VSX-1.虚拟化安全课件

CheckPoint的虚拟安全解决方案

—VSX-1如今企业安全挑战HeterogeneousITenvironmentToomanysingle-functionsecurityappliancesComplexmanagementandprovisioningUnderutilizedhardwarewastesspaceandpowerLimitedscalability虚拟防火墙满足企业安全挑战需求ConsolidateSecurityHardwareCostSavingsSimplifiedSecurityManagementBetterAvailabilityandScalabilitySimplifiedSecurityProvisioningIntroducingtheVSX-1Appliances10–150HAVSTheonlyvirtualizedsecuritysolutiononadedicatedappliancewithmulti-layeredsecurityandcomprehensivesecuritymanagementBestvirtualizedsecurityperformancewithlinearscalabilityIncreasedeviceutilizationandconservepower,spaceandcoolingbyconsolidatingupto150securitygatewaysinasingledeviceVSX-13070VSX-19070VSX-190905–10VS10–150VSVSX如何帮您降低TCO大幅度降低数据中心空间3个物理机架设备整合到一台单一设备节省数千瓦能源150台1U设备

消耗能源超过

11,500wattsVSX-19070虚拟出150个虚拟系统

只需要消耗

140watts150台UTM-13070需要3个机柜空间(1rackusuallyholds40to42U).一台VSX-19070仅仅2U.*Basedon150UTM-13070业解唯一的多层次安全防护的虚拟安全网关CompletefunctionalityofaphysicalgatewayonavirtualplatformFullIPSecandSSLVPNclientlesssecureremoteaccessComprehensivesecurityservicesincludingURLfilteringSinglevendorsourcingandsupportCentrallymanagedthroughSmartCenterandProvider-1集中管理CheckPointreducesTCOandraisessecurity单一控制台管理:VPN-1VECheckPointApplianceCheckPointSoftware“SecuredbyCheckPoint”Appliances降低管理开销确保安全一致性VSX-1AppliancesVSX-13070VSX-19070VSX-19090PackageTargetMarketMidEnterpriseLargeEnterpriseHighEndLicenseBundleVirtualFirewall,IPS,PerformancePack,IPSEC

HighAvailability/LoadSharing(VSLS)NumberofVSes5or1010(Upgradeableto150)10(Upgradeableto150)BasePrice$34,0005VS$60,00010VS$110,00010VSPerformanceFWThroughput4.5Gbps13.5Gbps27GbpsVPNThroughput1.2Gbps3.5Gbps7GbpsConcurrentSessions1.1Million1.1Million1.8MillionUpgradeOntopofbaseAdditionalAdd-OnPacks$10,0005VS20VSes$30,00020VSes$55,000FullRedundantNEW!DistributedEnterpriseLANLANSegment2LANSegment3VS2VS3VSX-1centralizesdeploymentSmartCenter/Provider-1usedformanagementifeachLANsegmenthasitsownsecuritypolicyLANSegment1VS1SmartCenter/Provider-1VSX-19090VSX发展历程VSX1.0–Athena(2001)–MultipleSecurityPoliciesVSX2.0.1–Brazil(2002)–FirstversionofProvider-1Mgmt,OverlappingIPsupportVSXNGAIR2–Canada(2003-4)–ApplicationIntelligence,SmartDefense,DesktopSecuritySupportVSXNGX–Denmark(2005)–L2/L3support,DynamicRouting,Multicast,SimplifiedProvisioning/MgmtVSXNGXwithScalabilityPack(2006)–Dextra–VSLS,ResourceControlandLightweightQoSVSXNGXR65–Ecuador(2007)–SNX,URLFVSX-1技术介绍VSX虚拟防火墙一个VSX网关上运行多个单独的防火墙，每个防火墙保护一个不同的网络（客户）进入VSX网关的包根据进入接口，源地址或目的地址被路由到相关的防火墙VSX功能Firewall功能VPN功能入侵防护功能URL过滤功能伸缩自如的管理Provider-1和SmartCenter管理一个VSX网关支持250个虚系统千兆性能HardwareCostSavingsBetteravailability

andscalabilityConsolidatingHardwareConsolidatingSecurity!HardwareCostSavingsBetteravailability

andscalabilitySimplifiedSecurity

ManagementSimplifiedSecurity

ProvisioningVSX的基本元素VPN-1VSXNGX建立了包括多个虚拟设备的虚拟网络环境虚拟系统(VS)虚拟电缆（Warp链接）虚拟路由器(VR)虚拟交换机(V-SW)虚拟系统（VirtualSystem）一个虚拟系统是一个唯一的路由和安全域，提供一般的CheckPoint网关绝大部分防火墙和VPN功能存在于相同的物理机器时，每个虚拟系统拥有自己单独的:状态表安全和VPN策略配置参数安全内部通信证书每个虚系统都拥有一个虚拟IP堆栈虚拟路由器一个虚拟路由器允许:共享物理接口内部虚拟系统通信VS1VS2JInternet虚拟交换机虚拟交换机设施在多个VS之间共享物理接口内部VS通讯降低跳的数量无需IP分配流程802.1q192.168.1.1172.169.1.1192.150.2.1200.128.4.1虚拟交换机不需要IP地址便于内外部连接Internet212.150.48.254212.150.48.1212.150.48.3212.150.48.4212.150.48.2接口支持的接口Vlan物理Warp链接支持的接口数量多达60个虚拟接口VLAN(802.1q)接口通常用于连接虚系统到被保护的网络InternetSwitchVS1VS2J管理模型Provider-1支持每个或多个虚系统单独的管理域,允许:多个管理员细致的权限划分单独数据库SmartCenter支持一个管理域：一个管理员一个目标库多策略三级分域管理模型:Provider-1支持VSXGatewayMulti-DomainGUI(MDG)CustomerManagementAdd-On(CMA)CustomerManagementAdd-On(CMA)CustomerManagementAdd-On(CMA)CustomerBCustomerACustomerCCustomerManagementAdd-On(“MainCMA”)P-1多级分域管理模型三级集中管理模型:SmartCenterSmartDashboardCustomerBCustomerACustomerCSmartCenterVSXGateway集中管理CheckPointreducesTCOandraisessecurity单一控制台管理:VPN-1VECheckPointApplianceCheckPointSoftware“SecuredbyCheckPoint”Appliances降低管理开销确保安全一致性企业分布式环境LAN部门2LAN部门3VS2VS3VSX-1虚拟防火墙部署SmartCenter/Provider-1集中管理不同部门/虚拟墙，使用自己专有安全策略LAN部门1VS1SmartCenter/Provider-1VSX-19090VSX-1设备VSX-13070VSX-19070VSX-19090PackageTargetMarketMidEnterpriseLargeEnterpriseHighEndLicenseBundleVirtualFirewall,IPS,PerformancePack,IPSEC

