

Provider-1/SiteManager-1

Scalable security management for multi-domain environments

Product Description
The Provider-1®/SiteManager-1™ centralized security management
solution is designed to meet the unique challenges of large-scale
enterprises. Provider-1/SiteManager-1 easily scales to enable security
managers to efficiently manage multiple management domains for
a widely distributed system, thereby ensuring that the entire corporate IT
architecture is adequately protected.

Product features
- Multi-domain, multi-policy
- Global VPN communities
- Granular, role-based administration
- Management high availability
- Global SmartDefense™ Services updates

Product benefits
- Simplifies security policy provisioning
- Makes VPN community deployment easy across different networks
- Reduces administrative overhead and capital investment
- Gives full visibility over your entire security environment

YOUR CHALLENGE
Business conglomerates, holding companies, Data Centers, and Managed
Service Providers (MSPs) face security management challenges due to the
diverse nature of their businesses. Security managers at these organizations
often need to securely manage large-scale systems with many different
customers and access locations.

Large-scale enterprises often have security policies that must be tailored to
geographically distributed branches with independent network management.
At the same time, security personnel must support a corporate-wide security
policy with rules that enforce appropriate user access, prevent attacks, and
enable secure communication and failover capabilities.

Service Providers such as Data Centers and MSPs often support customers
with many different LANs, each with its own security policy needs. Service level
agreements often require that MSPs maintain the confidentiality and integrity
of customer data. In addition, MSPs need a management system that enables
them to scale quickly to support a changing customer base, while minimizing
support and hardware costs.

OUR SOLUTION
Check Point Provider-1®/SiteManager-1™ is a unique security management
solution designed to meet the scalability requirements of enterprises with
complex security policy needs. By simultaneously supporting central management
for many distinct security management domains, Provider-1/SiteManager-1
dramatically improves the operational efficiency of managing these complex
security deployments. Provider-1/SiteManager-1 consolidates management
for all Check Point products, delivering a robust mechanism for creating and
enforcing security policies and automatically distributing them to multiple
enforcement points.

Multi-domain management
Provider-1/SiteManager-1 provides a multi-domain security management
solution, with each management domain having multiple security policies,
its own database, and logs.

By separating enterprise or Service Provider networks into multiple
management domains, Provider-1/SiteManager-1 enables enterprises to optimize
policy size and gain better control over security policy updates as changes
made to each management domain can be completed independently. Policy
changes and logs for different domains can be audited separately, as needed,
to meet customer service level agreements or regulatory requirements.

The NGX platform delivers a unified security architecture for Check Point.


Flexible, role-based administration
In the Provider-1/SiteManager-1 environment, the management model has
been designed so that network security managers can centrally manage many
distributed systems. This model enables enterprises to designate trusted
administrators with different access rights, which can range from the
ability to manage the entire Provider-1/SiteManager-1 system to just the
ability to manage a certain aspect of a customer network. In addition, the
same administrator can be given different permission profiles for different
customer management domains. Therefore, enterprises can allow local
department administrators who operate outside of Provider-1/SiteManager-1
to access and manage their own security policies.

Because Provider-1/SiteManager-1 supports multiple, simultaneous
administrator access, administrators in diverse locations can work
autonomously on the same infrastructure. Therefore, enterprises and network
operation centers can more efficiently provide 24/7 administrative security
monitoring for their networks. Service Providers will benefit by providing
value to their customers with timely delivery of changes and modifications,
as well as allowing their customers to manage their own management domains.

Figure: Provider-1/SiteManager-1 enables granular control of administrative
authority.

Web-based access to policies
For customers and stakeholders who need access to policies for auditing and
troubleshooting purposes, SmartPortal provides Web-based access to policies,
log reports, and systems statuses without the option to edit policy.

Global policy management
Besides security policies for specific sets of gateways, administrators need
to create policies that apply to the entire Provider-1/SiteManager-1
environment or to a group of customers. The separation between different
levels of policies—and different types of policies—means that customer-level
security rules do not need to be reproduced throughout the entire
Provider-1/SiteManager-1 environment.

On the other hand, global policies can be used for cross-organizational
compliance and serve as security templates with rules that are applied to
all customers or to specific groups of customers. For example, a Service
Provider may use global policy rules to provide customers access to commonly
used MSP services. An enterprise may want to use global policy rules to
rapidly implement defenses against cyber attacks or viruses. This ability to
centrally create and deploy multi-level policies delivers unparalleled
scalability by eliminating the need to make repetitive policy changes to
thousands of individual devices.

Global security rules can also be established on specific gateways or groups
of gateways, allowing gateways with different functions to receive different
global security rules. For example, in enterprise deployments of
Provider-1/SiteManager-1, where the customer management domain typically
represents a geographic subdivision of an enterprise, an administrator may
configure the global policy so that certain global security rules are
established on DMZ gateways in various subdivisions, and different rules are
established on perimeter gateways.

Global VPN community management
Sometimes customers need to establish secure VPN connections between
different management domains. Examples include large enterprises that have
created different management domains to manage corporate networks in
different cities or countries, or an MSP that may need to provide secured
communication between partners of different customers. With
Provider-1/SiteManager-1, cross-customer VPN communication is handled easily
with global VPN communities.

Provider-1/SiteManager-1 architecture
The components of Provider-1/SiteManager-1 include the Customer Management
Add-On (CMA), the Multi-Domain Server (MDS), the Multi-Domain GUI (MDG), the
Global SmartDashboard™ (GSD), the Multi-Domain Log Module (MLM), and the
Customer Log Module (CLM).

