©2010 Check Point Software Technologies Ltd. | [Unrestricted] For everyone Что нового появилось после выхода R70 Антон Разумов Консультант по безопасности Check Point Software Technologies

2 2©2010 Check Point Software Technologies Ltd. | [Unrestricted] For everyone | R70 introduced with:

3 3©2010 Check Point Software Technologies Ltd. | [Unrestricted] For everyone | R70.1

4 4 Introducing R70.1 SmartWorkflow blade Hardware monitoring Various features GUI enhancements

5 5©2010 Check Point Software Technologies Ltd. | [Unrestricted] For everyone | Introducing SmartWorkflow Check Point’s SmartWorkflow software blade automates security policy change management Enforces a formal process of tracking, approving and auditing security policy changes Reduces errors by providing granular visibility into policy changes Enhances compliance through audit trails and built-in role segregation Aligns to an organization’s existing change management approval process Streamlines change management increasing operational efficiency One-stop, total policy lifecycle management integrated into SmartDashboard

6 6©2010 Check Point Software Technologies Ltd. | [Unrestricted] For everyone | SmartWorkflow Operation Mode

7 7©2010 Check Point Software Technologies Ltd. | [Unrestricted] For everyone | Smart Workflow Automatic security database revisions Highlighting the changes in SmartDashboard Allowing visual navigation between the changes Allow discarding the changes and returning back to the previous database revision. Allow generating change comparison report Audit trailing change R70.1 SmartWorkflowplanned for R70.1

8 8©2010 Check Point Software Technologies Ltd. | [Unrestricted] For everyone | Hardware Health Monitoring Capabilities RAID Health: Monitor the health of the disks in the RAID array, and be notified of the states of the volumes and disks. The information is available via SNMP. Sensors: Monitor fan speed, voltages, and temperatures on the hardware. The information is available via SNMP and, for Check Point appliances, also via the SecurePlatform Web interface. R70.1 HW monitoring:

9 9©2010 Check Point Software Technologies Ltd. | [Unrestricted] For everyone | Link Aggregation 802.3ad  Both interfaces need to be connected to the same switch when aggregating  Up to 8 NIC’s in a bond  No limit besides the SPLAT limit of 1015 total interfaces  Both HA and LS are supported Ability to set IP address trough LCD Changed URLF filter database provider Remote Deployment Tool (USB based tool to allow initial OS configuration) R70.1 additional features:

10 ©2010 Check Point Software Technologies Ltd. | [Unrestricted] For everyone | Quick Add Object - Allows you to easily find and insert objects into the Security Rule Base Where Used > Go To - Allows you to jump from the Where Used window to the locations it references. Easily View Group Members - When hovering over a Group in the Rule Base, a tooltip displays the Group members. Extended Clone Functionality - The Clone functionality, which allows creating a new object based on an existing one, is extended to include Services, IP ranges, Group objects, etc. Read Only State for Object Properties - In numerous key fields of the object properties it is now possible to copy the text of the fields while in ‘Read-only’ state. Delete Multiple Database Versions – While in the Database Revision Control window, it is possible to select multiple Database Versions and delete them at once. R70.1 GUI enhancements

11 ©2010 Check Point Software Technologies Ltd. | [Unrestricted] For everyone | R70.20

12 ©2010 Check Point Software Technologies Ltd. | [Unrestricted] For everyone | Event Correlation & IPS Event Analysis Software Blades Update Reporting Blade Updates IPS Software Blade Update Multi-Core Licensing Moving on to R70.20, what’s new:

13 ©2010 Check Point Software Technologies Ltd. | [Unrestricted] For everyone | IPS Event Analysis Client

14 ©2010 Check Point Software Technologies Ltd. | [Unrestricted] For everyone | New Real Time Views & Simplified Events Processing Timeline View Charts View Maps View Group By – Real Time Pivots and Graphs for Data User / machine identification

15 ©2010 Check Point Software Technologies Ltd. | [Unrestricted] For everyone | Timeline View

