Security Gateway VE: Meet the Competition
FOR INTERNAL USE ONLY
August 31, 2010
2010 Check Point Software Technologies Ltd. | Restricted ONLY for designated groups and individuals

Meet the Competition
- Altor Networks (Juniper partner)
- Reflex Systems
- VMware vShield
- Cisco Nexus 1000v
- IBM ISS
- SourceFire
- Astaro
- Trend Micro

Altor Networks: In Brief
- Startup, founded in 2007
- Venture-funded
  - Accel Partners and Foundation Capital
  - Seed: $1.5 million (Summer 2007)
  - Series A: $6 million (April 2008)
- Juniper investment company
- Check Point alumni
  - Amir Ben-Efraim, CEO
  - Poornima DeBolle, Sr. Director of Business Development
  - Moshe Litvin, VP Engineering
  - Kevin Piper, Director of Technical Operations
  - Grant Asplund, Head of Market Development
  - Gadi Naor, Senior Software Engineer

Altor Networks: Products
- Altor Management Center
  - Administrative console and central dashboard for Altor Virtual Firewall
  - 2 GB virtual appliance
  - 4-16 GB database partition required
  - 1 GB memory required
- Altor Virtual Firewall (VF) Version 4.0
  - Network firewall
  - Network Visibility
  - IDS
  - Deployment options: VMsafe mode and Bridge Mode
  - 1 GB virtual appliance
  - 512 MB memory required

Altor: Main Screen (screenshots are v3)
Altor: Network Screen
Altor: Firewall Screen
Altor: Firewall Logs
Altor: Analysis Screen
Altor: Settings Screen
Altor: Settings Screen, Virtual Center
Altor: Settings, External Inspection
Altor: How It Works: Bridge Mode
Altor: How It Works: VMsafe Mode

Altor VF VMsafe Fast Path Implementation
- All data connections flow through VMsafe Fast Path APIs
- Virtual Switch: VMware vSwitch, Cisco 1000v
- Altor built a custom kernel enforcement module in ESX Hypervisor
- Partner Server (IDS, Syslog, Netflow)

Altor Strengths
- Established position in a niche market
  - Addresses per-VM security issues and has VMsafe
- Integration with vCenter and VMware API
  - Auto discovers virtual machine inventory, IP addresses, and virtual network topologies
  - Automates creation of secured port groups and vSwitches
- Unique Policy Management Paradigm
  - Provides global, group, and individual VM policies that work in concert to protect a virtual machine
- Altor Applies Policy to UUIDs
  - Provides security even when virtual appliance IP address changes
- Strong Reference Customers
  - Hearst Corporation
  - Nielsen
  - ServiceMaster

Altor Strengths continued
- Full Integrated IDS: Policies, alerts, and reports now include IDS as well as firewall components, enabling coordinated, per-VM enforcement of both security layers.
- Cisco Nexus 1000v Support: This tight integration also allows Altor VF to secure Cisco Nexus 1000V distributed vSwitches without affecting the virtual network structure or centralized Cisco management.
- VMsafe Fast-Path technology, 10Gbps: As a module in the hypervisor kernel, Altor VF optimizes packet processing to achieve 10Gbps performance.
- VMsafe: VMsafe integration also reduces operating complexity and eliminates Cisco vSwitch reconfigurations.

Altor Weaknesses
- Altor Lacks Basic Enterprise Firewall Features
  - No NAT, VPN, IPS, QoS, etc.
  - Check Point expects future Altor releases to address this issue
- Altor Uses TCP Resets: Bridge Mode
  - Controls communication between hosts in the same port group using TCP RST packets
  - Not a dependable method of performing access control
- New Company
  - Enterprises might be worried about the longevity of the company

Altor Opportunities
- Acquisition (Juniper invested 15%)
- Support other virtualization platforms
  - Citrix
  - Microsoft
- Regulations requiring virtualized security
  - PCI

Altor Threats
- Large players entering the market
  - Juniper, Cisco, Check Point
- Funding
  - Difficulty raising new round
  - Ability to weather the economic downturn

Juniper and Altor?
- Solution brief
- All the integration I could find
  - White

Check Point Advantages vs. Altor
- Full firewall with UTM and VPN capabilities
- IPS
  - Despite Altor's partnership with Juniper, no IPS available, only IDS
- Existing SmartCenter install base
  - SG VE is ideal for existing Check Point shops

Reflex Systems: In Brief
- Privately held; founded in 2000
- Formerly Reflex Security
  - Changed name in 2008
- Prior focus was IPS space, now completely focused on virtualization
- First company to sell virtual security

Reflex Systems: Products
- Virtualization Management Center (Version 2.1)
  - Multi-hypervisor management tool
- Virtual Security Appliance (Version 1.9.0)
  - Virtual Firewall, IDS, IPS

Reflex Strengths
- Supports multiple virtualization platforms
  - VMware with limited support for Citrix, Microsoft
  - Further enhancements for Citrix and Microsoft coming in 2009
- Automates error-prone tasks using vCenter API
  - Automatic creation and deployment of firewall instances
  - Manages virtual network
- Offers multiple modes of protection for VMs
  - Off-line passive (monitor only mode)
  - In-line active: Inspects traffic as it enters and leaves physical ports of ESX server
  - In-line segmented: Restricts and inspects host-to-host guest VM traffic
- Won best of VMworld 2008 award
- OEM deals with Dell, Novell

