Check Point vSEC for VMware NSX: Modern Data Center Security Overview


Check Point and VMware Solution | Solution Brief

Check Point vSEC for VMware NSX


Dynamic orchestration of advanced threat prevention for all data center traffic

VMware NSX is the industry’s leading network virtualization platform that delivers the same benefits to the network that VMware delivered for compute. Virtual networks can be programmatically managed and created on demand. The result is dramatically simplified network and security operations, fast provisioning of networking and security services - from weeks to minutes, and fundamentally better data center security.

Check Point vSEC for VMware NSX delivers advanced threat prevention security for VMware NSX software defined data centers. Designed for the dynamic requirements of VMware NSX deployments, vSEC provides automated security provisioning coupled with the most comprehensive protections. Fully integrated security features include: Firewall, IPS, Application Control, IPsec VPN, Antivirus, Anti-Bot and award-winning SandBlast sandboxing technology.

Centrally managed by the gold-standard in security management, vSEC provides consistent security policy enforcement, full threat visibility across physical and virtual data center network environments.

MODERN DATA CENTER SECURITY OVERVIEW

Organizations today demand an agile data center environment to reduce IT costs, increase business agility and remain competitive. At the same time, integrated applications, increasingly virtualized data centers and dynamic environments have led to a dramatic increase in network traffic going east-west, or laterally within the data center.

When it comes to security, the focus has mainly been on protecting the perimeter, or north-south traffic, going into and out of the data center. There are few controls to secure east-west traffic inside the data center. This presents a security risk where threats can traverse unimpeded once inside the data center.

Traditional security approaches to this problem are manual, operationally complex and slow, and are unable to keep pace with dynamic virtual network changes and rapid virtual application provisioning.

AUTOMATED ADVANCED FOR THE SOFTWARE-DEFINED DATA CENTER

The Software Defined Data Center (SDDC) is defined by three pillars – virtualized compute, virtualized storage and virtualized network, and NSX provides the network virtualization component. NSX provides the equivalent of a hypervisor for the network, and reproduces all networking and security services including switching, routing, firewalling, load balancing, etc., entirely in software.

NSX native security capabilities, automation and extensibility framework are leveraged by Check Point vSEC to dynamically insert, deploy and orchestrate advanced security services inside the Software-Defined Data Center. Network isolation and segmentation inherent to the NSX platform enable feasible micro-segmentation, allowing the SDDC to deliver a fundamentally more secure approach to data security. Policy is enforced at the virtual interface, and security policies follow workloads.

The integration of Check Point vSEC with NSX brings together the best of both worlds - advanced security protection dynamically deployed and orchestrated into a software-defined data center environment.

©2015 Check Point Software Technologies Ltd. All rights reserved. [Protected] Non-confidential content. April 2016

OpenStack Policy

Comprehensive Threat Prevention

vSEC for VMware NSX provides industry-leading threat prevention security to keep data centers protected from lateral movement of threats and the most sophisticated attacks. Fully integrated multi-layer security protections include:

• Stateful Firewall, Intrusion Prevention System (IPS), Antivirus and Anti-Bot technology to protect data centers against lateral movement

• SandBlast Zero-Day Protection sandbox technology provides the most advanced protection against malware and zero-day attacks

• Application Control to help prevent application layer Denial of Service (DoS) attacks and by that protect the software defined data center

• Data Loss Prevention protects sensitive data from theft or unintentional loss

Ubiquitous Security Enforcement

Check Point vSEC integration with VMware NSX allows dynamic insertion of advanced security protection between workloads enabling distributed enforcement at every virtual interface. The integration automates and simplifies the provisioning of vSEC gateways into the NSX virtual fabric to protect east-west traffic from lateral movement of threats enabling feasible micro-segmentation. NSX basic firewalling capability can be extended with Check Point’s vSEC, whose layered security policy approach makes it easy to segment a policy, and provide granular rule definitions specific to network segments.

Auto-Quarantine of Infected Hosts

Hosts identified by vSEC as infected can be automatically isolated and quarantined. This is accomplished by vSEC tagging the infected hosts and sharing this information with the NSX controller. Additionally, automated remediation services can be triggered by an orchestration platform. Threats are quickly contained and the appropriate remediation service can be applied to the infected VM.

Context-Aware Security Policies

The integration with VMware NSX controller and vCenter shares context with the Check Point vSEC controller allowing security groups and VM identities to be imported and reused within Check Point security policies. This reduces security policy creation time from minutes to seconds. Real-time context sharing of security groups is maintained so that any changes or new additions are automatically tracked without the need for administrator intervention. Security protections are dynamically applied to newly created applications regardless of where they are hosted.

