Monthly Archives: July 2015

2015 CPX Part Zwei – SDN

UPDATE: CheckPoint R80 and R77.20 (with updates) have announced integration with VMware 6.0, which is great. It's called vSEC. This clarifies many of the questions below. I haven't seen it (because I'm sitting on a beach in Italy), but I hope to do a pro/con when I get back.

======================================== Date 5/10/2015, CPX Conference ===============

Summary: CheckPoint R80 is integrating with most of the other SDN players: NSX, ACI and OpenStack. It looks great so far. The problem (heard at CPX): a financial IT guy said his CIO called and asked for a 600-server farm to do big data mining on confidential financial data. A classic physical deployment would have taken 6 months; they did it in 2 weeks with virtualization and scripting. How does, or will, CP protect this data mining farm?

BEGIN SDN Glossary:

  • North-South Traffic: data traffic entering or leaving a physical VMware/virtual host, i.e. traffic that crosses a physical network interface
  • East-West Traffic: data traffic between virtual guests inside the virtual environment; when both guests sit on the same physical host this traffic passes only through the hypervisor's virtual switch and never touches a physical wire, so a firewall on the physical network cannot see it
  • ESXi – VMware's hypervisor, the operating system that runs on bare metal
  • vSphere – VMware's complete virtualization package
  • vCenter – VMware's management station component for managing ESXi hosts and their guests
  • NSX – the networking (virtual switching/routing) component of VMware
  • Virtual Guest – an OS environment (Linux, Windows XP, Mac OS, an OEM custom product) running in an emulated physical environment on top of a hypervisor (VMware, OpenStack, VirtualBox, KVM, etc.). Common operations: virtual guests can be paused and snapshotted, and the hypervisor exposes an API for automating and monitoring guests.

END SDN Glossary

BEGIN CP VE Glossary: CheckPoint VE is CP's firewall product that runs in a VMware environment. It has two modes:

  • Network mode – the firewall as you know it, running as a guest in the virtual environment; it cannot see any other objects in the virtual environment, so it only protects traffic that is explicitly routed through it
  • Hypervisor mode – runs inside the hypervisor and can see all objects in the virtual environment. This lets you assign an L2 firewall to each virtual guest. So in the end it is nothing more than host-based firewalling (with the one real difference that the enforcement point sits outside the guest, where a compromised guest cannot switch it off)... but saying the word 'hypervisor' sounds so much cooler.

END CP VE Glossary

So CP has a couple of problems with VMware right now:

  • Currently not integrated in the latest ESXi 6.0 release at the hypervisor level. (Hypervisor level is like being inside the Windows OS: in Windows, if you want a list of all processes you must ask the OS, or be inside it, to see them all. If you want a 'firewall' to protect process A from process B you have to be inside the Windows OS. Same thing with the VMware hypervisor.)
  • Management: R75.20 cannot grab VMware objects, IP addresses or the network fabric
  • Enforcement: since CP is not integrated inside the ESXi 6.0 hypervisor, CP cannot protect East-West traffic.

The fuzzy details: CP has integrated with the old VMware 5.5 API, but not the current 6.0. To get into the real SDN game the CP firewall must run inside the VMware hypervisor, which is the VMware OS; specifically, it must have access to NSX. Now, one CAN today manually spin up CP VE network mode instances (as guests) inside the 600-server virtual farm and manually connect them into the virtual network... but a human being has to configure those firewalls by hand, as we do in the physical world, because only humans know the IP addresses, server names and protocols.

What R80 WILL do is use the VMware REST API (see my blah blah on REST) to grab all the VMware objects and their IP addresses. They appear as DataCenter objects (if I remember right) in Dashboard and can be referenced like any other object. Note that these objects are really pointers into the VMware environment, and R80 keeps them in sync with VMware, so if the object is deleted in VMware it disappears from CP. (A little scary: VMware modifying firewall policy. Whoever can edit a VM's name or addresses in vCenter is effectively editing what the firewall rules match, so vCenter access becomes firewall-admin access. Another discussion.)

What R80 can't do is enforce policy on east-west traffic today, because 1) there is no R80 firewall yet and 2) I'm not sure VMware has released the latest 6.0 API. So I saw demos of the management integration and it looks good. VMware objects look like any other objects, but note they are pointers into VMware and not managed by CP. If all goes as planned, the R80 firewall should be supported in the NSX 6.0 hypervisor. What are the bells and whistles?

  • If a new VM is spun up, a policy and an L2 firewall can be generated automatically to protect it
  • If a VM vMotions from Fargo to Shanghai, the firewall (and its policy) follows it
  • At L2, you can redirect a service/port to the firewall for inspection (this host is infected, inspect all its port 80 traffic) and then return it to its original path
  • You can quarantine a VM if it misbehaves: stop it from talking, or shut it down
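To make the "pointer into VMware" behaviour and the auto-policy/quarantine bells and whistles concrete, here is a small added example (my own toy, not Check Point's or VMware's code, and not the real R80 management API or vSphere REST API). It reconciles a firewall object store against two constructed vCenter-style inventory snapshots, evaluates a rulebase whose rules name those objects rather than literal IPs, and shows what happens when VMware deletes or re-addresses a VM behind the firewall's back: the rulebase is untouched, yet what it matches changes, and a rule pointing at a deleted VM fails closed. The inventory snapshots, rule format and function names are all assumptions made for illustration.

```python
import ipaddress

# --- constructed data (not from vCenter or R80) -------------------------

# vCenter-style inventory snapshots: VM name -> IPs reported by the guest.
INVENTORY_T0 = {
    "bigdata-node-01": ["10.20.0.11"],
    "bigdata-node-02": ["10.20.0.12"],
    "jumpbox": ["10.20.9.5"],
}
# Later snapshot: node-02 deleted, node-03 spun up, jumpbox re-addressed.
INVENTORY_T1 = {
    "bigdata-node-01": ["10.20.0.11"],
    "bigdata-node-03": ["10.20.0.13"],
    "jumpbox": ["10.20.0.99"],
}

# Rules name inventory objects (pointers), not literal addresses.
RULEBASE = [
    {"name": "admin-ssh", "src": "jumpbox", "dst": "bigdata-node-01",
     "service": "tcp/22", "action": "accept"},
    {"name": "ingest", "src": "bigdata-node-01", "dst": "bigdata-node-02",
     "service": "tcp/9000", "action": "accept"},
    {"name": "cleanup", "src": "any", "dst": "any",
     "service": "any", "action": "drop"},
]


def reconcile(objects, inventory):
    """Return (synced_objects, events).

    objects: {name: frozenset(ip_address)} as currently known to the firewall.
    inventory: the latest VMware snapshot. Objects are rebuilt from the
    snapshot; creations, address changes and deletions are reported as events,
    because each one silently changes what the rulebase matches."""
    synced = {}
    events = []
    for name, ips in inventory.items():
        addrs = frozenset(ipaddress.ip_address(i) for i in ips)
        synced[name] = addrs
        if name not in objects:
            events.append(("created", name))
        elif objects[name] != addrs:
            events.append(("ip_changed", name))
    for name in objects:
        if name not in inventory:
            events.append(("deleted", name))
    return synced, events


def _resolve(objects, ref, ip):
    """True if ip is covered by object ref. A dangling pointer (the VM was
    deleted in VMware) matches nothing, so rules naming it fail closed."""
    if ref == "any":
        return True
    return ipaddress.ip_address(ip) in objects.get(ref, frozenset())


def evaluate(rulebase, objects, src, dst, service):
    """First-match evaluation; returns the action of the matching rule."""
    for rule in rulebase:
        if (_resolve(objects, rule["src"], src)
                and _resolve(objects, rule["dst"], dst)
                and rule["service"] in ("any", service)):
            return rule["action"]
    return "drop"  # nothing matched: implicit drop


def quarantine(rulebase, vm):
    """Prepend drop rules isolating vm in both directions (the 'quarantine a
    VM if it misbehaves' case). Returns a new rulebase."""
    block = [
        {"name": f"quarantine-{vm}-out", "src": vm, "dst": "any",
         "service": "any", "action": "drop"},
        {"name": f"quarantine-{vm}-in", "src": "any", "dst": vm,
         "service": "any", "action": "drop"},
    ]
    return block + list(rulebase)


def demo():
    objs, ev0 = reconcile({}, INVENTORY_T0)
    # At T0 admin SSH from the jumpbox is accepted, as the rule intends.
    t0 = evaluate(RULEBASE, objs, "10.20.9.5", "10.20.0.11", "tcp/22")
    objs, ev1 = reconcile(objs, INVENTORY_T1)
    # Same rulebase, new inventory: the old jumpbox address is now dropped
    # and the new one accepted, with no change made on the firewall side.
    t1_old = evaluate(RULEBASE, objs, "10.20.9.5", "10.20.0.11", "tcp/22")
    t1_new = evaluate(RULEBASE, objs, "10.20.0.99", "10.20.0.11", "tcp/22")
    # The 'ingest' rule points at a deleted VM and therefore matches nothing.
    t1_ingest = evaluate(RULEBASE, objs, "10.20.0.11", "10.20.0.12", "tcp/9000")
    # Quarantining node-01 overrides the earlier accept.
    q = evaluate(quarantine(RULEBASE, "bigdata-node-01"), objs,
                 "10.20.0.99", "10.20.0.11", "tcp/22")
    return {"t0": t0, "t1_old": t1_old, "t1_new": t1_new,
            "t1_ingest": t1_ingest, "quarantined": q, "events": ev0 + ev1}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point of the event list is that every inventory edit that changes policy reach should be logged somewhere the firewall team sees it; in a real deployment the "ip_changed" and "deleted" events are the ones to alert on, since they are exactly how someone with vCenter rights can widen or break a rule without ever touching the firewall.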

All this looks good; I just hope they can get it to work. You see some of this in ESXi 5.5.

So someone asked me, "What do you think 'Software Defined Protection' is?" Mike, what is "Software Defined Protection"??? Glad you asked. Firewall performance in a virtual world is a game changer. CheckPoint's edge with Software Defined Protection is that it has been designed from the ground up in software: performance comes from throwing more CPUs at the problem, not custom ASICs. Other vendors rely on custom ASICs for performance, so migrating their code to a software-based virtual world requires re-coding and/or the loss of hardware-based performance gains. In addition, in the virtual world security will become more dynamically scripted, with no expensive, slow humans in the chain. Firewalls, rules and objects will be created and destroyed automatically, all through software. CheckPoint's R80 has the API and the tools (so they say) to play in a scripted, automated world, all managed from a single-pane-of-glass centralized security management platform. Now THAT's Software Defined Protection.


Michael Endrizzi's - St. Paul MN - CheckPoint blog on topics related to Check Point products and security in general.