IAS Bladed Hardware Field Training


Integrated Appliance Solution (IAS) Bladed Hardware
Technical Training
May 13, 2010
©2010 Check Point Software Technologies Ltd.
[Confidential] For Check Point users and approved third parties
Agenda
1. Introducing IAS Bladed Hardware
2. X-Series: Carrier-Grade Chassis
3. Linear Scalability Architecture
4. Selling IAS Bladed Hardware
The New Initiative
• Check Point and Crossbeam have announced a new partnership
• Crossbeam X-Series platform is now an integral part of the Check Point portfolio
• The X-Series products are part of the Check Point price list
• Hardware/Software/Support all come from Check Point as an integrated package
• Professional Services/Training can also be sold with the package; will be delivered by Crossbeam
Introducing: IAS Bladed Hardware
Customized Security Chassis for your Unique Security Needs
• Designed to meet specific business needs
• Delivers carrier-grade platform for security
• Single SKU integrated solution and single contact for support
Carrier-grade Solution Designed for the Most Demanding Environments
• Integrates essential Check Point Security Gateway Software Blades
• Based on Crossbeam X-series chassis
Customer Benefits
► Integrated carrier-grade chassis solution
► Meets the needs of the most demanding networks
► Single source of support
Partner Benefits
► Single SKU ordering and fulfillment
► Expanded portfolio with scalable chassis solution
► Software Blade upsell opportunities
IAS Bladed Hardware—2 Bundle Options
Security Gateway SG805
• Designed for the most demanding, highest-performance environments
• Comprehensive, flexible and extensible security
• FW, VPN, IPS, Advanced Networking, and Acceleration & Clustering
• Ideal for the large campus and data center
VPN-1 Power VSX
• Dedicated gateway for multi-layer, multi-domain virtualized security
• The only virtualized security gateway with FW, VPN, IPS, and URLF
• Best virtualized security performance with linear scalability
• Conserves power and space by consolidating up to hundreds of gateways on a single platform
Crossbeam X-Series
[Images: X80, X45]
• Integrated superior network processing combined with exceptional application processing on an open architecture
• Adapt security performance and scaling to fit your business
• Lower total cost of ownership with dramatic network consolidation and energy consolidation
• Decrease downtime with self-healing platform
Flexibility: Hardware and Software
Modular and Scalable Blade Architecture
Hardware: X-Series (X80, X45)
• Scalable architecture
• AC/DC power
• NEBS-compliant
• Fiber NICs
• Modular NICs
Software:
• firewall blade
• IPSec VPN blade
• IPS blade
• advanced networking blade
• acceleration & clustering blade
• VPN-1 Power VSX
Customer Benefits
VALUE
Single SKU and vendor
FW, VPN, IPS, ACCL, ADN
Better TCO (scalability, lower support rate)
Integrated solutions with software blades
An extended global infrastructure with onsite support
X-Series Components
NPM: Network connectivity
• 2 - 10G ports
• 10 - 1G ports
APM: Application blades run:
• Security Gateway R70
• VSX R65
CPM: Control blades
• Manage and monitor the chassis
X80: Customers choose for scale and performance
• 40Gbps Today
• “Change-Ready” to 160G
X45: Customers choose when space is a premium
• 20G Today
• “Change-ready” to 80G
X-Series—Modules
Network Processing Modules (NPMs)
• Network connectivity and flow processing
• Multi-link trunking
• High-speed packet classification/distribution
• Intelligent flow sequencing
• Built-in rate-limiting feature (per flow rule)
• Fully VLAN capable; > 4000 VLANs per NPM
Application Processing Modules (APMs)
• Virtual Application Processor (VAP) system
► Best-in-class security engines
► Full hot-swap with no reconfiguration
► Seamless failover
► Warm (license-less) standby
• Optional local HD, crypto accelerator
Control Processing Modules (CPMs)
• Internal chassis management
• HA monitoring and failover
• Dynamic load balancing
• Centralized configuration database
• Dedicated mgt/logging/HA ports
• Disk sync between dual CPMs
• Multiple port density options
X-Series—Accessories
Optional Extras
SFP-Q2-LX-2: Two (2) LX SFP 1G Transceivers (LC Connectors) for NPMs
SFP-Q2-SX-2: Two (2) SX SFP 1G Transceivers (LC Connectors) for NPMs
SFP-Q2-T-3: Two 10/100/1000 Copper SFP Transceivers (RJ45 Connectors) for use with NPM-8600 or later.
