1. NGFW for small businesses. New line of CheckPoint 1500 Security Gateways

More than two years have passed since the publication of our article, and the 1400 series models have now been removed from sale. The time has come for changes and innovations, and this is what CheckPoint set out to deliver in the 1500 series. In this article, we consider models for protecting small offices or company branches, present technical specifications and delivery features (licensing, management and administration schemes), and touch on new technologies and options.

The lineup

The new SMB models are: 1530, 1550, 1570, 1570R. You can get acquainted with the products on the CheckPoint portal page. Logically, we divide them into three groups: Wi-Fi-enabled office security gateways (1530, 1550), Wi-Fi + 4G/LTE-enabled office security gateways (1570, 1550), and an industrial security gateway (1570R).

Series 1530, 1550

The models have 5 network interfaces for the local network and 1 interface for Internet access; their bandwidth is 1 GB. A USB-C console is also available. As for technical specifications, the datasheet for these models offers a large number of measured parameters, but we will focus on the most important ones (in our opinion).

| Features | 1530 | 1550 |
|---|---|---|
| Maximum number of connections per second | 10 500 | 14 000 |
| Maximum number of concurrent connections | 500 000 | 500 000 |
| Bandwidth with Firewall + Threat Prevention (Mbps) | 340 | 450 |
| Bandwidth with Firewall + IPS (Mbps) | 600 | 800 |
| Firewall Bandwidth (Mbps) | 1000 | 1000 |

*Threat Prevention refers to the following blades running: Firewall, Application Control, and IPS.

Models 1530 and 1550 have a number of features:

  • Gaia 80.20 Embedded; the list of options is in the CheckPoint SK.
  • A Mobile Access license for 100 concurrent connections is included with any device purchase. Note that this is a feature of the SMB NGFW model range: it saves you from buying Mobile Access licenses separately, which are not included with other CheckPoint model series.
  • The ability to manage the security gateway using the Watch Tower mobile application (described in more detail in our article).

Who the 1530 and 1550 series are for: this line suits branch offices of up to 100 people, provides remote connection, and offers various administration methods.

Series 1570, 1590

The older models in the 1500 series have 8 interfaces for local connections, 1 interface for the DMZ and 1 interface for the Internet connection (throughput of all ports is 1 GB/s). A USB 3.0 port and a USB-C console are also available. The models come with support for 4G/LTE modems and support Micro-SD cards to expand the internal memory of the device.

Specifications are shown below:

| Features | 1570 | 1590 |
|---|---|---|
| Maximum number of connections per second | 15 750 | 21 000 |
| Maximum number of concurrent connections | 500 000 | 500 000 |
| Threat Prevention Bandwidth (Mbps) | 500 | 660 |
| Bandwidth with Firewall + IPS (Mbps) | 970 | 1300 |
| Firewall Bandwidth (Mbps) | 2800 | 2800 |

Models 1570 and 1590 have a number of features:

  • Gaia 80.20 Embedded; the list of options is in the SK.
  • A Mobile Access license for 200 concurrent connections is supplied with the purchase of any of the devices. Note that this is a feature of the SMB NGFW model range: it saves you from buying Mobile Access licenses separately, which are not included with other CheckPoint model series.
  • The ability to manage the security gateway using the Watch Tower mobile application (described in more detail in our article).

Who the 1570 and 1590 series are for: this line suits offices of up to 200 people, provides remote connection, and has the highest performance in the SMB family.

For comparison, data for the previous models:

| Features | 1470 | 1490 |
|---|---|---|
| Threat Prevention + Firewall Bandwidth (Mbps) | 500 | 550 |
| Bandwidth with Firewall + IPS (Mbps) | 625 | 800 |

1570R

The CheckPoint 1570R NGFW deserves special attention. It is designed specifically for the industrial sector and will be of interest to companies working in transportation, extraction of natural resources (oil, gas, etc.), and manufacturing of various products.

The 1570R is designed with the features and conditions of its use in mind:

  • network perimeter security and smart device control;
  • support for ICS/SCADA industrial protocols and a GPS connector;
  • fault tolerance when working in extreme conditions (high/low temperature, precipitation, increased vibration).

| Characteristics of NGFW | 1570 Rugged |
|---|---|
| Maximum number of connections per second | 13 500 |
| Maximum number of concurrent connections | 500 000 |
| Threat Prevention Bandwidth (Mbps) | 400 |
| Bandwidth with Firewall + IPS (Mbps) | 700 |
| Firewall Bandwidth (Mbps) | 1900 |
| Operating conditions | -40°C ~ 75°C (-40°F ~ +167°F) |
| Ruggedness certifications | EN/IEC 60529, IEC 60068-2-27 shock, IEC 60068-2-6 vibration |

In addition, we single out a number of functional features of the 1570R:

  • Gaia 80.20 Embedded; the list of options is in the SK.
  • A Mobile Access license for 200 concurrent connections is supplied with the purchase of the device. Note that this is a feature of the new SMB NGFW model range: it saves you from buying Mobile Access licenses separately, which are not included with other CheckPoint model series.
  • The ability to manage the security gateway using the Watch Tower mobile application (described in more detail in our article).
  • Automatic generation of policies/rules for IoT devices when they are connected to your local network. A rule is generated for each smart device and allows only the protocols that the device needs to work correctly.

1500 series management

Having considered the technical characteristics and capabilities of the new SMB family of devices, it is worth noting that there are different approaches to their management and administration. The typical schemes are as follows:

  1. Local management.

    It is usually used in small businesses that have several offices and no centralized management of the infrastructure. The advantages include affordable deployment and administration of the NGFW and the ability to interact with devices locally. The disadvantages are limitations tied to the capabilities of Gaia: no layering of rules, limited monitoring tools, and no centralized storage of logs.

  2. Centralized management through a dedicated Management Server. This approach is used when one administrator manages several NGFWs, which can be located at different sites. The advantage of this approach is flexibility and control over the overall state of the infrastructure; in addition, some Gaia 80.20 Embedded options are only available with this scheme.

  3. Centralized management via Smart-1 Cloud. This is a new NGFW management scenario from CheckPoint. Your Management Server is deployed in a cloud environment and all management is done through the web interface, so you do not depend on the OS of your PC. In addition, maintenance of the management server is handled by CheckPoint specialists; its performance depends directly on the selected parameters and is easily scalable.

  4. Centralized management via SMP (Security Management Portal). This solution involves deploying, in the cloud or locally, one shared web portal capable of managing up to 10 SMB devices simultaneously.
  5. Management from a mobile device via Watch Tower is only available after deploying one of the full management options (see items 1-4). Learn more about this feature in our article.

Let's take a look at the limitations that we think are the most important:

  1. Inability to deploy the Mobile Access Portal. Users will be able to use Remote Access to access internal company resources, but will not be able to connect to the SSL portal with your published applications.
  2. The following blades or options are not supported: Content Awareness, DLP, Updatable Objects, SSL inspection without categorization, Threat Extraction, MTA with Threat Emulation inspection, Antivirus for archive scanning, ClusterXL in Load Sharing mode.

To conclude, we would like to note that NGFW solutions for SMB have moved to a new level of support and interaction: with the release of version 80.20 Embedded, a balance has been achieved between the options of the full version of Gaia and the hardware capabilities of equipment for small offices. We plan to continue publishing a series of tutorial articles covering the basic configuration of SMB solutions, performance tuning and their new options.

A large selection of materials on Check Point from TS Solution. Stay tuned (Telegram, Facebook, VK, TS Solution Blog, Yandex Zen).

Source: habr.com