16 ©2010 Check Point Software Technologies Ltd. | [Unrestricted] For everyone | Charts View

17 ©2010 Check Point Software Technologies Ltd. | [Unrestricted] For everyone | Maps View

18 ©2010 Check Point Software Technologies Ltd. | [Unrestricted] For everyone | Group By – Real Time Pivots and Graphs for Data

19 ©2010 Check Point Software Technologies Ltd. | [Unrestricted] For everyone | User / machine identification: The challenge Ability to identify users and computers passing through the firewall Distinguish between corporate and unmanaged devices Traffic monitoring and network maintenance Network and Security events analysis

20 ©2010 Check Point Software Technologies Ltd. | [Unrestricted] For everyone | User / machine identification: The Solution Introducing new Check Point firewall capability to provide Identity-based auditing Present user and machine identity in the firewall logs Leveraging Check Point SmartView Tracker and Eventia logging solutions The identity information is based on Microsoft Active Directory integration Identity-based Auditing User and machine identity in Check Point SmartView Tracker

21 ©2010 Check Point Software Technologies Ltd. | [Unrestricted] For everyone | User / machine identification: The use case Security and compliance audit Troubleshooting network issues Ability to distinguish corporate and unmanaged assets Helpdesk and maintenance Analyzing network usage Bring Identity Awareness to your Check Point firewall

22 ©2010 Check Point Software Technologies Ltd. | [Unrestricted] For everyone | User / machine identification: How it works User and Computer Identity is obtained from Active Directory (AD) security event logs The gathered AD log information is used to build an association map that is referenced for enriching Check Point logs with the AD username and computer name based on users’ IP address. Check Point Log Server uses WMI protocol to communicate with Active Directory Supported in SmartCenter management from R70.2 SmartView Tracker Eventia Reporter and Analyzer Does not require any installations on Active Directory server Does not require any installations on Active Directory server Leverage your existing security gateways, no upgrade is needed Leverage your existing security gateways, no upgrade is needed

23 ©2010 Check Point Software Technologies Ltd. | [Unrestricted] For everyone | User / machine identification: Flow Corporate Network HR Database Finance Database Microsoft Active Directory Data Center SmartCenter Log Server Security Gateway SmartView Tracker Logon to Domain - Username - Computer name - IP address 1 Send Logs (WMI) - User name - Computer name - IP address 2 User’s connection - Source IP address 3 Log: - Source IP address - Destination 4 Log Entry: - Destination Computer name - Source User & Computer name - Source & Destination IP address 5

24 ©2010 Check Point Software Technologies Ltd. | [Unrestricted] For everyone | SmartView Tracker Example – Identity auditing

25 ©2010 Check Point Software Technologies Ltd. | [Unrestricted] For everyone | User / machine identification: Summary Bring Identity-based auditing capability to you Check Point logging system to you Check Point logging system Leverage existing Check Point management and logging infrastructure: and logging infrastructure: SmartView Tracker and Eventia SmartView Tracker and Eventia Plug and Play clientless solution (no installations required on endpoints or AD) (no installations required on endpoints or AD) Simple and easy way to audit your users and machines activity on the network and machines activity on the network

26 ©2010 Check Point Software Technologies Ltd. | [Unrestricted] For everyone | Real-Time Analysis & Action Group By - On-Line Pivoting of Data (no need to export data externally) New Search Feature Forensics: Drill down from the “big picture” to events, then use advanced filtering / search / group / sort to go deeper, and finally go to raw logs / packet capture to understand exactly what happened.

