
Getting the maximum out of your firewall

SecureXL and CoreXL, pros and cons

CPUG 2011 Chur Switzerland


Wednesday, September 14, 2011

(c) Valeri Loukine 2011

About the author
Valeri Loukine
CCMA 0019
Ex-Check Point Senior Security Consultant - Dimension Data
Email: varera@gmail.com
Blog: http://checkpoint-masterarchitect.blogspot.com/

Agenda
- FW performance
- SecureXL
- Multi-Core Firewalling
- CoreXL

Firewall is slow


Routing without FW
IP Stack

OS Network Layer

Network Interface Card


Routing with FW
IP Stack
Check Point Firewall Kernel
OS Network Layer
Network Interface Card


FW is slow
- Secured kernel
- Packets are queued
- Packets are matched against the rulebase
- Rulebases can be huge

System bottlenecks


System bottlenecks
- RAM latency
- RAM throughput
- PCI bus
- CPU speed

Packet path they act on:
IP Stack
Check Point Firewall Kernel
OS Network Layer
Network Interface Card


FW Acceleration
IP Stack
Check Point Firewall Kernel
OS Network Layer
FW Acceleration Device
Network Interface Card


SecureXL
- API for FW acceleration
- HW or SW implementation


We gain
- Increased packet rate and throughput
- Better session rate (with templates)
- Sync tuning (delayed synchronization)


How much better

Up to 4 times with SecureXL only


Software Acceleration
- Check Point Performance Pack: SPLAT, Linux, Solaris (no VLANs)
- IPSO (software implementation)


Hardware Acceleration

ADP cards: IP appliances, more recently Power-1


How to make it work
- Must be installed: Performance Pack or a hardware acceleration device
- Must be licensed
- Ways to switch it on/off (CLI):
  fwaccel on
  fwaccel off
  Via cpconfig the setting is written to the configuration and survives a reboot.

SecureXL under the hood


First packet
Topology: Web Client 192.168.0.1 -> Firewall with Acceleration Device -> Web Server 10.0.0.1


First packet
Firewall Kernel table:
  src          sport  dst       dport  proto
  192.168.0.1  10001  10.0.0.1  80     6
Acceleration table:
  (empty)


First packet
Firewall Kernel table:
  192.168.0.1  10001  10.0.0.1  80  6
Acceleration table:
  192.168.0.1  10001  10.0.0.1  80  6
Template:
  192.168.0.1  *      10.0.0.1  80  6


Next packets
Firewall Kernel table:
  192.168.0.1  10001  10.0.0.1  80  6
Acceleration table:
  192.168.0.1  10001  10.0.0.1  80  6
Template:
  192.168.0.1  *      10.0.0.1  80  6



New connection
Firewall Kernel table:
  192.168.0.1  10001  10.0.0.1  80  6
Acceleration table:
  192.168.0.1  10001  10.0.0.1  80  6
Template:
  192.168.0.1  *      10.0.0.1  80  6
A new connection arrives from source port 10002; it matches the template.

New connection
Firewall Kernel table:
  192.168.0.1  10001  10.0.0.1  80  6
  192.168.0.1  10002  10.0.0.1  80  6
Acceleration table:
  192.168.0.1  10001  10.0.0.1  80  6
  192.168.0.1  10002  10.0.0.1  80  6
Template:
  192.168.0.1  *      10.0.0.1  80  6


Info offloaded
- NAT parameters
- Encryption (cryptography) parameters
- Wire Mode on the connection
- Accounting
- Sequence change (SYN Defender, SYN attack protection)
- Sequence Verifier validations
- Anti-Spoofing parameters

fw monitor
fw monitor only sees packets passing through the FW kernel, not those handled by the acceleration device.


Acceleration Status
[Expert@cpmodule]# fwaccel stat
Accelerator Status : on
Templates : enabled
Accelerator Features : Accounting, NAT, Cryptography, Routing, HasClock, Templates, Synchronous, IdleDetection, Sequencing, TcpStateDetect, AutoExpire, DelayedNotif, TcpStateDetectV2, CPLS, WireMode
Cryptography Features : Tunnel, UDPEncapsulation, MD5, SHA1, NULL, 3DES, DES, CAST, CAST-40, AES-128, AES-256, ESP, LinkSelection, DynamicVPN, NatTraversal, EncRouting


Limitations
- Per rule: some rules cannot be accelerated
- Per connection: some packets cannot be accelerated

Non-accelerated connections
- The FW itself is the source or destination
- Connections with a handler
- Non-supported features


Limitations per connection
- Only some packets are not accelerated: violations and special packets
- Even if a packet is forwarded to the FW for one of the above reasons, the rest of the connection is still accelerated


Templates
- The Performance Pack notifies the FW about each newly opened connection and about each state change
- These connections appear in the FW connection table with their updated status
- Each template has a timeout of 60 seconds
- When a new connection matches the template, the timeout is reset to 0
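The walk-through above (first packet, next packets, new connection) and the Templates slide describe a lookup order without spelling it out as an algorithm. The Python model below is added here to make it executable; it is not part of the deck and not Check Point code. Its simplifications are assumptions: the template key is (src, dst, dport, proto) with the source port wildcarded, the 60 s timeout is kept as a last-hit timestamp, and the first rule that cannot be templated turns templating off for itself and every rule below it, which is how the "disabled by FireWall-1 starting from rule #" message in this deck is read here.

```python
"""Toy model of the SecureXL connection table and templates (added example, not Check Point code)."""
from dataclasses import dataclass
from typing import Optional

TEMPLATE_TIMEOUT = 60.0  # seconds, from the slides


@dataclass(frozen=True)
class Rule:
    src: str                  # IP or "any"
    dst: str                  # IP or "any"
    dport: int
    proto: int                # 6 = TCP, 17 = UDP
    action: str               # "accept" or "drop"
    templatable: bool = True  # False for time/dynamic/domain objects, source port ranges, ...


@dataclass
class Template:
    action: str
    last_hit: float           # reset on every new connection that matches


class SecureXL:
    def __init__(self, rulebase):
        self.rulebase = list(rulebase)
        self.kernel_table = {}  # FireWall-1 connection table: 5-tuple -> action
        self.accel_table = {}   # acceleration device table:  5-tuple -> action
        self.templates = {}     # (src, dst, dport, proto) -> Template
        self.rulebase_lookups = 0

    def templates_disabled_from(self) -> Optional[int]:
        """1-based number of the first rule that switches templating off, or None."""
        for idx, rule in enumerate(self.rulebase):
            if not rule.templatable:
                return idx + 1
        return None

    def _match(self, src, dst, dport, proto):
        """Linear rulebase walk: the expensive step templates exist to skip."""
        self.rulebase_lookups += 1
        for idx, rule in enumerate(self.rulebase):
            if (rule.src in ("any", src) and rule.dst in ("any", dst)
                    and rule.dport == dport and rule.proto == proto):
                return idx, rule
        return None, None  # implicit cleanup drop

    def packet(self, src, sport, dst, dport, proto, now):
        """Return (action, path) with path in accelerated | template | firewall."""
        key = (src, sport, dst, dport, proto)
        if key in self.accel_table:                    # rest of the connection
            return self.accel_table[key], "accelerated"

        tkey = (src, dst, dport, proto)                # source port wildcarded
        tmpl = self.templates.get(tkey)
        if tmpl is not None and now - tmpl.last_hit < TEMPLATE_TIMEOUT:
            tmpl.last_hit = now                        # "timeout is reset to 0"
            self.accel_table[key] = tmpl.action
            self.kernel_table[key] = tmpl.action       # PPK notifies the FW kernel
            return tmpl.action, "template"
        if tmpl is not None:
            del self.templates[tkey]                   # idle for 60 s: expired

        idx, rule = self._match(src, dst, dport, proto)   # first packet: firewall path
        action = rule.action if rule else "drop"
        if action == "accept":
            self.kernel_table[key] = action
            self.accel_table[key] = action             # accelerated even without a template
            cutoff = self.templates_disabled_from()
            if cutoff is None or idx + 1 < cutoff:
                self.templates[tkey] = Template(action, now)
        return action, "firewall"


def demo():
    fw = SecureXL([
        Rule("192.168.0.1", "10.0.0.1", 80, 6, "accept"),               # rule 1
        Rule("any", "10.0.0.2", 443, 6, "accept", templatable=False),   # rule 2: e.g. a time object
        Rule("192.168.0.1", "10.0.0.3", 22, 6, "accept"),               # rule 3: below the cutoff
    ])
    flows = [  # constructed traffic, same addresses as the slides
        ("192.168.0.1", 10001, "10.0.0.1", 80, 6, 0.0),   # first packet -> firewall, template built
        ("192.168.0.1", 10001, "10.0.0.1", 80, 6, 0.1),   # next packet  -> accelerated
        ("192.168.0.1", 10002, "10.0.0.1", 80, 6, 1.0),   # new conn     -> template, no rulebase walk
        ("192.168.0.1", 20001, "10.0.0.3", 22, 6, 2.0),   # rule 3       -> firewall, no template
        ("192.168.0.1", 20002, "10.0.0.3", 22, 6, 3.0),   # rule 3 again -> firewall again
        ("192.168.0.1", 10003, "10.0.0.1", 80, 6, 70.0),  # template idle > 60 s -> firewall
    ]
    paths = [fw.packet(*f)[1] for f in flows]
    return fw, paths
```

Running demo() shows the cost of a badly placed rule: every new SSH connection matched by rule 3 walks the rulebase because rule 2 sits above it, while the HTTP connections matched by rule 1 are opened from the template.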

Templates - limitations
- Time objects
- Dynamic objects
- Domain objects
- Source port ranges
- Some IPS features

Templates - limitations
[expert@cpmodule]# fwaccel stat
Templates : disabled by FireWall-1 starting from rule # 5


No templates for
- Any F2F (complex) connections: H.323, FTP, etc.
- Encrypted connections
- NAT-ed connections


Template table size

! of the FireWall-1 connection table


SecureXL limitations
- SDF
- QoS
- Multicast on SPLAT
- VLAN interfaces on Solaris

Multi-Core


FW kernel
- Does the complicated security enforcement
- Before R70: uses only a single core
- Only one packet can be handled at a time, regardless of the number of CPUs/cores


Performance Pack kernel
- Handles the simpler security enforcement (TCP state etc.)
- Code is light and optimized
- Locking paradigm allows parallel packet processing
- Can utilize multiple CPUs/cores



Challenges
- Use more cores for the FW kernel
- Advanced security features (IPS)


Medium path


Old way of doing things
- Firewall path: slow, FW kernel
- Accelerated path: fast, SecureXL, limited



New way - middle path
- Firewall path
- Middle path: ALMOST accelerated
- Accelerated path


Medium path
- The packet is handled by the SecureXL device, except for IPS processing
- The CoreXL layer passes the packet to one of the firewall instances to perform the IPS processing
- Only available when CoreXL is enabled



CoreXL


CoreXL
- The firewall kernel is replicated on multiple cores
- Each instance is a complete and independent FW kernel
- Instances run concurrently
- They need a dispatcher



Dispatcher
- Secure Network Dispatcher (SND)
- This component distributes the packets between the instances
- Maintains perfect stickiness of a connection to its instance


How does it look
(Diagram; only its labels survived extraction.) Interfaces eth0 and eth1 feed the Dispatcher/PPK running on Core 0 and Core 1. Each dispatcher hands packets through a queue to the firewall instances on Core 2, Core 3 and Core 4, and every instance runs both the FW path and the medium path.

How does it work / Accelerated - Syn / Accelerated - SynAck / No template
(Animation steps on the same diagram: an accelerated SYN, an accelerated SYN-ACK, and a connection with no template. Only the slide titles survived extraction.)

CoreXL OS
- SPLAT
- IPSO
- Crossbeam XOS


Not supported

- QoS
- Traffic view in SmartView Monitor (SVM)
- GX
- Route-based VPN
- IPv6
- SMTP resource
- Overlapping NAT

VPN challenge
- VPN has state per tunnel, not just per connection
- A tunnel can serve many connections, which might be handled on different cores


VOIP challenge
- A VoIP session contains many connections
- Session data is shared by all connections
- It is difficult to know in advance which connection belongs to which session
- Hard to get all of them on the same instance



Solution for both


- Handle all VPN and VoIP connections on one instance only
- Price to pay: no scalability with CoreXL for VPN and VoIP
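The Dispatcher, VPN challenge and VoIP challenge slides state requirements (a connection sticks to one instance; VPN and VoIP stay on a single instance) without showing a mechanism. The model below is added here to make them concrete; it is not the deck's content and not Check Point's SND code. Every design choice in it is an assumption: a SHA-1 hash over a direction-independent key picks the instance, VPN is recognised as ESP/AH or UDP 500/4500, VoIP as SIP (5060) or H.323 call signalling (1720), and instance 0 is the pinned instance.

```python
"""Illustrative CoreXL-style dispatcher (added example, not Check Point code)."""
import hashlib
from collections import Counter

PINNED_INSTANCE = 0                   # assumed: the one instance that gets VPN and VoIP
VPN_IP_PROTOCOLS = {50, 51}           # ESP, AH
VPN_UDP_PORTS = {500, 4500}           # IKE, IKE over NAT-T
VOIP_SIGNALLING_PORTS = {5060, 1720}  # SIP, H.323/H.225


def connection_key(src, sport, dst, dport, proto):
    """Identical for both directions, so a reply lands where the request did."""
    lo, hi = sorted([(src, sport), (dst, dport)])
    return f"{proto}|{lo[0]}:{lo[1]}|{hi[0]}:{hi[1]}".encode()


def needs_single_instance(sport, dport, proto):
    """Traffic whose state spans connections: a VPN tunnel or a VoIP session."""
    if proto in VPN_IP_PROTOCOLS:
        return True
    if proto == 17 and ({sport, dport} & VPN_UDP_PORTS):
        return True
    return bool({sport, dport} & VOIP_SIGNALLING_PORTS)


class Dispatcher:
    def __init__(self, instances):
        self.instances = instances
        self.load = Counter()          # instance -> packets dispatched

    def dispatch(self, src, sport, dst, dport, proto):
        if needs_single_instance(sport, dport, proto):
            inst = PINNED_INSTANCE      # the price: no CoreXL scaling for this traffic
        else:
            digest = hashlib.sha1(connection_key(src, sport, dst, dport, proto)).digest()
            inst = int.from_bytes(digest[:4], "big") % self.instances
        self.load[inst] += 1
        return inst


def demo():
    d = Dispatcher(instances=4)
    fwd = d.dispatch("192.168.0.1", 10001, "10.0.0.1", 80, 6)
    rev = d.dispatch("10.0.0.1", 80, "192.168.0.1", 10001, 6)   # reply direction
    # Constructed load: 300 web connections and 300 SIP connections from many clients.
    for i in range(300):
        d.dispatch(f"192.168.1.{i % 250 + 1}", 20000 + i, "10.0.0.1", 80, 6)
        d.dispatch(f"192.168.2.{i % 250 + 1}", 30000 + i, "10.0.0.5", 5060, 17)
    return fwd, rev, d.load
```

demo() returns the same instance for both directions of the web connection, and a load counter in which instance 0 carries all 300 SIP connections plus its hashed share of the rest: the imbalance the "price to pay" slide refers to.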


Get some control


[Expert@cpmodule]# fw ctl multik stat
ID | Active | CPU | Connections | Peak
------------------------------------------
 0 | Yes    | 7   |       30703 | 34344
 1 | Yes    | 6   |       31856 | 35504
 2 | Yes    | 5   |       32181 | 35217
 3 | Yes    | 4   |       30393 | 33898
 4 | Yes    | 3   |       30404 | 33928
 5 | Yes    | 2   |       30471 | 33720


Get some control


[Expert@cpmodule]# fw ctl affinity -l -r
CPU 0:  eth0 eth1
CPU 1:  eth4 eth5
CPU 2:  fw_5
CPU 3:  fw_4
CPU 4:  fw_3
CPU 5:  fw_2
CPU 6:  fw_1
CPU 7:  fw_0
All:    eth2 dtlsd in.asessiond fwd vpnd in.aufpd cpd cprid
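The fwaccel stat, fw ctl multik stat and fw ctl affinity -l -r outputs on these slides are what an engineer reads when a gateway underperforms. The Python below is added here to turn them into checks; it is not Check Point code. The sample outputs are constructed from the text on the slides (column spacing is approximate), the 25% spread threshold is an assumption, and the eth2 finding follows from eth2 being listed under "All" in the affinity output above rather than under a CPU.

```python
"""Checks over SecureXL/CoreXL status output (added example, not Check Point code)."""
import re

# Samples constructed from the slide text.
FWACCEL_STAT_OK = """\
Accelerator Status : on
Templates : enabled
Accelerator Features : Accounting, NAT, Cryptography, Routing, HasClock, Templates
"""
FWACCEL_STAT_TEMPLATES_OFF = """\
Accelerator Status : on
Templates : disabled by FireWall-1 starting from rule # 5
"""
MULTIK_STAT = """\
ID | Active | CPU | Connections | Peak
------------------------------------------
 0 | Yes    | 7   |       30703 | 34344
 1 | Yes    | 6   |       31856 | 35504
 2 | Yes    | 5   |       32181 | 35217
 3 | Yes    | 4   |       30393 | 33898
 4 | Yes    | 3   |       30404 | 33928
 5 | Yes    | 2   |       30471 | 33720
"""
AFFINITY = """\
CPU 0:  eth0 eth1
CPU 1:  eth4 eth5
CPU 2:  fw_5
CPU 3:  fw_4
CPU 4:  fw_3
CPU 5:  fw_2
CPU 6:  fw_1
CPU 7:  fw_0
All:    eth2 dtlsd in.asessiond fwd vpnd in.aufpd cpd cprid
"""


def parse_fwaccel_stat(text):
    """Accelerator and template status from `fwaccel stat`."""
    st = {"accelerator_on": False, "templates_enabled": False,
          "templates_disabled_from_rule": None}
    for line in text.splitlines():
        key, _sep, value = (s.strip() for s in line.partition(":"))
        if key == "Accelerator Status":
            st["accelerator_on"] = value.lower() == "on"
        elif key == "Templates":
            st["templates_enabled"] = value.lower() == "enabled"
            m = re.search(r"rule\s*#\s*(\d+)", value)  # "... starting from rule # N"
            st["templates_disabled_from_rule"] = int(m.group(1)) if m else None
    return st


def parse_multik_stat(text):
    """One dict per firewall instance from `fw ctl multik stat`."""
    rows = []
    for line in text.splitlines():
        c = [x.strip() for x in line.split("|")]
        if len(c) == 5 and c[0].isdigit():
            rows.append({"id": int(c[0]), "active": c[1] == "Yes", "cpu": int(c[2]),
                         "connections": int(c[3]), "peak": int(c[4])})
    return rows


def connection_spread(rows):
    """(max - min) / max of live connections over active instances; 0.0 is even."""
    n = [r["connections"] for r in rows if r["active"]]
    return (max(n) - min(n)) / max(n) if n and max(n) else 0.0


def parse_affinity(text):
    """'CPU n' / 'All' -> interfaces and daemons from `fw ctl affinity -l -r`."""
    out = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and (key.startswith("CPU") or key.strip() == "All"):
            out[key.strip()] = value.split()
    return out


def review(fwaccel_text, multik_text, affinity_text, max_spread=0.25):
    """Findings an engineer would raise from the three outputs."""
    findings = []
    acc = parse_fwaccel_stat(fwaccel_text)
    if not acc["accelerator_on"]:
        findings.append("SecureXL is off")
    if acc["templates_disabled_from_rule"] is not None:
        findings.append(f"templates disabled from rule {acc['templates_disabled_from_rule']} onward")
    rows = parse_multik_stat(multik_text)
    if rows and connection_spread(rows) > max_spread:
        findings.append("connections unevenly spread over fw instances")
    aff = parse_affinity(affinity_text)
    for iface in (x for x in aff.get("All", []) if x.startswith("eth")):
        findings.append(f"{iface} is not pinned to a core")   # eth2 on the slide
    for cpu, items in aff.items():
        if cpu != "All" and any(x.startswith("eth") for x in items) \
                and any(x.startswith("fw_") for x in items):
            findings.append(f"{cpu} runs both an interface and a fw instance")
    return findings
```

review() on the slide's own figures reports a healthy instance spread (about 5.6%), the interface cores 0 and 1 cleanly separated from the fw_0..fw_5 instances, and one thing worth fixing: eth2 is not bound to a core.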


Get some control


[Expert@cpmodule]# cpconfig
....
Configuration Options:
----------------------
(1)  Licenses and contracts
(2)  Administrator
(3)  GUI Clients
(4)  SNMP Extension
(5)  PKCS#11 Token
(6)  Random Pool
(7)  Certificate Authority
(8)  Certificate's Fingerprint
(9)  Configure Check Point CoreXL
(10) Automatic start of Check Point Products
(11) Exit


Get some control


Configuring Configure Check Point CoreXL...
===========================================
CoreXL is currently disabled.
Would you like to enable CoreXL (y/n) [y] ? y
This machine has 4 CPUs.
How many firewall instances would you like to enable (2 to 4) [3] ? 3
CoreXL was enabled successfully with 3 firewall instances.
Important: This change will take effect after reboot.


Summary
- Different ways to boost performance
- SecureXL
- CoreXL
- Limitations, limitations, limitations

Questions And Answers


Thank You For Your Time!

