Check Point NGFW
19 likes10,153 views
This document discusses next generation firewalls (NGFWs) and factors to consider when choosing one. It provides an overview of NGFW capabilities according to Gartner, and compares NGFWs to UTMs. The document then focuses on Check Point's NGFW approach, highlighting its multi-layered security architecture using software blades, management tools, and performance testing methodology. Buyers are advised to carefully evaluate a vendor's security, management, and ability to perform well without shortcuts.
![Shortcuts Can Cost You
SIP traffic pollutes FW APP Cache allowing all HTTP traffic
Generates multiple
SIP connections to
www.facebook.com
Access to
www.facebook.com
allowed!
SIP connection
is blocked
[Protected] For public distribution
After multiple
SIP connections
system stops inspecting
©2013 Check Point Software Technologies Ltd.
30](https://image.slidesharecdn.com/ngfw-131204084919-phpapp02/85/Check-Point-NGFW-29-320.jpg)
![Summary
Today the NGFW Technologies Are Widely Tested and
Reviewed by Independent 3rd Parties
and they have spoken: we are the best!!
Security
Your NGFW should be
secure without shortcuts
Management
Your NGFW should have
super easy, intuitive and
scalable management
Performance
Your NGFW should perform well
in a real world traffic without
shortcuts
©2013 Check Point Software Technologies Ltd.
|
[Restricted] ©2013 for designated groups Technologies Ltd.|
ONLY Check Point Software and individuals
44
44](https://image.slidesharecdn.com/ngfw-131204084919-phpapp02/85/Check-Point-NGFW-43-320.jpg)
Check Point NGFW
- 1. Choosing The Right Next Generation Firewall ©2013 Check Point Software Technologies Ltd. 1
- 2. Agenda NGFW 101 NGFW ‒ The Check Point Approach NGFW ‒ Things to Look Out For ©2013 Check Point Software Technologies Ltd. 2
- 3. If you can’t explain it simply, you don’t understand it well enough. Albert Einstein NGFW 101 ©2013 Check Point Software Technologies Ltd. 3
- 4. NGFW First Time Definition by Gartner ©2013 Check Point Software Technologies Ltd. 4
- 5. NGFW Must Haves According to Gartner Layer 2 Functionality Integrated IPS Stateful Inspection Application Awareness Identity Awareness ©2013 Check Point Software Technologies Ltd. 5
- 6. NGFW vs. UTM It’s more like Gartner (NGFW) vs. IDC (UTM) Gartner target NGFW as an Enterprise Network FireWall Gartner target UTM as an SMB Segment FireWall IDC which coined UTM refers to it just the same as NGFW Interesting read “Anitian Blog” “UTM vs. NGFW a single shade of gray” ©2013 Check Point Software Technologies Ltd. 6
- 7. Which Brings Us to the Question ―Is It All Just Marketing?‖ ©2013 Check Point Software Technologies Ltd. 7
- 8. Agenda NGFW 101 NGFW ‒ The Check Point Approach NGFW ‒ Things to look out for or Buyer Beware ©2013 Check Point Software Technologies Ltd. 8
- 9. Proven NGFW Leadership: NSS Labs 2013 NGFW SVM 98.5% 99.0% 100% NGFW IPS Firewall Management and Security Effectiveness Overall Protection Management and Security Effectiveness 2013 NGFW Group Test Product Analysis Report 2013 Firewall Group Test NSS ON Check Point ©2013 Check Point Software Technologies Ltd. 9
- 10. And a Little More… Best IPS/IDS Product Reader Trust Award Leader, Magic Quadrant Enterprise Network Firewall Best Enterprise FW Reader Trust Award 2010–2013 2004–2013 Firewall Earns ―Recommend‖ Rating from NSS 2013 NGFW Earns ―Recommend‖ Rating from NSS 2013 Leader, Magic Quadrant UTM IPS Earns ―Recommend‖ Rating from NSS 2013 Network Security Vendor of the Year 2011 ©2013 Check Point Software Technologies Ltd. 10
- 11. This Is the Secret on How to Be #1 NGFW: 3D Security Policies Practical and relevant to daily operations People Different People – Different needs Involve & Engage users in the security process Enforcement Multi-layer controls for strong security ©2013 Check Point Software Technologies Ltd. 11
- 12. Let’s See Some of It in Action ©2013 Check Point Software Technologies Ltd. 12
- 13. Layered Defenses & Software Blades IPS Anti-Bot Antivirus Network Threat Prevention Mobile Access DLP Sensitive Data Application Control URLF Identity Awareness Internet Applications Usage Granular Visibility Mobile Access SmartEvent User Access ©2013 Check Point Software Technologies Ltd. 13
- 14. Video cameras Armed guards Vault with 20 ton door Fortress-like structure Minefields ©2013 Check Point Software Technologies Ltd. 14
- 15. Check Point Multi-Layer Product Architecture Data Leakage Prevention Antivirus IPS Anti-Bot Anti-Spam Application Control URL Filtering Protocol and Application Decoder SSL Stream Reassembly Engine Identity Awareness Layer 2–4 Firewall & IPS IPsec Multi-Core Packet Queuing and Dispatching ©2013 Check Point Software Technologies Ltd. 15
- 16. Check Point Multi Layered Threat Prevention ©2013 Check Point Software Technologies Ltd. 16
- 17. Multi Layered Threat Prevention ‒ Firewall Protect against unauthorized access Contain Infections in Network Segments ©2013 Check Point Software Technologies Ltd. 17