XFP-Q2-LR: Two (2) LR XFP 10G Transceivers (LC Connector) for NPM-8600 (RoHS Compliant). Use Single Mode fiber
XFP-Q2-SR: Two (2) SR XFP 10G Transceivers (LC Connector) for NPM-8600 (RoHS Compliant). Use Multi-mode fiber
XOS-ARM-710CD: X-Series Routing Software version 7.1 on DVD. Requires XOS 8.5.0 or higher. Includes PIM Sparse Mode, OSPFv2, RIP-II, and BGP-4. Licensed per X-Series Chassis.
The Virtual Infrastructure
What are we solving? | How do we solve it? | Why is it important? | Real use cases
• Typical multi-box architectures have a lot of duplication and inefficiency
• Security changes require network changes causing increased time to change
• Difficult to add a new security service quickly
[Diagram labels: IPS, FW, L2, LB, Internet]
The Virtual Infrastructure
• Crossbeam creates a “Network in a Box”
• Network Processor Modules
• Application Processor Modules consolidate Security Gateway Software Blades or VSX
• Control Processing Modules
• The X-Series Platform becomes a “virtual infrastructure” integrating both network processing and application processing within a single operating system
[Diagram labels: R70 Blades, L2, LB, Internet]
Network Processing Module (NPM)
• Provides physical network interfaces
► NPM-8620 has 10 x 1GbE SFP interfaces
► NPM-8650 has 10 x 1GbE SFP and 2 x 10GbE XFP interfaces
• Provides switching fabric for data plane
► Switching fabric connects all NPMs and APMs
► 5 Gb/s throughput per NPM-8620
► Provides 10 Gb/s throughput per NPM-8650
► Provides 40 Gb/s throughput per chassis (4 NPM-8650)
• Load balancing distributes traffic
► Scales throughput by distributing traffic across APMs
► Re-distributes traffic around failed APMs
• Consolidates network infrastructure
► Virtualizes switches, load balancers, patch and power cords
► Eliminates common network devices
Application Processing Module (APM)
• Hosts applications
► Supports “Virtual Application Processor” (VAP)
► Application runs within each VAP
• Scales performance
► Multiple APMs allow multiple VAPs
► These application instances share the traffic load
• Allows layered security
► Different APMs can run different applications
► NPM’s network virtualization provides connectivity between layers
• Provides application redundancy
► VAPs can run on any APM
► APMs can be re-provisioned on-the-fly
► Un-provisioned APMs automatically assume warm-standby role
Control Processing Module (CPM)
• System management
► Provides out-of-band management of chassis
► Centralized configuration of all elements in the system
• Provision applications based on configuration
► Ensures desired configuration
• Health monitoring
► Continuously checks health of APMs and NPMs
► Collects statistics (CPU, I/O, etc.) from all other modules
• Failover control
► Routes around failures
XOS
XOS functions:
• Switched Data Path Management
• Dynamic Resource Allocation
• Secure Flow Processing
• Virtual Application Processor / Grouping
• Chassis Resource Protection
• Self-Healing
Diagram callouts:
• Optimizes data flow between the network and application processors
• Protects and ensures optimum network processing
• Optimizes and controls flows between apps
• Provides a responsive system to application processing needs
• Allows application performance to scale independently
• Automatic performance capacity restoration
Network Processing Environment: Provides Superior Network Performance
Application Processing Environment: Ensures Exceptional Application Processing
Open Secure OS: Broad support of best-in-class security applications
The Virtual Infrastructure
A virtual infrastructure
• Creates a very responsive on-demand architecture
• Move, add, remove applications without impacting the network
• Create logical application groups that can be scaled or changed depending upon performance demands
• Self-healing architecture
• Green Zone
► Reduces waste by removing network inefficiencies
► Reduce # Ethernet connections to a single “virtual infrastructure”
Simplifying the Complex
Which Network Rack can be Upgraded Faster?
