Slide 1: Sharing sales experience in Taiwan's network system integration industry, seen through an analysis of the fifth-generation firewall. 黃淇成 (Steven), Senior Sales Manager, Taiwan. 2011 Check Point Software Technologies Ltd. [Unrestricted] For everyone
Slide 2: The 5th-generation firewall?
Slide 3: Background of the concept: all credit goes to adversity, vision and passion.
Slide 4: The firewall's past: Packet Filters; Application-Layer Gateways.
Slide 5: Firewall evolution

|                        | 1st Gen (1993)                                       | 2nd Gen (1994)                           | 3rd Gen (1997)                                              | 4th Gen (2000)               |
| Operating system       | Open: Solaris, Unix                                  | Proprietary: Finesse (Pxx) OS            | Proprietary: SxxOS                                          | Proprietary: FxxOS           |
| Software features      | Network and application layer; Stateful Inspection   | NAT/PAT                                  | Deep Inspection, Virtual FW                                 | Unified Threat Management    |
| Hardware features      | Open Server (general-purpose processor: GPP; HD)     | Appliance (GPP, Flash, VPN accelerator)  | Appliance (ASIC, modular distributed architecture)          | Appliance (ASIC)             |
| System characteristics | Openness; security with performance; manageability   | Security, stability, performance         | Security, high performance, high scalability and availability | Broad security functionality |
Slide 6: Firewall evolution (first version)

|                              | 1st Gen (1993)                                     | 2nd Gen (1994)                                | 3rd Gen (1997)                                          | 4th Gen (2000)                              |
| Operating system             | Solaris, Unix                                      | Proprietary, Finesse (PIX) OS                 | Proprietary, ScreenOS                                   | Proprietary, FortiOS                        |
| Software features            | Network & application layer; Stateful Inspection   | NAT/PAT                                       | DI FW, VPN, virtual/transparent FW, routing             | UTM; EAL4+, ICSA, NSS certification         |
| Hardware features            | Open Server (GPP)                                  | Appliance (GPP, flash, VPN accelerator card)  | Appliance (ASIC, distributed, modular)                  | Appliance (ASIC content/network processor)  |
| System characteristics       | Openness, manageability                            | Security, stability, performance              | High performance, scalability, high availability        | Multi-function                              |
| Representative brand / model | Check Point FireWall-1                             | NTI (Cisco) PIX-515                           | Netscreen NS-5400                                       | Fortinet FortiGate-800                      |
Slide 7: Gateway function evolution analysis (diagram). Functions that have moved into the gateway: FW, IPS, AV, A-Spam, WAF; NAT, URL filtering, bandwidth control, AppCtrl, DLP; VPN, VoIP (QoS, Sec), WAN acceleration. Diagram nodes: Router, WAN acceleration, bandwidth control, NAT, URL, IPS, WAF, AV, Client/Server, VPN, VoIP, A-Spam, Mail Server, Firewall, Client/Server/Storage. The two big black holes: App Ctrl and DLP.
Slide 8: The origin of the call for next-generation firewalls: "Next Generation Firewalls Include Intrusion Prevention", John Pescatore and Greg Young, Gartner, 2004.
Slide 9: What is a next-generation firewall? Gartner calls it NGFW.
- "Next Generation Firewalls Include Intrusion Prevention", John Pescatore and Greg Young, Gartner, 2004.
- "there will not be a separate MQ [Magic Quadrant] for NGFW: this next generation is not a new product or an artificial label, but a progression of firewall and IPS technology." Greg Young, Defining The Next Generation Firewall Research Note: The Liner Notes (http://blogs.gartner.com/greg_young/2009/10/15/defining-the-nextgeneration-firewall-research-note-the-liner-notes/), Gartner, 2009.
- "NGFWs are emerging that can detect application-specific attacks and enforce application-specific granular security policy, both inbound and outbound." John Pescatore and Greg Young, Defining The Next Generation Firewall Research Note, Gartner, 2009.
Slide 10: What is a next-generation firewall? IDC calls it XTM. XTM (eXtensible Threat Management) provides more and better:
- Security functions: logging, reputation-based protection, event correlation, NAC, vulnerability management automation
- Network capabilities: bandwidth management, high throughput, low latency, support for Unified Communications (UC)
- Management flexibility
XTM in summary: flexible investment and future expansion. Recommendation: UTM for branch offices, XTM for enterprise headquarters.
