2. Typical Use Cases for Check Point Maestro


More recently, Check Point presented a new scalable platform, Maestro. We have already published a whole article about what it is and how it works. In short, it allows you to increase the performance of a Security Gateway almost linearly by combining several devices and balancing the load between them. Surprisingly, the myth still persists that this scalable platform is only suitable for large data centers or giant networks. This is absolutely not true.

Check Point Maestro was developed for several categories of users at once (we will look at them a little later), including medium-sized businesses. In this short series of articles, I will try to show the technical and economic advantages of Check Point Maestro for medium-sized organizations (from 500 users) and why this option can be better than a classic cluster.

Target Audience for Check Point Maestro

First of all, let's look at the user segments for which Check Point Maestro was designed. There are only 4 of them:

1. Companies that lacked chassis capabilities. Check Point Maestro is not Check Point's first scalable platform. As we wrote earlier, there were already models such as the 64000 and 44000. Although they had GREAT performance, there were still companies for which this was not enough. Maestro eliminates this shortcoming, as it allows you to combine up to 31 devices in one high-performance cluster. At the same time, you can assemble a cluster from top-end devices (23900, 26000), thereby achieving tremendous throughput.


In fact, in the field of security gateways, Check Point is the only one that implements this capability so far.

2. Companies that want to be able to choose hardware. One of the disadvantages of the old scalable platforms is the need to use strictly defined blade modules (Check Point SGM). The new Check Point Maestro platform allows you to use a huge number of different devices. You can choose both models from the middle segment (5600, 5800, 5900, 6500, 6800) and from the High End segment (15000 series, 23000 series, 26000 series). Moreover, you can combine them, depending on the tasks.


This is very convenient in terms of optimal use of resources. You can buy only the performance you need by choosing the right model.

3. Companies for whom the chassis is too big, but scalability is still needed. Another “disadvantage” of the old scalable platforms (64000, 44000) was the high entry threshold (from an economic point of view). For a long time, scalable platforms were only available to large businesses with “good” IT budgets. With the advent of Check Point Maestro, everything has changed. The cost of a minimal bundle (an orchestrator + two gateways) is comparable to (and sometimes even lower than) a classic active/standby cluster. That is, the entry threshold has been significantly reduced. When choosing a solution, a company can plan for a scalable architecture from the start, without overpaying for possible future growth in needs. Are there more users a year after the implementation of Check Point Maestro? Just add one or two gateways, without replacing any of the existing ones. You don't even have to change the topology. Just connect the new gateways to the orchestrator and apply settings to them in just a couple of clicks.


4. Companies that want to make optimal use of existing devices. I think many people are familiar with the Trade-In procedure: when the performance of existing devices is no longer enough, you upgrade the hardware to meet current needs. It is quite an expensive procedure. In addition, a customer quite often has several Check Point clusters for different tasks. For example, a cluster for perimeter protection, a cluster for remote access (RA VPN), a cluster for VSX, etc. Moreover, one cluster may not have enough resources, while another has an abundance of them. Check Point Maestro is an excellent opportunity to optimize the use of these resources by dynamically distributing the load between them.

That is, you get the following benefits:

  • There is no need to “throw out” the existing hardware. You can buy one or two gateways, or ...
  • Set up dynamic load balancing between other existing gateways to make better use of resources. If the load on the perimeter gateway increases sharply, then the orchestrator will be able to use the “bored” resources of the remote access gateways and vice versa. This helps smooth out seasonal (or temporary) load peaks.

As you have probably understood, the last two segments are precisely the mid-sized businesses, which can now also afford to use scalable security platforms. However, a reasonable question may arise: “How is Check Point Maestro better than a regular cluster?” We will try to answer this question.

Classic cluster vs Check Point Maestro

The classic Check Point cluster supports two modes of operation: High Availability (i.e. Active / Standby) and Load Sharing (i.e. Active / Active). We will briefly describe how each works, as well as its pros and cons.

High Availability (Active/Standby)

As the name implies, in this mode of operation, one node passes all traffic through itself, and the second one is in standby mode and picks up traffic if the active node starts to experience any problems.
Pros:

  • The most stable mode;
  • Supports proprietary SecureXL mechanism to speed up traffic processing;
  • In the event of an active node failure, the second one is guaranteed to be able to “digest” all the traffic (because it is exactly the same).

Cons:
In fact, there is only one minus - one node is completely idle. In turn, because of this, we are forced to buy more powerful hardware so that it can handle traffic alone.


Of course, HA mode is more reliable than Load Sharing, but resource optimization leaves much to be desired.

