topic Re: In which cases would you use VSX? in General Topics

In which cases would you use VSX?

AlekseiShelepov — Wed, 24 Jan 2018 16:28:26 GMT

Hello everyone.
I would like to hear your opinion and thoughts on the following topic.

Under which conditions the use of VSX on a cluster would really improve things? When would you prefer to use VSX over a usual setup? In other words, where is the line after which you decide "ok, this must be a VSX setup"?

The reason why I am thinking about this is that I cannot really see a lot of options for myself to use a VSX. I believe that in many usual cases adding VSX would just complicate things. VSX has some limitations, there are some additional things to be taken care of during operations like upgrades or migration, it should require additional hardware resources, as well as additional training of administrators.

Of course, VSX can bring several positive effects, which could weight out everything else (cost saving, flexibility, ease of adding new firewalls). But in my opinion this would work for only very few specific cases.

I can see two options when most probably I would use VSX:

1. One of the cases when VSX could be preferable is when your company is a service provider and needs to support similar services for many customers. It would mean the you need to have many similar firewalls in the same data center, but they also must be separated from each other - own policies and objects, administrators, logs, etc.

So, many similar firewalls for different customers, separated from each other. It will help to minimize cost and time for adding a new customer to the environment.

2. The second case is when you are working in a quite big company which has multiple appliances for different purposes - external/perimeter firewall, VPN and mobile access appliance, internal firewall, separate firewall for server networks, etc.

One company with multiple firewalls for different purposes. It most probably would save quite a lot of money on appliances and their support contracts and would add possibilities to create VS for new purposes without big changes.

But would it be better to use VSX for a new VPN-only gateway for example? Or when you have only external and internal firewalls in your network? What about when you replace your old almost end-of-life internal firewall to a new cluster and besides of that there is only a separate VPN gateway?

Re: In which cases would you use VSX?

Vladimir — Wed, 24 Jan 2018 16:47:06 GMT

One case where I would consider using VSX is where your Perimeter Firewall (Virtual System) is configured in Bridge Mode and has no IPs on its External and Internal interfaces and your Internal Firewall is addressable.

Deploying systems in this configuration allows you to drop a lot of junk before it reaches system that needs to process viable traffic.

Additionally, you have the ability to split IPS policies between different OSes (more applicable to r77.XX), as well as dynamically adjust number of cores (instances) dedicated to protecting particular segments of your network.

With R80.XX concurrent administration, the case for VSX becoming less prevalent than before, but it is still a compelling option when you protecting different entities of parent organization that sharing same hardware.

I would not recommend using VSX on anything smaller than 15000 series appliances where core count is sufficient to warrant it.

The administration overhead is definitely noticeable as are the limitations and the elevated risk of SNAFUs affecting multiple gateway instances.

Option of utilizing Open Platform VMs (with pre-allocated CPUs, RAM, Storage and dedicated NICs) should be weighted against that of VSX when choosing solution suitable for your organization.

Regards,

Vladimir

Re: In which cases would you use VSX?

Kaspars_Zibarts — Wed, 24 Jan 2018 21:39:42 GMT

It's been love and hate relationship with VSX for over 12 years now.. Stated on Nokia IP appliances, went though Crossbeam X series, then more modern days of CP high end appliances and finishing with 40k chassis. Two fairly sized but completely different enterprise networks - so it's case 2 so to say.

Upgrades used to be a big hassle. Especially in early days. But last two releases been noticeable improvement. Especially 77.30 to 80.10. Yes you're absolutely correct, planning upgrades is tougher as it may affect the whole datacenter if not all business. But in last 5 years I cannot recall a single upgrade that would have caused a major disturbance because of VSX. So in some ways it has been a "risky" win situation as you only had to upgrade one or two platforms instead of multiple clusters.

What's really good about VSX is ability to deploy new firewalls literally in the blink of an eye. We actually went through a fairly big network update and this part helped us heaps to save time, effort and $$$.

Downside is always going to be certain limitations - not all bells and whistles that are available on the latest regular gateway will be able fully available on VSX. But then again it is getting better and better with every release.

Yes, you will need powerful HW to run VSX. Lots of CPU cores and memory.