27 ©2010 Check Point Software Technologies Ltd. | [Unrestricted] For everyone | New Search Feature

28 ©2010 Check Point Software Technologies Ltd. | [Unrestricted] For everyone | Forensics

29 ©2010 Check Point Software Technologies Ltd. | [Unrestricted] For everyone | Forensics

30 ©2010 Check Point Software Technologies Ltd. | [Unrestricted] For everyone | Workflow Open tickets, manage life cycle

31 ©2010 Check Point Software Technologies Ltd. | [Unrestricted] For everyone | Tickets

32 ©2010 Check Point Software Technologies Ltd. | [Unrestricted] For everyone | Tickets

33 ©2010 Check Point Software Technologies Ltd. | [Unrestricted] For everyone | Tickets

34 ©2010 Check Point Software Technologies Ltd. | [Unrestricted] For everyone | IPS Specific reports Overview Page showing everything IPS – Critical Issues, Top Events, Sources & Destinations, Latest Protections Detailed Hourly, Weekly and Monthly Reports with many categories IPS Event Analysis reports relating specifically to IPS events. Share IPS Event & Packet Capture with Check Point Security Research Team

35 ©2010 Check Point Software Technologies Ltd. | [Unrestricted] For everyone | IPS Event Analysis reports relating specifically to IPS events.

36 ©2010 Check Point Software Technologies Ltd. | [Unrestricted] For everyone | Share IPS Event & Packet Capture with Check Point Security Research Team

37 ©2010 Check Point Software Technologies Ltd. | [Unrestricted] For everyone | Reporting Blade Updates

38 ©2010 Check Point Software Technologies Ltd. | [Unrestricted] For everyone | Reporting Blade Updates 18 new regulatory compliance reports Standard web filtering activity report Additional information available for Endpoint Security reports

39 ©2010 Check Point Software Technologies Ltd. | [Unrestricted] For everyone | Compliance Reports

40 ©2010 Check Point Software Technologies Ltd. | [Unrestricted] For everyone | Standard web filtering activity report

41 ©2010 Check Point Software Technologies Ltd. | [Unrestricted] For everyone | Endpoint Security reports

42 ©2010 Check Point Software Technologies Ltd. | [Unrestricted] For everyone | IPS Software Blade Update

43 ©2010 Check Point Software Technologies Ltd. | [Unrestricted] For everyone | IPS Software Blade Update New Protection Category - Block by Country (called "Geo Protection" in IPS) Web Intelligence Log improvements Logs now show the original IP addresses of proxied connections Optional Packet Capture on First Instance of any Protection Several False Positive Fixes

44 ©2010 Check Point Software Technologies Ltd. | [Unrestricted] For everyone | Geo Protection

45 ©2010 Check Point Software Technologies Ltd. | [Unrestricted] For everyone | Multi-Core Licensing

46 ©2010 Check Point Software Technologies Ltd. | [Unrestricted] For everyone | Multi-Core Licensing The Check Point Security Gateway software license for multi-core, open server platforms allows you to use less than the number of physical cores on the system. R70.20 will automatically use the number of cores allowed by the license.

47 ©2010 Check Point Software Technologies Ltd. | [Unrestricted] For everyone | R70.30 and R70.40

48 ©2010 Check Point Software Technologies Ltd. | [Unrestricted] For everyone | What’s new in ? Maintenance HFA Non-English regional formats are now supported in the map visualization features of SmartDashboard. IPS Event Analysis and Eventia Analyzer. SmartWorkflow reports can now be viewed in Windows 7. It is now possible to use the SSL Network Extender client to access internal resources behind the Security Gateway, using a client digital certificate that is signed by a subordinate CA. The certificate need not be directly signed by a trusted CA. For example, the certificate can be signed by a CA that belongs to the organization itself, which is in turn signed by a trusted root CA.

49 ©2010 Check Point Software Technologies Ltd. | [Unrestricted] For everyone | What’s new in ? The R70.40 Security Management Server can manage: New to be introduced UTM-1 gateway for centrally managed branch offices UTM-1 Edge N Series and Embedded NGX 8.1 Release gateways VSX R67 and includes enhancements to the vsx_util command for improved user experience and IPSO 6.2 IP appliances with SmartProvisioning, including the ability to modify Interfaces, Routing, Backup, DNS, Domain Name, Hosts, and Host Names additional functionality

©2010 Check Point Software Technologies Ltd. | [Unrestricted] For everyone Антон Разумов Консультант по безопасности Check Point Software Technologies