check point. What is it, what is it eaten with, or briefly about the main thing

Hello, dear readers of habr! This is the corporate blog of the company T.S Solution. We are a system integrator and mainly specialize in IT infrastructure security solutions (Check Point, Fortinet) and machine data analysis systems (Splunk). We will start our blog with a short introduction to Check Point technologies.

We thought for a long time about whether to write this article, because there is nothing new in it that cannot be found on the Internet. However, despite this abundance of information, when working with clients and partners we often hear the same questions. Therefore, we decided to write a kind of introduction to the world of Check Point technologies and explain the essence of the architecture of their solutions, all within the framework of one "small" post, a quick digression so to speak. We will try not to get into marketing wars, because we are not a vendor, just a system integrator (although we love Check Point very much), and we will simply go over the main points without comparing them with other manufacturers (Palo Alto, Cisco, Fortinet, etc.). The article turned out to be quite long, but it answers most of the questions that come up when first getting acquainted with Check Point. If you are interested, welcome under the cut…

UTM/NGFW

When starting a conversation about Check Point, the first thing to do is explain what UTM and NGFW are and how they differ. We will do this very concisely so that the post does not turn out too large (perhaps in the future we will consider this issue in a little more detail).

UTM - Unified Threat Management

In short, the essence of UTM is the consolidation of several security tools in one solution: everything in one box, a kind of all-inclusive. What is meant by "several security tools"? The most common set is: Firewall, IPS, Proxy (URL filtering), streaming Antivirus, Anti-Spam, VPN and so on. All of this is combined within one UTM solution, which is simpler in terms of integration, configuration, administration and monitoring, and this in turn has a positive effect on the overall security of the network. When UTM solutions first appeared, they were considered suitable only for small companies, because UTMs could not handle large volumes of traffic. There were two reasons for this:

  1. Packet handling. The first versions of UTM solutions processed packets sequentially, module by module. Example: first the packet is processed by the firewall, then by IPS, then it is checked by Anti-Virus, and so on. Naturally, such a mechanism introduced serious traffic delays and heavily consumed system resources (processor, memory).
  2. Weak hardware. As mentioned above, sequential packet processing ate up resources, and the hardware of that time (1995-2005) simply could not cope with high traffic.

But progress does not stand still. Since then, hardware capacities have increased significantly, and packet processing has changed (admittedly, not all vendors have made this change) to allow almost simultaneous analysis in several modules at once (firewall, IPS, Antivirus, etc.). Modern UTM solutions can "digest" tens and even hundreds of gigabits in deep inspection mode, which makes it possible to use them in the large business segment or even in data centers.

Below is Gartner's famous Magic Quadrant for UTM solutions for August 2016:


I will not comment much on this picture; I will just say that the leaders are in the upper right corner.

NGFW - Next Generation Firewall

The name speaks for itself: a next generation firewall. This concept appeared much later than UTM. The main idea of NGFW is deep packet inspection (DPI) using a built-in IPS and access control at the application level (Application Control). Here the IPS is precisely what is needed to identify a particular application in the packet stream, which allows you to allow or deny it. Example: we can allow Skype to work but prevent file transfers. We can prohibit the use of Torrent or RDP. Web applications are also supported: you can allow access to VK.com but block games, messages, or watching videos. Essentially, the quality of an NGFW depends on the number of applications it can identify. Many believe that the emergence of the NGFW concept was an ordinary marketing ploy, on the back of which Palo Alto began its rapid growth.

May 2016 Gartner Magic Quadrant for NGFW:


UTM vs NGFW

A very common question: which is better? There is no single answer here, and there cannot be. Especially when you consider that almost all modern UTM solutions contain NGFW functionality, and most NGFWs contain functions inherent in UTM (Antivirus, VPN, Anti-Bot, etc.). As always, "the devil is in the details", so first of all you need to decide what specifically you need and settle on a budget. Based on these decisions, several options can be selected. And everything must be tested without exception, rather than trusting marketing materials.

