Check Point and Cisco: Securing the Private Cloud

1©2017 Check Point Software Technologies Ltd.©2017 Check Point Software Technologies Ltd.
Advanced and Agile Threat Prevention Security for
Private Cloud Data Centers
CISCO AND CHECK POINT: JOINT
SOLUTION ARCHITECTURE AND USE CASES
May 16, 2017

2©2017 Check Point Software Technologies Ltd.
Ahmed Dessouki
Product Manager
Cisco Insieme Business Unit
Krish Subramanian
Product Marketing Manager
Check Point Software Technologies
TODAY’S SPEAKERS

• Ecosystem Overview
• Joint Architecture Overview
• Features and Benefits
• Deployment Use Cases
• Roadmap
• Demo
• Q&A
Agenda

CISCO ACI SOLUTION OVERVIEW
PRIVATE CLOUD DATA
CENTERS BUILT ON
SOFTWARE DEFINED
NETWORKING (SDN)

Cisco Insieme Business Unit Vision
1
2
3

Strong Momentum in the Marketplace
ECOSYSTEM PARTNERS
Nexus 9K
Customers Globally
ACI
Customers
Ecosystem
Partners
10,800+ 65+3,100+
Business
Run Rate
$3B

The network is not
responsive
No network
automation
Turn-key automated
DC fabric
Business Problem Technical Problem Solution
Security / services are way
behind
L4-7 configuration /
forwarding is manual and
per-device
Integrate L4-7 stitching
into network automation
SLAs aren’t being met
No direct mapping of app
requirements to network
forwarding
Automate forwarding /
policy based on application
requirements

App Based Automation
Automated L4-7 Services
Turn-key network automation

What’s the Problem?
Logical Device Cluster
Web App
• Prior to Service Graph, deploying services has been very error prone:
VLAN mismatch between
hypervisor & switch?
Firewall/Load Balancer/SSL
misconfiguration?
VLAN allocation?
VLAN missing?
Trunk not configured properly?
Physical or Virtual L4-L7 Devices

With Service Graph
Web App
ACI Fabric
Device automation
Network
automation
EPG
App
Service Graph
EPG
Web Contract
Logical Device Cluster
Physical or Virtual L4-L7 Devices

• APIC 2.0 or later
• Use case: Inspect all OR specific traffic by FW
Policy Based Redirect (PBR)
Overview
EPG Client EPG Web
Only HTTP traffic is redirected to FW, and
then forwarded onto Web endpoint by FW
Other traffic permitted by contract are
going to Web endpoint directly.
EPG
Client
EPG
WebContract
Redirect
providerconsumer
Traffic from client
Policy applied (PBR)
Return traffic

Copy Service
Overview
• APIC 2.0
• Service Graph is mandatory and EX hardware is required
• Copy specific traffic
EPG Client EPG Web
Traffic is copied to IDS
Original traffic goes to
Web endpoint directly.
EPG
Client
EPG
WebContract
Copy
providerconsumer
IDS

EPG
Web
EPG
Client
192.168.1.254
Self_IP: 172.16.10.1/24
Default GW: 172.16.10.254/24
172.16.10.254 192.168.2.254
VRF1
All BDs are in same VRF
BD1 BD2BD:
ADCSvcBD
IP: 192.168.1.100
Default GW: 192.168.1.254
IP: 192.168.2.200
Default GW: 192.168.2.254
EPG
Client
EPG
Web
Contract
Redirect
providerconsumer
Return traffic
ACI ADC Design
One-arm with PBR
SNAT is not required and server
sees real client IP
ADC
VIP:
172.16.10.200
Incoming Traffic
Source: 192.168.1.100
Dest: 172.16.10.200 (VIP)
Return Traffic
Source: 192.168.2.200
Dest: 192.168.1.100

• APIC dynamically detect new endpoint, then the endpoint is automatically
added to the pool member of VIP
Dynamic Attach Endpoint
EPG
Web
192.168.1.1
VIP Web-Pool
192.168.1.2
New
192.168.1.3
New
EPG
Client