Slide 11: New-generation / 5th-generation firewall, combining the Gartner, SANS and iThome definitions:
1. Provides traditional firewall functions (Stateful Inspection, NAT, VPN, etc.)
2. Can flexibly add other security or network functions (IPS, Anti-X, QoS, etc.) and has security information and event management intelligence
3. Or can use industry standards (RADIUS, ACL, etc.) to coordinate defense with the network security functions of other devices (IPS, switches, etc.)
4. Identification, protection and management functions based on users (person and computer name) and applications
5. Supports cloud computing and virtualization
6. Hardware resources are not locked in: flexible allocation while maintaining performance
Slide 12: New-generation / 5th-generation firewall (5th Gen)
Operating system: proprietary
Software features:
1. Provides traditional firewall functions (Stateful Inspection, NAT, VPN, etc.)
2. Can flexibly add other security or network functions (IPS, Anti-X, QoS, etc.) and has security information and event management intelligence
3. Or can use industry standards (RADIUS, ACL, etc.) to coordinate defense with the network security functions of other devices (IPS, switches, etc.)
4. Identification, protection and management functions based on users (person and computer name) and applications
5. Supports cloud computing and virtualization
Hardware features:
6. Hardware resources are not locked in: flexible allocation while maintaining performance. Open Server (physical or virtual machine server); Appliance (multi-core GPP, Network Processor, VPN accelerator, a choice of network interface modules, HD or Flash storage)
Slide 13: The authentic new-generation / 5th-generation firewall (5th Gen): Check Point
Operating system: proprietary; SecurePlatform + IPSO -> Gaia
Software features:
1. Provides traditional firewall functions (Stateful Inspection, NAT, VPN, etc.)
2. Can flexibly add other security or network functions (IPS, Anti-X, QoS, etc.) and has security information and event management intelligence
3. Or can use industry standards (RADIUS, ACL, etc.) to coordinate defense with the network security functions of other devices (IPS, switches, etc.)
4. Identification, protection and management functions based on users (person and computer name) and applications
5. Supports cloud computing and virtualization
Delivered through the Software Blade architecture: Gateway blades and Management blades
Hardware features:
6. Hardware resources are not locked in: flexible allocation while maintaining performance. Open Server (physical or virtual machine server); Appliance (multi-core GPP, Network Processor, VPN accelerator, a choice of network interface modules, HD or Flash storage)
Delivered through the Open Performance architecture: CoreXL, SecureXL, ClusterXL
Slide 14: The 5th-generation firewall: Check Point, who can compete? (first version)
5th Gen (2010)
Operating system: proprietary; SecurePlatform + IPSO -> Gaia
Software features: NGFW criteria 1~5, Software Blades
Hardware features: NGFW criterion 6, a flexible platform (advanced, with multi-core GPP + Network Processor); Open Performance Architecture: CoreXL + multi-core CPUs, SecureXL + multi-core network processors, ClusterXL, embedded VPN accelerator
System characteristics: combines all the characteristics of the previous four generations, with independent expansion flexibility and investment protection
Representative brand / model: Check Point Power-1, IP, UTM-1
Slide 15: What about the future??
Slide 16: Gartner Hype Cycle 2010 (figure)
Slide 17: Long united, must divide; long divided, must unite? The answer is on page 6.
Slide 18: Gateway function evolution analysis (the slide 7 diagram shown again). Functions that have moved into the gateway: FW, IPS, AV, A-Spam, WAF; URL filtering, NAT, bandwidth control, AppCtrl, DLP; VPN, VoIP (QoS, Sec), WAN acceleration. Diagram nodes: Router, WAN acceleration, bandwidth control, NAT, URL, IPS, WAF, AV, Client/Server, VPN, VoIP, A-Spam, Mail Server, Firewall, Client/Server/Storage. The two big black holes: App Ctrl and DLP.