• The X-Series Platform is the entire infrastructure—a single management interface for all security and network changes
• Firmware and system software upgrades only need to be applied once using the Automated Workflow System
The Virtual Infrastructure
National Communications
The Technical Problem
• Current managed firewall service to local government education agency was overly complex, requiring 12 operational staff to maintain
Solving the Problem
• Crossbeam collapsed 800 Cisco ASA Firewall appliances into 4 X80 chassis running Check Point VSX
• National Communications Co. now scales without adding additional hardware
Business Outcome
• National Telco was able to reduce the staff required to manage this service from 12 to just 3
Crossbeam Validation
• Crossbeam was able to validate up to 250 virtual firewalls running on each X80 Chassis
Linear Scalability Architecture
Networking Platforms
• Excellent for controlling the flow of data packets
• Poor at actually processing the data
Application Server Platforms
• Excellent for processing the data
• Poor at controlling the flow of latency-sensitive data
Need to Maintain a Perfect Relationship Between Network and Application Processing in Order to Optimize a System
Linear Scalability Architecture
True system scalability demands that every performance factor scales linearly
System Performance factors:
• Connections per Second
• Application Throughput Under Load
• Total Connections
• Application Inspection Throughput
• Latency
• Mixed Packet Size Throughput
Linear Scalability Architecture
[Diagram labels: Networking Platforms, Application Server Platforms, X-Series Architecture]
Integrated network and application processing facilitates true linear scalability
Linear Scalability Architecture
Traffic flow controlled down to the individual processor core
Switched Data Paths (SDP)
NPM 8650
• Up to 10 Gbps Processing
• 10 Million Flows
• 105,000 Connections per second
NPM 8620
• Up to 5Gbps Processing
• 8 Million Flows
• 45,000 Connections per second
APM 8650
• Up to 8 CPU Cores per Module
• Up to 80 CPU Cores per Chassis
• Up to 12.8 Gbps of Backplane Connectivity
• Up to 16 GB of Memory
• Diskless Design: optional up to 2 HDDs available with RAID 1/0
• Fully Hot-Swappable
320,000 Connections per second / Chassis
Check Point R70 Performance
• The X-Series can scale to 40Gbps firewall throughput with iMIX UDP traffic
• The X-Series is also the fastest firewall platform on the market in small packet performance, capable of scaling to 18M Packets Per Second with 64 byte packets
[Chart: throughput in Gbps (0 to 45) versus number of APMs (1 to 8); series: 1518Byte Throughput, IMIX Throughput, 64Byte Throughput]
Throughput…Think Real World
The X80 Achieves the Maximum Throughput of 40Gbps with Real-World Packet Sizes, Not Just with Large Packets
X80 with NPM and APM 8650 Modules Running Check Point R70
[Chart: iMIX Performance, Gigabits Per Second (0.0 to 40.0) by Packet Size (1518, 1280, 1024, 768, 512, 256, 128, 64)]
Platform Performance
The Honeymoon is Over for the SRX
We must push back on overinflated SRX performance claims
• SRX throughput for iMIX traffic plummets by nearly 65%
• X80 iMIX performance doesn’t budge from our max throughput of 40Gbps
• SRX performance drops even further when IPS is turned on
Clear demonstration of how unrealistic the 120Gb claim is
Check Point Firewall + IPS on X80 has always outperformed SRX
[Chart: Gigabits per Second (0 to 120) for X80 and SRX; legend: Large Packet (1518), iMIX, Firewall + IPS]
Platform Performance—Packet Forwarding Rate
At 18 Million Packets per Second, the X-Series is the Fastest Firewall on the Market!