Load Sharing (Active/Active)

In this mode, all cluster nodes process traffic. Up to 8 devices can be combined into such a cluster (more than 4 is not recommended).
Pros:

  • It is possible to distribute the load between the nodes, due to which less productive devices are required;
  • Possibility of smooth scaling (adding up to 8 nodes to the cluster).

Cons:

  • Oddly enough, the pros immediately turn into cons. Companies like to use Load Sharing mode even when they have only two nodes. Wanting to save money, they buy devices that each run at 40-50% load. And everything seems to be fine. But if one node fails, the entire load is transferred to the remaining one, which simply cannot cope. As a result, such a scheme provides no real fault tolerance.
  • Add to that a bunch of Load Sharing restrictions (sk101539). The most important limitation is that SecureXL, a mechanism that significantly speeds up traffic processing, is not supported;
  • As for scaling by adding new nodes to the cluster, unfortunately Load Sharing is far from ideal here. If more than 4 devices are added to the cluster, performance starts to fall dramatically.

Given the first two disadvantages, in order to implement fault tolerance when using two nodes, we are also forced to purchase more powerful hardware so that it can “digest” traffic in a critical situation. As a result, we do not get any economic benefit, but we do get a large number of restrictions. Moreover, it is worth noting that since version R80.20 the Load Sharing mode is not supported. This keeps users from installing required updates. Whether Load Sharing will be supported in newer releases is still unknown.

Check Point Maestro as an alternative

From the point of view of the cluster, Check Point Maestro took the main advantages of High Availability and Load Sharing modes:

  • Gateways connected to the orchestrator can use SecureXL, which ensures maximum traffic processing speed. There are no other restrictions inherent in Load Sharing;
  • Traffic is distributed between gateways in one Security Group (a logical gateway consisting of several physical ones). Thanks to this, it is possible to specify less powerful devices, because we no longer have idle gateways, as in High Availability mode. At the same time, you can increase capacity almost linearly, without such serious losses as in Load Sharing mode (more details a little later).

All this is great, but let's look at two specific examples.

Example № 1

Suppose company X is going to install a cluster of gateways on the perimeter of the network. They have already familiarized themselves with all the limitations of Load Sharing (which are unacceptable to them) and are considering only High Availability mode. After sizing, it turns out that the 6800 gateway is suitable for them, and it should not be loaded by more than 50% (so that there is at least some performance margin). Since this will be a cluster, they need to buy a second device, which will simply sit idle in standby mode. That makes for a very expensive idle box.
But there is an alternative: take a bundle of an orchestrator and three 6500 gateways. In this case, traffic will be distributed between all three devices. If you look at the specifications of the two models, you will see that three 6500 gateways are more powerful than one 6800.


Thus, Company X, when choosing Check Point Maestro, receives the following benefits:

  • The company gets a scalable platform from the start. A subsequent increase in performance comes down to simply adding another 6500 appliance. What could be simpler?
  • The solution is still fault-tolerant, because if one node fails, the remaining two will be able to cope with the load.
  • An equally important and surprising advantage is that it is cheaper! Unfortunately, I cannot publish prices, but if you are interested, you can contact us for calculations.

Example № 2

Suppose company Y already has an HA cluster of 6500 models. The active node is loaded at 85%, which at peak loads leads to losses in productive traffic. The logical solution to the problem seems to be updating the hardware. The next model is the 6800. That is, the company will need to hand over the gateways under the Trade-In program and purchase two new (more expensive) devices.
But there is also an alternative: purchase an orchestrator and one more identical node (6500). Assemble a cluster of three devices and spread this 85% load over three gateways. As a result, you will get a huge performance margin (on average, three devices will be loaded by only 30%). Even if one node out of three “dies”, the remaining two will still cope with traffic with an average load of 45%. At the same time, for peak loads, a cluster of three active 6500 gateways will be more powerful than one 6800 gateway in an HA cluster (i.e. active / standby). In addition, if in a year or two the needs of company Y increase again, all they need to do is add one or two more 6500 nodes. I think the economic benefit is obvious here.

Conclusion

Yes, Check Point Maestro is not an SMB solution. But even a medium-sized business can already think about this platform and at least try to calculate its cost-effectiveness. You will be surprised to find that scalable platforms can be more profitable than a classic cluster. The advantages are not only economic, but also technical. We will talk about them in the next article, where, in addition to the technical features, I will try to show several typical cases (topology, scenarios).

You can also subscribe to our channels (Telegram, Facebook, VK, TS Solution Blog), where you can follow new materials on Check Point and other security products.

Source: habr.com
