Checkpoint VSX Overview:
The Check Point 12200 VSX Appliance is a dedicated solution for multi-layer, multi-domain virtualized security. Check Point 12200 VSX Appliance provides maximum security allowing enterprises and data centers to consolidate up to 10 security gateways with firewall, IPsec and SSL virtual private network (VPN), intrusion prevention and URL filtering on a single device. The VSX bundle offering provides linear performance scalability with system high availability. Note: These products are based on NGX architecture.
Check Point VSX and VPN-1 Power VSX enable organizations to consolidate infrastructure in high-performance environments, such as large campuses or data centers, by virtualizing physical network components into one physical device. They include firewall, Virtual Private Network (VPN), URL filtering and intrusion prevention technology (IPS).
VSX Benefits:
Hardware cost savings and comprehensive security via a virtual platform:
- Consolidate hundreds of security gateways into one physical device
- Includes firewall, IPS, URL filtering, IPSec and SSL VPN
- Increased hardware utilization and reduced power, space and cooling
Simplified management and flexible deployment:
- Service multiple customers, groups and business units from a single system
- Centralized management unifies both physical and virtual management
- Flexible deployment-open platforms and full line of turnkey appliances
High availability and easy scalability:
- Easily add and extend virtual systems without purchasing more hardware
- Delivers linear scalability, load sharing and multi-gigabit performance
- Cost-efficiency, redundancy and performance via ClusterXL and SecureXL
Features:
Scalable Virtual Environment
With VSX-deployed as VSX Software or VSX turnkey appliances-administrators can create virtualized implementations of conventional physical topologies and designs such as central and remote DMZs. The Virtual System Extension (VSX) platform can create and manage up to 250 fully independent security systems on a single or clustered hardware platform. This delivers scalability while dramatically reducing hardware investment, space requirements and maintenance costs.
Flexible Virtual Connectivity
Virtual routers and switches can be used to forward traffic between networks located behind virtual systems, much in the same manner as their physical counterparts. VSX supports a wide range of routing scenarios, enabling flexible network connectivity.
- Virtual System in Bridge Mode - VSX has the ability to host virtual systems running in either router or bridge mode. The ability to deploy virtual systems in bridge mode allows administrators to implement native layer-2 bridging instead of IP routing, and transparently add a virtual system to the network without reconfiguring network settings and topologies.
- Route Propagation - When a virtual system is connected to a virtual router or to a virtual switch, an administrator can choose to propagate its routing information to adjacent virtual devices. This feature enables network nodes located behind neighboring virtual systems to communicate without the need for manual configuration.
- Overlapping IP Address Space - VSX facilitates connectivity when multiple network segments share the same IP address range. This scenario occurs when a single VSX gateway protects several independent networks that assign IP addresses to endpoints from the same pool of IP addresses. Thus, more than one endpoint in a VSX environment may share the same IP address, provided that each is located behind different virtual systems. Overlapping IP address space in VSX environments is possible because each virtual system maintains its own unique state and routing tables. These tables can contain identical entries, but within different, segregated contexts.
- Source-based Routing - Source-based routing allows an administrator to define routing definitions that take precedence over ordinary, destination-based, routing decisions. This allows the administrator to route packets according to their source IP address or a combination of their source IP address and destination IP address. Source-based routing is useful in deployments where a single physical interface without VLAN tagging connects several protected customer networks. Each virtual system is connected to an internal virtual router. The virtual router routes traffic to the appropriate virtual system based on the source IP address, as defined in source-based routing tables.
- Dynamic Routing - Virtual devices can communicate and distribute routes amongst themselves using dynamic routing. VSX provides full layer-3 dynamic routing for virtual systems and virtual routers. The following unicast and multicast dynamic routing protocols are supported: OSPF, RIP-v1/2, BGP-v4, IGMP, PIM-SM, PIM-DM.