• Packet forwarding rate directly affects real-world throughput
• This performance is achieved with 8-core APM-8650 modules
• Utilizing Check Point CoreXL technology
[Chart: Packet Forwarding Rate (64 byte packets), Millions of Packets per Second (0 to 20), for X80 and SRX]
Scaling Against Juniper SRX
X-Series Wins Against the SRX
Metric                         X80                    SRX (November 2009 Datasheet)
Packet Rate                    18 Million PPS         15 Million PPS
iMIX Throughput                40 Gigabit / Second    45 Gigabit / Second
Firewall + IPS Throughput      40 Gigabit / Second    30 Gigabit / Second
Connections per Second         320,000 CPS            350,000 CPS
Total Concurrent Connections   10 Million             10 Million
Large Packet Throughput        40 Gigabit / Second    120 Gigabit / Second
IAS Bladed Hardware—Performance Bundles
5 Gbit Solution (1-2-1): The 5 Gbit/s solution, running on an X45
10 Gbit Solution (2-2-1): The 10 Gbit/s solution, running on an X45 or X80
20 Gbit Solution (2-4-1): The 20 Gbit/s solution, running on an X45 or X80
40 Gbit Solution (4-6-1): The 40 Gbit/s solution, running on an X80
Linear Scalability Architecture
A linear scalable architecture
• Provides ability to create an accurate performance budget and planning for future expansion
• Dedicated resources can be allocated to specific applications ensuring performance service levels
• Green Zone
► Crossbeam switched data paths dramatically increase the efficiency of multi-core processor systems
Linear Scalability Architecture
The Technical Problem
• Critical need to continually increase throughput and concurrent connections to keep pace with 3G devices on the mobile network
Solving the Problem
• Crossbeam used 4th-generation blades to scale the O2 Internet-facing firewalls to accommodate 6.5 million concurrent connections
Business Outcome
• O2 is now able to continue to service their existing subscriber base of 22 million and expand service to remain competitive in the UK market
Crossbeam Validation
• Utilized the Linear Scalability validation test plan to show all performance metrics increased as firewall VAP group members were added
Product Solution Examples
Solution Example: CPAP-X45-2B-SG805 : Check Point IAS X45 Bladed Architecture with 2 Security Gateways (FW, VPN, IPS, ACCL, ADN)
Configuration   Chassis   NPM          APM          CPM          P/S   iMIX Performance   List Price
2-2-1           X45       2 NPM 8620   2 APM 8650   1 CPM 8600   2     10G                $185K
2-4-1           X80       2 NPM 8650   4 APM 8650   1 CPM 8600   2     20G                $345K
4-8-1           X80       4 NPM 8650   8 APM 8650   1 CPM 8600   3     40G                $640K
NOTE: These are example configurations. Each deal will require some customization
IAS Bladed Hardware—SG805
High-performance Security Gateway for the Most Demanding Environments
[Table callout: Indicates number of APMs]
IAS Bladed Hardware—VSX
Dedicated Gateway for Multi-layer, Multi-domain Virtualized Security
Strategy for Success
Beating the Competition
Juniper SRX
• Real-world performance – Performance hit to firewall when measured against real world traffic
• Management interface – Cumbersome interface/menus loosely unifies ScreenOS and JunOS
• High availability limitations – Choice between high availability and performance
• Inspection performance – Traffic throughput drops when IPS turned on
Cisco ASA
• Performance – Security technology lags in the industry
• Complexity and cost – Security embedded in each appliance requiring many appliances
• Security – May know the network, but not strong around network security
24/7 Support for the Most Critical Environments
[Map labels: OTTAWA (TAC), DALLAS (TAC), STOCKHOLM (Endpoint escalation), TEL AVIV (TAC), TOKYO (TAC)]
• Award-winning support
• Always-on 24 X 7 coverage
• Best-in-class electronic support tools
• World-wide material inventory
• Online support in 150 countries / 1,000 metropolitan areas
Sales Tools
• Sales Tools are available on PartnerMap
► Customer presentation
► Technical presentation
► At-a-glance sales guides
► And more…
• For additional information please contact your Check Point Channel Representative
Summary: IAS Bladed Hardware
Customized Security Chassis for your Unique Security Needs
• Designed to meet specific business needs
• Delivers carrier-grade platform for security
• Single SKU integrated solution and single contact for support