CheckPoint的虛擬安全解決方案

—VSX-1如今企業安全挑戰HeterogeneousITenvironmentToomanysingle-functionsecurityappliancesComplexmanagementandprovisioningUnderutilizedhardwarewastesspaceandpowerLimitedscalability虛擬防火墻滿足企業安全挑戰需求ConsolidateSecurityHardwareCostSavingsSimplifiedSecurityManagementBetterAvailabilityandScalabilitySimplifiedSecurityProvisioningIntroducingtheVSX-1Appliances10–150HAVSTheonlyvirtualizedsecuritysolutiononadedicatedappliancewithmulti-layeredsecurityandcomprehensivesecuritymanagementBestvirtualizedsecurityperformancewithlinearscalabilityIncreasedeviceutilizationandconservepower,spaceandcoolingbyconsolidatingupto150securitygatewaysinasingledeviceVSX-13070VSX-19070VSX-190905–10VS10–150VSVSX如何幫您降低TCO大幅度降低數據中心空間3個物理機架設備整合到一臺單一設備節省數千瓦能源150臺1U設備

消耗能源超過

11,500wattsVSX-19070虛擬出150個虛擬系統

只需要消耗

140watts150臺UTM-13070需要3個機柜空間(1rackusuallyholds40to42U).一臺VSX-19070僅僅2U.*Basedon150UTM-13070業解唯一的多層次安全防護的虛擬安全網關CompletefunctionalityofaphysicalgatewayonavirtualplatformFullIPSecandSSLVPNclientlesssecureremoteaccessComprehensivesecurityservicesincludingURLfilteringSinglevendorsourcingandsupportCentrallymanagedthroughSmartCenterandProvider-1集中管理CheckPointreducesTCOandraisessecurity單一控制臺管理:VPN-1VECheckPointApplianceCheckPointSoftware“SecuredbyCheckPoint”Appliances降低管理開銷確保安全一致性VSX-1AppliancesVSX-13070VSX-19070VSX-19090PackageTargetMarketMidEnterpriseLargeEnterpriseHighEndLicenseBundleVirtualFirewall,IPS,PerformancePack,IPSEC

HighAvailability/LoadSharing(VSLS)NumberofVSes5or1010(Upgradeableto150)10(Upgradeableto150)BasePrice$34,0005VS$60,00010VS$110,00010VSPerformanceFWThroughput4.5Gbps13.5Gbps27GbpsVPNThroughput1.2Gbps3.5Gbps7GbpsConcurrentSessions1.1Million1.1Million1.8MillionUpgradeOntopofbaseAdditionalAdd-OnPacks$10,0005VS20VSes$30,00020VSes$55,000FullRedundantNEW!DistributedEnterpriseLANLANSegment2LANSegment3VS2VS3VSX-1centralizesdeploymentSmartCenter/Provider-1usedformanagementifeachLANsegmenthasitsownsecuritypolicyLANSegment1VS1SmartCenter/Provider-1VSX-19090VSX發展歷程VSX1.0–Athena(2001)–MultipleSecurityPoliciesVSX2.0.1–Brazil(2002)–FirstversionofProvider-1Mgmt,OverlappingIPsupportVSXNGAIR2–Canada(2003-4)–ApplicationIntelligence,SmartDefense,DesktopSecuritySupportVSXNGX–Denmark(2005)–L2/L3support,DynamicRouting,Multicast,SimplifiedProvisioning/MgmtVSXNGXwithScalabilityPack(2006)–Dextra–VSLS,ResourceControlandLightweightQoSVSXNGXR65–Ecuador(2007)–SNX,URLFVSX-1技術介紹VSX虛擬防火墻一個VSX網關上運行多個單獨的防火墻，每個防火墻保護一個不同的網絡（客戶）進入VSX網關的包根據進入接口，源地址或目的地址被路由到相關的防火墻VSX功能Firewall功能VPN功能入侵防護功能URL過濾功能伸縮自如的管理Provider-1和SmartCenter管理一個VSX網關支持250個虛系統千兆性能HardwareCostSavingsBetteravailability

andscalabilityConsolidatingHardwareConsolidatingSecurity!HardwareCostSavingsBetteravailability

andscalabilitySimplifiedSecurity

ManagementSimplifiedSecurity

ProvisioningVSX的基本元素VPN-1VSXNGX建立了包括多個虛擬設備的虛擬網絡環境虛擬系統(VS)虛擬電纜（Warp鏈接）虛擬路由器(VR)虛擬交換機(V-SW)虛擬系統（VirtualSystem）一個虛擬系統是一個唯一的路由和安全域，提供一般的CheckPoint網關絕大部分防火墻和VPN功能存在于相同的物理機器時，每個虛擬系統擁有自己單獨的:狀態表安全和VPN策略配置參數安全內部通信證書每個虛系統都擁有一個虛擬IP堆棧虛擬路由器一個虛擬路由器允許:共享物理接口內部虛擬系統通信VS1VS2JInternet虛擬交換機虛擬交換機設施在多個VS之間共享物理接口內部VS通訊降低跳的數量無需IP分配流程802.1q192.168.1.1172.169.1.1192.150.2.1200.128.4.1虛擬交換機不需要IP地址便于內外部連接Internet212.150.48.254212.150.48.1212.150.48.3212.150.48.4212.150.48.2接口支持的接口Vlan物理Warp鏈接支持的接口數量多達60個虛擬接口VLAN(802.1q)接口通常用于連接虛系統到被保護的網絡InternetSwitchVS1VS2J管理模型Provider-1支持每個或多個虛系統單獨的管理域,允許:多個管理員細致的權限劃分單獨數據庫SmartCenter支持一個管理域：一個管理員一個目標庫多策略三級分域管理模型:Provider-1支持VSXGatewayMulti-DomainGUI(MDG)CustomerManagementAdd-On(CMA)CustomerManagementAdd-On(CMA)CustomerManagementAdd-On(CMA)CustomerBCustomerACustomerCCustomerManagementAdd-On(“MainCMA”)P-1多級分域管理模型三級集中管理模型:SmartCenterSmartDashboardCustomerBCustomerACustomerCSmartCenterVSXGateway集中管理CheckPointreducesTCOandraisessecurity單一控制臺管理:VPN-1VECheckPointApplianceCheckPointSoftware“SecuredbyCheckPoint”Appliances降低管理開銷確保安全一致性企業分布式環境LAN部門2LAN部門3VS2VS3VSX-1虛擬防火墻部署SmartCenter/Provider-1集中管理不同部門/虛擬墻，使用自己專有安全策略LAN部門1VS1SmartCenter/Provider-1VSX-19090VSX-1設備VSX-13070VSX-19070VSX-19090PackageTargetMarketMidEnterpriseLargeEnterpriseHighEndLicenseBundleVirtualFirewall,IPS,PerformancePack,IPSEC

