Check Point sizing security

Sizing Your
Security Gateway

CPX – Barcelona
Solution Center
[Protected] For public distribution

©2013 Check Point Software Technologies Ltd.

Agenda

1

Security Gateway Sizing Challenges

2

Appliance Selection Tool ‒ SPU

3

Performance Utility

4

Summary



2

Agenda

1


2


3

Performance Utility

4

Summary



3

Joe Needs a New Security Appliance
Required Security

Available
Appliances

Firewall

IPS

Application
Control

URL
Filtering

Firewall: 3 Gbps
IPS: 2 Gbps

Throughput Needs
350
Mbps

Firewall: 25 Gbps
IPS: 12 Gbps

2000
Users

Joe has a problem.
Which appliance can best match his requirements?


4

Appliance Sizing Challenges
Sizing the right appliance
is often a complex task!
Match appliance to real-world
security requirements
Handle current and future
capacity needs
Effectively compare
among appliances


5

Customize with Software Blades

FW & VPN
Software Blades

IPS
Software Blade

Application
Control
Software Blade

Identity
Awareness
Software Blade

Antivirus
Software Blade

URL Filtering
Software Blade

Anti-Bot
DLP
Software Blade
Software Blade

The Security You Want
The Performance You Need


6

Balancing Security & Performance
Need to protect against a wide spectrum of
attacks, in addition to Firewall and VPN
What is the impact with multiple
Software Blades enabled?

What about future growth?


7

Different Machines Require
Different Power Measurements

Different Machines

Relevant Power Unit

Horsepower
Volts
Router and Switch

Security Gateway


Mbps

?

8

Different Machines Require
Different Power Measurements

Different Machines

Relevant Power Unit

Horsepower
Volts
Router and Switch

Security Gateway


Mbps

SecurityPower

9

Appliance SecurityPower Values

21000

3551*
SPU

12000

14,600
SPU

3300*
SPU

4000

2900*
SPU

61000

2000

* With Security Acceleration Module

1861
SPU

114
SPU

114
SPU

2200

4200

374
SPU

4400

623
SPU

4800

738
SPU

1046
SPU

12200 12400 12600 21400 21600 21700

61000


10

Agenda

1


2


3

Performance Utility

4

Summary



11

Security Power Utilization
 Yesterday’s Performance metrics – sterile
– FW throughput – RFC – large packets

 2012-2013 – Threats call for a more realistic approach!
 Need to measure Security Performance when actually
implementing Multi-Layer Security engines

 Introducing Check Point Security Power Utilization…
 Evolving traffic blend…
Real World, Web,
Video, Social Media,
Mail, SSL

Firewall
Firewall + IPS
Firewall + AV
Firewall + IPS + AV

12

Sizing-Up the Right Appliance for You
Helping You Select the Right Appliance to Meet
Your Security and Performance Requirements
Required SecurityPower:
1308 SPU

Room for
Growth



13

Plan for the Future
Optimal Zone
Recommended!

Customer
Requirements

Extensive
Room for
Growth

Peak Resource
Consumption
(Not Recommended)

Room for Growth
Additional Blades and Throughput until 70% Utilization

For optimal results, use up to 50% of the
appliance’s SecurityPower capacity


14

SPU – Real Performance Traffic

Live Demo
Sizing Appliances
usercenter.checkpoint.com



15


Live Demo
How did we get to the
appliance SPU?
Visit CPX
Performance Lab


16

How to Size Appliances?
 Understand customer Security and
Performance requirements
– Current vs. Future – 3 up to 5 years
– Deployment type, interfaces, cluster, etc.

 Use “cpsizeme” –
accurate method of collecting data

 Use Appliance sizing tool
– Consider future growth



17


Under the hood….