We, in turn, will try over the course of several articles to tell you about Check Point, how you can try it, and what exactly you can try (almost all of the functionality).

Three Check Point Entities

When working with Check Point, you will definitely come across three components of this product:


  1. Security Gateway (SG) - the security gateway itself, which is usually placed on the network perimeter and performs the functions of firewall, streaming antivirus, anti-bot, IPS, etc.
  2. Security Management Server (SMS) - the gateway management server. Almost all settings on the gateway (SG) are made through this server. The SMS can also act as a Log Server, collecting logs and processing them with the built-in event analysis and correlation system, Smart Event (Check Point's equivalent of a SIEM), but more on that later. The SMS is used to centrally manage multiple gateways (the number of gateways depends on the SMS model or license), but you must use it even if you have only one gateway. It should be noted here that Check Point was one of the first to use such a centralized management system, which has been recognized as the "gold standard" in Gartner reports for many years in a row. There is even a joke: "If Cisco had a normal management system, Check Point would never have appeared."
  3. Smart Console - the client console for connecting to the management server (SMS). Typically installed on the administrator's computer. All changes are made on the management server through this console, after which you can apply the settings to the security gateways (Install Policy).


Check Point operating system

Speaking about the Check Point operating system, three come to mind at once: IPSO, SPLAT and Gaia.

  1. IPSO - the operating system of Ipsilon Networks, which was owned by Nokia. In 2009, Check Point bought this business. No longer developed.
  2. SPLAT - Check Point's own development, based on the RedHat kernel. No longer developed.
  3. Gaia - the current operating system from Check Point, which appeared as a result of the merger of IPSO and SPLAT, incorporating the best of both. It appeared in 2012 and continues to be actively developed.

Speaking of Gaia, it should be said that at the moment the most common version is R77.30. Relatively recently, version R80 appeared, which differs significantly from the previous one (both in functionality and in management). We will devote a separate post to their differences. Another important point: at the moment only version R77.10 has an FSTEC certificate, and version R77.30 is undergoing certification.

Options (Check Point Appliance, Virtual machine, OpenServer)

There is nothing surprising here: like many vendors, Check Point has several product options:

  1. Appliance - a hardware and software device, i.e. Check Point's own hardware box. There are many models that differ in performance, functionality and form factor (there are options for industrial networks).


  2. Virtual Machine - a Check Point virtual machine with Gaia OS. The ESXi, Hyper-V and KVM hypervisors are supported. Licensed by the number of processor cores.
  3. Open Server - installing Gaia directly on a server as the main operating system (so-called "bare metal"). Only certain hardware is supported. There are recommendations for this hardware that must be followed; otherwise there may be driver problems, and technical support may refuse to service you.

Implementation options (Distributed or Standalone)

A little earlier, we already discussed what a gateway (SG) and a management server (SMS) are. Now let's discuss the options for deploying them. There are two main ways:

  1. Standalone (SG+SMS) - an option where both the gateway and the management server are installed on the same device (or virtual machine).


    This option is suitable when you have only one gateway that is lightly loaded with user traffic. It is the most economical option, because there is no need to buy a management server (SMS). However, if the gateway is heavily loaded, you may end up with a slow management system. Therefore, before choosing a Standalone solution, it is best to consult or even test this option.

  2. Distributed - the management server is installed separately from the gateway.


    The best option in terms of convenience and performance. It is used when several gateways need to be managed at once, for example a central one and branch ones. In this case, you need to purchase a management server (SMS), which can also come as an appliance (hardware box) or a virtual machine.

As I said just above, Check Point has its own SIEM system, Smart Event. You can use it only with a Distributed installation.