Complete Visibility and Control

vSEC for VMware NSX provides consolidated logging and reporting of threats and security events. Check Point logs are further enriched with NSX context including security group tags. Additionally, the Check Point SmartEvent platform provides advanced incident tracking and threat analysis across both the physical and virtual data-center network traffic.

Centralized and Unified Management

Security management is simplified with centralized configuration and monitoring of vSEC. Traffic is logged and can be easily viewed within the same dashboard as other gateways. Security reports can be generated to track security compliance across the data center network. A layered approach to policy management allows administrators to segment a single policy into sub-policies for customized protections and delegation of duties per application or segment. With all aspects of security management such as policy management, logging, monitoring, event analysis and reporting centralized via a single dashboard, security administrators get a holistic view of security posture across their organization.


Automation and Orchestration


Check Point vSEC leverages NSX security automation for dynamic distribution and orchestration of vSEC for protecting east-west traffic.
In the data center environment, there is often a need to integrate different systems that manage the security workflow. Also, repetitive
manual tasks must be automated to streamline security operations. Check Point’s security management API allows for granular privilege
controls, so that edit privileges can be scoped down to a specific rule or object within the policy, restricting what an automated task or
integration can access and change. This ability to automatically provision trusted connectivity provides security teams with the confidence
to automate and streamline the entire security workflow. In addition, predefined Check Point security templates automate the security
of newly provisioned virtual applications.

SOLUTION COMPONENTS
Check Point vSEC gateway
The vSEC gateway provides industry-leading advanced threat prevention security and is deployed into the NSX fabric to prevent
lateral threat movement between applications inside the datacenter.

Check Point Smart Center with vSEC controller


The Check Point vSEC controller integrates with SDN and cloud controllers like the NSX controller. It supports the import of NSX
and vCenter objects, dynamically tracks object changes and allows using NSX security groups in the Check Point security policy
and logs.


VMware NSX fabric and controller


The VMware NSX fabric provides a high performance network virtualization platform for the software-defined data center. The NSX
controller provides centralized configuration and management of the NSX fabric. It allows for advanced network security service insertion
(L4-L7) and automation.

KEY FEATURES AND BENEFITS


• Dynamic insertion and orchestration of Check Point’s advanced threat protection with highest malware catch rates
• Operationally feasible micro-segmentation for east-west traffic protection
• Fine-grained access control policies tied to NSX Security Groups and Virtual Machines
• Unified security management for control and visibility across virtual and physical environments
• Security services provisioned in minutes for fast application deployments
• Shared security context to enable better alignment across security controls
• Isolation and remediation of infected virtual machines
• Network complexity is reduced as well as the need to use multiple VLANs and ACLs inside the data center.

SUMMARY
This joint solution enables enterprises to have fast, simplified provisioning and deployment of Check Point’s advanced security
services in a Software-Defined Data Center, enabling customers to have the same level of security for east-west traffic inside the
data center as Check Point provides at the perimeter gateway. Security teams will be better able to collaborate with network teams
and maintain full control and visibility across both physical and virtual networks.

ABOUT CHECK POINT
Check Point Software Technologies Ltd. (www.checkpoint.com), is the largest pure-play security vendor globally, provides industry-leading solutions, and protects customers from cyberattacks with an unmatched catch rate of malware and other types of attacks. Check Point offers a complete security architecture defending enterprises’ networks to mobile devices, in addition to the most comprehensive and intuitive security management. Check Point protects over 100,000 organizations of all sizes. At Check Point, we secure the future.

ABOUT VMWARE
VMware is a leader in cloud infrastructure and business mobility. Built on VMware’s industry-leading virtualization technology, our solutions deliver a brave new model of IT that is fluid, instant and more secure. Customers can innovate faster by rapidly developing, automatically delivering and more safely consuming any application. VMware has more than 500,000 customers and 75,000 partners. The company is headquartered in Silicon Valley with offices throughout the world and can be found online at www.vmware.com

CONTACT US
Worldwide Headquarters | 5 Ha’Solelim Street, Tel Aviv 67897, Israel | Tel: 972-3-753-4555 | Fax: 972-3-624-1100 | Email: info@checkpoint.com
U.S. Headquarters | 959 Skyway Road, Suite 300, San Carlos, CA 94070 | Tel: 800-429-4391; 650-628-2000 | Fax: 650-654-4233 | www.checkpoint.com