Administration overhead.. I don't notice it that much after 12 years

If you have only two firewalls/clusters I would probably stay away from VSX as you would not get return for your money.

Re: In which cases would you use VSX?

Maarten_Sjouw — Fri, 26 Jan 2018 08:06:27 GMT

As an MSP, we run several different setups with VSX, most are perimeter VS'es per customer. Next to that we have a few customer that run different VS'es for different functions, like Dev/test, acceptance and a Guest network. Another customer is a holding with 3 companies that use the same perimeter hardware but with a VS per company.

So you can really say we run all kinds of setups with VSX.

The biggest hassle is how you have a mix and match on the management side, when you need to move to a different version or another management server, all connected CMA's need to be moved in one go. You also need to be very aware of what you are doing here as there is a lot of different parameters that need to be adjusted during the move.

Regards, Maarten.

Re: In which cases would you use VSX?

Philip_W1 — Fri, 26 Jan 2018 08:28:15 GMT

I used to work in a company that (like Maarten) hosted VSes per customer in a Datacenter. In another case, I deployed a VSX with 2 VSes because the customer had 2 separate environments (company network vs iot)

Another customer was hosting his own (electronics retail) website and once got DDOS'ed, which not only took down the website but the whole firewall and thus the company. He was considering migrating to VSX to be able to separate his website networks from the other company networks, so in case of another attack only the website's VS would go down. Never implemented due to 'other important projects' though.

Re: In which cases would you use VSX?

AlekseiShelepov — Fri, 26 Jan 2018 22:46:55 GMT

That's an interesting idea - DDoS resiliency. Would it really work in that way though? Have you maybe tested it somehow?

I would expect that a DDoS attack still affects performance of the whole device. In theory, if you have an appliance with 2 VSX, it could be that only cores and interfaces assigned to only one VS are fully loaded with this garbage traffic and other ones function normally. Not sure how it would affect RAM and HDD. Looks quite plausible, but I still have doubts.

Re: In which cases would you use VSX?

Kaspars_Zibarts — Sat, 27 Jan 2018 07:34:23 GMT

It would work as long as you set up CoreXL correctly and separate cores for each VS. By default in R77 all VSes would share all available cores. So it can be tricky depending on number of cores you have. Memory is not such a big issue in R80 as VSes run 64bit kernel each in own RAM space. So as long as you have enough RAM for all tenants on the box it should be ok. We've seen it in practice - not because we were ddosed but some other "unexpected" internal traffic

Re: In which cases would you use VSX?

Oliver_Fink — Mon, 29 Jan 2018 10:07:13 GMT

For me VSX seems to be very useful when implementing microsegmentation. You gain flexibility in building new firewalls regarding "provisioning", "installation" and "network cabeling". Such, you are able to build new firewalls for different segments or security domains with little effort and on short notice.

You can stay with one hardware platform for all different performance requirements for the gateways and balance the load via VSLS.

Re: In which cases would you use VSX?

AlekseiShelepov — Mon, 29 Jan 2018 13:23:05 GMT

How "micro" is your microsegmentation?

Could you elaborate a little bit more on what segments could be in your case? Something like I mentioned in the second case for my initial message or like in this comment? I try to understand when you decide that one firewall could be connected to 10 networks with different purposes (users, servers, printing, VoIP, etc.) and when it must be two separate VS, for example.

What series of appliances you are using for VSX? Some very powerful ones, or 5000 series too?

Re: In which cases would you use VSX?

Oliver_Fink — Tue, 30 Jan 2018 12:33:09 GMT

It is a first step from a flat firewall infrastructure with one gateway towards micro segmentation. We did it at a customer of us, a media company. One challenge was that endpoints – mainly this of journalists – have to be considered insecure for the future – even more if the access via wlan. Such we decided to build on "external" firewall to control outgoing traffic and to be a first "wave-breaker" for incoming connections. Behind that we built 3 main firewall gateways: one data center firewall to protect the crown jewels of the customer, one dmz firewall with several zones with different kinds of services of services and one client firewall to separate different security levels of client endpoints, to host the terminal servers and to connect branch offices. Furthermore we implemented a vpn and remote access firewall inside one of the dmzs.