Operating modes (Bridge, Routed)

The Security Gateway (SG) can operate in two basic modes:

  • Routed - the most common option. In this case, the gateway is used as an L3 device and routes traffic through itself, i.e. Check Point is the default gateway for the protected network.
  • Bridge - transparent mode. In this case, the gateway is installed as an ordinary "bridge" and passes traffic through itself at layer 2 of the OSI model. This option is usually used when there is no possibility (or desire) to change the existing infrastructure. You practically do not have to change the network topology and do not have to think about changing IP addressing.

I would like to note that Bridge mode has some functional limitations; therefore, as an integrator, we advise all our clients to use Routed mode, whenever possible of course.

Software Blades (Check Point Software Blades)

We have almost reached the most important Check Point topic, the one that raises the most questions from customers. What are these "software blades"? Blades are simply the individual Check Point functions.


These functions can be turned on or off depending on your needs. Some blades are activated only on the gateway (Network Security) and others only on the management server (Management). The pictures below show examples of both cases:

1) For Network Security (gateway functionality)


We will describe them only briefly, since each blade deserves a separate article.

  • Firewall - firewall functionality;
  • IPSec VPN - building private virtual networks;
  • Mobile Access - remote access from mobile devices;
  • IPS - intrusion prevention system;
  • Anti-Bot - protection against botnet networks;
  • AntiVirus - streaming antivirus;
  • AntiSpam & Email Security - protection of corporate mail;
  • Identity Awareness - integration with the Active Directory service;
  • Monitoring - monitoring of almost all gateway parameters (load, bandwidth, VPN status, etc.);
  • Application Control - application level firewall (NGFW functionality);
  • URL Filtering - Web security (+proxy functionality);
  • Data Loss Prevention - information leakage protection (DLP);
  • Threat Emulation - sandbox technology (SandBox);
  • Threat Extraction - file cleaning technology;
  • QoS - traffic prioritization.

In the next few articles we will take a closer look at the Threat Emulation and Threat Extraction blades; I am sure it will be interesting.

2) For Management (management server functionality)


  • Network Policy Management - centralized policy management;
  • Endpoint Policy Management - centralized management of Check Point agents (yes, Check Point produces solutions not only for network protection, but also for protecting workstations (PCs) and smartphones);
  • Logging & Status - centralized collection and processing of logs;
  • Management Portal - security management from the browser;
  • Workflow - control over policy changes, audit of changes, etc.;
  • User Directory - integration with LDAP;
  • Provisioning - automation of gateway management;
  • Smart Reporter - reporting system;
  • Smart Event - analysis and correlation of events (SIEM);
  • Compliance - automatic check of settings and issue of recommendations.

We will not consider licensing in detail now, so as not to inflate the article and confuse the reader. Most likely we will cover it in a separate post.

The blade architecture allows you to use only the functions you really need, which affects both the budget of the solution and the overall performance of the device. Logically, the more blades you activate, the less traffic the device can push through. That is why a performance table like the following is attached to each Check Point model (as an example, we took the characteristics of the 5400 model):


As you can see, there are two categories of tests here: on synthetic traffic and on real, mixed traffic. Generally speaking, Check Point is simply forced to publish synthetic tests, because some vendors use such tests as benchmarks without examining the performance of their solutions on real traffic (or deliberately hide such data because it is unsatisfactory).

In each type of test, you can notice several options:

  1. Firewall only;
  2. Firewall + IPS;
  3. Firewall + IPS + NGFW (Application Control);
  4. Firewall + Application Control + URL Filtering + IPS + Antivirus + Anti-Bot + SandBlast (sandbox).

Look carefully at these parameters when choosing your solution, or contact us for a consultation.

I think this concludes the introductory article on Check Point technologies. Next, we will look at how you can test Check Point and how to deal with modern information security threats (viruses, phishing, ransomware, zero-days).

P.S. An important point. Despite its foreign (Israeli) origin, the solution is certified in the Russian Federation by the supervisory authorities, which automatically legalizes its presence in state institutions (comment by Denyemall).


Source: habr.com