- 18. Multi Layered Threat Prevention – IPS Stop attacks exploiting vulnerabilities Protect Against Exploit of Vulnerabilities in: Word, Excel, PDF, Browsers, Operating Systems... ©2013 Check Point Software Technologies Ltd. 18
- 19. Multi Layered Threat Prevention – Antivirus Block Malware Download Block Malware File Download and Access to Malware Containing Sites ©2013 Check Point Software Technologies Ltd. 19
- 20. Multi Layered Threat Prevention – Anti-Bot Discover and stop Bot Attacks Post Infection Solution to Stop Data Theft and Targeted APT Attacks ©2013 Check Point Software Technologies Ltd. 20
- 21. Multi Layered Threat Prevention – ThreatCloud™ Global collaboration to fight new threats Powering Threat Prevention Software Blades with Real-time Security Intelligence ©2013 Check Point Software Technologies Ltd. 21
- 22. Introducing Check Point Threat Emulation Fight Against Unknown Threats ! Stop Targeted Zero-day Attacks ©2013 Check Point Software Technologies Ltd. 22
- 23. Summary – Check Point Multi Layered Threat Prevention ©2013 Check Point Software Technologies Ltd. 24
- 24. Things to Look Out for When Selecting Your NGFW ©2013 Check Point Software Technologies Ltd. 25
- 25. SECURITY “for the imagination of man’s heart is evil from his youth” ©2013 Check Point Software Technologies Ltd. 26
- 26. Questions You Should Ask Yourself and the Vendor Security Do you scan both Direction of traffic ALWAYS? Do you use caching mechanisms for detection? Do you by default leave all ports open? Do you scan only part of the session? Do you fail-open by default? Can I run both IPS and APP-Ctrl at the same time? ©2013 Check Point Software Technologies Ltd. 27 27
- 27. More is Better: Visibility and Security Check Point has the largest application database in the industry and the highest rate of adding new apps Check Point Nearest Competitor Applications ~5000 ~2500 Social Network Widgets 244,081 None Less applications = less visibility and control ©2013 Check Point Software Technologies Ltd. 28
- 28. Shortcuts Can Cost You Scanning part of IPS session and fail-open enable gives better Performance, but what about Security? ©2013 Check Point Software Technologies Ltd. 29
- 29. Shortcuts Can Cost You SIP traffic pollutes FW APP Cache allowing all HTTP traffic Generates multiple SIP connections to www.facebook.com Access to www.facebook.com allowed! SIP connection is blocked [Protected] For public distribution After multiple SIP connections system stops inspecting ©2013 Check Point Software Technologies Ltd. 30
- 30. Shortcuts Can Cost You Results of port scan: ©2013 Check Point Software Technologies Ltd. 31
- 31. Security Summary: Your Security Solution Should be Secure! Security We scan both Direction of traffic ALWAYS We use no shortcuts for detection it’s a Firewall all ports are closed by default We scan all parts of the session We fail-close by default We can run both IPS and APP-Ctrl at the same time ©2013 Check Point Software Technologies Ltd. 32
- 32. “God is in the Details” — Ludwig Mies Van Der Rohe Management ©2013 Check Point Software Technologies Ltd. 33
- 33. Questions You Should Ask Yourself and the Vendor Management Do you have an Event Analysis Solution? Are you able to add IPS-exception from the LOG Do you have an efficient way to troubleshoot a session? Do you have Hit Count , expiry… in the security rules? When you make a change does it commit right away? ©2013 Check Point Software Technologies Ltd. 34
- 34. Check Point SmartLog ‒ Simple Log Searches Simple Log Analysis with 360o Visibility John Smith yesterday Check Point SmartLog provides simple, intuitive search Check Point split-second search results provide instant visibility into billions of log records ©2013 Check Point Software Technologies Ltd. 35
- 35. Check Point Simplified 1-Step Policy Creation Check Point Provides 1-Step Policy Creation ©2013 Check Point Software Technologies Ltd. 36
- 36. Complemented by SmartEvent for Overall Security Analysis and Forensics SmartEvent SmartEvent Translates Security Information into Action! Unified view of all security events Geo-location views and analysis of security events Historical views with timeline analysis Correlations and forensics activities Reports …and more! ©2013 Check Point Software Technologies Ltd. 37
- 37. “Less is More” — Ludwig Mies Van Der Rohe Performance ©2013 Check Point Software Technologies Ltd. 38
- 38. Questions You Should Ask Yourself and the Vendor Performance How do you test Performance? NAT? How many rules? What's the traffic blend? Logging on or off? What's the Packets sizes? Any shortcuts? ©2013 Check Point Software Technologies Ltd. 39
- 39. How We Measure Real World Performance THE OLD WAY: Firewall Throughput Based on large UDP packets Only firewall security “Allow all” policy (one rule) THE NEW WAY: SecurityPower™ Based on real-world traffic mix Advanced security functions Real security policy (many rules) SecurityPower The New Way To Measure the Real Power of Security Appliances ©2013 Check Point Software Technologies Ltd. 40
