VMware Cloud Community
slord
Contributor

vShield vs. Check Point Security Gateway VE

We are a large enterprise that uses Check Point firewalls, so ideally, to manage our security in our VMware environments, I would like to use the Check Point security/management products and keep the separation of duties the firewall admins currently have. Has anyone used the Check Point Security Gateway VE in lieu of using the VMware vShield applications? If so, what are your experiences with it?

9 Replies
manythanks
Contributor

Really a no-brainer, slord: compare the vShield FW feature set with a $50 FW you buy at Office Depot ...

(check it for yourself: install, log in and tell us what features of a common FW you have ...)

then compare it with Check Point, send back your thoughts ...

mreferre
Champion

I am wondering if you have a real job other than monitoring this forum to state (and re-state, and re-state) always the same things.

You don't like vShield. Point taken. Understood. Let's move on. Please.

And if you have a real job, I am wondering who pays you to come on this board posting these things.

Massimo.

Massimo Re Ferre' VMware vCloud Architect twitter.com/mreferre www.it20.info
mreferre
Champion

Slord,

On a serious note, consider that vCloud Director is really meant to be able to provide self-service capabilities to the end user. The way you can achieve this is by leveraging the vCD / vShield Edge integration we have built. This way you can create an Edge instance that fronts the organizations you create and let the organization administrators manage the firewall rules. It's all about giving them the power to configure these rules.

If, on the other hand, you want to keep the consumption of IaaS resources separated from the security mechanisms that govern the workloads you deploy within the organizations, you can certainly do that by creating what we refer to as "External Networks". An External Network simply maps a vSphere PortGroup directly, so that you can have that PortGroup/VLAN be protected by your Check Point devices. End users within the organizations will continue to have self-service capabilities to deploy new workloads, but they will have to come to "you" (via a ticket or something) to reconfigure firewall rules. But if that is what you want, that's ok... you can do that.

For completeness of information, the problem may arise when you want to use Check Point AND you want to give organization administrators self-service security. In that case you'd need to create your own orchestrated portal that talks both to the vCloud APIs (vCD) as well as the Firewall APIs, to give the end user in the organization a portal where they can deploy workloads and set firewall rules in self-service mode. Our out-of-the-box portal provides this integration with vShield Edge... and that's the value.

Hope this helps.

Massimo.

slord
Contributor

Thanks Massimo,

The information does help some, but I am looking for someone with some experience with the Check Point VE application, how well it integrated with their Check Point management software and VM deployments, and if they would have any recommendations for others to use it.

manythanks
Contributor

Totally not about anybody's preference or not ...

At first I thought somebody was pulling a joke comparing Check Point to vShield, but because it seems serious, here are

some simple Check Point capabilities:

1. support for more than just 2 interfaces (more than 2 vNICs on VE)

2. support for multiple networks (internal subnet-to-internal subnet communication)

3. stateful inspection

4. RFC compliance and stateful checks per many protocols.

5. naming objects (networks, protocols, services and more...).

6. authentication rules.

7. policy rules with drag-n-drop and 'regular stuff' common to FWs.

8. static routes (you know, this thing that Office Depot firewalls do ...)

9. dynamic routing (some slightly more expensive ones can do RIPv1, for example ...)

10. stateful failover mechanism (you know, when a FW fails, another one is used to still hold the sessions established so applications will not crash)

11. Common Criteria certification (you know, to certify it as a real FW)

vShield Edge with or without the vCloud GUI can do NONE of the above; it is not that someone likes it or not,

it is the truth for an A on the VE vs. VSE question.

btw: 'you can create an Edge instance that fronts the organizations you create' - is totally wrong.
Fact is: 'you must create an Edge instance per each network per each organization; you create multiple ones to front the same ORG'

Slord - VE is just like your normal FW/VPN-1, integrates well into SmartCenter, full OPSEC etc., no issues there, tested and verified by me, ping me for details ...

So, like the VMware response: 'your own orchestrated portal that talks both to the vCloud APIs (vCD) as well as the Firewall APIs (OPSEC)' is what you need (many of them available); you can also talk directly to the vCenter APIs to make it easier to orchestrate.
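Points 3 and 10 in the list above (stateful inspection and stateful failover) are the two that most change how a firewall behaves on the wire. The following is an added illustration, not code from this thread, from Check Point or from VMware: a toy stateless packet filter beside a toy stateful one, plus a session-table replication step that mimics what a stateful failover pair does. The `Packet`, `StatelessFilter` and `StatefulFilter` classes, the 10.1.0.0/16 internal range and every packet tuple are constructed for the example.

```python
"""Stateful inspection vs. stateless filtering, and stateful failover, on constructed packets.

Added example, not code from the forum thread, Check Point or VMware. All classes,
addresses and packets below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # True only on the first packet of a TCP connection
    ack: bool = True


INTERNAL = ip_network("10.1.0.0/16")   # constructed "inside" range


def outbound_policy_allows(pkt: Packet) -> bool:
    """Rule base: internal hosts may open HTTP (port 80) connections to anywhere."""
    return ip_address(pkt.src) in INTERNAL and pkt.dport == 80


class StatelessFilter:
    """ACL-style filtering: each packet is judged on its own header.

    To let HTTP replies back in, it needs a blanket rule 'any:80 -> internal',
    and that rule also admits unsolicited packets that merely use source port 80.
    """

    def allow(self, pkt: Packet) -> bool:
        if outbound_policy_allows(pkt):
            return True
        return pkt.sport == 80 and ip_address(pkt.dst) in INTERNAL


class StatefulFilter:
    """Tracks connections the rule base permitted; reply packets are accepted
    only when they belong to a tracked session."""

    def __init__(self) -> None:
        # (src, sport, dst, dport) of connections whose opening SYN was permitted
        self.sessions = set()

    def allow(self, pkt: Packet) -> bool:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.sessions:
            return True                      # reply traffic for a tracked session
        if key in self.sessions:
            return True                      # further packets of a tracked session
        if pkt.syn and outbound_policy_allows(pkt):
            self.sessions.add(key)           # new connection permitted by policy
            return True
        return False                         # unsolicited or policy-denied

    def sync_to(self, peer: "StatefulFilter") -> None:
        """Replicate the session table to a standby unit (stateful failover)."""
        peer.sessions |= self.sessions


def run_scenario() -> dict:
    """Push a constructed HTTP session and a forged packet through both filters,
    then fail the stateful filter over to a standby with and without state sync."""
    client_syn = Packet("10.1.2.3", 51000, "203.0.113.10", 80, syn=True, ack=False)
    server_reply = Packet("203.0.113.10", 80, "10.1.2.3", 51000)
    # Unsolicited packet using source port 80 so it looks like an HTTP reply
    forged = Packet("198.51.100.7", 80, "10.1.2.3", 445)

    stateless = StatelessFilter()
    active, standby_synced, standby_cold = StatefulFilter(), StatefulFilter(), StatefulFilter()

    active.allow(client_syn)         # session recorded on the active unit
    active.sync_to(standby_synced)   # stateful failover pair: table replicated
    # standby_cold never receives the session table (non-stateful failover)

    return {
        "stateless_reply": stateless.allow(server_reply),              # True: blanket rule
        "stateless_forged": stateless.allow(forged),                   # True: same blanket rule
        "stateful_reply": active.allow(server_reply),                  # True: tracked session
        "stateful_forged": active.allow(forged),                       # False: no session
        "failover_synced_reply": standby_synced.allow(server_reply),   # True: session survived
        "failover_cold_reply": standby_cold.allow(server_reply),       # False: session lost
    }


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:24s} {'ALLOW' if verdict else 'DROP'}")
```

The two `failover_*` results are the point behind item 10: a standby that inherited the session table keeps the established HTTP session alive, while a standby without it drops the server's reply and the application sees its connection die.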

mreferre
Champion

That's pretty much what I was saying. I have never said that Edge is at feature parity with the well known firewall vendors. What I said is whether you want "out-of-the-box integration" or "pick the best technologies available on the market and do the integration yourself".

You talk as if this integration is a piece of cake. You are probably better than everyone out there. I have seen a lot of people investing months (if not years) trying to do that, and still today they are going nowhere (cloud-wise).

manythanks
Contributor

It is possible to orchestrate a best-of-breed cloud, including stuff like bare-metal provisioning etc., and it works well ...

Many of the vCloud Director capabilities are cool (I can list many); the networking and security pieces are just MIA, hope somebody brings them back soon.

mreferre
Champion

I am not arguing you can't do that... I am arguing how much that costs (time- and money-wise).

Also, the provisioning of the hw infrastructure is a piece of the equation (albeit an important one). The multi-tenant support is not trivial, and when you start scripting a traditional orchestration engine to create complex structures such as the "virtual datacenter" (i.e. sharing hw resources among tenants) and things like that... that's where the limits start to show.

As I said multiple times, I am not a security champion, but it's clear that when you have capabilities to run hundreds of customers and thousands of VMs in a single rack, things like VLANs and traditional security hw devices show their limits as well. It's a long journey and I can understand there is a lot of push back from "traditional security" people... (and I am not implying you are a traditional security person.... we don't even know who you are unless you want at some point to introduce yourself).

Some of your points re vShield even make some sense... so you are not all rubbish after all. You just need to be a little bit less obsessed about it. 🙂

Massimo.

slord
Contributor

My thanks to the both of you for responding to my question. I am leaning towards using Check Point VE due to the reasons you have listed, the manageability/integration/experience we have with Check Point, and for separation of duties.

Though it still would be nice to hear some real world experiences from someone using the Check Point VE product.
