Published by Albert Burns. Modified over 9 years ago.
©2010 Check Point Software Technologies Ltd. | [Unrestricted] For everyone
Introduction to R71
Anton Razumov (Антон Разумов), arazumov@checkpoint.com
Security Consultant, Check Point Software Technologies
Slide 2: R71
New feature release, released in Q2 2010.
- What's new with IPS?
- IPSec VPN enhancements
- Improved Anti-Virus performance
- SecureXL by default in UTM-1 appliances
- Security Management enhancements: firewall rule expiration, automatic deletion of old database versions, object management improvements
- Other enhancements: Data Loss Prevention (DLP) Blade, SSL VPN Blade
Slide 3: Agenda - IPS
1. Introduced in R70.20 (and now an integral part of R71)
2. R71 IPS contract enforcement
3. R71 IPS other news
Slide 4: IPS Event Analysis (IPSA)
(Screenshot panels: old front page, timeline, statistics, critical events.)
Slide 5: Prevention - block a specific region
Geo-Protection allows:
- Complying with certain regulations by blocking and logging traffic from certain countries
- Analyzing where attacks come from
- Increasing or decreasing confidence that a certain event is an attack, based on where it came from
- Identifying malware trying to "call home"
Slide 6: Geo Protection view
(Screenshot.)
Slide 7: Other Web Intelligence log improvements
- Web server type and browser type are included in IPS logs of web-related protections
- Logs now show the original IP addresses of proxied connections
- Packet capture on the first trigger of any protection
Slide 8: IPS R71 Management - overview
Located in the IPS tab of SmartDashboard:
- Information on available unified updates
- RSS feed of recently updated protections
- Quick view of alerts in the network
Slide 9: IPS-1 Sensor - management
- Choose to also manage IPS-1; each sensor/gateway is listed
- Profiles contain both IPS-1 and IPS Software Blade protections, and can be applied to both IPS-1 appliances and gateways
- Select which type of sensor to add
- List of IPS-1 and IPS Software Blade gateways
Slide 10: Agenda - IPS, section 2: R71 IPS contract enforcement
Slide 11: R71 IPS contract enforcement
- The Software Blade architecture was released in March 2009 as R70
- The IPS Software Blade is a Service Blade, which requires an annual subscription in order to use it and to download protection updates
- Starting with R71, each Security Gateway must have a valid subscription, also known as an "IPS contract"
Slide 12: Contract types
There are 4 types of IPS Software Blade contracts:
- CPSB-IPS: covers most open server gateways, all Power-1 gateways and some of the UTM-1 models
- CPSB-IPS-S1: covers UTM-1 130, UTM-1 270, UTM-1 570 and SG101
- CPSB-IPS-HA: for secondary cluster members in a gateway cluster; covers most open server gateways, all Power-1 gateways and some of the UTM-1 models
- CPSB-IPS-S1-HA: for secondary cluster members in a gateway cluster; covers UTM-1 130, UTM-1 270, UTM-1 570 and SG101
Each contract must be attached to a Blade Container.
Slide 13: Contracts information
- To check whether a gateway has a valid contract, locate the gateway's container in the UserCenter; choosing a container shows its associated contracts
- Contract information must be imported into SmartUpdate in order to use the IPS Blade
- See sk44245
Slide 14: Contract notifications
- SmartUpdate can show notifications about expired contracts
- The Messages window in the IPS tab will also show this information
Slide 15: Contract notifications
Policy installation will also notify about IPS contract issues.
Slide 16: Insufficient IPS contract coverage
If an IPS contract is not available, IPS Blade functionality is restricted as follows:
- Protections are limited to those which were available as of March 2009 (the same protection set which existed when R70 was released)
- All protections introduced after March 2009 are disabled
Slide 17: IPS Blade grace periods
- Grace periods are periods after the IPS Blade contract expires in which the protections are still active and no restrictions are applied, but warnings are issued regarding the missing contract
- The grace period is 60 days, starting from the latest contract expiration date on that gateway
- Grace periods are calculated per gateway individually
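The enforcement rules on the two slides above (restricted protection set without a contract; a 60-day grace period counted from the latest expiry, per gateway) written out as a small model. This is an added example, not Check Point code; the gateway names, contract dates and protection names are constructed, and the treatment of a gateway that never had any contract (restricted immediately, no grace period) is an assumption.

```python
"""Model of R71 IPS contract enforcement: valid contract, 60-day grace
period per gateway, and the restricted (March 2009) protection set.
Added example, not Check Point code; sample data is constructed."""
from datetime import date, timedelta

GRACE_DAYS = 60                  # grace period after the latest contract expiry
R70_CUTOFF = date(2009, 4, 1)    # protections released before this were "available as of March 2009"


def contract_state(today, expiry_dates):
    """Return 'valid', 'grace' or 'restricted' for one gateway.

    expiry_dates: expiry dates of every IPS contract attached to the
    gateway's container.  The grace period counts from the latest of
    them, so an older expired contract cannot shorten it.  A gateway
    with no contract at all is treated as restricted (assumption).
    """
    if not expiry_dates:
        return "restricted"
    latest = max(expiry_dates)
    if today <= latest:
        return "valid"
    if today <= latest + timedelta(days=GRACE_DAYS):
        return "grace"
    return "restricted"


def active_protections(state, protections):
    """Names of the protections a gateway enforces in the given state.

    protections: list of (name, release_date).  In 'valid' and 'grace'
    everything is enforced; in 'restricted' only the R70-era set remains.
    """
    if state in ("valid", "grace"):
        return [name for name, _ in protections]
    return [name for name, released in protections if released < R70_CUTOFF]


def fleet_report(today, gateways):
    """Per-gateway state, because grace periods are calculated per gateway."""
    return {gw: contract_state(today, expiries) for gw, expiries in gateways.items()}


# Constructed sample data (not real protection or gateway names).
PROTECTIONS = [
    ("baseline-protection-1", date(2009, 1, 20)),
    ("baseline-protection-2", date(2009, 3, 15)),
    ("newer-protection-1", date(2009, 9, 1)),
    ("newer-protection-2", date(2010, 4, 20)),
]
GATEWAYS = {
    "gw-hq": [date(2010, 12, 31)],
    "gw-branch": [date(2009, 12, 31), date(2010, 4, 15)],   # renewed once
    "gw-lab": [date(2010, 3, 1)],
    "gw-new": [],
}

if __name__ == "__main__":
    today = date(2010, 6, 1)
    for gw, state in fleet_report(today, GATEWAYS).items():
        print(gw, state, active_protections(state, PROTECTIONS))
```

The point worth checking in a real fleet is the "latest expiry" rule: a gateway whose container holds an old expired contract plus a renewal is fine, but a gateway whose renewal was bought but never attached to its container still counts from the old date and drops into the restricted set silently after 60 days.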
Slide 18: Agenda - IPS, section 3: R71 IPS other news
Slide 19: IPS updates
- With R71 it is now possible to schedule IPS updates
- Policy can also be installed automatically after updates
- Offline updates are available after accepting special EULA terms (next slide)
Slide 20: Offline update
The customer must send Check Point a mail to get access to offline updates at this page: http://www.checkpoint.com/defense/updates/index.html
Slide 21: Service based link selection
Slide 22: Agenda - Service Based Link Selection
1. Introduction
2. Overview and technology
3. Scenarios
Slide 23: Introduction and terminology
Source based routing
- Not to be confused with "source routing", where the source host determines the network route
- Source based routing means deciding the route through the network based on the source IP address of the packet, and is typically considered a part of policy based routing
Policy based routing
- Policy-based routing may also be based on the size of the packet, the protocol of the payload, or other information available in a packet header or payload, such as the service
- This permits routing packets originating from different sources to different networks even when the destinations are the same, and can be useful when interconnecting several private networks
Slide 24: What does R71 introduce?
Expansion of existing technologies: IPsec VPN link selection on the VPN gateway
- Outgoing packet selection (outbound)
- Remote peer selection (inbound)
- Uses a probing mechanism: Check Point RDP on UDP port 259 (unrelated to Microsoft Remote Desktop)
Up to R71 the only method available was hot-standby high availability, with one link active at any given time. R71 introduces VPN link load sharing and service based link selection.
Slide 25: Agenda - Service Based Link Selection, section 2: Overview and technology
Slide 26: Link Selection ... why?
Slide 27: Link Selection - how should the gateway behave?
(Diagram: local gateway with three links, ISP 1, ISP 2 and ISDN, to a peer gateway.)
- Use the primary ISP to establish the VPN with the peer gateway
- Use another ISP as backup
- When all else fails, use dial-up (or DSL, or Frame Relay)
- Test peer gateway availability through each link: "ping" / "pong" (peer is available on this link), "ping" / "pong" (peer is available on this link, too)
Slide 28: Link Selection
The challenge is connectivity:
- How should remote peers select the IP address of the gateway?
- How should the gateway route its own outgoing VPN traffic?
The mechanisms used for this feature have been enhanced since NGX R60.
Slide 29: Link Selection
The first mechanism determines how remote peers resolve the IP address of the local gateway. Remote peers can connect to:
- The main IP address of the gateway
- A single IP address reserved for VPN (which does not have to be an interface IP; the address could be the statically NATed IP address of the VPN gateway)
- One of multiple IP addresses available for VPN traffic
If a gateway has multiple IP addresses available for VPN traffic, the correct address for VPN is discovered through one of the following:
- Topology information contained in the network object
- DNS lookup
- One-time RDP probing (via RDP packets)
- Ongoing RDP probing (via RDP packets)
For both probing options (one-time and ongoing) a primary interface can be assigned. If not all of the gateway's interfaces are used for VPN, a smaller set of interfaces can be selected.
Slide 30: Link Selection
The second mechanism, Route Based Probing (for link selection), also uses RDP probing to determine how the local gateway selects an interface for outgoing VPN traffic. Using Route Based Probing, the gateway consults the routing tables and selects an active link with the lowest metric (highest priority).
These two mechanisms cover a lot of connectivity scenarios. As examples, the manual covers the following:
- Gateways with a single IP address for VPN
- Gateways with several IP addresses used by different parties for VPN
  - Gateways hidden behind a static NAT device
  - Gateways located on an internal private network
- Gateways with a dynamic IP address for VPN
- Gateways with multiple IP addresses providing High Availability (HA)
Slide 31: Link Selection - High Availability, incoming tunnel
(Diagram: remote peer; local gateway with eth0 and eth1.)
- The remote peer polls the local gateway to discover the IP address associated with the interface available for VPN
- If one link goes down, an alternative link is used for VPN traffic
Slide 32: Link Selection - example: High Availability, outgoing tunnel
(Diagram: local gateway with eth0 and eth1; remote peer.)
- The IP address used for outgoing traffic on the local gateway is determined via the Route Based Probing mechanism
- Each entry in the routing table contains the following information: destination IP address, prefix, source interface, IP address of the next-hop router
- After probing all routing possibilities, the gateway selects the best match (longest prefix length) active route with the lowest metric, and hence the highest priority
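The Route Based Probing decision described on the two slides above (skip routes whose link failed probing, then longest prefix, then lowest metric), as an added example that is not Check Point code. The routing table, the peer addresses and the probe results are constructed; real gateways take them from the routing table and the RDP probing state.

```python
"""Route Based Probing selection for outgoing VPN traffic.
Added example (not Check Point code); routes, peers and probe results are constructed."""
from ipaddress import ip_address, ip_network

# Constructed routing table of the local gateway: destination prefix,
# source (outgoing) interface, next-hop router, metric (lower = higher priority).
ROUTES = [
    ("0.0.0.0/0",      "eth0", "203.0.113.1",  10),   # default via ISP 1
    ("0.0.0.0/0",      "eth1", "198.51.100.1", 20),   # default via ISP 2
    ("192.0.2.0/24",   "eth1", "198.51.100.1", 5),    # peer network, preferred via ISP 2
    ("192.0.2.128/25", "eth0", "203.0.113.1",  50),   # more specific but worse metric, via ISP 1
]


def select_route(peer_ip, routes, link_up):
    """Return (interface, next_hop) used to reach peer_ip, or None.

    link_up maps interface name -> result of the RDP probe on that link.
    Routes over a link that failed probing are skipped.  Among the rest the
    longest prefix wins; ties are broken by the lowest metric.
    """
    peer = ip_address(peer_ip)
    best, best_key = None, None
    for prefix, iface, next_hop, metric in routes:
        net = ip_network(prefix)
        if peer not in net or not link_up.get(iface, False):
            continue
        key = (-net.prefixlen, metric)   # longest prefix first, then lowest metric
        if best_key is None or key < best_key:
            best_key, best = key, (iface, next_hop)
    return best


def failover_sequence(peer_ip, routes, link_states):
    """Replay a series of probe results and return the choice made after each,
    which is the HA 'outgoing tunnel' scenario: the link moves when a probe fails."""
    return [select_route(peer_ip, routes, state) for state in link_states]


if __name__ == "__main__":
    # Constructed probe history: both links up, then eth0 fails, then both fail.
    history = [{"eth0": True, "eth1": True}, {"eth0": False, "eth1": True}, {"eth0": False, "eth1": False}]
    print(failover_sequence("192.0.2.200", ROUTES, history))
```

Note the first case in the test: the /25 route wins for 192.0.2.200 even though its metric (50) is far worse than the /24 route's (5), because prefix length is compared before metric. When you tune link preference with metrics, the more specific route still takes precedence.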
Slide 33: Agenda - Service Based Link Selection, section 3: Scenarios
Slide 34: Link Selection - High Availability
(Diagram: two gateways with eth0 and eth1 each; eth0 is the primary link.)
Slide 35: Link Selection - Load Sharing
(Diagram: two gateways with eth0 and eth1 each; both links carry traffic.)
Slide 36: Link Selection - Service Based
(Diagram: two gateways with eth0 and eth1 each; VoIP on one link, all other traffic on the other.)
Slide 37: Link Selection - Service Based
(Diagram: VoIP over ISP-1 and ISP-2; all other traffic over ISP-3 and ISP-4.)
Slide 38: Link Selection - Service Based, VoIP failover
(Diagram: VoIP over ISP-1 and ISP-2, all other traffic over ISP-3 and ISP-4; VoIP fails over between the VoIP links.)
Slide 39: Link Selection - Service Based, VoIP failover
(Diagram: same topology; VoIP failover.)
Slide 40: Link Selection - Service Based, "All other traffic" failover
(Diagram: same topology; all other traffic fails over across ISP-1 to ISP-4.)
It is not possible to disallow failover for "All other traffic".
Slide 41: Link Selection - Service Based configuration
- Link Selection: Load Sharing
- Route Based Probing
Configuration file on the management:
Gateway  Interface  Service  [dont_failover]
A        eth0       VoIP
B        eth0       VoIP
(Diagram: gateways A and B with eth0 and eth1 each; VoIP on eth0, all other traffic on eth1.)
Slide 42: vpn_service_based_routing.conf
The configuration file includes the following fields:
- Gateway: the gateway that sends the traffic according to the service. Valid values: a single VPN gateway or cluster object.
- Interface: outgoing interface for the listed services. Valid values: a single interface name (as shown in the Topology page of the gateway in SmartDashboard). Note that a specific interface can appear only once in the configuration file.
- Service: service configuration for the given interface. Valid values: a group or a single service object.
- dont_failover flag (optional): if this string is present, the service stays sticky on the configured interface. Even if the link associated with the interface is reported as "down" by the probing session, connections of the configured service will still be routed through the configured interface. The consequence is that those connections fail while the link is down instead of moving to another link, so use the flag only for services that must never cross a different link.
Example:
Gateway  Interface  Service       [dont_failover]
A        eth0       ABC
B        eth0       XYZ (group)
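A parser for the file format described above together with the interface decision it drives (service-based interface when its link is up, sticky interface under dont_failover even when the link is down, normal failover otherwise, and "all other traffic" always following the route-based choice). This is an added example, not Check Point code: the whitespace-separated column layout, the `#` comment convention, the group definitions and the link states are assumptions; the slide lists eth0 for both gateway A and gateway B, so the "interface appears only once" rule is enforced per gateway here, which is also an assumption.

```python
"""Parser and interface selection for a vpn_service_based_routing.conf-style file.
Added example (not Check Point code); file layout, groups and link states are assumed."""

# Constructed service groups: a Service column entry may name a group object.
GROUPS = {
    "VoIP": {"sip", "h323", "rtp"},
}

# Constructed configuration (same columns as the slide; '#' comments assumed).
SAMPLE_CONF = """\
# Gateway  Interface  Service  [dont_failover]
A          eth0       VoIP     dont_failover
A          eth1       Mail
B          eth0       VoIP
"""


def parse_conf(text, groups=GROUPS):
    """Return {gateway: [(interface, set_of_services, dont_failover), ...]}.

    Raises ValueError on a malformed line or when an interface is listed
    twice for the same gateway (assumed reading of the once-only rule).
    """
    conf = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) not in (3, 4) or (len(fields) == 4 and fields[3] != "dont_failover"):
            raise ValueError("line %d: expected 'Gateway Interface Service [dont_failover]'" % lineno)
        gateway, iface, service = fields[:3]
        entries = conf.setdefault(gateway, [])
        if any(e[0] == iface for e in entries):
            raise ValueError("line %d: interface %s listed twice for gateway %s" % (lineno, iface, gateway))
        services = set(groups.get(service, {service}))   # group object or single service
        entries.append((iface, services, len(fields) == 4))
    return conf


def select_interface(conf, gateway, service, link_up, candidates):
    """Choose the outgoing interface for one connection of `service` on `gateway`.

    link_up:    probing result per interface (True = link up)
    candidates: interfaces in route-based preference order; used for
                'all other traffic' and as the failover path
    Returns (interface, reason); interface is None when no link is usable.
    """
    reason = "route-based"
    for iface, services, sticky in conf.get(gateway, []):
        if service not in services:
            continue
        if link_up.get(iface, False):
            return (iface, "service-based")
        if sticky:
            # dont_failover: stay on the interface although probing reports it
            # down; these connections fail rather than move to another link.
            return (iface, "dont_failover (link down)")
        reason = "failover"
        break
    for iface in candidates:
        if link_up.get(iface, False):
            return (iface, reason)
    return (None, "no active link")


if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)
    probes = {"eth0": False, "eth1": True}          # constructed: eth0 failed probing
    for gw, svc in (("A", "sip"), ("B", "sip"), ("A", "http")):
        print(gw, svc, select_interface(conf, gw, svc, probes, ["eth0", "eth1"]))
```

Running the block with eth0 down shows the difference the flag makes: gateway A keeps SIP on the dead eth0 (dont_failover), gateway B moves SIP to eth1, and HTTP on either gateway simply follows the first live candidate, matching the rule that failover for "all other traffic" cannot be disabled.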
Slide 43: R71 UTM AV and URLF acceleration
Slide 44: Agenda
1. What's new?
2. Anti Virus in detail
3. URL Filtering in detail
4. Performance
Slide 45: What's new? Anti Virus
- Move to the industry-leading AV engine by Kaspersky, providing better coverage than the current AV solution
- Two detection modes:
  - New stream mode (default): new kernel streaming architecture, based on virus signatures, focusing on viruses in the wild ("WildList")
  - Proactive mode: similar architecture to the R70 AV solution, but based on the improved engine
- Performance is significantly better, higher than the IPS recommended feature set: UTM-1 3070: 1.3 Gbps throughput, Power-1 9070: 3.6 Gbps throughput
- Improved stability and memory consumption
Slide 46: What's new? URL Filtering
- Move to the SecureComputing URL Filtering engine, improving coverage and accuracy
- Move to a new kernel architecture. This eliminates the limitation on concurrent connections which was dictated by the Security Servers architecture and improves URL Filtering performance: UTM-1 3070: ~500K concurrent connections, Power-1 9070: ~750K concurrent connections
- Improved stability and memory consumption
- Support for wildcard characters ('*') in Allow/Block lists
Slide 47: Agenda, section 2: Anti Virus in detail
Slide 48: Antivirus in detail
Stream mode
- Default operation mode
- Kernel streaming architecture based on signatures provided by Kaspersky; currently more than 13,000 signatures
- Focusing on viruses in the wild; excellent detection rate on the "WildList"
- Performance is significantly higher, similar to and even better than the IPS recommended feature set: UTM-1 3070: 1.3 Gbps throughput, Power-1 9070: 3.6 Gbps throughput. Latency is minimal.
- Limitations: zoo viruses; polymorphic viruses, or ones whose signatures require multiple passes or other heuristics
Proactive mode
- Same as the R70 architecture, using Security Servers
- Based on the Kaspersky KAV engine, which performs advanced heuristics including sandbox simulation: decompressing files, multiple passes and other heuristics. The number of signatures is irrelevant, since it uses both proactive heuristics and signatures
- Excellent detection rate and proactive capabilities for all viruses, wild and zoo
- Performance is similar to the current AV solution
Slide 49: Antivirus in detail II
Common
- Update of the AV database is done via the current update mechanism; no change in the GUI compared to R70: automatic update (recommended) or manual update
- Same behaviour of the File Type feature. Note that the file type policy is available in stream mode as well, implemented in the kernel
Upgrade
- If a customer currently using the existing AV solution upgrades to R71, the gateways continue to work in Proactive mode (!) until the customer decides to move to stream mode
- One little check box that makes a world of change
Slide 50: Antivirus in detail III - traffic flow
(Diagram: HTTP request, HTTP response.)
Slide 51: Antivirus in detail III - architecture
(Diagram: parser; kernel streaming layer; connection layer; file type; pattern matcher; AV kernel module with signature DB and generic filters; block the connection if necessary.)
Slide 52: Antivirus in detail III - traffic flow
(Diagram: HTTP response.)
Slide 53: Antivirus in detail IV
Environment
- UTM peripheral capabilities did not change: File Type and general settings; fallback options (block or accept); logs, SmartView Tracker, SmartView Monitor
- Backward compatibility is supported
- Reports have been added to SmartEvent
Slide 54: Antivirus in detail V
Even though an R71 system will prevent a live virus in its default mode, the EICAR test file is handled according to the following kernel parameter:
fw ctl set int g_ci_av_eicar_handling_mode <mode>
where mode can be:
- 0: monitor only
- 1: ignore
- 2: block
The default is 0, so in the default configuration an EICAR download is not blocked; set the mode to 2 before using EICAR to verify that blocking works, otherwise the test will wrongly suggest that AV is not active. A value set with fw ctl set int is lost at reboot; to keep it, add the parameter to $FWDIR/boot/modules/fwkern.conf.
Slide 55: Agenda, section 3: URL Filtering in detail
Slide 56: URL Filtering in detail I
Our new kernel architecture:
- Connections are all handled in kernel mode and not folded to Security Servers
- Eliminates the limitation on concurrent connections which was dictated by the Security Servers architecture and improves the performance numbers: UTM-1 3070: ~500K concurrent connections, Power-1 9070: ~750K concurrent connections
- Results are cached in the kernel, so the actual categorization is often skipped, which leads to even better performance
- When the URL is not in the cache, categorization is done in user mode, but connection handling is all done in the kernel; the flow is non-blocking and does not interrupt other connections
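The decision path on this slide and the wildcard Allow/Block lists mentioned under "What's new? URL Filtering", as one added example that is not Check Point code: list entries where only '*' is special, an in-kernel style result cache consulted first, and a user-mode category lookup only on a cache miss (the point at which the real gateway holds the response). The category database, the blocked categories and the evaluation order (allow list before block list before categorization) are assumptions for illustration.

```python
"""URL Filtering decision path: '*' wildcard allow/block lists, a result cache,
and a category lookup only on a cache miss.
Added example (not Check Point code); database, categories and list order are assumed."""
import re
from urllib.parse import urlsplit

# Constructed stand-in for the user-mode URLF database (host -> category).
CATEGORY_DB = {
    "www.example.com": "Business",
    "casino.example.net": "Gambling",
    "cdn.example.org": "Content Delivery",
}
BLOCKED_CATEGORIES = {"Gambling", "Malware"}


def wildcard_pattern(entry):
    """Compile an allow/block list entry in which only '*' is special
    (it matches any run of characters); everything else is literal."""
    return re.compile("^" + ".*".join(re.escape(part) for part in entry.split("*")) + "$", re.IGNORECASE)


class UrlFilter:
    def __init__(self, allow_list, block_list, db=CATEGORY_DB, blocked=BLOCKED_CATEGORIES):
        self.allow = [wildcard_pattern(e) for e in allow_list]
        self.block = [wildcard_pattern(e) for e in block_list]
        self.db = db
        self.blocked = blocked
        self.cache = {}     # host -> category: the in-kernel result cache
        self.lookups = 0    # user-mode queries actually issued

    def _user_mode_lookup(self, host):
        # The real gateway queues this query and holds the HTTP response until it returns.
        self.lookups += 1
        return self.db.get(host, "Uncategorized")

    def decide(self, url):
        """Return (action, source, category) for one HTTP request.

        action: 'accept' or 'block'
        source: which stage decided: 'allow-list', 'block-list', 'cache' or 'lookup'
        """
        host = (urlsplit(url).hostname or "").lower()
        if any(p.match(host) for p in self.allow):
            return ("accept", "allow-list", None)
        if any(p.match(host) for p in self.block):
            return ("block", "block-list", None)
        if host in self.cache:
            category, source = self.cache[host], "cache"
        else:
            category, source = self._user_mode_lookup(host), "lookup"
            self.cache[host] = category
        return ("block" if category in self.blocked else "accept", source, category)


if __name__ == "__main__":
    f = UrlFilter(allow_list=["*.example.org"], block_list=["*.evil-example.com"])
    for u in ("http://casino.example.net/play", "http://casino.example.net/again",
              "http://cdn.example.org/lib.js", "http://ads.evil-example.com/"):
        print(u, f.decide(u))
    print("user-mode lookups:", f.lookups)
```

Two things the code makes visible that the slide only implies: the allow/block lists are matched on the host, so a wildcard such as `*.example.org` matches every subdomain but not `example.org` itself; and the cache here never expires, so a site that is recategorized keeps its old verdict until the entry is dropped, which is why a production cache needs a TTL.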
Slide 57: URL Filtering in detail II
Clean installation and upgrade
- A URLF database update must be performed; this process may take several minutes the first time
Upgrade
- Gateways that are upgraded to R71 will automatically start using the new URLF engine in the kernel if URLF was enabled before the upgrade
- Backward compatibility is supported
Slide 58: URL Filtering in detail III - traffic flow
(Diagram: HTTP request.)
Slide 59: URL Filtering in detail III - cache miss
(Diagram: parser; kernel streaming layer; connection layer; caching matcher; UF kernel module with generic filters; user-mode UF query queue and UF DB. The response is held until categorization returns, then resumed, or the connection is blocked.)
Slide 60: URL Filtering in detail III - cache hit
(Diagram: same path; the URL is in the cache filter, so there is no need to hold the response; the connection is blocked if necessary.)
Slide 61: URL Filtering in detail III - traffic flow
(Diagram: HTTP request.)
Slide 62: Agenda, section 4: Performance
Slide 63: R71 UTM-1 Boost - AV / URLF
Maximum performance and capacity, R70 versus R71 ("Boost" is the R71/R70 ratio):

                                          UTM-1 276                UTM-1 1076                UTM-1 3076
                                          R70     R71      Boost   R70     R71       Boost   R70      R71
FW (1518 bytes), Mbps                     600     1,500    x2.5    2,000   3,000     x1.5    4,500    (not on slide)
IPS throughput, default protections, Mbps 380     1,000    x2.6    900     2,200     x2.7    4,000    (not on slide)
Anti-Virus, Mbps                          30      120      x4      75      300       x4      175      1,200
Connection rate (cps)                     3,400   10,000   x2.9    8,800   25,000    x2.8    35,000   54,000
Max concurrent HTTP AV & URLF             2,500   50,000   x20     4,000   110,000   x27     6,500    280,000

All UTM-1 platforms include SecureXL (R71).
Slide 64: Q&A
Q: Does AV use CoreXL?
A: Yes.
Q: Does changing stream mode to proactive mode require a restart of the FW service?
A: No, only policy installation.
Q: What's the upgrade process?
A: If AV was activated in the old version it will continue to work in proactive mode after the upgrade; if it was initially disabled, its default mode will be stream mode.
Q: Do we support Antivirus offline updates?
A: Yes, the process is being defined. Planned to be available during Q2/Q3 2010.
Q: Is FTP accelerated as well?
A: No, FTP is handled as before, in proactive mode.
Slide 65: Summary
Anti Virus
- Moved to the industry-leading AV engine by Kaspersky
- New stream mode utilizing more than 13,000 signatures, updated daily, to protect against viruses in the wild
- Performance is significantly higher
- Eliminated the limitation on connection concurrency
- Significant improvement in memory consumption as well
URL Filtering
- Move to the SecureComputing URL Filtering engine
- Move to a new kernel architecture
- Performance is significantly higher
- Eliminated the limitation on connection concurrency
- Significant improvement in memory consumption as well
- Support for wildcard characters ('*') in Allow/Block lists
Slide 66: Security Management enhancements
Firewall rule expiration
- In SmartDashboard, temporary rules and expired rules are marked by new clock-shaped icons
- Rule expiration can be added to existing rules, or created as an independent object and applied to multiple rules
- New filtering options enable you to quickly find all temporary rules in SmartDashboard's Security Rule Base, or only those rules which have expired
Automatic deletion of old database versions
Object management improvements
- Define the default access mode for SmartDashboard
- Multi-select and group
Slide 67
Anton Razumov (Антон Разумов), arazumov@checkpoint.com
Security Consultant, Check Point Software Technologies