Device Packages
• Service functions are added to APIC through
device package
• Device Package contains a device model and
device python scripts
• Script can interface with the device using REST,
SSH or any mechanism
Device Package
Configuration Model (XML File)
Python Scripts
APIC
Configuration Model
Device Interface: REST/CLI
APIC Script Interface
Python Scripts
Script Engine
APIC Policy Manager
Service Device

ServiceManagerModeServicePolicyMode
• Full L2-L7 automation with
operational flexibility
• Joint management of L4-L7
service devices through Cisco
APIC and a service device
controller
• APIC manages a subset of
features
• Centralized single point of
management for full L2-L7
Service Automation
• APIC manages fabric and
network services
Multiple Operational Modes
L4- L7 Device
Package
Service Cluster
Manager
L4- L7 Device
Package
for Integrated L4-L7 Services Automation
NetworkPolicyMode
• Centralized network automation
L2-L3 (service stitching)
• EPG model or unmanaged service
graphs
Service Cluster
Manager
No Device Package

L4-L7 Service Automation – Support for All Devices
Service Manager Mode General Concept
44
Service device keeps full native functions
and customizable parameters available
3 Deploy L4-7
Configuration
3Deploy L2-3
Configuration
1 Create Template
Service Device Controller
2
Associate template with
service graph

Why Service Manager Mode?
Preserve
Administrative
Boundaries
Deploy
Apps
Faster
Maintain
L2-L7
Automation
Operational
Flexibility

CHECK POINT AND CISCO ACI JOINT
SOLUTION ARCHITECTURE
WHY DO WE NEED AGILE AND
ADVANCED SECURITY INSIDE THE
PRIVATE CLOUD DATA CENTER?

VIRTUAL DATA CENTER HYBRID CLOUD
• Manual operation
• On premises
• Automation & Orchestration
• Software Defined Network
DATA CENTER EVOLUTION

PRIVATE CLOUD SECURITY REQUIREMENTS
Increasing sophistication of threats & malware
Consistent protections and policy management
Consolidated visibility, logging and reporting
Sacrificing speed and agility for security
Lateral spread of threats

Chain of events:
1. Admin used infected laptop to manage
the virtual webserver in the cloud
2. Virtual webserver got infected
3. Oracle released new security patch
4. Infection moved from webserver to
unpatched Oracle servers
1.5M MEDICAL RECORDS EXPOSED FROM PUBLIC
IaaS DATABASE

CHALLENGE #1:
PRIVATE CLOUD IS ALREADY SECURE, WHY DO I
NEED ADDITIONAL SECURITY?
Perception:
• Security handled by perimeter gateway
and network layers
• Segmentation or isolation = security
Network layer provides segmentation and basic
firewall capability
Data isolation does not protect against malware or
other threats

• Perimeter Gateway doesn’t
protect traffic inside the data
center
• Lack of security between
virtual and physical
applications
LATERAL THREATS INSIDE THE DATA CENTER

• New applications provisioned rapidly
• Virtual-app movement
• Change in IP address
• Unpatched dormant VMs that wakes up
TRADITIONAL STATIC SECURITY FAIL TO PROTECT
DYNAMIC DATACENTER

TOP OPERATIONAL CHALLENGES IN LEGACY
DATA CENTERS Cumbersome Ongoing Maintenance
• Deploying & Maintaining
Security Gateways using
traditional networking is:
̶ Complex
̶ Time consuming
̶ Error prone
Traditional networks require Security Gateways to provide networking functions
in addition to security – increasing operational complexity

SOLUTION:
ADVANCED SECURITY PROTECTS CUSTOMER
ASSETS IN THE PRIVATE CLOUD
Advanced security methods in Private Clouds:
• Prevent threats within Private Clouds
− Comprehensive protections to prevent breaches and data loss
• Security Groups with Advanced Threat Prevention:
− Fine-tuned policies and layered protections (Firewall, IPS,
Anti-Virus, AntiBot, and more)
− Security achieved between segments and hosts/VM’s using
network firewall and automated traffic redirection and
service insertion/chaining

CHALLENGE #2:
NETWORK SECURITY SOLUTIONS DON’T FIT IN
PRIVATE CLOUD ARCHITECTURES
Perception:
• Environment is too dynamic
− Rapid adding/removing of VMs, subnets etc.
• Network security solutions single point of failure
/ don’t support HA configuration / cannot scale
automatically / not virtualized
• Traditional perimeter based security and
segmentation is limited