High Performance Security
High bandwidth networks require high-performance gateways in order to support thousands of users and applications. VSX employs Check Point-patented SecureXL™ security acceleration, enabling maximum performance from open servers and appliances. To provide security at wire speed, VSX can be deployed on multiple carrier-class platforms using Check Point high-performance technology, ensuring secure, resilient, multi-gigabit throughput. And to maximize performance, capacity and system scalability, VSX provides the following features and technologies:
- Virtual System Load Sharing (VSLS) provides the ability to distribute virtual systems across cluster members, effectively distributing traffic load within a cluster.
- VSX Resource Control allows administrators to manage the processing load by guaranteeing that each virtual system will receive its minimum CPU allocation. Resources not needed by one virtual system are automatically made available to other virtual systems. Administrators can also limit the CPU time available to a lower-priority virtual system and assign more capacity to mission-critical virtual systems.
- VSX QoS Enforcement provides the ability to control network quality of service in the VSX network environment by supporting the Differentiated Services (DiffServ) protocol and assigning different transmission characteristics to different classes of service. This helps prioritize the order in which traffic will be processed when resources are under heavy load.
- ClusterXL provides high availability and load sharing to keep businesses running. It distributes traffic between clusters of redundant gateways so that the computing capacity of multiple machines may be combined to increase total throughput. If an individual gateway becomes unreachable, all connections are redirected to a designated backup without interruption.
- Link Aggregation, also known as interface bonding, is a powerful feature that provides support for bonding interfaces either in a high-availability or load sharing mode. This networking technology binds multiple physical interfaces together in parallel to increase throughput beyond the limits of a single interface and/or to provide redundancy.
Comprehensive Security Services
Based on FireWall-1 and SmartDefense intrusion prevention technologies, VSX provides comprehensive protection to multiple networks or VLANs within complex infrastructures, securely connecting them to shared resources like the Internet and DMZs. VSX gateways are based on Check Point-patented Stateful Inspection, the de facto standard for Internet security. VSX examines more than 150 predefined applications, services, and protocols out-of-the-box, ensuring that the vast majority of applications used by businesses are free of threats when entering the network. Examples include:
- URL Filtering: Protects users or restricts access from an array of continually updated pre-profiled content
- Voice over IP: With many companies rushing to adopt VoIP applications to lower telecommunications costs, VSX offers comprehensive VoIP protocol support to secure critical business communications. VoIP protocols supported include H.323, SIP, MGCP and Skinny (SCCP).
- Instant messaging and P2P applications: These are common attack vectors for worms, viruses, and spyware. VSX provides security for these applications by inspecting their content or preventing them from entering the corporate network
VSX is supported by SmartDefense Services, which maintain the most current preemptive security for the Check Point security infrastructure. VSX also provides flexibility in secure remote access, supporting the most complete range of client access options (IPSec, SSL VPN, mobile access)
Proven, Mature Security Management Architecture
VSX is managed with Check Point's SmartCenter and Multi-Domain Security Management solutions. Both provide powerful tools for centrally configuring, managing, and monitoring multiple VSX security operations platforms, virtual systems, and physical VPN-1 gateways. VSX appliances feature hardware health monitoring capabilities over SNMP.
Based on Check Point Security Management Architecture (SMART), these solutions deliver the flexibility of choosing the appropriate management solution based on your network requirements. Check Point One-Click VPN technology also enables virtual systems to be added seamlessly to a VPN community. The new virtual system automatically inherits the appropriate properties and can immediately establish secure sessions with all other VPN community members within the enterprise network. Additional tools such as virtual system creation wizards and templates assist in enforcing server image standardization and further streamline the process of deploying and configuring VSX.
Used in conjunction with Multi-Domain Security Management, an enterprise can use VSX to segment different business groups or customers and classify the network either by function or by network segment. Therefore, administrators can maintain separate policies for different network segments and can delegate or divide large rule-bases into several smaller rule-bases for ease-of-management and better control of network security.
Service Provider Enablement
VSX delivers security service provisioning at the click of a button, enabling service providers to monetize virtual security service offerings at the lowest possible cost. Capabilities now include new URL filtering capability which protects users or restricts access from an array of profiled content. This adds to the best-in-class security services already available.