vSEC

CHECK POINT & VMWARE NSX
AUTOMATING ADVANCED SECURITY
FOR THE SOFTWARE-DEFINED DATACENTER
Aleksandr Nosits
Security Engineer, Baltics
©2015 Check Point Software Technologies Ltd.
[Restricted] ONLY for designated groups and individuals
DATA CENTERS
are rapidly evolving.
DATA CENTER EVOLUTION
Virtual Datacenter:
• Server (compute) virtualization
• Network operation is manual
Software Defined Datacenter / Private Cloud:
• The network is also virtualized
• Services can be dynamically inserted and orchestrated via automation
VMWARE NSX - NETWORK VIRTUALIZATION
Network & Security Services in the Hypervisor - Programmatic control
• Virtual Switching and Routing
• Virtual Load Balancing
• Virtual L2-L4 Firewalling
Centrally and automatically manage network and advanced security services in the data center
SECURITY CHALLENGES IN THE CURRENT DATACENTER
Challenge #1: Increasing Traffic Inside the Datacenter
(Figure: north-south versus east-west traffic flows)
Perimeter (north-south) security is blind to 80% of the east-west data center traffic
Challenge #2: Lateral Threats Inside the Data Center
• Lack of security control between VMs
• Threats can easily traverse VLANs
• Threats attack a low-priority service and then move to critical systems
Modern threats can spread laterally inside the data center, moving from one application to another
Challenge #3: Security Ignores Data Center Changes
• New Virtual Machines
• Virtual Machine movement
• VMs that change IP address
• Dormant VMs that wake up
• VMs that move between VLANs
Traditional static controls fail to secure dynamic networks and highly mobile applications
Challenge #4: Security Inhibits Data Center Agility
How do you define a secure policy for catalog applications that have not been provisioned yet and still don't have an IP address?
Lack of security automation impacts business agility in delivering services and results in security gaps
WHAT IS NEEDED?
SECURITY REQUIREMENTS INSIDE THE DATA CENTER
1. Automated insertion and deployment of advanced threat prevention to protect inside the data center
2. Automated security provisioning to keep pace with dynamic data center changes
3. Security visibility into traffic inside the data center
Introducing:
Check Point Teams with VMware to Automate Advanced Security for the Software-Defined Data Center
• Distributed Firewall (DFW) protects East-West L2-L4 traffic.
  • Operates at the kernel level and processes packets close to line rate.
• Check Point vSEC Security Gateway also protects East-West traffic but can operate at L2-L7. vSEC provides additional L5-L7 capabilities like application identification, application inspection and user identification to NSX environments.
  • The vSEC Gateway operates in user space and processes packets up to 2 Gbps (per instance).
  • The vSEC Security Gateway uses the NetX API to redirect and inspect traffic.
• By default, traffic is secured by DFW unless explicit traffic redirection to the vSEC Gateway is defined.
• Traffic redirection provides the capability to steer specific traffic to the vSEC Gateway.
• Traffic redirection policy is expressed by the user through NSX Service Composer.
CHECK POINT & VMWARE
Automating Security inside the Data Center
Virtual Security with Advanced Threat Prevention + Next Generation Networking and Security
• Lateral Threat Prevention
• Automated Security Provisioning
• Security Control & Visibility
vSEC & NSX DATACENTER SECURITY
100% Software Based: Service, Network & Security
• Micro-Segmentation with advanced threat prevention: Segmented Data Center
• Automation of Virtual Network & Security: Security Orchestration between Virtual Machines
• Security Control for All Data Center Traffic: Consistent security for N-S and E-W traffic
VMWARE CORE PRODUCTS FOR SOFTWARE DEFINED DATACENTER (SDDC)

VMWARE PLATFORM FOR SOFTWARE DEFINED DATACENTER (SDDC)
(Figure, bottom to top: ESX Hosts (Cluster), NSX Virtual Network, Virtual Machines)
vSEC Architecture and Components
(Architecture figure; the components and the links between them are:)
• Check Point Management Server with the vSEC Controller, on GAIA OS, as a virtual or physical appliance
• SmartConsole (Windows client) to Management Server: SSL, TCP/443
• Management Server to vSEC Gateway: Check Point Secure Internal Communication (SIC)
• vSEC Controller to VMware NSX Manager: REST API over SSL
• vSEC Controller to VMware vCenter: vSphere API over SSL
• vSEC Gateway to VMware ESX: NetX API
vSEC Solution Components
• GAIA OS with Check Point Management Server (R77.30) + Add-On (R77.30) on a Virtual or Physical Appliance
  • For vSEC to work, an Add-On that enables the additional functionality must be installed.
  • The Check Point Management Server manages both virtual and physical Check Point Security Gateways. It can be deployed on a virtual or physical appliance.
• vSEC Security Controller (R77.30)
  • Installed as a hotfix. The controller learns the Security Groups and the specific vCenter inventory, which can then be used in security rules.
• vSEC Security Gateway (R77.20)
  • Virtual appliance running the vSEC firewall and advanced security blades/features; integrates with NSX via the NetX API.
  • Protects virtualized environments from internal and external threats.
• Check Point SmartConsole
  • Windows client application, used to manage the security policies.
vSEC Controller
• Resides on the Management Server and learns information about vCenter and NSX
• Communication between the vSEC Controller and NSX Manager/vCenter is over a secure SSL connection, using the REST API (NSX Manager) and the vSphere API (vCenter)
• The vSEC Controller polls every 30 seconds
What is learned from vCenter:
- vCenter inventory: VMs, Clusters, vApp, Resource pool, Data Center, Host, and Cluster Folder
What is learned from NSX Manager:
- Security Groups
vSEC Security Gateway
• Software Blade Architecture
• If traffic is redirected to the vSEC Gateway without any policy configured on the vSEC Gateway, the traffic will be dropped.
• Traffic comes from the user-mode NetX API into Check Point's user-mode fwk, which is the same program that runs in the kernel on hardware appliances.
• The vSEC Gateway is updated only on policy installation and on changes to the virtual objects used in the policy.
VM User Space:
- fwk (firewall engine)
- cpd (handles management communication)
- fwd (sends log messages)
- NetX API SDK
vSEC Solution Requirements
• vSphere Requirements:
VMware Component   Validated Build                     Notes
ESXi host          5.5 GA update 2 (build 2068190)     Testing for 6.0 in progress
vCenter Server     5.5 GA update 2 (build 2063318)     Testing for 6.0 in progress
NSX Manager        6.1.2 (build 2318232)               6.1.2 or later
* Currently vSEC supports only one NSX and one vCenter instance
• GAIA OS with Management Server and vSEC Controller Requirements for VM:
VM Resource   Minimum   Recommended with Reporting
CPU           2         4
RAM           4 GB      8 GB
Disk          50 GB     100 GB
vSEC Solution Requirements
• vSEC Gateway Requirements:
VM Resource         Minimum   Recommended
Memory              1 GB      2 GB
Disk Space          32 GB     80 GB
# of Virtual CPUs   1         5
OVF Space           4 GB      4 GB
• vSEC Controller Requirements:
  • Installed as a patch on the Check Point Security Management Server
  • At least 1 GB of free disk space should be allocated
Deployment of Check Point vSEC Solution
1. Install GAIA OS with Check Point Management Server R77.30 + Add-On R77.30 as a virtual appliance or on a hardware appliance, or install the Add-On onto an existing R77.30 Management Server.
2. Install the hotfix "Check_Point_VSEC_R77_30_HF_MGMT.linux.tgz". This installs the vSEC Controller. Make sure you have 1 GB of free disk space on the server for the vSEC Controller. This hotfix can also be installed via the Web UI.
3. The Check Point Management Server can be used to manage both virtual and physical gateways. If physical gateways will also be used, the matching hotfix must also be applied on the physical gateway:
   fw1_wrapper_HOTFIX_R77_20_VSEC_HF_GW.tgz
   fw1_wrapper_HOTFIX_R77_30_VSEC_HF_GW.tgz
4. Upload the vSEC OVF image to the Check Point Management Server (or another web server).
5. Register the vSEC service using the vsec_config client on the Check Point Management Server.
6. Deploy the service from vCenter Network & Security under Installation > Service Deployments.
7. Configure a policy via SmartConsole and push it down to the respective hosts. In the screenshot on the slide, two vSEC Gateways were added as members of a cluster and a rule accepting all traffic is pushed down to both members of the cluster.
8. Configure Security Groups and a Security Policy to redirect traffic to the Check Point vSEC Gateway.
9. Log directly into a vSEC Gateway and confirm that traffic is being redirected to it. In this case, two VMs with IP addresses 10.114.215.11 and 10.114.215.12 are sending ICMP pings to each other. The console output on the slide is from the vSEC Gateway on the host where the VM with IP address 10.114.215.12 resides; the VM with IP address 10.114.215.11 resides on another host.
10. Additional blades/features can easily be enabled on the vSEC Gateways.
Performance and Guidelines
• The vSEC Gateway operates in user space and processes packets up to 2 Gbps (per instance)
  • Enabling additional software blades consumes more CPU and impacts performance
• The vSEC Controller polls NSX and vCenter every 30 seconds for updates and communicates any changes as needed to the vSEC Gateways.
• 30 seconds is the maximum time it can take for the vSEC Controller to update the respective vSEC Gateway(s).
What does this imply?
If a VM is added to a Security Group, it can take up to 30 seconds for the respective vSEC Gateway(s) to be updated with the correct IP of the VM.
vSEC - vMotion Scenario
• In case of a vMotion event, all traffic related to the old connections will be inspected by the new firewall. Information held on the old vSEC Gateway is not passed to the new Gateway.
• vMotion is not relevant to vSEC Gateway rules, as rules are applied at the cluster level and all Gateways in the cluster have the same rules applied.
• In general, vSEC Gateway clusters should parallel vSphere clusters.
• Check Point rules are updated only on an Install Policy event. The virtual objects used in the rules are updated as objects are learned from NSX/vCenter.
vSEC - Controller HA Scenario
• The vSEC Controllers reside on the Check Point Management Server.
• The Check Point Management Server follows an active-standby model; automatic failover is not supported.
  * Two vSEC Controllers are supported in Active-Standby mode, with only one controller active at any time.
  * A synchronization between the servers is triggered every time a policy is installed.
  * If manual failover is not initiated by the user, the vSEC Controller will not update the vSEC Gateways with virtual objects learned from NSX/vCenter.
  * If the vSEC Controller is down, traffic keeps passing based on the rules already installed on the vSEC Gateways, but no new learning from NSX/vCenter occurs.
• HA is supported over both L2 and L3.
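The three controller slides above (what the controller learns, the 30-second polling bound, and the active/standby behaviour) describe one control loop. The simulation below is an added example written for this page, not Check Point's or VMware's code: the `Inventory` class stands in for the vCenter and NSX Manager APIs, `Gateway` stands in for a vSEC Gateway's object table, and all VM names, group names and IP addresses are constructed. It shows that a VM added to a Security Group is invisible to the gateways until the next poll of the active controller, that the standby controller polls but pushes nothing, and that the propagation delay never exceeds the polling interval.

```python
"""Simulation of the vSEC Controller learning cycle (added example; the
inventory source, gateway, names and IPs are constructed stand-ins)."""

POLL_INTERVAL_S = 30  # slide: the controller polls NSX and vCenter every 30 s


class Inventory:
    """Constructed stand-in for what vCenter and NSX Manager expose:
    VMs (name -> IP) and NSX Security Groups (group -> set of VM names)."""

    def __init__(self, vms, groups):
        self.vms = dict(vms)
        self.groups = {g: set(m) for g, m in groups.items()}


class Gateway:
    """A vSEC Gateway: keeps the objects the controller last pushed. Rules
    are only changed on an Install Policy event and are not modelled here."""

    def __init__(self, name):
        self.name = name
        self.objects = {}  # dynamic object name -> set of IPs

    def resolve(self, obj_name):
        return set(self.objects.get(obj_name, set()))


class Controller:
    """One vSEC Controller instance. Only the active one updates gateways;
    the standby polls but does not push (slide: no automatic failover)."""

    def __init__(self, name, inventory, gateways, active):
        self.name = name
        self.inventory = inventory
        self.gateways = gateways
        self.active = active
        self.last_pushed = {}
        self.last_poll_time = None

    def learn(self):
        """Resolve every VM and every Security Group to a set of IPs."""
        inv = self.inventory
        objects = {vm: {ip} for vm, ip in inv.vms.items()}
        for group, members in inv.groups.items():
            objects[group] = {inv.vms[m] for m in members if m in inv.vms}
        return objects

    def poll(self, now):
        """One polling cycle at time `now` (seconds). Returns True if the
        gateways were updated."""
        self.last_poll_time = now
        objects = self.learn()
        if not self.active or objects == self.last_pushed:
            return False
        for gw in self.gateways:
            gw.objects = {k: set(v) for k, v in objects.items()}
        self.last_pushed = objects
        return True


def propagation_delay(change_time, last_poll_time, interval=POLL_INTERVAL_S):
    """Seconds between a change in NSX/vCenter and the first poll that can
    pick it up. Never more than `interval`, the 30-second bound on the slide."""
    next_poll = last_poll_time + interval
    while next_poll < change_time:
        next_poll += interval
    return next_poll - change_time


def scenario():
    """Learn, add a VM to a Security Group, let the standby poll, then the active."""
    inv = Inventory(vms={"web-01": "10.0.1.11", "db-01": "10.0.2.21"},
                    groups={"Web": {"web-01"}, "Database": {"db-01"}})
    gw = Gateway("vsec-gw-1")
    active = Controller("mgmt-active", inv, [gw], active=True)
    standby = Controller("mgmt-standby", inv, [gw], active=False)
    out = {}
    active.poll(now=0)
    out["db_initial"] = gw.resolve("Database")
    # t = 5 s: a second database VM appears in vCenter and joins the NSX group
    inv.vms["db-02"] = "10.0.2.22"
    inv.groups["Database"].add("db-02")
    out["delay"] = propagation_delay(change_time=5, last_poll_time=0)
    out["db_before_next_poll"] = gw.resolve("Database")  # gateway still stale
    standby.poll(now=30)                                   # standby: no push
    out["db_after_standby_poll"] = gw.resolve("Database")
    out["pushed"] = active.poll(now=30)                    # active: pushes
    out["db_after_active_poll"] = gw.resolve("Database")
    return out


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The `propagation_delay` helper is what to reach for when sizing the window during which a freshly provisioned VM's traffic is evaluated against stale group membership; the slides give 30 seconds as the ceiling, and the loop reproduces that bound for any change time.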
AUTOMATE ADVANCED SECURITY FOR SOFTWARE DEFINED DATACENTER (SDDC)
PERIMETER SECURITY GATEWAY
Use Check Point Appliances with Advanced Threat Prevention for Datacenter Perimeter Security (North-South traffic)
VIRTUAL SECURITY GATEWAY
Use Check Point vSEC Gateway for advanced security between Virtual Machines (East-West traffic)
MICRO-SEGMENTATION
NSX Security Groups (example): Finance, Legal, Partners, Web, Database
Use NSX to segment Virtual Machines into different Security Groups using a flat network
EAST-WEST SECURITY CONTROL
NSX Service Chain Policy: traffic from the Partners Security Group to the Legal Security Group must go through the Check Point vSEC Gateway
Use Check Point vSEC to control traffic access between Virtual Machines
PREVENT LATERAL THREATS
Use vSEC for Advanced Threat Prevention inside the data center

UNIFIED MANAGEMENT
Use Check Point unified management for consistent policy control and threat visibility across virtual and perimeter gateways
APPLICATION-AWARE POLICY
Check Point Access Policy:
Rule   From                      To                        Service   Action
3      WEB_VM (vCenter Object)   Database (NSX SecGroup)   SQL       Allow
Check Point dynamically fetches objects from NSX and vCenter
Use fine-grained security policies tied to NSX Security Groups and Virtual Machine identities
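To make concrete what "a rule tied to NSX Security Groups and Virtual Machine identities" means at enforcement time, here is an added example (not Check Point's code) of a first-match lookup over the slide's Rule 3. The learned-object table, the service-to-port map and the sample packets are constructed; the point it demonstrates is that the rule contains no IP addresses, that source and destination are resolved against the controller-learned objects when a packet is evaluated, and therefore that a new Security Group member is dropped until the controller has learned it, after which the same unchanged rule allows it.

```python
"""Evaluation of an application-aware vSEC rule of the kind on the slide
(Rule 3: WEB_VM -> Database, service SQL, action Allow). Added example;
objects, services and packets are constructed stand-ins."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int
    src: str       # dynamic object: vCenter VM name or NSX Security Group
    dst: str
    service: str
    action: str


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str
    dport: int


# Constructed stand-in for what the vSEC Controller fetched from vCenter/NSX
# (refreshed every 30 s by the real controller, per the slides above).
LEARNED_OBJECTS = {
    "WEB_VM": {"10.0.1.11"},                  # vCenter VM object
    "Database": {"10.0.2.21", "10.0.2.22"},   # NSX Security Group members
}

# Constructed service definitions; Check Point ships its own service objects.
SERVICES = {
    "SQL": {("tcp", 1433), ("tcp", 3306)},
    "HTTP": {("tcp", 80)},
}

# The slide's policy: one rule referencing dynamic objects, no IPs in it.
POLICY = [Rule(3, "WEB_VM", "Database", "SQL", "Allow")]


def evaluate(packet, policy=POLICY, objects=LEARNED_OBJECTS):
    """First-match lookup returning (action, rule number). Objects are
    resolved at evaluation time, so membership changes take effect without a
    policy reinstall. Traffic matching no rule is dropped, as the slides say
    for traffic redirected to the gateway without a matching policy."""
    for rule in policy:
        if (packet.src_ip in objects.get(rule.src, set())
                and packet.dst_ip in objects.get(rule.dst, set())
                and (packet.proto, packet.dport) in SERVICES.get(rule.service, set())):
            return rule.action, rule.number
    return "Drop", None


def demo():
    """Three packets, then the third one again after a new group member is learned."""
    web_to_db_sql = Packet("10.0.1.11", "10.0.2.21", "tcp", 3306)
    web_to_db_http = Packet("10.0.1.11", "10.0.2.21", "tcp", 80)    # wrong service
    web_to_new_db = Packet("10.0.1.11", "10.0.2.23", "tcp", 3306)   # member not yet learned
    results = {
        "sql": evaluate(web_to_db_sql),
        "http": evaluate(web_to_db_http),
        "new_db_before_learning": evaluate(web_to_new_db),
    }
    # The next controller poll adds a third VM to the Database group: the rule
    # text is unchanged, only the resolved object differs.
    learned = {name: set(ips) for name, ips in LEARNED_OBJECTS.items()}
    learned["Database"].add("10.0.2.23")
    results["new_db_after_learning"] = evaluate(web_to_new_db, objects=learned)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The "new_db_before_learning" case is the operational caveat behind the 30-second figure on the performance slide: a VM that has just joined a group is treated as an unknown address, and the logs for that window will show drops that are neither a policy error nor an attack.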
Check Point vSEC Key Features
Feature                      Check Point
Policy Management            Unified management for virtual and physical Gateways
                             Datacenter policy segmentation with sub-policies*
                             Fetch vCenter and NSX objects for use in Check Point policy
Security                     Threat Prevention with multi-layered defenses for the Virtual Data Center
                             Tag infected VM and update NSX for automatic remediation
Visibility & Forensics       View VM objects in security logs
                             Comprehensive Datacenter Threat Visibility
Automation & Orchestration   Granular privilege down to individual rule for trusted integrations*
* Available in R80
FAQ
Q: What is the vSEC product version?
A: The vSEC Gateway is R77.20. The vSEC Controller is based on R77.30.
Q: Can I buy and use it today?
A: Yes.
Q: Will vSEC be supported in R80?
A: Yes.
Q: Was it certified by VMware NSX?
A: Yes. It is certified on ESX 5.5 and ESX 6.0.
Q: Where can I learn more about the solution?
A: Visit the vSEC wiki and the Check Point vSEC webpage.
CHECK POINT & VMWARE
Automating Advanced Security Inside the Data Center
Virtual Security with Advanced Threat Prevention + Next Generation Networking and Security
• Lateral Threat Prevention
• Automated Security Provisioning
• Security Control & Visibility

THANK YOU!