Slide 19: Different routes to the same destination. Check Point timeline:
- 1994: The Firewall and Stateful Inspection
- 1997: OPSEC
- 1999: Integrated VPN
- 2002: SmartDefense and Application Intelligence
- 2006: UTM Content Services
- 2009: Software Blades, a revolutionary architecture for security
- 2010: Content, Application and User-Based Policies: application- and user-based policies; in-depth application inspection with over 50,000 widgets and applications supported; user-based policies; gateway content expansion; DLP
Slide 20: Check Point 5th Generation Firewall Meets Gartner's Definition
Gartner's definition:
- Standard first-generation firewall capabilities: use packet filtering, Network Address Translation (NAT), stateful protocol inspection, VPN capabilities, etc.
- Integrated rather than merely collocated network IPS: supports in-line bump-in-the-wire configuration without disrupting network operations
Check Point:
- The IPS Software Blade provides 100% unification with the firewall and includes the latest parallel processing DPI technology on the enforcement point, along with seamless management integration for guaranteed performance and unprecedented levels of protection.
- Check Point enforcement points are deployed inline on Layer 3, or in transparent mode on Layer 2.
- Check Point can perform deep packet inspection and analysis without interrupting network operations, with performance up to 15 Gbps.
Slide 21: Check Point 5th Generation Firewall Meets Gartner's Definition
Gartner's definition:
- Application awareness and full stack visibility
- Extra-firewall intelligence
- Support upgrade paths for integration of new information feeds and new techniques to address future threats
Check Point:
- The powerful combination of Check Point's mature Application Intelligence, IPS and endpoint protection provides comprehensive visibility and control over internal and external applications on the network (i.e., Skype, peer-to-peer, social network).
- The Check Point 5th Generation security solution automatically correlates and acts on security information from all components including firewall, IPS, AV, URL filtering and more. Check Point goes beyond this requirement by providing Suspicious Activity Monitoring to allow the Check Point firewall to proactively block suspicious traffic.
- The Check Point Software Blade Architecture is unrivaled in its ability to quickly and flexibly extend security services on-demand without the addition of new hardware or management complexity.
Slide 22: Integrated on the Gateway: Firewall, VPN, IPS, Application Control, Antivirus & Anti-Malware, URL Filtering. Embrace the 5th-Generation Firewall (also called NGFW by Gartner and XTM by IDC).
Slide 23: Check Point 5th-Gen Firewall
Gateway (Power-1): FW & VPN Software Blades, IPS Software Blade, Application Control Software Blade, Identity Awareness Software Blade, Antivirus & Anti-Malware Software Blade, URL Filtering Software Blade, DLP Software Blade
Management (Smart-1): SmartEvent Software Blade (Unified Event Analysis), SmartWorkflow Software Blade (Policy Change Management)
CHECK POINT UNIFIED SECURITY MANAGEMENT
Slide 24: Check Point 3D Next-Gen Firewall (the same diagram as slide 23)
Gateway (Power-1): FW & VPN Software Blades, IPS Software Blade, Application Control Software Blade, Identity Awareness Software Blade, Antivirus & Anti-Malware Software Blade, URL Filtering Software Blade, DLP Software Blade
Management (Smart-1): SmartEvent Software Blade (Unified Event Analysis), SmartWorkflow Software Blade (Policy Change Management)
CHECK POINT UNIFIED SECURITY MANAGEMENT
Slide 25: Summary 1, product analysis: be creative and make good use of information; you are not the best.
Slide 26: The Taiwan security gateway market in 2010/11: the economy is recovering strongly, plus Cloud. Build the bridges and roads first, worry about landscaping later ~ switches and routers are OK; security? Firewall! The security market has no new demand, only a wave of replacements and a fight for market share. Firewall: hard to rename; product innovation, integration capability and channels are what decide the winner. Grab!
Slide 27: Summary 2, market analysis: face reality and tell the truth; there is no right or wrong, only timing; the Dihua Street idea of "forming a market by clustering" and "shared prosperity".
Slide 28: Sales support materials
Slide 29: Sales support materials produced by the main competitors in Taiwan. Grab!
Slide 30: Summary 3, sales tools: keep your feet on the ground and do the work; grains of sand pile up into a tower; you may adapt to circumstances, but keep your conscience.
Slide 31: Final summary: conscience, vision, passion, discipline (The 8th Habit, Stephen Covey). Life is impermanent; all dharmas are without self; all feelings are suffering; go with circumstances and be at peace wherever you find yourself ("Happiness and Suffering", His Eminence Rinchen Dorjee Rinpoche).
Slide 32: Thank You