-1
      • Easy recovery of a failed gateway with CLI tool vsx_util
    • Reduce TCO