18

Measuring Appliance SecurityPower
SecurityPower Integrates Multiple
Performance Measurements Based On:
Real-World Traffic
Multiple Security
Functions
Typical Security Policy



19

SecurityPower ‒ Traffic Blend
Measuring Real-World Traffic Blend

The Old Way
UDP large
packets ‒ RFC

Real-World Traffic Blend*
10%

9%

13%
68%

HTTP
SMTP
HTTPS
Other

*Based on customer research conducted by Check Point performance labs


20

SecurityPower ‒ Software Blades
SecurityPower Measures Performance
Under Advanced Security Functions

The Old Way
FW & VPN
Software
Blades

Application
IPS
Control
Software Blade Software Blade

Identity
Awareness
Software Blade

Antivirus &
Anti-Malware
Software Blade

URL Filtering
Software Blade

DLP
Software Blade

Firewall only
Any-Any-Accept

SecurityPower

Security Appliance



21

SecurityPower ‒ Security Policy
Applying a True Security Policy

Policy with 100 Rules!
The Old Way
One rule:
Allow all traffic

Rule

Protocol

Action

#1

POP3

Accept

#2

FTP

Accept

#3

ICMP

Drop

# 98

HTTP

Accept

#99

SMTP

Accept

#100

ANY

Drop



22

SecurityPower ‒ Security Policy
Applying a True Security Policy

The Old Way






No Logging
No NAT
No IPS
No signatures

Log All Connections

Network Address Translation

IPS Recommended Protection

Up-to-Date Signature Databases


23

Advanced
Clusters, Packet Sizes,
Amount of Interfaces, Management



24

Agenda

1


2


3

Performance Utility

4

Summary



26

Customer Story

cpsizeme



27

Doctor – I Am Not Feeling Well!!!!
 How are you feeling today?
 What is the problem?........
 Prognosis – Diagnosis?
 Tools often used….



28

Introducing Performance Utility
Performance Utility
Customer
Requirements
Collect real performance

Recommended
Appliance

data from existing appliance
over 24 hours

Appliance Selection Tool
 Collect customer requirements
 Translate Performance Utility output to
 Translate requirements to SecurityPower
Customer Requirements
 Suggest the right appliance for the job


29

Introducing Performance Utility

XYZ

Cloud Based Analysis

 Evaluate Security Gateway
Performance
 View Multi-Security
Functions Impact
 Capacity Planning
 Performance Impact –
Minimal



30

Case Study #1
Customer Requirements








From Appliance Selection Tool

Secure Perimeter
FW, VPN, IPS. MAB, URLF, APP
1000 Users / 100 remote users
ISP Pipe: 300Mbps
Total Throughput: 800 Mbps
Required SPU: 433 SPU
Customer’s Choice

 Customer selected 4800 (~38% utilization estimation)
 Customer has room for future growth:
‒ Add Antivirus Software Blade or
‒ 85% traffic growth



31

Case Study #1
300Mbps
“Effective” Max
Throughput

(600 Mbps)
Exceptional throughput
peak – low impact on CPU


(48%)
“Effective” Max
Kernel CPU


32

Two Facts to Know
About the Sizing Tool

We used the Performance Utility to
Measure the Performance on 95 Appliances in
Different Customers’ Product Environments

The Appliance Selection Tool Predicted
the CPU Utilization in 82% of the Cases*
*Accepted variation was


15 points


33

Agenda

1


2


3

Performance Utility

4

Summary



34

Field Feedback
 Reliable and trusted tool
 Partners say…
– The report is great.. Very helpful.
– “None of the other vendors have anything like this”
– Can’t wait till we get the cpsizeme report
– Availability? ‒ ”We want direct access!”

 Next steps…
– IP series
– Virtual Systems, HTTP Encryption
– QoS
– Traffic blend, packet size



37

SecurityPower
The New Way to Measure the
Real Power of Security Appliances
Performance on Real-World Traffic
and Advanced Security Functions

Enables Planning and
Maximization of Security



38

Thank You!



Check Point sizing security

More Related Content

Viewers also liked

Similar to Check Point sizing security

More from Group of company MUK

Recently uploaded

Check Point sizing security

Editor's Notes