As far as I know the customer implemented one more virtual system after the end of the implementation project I was involved in. That was the plan: to gain the flexibility to do that if the need for an additional firewall gateway rises. But at the moment, I do not know what this special firewall gateway is used for.

On network level we tried to suppress any routing between any network segments behind the firewalls, so we are leading all traffic through the firewalls. Traffic from the client networks has normally to pass 2 firewalls concentrating on different key aspects, first the client firewall and after that the dc, dmz or external firewall. This enables clean policy structures for the different purposes and such reduces errors on osi layer 8.

The customer insisted upon using open server. So we used 3 IBM/Lenovo x3650 with 16 processors and 32 GB of RAM and several 10 GE interfaces.

Re: In which cases would you use VSX?

AlekseiShelepov — Tue, 30 Jan 2018 13:16:22 GMT

Many thanks for such detailed and clear response.

Re: In which cases would you use VSX?

Alex_Rozhko — Sat, 10 Mar 2018 02:40:49 GMT

can you elaborate more on your statement : "If you have only two firewalls/clusters I would probably stay away from VSX as you would not get return for your money"

Re: In which cases would you use VSX?

Alex_Rozhko — Sat, 10 Mar 2018 02:46:11 GMT

VSX very cool term, what is the difference between VSX and built in micro-segmentation using sub-interfaces?

Re: In which cases would you use VSX?

Kaspars_Zibarts — Sat, 10 Mar 2018 06:56:45 GMT

I meant to say if for example you had regular external and internal firewall clusters, then converting that to VSX and not adding more virtual gateways would be wasted money and also loosing some functionality as not every feature that's available in regular gateway works in VSX. The only compelling reason I can see physical limitations of datacenter, when you cannot have 4 appliances but 2 still fit in the rackspace...

Re: In which cases would you use VSX?

Vladimir — Sat, 10 Mar 2018 14:08:42 GMT

VSX allows to to have logical segregation of the Virtual Gateways. Each one of the VS' can have its own policy package administered by different people,serving different group of users and protecting different networks. Multi tenant environments are the simplest example of such utilization.

Re: In which cases would you use VSX?

Alex_Rozhko — Sun, 11 Mar 2018 01:15:15 GMT

I understand, but isn't same can be accomplished with sub-interfaces?

Re: In which cases would you use VSX?

Vladimir — Sun, 11 Mar 2018 02:51:50 GMT

You cannot have different policies for different sub/interfaces of single gateway or cluster. Only one policy package could be enforced on non-VSX appliance or cluster.

This policy package will have same administrators and thus is not suitable for multi tenant implementation or segregation by security domains.

Vladimir Yakovlev

973.558.2738

vlad@eversecgroup.com

Re: In which cases would you use VSX?

Alex_Rozhko — Sun, 11 Mar 2018 04:03:14 GMT

Even if you define each sub-interface as zone? With its own spoofing, rules, etc..?

Re: In which cases would you use VSX?

AlekseiShelepov — Sun, 11 Mar 2018 12:26:33 GMT

Zones are not necessary in Check Point policies. You have different spoofing group for each interface without VSX. But you cannot install two policy packages on one logical gateway. You cannot connect one logical gateway to several domain management servers to have totally separate management databases (rules, objects, admins) for each customers/zones. You cannot have different blades enabled/disabled for different customers/zones. You cannot have different routing tables.

This is why we need VSX - we can have several logical systems on one physical device. So, you could have one VS in bridge mode with firewall doing some Geo Policies and checking traffic by IPS. You could have another VS with very strict firewall rules for one part of network, with enabled Anti-Virus, Anti-Bot, Application control blades. You can have another VS for Mobile Access blade. One VS for Customer-1 and one VS for Customer-2 separated from each other.

VSX is needed not for segmentation of just network, but for segmentation of bigger entities - functions, customers, zones (as in production traffic zone, test traffic zone, etc.).

Re: In which cases would you use VSX?

HeikoAnkenbrand — Mon, 12 Mar 2018 18:16:38 GMT

I would use VSX on R77.30 to use more VPN cores. Used this often on 23K or 61K systems. With R80.10 this doesn't matter any more, because it is MultiCore capable.