
Overview of information security management architecture in Check Point R80.10. Part 1 (Translation)



The exponential growth of data coming from many sources (network, cloud, mobile and virtual systems) brings new threats with it. Organizations must adapt quickly and protect themselves, which demands more powerful, higher-performance security tools. Check Point Infinity, which Check Point describes as the first consolidated security architecture operating across conventional networks as well as cloud and mobile environments, is intended to provide a high level of prevention against both known and unknown targeted attacks, now and in the future.

The Check Point R80.10 management system, part of Check Point Infinity, takes management of a security system to a new level: a single management console provides a simple and effective tool for managing policies and viewing events. Below we take a closer look at the technical features of the new architecture.

R80.10 lets several administrators work concurrently, editing policies and objects on the same management server. Routine tasks can also be delegated to other administrators, which frees you to focus on security monitoring and incident handling.
A unified policy lets an organization express its security requirements as a single, simple set of rules, which simplifies policy administration and compliance across the organization. Policy Layers split a policy into independent segments that can be managed and automated separately.
R80.10 also improves overall management performance through orchestration. The Automation API, exposed as the R80.10 Management API (mgmt_cli, a REST-style web API and the SmartConsole command line), lets workflows be automated so that security services stay consistent with IT processes and systems.

Main components of the R80.10 management server




SmartConsole


Check Point R80.10 is managed with the new SmartConsole application, which brings the following tasks into one application:

  1. Policy management
  2. Log analysis
  3. Health monitoring
  4. Multi-Domain Management

R80.10 SmartConsole offers a number of conveniences that increase productivity; for example, you can switch easily between viewing the change log and editing policies. SmartConsole communicates with the management server on TCP port 19009.

Some Check Point blades still use the legacy services to communicate with the client side: FWM and the CPMI API on TCP port 18190.

Check Point R80.10 Management Server Software Processes




For more information about Check Point software processes, see sk52421.

R80.10 Management Server Database


The new database architecture of the R80.10 management server is what makes several new features of day-to-day administration possible:

  1. Database sessions let multiple administrators work concurrently in one management domain without conflicts.
  2. Database revisions provide a history of changes and speed up many operations, such as policy installation and Management High Availability synchronization.
  3. Database domains are used in both Security Management Server (SMS) and Multi-Domain Server (MDS) deployments and improve the performance of global policies, Threat Prevention updates and Application Control updates.

Database Sessions


In R80.10 several administrators can work in SmartConsole on the same domain and the same policies at the same time. To avoid configuration conflicts, all work is done inside sessions, as shown in the diagram below.



Each session is private and isolated: changes made in it are invisible to other administrators until they are published. An object that one administrator is editing is locked for everyone else, and the others can see who holds the lock, which helps administrators coordinate work on shared objects. Once changes are published they become visible to all administrators, and only published data is sent to the gateways when a policy is installed.

Every change is saved immediately in the management server database, so work is not lost if the client or server shuts down unexpectedly. An administrator can discard the changes made in a session and start a new one, and administrators with the appropriate permissions can open and take over the sessions of other administrators.
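As an added example (not from the original article and not Check Point's code), here is the session model described in this section driven through the Management API mentioned earlier: every command is an HTTPS POST to /web_api/<command> with a JSON body, and the session id returned by login is sent back in the X-chkp-sid header. The management server hostname, the administrator credentials and the host objects are assumptions; StubMgmtServer is a constructed stand-in that mimics the private-session, publish, discard and lock behaviour so the flow runs offline, and its error responses are its own, not the real API's.

```python
"""Added example (not Check Point code): a minimal R80.10 Management API
client plus a constructed in-memory server that models session semantics."""
import json
import urllib.request


class MgmtClient:
    """Each command is an HTTPS POST to /web_api/<command> with a JSON body; the
    session id returned by login is sent back in the X-chkp-sid header.
    `post(path, headers, body) -> dict` is the transport, real or stub."""

    def __init__(self, post):
        self._post, self.sid = post, None

    def call(self, command, payload=None):
        headers = {"Content-Type": "application/json"}
        if self.sid is not None:
            headers["X-chkp-sid"] = self.sid
        return self._post("/web_api/" + command, headers, payload or {})

    def login(self, user, password):
        resp = self.call("login", {"user": user, "password": password})
        self.sid = resp["sid"]            # from here on, a private session
        return resp


def https_transport(server):
    """Transport for a real server (hostname assumed); trust its CA, never disable TLS checks."""
    def post(path, headers, body):
        req = urllib.request.Request("https://" + server + path, method="POST",
                                     data=json.dumps(body).encode(), headers=headers)
        with urllib.request.urlopen(req) as resp:
            return json.loads(resp.read())
    return post


class StubMgmtServer:
    """Constructed stand-in: published objects are shared, unpublished edits exist
    only in their own session, and an object edited in one session is locked for
    every other session. Error shapes below are the stub's own, not the real API's."""

    def __init__(self):
        self.published = {}   # name -> object; what everyone and policy install see
        self.sessions = {}    # sid -> {"user": ..., "pending": {name: object}}
        self.locks = {}       # name -> sid holding the lock

    def post(self, path, headers, body):
        command = path.rsplit("/", 1)[1]
        if command == "login":
            sid = "sid-%d" % (len(self.sessions) + 1)
            self.sessions[sid] = {"user": body["user"], "pending": {}}
            return {"sid": sid}
        sid = headers.get("X-chkp-sid")
        if sid not in self.sessions:
            raise PermissionError("missing or stale X-chkp-sid")
        pending = self.sessions[sid]["pending"]
        if command == "add-host":
            name, holder = body["name"], self.locks.get(body["name"])
            if holder is not None and holder != sid:
                return {"code": "locked", "locked-by": self.sessions[holder]["user"]}
            self.locks[name] = sid
            pending[name] = {"type": "host", "name": name, "ip-address": body["ip-address"]}
            return dict(pending[name])
        if command == "show-host":
            obj = pending.get(body["name"]) or self.published.get(body["name"])
            return dict(obj) if obj else {"code": "generic_err_object_not_found"}
        if command == "publish":
            self.published.update(pending)
            return self._release(pending, {"task-id": sid + "-publish"})
        if command == "discard":
            return self._release(pending, {"number-of-discarded-changes": len(pending)})
        raise ValueError("stub does not implement " + command)

    def _release(self, pending, resp):    # publish and discard both free the locks
        for name in pending:
            self.locks.pop(name, None)
        pending.clear()
        return resp


def demo():
    """Two administrators in one domain; returns what each could observe."""
    server = StubMgmtServer()
    alice, bob = MgmtClient(server.post), MgmtClient(server.post)
    alice.login("alice", "constructed-pw")
    bob.login("bob", "constructed-pw")
    alice.call("add-host", {"name": "web-01", "ip-address": "10.0.0.10"})      # sample object
    before = bob.call("show-host", {"name": "web-01"})                          # not visible yet
    clash = bob.call("add-host", {"name": "web-01", "ip-address": "10.0.0.99"}) # name is locked
    alice.call("publish")
    after = bob.call("show-host", {"name": "web-01"})                           # visible now
    bob.call("add-host", {"name": "db-01", "ip-address": "10.0.0.20"})
    discarded = bob.call("discard")["number-of-discarded-changes"]
    return {"visible_before_publish": "ip-address" in before,
            "locked_for_bob": clash.get("code") == "locked",
            "visible_after_publish": after.get("ip-address"),
            "bob_discarded": discarded}
```

Against a real server you would construct the client as `MgmtClient(https_transport("mgmt.example.internal"))` and the same calls apply; `demo()` runs the whole exchange against the stub and shows that Bob cannot see or touch web-01 until Alice publishes, and that his own discarded change never becomes visible to anyone.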

Database Domains


In R80.10 the management configuration is stored in a PostgreSQL database, and that data is divided into several database domains. Two terms need to be distinguished:

  1. Database Domains are segments of the PostgreSQL database in which data is stored, on both a Security Management Server (SMS) and a Multi-Domain Server (MDS).
  2. Multi-Domain Domains are logical domains that administrators create on a Multi-Domain Server (MDS) to manage different parts of an organization's network.

Types of database domains




User Domain - stores the configuration of objects that administrators modify, such as network objects and security policies.
Data Domains - R80.10 has several data domains:

  1. Default Data Domain - contains the network objects and services that exist by default.
  2. Threat Prevention Domain - stores updates for the Threat Prevention blades.
  3. Application Control Domain - stores updates for the Application Control blade.

The contents of the Data Domains change only through updates downloaded from Check Point.
System Domain - contains administrators, permission profiles and management settings.

Log Domain - stores the configuration for logs, which are generated automatically and served to administrators on request.

Global Domain - stores the configuration of Global Policies and Global Objects. This domain exists only in a multi-domain management configuration.

Peer Domains


Building a security policy requires data from several domains, so some domains must know about and share their data with other domains. Such domains are peers of each other.

In a multi-domain environment the Global Domain is a peer of the User Domains. Peering the domains removes the need to copy all global objects into each user domain, which improves performance and scalability.

Domains in multi-domain environment


In a multi-domain environment each management domain (also known as a Customer) is represented by its own database domain of type User Domain. Each of the other database domain types exists once, both in a multi-domain environment and on a regular management server. This separation inside a single database has several advantages:

  1. Separation of user domains. Storing each management domain in its own database domain keeps their data fully separate. User Domains are not peers of each other, so their data cannot be shared.
  2. Improved Global Policy assignment. Before R80.10, assigning a global policy copied every global object into the domain's database (the domain's $FWDIR/conf directory). In R80.10 the assignment operation simply points the user domain at a revision of the Global Domain.
  3. Improved Threat Prevention updates in multi-domain environments. When an administrator updates the Threat Prevention domain, the update is applied only to the domain it is associated with; the administrator chooses the domain in which the update revision is applied, and a Threat Prevention rollback reverts only that domain, not the whole database.

Multi-Domain Server data (administrators, permission profiles, trusted clients, server configuration, management domains and domain servers) is stored in the System Domain, which allows this data to be managed in parallel on all MDS servers.

Database Revisions


In versions earlier than R80.10, revisions were stored on the management server as backups for use after a failure, and each revision was a complete copy of the database. R80.10 builds revision creation into the database itself: every time changes are published to the management server, a new database revision is created and saved automatically, and each revision contains only the changes since the previous one. This saves disk space and makes revisions quick to create, and several new management features are built on it:

  1. Faster policy installation, using the differences between the installed revisions.
  2. More efficient Management High Availability synchronization, based on the changes made since the previous sync.

The following charts illustrate the process of creating database revisions over time:

Database Revisions



Database Revisions and Peer Domains



In this example:

The Assign Global Policy operation created revision 4 in the user domain and pointed it at revision 1 of the Global Domain. The publish that created revision 2 in the Global Domain was not visible in the user domain until the global policy was reassigned; the reassignment updated the user domain to point at the latest revision (2) of the Global Domain.

The same mechanism is used for Threat Prevention and Application Control updates: each update creates a new revision in the corresponding Data Domain, and the user domain is pointed at that revision. In a multi-domain environment each user domain can be aligned with its own revision of the Global Domain or Data Domain.
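To make the delta-revision mechanism and the peer-domain pointer concrete, here is an added example (a constructed model, not Check Point's code or database schema): each domain is an append-only chain of deltas, a User Domain references the Global Domain by revision number instead of copying its objects, and a policy install only needs the difference between two revisions. The object names and addresses are constructed; the walkthrough replays the revision numbers from the example above.

```python
"""Added example (constructed model, not Check Point code): delta revisions
and a User Domain that references its Global Domain by revision number."""
import copy


class Domain:
    """Append-only revision chain for one database domain. Revision N holds
    only what changed since N-1 (objects set or deleted) plus the Global
    Domain revision this domain is aligned to; full state is recovered by
    replaying the deltas, so each revision costs only what it changed."""

    def __init__(self, name):
        self.name = name
        self.revisions = []            # revisions[i] is revision i+1

    @property
    def head(self):
        return len(self.revisions)

    def publish(self, changed=None, deleted=(), global_rev=None):
        if global_rev is None and self.revisions:
            global_rev = self.revisions[-1]["global_rev"]   # pointer carries forward
        self.revisions.append({"set": dict(changed or {}), "del": tuple(deleted),
                               "global_rev": global_rev})
        return self.head

    def state(self, revision=None):
        """Object table as of `revision` (default head), built by replaying deltas."""
        objs = {}
        for delta in self.revisions[:revision]:
            objs.update(copy.deepcopy(delta["set"]))
            for name in delta["del"]:
                objs.pop(name, None)
        return objs

    def global_rev_at(self, revision=None):
        revision = self.head if revision is None else revision
        return self.revisions[revision - 1]["global_rev"] if revision else None


class UserDomain(Domain):
    """A User Domain peered with a Global Domain: global objects are looked up
    through the pinned revision number and are never copied into this domain."""

    def __init__(self, name, global_domain):
        super().__init__(name)
        self.global_domain = global_domain

    def assign_global_policy(self):
        """Assign Global Policy: a new user-domain revision that moves the
        pointer to the Global Domain's current head (no objects are copied)."""
        return self.publish(global_rev=self.global_domain.head)

    def effective_state(self, revision=None):
        """What a policy install at `revision` sees: the pinned Global Domain
        revision overlaid with this domain's own objects."""
        pointer = self.global_rev_at(revision)
        merged = self.global_domain.state(pointer) if pointer else {}
        merged.update(self.state(revision))
        return merged


def install_diff(domain, installed_rev, target_rev):
    """Only the objects that differ between two revisions need to reach the gateway."""
    old, new = domain.effective_state(installed_rev), domain.effective_state(target_rev)
    return {"added": sorted(n for n in new if n not in old),
            "changed": sorted(n for n in new if n in old and new[n] != old[n]),
            "removed": sorted(n for n in old if n not in new)}


def walkthrough():
    """The scenario from the text with constructed objects: user revisions 1-3,
    assign (rev 4 -> global 1), a global publish (global 2), reassign (rev 5 -> global 2)."""
    g = Domain("Global")
    g.publish({"g_dns": {"type": "host", "ip": "10.10.0.53"}})     # global rev 1
    u = UserDomain("Customer-A", g)
    u.publish({"web-01": {"type": "host", "ip": "10.0.0.10"}})     # user rev 1
    u.publish({"db-01": {"type": "host", "ip": "10.0.0.20"}})      # user rev 2
    u.publish({"web-01": {"type": "host", "ip": "10.0.0.11"}})     # user rev 3 (edit)
    u.assign_global_policy()                                       # user rev 4 -> global 1
    g.publish({"g_ntp": {"type": "host", "ip": "10.10.0.123"}})    # global rev 2
    stale = u.effective_state()                                    # still pinned to global 1
    u.assign_global_policy()                                       # user rev 5 -> global 2
    return {"user_head": u.head,
            "pointer_after_assign": u.global_rev_at(4),
            "sees_ntp_before_reassign": "g_ntp" in stale,
            "pointer_after_reassign": u.global_rev_at(5),
            "sees_ntp_after_reassign": "g_ntp" in u.effective_state(),
            "objects_stored_in_rev3": len(u.revisions[2]["set"]),
            "install_delta_4_to_5": install_diff(u, 4, 5)}
```

Two points the model makes visible: revision 3 stores a single object even though the domain holds several, which is the disk-space saving the text describes, and the install delta from revision 4 to 5 is just the one new global object, which is why installing from revision differences is faster than pushing the whole policy.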

Examples of the use of revisions


Case #1: a problem appeared after a policy was installed (loss of connectivity or a security error).

Solution:

  1. Open Security Policies > Installation History.
  2. In Installation History, select the latest known-good policy and choose Install specific version.
  3. Once the gateway is back on a known-good policy, review the changes recorded in each of the intervening management revisions to find the cause.

Case #2: network problems after a Threat Prevention update was downloaded and installed on the gateways.

Solution: in Threat Prevention > Updates, select a known-good Threat Prevention update and install it.

Case #3: the configuration must be restored to a specific point in time. Normally this is done by restoring from a backup, but that loses all work done since the backup was taken.

Solution: use the Revert Policy operation. It rolls the policy back to its state at the chosen point in time, but it does not roll back object properties.

This concludes our look at the changes to the storage architecture in R80.10 and the possibilities those changes open up.
To be continued…

Original article.

If you are interested in courses or articles about Check Point, you can subscribe to our VKontakte group and to the group of our colleagues at TS Solution.

Source: https://habr.com/ru/post/353566/

