
Introduction to R71
Anton Razumov
[email protected]
Security Consultant
Check Point Software Technologies
©2010 Check Point Software Technologies Ltd.
|
[Unrestricted] For everyone
R71

New feature release (released in Q2 2010)

- What’s new with IPS?
- IPSec VPN Enhancements
- Improved Anti-Virus Performance
- SecureXL by default in UTM-1 appliances
- Security Management Enhancements
  - Firewall Rule Expiration
  - Automatic Deletion of Old Database Versions
  - Object Management Improvements
- Other Enhancements
  - Data Loss Prevention (DLP) Blade
  - SSL VPN Blade
Agenda IPS
1. Introduced in R70.20 (and now integral part of R71)
2. R71 IPS contract enforcement
3. R71 IPS other news
IPS Event Analysis (IPSA)

Screenshot callouts: Timeline, Critical events, Statistics, Old front page
Prevention – Block Specific Region

Geo-Protection allows:
- Complying with certain regulations by blocking and logging traffic from certain states
- Analyzing where attacks come from
- Increasing or decreasing confidence that a certain event is an attack, based on where it came from
- Identifying malware trying to “call home”
Geo Protection View
Other

Web Intelligence Log improvements:
- Web server type and Browser type are included in IPS logs of Web related protections
- Logs now show the original IP addresses of proxied connections
- Packet capture on first trigger of any protection
IPS R71 Management – Overview
- Located in IPS tab of the SmartDashboard
- Information on unified updates available
- Quick view of alerts in the network
- RSS feed of recently updated protections
IPS-1 Sensor – Management
Screenshot callouts:
- List of IPS-1 and IPS Software Blade GWs
- Choose to also manage IPS-1
- Profiles contain both IPS-1 and IPS Software Blade protections, and can be applied to both IPS-1 appliances and GWs
- Each sensor/GW is listed
- Select which type of sensor to add
R71 IPS contract enforcement

- Software blade Architecture was released in March of 2009 as R70
- The IPS Software Blade is a Service Blade, which requires an annual subscription in order to use it and download protection updates
- Starting R71, each Security Gateway must have a valid subscription, also known as an “IPS contract”
Contract types

There are 4 types of IPS Software Blade contracts:
- CPSB-IPS – This contract covers most Open server gateways, all Power-1 gateways and some of the UTM-1 models
- CPSB-IPS-S1 – This contract covers UTM-1 130, UTM-1 270, UTM-1 570 and SG101
- CPSB-IPS-HA – This contract is for secondary cluster members in a gateway cluster, and covers most Open server gateways, all Power-1 gateways and some of the UTM-1 models
- CPSB-IPS-S1-HA – This contract is for secondary cluster members in a gateway cluster and covers UTM-1 130, UTM-1 270, UTM-1 570 and SG101

Each contract must be attached to a Blade Container
Contracts information
See sk44245

- To check if a gateway has a valid contract just locate the gateway container in the UserCenter
- Choosing a container, you will be able to see associated contracts
- Contracts information must be imported into SmartUpdate in order to use IPS Blade
Contract notifications

- SmartUpdate can show notifications about expired contracts
- Messages window in IPS tab will also show this information
Contract notifications

Policy install will also notify about IPS contract issues
Insufficient IPS contract coverage

If an IPS contract is not available the IPS Blade functionality will be restricted as follows:
- Protections will be limited to only those protections which were available as of March 2009 (the same protection set which existed when R70 was released).
- All protections introduced after March 2009 will be disabled.
IPS Blade Grace periods

- Grace periods are periods after the IPS blade license expires, in which the protections will still be active and no restrictions are made, but warnings are issued regarding the missing contracts.
- The grace period is set for 60 days starting from the latest contract expiration date on that gateway.
- The grace periods are calculated per gateway individually.
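The grace-period rule described above (60 days from the latest contract expiration, evaluated per gateway, restricted coverage afterwards) worked through as an added example. This is not Check Point's code or anything shipped with R71; the gateway names and expiration dates are constructed, and treating a contract as still valid on its expiration day is my assumption.

```python
from datetime import date, timedelta

# Grace period length stated on the slide: 60 days after the latest
# contract expiration date on the gateway.
GRACE_DAYS = 60

# Constructed sample data: contract expiration dates per gateway.
# Gateway names and dates are made up for this example.
SAMPLE_CONTRACTS = {
    "gw-hq":     [date(2010, 3, 31), date(2010, 9, 30)],  # two contracts, the later one still valid
    "gw-branch": [date(2010, 4, 15)],                     # expired, inside the 60-day window
    "gw-lab":    [date(2009, 12, 1)],                     # expired long ago
    "gw-new":    [],                                      # no contract imported at all
}


def ips_contract_state(expirations, today):
    """Classify one gateway's IPS contract coverage for a given day.

    Returns (state, grace_days_left):
      'valid'      - at least one contract has not expired yet (a contract is
                     assumed to be valid through its expiration day)
      'grace'      - all contracts expired, but the grace period counted from
                     the latest expiration is still running
      'restricted' - grace period over (or no contract at all): IPS falls back
                     to the March 2009 (R70) protection set, newer protections
                     are disabled
    """
    if not expirations:
        return "restricted", 0
    latest = max(expirations)             # the slide: "latest contract expiration date"
    if latest >= today:
        return "valid", 0
    grace_end = latest + timedelta(days=GRACE_DAYS)
    if today <= grace_end:
        return "grace", (grace_end - today).days
    return "restricted", 0


def coverage_report(contracts, today):
    """Evaluate every gateway individually; returns {gateway: (state, days_left)}."""
    return {gw: ips_contract_state(exp, today) for gw, exp in contracts.items()}


def demo_report(today_iso="2010-05-01"):
    """Run the classification over the constructed sample data for a given ISO date."""
    return coverage_report(SAMPLE_CONTRACTS, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for gw, (state, left) in demo_report().items():
        print(f"{gw:10} {state:10} grace days left: {left}")
```

Running it for 1 May 2010 shows gw-hq as valid, gw-branch in its grace window with 44 days left, and the other two already restricted; the same gateway flips to restricted the day after its grace period ends.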
IPS updates

- With R71 it is now possible to schedule IPS updates
- Policy can also be installed after updates
- Offline updates are available after special EULA terms (next slide)
Offline update

Customer must send Check Point a mail to get access to offline updates at this page:
http://www.checkpoint.com/defense/updates/index.html
Agenda Service Based Link Selection
1. Introduction
2. Overview and technology
3. Scenarios
Introduction and terminology

Source based routing
- Not to be confused with “source routing”, where the source determines the network route
- This means deciding a route through the network based on the source IP of the packet, and is typically considered a part of policy based routing

Policy based routing
- Policy-based routing may also be based on the size of the packet, the protocol of the payload, or other information available in a packet header or payload such as the service. This permits routing of packets originating from different sources to different networks even when the destinations are the same, and can be useful when interconnecting several private networks.
What does R71 introduce?

Expansion on existing technologies:
- IPSEC VPN
- Link selection on VPN gateway
  - Outgoing packet (ergo outbound)
  - Remote peer selection (ergo inbound)
  - Uses probing mechanism (UDP 259)
- Only method available up to R71 was hot standby HA, one link active at any given time.
- R71 introduces:
  - VPN link loadsharing
  - Service based link selection
Link Selection …Why ?
Link Selection – how should the gateway behave?

Diagram callouts: the VPN GW tests peer availability through each link (“ping”/“pong” over ISP 1 and ISP 2: “Peer’s available on this link”, “Peer’s available on this link, too”); use the primary ISP to establish the VPN with the peer GW; use another ISP as backup; when all else fails, use dialup over ISDN (or DSL or FR).
Link Selection

- The challenge is connectivity
- How should remote peers select the IP of the Gateway?
- How should the Gateway route its own outgoing VPN traffic?
- The mechanisms used for this feature have been enhanced since ‘NGX R60’
Link Selection

The first mechanism determines how remote peers resolve the IP address of the local Gateway. Remote peers can connect to:
- The main IP Address of the Gateway
- A single IP address reserved for VPN (which does not have to be an interface IP; the address could be the statically NATed IP address of the VPN Gateway)
- One of multiple IP addresses available for VPN traffic

If a Gateway has multiple IP addresses available for VPN traffic, then the correct address for VPN is discovered through one of the following:
- Topology information contained in the network object
- DNS lookup
- One-time RDP probing (via RDP packets)
- On-going probing (via RDP packets)

For both the probing options (one-time and on-going) a Primary Interface can be assigned. If not all of the Gateway’s interfaces are used for VPN, a smaller set of interfaces can be selected.
Link Selection

The second mechanism, Route Based Probing (for link selection), also uses RDP probing to determine how the local Gateway selects an interface for outgoing VPN traffic. Using Route Based Probing, the Gateway consults the routing tables, and selects an active link with the lowest metric (highest priority).

These 2 mechanisms cover a lot of connectivity scenarios. As examples the manual covers the following:
- Gateways with a single IP for VPN
- Gateways with several IP addresses used by different parties for VPN
  - Gateways hidden behind a static NAT device
  - Gateways located on an internal private network
- Gateways with a dynamic IP address for VPN
- Gateways with multiple IPs providing High Availability (HA)
Link Selection
High Availability, incoming tunnel

Diagram: Local gateway (eth0, eth1) and Remote peer (eth0).
- Remote peer polls Local Gateway to discover the IP associated with the interface available for VPN
- If one link goes down, an alternative link is used for VPN traffic.
Link Selection - Example
High Availability, outgoing tunnel

Diagram: Local gateway (eth0, eth1) and Remote peer (eth0).

The IP used for outgoing traffic on the Local Gateway is determined via the Route Based Probing mechanism. Each entry in the routing table contains the following information:
- Destination IP Address Prefix
- Source Interface
- IP address of the next-hop router

After probing all routing possibilities, the Gateway selects the best match (highest prefix length) active route with the lowest metric, and hence the highest priority.
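The selection rule above (only links the probing session reports as up, longest destination prefix first, then lowest metric) as an added, self-contained example. It is not Check Point's implementation; the routing table, the interface names and the peer address are constructed, and the probing result is passed in as a plain dictionary instead of coming from real RDP probes.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    """One routing-table entry with the three fields listed on the slide, plus its metric."""
    prefix: str        # destination IP address prefix, e.g. "203.0.113.0/24"
    interface: str     # source (outgoing) interface
    next_hop: str      # IP address of the next-hop router
    metric: int        # lower metric = higher priority


# Constructed routing table for a local gateway with two ISP links
# (documentation address ranges; nothing here is a real deployment).
SAMPLE_ROUTES = [
    Route("0.0.0.0/0",      "eth0", "198.51.100.1", 10),  # default route via ISP 1
    Route("0.0.0.0/0",      "eth1", "192.0.2.1",    20),  # default route via ISP 2
    Route("203.0.113.0/24", "eth1", "192.0.2.1",     5),  # peer's network, preferred via ISP 2
    Route("203.0.113.0/24", "eth0", "198.51.100.1", 30),  # same network, backup via ISP 1
]


def select_outgoing_route(routes, peer_ip, link_status):
    """Pick the route a VPN gateway would use for traffic to peer_ip.

    link_status maps interface name -> True if the probing session reports
    the link as up (a stand-in for the RDP probing result). Rule as stated on
    the slide: among routes whose link is active and whose prefix covers the
    peer, take the best match (longest prefix); break ties by lowest metric.
    Returns the chosen Route, or None if no active route covers the peer.
    """
    peer = ipaddress.ip_address(peer_ip)
    candidates = []
    for r in routes:
        if not link_status.get(r.interface, False):
            continue  # probing says this link is down: never select it
        net = ipaddress.ip_network(r.prefix, strict=False)
        if peer in net:
            # negate the metric so that a single max() prefers the lowest metric
            candidates.append((net.prefixlen, -r.metric, r))
    if not candidates:
        return None
    return max(candidates, key=lambda c: (c[0], c[1]))[2]


if __name__ == "__main__":
    peer = "203.0.113.7"
    print(select_outgoing_route(SAMPLE_ROUTES, peer, {"eth0": True, "eth1": True}))
    print(select_outgoing_route(SAMPLE_ROUTES, peer, {"eth0": True, "eth1": False}))
    print(select_outgoing_route(SAMPLE_ROUTES, peer, {"eth0": False, "eth1": False}))
```

With both links up the /24 route via eth1 (metric 5) wins; when probing marks eth1 down, the /24 route via eth0 still beats the default route because prefix length is compared before metric; with both links down nothing is selected.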
Link Selection
High Availability

Diagram: two gateways, each with eth0 (primary) and eth1.
Link Selection
Load Sharing

Diagram: two gateways, each with eth0 and eth1.
Link Selection
Service Based

Diagram: two gateways, each with eth0 and eth1; labels assign VoIP to one interface and All other traffic to the other.
Link Selection
Service Based

Diagram: four links, ISP-1 to ISP-4, between the two gateways; labels assign VoIP and All other traffic to separate ISP links.
Link Selection
Service Based
VoIP Failover

Diagram: ISP-1 to ISP-4; labels show VoIP appearing alongside All other traffic on the remaining links after the VoIP link fails.
Link Selection
Service Based
VoIP Failover

Diagram: ISP-1 to ISP-4; labels show VoIP and All other traffic back on separate ISP links.
Link Selection
Service Based
All other traffic failover

Diagram: ISP-1 to ISP-4; labels show All other traffic appearing alongside VoIP on the VoIP links.

It is not possible to disallow failover for ‘All other traffic’
Link Selection
Service Based Configuration
- Link Selection Load Sharing
- Route Based Probing
- Configuration file on the management:

  Gateway   Interface   Service
  A         eth0        VoIP
  B         eth0        VoIP    [dont_failover]

Diagram: gateways A and B, each with eth0 (VoIP) and eth1 (All other traffic).
vpn_service_based_routing.conf

The configuration file includes the following fields:

  Gateway   Interface   Service
  A         eth0        ABC
  B         eth0        XYZ, group   [dont_failover]

- Gateway: the gateway that sends the traffic according to the service.
  Valid values: single VPN gateway\cluster object.
- Interface: Outgoing interface for the following services.
  Valid values: single interface name (as shown in the Topology page of the gateway in the SmartDashboard).
  Note that a specific interface can appear only once in the configuration file.
- Service: Specific service configuration for the given interface.
  Valid values: group or single service object.
- dont_failover flag (optional): if this string is present the service stays sticky on the configured interface. Even if the link associated with the interface is reported as “down” by the probing session, the connections of the configured service will still be routed through the configured interface.
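An added example, not Check Point's own parser, that reads a file in the shape of the table above and then applies the failover behaviour the scenario slides describe: a configured service follows its interface, [dont_failover] keeps it there even when probing reports the link down, and "All other traffic" always fails over. The exact file syntax is not shown on the slides, so the whitespace-separated column layout, the comment lines, the per-gateway reading of the "interface appears only once" rule (the slide lists eth0 for both A and B) and the link-status dictionary are all assumptions; the service names are constructed.

```python
import re

# Constructed sample content in the ASSUMED layout of
# vpn_service_based_routing.conf: whitespace-separated columns
# "gateway interface service [dont_failover]". The real syntax is not on the
# slide; gateway and interface names follow the slide's example table.
SAMPLE_CONF = """\
# gateway  interface  service   flag
A          eth0       VoIP
B          eth0       VoIP      [dont_failover]
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)(?:\s+\[dont_failover\])?\s*$")


def parse_conf(text):
    """Parse the config into {gateway: {interface: (service, dont_failover)}}.

    Rejects malformed lines and enforces the slide's rule that an interface
    may appear only once; uniqueness is checked per gateway (assumption, since
    the slide's own example lists eth0 for both gateway A and gateway B).
    """
    table = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: expected 'gateway interface service [dont_failover]'")
        gw, iface, service = m.group(1), m.group(2), m.group(3)
        sticky = "[dont_failover]" in line
        per_gw = table.setdefault(gw, {})
        if iface in per_gw:
            raise ValueError(f"line {lineno}: interface {iface} listed twice for gateway {gw}")
        per_gw[iface] = (service, sticky)
    return table


def conf_is_valid(text):
    """True if the text parses cleanly (used to exercise the validation path)."""
    try:
        parse_conf(text)
        return True
    except ValueError:
        return False


def choose_interface(table, gateway, service, link_up):
    """Return the outgoing interface for `service` on `gateway`, or None.

    link_up maps interface -> bool from the probing session. Behaviour modelled
    on the slides: a configured service uses its interface while the link is
    up; with [dont_failover] it stays there even when the link is down; without
    the flag it fails over to another active interface. "All other traffic"
    prefers interfaces not reserved for a service, and its failover onto a
    service link cannot be disabled.
    """
    configured = table.get(gateway, {})
    active = [i for i, up in link_up.items() if up]
    for iface, (svc, sticky) in configured.items():
        if svc != service:
            continue
        if link_up.get(iface, False) or sticky:
            return iface                      # normal case, or sticky even though down
        others = [i for i in active if i != iface]
        return others[0] if others else None  # failover to any other active link
    free = [i for i in active if i not in configured]
    if free:
        return free[0]                        # "All other traffic" on an unreserved link
    return active[0] if active else None      # failover onto a service link; cannot be disabled


if __name__ == "__main__":
    table = parse_conf(SAMPLE_CONF)
    print(table)
    print(choose_interface(table, "A", "VoIP", {"eth0": False, "eth1": True}))  # fails over
    print(choose_interface(table, "B", "VoIP", {"eth0": False, "eth1": True}))  # sticky
```

The two VoIP lookups at the bottom show the difference the flag makes: gateway A moves VoIP to eth1 when eth0 is reported down, gateway B keeps it on eth0 because of [dont_failover]; "All other traffic" on A lands on eth1 while it is up and on eth0 otherwise, matching the "All other traffic failover" slide.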
R71 UTM
AV and URLF acceleration
Agenda
1. What’s new?
2. Anti Virus in detail
3. URL Filtering in detail
4. Performance
What’s New?
Anti Virus
- Move to industry-leading AV engine by Kaspersky, providing better coverage than the current AV solution
- Use two detection modes:
  - New stream mode (default) – new kernel stream architecture, based on Virus signatures
  - Proactive mode – Similar architecture to R70 AV solution, but based on improved engine
- Focusing on viruses in the wild (“WildList”)
- Performance is significantly better, higher than IPS recommended feature set:
  - UTM-1 3070: 1.3 Gbps throughput, Power-1 9070: 3.6 Gbps throughput.
- Improve stability and memory consumption
What’s New?
URL Filtering
- Move to SecureComputing URL Filtering engine improving coverage and accuracy
- Move to a new kernel architecture
  - This new architecture eliminates the limitation of concurrent connections which was dictated by the Security Servers architecture and improves the performance numbers of URL Filtering: UTM-1 3070: ~ 500K concurrent connections, Power-1 9070: ~ 750K concurrent connections.
- Improve stability and memory consumption.
- Support wild characters (‘*’) in Allow/Block lists
Antivirus in detail

Stream mode
- Default operation mode
- Kernel streaming architecture based on signatures provided by Kaspersky – currently more than 13,000 signatures
- Focusing on viruses in the wild – excellent detection rate of the “WildList”
- Performance is significantly higher, similar and even better than IPS recommended feature set: UTM-1 3070: 1.3 Gbps throughput, Power-1 9070: 3.6 Gbps throughput. Latency is minimal.
- Limitations:
  - Zoo viruses
  - Polymorphic viruses, or ones whose signatures require multiple passes or other heuristics

Proactive mode
- Same as R70 architecture using security servers
- Based on Kaspersky KAV engine which performs advanced heuristics, including sandbox simulation
  - Enables decompressing files, multiple passes and other heuristics
  - Number of signatures is irrelevant – using both proactive heuristics and signatures
- Excellent detection rate and Proactive capabilities for all viruses, Wild and Zoo
- Performance is similar to current AV solution
Antivirus in detail II

Common
- Update of AV database is done via current Update mechanism – no change in GUI compared to R70
  - Automatic update – recommended
  - Manual Update
- Same behavior of FileType feature
  - Note that file type policy is available in stream mode as well, implemented in kernel

Upgrade
- If a customer that is currently using the existing AV solution upgrades to R71, his GWs will continue to work in Proactive mode (!), until he decides to move to stream mode
  (callout: “One little check box that makes a world of change”)
Antivirus in detail III
Traffic Flow
Antivirus in detail III

Diagram (Kernel, AV Kernel Module): Connection Layer, Streaming Layer, Parser, Generic Filters, File Type, Pattern Matcher with Sigs. DB; block connection if necessary.
Antivirus in detail IV

Environment
- UTM peripheral capabilities did not change:
  - File Type and general settings
  - Fallback options – block or accept
  - Logs, SmartViewTracker, SmartViewMonitor
- Backward compatibility is supported
- Reports have been added to SmartEvent
Antivirus in detail V

Even though an R71 system will prevent a live virus in its default mode, EICAR is handled per the following command:

  fw ctl set int g_ci_av_eicar_handling_mode <mode>

mode can be:
  0 – monitor only
  1 – ignore
  2 – block

The default is 0


URL Filtering in details I

Our new kernel architecture
- Connections are all handled in kernel mode and not folded to Security Servers
- Eliminates the limitation of concurrent connections which was dictated by the Security Servers architecture and improves the performance numbers: UTM-1 3070: ~ 500K concurrent connections, Power-1 9070: ~ 750K concurrent connections
- Results are cached in kernel, thus actual categorization is often skipped, and leads to even better performance
- In cases that the URL is not in cache, categorization is done in user mode, but connection handling is all done in kernel
  - The flow is not blocking and does not interrupt other connections
URL Filtering in details II

- Clean installation and upgrade must perform a URLF DB update; this process may take several minutes the first time

Upgrade
- GWs that are upgraded to R71 will automatically start using the new URLF engine in the kernel if URLF was enabled before upgrade
- Backward compatibility is supported
URL Filtering in details III
Traffic Flow
URL Filtering in details III

Diagram: User Mode – UF queries Queue, UF DB. Kernel – UF Kernel Module: Connection Layer, Streaming Layer, Parser, Generic Filters, Caching, Matcher; hold response / resume connections; response or block.
URL Filtering in details III

Diagram (URL in cache): User Mode – UF queries Queue, UF DB. Kernel – UF Kernel Module: Connection Layer, Streaming Layer, Parser, Generic Filters, Caching, Matcher; when the URL is in cache, filter with no need to hold the response; block connection if necessary.
R71 UTM-1 Boost - AV / URLF

UTM-1 276 (R70 / R71 / Boost):
- FW (1518 bytes), Mbps: 600 / 1,500 / x2.5
- IPS Throughput - Default Protections, Mbps: 380 / 1,000 / x2.6
- Anti-Virus, Mbps: 30 / 120 / x4
- Connection rate (cps): 3,400 / 10,000 / x2.9
- Max concurrent HTTP AV & URLF: 2,500 / 50,000 / x20

UTM-1 1076 (R70 / R71 / Boost):
- FW (1518 bytes), Mbps: 2,000 / 3,000 / x1.5
- IPS Throughput - Default Protections, Mbps: 900 / 2,200 / x2.7
- Anti-Virus, Mbps: 75 / 300 / x4
- Connection rate (cps): 8,800 / 25,000 / x2.8
- Max concurrent HTTP AV & URLF: 4,000 / 110,000 / x27

UTM-1 3076, Maximum Performance and Capacity (R70 / R71):
- FW (1518 bytes), Mbps: 4,500 (single value on the slide)
- IPS Throughput - Default Protections, Mbps: 4,000 (single value on the slide)
- Anti-Virus, Mbps: 175 / 1,200
- Connection rate (cps): 35,000 / 54,000
- Max concurrent HTTP AV & URLF: 6,500 / 280,000

All UTM-1 platforms include SecureXL (R71)
Q&A

Q: Does AV use CoreXL?
A: Yes.

Q: Does changing stream mode to proactive mode require restart of FW service?
A: No, only policy installation.

Q: Do we support Antivirus offline updates?
A: Yes, the process is being defined. Planned to be available during Q2/Q3 2010

Q: What's the upgrade process?
A: If AV was activated in the old version it will continue to work in proactive mode after the upgrade, and if it was initially disabled, its default mode will be stream mode.

Q: Is FTP accelerated as well?
A: No, FTP is handled as before in proactive mode
Summary
Anti Virus
- Moved to industry-leading AV engine by Kaspersky
- New stream mode utilizing > 13,000 signatures, updated daily to protect against Viruses in the wild
- Performance is significantly higher
- Eliminated the limitation of connection concurrency
- Significant improvement in memory consumption as well
URL Filtering
- Move to SecureComputing URL Filtering engine
- Move to a new kernel architecture
- Performance is significantly higher
- Eliminated the limitation of connection concurrency
- Significant improvement in memory consumption as well
- Support wild characters (‘*’) in Allow/Block lists
Security Management Enhancements

Firewall Rule expiration:
- In SmartDashboard, Temporary Rules and Expired rules are marked by new clock-shaped icons.
- Rule expiration can be added to existing rules, or created as an independent object and applied to multiple rules.
- New filtering options enable you to quickly find in SmartDashboard's Security RuleBase all temporary rules, or only those rules which have expired.
Automatic Deletion of Old Database Versions
Object Management Improvements
- Define default access mode for SmartDashboard
- Multi select and group
Anton Razumov
[email protected]
Security Consultant
Check Point Software Technologies