SMB solutions Check Point. New models for small companies and branches

Relatively recently (in 2016), Check Point presented its new devices (both gateways and management servers). The key difference from the previous line is significantly increased performance.

In this article, we will focus exclusively on the entry-level models. We will describe the advantages of the new devices and the possible pitfalls that are not always talked about. We will also share our personal impressions of using them.

Check Point lineup

As you can see from the picture, Check Point divides its devices into three broad categories:

One of the main characteristics is the so-called SPU (Security Power Units). This is Check Point's own measure of the actual performance of a device. As an example, let's compare the traditional method of measuring Firewall throughput (Mbps) with the "new" method from Check Point (SPU).

Traditional technique - Firewall Throughput

  • Measurements are carried out in laboratory conditions on "artificial" traffic.
  • The performance is evaluated only for the Firewall function, without additional modules such as IPS, Application Control, etc.
  • Testing is usually done with one Firewall rule.

Check Point Method - Security Power

  • Measurements on real user traffic.
  • The performance of all functionality (Firewall, IPS, Application Control, URL-filtering, etc.) is evaluated.
  • Tested on a model policy that includes many rules.

Check Point Appliance Sizing Tool

Thus, when choosing a suitable Check Point model, it is better to rely on the Security Power Unit parameter. It is indicated in every device datasheet. It is not possible to calculate the appropriate SPU for your network on your own. This can only be done with the help of a partner who has access to the Check Point Appliance Sizing Tool:

To select the optimal solution, you need to take into account such parameters as:

  • Internet channel bandwidth;
  • The total throughput of the gateway (may differ from the Internet channel if, for example, you segmented the local network using Check Point);
  • The number of users in the network;
  • Required features (Firewall, Anti-Virus, Anti-Bot, Application Control, URL Filtering, IPS, Threat Emulation, etc.).

There are also more subtle settings that describe what traffic these blades will apply to:

After specifying all the characteristics, you can get a report describing the suitable devices:

Here you can also see the required SPU (72 in our case) and the recommended one (144), as well as the models themselves with a description of their load and "reserve" in terms of traffic and blades. When choosing a model, it is always recommended to take a device from the green zone (i.e. loading up to 50 percent):

This ensures that there are no problems during peak load or a planned increase in the bandwidth of the Internet channel. When choosing a device, always ask the partner to provide a similar report. An example can be downloaded here.

Old vs New

Having dealt with the main parameter that characterizes the performance of devices, we can take a closer look at new models for small and medium businesses. As mentioned above, Check Point has a whole segment - Small and Medium Enterprise (models 3200, 3100, 1490, 1470, 1450, 1430, 1200R). These devices can be called an update of the old 2012 series (2200, 1180, 1140, 1120). To understand the key differences, consider the picture below:

(prices are in GPL, excluding VAT and technical support)

As you can see, the 2016 series has a significant increase in performance (SPU), while prices have remained at about the same level (with the exception of the 3200 model). The new line also includes the 3100 model, but it still has no notification, so importing it into Russia is prohibited! Remember this!

If you recalculate the cost of one SPU, then the 1450 model is the most balanced. Below we will take a closer look at the new Check Point series.

Implementation schemes for SMB devices

As you can see from the figure, there are two main deployment scenarios for SMB devices:

  1. In the main gateway mode. In this case, Check Point is installed as a perimeter device and administered locally.
  2. Gateway for the branch. In this case, the branch hardware is centrally controlled (using the Management server) from the head office.

For the 3000 and 1400 series, each of these modes has its own particularities. We will review them below.

SMB 3000 series

At the moment there are two appliances in this series: the 3200 and the 3100. As mentioned earlier, the 3100 cannot yet be brought into the country. As for the 3200, it is a great replacement for the old 2200 series. The device runs the full version of Gaia (both R77.30 and R80.10). When the device is used as the main gateway in a small business, you can expect the following performance:

  1. Internet channel - 50 Mbit;
  2. Total bandwidth - 300 Mbps;
  3. The number of users is 200.

As you can see, the device load in this case is 47%, and this is with local management, i.e. a Standalone configuration (more about standalone and distributed here). From personal experience, I can say that with local management it is not recommended to exceed a load of 50%, because management problems may appear (it will slow down).
If the device is considered as a branch device (that is, with separate centralized management), then the figures will be much higher, and you can already enter the yellow zone in sizing (i.e. a load from 50% to 70%). The device datasheet can be viewed here.

SMB 1400 series

This series includes several devices at once: 1490, 1470, 1450, 1430 (the logical replacement for the obsolete 1120, 1140 and 1180).

Although these are the most junior Check Point models, they have all the necessary functionality:

  • SMB devices can be assembled into a HA cluster (Active/Standby);
  • almost all software blades are available (as on the "large" appliances);
  • can be managed both locally and centrally (using a traditional Management Server);
  • there are modifications with WiFi, ADSL and PoE;
  • you can connect 3G modems;
  • There are rack mounting kits.

However, it is worth warning about some limitations / features:

  • The device does not run the full Gaia but Gaia 77.20 Embedded. This limitation is related to the device architecture (ARM processors are used). In the case of local management (standalone), you will not be able to use the familiar SmartConsole. Instead, there is a web interface. You can check it out in this video:


    The example considers the 700 series, but in principle it is not sold in Russia.
  • Threat Extraction does not work. Only Threat Emulation. You can see what it is here.
  • You cannot build a cluster in Load Sharing mode. That is, cheating by buying two "cheap" appliances and distributing the load between them in a cluster will not work.
  • With local management, there are serious limitations in terms of HTTPS inspection.
  • Antivirus scanning of archives does not work.
  • No DLP function.

The last points are perhaps the most important restrictions, and they are often left unmentioned. For full HTTPS inspection, you will be forced to use a traditional dedicated Management server. In this case, you will control the device as a gateway with a full (almost full) version of Gaia.

For other Gaia Embedded restrictions, see here. Be sure to read them before making a purchase decision.

For example, consider a small office with the following parameters:

  • Internet channel - 50 Mbit;
  • Total bandwidth - 200 Mbps;
  • Number of users - 200;
  • Local management (Web interface).

As can be seen from the sizing, the 1490 model successfully copes with this task with a load of 46% (without getting out of the green zone). With dedicated management, the 1470 will also cope with this task.
Datasheet for 1400 series devices can be viewed here.

Model 1200R

It is hard to call this model an SMB device. It is already an industrial solution and perhaps deserves a separate article. We will not consider this model in detail here.

Webinar

For more information about SMB devices, see our previous webinar:

Conclusions

In my opinion, the new SMB models turned out to be quite successful. The performance of the devices has increased significantly while the price level has been maintained. I'm not ready to talk about whether the devices are expensive or cheap, because these concepts are very different for different companies.

I would recommend the 3200 model to small companies that are interested in the maximum level of protection for a reasonable price. Plus, this is a good choice for those who are already used to working with a full-fledged version of Gaia. The R80.10 version is also available here. When a notification for the 3100 is received, the price tag will drop a little more. For branches, this is ideal.

The 1400 series devices are a good compromise and have the best price / quality ratio (especially in terms of the price per 1 SPU). These units are great for branch offices on a budget. Using centralized management, you can manage the devices like regular gateways with a full version of Gaia. But, again, do not forget about the restrictions, which you should definitely check out.

PS I would like to thank Alexey Matveev (RRC company) for help in preparing the material.

Source: habr.com
