Moti
Admin

Check Point Threat Prevention Packet Flow and Architecture

Check Point Security Gateway Architecture and Packet Flow

Abstract

This document describes the packet flow in a Check Point Next Generation Threat Prevention gateway. Stateful inspection, network and port address translation (NAT), Virtual Private Network (VPN) functions and forwarding are applied per-packet on the inbound and outbound interfaces of the device. State-related information is extracted from packets and maintained in dynamic state tables to evaluate subsequent connection attempts. When possible, throughput and session rate are accelerated by a security acceleration (SecureXL) module.

Session-based processing enforces advanced access control and threat detection and prevention capabilities. To do this we assemble packets into a stream, parse the stream for relevant content and then security modules (Software Blades) inspect the content. When possible, a common pattern matcher does simultaneous inspection of the content for multiple security modules. In multi-core systems this processing is distributed amongst the cores to provide near linear scalability on each additional core.

Security modules use a local cache to detect known threats. This local cache is backed up with real-time lookups of an online cloud service. The results of cloud lookups are then cached in the kernel for subsequent lookups. Cloud assist also enhances unknown threat detection and prevention. In particular, a file whose signature is not known in a local cache is sent to our sandbox cloud service for processing, where compute, disk and memory are virtually unlimited. Our sandboxing technology, SandBlast Threat Emulation, identifies threats in their infancy before malware has an opportunity to deploy and evade detection. If the protocol requires immediate delivery, as is the case with HTTP/S, we extract active content from the file and deliver only safe content to the user while the emulation happens in the background. Newly discovered threats are sent to the cloud database to protect other Check Point connected gateways.

Security is applied at every layer, and networking, policy lookup, protocol decoding, and content security are performed only once.

References

Content for this document came from the following SecureKnowledge articles. More information is available in the SKs.

source: sk116255
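The abstract describes the two paths a packet can take: the first packet of a connection is evaluated against the rulebase and recorded in a dynamic state table, while later packets of a known connection (in either direction) are matched against that table and forwarded on an accelerated path. The following is an added, deliberately simplified model of that flow written for this page; it is not Check Point code and does not reflect the real SecureXL or firewall kernel implementation. The rule format, the 5-tuple state table, the `StatefulGateway` class and the sample packets are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Connection key: (src_ip, dst_ip, src_port, dst_port, proto). A real gateway
# keeps far more per-connection state; this model only needs the tuple.
FiveTuple = Tuple[str, str, int, int, str]


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str          # "tcp" or "udp"
    syn: bool = False   # TCP SYN flag; only meaningful when proto == "tcp"


@dataclass
class Rule:
    """Constructed rule format: exact IP or 'any', optional destination port."""
    src: str
    dst: str
    dst_port: Optional[int]
    proto: str
    action: str         # "accept" or "drop"


@dataclass
class Stats:
    rulebase_lookups: int = 0   # slow-path evaluations against the policy
    fast_path: int = 0          # packets matched in the state table
    drops: int = 0


class StatefulGateway:
    """Hypothetical stateful inspection model: rulebase on first packet, state table afterwards."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.state: Set[FiveTuple] = set()   # dynamic state table of accepted connections
        self.stats = Stats()

    @staticmethod
    def _key(p: Packet) -> FiveTuple:
        return (p.src_ip, p.dst_ip, p.src_port, p.dst_port, p.proto)

    @staticmethod
    def _reverse_key(p: Packet) -> FiveTuple:
        # Reply packets are matched by swapping the endpoints of the original tuple.
        return (p.dst_ip, p.src_ip, p.dst_port, p.src_port, p.proto)

    def _match_rule(self, p: Packet) -> str:
        """Slow path: first-match evaluation of the ordered rulebase."""
        self.stats.rulebase_lookups += 1
        for r in self.rules:
            if (r.src in ("any", p.src_ip) and r.dst in ("any", p.dst_ip)
                    and r.proto == p.proto
                    and (r.dst_port is None or r.dst_port == p.dst_port)):
                return r.action
        return "drop"   # implicit cleanup rule: nothing matched

    def process(self, p: Packet) -> str:
        # Fast path: the connection is already known in either direction, so the
        # rulebase is not consulted again (the work is done once per connection).
        if self._key(p) in self.state or self._reverse_key(p) in self.state:
            self.stats.fast_path += 1
            return "accept"
        # A TCP packet that is not a SYN and belongs to no known connection is
        # out of state; it is dropped without ever reaching the rulebase.
        if p.proto == "tcp" and not p.syn:
            self.stats.drops += 1
            return "drop"
        action = self._match_rule(p)
        if action == "accept":
            self.state.add(self._key(p))   # record the new connection for later packets
        else:
            self.stats.drops += 1
        return action


def run_demo() -> Tuple[List[str], Stats]:
    """Runs a constructed packet sequence through the model and returns verdicts and counters."""
    gw = StatefulGateway([
        Rule("any", "10.0.0.5", 443, "tcp", "accept"),   # constructed: web server
        Rule("any", "any", 53, "udp", "accept"),         # constructed: DNS
    ])
    packets = [
        Packet("192.0.2.10", "10.0.0.5", 40000, 443, "tcp", syn=True),   # new HTTPS connection
        Packet("10.0.0.5", "192.0.2.10", 443, 40000, "tcp"),             # server reply
        Packet("192.0.2.10", "10.0.0.5", 40000, 443, "tcp"),             # client data
        Packet("198.51.100.7", "10.0.0.5", 1234, 443, "tcp"),            # non-SYN, no state
        Packet("198.51.100.7", "10.0.0.5", 1234, 22, "tcp", syn=True),   # SSH: no rule matches
        Packet("192.0.2.10", "10.0.0.9", 5353, 53, "udp"),               # DNS query
    ]
    verdicts = [gw.process(p) for p in packets]
    return verdicts, gw.stats


if __name__ == "__main__":
    v, s = run_demo()
    print(v, s)
```

Of the six constructed packets, only three reach the rulebase (the HTTPS SYN, the SSH SYN and the DNS query); the reply and the data packet are accepted from the state table, and the out-of-state TCP packet is dropped before any policy evaluation. That split between the per-connection slow path and the per-packet fast path is what the abstract's acceleration module exploits.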

4 Replies
Eric_Beasley
Employee

Thank you, this is great information for R77.30 and prior.

Do we have an updated version of this for R80.10 and later with the changes from improved SecureXL handling and Unified Policy elements for Access Control, like Data Awareness?

0 Kudos
Alfred_Trevino
Employee

Moti, awesome info! I second the request for an updated version of the above for R80.10. Thanks!

0 Kudos
Moti
Admin

Thx, I think Bob Bent made one


0 Kudos