• Operate in HA mode in cloud
• Clusters Within Private Cloud Data Center
• Multi-pod
• Security policies updated automatically
• Auto-discovery of cloud assets (new VM’s ,
subnets, EPG’s) reflected in automated
policy updates
• R80 Automation and Orchestration with
REST API’s
• Deployed in Private cloud Data Center
• Physical and Virtual appliance
• Automated service insertion and chaining
• Integrates with Private Cloud fabric
• Integrates with other L4-L7 services in
private cloud
• Supports both service insertion modes :
Service Manager and Network Policy
SOLUTION:
NETWORK SECURITY FITS IN PRIVATE CLOUD

PROTECTING DATA & APPS IN
PRIVATE CLOUDS
INTRODUCING CHECK POINT VSEC :
A NEW APPROACH TO SECURITY IN DATA CENTERS

ADVANCED THREAT PREVENTION
AND VISIBILITY FOR THE PRIVATE CLOUD
©2016 Check Point Software Technologies Ltd.
+

CHECK POINT VSEC FOR CISCO ACI
Advanced threat prevention and visibility for the private cloud
s
Complete threat visibility
and controls
Automated security provisioning
and policy orchestrations
Automatic insertion of advanced
threat prevention gateways

Solution Components
vSEC GATEWAY
• Comprehensive protections
including: Firewall, IPS,
AntiBot, AntiVirus, VPN, DLP
and SandBlast Zero-Day
Protections
• Secure traffic between
applications in the private
cloud
• Physical and Virtual appliance
vSEC CONTROLLER
• Automated security with
unified management
• Context-aware policies and logs
leveraging ACI defined objects
• Consolidated logging and
reporting across private, public
and hybrid clouds, physical and
virtual appliances
vSEC Device
Package for APIC
• Check Point plug-
in for the APIC

CHECK POINT VIRTUAL AND PHYSICAL
SECURITY APPLIANCES
A single virtual or physical Security Gateway hosts multiple automatically
provisioned security instances inserted to the ACI fabric in every scale
Datacenters &
High End
Enterprises
23000 Appliances
Enterprises
15000 Appliances
Small Enterprises
5000 Appliances
Virtual Appliances

ADVANCED THREAT PREVENTION LATERAL
MOVEMENT OF THREATS
vSEC Gateway prevent lateral threat movement between applications inside
hybrid clouds
Advanced Threat
Prevention Security

USE CHECK POINT SMART MANAGEMENT WITH VSEC
CONTROLLER TO AUTOMATE YOUR SECURITY
vSEC Controller
Check Point Smart Center

Check Point Access Policy
Rule From To Application Action
3 Finance_App1
(vCenter Object)
SAP
(ACI End Point Group)
MSSQL Allow
4 USER_ID
(AD object)
Finance_Group
(Openstack group)
CRM Allow
APPLICATION-AWARE POLICY
TIED TO CISCO ACI & CLOUD MANAGEMENT

LOGS ENRICHED WITH CISCO ACI OBJECTS
4800
12400
Infected Server
Identify Severity Date
SAP
(ACI App)
High 3:22:12 2/4/2016
WEB
(ACI EPG)
High 5:22:12 2/4/2016
VM_AD_15
(vCenter object)
Medium 5:28:12 2/4/2016
Check Point SmartEvent

COMPLETE THREAT VISIBILITY AND CONTROL
• Security operational efficiency with
consistent policy across East-West and
North-South traffic
• Forensics analysis inside your
datacenter with unified logs and reports
• Physical and virtual vSEC gateways

UNIFIED VISIBILITY
UNIFIED MANAGEMENT

SECURITY AS DYNAMIC AS THE PRIVATE
CLOUD
• Full Support for automated service
insertion/chaining and provisioning,
Enhanced PBR and dynamic routing
support, IPv6, multi-pod
• Security policy based on EPG’s and
micro EPG’s - microsegmentation
• Physical and virtual appliances
• Supports Service Manager Mode and
Network Policy Mode

