Nebulas Solutions Group | R75 Event


  • Technically focused event, largely based on experience. Lot of information – all presentations will be available online by the end of the event; do ask questions, particularly in the informal clinics (designed to be more interactive). Realise a number of you are existing customers, however wanted to provide a little information about us: our history of Nebulas working with Check Point, some of the work we do and have done, and our skills in CP solutions.
  • (slow) Main reason for the event – R65 going end of life, but also a huge number of options now exist, both software and hardware, for customers. No simple solution fits everyone – it depends on the hardware you have and the features or functionality you want to use. When I was heavily involved in CP consultancy 4 or so years ago, if you understood the import/upgrade utilities you were fine. With the advent of software blades and a rapidly expanding portfolio as a result of numerous acquisitions, this is certainly no longer the case.
  • Nebulas Security were founded in 2001, Check Point partner since 2001. 12 engineers: 7 consulting and 5 in support, well over CCSP requirements. Have 5 of my consultants here today plus David and Mark from Check Point and Darren from distribution, so a perfect time to answer any questions. All of us will be around throughout the morning and for lunch.
  • Check Point Certified Support Partner. Good relationships within the channel for escalation.
  • Invited to join 2 years ago. VE – significant amount of testing with the VE product (hypervisor integrated firewall), inter-VM traffic inspection. Abra – built on SanDisk technology; previously a SanDisk partner, so understand the technology, plus virtualisation skills e.g. around ThinApp. Application Control blade – clinic later this morning; ability to control based on application rather than just port. Just entering EA now.
  • Rulebase cleanup and firewall consolidation using a combination of Tufin and Nebulas custom scripts (750 rules reduced to 300, no errors). Flow analysis using Sourcefire RNA for hardware consolidation from 20 to 2 mission critical/market data firewall pairs (FTSE 100 Finance Broker), from Cisco/Juniper to Check Point. Cleanup of Cisco rulebase (10,000 rules) and migration to Check Point using CP confwiz. Large Provider-1 upgrade and migration (leading UK Communications and Entertainment Business). 6.0/R7x upgrades – Tim Kirk (one of our senior CP consultants) will provide some of the knowledge he has gained.
  • Previous projects on rulebase analysis – work with Tufin. Tufin – been working with them for a few years; offer both hosted and on-site assessment service (for those that need it). One of a number of rulebase analysis/compliance solutions. Only requires an OPSEC object to be created on SmartCenter and the policy pushed. Logs are analysed in our datacenter. Considerations around logging. Priced per firewall + small charge for setup and report generation; doesn’t matter if you have 10 or 10,000 rules – the charge is the same. We have to pay for use of Tufin licenses. Purposefully kept costs low in order to encourage usage of the service – helps us and our support teams too.
  • Rule and object utilisation breakdown: number of hits + percentage of overall rules; first hit and last hit; unused rules; object utilisation, and rules containing unused objects and/or services; most/least used security and NAT rules; rule shadowing + duplicates flagged up; PCI report available.
  • That’s not it! Nevertheless, we’ve spent a lot of money on a lot of kit. This is available for customers to use; any of the software you see today we can demonstrate in the lab, or you can come in and play. Slight change to order. Video recording. Hand over to David Morrow for a section on ‘why upgrade’ and the various software blades.
  • I hope you find the day useful, PLEASE ask questions (the more interactive the better). Timings – break about 11am, though likely slightly earlier before break-out/clinic sessions, and then some lunch.
  • Talk about the differences between SPLAT UTM-1, Power-1 and IP appliances. UTM-1 aimed more at the SMB, with the Power-1 & IP appliances offering Enterprise and large-scale deployment. Also UTM functionality is best suited to the UTM-1 range of appliances, which is mainly due to the hardware architecture and throughput requirements.
  • For example – UTM functionality performs much better on SPLAT. Indeed the latest UTM blades are only available on SPLAT.
  • More information is available at the below link
  • Also EOS licenses receive less trade-in discount
  • For example, if you plan on running new UTM type threat prevention in the near future, then perhaps SPLAT is a preferable option. And for dynamic routing and other high-end small packet network requirements, the IP appliances might fit best.
  • General intro
  • Brief agenda
  • Nokia put the security arm up for sale in September 2008. Check Point completed the acquisition in April 2009. IPSO runs on all Nokia IP series platforms; the current version is 6.2. BSD package management is simple enough to use, though it has quite a few idiosyncrasies that administrators need to be aware of in order to use it effectively.
  • SPLAT is a Linux based OS that makes the install of CP and all its blades (mgmt, fw, vpn, remote access) very easy. The install wizard makes an average SPLAT build take around 30 mins depending on modules and hotfixes. SPLAT supports dynamic routing when using SPLAT Pro; just use the “router” command via the CLI to get into a Cisco-like shell. ----- Meeting Notes (08/11/2010 16:38) ----- Not fully RFC compliant for OSPF; doesn’t support virtual links.
  • IPSO was originally a product from Ipsilon Networks, a Nokia acquisition from 1997, so it’s a very mature platform. Dynamic routing support features the two big ones, OSPF and BGP. Administration has good role based access and external authentication support. VRRP is an RFC that is well known and understood by many vendors. However, using Voyager has its own nuances, installing packages for example. The WUI offers good monitoring of system stats: CPU, disk, temp, throughput etc. ----- Meeting Notes (08/11/2010 16:38) ----- NetFlow. ADP on 695 and above.
  • Gaia will be a Linux based OS that pulls together the two OS lines within Check Point into a single, supportable product that fulfils all the mgmt and gateway requirements of a Check Point estate. ----- Meeting Notes (08/11/2010 16:38) ----- UTM-1, Power-1, Partner.
  • The best bits of SPLAT – easy install, easy mgmt, quick and simple build with all relevant CP packages pre-installed. The best bits of IPSO – advanced dynamic routing, advanced admin access and auth. Multiple CLI options: CLISH, BASH, CPSHELL. ClusterXL is still going to be an option for HA and load sharing. A single platform to learn for mgmt and gateway. Upgrade paths from all current operating systems. ----- Meeting Notes (08/11/2010 16:38) ----- RIP, OSPF and BGP. IP clustering is being phased out; VRRP for HA, ClusterXL for load balancing.
  • Release 1 early 2011
  • Good morning everybody, my name is Tim Kirk (as some of you already know), and I’d like to take this opportunity to welcome you all to this event. I’m going to be delivering a presentation focusing on software blade licensing and how to upgrade from your current NGX estate. As many of you are aware, Check Point licensing has been notoriously difficult and complex to understand and implement. My objective today is to give you confidence and an understanding when choosing new Check Point products or planning an upgrade. Please feel free to jump in with any questions, or wait until the Q&A slide at the end. So without any further ado, here goes:
  • List recent Check Point projects (ICAP, Gartmore,???)
  • Such as network cards, additional HDDs. ----- Meeting Notes (08/11/2010 17:07) ----- ADD GATEWAYS NOT SITES
  • License change on MAC, SB licensing enforcement with HFAs
  • UTM 27x & 57x are available with just FW and VPN (with management)
  • Floodgate-1 now part of advanced networking
  • Worth bearing in mind that most of the features have been enhanced. For example, the IPS event analysis SB is a new licensable option within SmartEvent. This is not included for free if upgrading from Eventia Analyser.
  • Use this as an opportunity to audit your Check Point licenses to establish whether or not the SKUs are required.

Welcome
Nick Garlick, Managing Director

Good News:
You’re not alone!
Approx. 80% of Check Point’s installed base are on R65 or earlier
Bad News:
The clock is ticking…
R65: 31/3/11*

Decisions, Decisions..
  • Platforms
  • OS’s
  • Versions
  • Functionality
  • Management
Our aim today: to give you all the information you need to make the best decisions

Agenda:
Introduction
Why upgrade?
  > New Features
  > Software Blades Overview
Upgrade considerations
  > Upgrade paths
  > Major release overview
  > Difference between R7x releases
Project Gaia (Unified OS)
  > Features & functionality
  > Planned releases
Licensing: Upgrade to software blades
  > Overview of blade licensing
  > Trade-in options
  > Zero cost software blade license upgrade
Summary
Technical Clinic Breakout Sessions
Introduction
Stuart Brameld, Technical Director

Introduction Agenda
Why listen to us?
  • Knowledge/Resource
  • Support
  • EA Program
  • Recent Projects
  • Hosted Assessment Service
  • Lab Environment

Knowledge/Resource
  • Our largest partner
  • Partnered for 9 years
  • 12 Engineers (7 consulting, 5 support)
  • On-site consultancy
  • Check Point Experience
  • Channel SUS and TUS
  • Check Point University Tours
  • Active users and participants on CPUG
  • Distribution
  • Dedicated AM & SE

Support
  • Check Point Certified Support Partner
  • We log calls for customers with CES contracts
  • 24x7x365 support
  • 286 support calls YTD (avg. 29/month)
  • Escalate around 25% of calls to vendors

EA program
  • Select customers and partners worldwide
  • 1 of 3 partners selected in the UK
  • Program benefits:
     - Early Availability Code
     - Demo appliances
     - On-site engineer and on-site product training
     - 24x7 R&D support until GA
     - Feedback to R&D and Management
  • Abra, Check Point VE and Application Control Blade

Recent Projects
  • Rulebase clean-up, Cisco/Juniper migrations and firewall consolidation project for a FTSE 100 Finance Broker
  • Rulebase cleanup of a large Cisco rulebase (approx. 10,000 rules), migration to Check Point and P1 upgrade for a leading UK Communications and Entertainment Business
  • Numerous IPSO 6.x and Check Point R7x upgrades in critical infrastructure environments

Hosted Tufin Service
  • Hosted service
  • No hardware required on site
  • Very simple setup
  • Implementation Guide
  • Reports + Call
  • Low cost

Hosted Tufin Service

Lab Environment
  • > £250,000 kit
  • 8 ESX servers
  • Multiple switching stacks & SANs
  • CP Lab/demo kit
     - Power-1 11070
     - UTM-1 1070
     - Nokia IP260
     - Nokia IP695
     - kit from distribution

Thank You
Why Upgrade?
David Morrow, Channel Account Manager, Check Point Software Technologies

Software Blades Overview
  • IPS
  • DLP
  • Application control
  • Mobility
  • URL Filt. AS, AV & WS
  • Smart Event
  • Workflow
User awareness – R70.20+
Upgrade Considerations
Presenter: Tim Kirk, Check Point Product Champion

Contents
Platforms & main differences
Supported software & hardware
Trade-in offers
Upgrade gotchas

Platforms & main differences

Platforms & main differences
  • No “one-size fits all” approach
  • Hardware CPU, memory and disk specifications
  • End of life software and hardware

Supported Software & Hardware
  • NGX R65 End of Support March 2011
  • NGX R60 SecuRemote/Client June 2011
  • NGX Eventia Suite December 2010

Hardware Support
  • Old IP appliances such as the IP260, 350 and 380 are not compatible with the latest IPSO and CP versions (successor products available)
  • Old UTM-1 appliances 450, 1050 and 2050 have end of engineering support and end of support dates (successor products available)

Supported Software & Hardware
  • End of Support (product no longer officially supported)
  • End of Engineering Support (only known fixes applied, best endeavour)

Trade-in offers
  • Nokia IP appliance trade-in ($1000 credit)
  • Save up to 25% off new Check Point IP appliances
  • All traded-in Nokias & new IP appliances ship with a 1 year IPS subscription
  • 70% trade-in discount for in-support NGX licenses

Upgrade Gotchas
  • ALWAYS complete an upgrade_export before beginning an upgrade
  • Upgrades from anything before R60 will NOT work
  • NGX R65.4 will NOT upgrade
  • Remove softlink: rm -f /opt/CPSuite-R65/fw1/PA/conf/PA/PA
  • Change gateway versions within the cluster configuration to R70
  • Disable SmartDefense prior to upgrading

Upgrade Considerations
  • IPSO clustering will be dropped with the arrival of Gaia
  • IPSO to SPLAT: be aware of the HA mechanism (gratuitous ARP)
  • Consider future requirements for additional blades

Questions & Answers
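The Upgrade Gotchas slide above as a pre-flight script (an added example, not Check Point's or Nebulas's own tooling): it refuses pre-R60 and R65.4 sources, takes the upgrade_export before anything else, removes the PA softlink from the slide, and prints the two SmartDashboard steps that remain manual. Assumptions: the caller passes the installed version token taken from `fw ver` (e.g. "R65"), FWDIR is set as on an NGX R65 gateway, and upgrade_export lives under $FWDIR/bin/upgrade_tools.

```shell
#!/bin/sh
# Pre-flight checks for an NGX -> R70 in-place upgrade (added example).
# Assumptions: $1 is the version token from `fw ver`; FWDIR is set;
# upgrade_export is at $FWDIR/bin/upgrade_tools/upgrade_export.

PA_SOFTLINK="/opt/CPSuite-R65/fw1/PA/conf/PA/PA"   # path from the slide

# Returns 0 if the installed version is an upgradable source, 1 otherwise.
# Two gotchas: anything before R60 will not upgrade, and neither will R65.4.
ngx_version_upgradable() {
    case "$1" in
        R65.4)             echo "R65.4 will not upgrade in place" >&2; return 1 ;;
        R6[0-9]*|R7[0-9]*) return 0 ;;
        R5*|NG*|4.*)       echo "releases before R60 will not upgrade" >&2; return 1 ;;
        *)                 echo "unrecognised version '$1'; refusing" >&2; return 1 ;;
    esac
}

# Take the configuration export first; nothing else runs if this fails.
# $1 is the export file name (upgrade_export appends .tgz); default is timestamped.
take_upgrade_export() {
    out="${1:-/var/tmp/pre_r70_export_$(date +%Y%m%d_%H%M)}"
    if [ -z "$FWDIR" ]; then
        echo "FWDIR is not set; source the Check Point environment first" >&2
        return 1
    fi
    tool="$FWDIR/bin/upgrade_tools/upgrade_export"
    if [ ! -x "$tool" ]; then
        echo "upgrade_export not found at $tool" >&2
        return 1
    fi
    "$tool" "$out"
}

# Remove the PA softlink the slide calls out. Only a symlink is removed; a
# regular file at that path is reported and left alone. $1 overrides the path.
remove_pa_softlink() {
    link="${1:-$PA_SOFTLINK}"
    if [ -L "$link" ]; then
        rm -f "$link" && echo "removed softlink $link"
    elif [ -e "$link" ]; then
        echo "$link is not a symlink; not removing it" >&2
        return 1
    else
        echo "no softlink at $link; nothing to do"
    fi
}

# Run the checks in slide order, then list the SmartDashboard steps that
# cannot be scripted from the gateway shell.
preflight() {
    ngx_version_upgradable "$1" || return 1
    take_upgrade_export "$2"    || return 1
    remove_pa_softlink          || return 1
    echo "Remaining manual steps before upgrading:"
    echo "  1. Change gateway versions within the cluster configuration to R70"
    echo "  2. Disable SmartDefense"
}

# Usage: sh preflight.sh R65 [/path/to/export_name]
if [ "$#" -gt 0 ]; then
    preflight "$@"
fi
```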
Project Gaia
The next generation firewall OS
Chris Campbell - Consultant

Agenda
  • Brief history
  • SecurePlatform
  • IPSO
  • Gaia

Brief History
  • Check Point acquired Nokia’s security business in April 2009
  • The acquisition included all of the IP series appliances and the IPSO operating system
  • IPSO is primarily a routing platform based on BSD
  • Thanks to the BSD package mgmt system, installing Check Point packages on IPSO is fairly straightforward
  • SecurePlatform has been developed alongside IPSO since around 2003

SecurePlatform (SPLAT)
  • SPLAT is an easy to install, easy to configure, Linux based, pre-hardened OS
  • SPLAT comes with the relevant Check Point binaries pre-installed
  • It has support for HA, dynamic routing, SNMP etc., though much of the advanced configuration is done on the command line (proxy ARP anyone?)
  • SPLAT is supported on open platform servers and VMware as well as the Check Point branded appliances

IPSO
  • IPSO is a routing platform based on the extremely stable BSD OS
  • It has powerful dynamic routing and administration options
  • High availability is done through a standards based protocol (VRRP)
  • Pretty much all options can be changed in the WebUI (Voyager)
  • IPSO WUI monitoring options are very extensive

Gaia
  • Gaia is the next Check Point OS, a blend of all the best bits from SPLAT and IPSO, for gateway and management
  • Gaia will support all current shipping and future hardware platforms
     - IP series
     - Power-1
     - UTM-1
     - Open Platform
     - VMware
  • The first release is going into the EA program this month

Gaia Features
  • Easy install - install wizards, one-step install
  • Easy management, TACACS+, NetFlow, CLI options etc.
  • Advanced HA and networking
  • 64-bit support
  • All blades supported in first release – SSL VPN, DLP, NAC etc.
  • Cost savings from a single platform across your entire estate

Gaia Release Timeframe

Overview Screenshot

Thanks!
Chris Campbell - Consultant
Upgrading to Software Blade licensing
Presenter: Tim Kirk, Check Point Product Champion

Content
Overview of blade licensing
  • Software Blade feature matching
  • Trade-in offers
  • Upgrade gotchas
  • UserCenter upgrading & attachment
  • Questions

Overview of blade licensing
  • Hardware platform referred to as a Software Container
  • Software blades added to a Software Container (FW included as standard)
  • Consistent principle for management and gateways
(Diagram: a Software Container, on IP appliances, Crossbeam, Open-Platform, Power & UTM appliances etc., holding FW, VPN, IPS and DLP blades)

Overview of blade licensing
  • Open-Platform Software Container based on number of CPU Cores
  • Licensed CPU Cores don’t have to match the physical number
  • CoreXL and peripherals attached to Software Container
(Diagram: Open-Platform - Single core - 10 Gateways; Management Software Container holding Network Policy, Logging & Status, Monitoring)

Overview of blade licensing
(Diagram: Open-Platform - Dual core - 500 Users; Gateway Software Container holding FW, VPN, IPS)

Overview of blade licensing
  • Software blades are pre-defined or chosen a la carte
  • All Check Point appliances ship with pre-defined SBs (various options)
  • A la carte option only available with open-platform hardware
  • Gateway and management licenses can still be bundled as one SKU
  • Pre-defined blades cannot be moved between containers
  • Individually purchased and open-platform software blades can be moved between containers

Blade licensing for IP appliances
All IP appliances come pre-bundled with 5 software blades. The last digit of all models signifies the number of pre-defined blades.
  • The appliance previously known as the Nokia IP390 becomes an IP395
(Diagram: Software Container holding IPS, FW, VPN, Advanced Networking, Acceleration & Clustering)

Blade licensing for IP appliances
  • The only exception to this rule is the IP282, which ships with just FW and VPN SBs
  • Gateway & management “Pre-defined Systems” available for simplicity and cost effectiveness

Blade licensing for Power-1 appliances
The same principle applies to the Power-1 series appliances. For example, the Power-1 9075:
(Diagram: Software Container holding IPS, FW, VPN, Advanced Networking, Acceleration & Clustering)

Blade licensing for UTM-1 appliances
The UTM-1 series appliances ship with two major SB options.
UTM-1 xxx2 & 3 (includes mgmt for itself/cluster)
(Diagram: UTM-1 xxx2 & 3 Software Container holding IPS, FW, VPN)

Blade licensing for UTM-1 appliances
UTM-1 xxx6 (includes mgmt for itself/cluster)
(Diagram: UTM-1 xxx6 Software Container holding FW, VPN, IPS, URL Filtering, Antivirus & Anti-Malware, Anti-Spam & Email Security)

Software Blade feature matching
  • Some CP features have been re-badged
  • Zero cost NGX feature license upgrade to equivalent SB

Software Blade feature matching – Security Gateways

Software Blade feature matching – Remote Access

Software Blade feature matching – Management

Upgrade Gotchas
  • NGX licenses still operate up to R71 (reduced functionality)
  • Version R71 now enforces Software Blade licensing
  • NGX off-management services (Eventia) don’t upgrade with the base container
  • R70 and above now enforce SecureClient (Secure Access) licenses
  • Gateway licenses now map to single gateways, not sites (cluster or single device as site)

Trade-in options
  • Example: SKU CPPWR-CKP-U-U
     - NGX Check Point Power – Mgmt and Gateway Bundle for Unlimited Sites & Users
  • Converts to:
     - Management Software Container SKU: CPSM-PU007
     - Gateway Software Container SKU: CPSG-P805
(Diagram labels: Number of Gateway Software Blades, Security Management, Unlimited Sites, Number of Management Software Blades, Security Gateway, Number of CPU Cores)

UserCenter upgrading & attachments

UserCenter upgrading & attachments

UserCenter upgrading & attachments
  • Select the base container (SG401)
  • Attach any associated peripherals to the base container
  • Attach gateway firewall blades
  • Download license and attach to appliance
(Diagram labels: FW; NICs, HDDs and PSUs)

Questions & Answers