Check Point Product Overview


1 Check Point Product Overview
Jovi Chen Jan 2008

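2 Agenda Today's security challenges Check Point development strategy The future of the unified security architecture PURE security New solutions
New market area: Data security The future of the unified security architecture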

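3 Check Point – Leader of the Global Information Security Market
Global FW/VPN market leader* Customers include 100% of the Fortune 100 and 98% of the Fortune 500 Market leadership 2006 total revenue: US$575 million Market capitalization: US$5.4 billion Cash reserves: US$1.65 billion Financial information 1,500 employees (600 in R&D) 69 offices in 28 countries worldwide 2,200 partners in 88 countries worldwide Headquartered in Israel and California, USA Global presence * Frost & Sullivan, World Firewall IPSec VPN Gateway Markets, 2006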

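4 Check Point – Leader of the Global Information Security Market
93 94 95 96 97 98 99 00 01 02 03 04 05 06 07 Acquisition Intelligent applications Founded VPN-1 VPN-1 Power, VPN-1 UTM Network security Acquisition of Pointsec Small business FireWall-1 1.0, Stateful inspection IDS/IPS SSL VPN Architecture 2007: Security revolution Network and infrastructure Data security Unified security architecture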

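5 Enterprises, small companies and consumers all have an urgent need for the following:
Today's security challenges Enterprises, small companies and consumers all have an urgent need for the following: Protecting their computers and networks Defending against data loss Secure and reliable access Managing and controlling their systems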

6 Security is as strong as the weakest link
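Today's "security sprawl" dilemma Departments operate independently rather than under central control Reactive, incident-driven approach Lack of clear guidelines and a path for the future Duplicated and inefficient spending that never keeps pace with the problem Today's fundamental problem: Unplanned, "good enough" and fragmented, inadequate security solutions Result: Cracks in the defense, gaps in security Market trends: Vendor consolidation Customers turn to fewer security vendors (from more than 10 to fewer than 5) Market demand for architectural solutions Security is as strong as the weakest link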

7 Unified Security Architecture
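Check Point closes the security gaps Security management Data security Endpoint security / AV Threat management – IDS, IPS, VA Authentication and authorization Network Security Identity authentication and access management system Check Point 2007 – PURE Security Check Point 2004 – Unified Security Architecture Check Point VPN Check Point FireWall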

8 Protect the network from attacks
Check Point product line Small business Medium business Data center CUSTOMER NEED Consumer Enterprise VPN-1 UTM VPN-1 Power Protect the network from attacks ZoneAlarm Router Office VPN-1 UTM Edge VPN-1 Power VSX Remote, mobile connection, protect corporate web assets SecureClient & Connectra SmartDefense UTM InterSpect / IPS SmartDefense PA SmartDefense Power Latest security updates, detailed attack information Integrity Security at the endpoint ZoneAlarm Security Suite SmartCenter SMART Smart Portal / SMP Provider-1 Eventia Centralized configuration, monitoring, logging, reporting OPSEC

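9 Market positioning – mid-range market Performance UTM-1 Price US$ Home use/ Large enterprise/ Branch office or medium business Small company Data center VPN-1 UTM,
Hardware appliances 10 Gbps VPN-1 UTM, VPN-1 Power Performance The right Platform UTM-1 1 Gbps Edge 100 Mbps $300 $3,000 $15,000 Price US$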

10 Check Point’s Proven Security
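The network security product you need Check Point's Proven Security Provides the network security you need Built-in central management More than ten network security software functions Integrated in a single appliance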

11 Delivering Total Security
standard The best Firewall in the market VoIP SQL Instant Msg P2P HTTP FTP VPN (site-to-site, remote access) standard subscription Antivirus (at the gateway)
UTM-1 includes Check Point's industry leading firewall which protects over 150 applications and services including business critical applications such as Voice over IP, as well as productivity killers such as Instant Messaging and Peer-to-Peer file sharing applications. For intrusion prevention, UTM-1 also includes Check Point's SmartDefense intrusion prevention standard, as well as key malware protection with gateway antivirus and gateway spyware blocking. With version R65, UTM-1 appliances now integrate best of breed SurfControl web filtering. Web filtering settings and policy configuration have been neatly integrated into Check Point's SmartCenter management to make setting up an acceptable use policy for web surfing easy. For secure connectivity, UTM-1 includes complete IPSec based site to site connectivity and remote access with the ability to easily add SSL VPN remote access capabilities without the need for additional hardware. The ability to add SSL VPN easily is a great example of how UTM-1 appliances can easily be expanded to add customized security features. Beyond SSL VPN, other add-ons are also available such as Web application firewall and other specialized security features. This gives you the ability to tailor the features you need specifically for your environment.
Intrusion prevention subscription subscription Web Filtering subscription Anti spyware subscription SSL VPN subscription Messaging security NEW! * End of Q1 2007

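12 UTM-1 Models
UTM-1 450: Pricing $531,000; Users Unlimited; Remote Users 5; Management 3 Sites; Subscription 15 Days; HW Warranty 2 Years
UTM-1 1050: Pricing $885,000; Users Unlimited; Remote Users 5; Management 3 Sites; Subscription 15 Days; HW Warranty 2 Years
UTM-1 2050: Pricing $1,097,400; Users Unlimited; Remote Users 5; Management 5 Sites; Subscription 15 Days; HW Warranty 2 Years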

13 Different Appliances for Different Needs
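UTM-1 450: Ethernet ports 4 GE; FW throughput 400 Mbps; VPN throughput 190 Mbps; Sessions 500,000; Users (rec.) 250; USB ports 1
UTM: Ethernet ports 4 GE + 4 FE; FW throughput 1 Gbps; VPN throughput 250 Mbps; Sessions 1.2 million; Users (rec.) 500; USB ports 2
UTM: Ethernet ports 4 GE + 4 FE; FW throughput 2 Gbps; VPN throughput 400 Mbps; Sessions 2 million; Users (rec.) 1,000; USB ports 2
More models to be released soon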

14 Management Flexibility
Appliance can work stand-alone Appliance can be used to manage other appliances Appliance can be managed by existing SmartCenter / Provider-1 infrastructure Management platform pre-loaded, no separate system required Existing Check Point management platform Fits in the Check Point Unified Security Architecture

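15 Check Point: IPS-1 family High-performance intrusion prevention system (IPS) Precise protection against known and unknown attacks
Adaptive and manageable network security Intelligent application of security policy in dynamic environments Precise protection against known and unknown attacks Integrates preemptive protection from SmartDefense with the granular attack detection provided by the IPS-1 engine for precise, real-time attack protection NFR/InterSpect integrated into VPN-1 Easy-to-use, high-performance turnkey appliance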

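16 Check Point: A unique, complete network security architecture
A fully integrated security architecture Preemptively stops network attacks Eliminates worms, viruses, spyware and spam Protects PCs, mobile devices and remote connections Meets control and management requirements Delivers complete network security with point-to-point coverage Check Point is the only security vendor offering this kind of integrated architecture Unified Security Architecture: SMART Management Policy management User provisioning Event management and reporting Auditing and compliance VPN tunnel Endpoint control Security suite – AV, etc. Remote access Application awareness IDS/IPS Firewall VPN gateway Content security VPN client Personal firewall Security suite – AV, etc. Network security End-to-end security Remote client Data center Perimeter Mobile Desktop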

17 Unified security architecture
Fully integrated… Network security is already fully covered Network security End-to-end security Unified security architecture

18 …is still not enough Our data still faces more threats Moving data by electronic transfer is easier than you think!

19 Data security Data security layer Unified security architecture Network security End-to-end security
VPN tunnel Endpoint control Security suite – AV, etc. Remote access Application awareness IDS/IPS Firewall VPN gateway Content security VPN client Personal firewall Security suite – AV, etc. Network security End-to-end security Remote client Data center Perimeter Mobile Desktop Unified security architecture Policy management User provisioning Event management and reporting Auditing and compliance Data security Port control Media encryption Disk encryption Gateway protection

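20 Data security challenges Information leakage Data security issues in the headlines Intentional or accidental Large files: e-mail transfer, upload Data collection: copying (USB/DVD)
Entire systems: lost or stolen Laptops are on the front line Data security issues in the headlines 60% of information theft results from lost or stolen devices In the United States, more than 84 million personal records were exposed between February 2005 and May 2006 Concern about liability and privacy is rising in light of legal disclosure requirements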

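21 Pointsec: The most important first step in protecting data
The leading data security solution 100% data encryption (disk and channel) Highest level of certification No-click operation Enterprise management Works on all platforms Microsoft PCs Mobile phones PDAs About Pointsec Founded in Stockholm in 1987 : Major breakthrough 2006 sales reached US$74.1 million 2007: Acquired by Check Point Becomes part of the unified security architecture Roughly estimated at US$600 million Data security layer Port control Media encryption Disk encryption Gateway protection End-to-end security Remote client Data center Perimeter Mobile Desktop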

22 Data security Data security: only the first step In developing data security, we still have many products to develop
Unified security architecture Policy management User provisioning Event management and reporting Auditing and compliance VPN tunnel Endpoint control Security suite – AV, etc. Remote access Application awareness IDS/IPS Firewall VPN gateway Content security VPN client Personal firewall Security suite – AV, etc. Network security Data security Port control Media encryption Disk encryption Gateway protection In developing data security, we still have many products to develop End-to-end security Remote client Data center Perimeter Mobile Desktop

23 Application awareness Personal firewall Security suite – AV, etc.
Future roadmap of the unified security architecture Unified security architecture Policy management User provisioning Event management and reporting Auditing and compliance Complete endpoint security VPN tunnel Endpoint control Security suite – AV, etc. Remote access Application awareness IDS/IPS Firewall VPN gateway Content security VPN client Personal firewall Security suite – AV, etc. Network security Integrated data and network gateway Integrated mobile client Data security Port control Media encryption Disk encryption Gateway protection End-to-end security Remote client Data center Perimeter Mobile Desktop

24 Endpoint Security – Integrity

25 Integrity Functions Endpoint Protection Access Control Management Stop
… Keystroke Loggers … Trojan Horses … Network Infections … Hacker Intrusions … Unsafe Connections … IM Threats Enforce … AV, Patches, FW … Application Policy … Remote & LAN … Employee & Guest … Wired & Wireless … Silent Remediation Capabilities … Deployment and integration … Centralized policy management and enforcement … Flexibility and high availability Stop … Port Scans … Hacker intrusions … New malware … Application attacks … Spyware … IM threats Enforce … Antivirus, patches, firewall … Application policy … Remote and internal access … Employees and guests … Wireless and wired Management Enable … Rapid Deployment & Integration … Central Administration & Enforcement … Automated Client and Security Updates

26 Integrity Components Endpoint Protection Access Control
Stateful PC Firewall Check Point Integration Application Controls VPN Integration Intrusion Prevention 802.1x Integration Anti-Spyware Total Client Lockdown
Surprisingly, not all enterprise personal firewalls are stateful. And not all make it easy to define rules for Trusted and Untrusted network zones like Integrity does. “Stealthing” the PC is a supplemental function of the stateful FW. App controls include auto-discovery of all apps seeking network connections and creation of a “black list”; stopping many varieties of spyware; and stopping worms from e-mailing themselves to users’ address books. Most products stop only some of these things. Host IPS can be done in different ways: via complex rule scripting, or using sophisticated packet inspection technology that doesn’t require the administrator to write rules. We use CP technologies like MCP to do this. Anti-spyware: beyond stopping spyware from sending info out to an attacker, AS should include removal of installed spies (in next Integrity release) and preventing installation of spies in the first place (as ZASS technology will do for Integrity). Doesn’t make sense for a customer to have to install separate client software and use a separate management console and server. Standalone enforcement: for when integration with a network device isn’t possible, and when the user isn’t connected to the enterprise. Secure remediation: either an easy end user process, or an automated process that uses checksums to ensure that update files haven’t been spoofed before they’re installed (in Integrity NGX release). Central management includes both manual and automated app rule definition. SDPA service is a huge benefit to admins because it greatly reduces the need to research discovered apps. Deployment includes mgt server set-up and silent, remote installs of client SW. Integration includes DBs, user directories, and SW mgt tools in addition to gateways. Scalability includes the ability to manage unlimited numbers of users at the same time with minimum server cost; load balancing; customizable admin roles and domains; and hot failover to multiple servers if desired. Not all endpoint security products have all these capabilities – in fact, this comprehensive set is unique to Integrity.
IM Security Secure Remediation Management Central Policy Management & Enforcement Deployment & Integration Automated Updates

27 Unified Security Management
Single Management System Universal Updates
Objective of Unified Security Management is to greatly simplify enterprise security administration, improve incident response, and reduce the huge training and maintenance expense associated with having separate management systems for each security point product. In this implementation of TAP, Integrity cooperates with Check Point gateways at each PC access point to control network access and enforce policy. Because it has been integrated into the NGX platform for unified management, Integrity endpoint security and TAP can now be managed in sync with enterprise-wide security functions, all from a common server, management console, and reporting and analysis system. Only Check Point offers such comprehensive and unified enterprise security management of endpoint security, NAC, and other critical security layers. The NGX platform delivers unified security architecture across the most critical layers of network security: the network perimeter, network core, Web applications and the endpoints. Specifically: Unified security management reduces overhead by allowing administrators to define, manage and update policies on the PIWE from a single SmartCenter console. From that same console, network administrators can upload the latest security signatures to defenses on the PIWE without service interruptions. Intelligent inspection technologies are shared across all layers of the network, ensuring consistent protection.
Total Visibility

28 Thank you!