- 40. SecurityPower—Traffic Blend Measuring Real-World Traffic Blend The Old Way UDP large packets Real-World Traffic Blend* 10% 9% 13% 68% HTTP SMTP HTTPS Other *Based on customer research conducted by Check Point performance labs ©2013 Check Point Software Technologies Ltd. 41
- 41. SecurityPower—Security Policy Applying a True Security Policy Policy with 100 Rules! The Old Way Protocol Action #1 One rule: Allow all traffic Rule POP3 Accept #2 FTP Accept #3 ICMP Drop # 98 HTTP Accept #99 SMTP Accept #100 ANY Drop ©2013 Check Point Software Technologies Ltd. 42
- 42. Summary Performance Applying a True Security Policy The Old Way Logging disabled Address translation disabled No IPS protection No signatures Log All Connections Network Address Translation IPS Recommended Protection Up-to-Date Signature Databases ©2013 Check Point Software Technologies Ltd. 43
- 43. Summary Today the NGFW Technologies Are Widely Tested and Reviewed by Independent 3rd Parties and they have spoken: we are the best!! Security Your NGFW should be secure without shortcuts Management Your NGFW should have super easy, intuitive and scalable management Performance Your NGFW should perform well in a real world traffic without shortcuts ©2013 Check Point Software Technologies Ltd. | [Restricted] ©2013 for designated groups Technologies Ltd.| ONLY Check Point Software and individuals 44 44
Editor's Notes
- #15: The data center circa 1936. Fort Know was built in 1936, stores about 5000 tons of US gold reserves.It has complex layered defenses: video, guards, massive vault doors, fortress structure, complete with minefieldsHardened perimeter (layered), very controlled access, high value assets in one locationIt is quite the impressive structure for protecting valuablesSo what does Fort Know have to do with data centers?Think about the data center it holds the valuable assets of a corporation, Fort Know held valuable assets of the USABoth pursue a multi-layered security approachBut Fort Knox was designed to lock things away securely away from everyone, protected.Today the data center has quite the opposite trend as it is becoming arguably more open to support the business.
- #16: Check Point Product Architecture IPS / FW – access control i.e. looking at port, source and destination. Ex. Block FTP, allow http, etc.Identity Awareness – looks at IP address & user – if there is one it assigns an identity, if not it moves up the stackSSL – Decrypt packet so content inspection can be doneContent Inspection – DLP, AV, Anti-Bot, Anti Spam, IPS, App Control URLF
- #18: http://www.istockphoto.com/stock-photo-9306896-man-pushing-blank-cube.php?st=396b026
- #19: http://www.istockphoto.com/stock-photo-9306896-man-pushing-blank-cube.php?st=396b026
- #20: http://www.istockphoto.com/stock-photo-9306896-man-pushing-blank-cube.php?st=396b026
- #21: http://www.istockphoto.com/stock-photo-9306896-man-pushing-blank-cube.php?st=396b026http://www.itworld.com/security/309422/baddest-botnets-2012?page=0,1
- #22: http://www.istockphoto.com/stock-photo-9306896-man-pushing-blank-cube.php?st=396b026http://www.itworld.com/security/309422/baddest-botnets-2012?page=0,1
- #27: (Genesis 8:21)
- #31: PAN is vulnerable to cache poisoning. As an example a SIP session could initially be blocked accurately but by taking advantage of the cache poisoning vulnerability, a SIP session could bypass a PAN gateway.The vulnerability could be exploited as follows:Ports are open with firewall policyOpening a Session Initiation Protocol typically used with VoIP communications is correctly blockedGenerate http traffic which causes the cache to hit it threshold – meaning traffic is going through the cacheGenerate another SIP connection and it’s allowed Background: A Session Initiation Protocol (SIP) connection is a Voice over Internet Protocol (VoIP) service. A SIP connectiontypically uses the same Internet access that is used for data. Users should be aware that a SIP connection can be used as a channel for attacking the company's internal networks, similar to Web and Email attacks.
- #36: Check Point provides a simple, intuitive search. Searches are entered in the system using basic English.Check Point yields results quickly, bringing instant visibility to potentially related events.
- #37: Check Point makes policy creation simple.Security policies are easily viewed within tabs and policy creation is a simple, 1-step process.A Check Point customer recently told us, “With Fortinet, we had 2000 rules combined. When we went to Check Point were able to consolidate them to 230 rules. For us, the way we had it sitting in middle of our network, It was frustrating that you had to write a policy 6 different times. You couldn’t drag drop objects – had to do it manually” Major U.S. Financial Institution