Check Point 虚拟化解决方案.pptVIP

Check Point为虚拟化世界提供安全保障 Mar 30, 2010 硬件虚拟化 防火墙虚拟化 VSX虚拟防火墙系统（Virtual System） 一个VSX虚拟防火墙系统是一个独立的路由和安全域，提供一般的Check Point网关绝大部分的防火墙、VPN及其他安全功能 运行在同一台物理机器上时，每个虚拟防火墙系统拥有自己单独的: 状态表 安全和VPN策略 配置参数 安全内部通信证书 每个虚系统都拥有一个虚拟IP堆栈 桥接模式的VSX虚拟防火墙系统 “桥接模式的虚拟系统” 透明地提供了安全服务 为基础构架添加一个安全层 促进了核心处的安全性 桥接模式的 虚拟防火墙 与传统防火墙的相同模型相对应 每个桥接模式的 虚拟防火墙都拥有自己独立的桥接表 与体系结构协议集成 支持所有 xSTP 协议、PVST+ 和管理协议 (VTP) 动态路由环境的VSX虚拟防火墙系统 VSX虚拟网络环境扩展了对动态路由协议的支持 单播路由 — RIPv1/2、OSPFv2 和 BGP-4 多播路由 — IGMPv2、PIM-DM 和 PIM-SM 每个虚拟设备保持对所有路由协议的支持 便于彼此之间的连接与交互： 虚拟设备到虚拟设备 虚拟设备到外部路由器 Abra Summary Questions ? The virtual system in bridge mode is new virtual security device, which provides security services on top of a virtual bridge. This VS operates as a true native bridge. Each virtual system in bridge mode supports two interfaces, inbound and outbound. The Vlan ID is the same for both directions creating a completely transparent solution, no change to the Vlan structure. The VS in bridge mode supports all the features of the a regular VS with the exception of VPN and NAT. The integration with the switched network is seamlessly, such VSs are aware of all xSTP protocols and variations. VSs in bridge mode understands both standard STP as STP, Rapid STP multiple STP, etc and proprietary protocols as Cisco’s PVST+. At the same time, in order to keep the switched network structure, VSX also recognizes protocols as VTP in order to maintain the all the previous services that were available to the networking groups. This feature allows network engineers to secure their core network with minimal interruption and NO change to their production network. It allows them to move away from the current long and complex ACLs they manage across their core switch routers and move into a structured centrally managed solution that provides them advantages as: Stateful inspection Smart Defense Detailed logging information for troubleshooting purposes and correlation systems Structured management – role based management based on provider-1, w