HighAvailability/LoadSharing(VSLS)NumberofVSes5or1010(Upgradeableto150)10(Upgradeableto150)PerformanceFWThroughput4.5Gbps13.5Gbps27GbpsVPNThroughput1.2Gbps3.5Gbps7GbpsConcurrentSessions1.1Million1.1Million1.8Million全新!KeyFeaturesCheckPointCiscoJuniperFortinetCommentsPerimeterFirewallMarket-leadingfirewallvendorIPSecVPNSupportcommontypesofVPN

inavirtualcontextSSLVPNIntegratedpervirtualcontextIntegratedIPSperVirtualSystemHighlyintegratedIPSwithsimpleone-clickdatabaseupdateVoIPSecurityCapableofdeepinspectionofVoIPprotocolspervirtualsystemApplicationSecuritySupportSupportsWebapplicationfirewallwithextensivegranularityHAandLoadSharingSeamlessHAfailoverURLFilteringperVirtualSystemIntegratedURLfilteringDynamicRoutingSupportDynamicroutingsupportpervirtualsystemScalablePolicyManagementSMC/PV-1bringssimplicityandscalablepolicymanagementonvirtualizedenvironments.VirtualsystemsareprovisionedfromDashboardDelegation/SeparationofDutiesSoftwareorApplianceDeploymentSimpleandquickdeploymentVSXCompetitiveLandscapeNEW!NEW!VSX-1SummaryComprehensiveVirtualizedSecurityScalableVirtualizedArchitectureEverythingyouneedinavirtualsecuritygatewaysolution.ConsolidationofHundredsofSecurityGateways10–150HAVSVSX-13070VSX-19070VSX-190905–10VS10–150VSVSX用戶收益重疊的IP地址范圍支持CustomerA10.0.0.0InternetCustomerB10.0.0.0CustomerC10.0.0.0單獨的VSX網關可以支持保護擁有重疊IP地址范圍的網絡；每一個網絡由一個單獨的虛擬系統保護Switch橋接模式的虛擬系統“橋接模式的虛擬系統”透明地提供了安全服務

為基礎構架添加一個安全層促進了核心處的安全性橋接模式的VS與傳統的VS的相同模型相對應每個橋接模式的VS保持一個專有的橋接表

與體系結構協議集成支持所有xSTP協議、PVST+和管理協議(VTP)路由核心Vlan200Vlan210Vlan240Vlan320802.1q802.1q虛擬網絡環境

動態路由虛擬網絡環境擴展了對動態路由協議的支持單播路由

—RIPv1/2、OSPFv2和BGP-4多播路由

—IGMPv2、PIM-DM和PIM-SM每個虛擬設備保持對所有路由協議的支持協議便于以下之間的連接：虛擬設備到虛擬設備虛擬設備到外部路由器802.1q802.1q虛擬交換機虛擬路由器OSPFOSPFPIM-SM市場營銷IGMPv2BGP-4OSPFVPN-1VSXNGX集群VSX提供了從一個VSX集群成員到另一個VSX集群成員無縫的連接和路由故障恢復狀態和路由同步恢復故障模塊向現有集群中添加成員/從現有集群中刪除成員升級集群成員單個虛擬系統故障恢復更多集群成員VSX集群現在支持多達12個成員每個成員的接口配置主要好處在彈性和可擴展性上增強粒度控制VSX應用場景1—大型企業FloorL-2AccessSwitchesFinanceNetworksMainBuildingHybridnetworksR&DNetworksaggregationSwitches802.1qconnectivitymatrixRoutedCore802.1qTrunksVlanIPinterface–InterVlanconnectivityVSX應用場景2—動態路由環境ApplicationNetworksMainBuildingHybridnetworksR&D-LabsandDevelopmentNetworksIntranetSAPGatekeepersDevelopmentServersFinancePurchasingIPTelephonyLab1Lab2QABusinessDevelopment802.1q802.1q802.1qInternetPerimeterSecurityVSXClusterVirtualSystemVirtualSystemInBridgemodeVirtualSwitchVirtualRouter802.1q802.1qOSPFconnectivityCore->VirtualRouterVSSpecificIGPconnectivityBGPneighborupdatesbythecoredevices/reflectorSelectiveredistributionintoOSPF案例：為學校提供“清潔寬帶接入”客戶問題CheckPoint強大的管理解決方案互聯網已成為一個