Friday, February 27, 2009

An Overview of Checkpoint VSX

Why Virtual Firewalls?

With recent advances in architecture and storage capacity, virtualization is at its peak. Servers, routers, and even workstations are being virtualized in an effort to consolidate and share resources. Data centers are shrinking to the point where many companies find it more beneficial to lease a couple of racks from a Network Operations Center (NOC) than to spend money building out a dedicated data center.

But traditionally, firewalls are placed at a company's perimeter, and layering is usually achieved by mixing vendors. So how does firewall virtualization help? The answer lies in multi-tenant environments like ISPs, NOCs, Managed Security Service Providers (MSSPs), and college campuses. Virtual firewalls work well in these environments: an ISP can bundle security services into its management packages as a customizable option, and a college campus can segment student and administrator traffic on one gateway. In the past, a global firewall policy was applied to all (or most) customers: one throat to choke, one firewall to rule them all, the master key to all doors. I hope you see where I'm going with this by now. ISPs are buying one beefy system and segmenting resources, policies, and interfaces (or VLANs) per customer at a tremendous cost savings over stand-alone appliances. This saves on rack space, power utilization, maintenance, and TCO.

The first virtual firewall platform we are going to look at is possibly the most robust. Crossbeam Systems' X-Series appliance is designed for heavy redundancy: dual backplanes and power supplies, along with redundant management, interfaces, and applications. Applications run on APM cards (Application Processor Modules), each hosting a VAP (Virtual Application Processor) that consists of an OS, system software, and the applications that run concurrently. Multiple APMs can be added to a VAP group for load balancing. All of this is controlled by the CPM (Control Processor Module), which manages and stores all global configuration, and the NPM (Network Processor Module) assigns traffic flows to the VAPs. This makes a Crossbeam X-Series the perfect candidate for hosting VSX. Checkpoint's own Power-1 appliance boasts throughput statistics comparable to the X-Series but does not have the redundancy necessary to support large implementations like ISPs.

Each virtual firewall, known in VSX as a Virtual System, acts as a separate firewall. The gateway decides which Virtual System will handle a packet based on VLAN-tagged interfaces (bridge mode) or on routing. Interfaces can be dedicated to one Virtual System or shared among several, including the management interface. As you will learn in future articles, this is very different from many of the other virtual firewall products, which make each virtual firewall look like a stand-alone entity.

Each Virtual System maintains its own state tables, security policy, VPNs, logging, and configuration settings. Virtual Routers route traffic between Virtual Systems and to or from shared resources (a DMZ) or shared interfaces. A Virtual Switch can also be configured to provide connectivity between Virtual Systems; it maintains its own ARP table.

Warp Links establish a point-to-point connection between a Virtual Switch or Virtual Router and a Virtual System. Each end of the link is a virtual interface: wrp<n> on the Virtual System side and wrpj<n> on the Virtual Switch or Virtual Router side.

Unlike some other virtual firewall products, VSX also supports overlapping IP address space, since each Virtual System maintains its own ARP and routing tables.
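To make the dispatch model in the last three paragraphs concrete, here is a small added Python model of how a VSX-style gateway picks a Virtual System from the VLAN tag on a shared interface and then lets that Virtual System apply its own rulebase, state table, and routing table. This is illustration code written for this page, not Check Point code; the two customer Virtual Systems, their VLAN IDs, the interface names (eth1.100, eth1.200, wrp1, wrp2) and the sample frames are all constructed for the example.

```python
"""Toy model of VSX-style dispatch: one gateway, several Virtual Systems.

Added illustration only; this is not Check Point code. The Virtual System
is selected by the 802.1Q VLAN tag on a shared physical interface, and each
Virtual System then applies its own rulebase, state table and routing table,
which is why two Virtual Systems can both carry 10.0.0.0/24.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Route:
    prefix: IPv4Network
    out_iface: str  # a VLAN sub-interface or a warp link such as wrp1 (assumed names)


@dataclass
class VirtualSystem:
    name: str
    routes: List[Route] = field(default_factory=list)
    rules: List[Tuple[IPv4Network, IPv4Network, str]] = field(default_factory=list)
    state: Set[Tuple[str, str, int, int]] = field(default_factory=set)

    def route(self, dst: IPv4Address) -> Optional[Route]:
        """Longest-prefix match against this Virtual System's own routing table."""
        matches = [r for r in self.routes if dst in r.prefix]
        return max(matches, key=lambda r: r.prefix.prefixlen, default=None)

    def rulebase(self, src: IPv4Address, dst: IPv4Address) -> str:
        """First-match rulebase with an implicit cleanup rule (drop)."""
        for s, d, action in self.rules:
            if src in s and dst in d:
                return action
        return "drop"


@dataclass
class Frame:
    vlan: int
    src: str
    dst: str
    sport: int
    dport: int


class VsxGateway:
    def __init__(self) -> None:
        self.by_vlan: Dict[int, VirtualSystem] = {}

    def attach(self, vs: VirtualSystem, vlan: int) -> None:
        """Bind a VLAN tag on the shared physical interface to one Virtual System."""
        self.by_vlan[vlan] = vs

    def handle(self, f: Frame) -> Tuple[Optional[str], str, Optional[str]]:
        """Return (virtual system name, verdict, egress interface) for one frame."""
        vs = self.by_vlan.get(f.vlan)
        if vs is None:
            return (None, "drop", None)  # unknown tag: no Virtual System owns it
        src, dst = ip_address(f.src), ip_address(f.dst)
        key = (f.src, f.dst, f.sport, f.dport)
        if key in vs.state:  # existing connection: state check, no rulebase lookup
            verdict = "accept"
        else:
            verdict = vs.rulebase(src, dst)
            if verdict == "accept":
                vs.state.add(key)  # state lives in this Virtual System only
        if verdict != "accept":
            return (vs.name, "drop", None)
        r = vs.route(dst)
        if r is None:
            return (vs.name, "no-route", None)
        return (vs.name, "accept", r.out_iface)


def build_demo() -> VsxGateway:
    """Two customers with the identical RFC 1918 space (constructed sample data)."""
    inside = ip_network("10.0.0.0/24")
    anywhere = ip_network("0.0.0.0/0")
    cust_a = VirtualSystem("cust_a",
                           routes=[Route(inside, "eth1.100"), Route(anywhere, "wrp1")],
                           rules=[(inside, anywhere, "accept")])
    cust_b = VirtualSystem("cust_b",
                           routes=[Route(inside, "eth1.200"), Route(anywhere, "wrp2")],
                           rules=[(inside, inside, "accept")])  # internal traffic only
    gw = VsxGateway()
    gw.attach(cust_a, 100)
    gw.attach(cust_b, 200)
    return gw


if __name__ == "__main__":
    gw = build_demo()
    for vlan in (100, 200, 300):
        print(vlan, gw.handle(Frame(vlan, "10.0.0.5", "198.51.100.7", 40000, 443)))
```

The same source and destination pair, 10.0.0.5 to 198.51.100.7, is accepted and routed out wrp1 when it arrives tagged for customer A, dropped by customer B's tighter rulebase when tagged for customer B, and dropped outright on a VLAN no Virtual System owns. Because the state table belongs to the Virtual System rather than the gateway, the connection customer A opened is invisible to customer B, which is the property the overlapping-address support depends on.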

VSX licenses are purchased in blocks of 10, 25, 50, 100, or 250 Virtual Systems and can be pretty pricey compared to other virtual firewall products.

Setup is fairly painless. A VSX wizard walks you through it, and cluster options are available from the wizard as well, which eases the hassle of designing an HA environment. Troubleshooting is done in typical Checkpoint style: SmartView Tracker combined with a series of "fw" commands gives you all the info you need, as long as you remember that most of those commands report on the Virtual System context you are currently in (switched with vsenv), not on the whole gateway.

With regard to support, Checkpoint has released several hotfixes to address known VSX issues involving VPNs, asymmetric routing, and disappearing routing tables. That can be either good or bad news, depending on how you look at it. Their KB is pretty extensive with regard to Checkpoint-specific (software) issues. Like all Checkpoint products, the KB does not contain much information on platform-specific issues like proxy ARP on Crossbeam (a known issue) or failover on Nokia appliances.
