1. Check Point Maestro Hyperscale Network Security - a new scalable security platform

Check Point started 2019 briskly, with several announcements at once. One article cannot cover everything, so let's start with the most important one: Check Point Maestro Hyperscale Network Security. Maestro is a new scalable platform that lets you increase the "power" of a security gateway to "indecent" numbers, and almost linearly. This is achieved by load balancing between individual gateways that operate in a cluster as a single entity. Someone might say: "We have seen this before! There are already the 44000/64000 blade platforms." However, Maestro is a completely different matter. In this article I will briefly explain what it is, how it works, and how this technology can help you save on network perimeter protection.

Before and After

The easiest way to understand how the new scalable platform differs from the good old 44000/64000 is to look at the picture below:

The difference is obvious.

Legacy Check Point 44000/64000 platform

As you can see from the picture above, the first option is a fixed platform (chassis) into which a limited number of special "blade modules" (Check Point SGM) can be inserted. All of this is connected to a Security Switch Module (SSM), which balances traffic between the gateways. The picture below shows the components of this platform in more detail:

This is a great platform if you know exactly what performance you need now and within what limits it can grow. However, because of the fixed form factor (12 or 6 blades), you are limited in further scaling. In addition, you are forced to use SGM blades exclusively, without the ability to connect conventional appliances, which come in a much wider range of models. With the advent of Maestro Hyperscale Network Security, the situation changes dramatically.

New Check Point Maestro Hyperscale Network Security Platform

Check Point Maestro was first introduced on January 22 at the CPX conference in Bangkok. The main characteristics can be seen in the picture below:

As you can see, the main advantage of Check Point Maestro is the ability to use regular gateways (appliances) for balancing. That is, we are no longer limited to SGM blades. You can distribute the load between any devices starting from the 5600 model (SMB models and the 44000/64000 chassis are not supported). The picture above shows the main figures that can be achieved with the new platform. We can combine up to 31 (!) gateways into one computing resource. Your firewall should now look like this:

Maestro Hyperscale Orchestrator

I'm sure many of you already have a question: "What is an Orchestrator?" Well, meet the Maestro Hyperscale Orchestrator: this is the component responsible for load balancing. The operating system installed on this device is Gaia R80.20SP. There are currently two Orchestrator models: MHO-140 and MHO-170. Their characteristics are shown in the picture below:

At first glance, it may seem that this is an ordinary switch. In fact, it is a "switch + balancer + resource management system", all in one box.
Gateways connect to these Orchestrators. If the balancers are deployed in a fault-tolerant configuration, each gateway is connected to each orchestrator. Optical fiber (SFP+ / QSFP+ / QSFP28+) or a DAC (Direct Attach Copper) cable can be used for the connection. There must also be a synchronization link between the orchestrators:

In the picture below you can see how the ports of these orchestrators are distributed:

Security Groups

For the load to be distributed between gateways, these gateways must be in the same Security Group. A Security Group is a logical group of devices that functions as an active/active cluster. Each group functions independently of other Security Groups. From the point of view of the management server, a Security Group looks like one device with one IP address.
If necessary, we can move one or more gateways into a separate Security Group and use this group for other purposes, as a separate firewall from a management point of view. An example of usage is shown in the picture below:

An important limitation: only identical gateways (the same model) can be used in one Security Group. That is, if you want to linearly increase the capacity of your security gateway (which is a cluster of multiple devices), you must add exactly the same gateways. In upcoming software releases, this limitation should disappear.

In the video below you can see the process of creating a Security Group. The procedure is intuitive.

Again, if we compare the Maestro components with the chassis platform, we get something like the following “before and after” picture:

What is the benefit of the new platform?

There are actually a lot of pluses, both from a technical point of view and from an economic one. I'll summarize the most important ones:

  1. We are practically unlimited in scaling. Up to 31 gateways within one Security Group.
  2. We can add gateways as needed. The minimum purchase set is one orchestrator + two gateways. There is no need to budget for larger models "for growth".
  3. Another plus follows from the previous point. We no longer need to replace gateways that can no longer cope with the load. Previously, this problem was solved with the trade-in procedure: you handed over the old hardware and received new hardware at a discount. With such a scheme, financial "losses" are inevitable. The new scaling procedure eliminates this factor. You don't have to give anything up; you can simply keep increasing performance with additional hardware.
  4. The ability to combine existing resources to distribute the load. For example, you can “drag and drop” all your clusters onto the Maestro platform and assemble several Security Groups, depending on the load.

Maestro Hyperscale Network Security Bundles

At the moment, there are several options for purchasing so-called bundles with the Maestro platform. The solutions are based on the 23800, 6800 and 6500 gateways:

In this case, you can choose from two standard configurations:

  1. One orchestrator and two gateways;
  2. One orchestrator and three gateways.

Indicative prices can be seen here. Naturally, you can add one more orchestrator and as many gateways as you like. Additional information on specifications can be requested here.
The 6500 and 6800 are the latest models, which were also introduced earlier this year. We will talk about them in more detail in the next article.

When can you buy?

There is no clear answer here. At the moment, there is no notification for the import of these solutions into our country. As soon as information on the timing appears, we will immediately make an announcement on our public pages (vk, telegram, Facebook). In addition, a webinar dedicated to the Check Point Maestro solution is planned for the near future, where all the technical features will be discussed. And of course you will be able to ask questions. Stay tuned!

Conclusion

The new Maestro Hyperscale Network Security platform is definitely a great addition to Check Point's hardware solutions. In fact, this product opens a new segment, for which not every information security vendor has a similar solution. Moreover, today Check Point Maestro has almost no alternatives when it comes to providing such unprecedented "security power". However, Maestro Hyperscale Network Security will be of interest not only to owners of data centers, but also to ordinary companies. Those who own or intend to purchase devices starting from the 5600 model can already take a close look at Maestro. In some cases, using Maestro Hyperscale Network Security can be a very profitable solution, from both an economic and a technical point of view.

P.S. The article was prepared with the participation of Anatoly Masover, Scalable Platform Expert, Check Point Software Technologies.

Source: habr.com