HighAvailability/LoadSharing(VSLS)NumberofVSes5or1010(Upgradeableto150)10(Upgradeableto150)PerformanceFWThroughput4.5Gbps13.5Gbps27GbpsVPNThroughput1.2Gbps3.5Gbps7GbpsConcurrentSessions1.1Million1.1Million1.8Million全新!KeyFeaturesCheckPointCiscoJuniperFortinetCommentsPerimeterFirewallMarket-leadingfirewallvendorIPSecVPNSupportcommontypesofVPN

inavirtualcontextSSLVPNIntegratedpervirtualcontextIntegratedIPSperVirtualSystemHighlyintegratedIPSwithsimpleone-clickdatabaseupdateVoIPSecurityCapableofdeepinspectionofVoIPprotocolspervirtualsystemApplicationSecuritySupportSupportsWebapplicationfirewallwithextensivegranularityHAandLoadSharingSeamlessHAfailoverURLFilteringperVirtualSystemIntegratedURLfilteringDynamicRoutingSupportDynamicroutingsupportpervirtualsystemScalablePolicyManagementSMC/PV-1bringssimplicityandscalablepolicymanagementonvirtualizedenvironments.VirtualsystemsareprovisionedfromDashboardDelegation/SeparationofDutiesSoftwareorApplianceDeploymentSimpleandquickdeploymentVSXCompetitiveLandscapeNEW!NEW!VSX-1SummaryComprehensiveVirtualizedSecurityScalableVirtualizedArchitectureEverythingyouneedinavirtualsecuritygatewaysolution.ConsolidationofHundredsofSecurityGateways10–150HAVSVSX-13070VSX-19070VSX-190905–10VS10–150VSVSX用户收益重叠的IP地址范围支持CustomerA10.0.0.0InternetCustomerB10.0.0.0CustomerC10.0.0.0单独的VSX网关可以支持保护拥有重叠IP地址范围的网络；每一个网络由一个单独的虚拟系统保护Switch桥接模式的虚拟系统“桥接模式的虚拟系统”透明地提供了安全服务

为基础构架添加一个安全层促进了核心处的安全性桥接模式的VS与传统的VS的相同模型相对应每个桥接模式的VS保持一个专有的桥接表

与体系结构协议集成支持所有xSTP协议、PVST+和管理协议(VTP)路由核心Vlan200Vlan210Vlan240Vlan320802.1q802.1q虚拟网络环境

动态路由虚拟网络环境扩展了对动态路由协议的支持单播路由

—RIPv1/2、OSPFv2和BGP-4多播路由

—IGMPv2、PIM-DM和PIM-SM每个虚拟设备保持对所有路由协议的支持协议便于以下之间的连接：虚拟设备到虚拟设备虚拟设备到外部路由器802.1q802.1q虚拟交换机虚拟路由器OSPFOSPFPIM-SM市场营销IGMPv2BGP-4OSPFVPN-1VSXNGX集群VSX提供了从一个VSX集群成员到另一个VSX集群成员无缝的连接和路由故障恢复状态和路由同步恢复故障模块向现有集群中添加成员/从现有集群中删除成员升级集群成员单个虚拟系统故障恢复更多集群成员VSX集群现在支持多达12个成员每个成员的接口配置主要好处在弹性和可扩展性上增强粒度控制VSX应用场景1—大型企业FloorL-2AccessSwitchesFinanceNetworksMainBuildingHybridnetworksR&DNetworksaggregationSwitches802.1qconnectivitymatrixRoutedCore802.1qTrunksVlanIPinterface–InterVlanconnectivityVSX应用场景2—动态路由环境ApplicationNetworksMainBuildingHybridnetworksR&D-LabsandDevelopmentNetworksIntranetSAPGatekeepersDevelopmentServersFinancePurchasingIPTelephonyLab1Lab2QABusinessDevelopment802.1q802.1q802.1qInternetPerimeterSecurityVSXClusterVirtualSystemVirtualSystemInBridgemodeVirtualSwitchVirtualRouter802.1q802.1qOSPFconnectivityCore->VirtualRouterVSSpecificIGPconnectivityBGPneighborupdatesbythecoredevices/reflectorSelectiveredistributionintoOSPF案例：为学校提供“清洁宽带接入”客户问题CheckPoint强大的管理解决方案互联网已成为一个