About author
Valeri Loukine
CCMA 0019
Ex-Check Point Senior Security Consultant - Dimension Data
Email: varera@gmail.com
Blog: http://checkpoint-masterarchitect.blogspot.com/
CPUG 2011 Chur Switzerland
Wednesday, September 14, 2011
Agenda
- FW performance
- SecureXL
- Multi-Core Firewalling
- CoreXL
Firewall is slow

Routing without FW (diagram): IP Stack -> OS Network Layer
Routing with FW (diagram): IP Stack -> Check Point Firewall Kernel -> OS Network Layer -> Network Interface Card

FW is slow
- Secured kernel
- Packets are queued
- Packets are matched against the rulebase
- Rulebases can be huge
System bottlenecks
- RAM latency
- RAM throughput
- PCI bus
- CPU speed

(Diagram: each bottleneck shown against the IP Stack.)
FW Acceleration

(Diagram: IP Stack -> Check Point Firewall Kernel -> OS Network Layer -> FW Acceleration Device -> Network Interface Card; the acceleration device is inserted between the OS network layer and the NIC.)
SecureXL
- API for FW acceleration
- HW or SW implementation

We gain
- Increased packet rate and throughput
- Better session rate (with templates)
- Sync tuning (delayed synchronization)

Software Acceleration
- Check Point Performance Pack
- SPLAT, Linux, Solaris (no VLANs)
- IPSO SW

Hardware Acceleration
First packet

(Diagram: Web Client 192.168.0.1 -> Firewall with Acceleration Device -> Web Server 10.0.0.1)

Table columns: source IP, source port, destination IP, destination port, protocol (6 = TCP).

Step 1 - the first packet of a new connection is matched in the Firewall Kernel:

  Firewall Kernel table
    192.168.0.1   10001   10.0.0.1   80   6
  Acceleration table
    (empty)

Step 2 - the connection is offloaded to the acceleration table and a template is created, with the source port wildcarded:

  Firewall Kernel table
    192.168.0.1   10001   10.0.0.1   80   6
  Acceleration table
    192.168.0.1   10001   10.0.0.1   80   6
  Template:
    192.168.0.1   *       10.0.0.1   80   6

Next packets

The following packets of the same connection are handled by the acceleration device; the tables are unchanged:

  Firewall Kernel table
    192.168.0.1   10001   10.0.0.1   80   6
  Acceleration table
    192.168.0.1   10001   10.0.0.1   80   6
  Template:
    192.168.0.1   *       10.0.0.1   80   6

New connection

A new connection from source port 10002 matches the template, so it is added directly to the acceleration table and the Firewall Kernel table is updated:

  Firewall Kernel table
    192.168.0.1   10001   10.0.0.1   80   6
    192.168.0.1   10002   10.0.0.1   80   6
  Acceleration table
    192.168.0.1   10001   10.0.0.1   80   6
    192.168.0.1   10002   10.0.0.1   80   6
  Template:
    192.168.0.1   *       10.0.0.1   80   6
Info offloaded
- NAT parameters
- Encryption (cryptography) parameters
- Wire Mode on the connection
- Accounting
- Sequence change (SYN Defender, SYN attack)
- Sequence Verifier validations
- Anti-Spoofing parameters
(c) Valeri Loukine 2011
FW monitor
Acceleration Status

[Expert@cpmodule]# fwaccel stat
Accelerator Status : on
Templates : enabled
Accelerator Features : Accounting, NAT, Cryptography, Routing, HasClock, Templates, Synchronous, IdleDetection, Sequencing, TcpStateDetect, AutoExpire, DelayedNotif, TcpStateDetectV2, CPLS, WireMode
Cryptography Features : Tunnel, UDPEncapsulation, MD5, SHA1, NULL, 3DES, DES, CAST, CAST-40, AES-128, AES-256, ESP, LinkSelection, DynamicVPN, NatTraversal, EncRouting
Limitations
- Per rule: some rules cannot be accelerated
- Per connection: some packets cannot be accelerated
Templates
- The Performance Pack notifies the FW about each newly opened connection and about each state change
- These connections will appear in the FW connection table with updated status
- Each template has a timeout of 60 seconds
- When a new connection matches the same template, the timeout is reset to 0
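The table walkthrough above (first packet, next packets, new connection on port 10002) and the template timeout can be replayed in a small simulation. This is an added illustrative model, not Check Point's code: the class names, the `handle()` method and its path labels are assumptions, and the 60-second timeout is the value from the slides.

```python
# Simplified model of the SecureXL acceleration table and templates (illustration, not Check Point code).
from dataclasses import dataclass, field

TEMPLATE_TIMEOUT = 60.0  # seconds; a template times out after 60 s per the slides

@dataclass(frozen=True)
class FiveTuple:
    src: str
    sport: int
    dst: str
    dport: int
    proto: int  # 6 = TCP

@dataclass
class Accelerator:
    conns: set = field(default_factory=set)        # acceleration table: exact 5-tuples
    templates: dict = field(default_factory=dict)  # (src, dst, dport, proto) -> last refresh
    fw_kernel: set = field(default_factory=set)    # FW kernel connection table
    templates_enabled: bool = True                 # False models 'Templates : disabled'

    def _expire_templates(self, now: float) -> None:
        # Drop templates idle for TEMPLATE_TIMEOUT seconds or more.
        self.templates = {k: t for k, t in self.templates.items() if now - t < TEMPLATE_TIMEOUT}

    def handle(self, pkt: FiveTuple, now: float) -> str:
        """Return the path a packet takes: 'accelerated', 'template' or 'fw'."""
        self._expire_templates(now)
        if pkt in self.conns:
            return "accelerated"  # next packets of a known connection skip the FW kernel
        key = (pkt.src, pkt.dst, pkt.dport, pkt.proto)  # source port is the wildcard
        if key in self.templates:
            # New connection matching a template: offloaded directly; the Performance
            # Pack notifies the FW kernel of it and the template timer restarts at 0.
            self.templates[key] = now
            self.conns.add(pkt)
            self.fw_kernel.add(pkt)
            return "template"
        # First packet of an unknown connection: rulebase match in the FW kernel,
        # then the connection is offloaded and a template is created.
        self.fw_kernel.add(pkt)
        self.conns.add(pkt)
        if self.templates_enabled:
            self.templates[key] = now
        return "fw"

def demo() -> list:
    # Replay the slides' example: port 10001 first, then a new connection on 10002.
    acc = Accelerator()
    c1 = FiveTuple("192.168.0.1", 10001, "10.0.0.1", 80, 6)
    c2 = FiveTuple("192.168.0.1", 10002, "10.0.0.1", 80, 6)
    return [acc.handle(c1, 0.0), acc.handle(c1, 1.0), acc.handle(c2, 2.0)]
```

Running `demo()` shows the three paths in order: the first packet goes to the FW kernel, the next packet of that connection is accelerated, and the new connection on port 10002 is offloaded through the template.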
Templates - limitations
- Time objects
- Dynamic objects
- Domain objects
- Source port ranges
- Some IPS features
Templates - limitations

[expert@cpmodule]# fwaccel stat
Templates : disabled by FireWall-1 starting from rule # 5

No templates for:
- Any F2F (complex connections: H323, FTP, etc.)
SecureXL limitations
- SDF
- QoS
- Multicast on SPLAT
- VLAN IF on Solaris
Multi-Core

FW kernel
- Does complicated security enforcement
- Before R70: uses only a single core
- Only one packet can be handled at a time, regardless of the number of CPUs/cores

Challenges
- Use more cores for the FW kernel
- Advanced security features (IPS)
Medium path
- The packet is handled by the SecureXL device, except for IPS processing
CoreXL
- The firewall kernel is replicated on multiple cores

Dispatcher
- Secure Network Dispatcher (SND)
- This component distributes the packets of each connection between the firewall instances
(Diagram: eth0 and eth1 feed the Dispatcher (PPK) running on Core 0 and Core 1; per-instance queues pass packets to the firewall instances on Core 2, Core 3 and Core 4, each with an FW path and a Medium path. Animation frames: "Accelerated - Syn", "Accelerated - SynAck" and "No template".)
CoreXL OS
- SPLAT
- IPSO
- Crossbeam XOS

Not supported
- QoS
- Traffic view in SVM
- GX
- Route based VPN
- IPv6
- SMTP resource
- Overlapping NAT
VPN challenge
- VPN has a state per tunnel, not just per connection

VOIP challenge
- A VoIP session contains many connections
- Session data is shared by all connections
- It is difficult to know in advance which connection belongs to which session instance
Summary
- Different ways to boost performance: SecureXL, CoreXL
- Limitations, limitations, limitations