Reflex Strengths: Continued
- vTrust (VMsafe)
- Dynamic Policy Enforcement and Management: the ability to specify security rules that adapt and move with the virtual assets
- Policy Extends into the Cloud: providing a cloud security API
- Virtual Segmentation: create virtual trust zones on shared resources by dynamically partitioning the virtual infrastructure
- Virtual Quarantine: enforce data center policy when VMs are provisioned
- Virtual Networking Policies: create and enforce a DMZ, block specific kinds of network traffic between virtual machines

Reflex: Virtualization Management Center

Reflex Weaknesses
- No redundancy
  - VMC is a single-threaded solution that relies solely on the redundancy of virtual environments, rather than any redundancy within the application itself
- Support
  - Reflex Systems doesn't sell directly to customers, and instead uses resellers and integrators. This means that your initial support calls go to the company from which you purchased; Reflex Systems only becomes involved when an issue is escalated.

Reflex Opportunities
- More OEMs
- Acquisition
- Regulations requiring virtualized security
  - PCI

Reflex Threats
- Company "respin" fails
- Inability to establish itself in crowded management market
- Competitive product releases from larger, dominant players

Check Point Advantages vs. Reflex
- Full firewall with UTM and VPN capabilities
- Existing SmartCenter install base
  - SG VE is ideal for existing Check Point shops
- Check Point is focused on security, Reflex is focused on multi-hypervisor management

Reflex Feature Comparison
No teardown performed; some information missing

| Feature | Check Point SG VE R70 | Reflex 1.9.0 |
| --- | --- | --- |
| Runs as a VM appliance | Yes | Yes |
| Automated provisioning to protect new hosts and networks | No | Yes |
| Works with vMotion | Yes | Unknown |
| Protects by UUID rather than IP | No | Unknown |
| L2 Protection | Partial | VMsafe |
| L3 Protection | Yes | Yes |
| vCenter Integration | No | Yes |
| Requires vCenter | No | Unknown |
| Can monitor traffic to the Service Console | Yes | Unknown |
| Protects the Hypervisor kernel | No | Unknown |
| Monitoring & logging | Yes | Yes |
| Per VM policies | Yes (complicated) | Unknown |
| Central management | Yes | Yes |
| Redundancy | Yes | No |
| IPS | Yes | Yes |
| IDS | Yes | Yes |
| NAT | Yes | Unknown |
| VPN | Yes | Unknown |
| Anti-X | Yes | Unknown |
| Availability | Yes (R65, R70 soon) | Yes |
| Price | Starts at $7500 per ESX server (protect up to 5 virtual machines) | Unknown |

VMware (Blue Lane)
- vShield Zones
  - Announced February 2009, available late 2009
- Will use technology from Blue Lane acquisition
  - Beta code reportedly does not implement any of the Blue Lane "patching" features
- Main features
  - Firewall: Controls inter-VM traffic within an ESX host or between hosts in a cluster
  - Deep integration with vCenter
  - Verifiable compliance and audit logs

VMware vShield
vShield Zones - Summary
- Isolate VM zones based on logical, org, or network boundaries
- Hierarchical app-aware rules applied to VI containers
- Intuitive zone-based rules reduces policy errors
- One-click flow-to-firewall blocks precise network traffic
- Inter-VM visibility for security and compliance without diverting traffic
- Log and report on allowed and disallowed activity by application based protocols
- Assured policies throughout vMotion and VM lifecycle events
- Auditable security posture within VI irrespective of physical network

vShield Virtual Network Configuration

Installing vShield
- Up to 40.000 connections per agent
- Need an agent per vSwitch
- Need 1Gb per agent
- Does not protect service console or VMkernel components
- Default ruleset provides immediate protection and connectivity, cannot be changed

vShield Zones: Summary View
vShield Zones Configurations: Resource View
vShield Zones: Network View

VMware vShield Zones
- Need to have VMware ESX or ESXi 4.0 hosts and vCenter Server 4.0.
- vShield Zones is available as a free download with the Advanced, Enterprise and Enterprise Plus editions of ESX and ESXi.
- The current 1.0 version of vShield Zones is not yet integrated with VMware's new VMsafe technology
- vShield Zones consists of two components, both of which are deployed as virtual appliances from the included Open Virtualization Format (OVF) files.
  - vShield Manager (2Gb + 2Gb preset)
  - vShield agents, need one per vSwitch (1Gb + 1Gb preset)

Cisco Nexus 1000v

Cisco Nexus 1000V
Cisco VN-Link: Virtual Network Link
- Policy-Based VM Connectivity
- Mobility of Network & Security Properties
- Non-Disruptive Operational Model
[Diagram labels: VM, Nexus 1000V VEM, vSphere, vCenter, Nexus 1000V VSM]

Cisco Nexus 1000V: Faster VM Deployment
Cisco VN-Link: Virtual Network Link
- Policy-Based VM Connectivity
- Mobility of Network & Security Properties
- Non-Disruptive Operational Model
Port Pr