Reference Architecture
• Check Point vSEC protects assets
in Cisco ACI data centers
• Complete Reference Architecture
• Deployment Scenarios and Demo
– YouTube video
• End Point Groups and lateral
threat prevention
• Service insertion modes
• Dynamic Peer routing
• Multi-pod

APIC SERVICE INSERTION AUTOMATION
Physical or virtual device is connected to the
ACI fabric
Logical device representing Check Point’s
concrete device – physical or virtual VSX
Security Gateway is configured
Check Point management receives render
command from Cisco APIC, instantiate the
Virtual System and configures it automatically
Check Point Management installs the security
policy automatically on the Virtual System
Service graph is created on APIC and specific
device parameters are configured
APIC generates a render command to the
Management Server
1
2
5
63
4

Reference Architecture
• Auto-discovery of ACI defined
objects
• Leverages ACI objects like EPG’s
in security policies and logs
• Policies updated in real-time
• Improved visibility and forensics
ACI CLOUD OBJECT DISCOVERY WITH VSEC

ROADMAP

ROADMAP
• PBR ( Policy based redirect) in all service modes,
Ability to absorb micro EPG’s, Dynamic peer-peer
routing, IPv6 , Support for R80.10 on VSX and vSEC
gateways, multi-pod support (available in upcoming
release)
• Tagging of infected VM’s for isolation/remediation
• Check Point apps in Cisco ACI AppCenter

CUSTOMER SUCCESSES WITH
CISCO ACI AND CHECK POINT

Customer modernized their Data Center network &
security infrastructure.
Leveraged VSLS technology, multiple cluster members and
cross-site clustering, Check Point expertise and trusted
advisor role.
Aviation industry player achieves better TCO
with joint Cisco ACI and Check Point solution
Joint solution supported the best security, better segmentation
and consolidation of workloads with minimal downtime during
the transition to private cloud.
Customer improves security posture recognizing Check Point’s
industry leading security, innovation and experience in the
banking sector
Leveraged the existing investment in Check Point, resources and
training.
Customer leverages vSEC controller’s comprehensive
integration with ACI and R80 APIs for automation
Achieved better TCO using unified policy that utilizes ACI
objects in security policy
Leveraged existing Check Point infrastructure including
Multi-Domain Manager.
Financial Services industry player transforms
app delivery with Cisco ACI and Check Point
Banking industry players cements future needs
with app-centric secure hybrid infrastructure
CUSTOMER SUCCESSES
Healthcare industry player gains Scalability and
Security with private cloud architecture

SUMMARY

CHECK POINT vSEC FOR CISCO ACI
s
Complete threat visibility
and controls
Automated security provisioning
and policy orchestrations
Prevent lateral movement of
threats between cloud applications
Advanced threat prevention and visibility for the private cloud

SUMMARY: WHY CHECK POINT VSEC FOR CISCO ACI?
Unified Management for Physical and Virtual Environments
Lateral Threat Prevention Inside the Data Center
Automated, Adaptive and Scalable Security
Advanced Threat Prevention for Cisco ACI Data Centers

MORE INFORMATION - RESOURCES
• Check Point vSEC for Cisco ACI product page and collateral
• Check Point vSEC for ACI joint solution brief
• Cisco ACI L4-L7 Partner Compatibility Matrix
• vSEC on Cisco Marketplace for Technology Solutions
• Check Point Reference Architectures for Cisco ACI
• Cisco ACI and Check Point vSEC Deployment Scenarios and Demo - video
• Check Point vSEC Device Package for ACI
• Check Point SmartConsole integration with ACI - video

HOW EASY IS IT DEPLOY VSEC IN
CISCO ACI?
DEMO

• Krish Subramanian – Product Marketing Manager, Check Point - ksubrama@checkpoint.com
• Ahmed Dessouki - Product Manager, Cisco - ahdessou@cisco.com
Q
A

THANK YOU

Check Point and Cisco: Securing the Private Cloud

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (20)

Semelhante a Check Point and Cisco: Securing the Private Cloud

Semelhante a Check Point and Cisco: Securing the Private Cloud (20)

Último

Último (20)

Check Point and Cisco: Securing the Private Cloud