Customer Management Add-On
Each management domain within Provider-1/SiteManager-1 is called a CMA and
is the functional equivalent of Check Point SmartCenter™. Via a CMA,
administrators define, edit, and establish security policies applicable to a
specific network, gateway, or customer. Each administrator in the system can
have different access privileges for different CMAs. The access privileges
are centrally managed.

Multi-Domain Server
The MDS houses the CMAs, as well as Provider-1/SiteManager-1 system
information. Although multiple CMAs can be stored on the same MDS, each CMA
is completely isolated, providing absolute data privacy. Multiple MDSes can
be linked in the Provider-1/SiteManager-1 system to manage thousands of
policies in a single environment and to provide failover capabilities. The
MDS also hosts the Global Policies database.

Centralized security management for large enterprises

Figure: Provider-1/SiteManager-1 aggregates multiple, distinct security policies on a single platform.
(Diagram labels: Multi-Domain Server (MDS); Customer Management Add-On (CMA), shown three times; Multi-Domain GUI (MDG); Multi-Domain Log Module (MLM); log files for Customer A, Customer B and Customer C; Check Point enforcement modules; Customer A, Customer B, Customer C; Site 1; Site 2.)

Multi-Domain GUI
The MDG is designed to simplify multi-policy security management. Via the
MDG, administrators manage the entire Provider-1/SiteManager-1 environment,
easily incorporating new networks into the Provider-1/SiteManager-1 system.
Using the MDG, administrators can provision and monitor security via a
single console and oversee policies, logs, and statuses for thousands of
users. The MDG also allows a high-level overview of all enforcement points
in the system and their statuses.

Figure: MDG presents a comprehensive view of all networks and policies under
management.

Global SmartDashboard
The Global SmartDashboard is used to create the global policy rulebase.
Rules and network objects are created at the Provider-1/SiteManager-1 system
level and apply across management domains. These global rules may have
precedence over the customer-level rules created via the customer
SmartDashboard.

Customer Log Module and Multi-Domain Log Manager
A CLM is a single customer log server housed within an MLM. Multiple CLMs
can be stored on the same MLM server and managed with the same administrator
access permissions set up within the Provider-1/SiteManager-1
infrastructure. Redundant log management can also be created by designating
an MLM as a primary log server and the MDS as a backup server.

Total availability management
Provider-1/SiteManager-1 delivers a fully redundant management architecture
for rapid disaster recovery. High availability is supported at multiple
levels—from the CMA customer level to the MDS global level. An administrator
can implement failover gateway management for a customer network by
deploying two CMAs in high availability mode. Data synchronization between
the two CMAs improves fault tolerance and enables the administrator to
seamlessly activate a standby CMA when required. Distributed high
availability options are also available for each CMA. The administrator can
deploy a SmartCenter server to serve as a high availability peer for the
CMAs, but it would actually be located closer to the gateway and allow for
full security management and provisioning even when there is no
communication between the remote site and the network operations center.
Multiple MDSes can also be deployed to provide mutually redundant failover
capabilities and configured to automatically synchronize global policy data.
For example, an enterprise can centralize the Provider-1/SiteManager-1
management network at one branch yet have one or more backup MDSes at other
locations.

Global, ongoing threat defense updates

Administrators can centrally update SmartDefense™ and Web
Intelligence™ security configurations and defenses, ensuring
security systems are always up-to-date to defend against
new and evolving threats. Enterprises will have the flexibility
to define settings at the global level as well as those specific
to their subnetworks.

Figure: Provider-1/SiteManager-1 enables administrators to receive the latest
features without undergoing complete version upgrades.

Global reporting and event correlation

In a Provider-1/SiteManager-1 environment, Eventia Suite™ provides real-time
and historical security event analysis and reporting. Real-time event
correlation and reporting can be performed at the global level or targeted
at a specific network segment or customer. Reports can be generated on a
per-customer or cross-customer basis. Enterprise and Service Provider
administrators can automatically generate reports to be sent to various
stakeholders for overall security performance analysis or auditing purposes.
Multiple Eventia Reporter™ and Eventia Analyzer™ correlation units can be
implemented to run in parallel, scaling to meet the needs of large-scale
environments.

Real-time management plug-ins

The Provider-1/SiteManager-1 management plug-in
architecture enables administrators to receive incremental
functionality upgrades. When new features for VPN-1®
gateways are introduced or new products become available,
customers will be able to incrementally update their
Provider-1/SiteManager-1s with new features rather than
completely upgrading. New features can be implemented
for all customers or specific customers. This feature helps
streamline the upgrade process, enabling administrators
to perform a major release upgrade on their own schedules,
while enabling them to keep current with security management.

Figure: Provider-1/SiteManager-1 enables configuring of global SmartDefense
settings for protection against the latest threats and tailoring these to
the local environments of different management domains by introducing
granular exceptions to global policy.

Supported operating systems
Multi-Domain Server: SecurePlatform™, Solaris 8/9/10, RedHat Linux Enterprise 3.0
Multi-Domain GUI: Windows 2000/2003/XP, Solaris 8/9/10

©2003–2007 Check Point Software Technologies Ltd. All rights reserved. The products described in this document are protected by U.S. Patent No. 5,606,668, 5,835,726, 6,496,935, 6,873,988, and 6,850,943 and may be protected by
other U.S. Patents, foreign patents, or pending applications.

March 5, 2007 P/N 502348

Worldwide Headquarters
3A Jabotinsky Street, 24th Floor
Ramat Gan 52520, Israel
Tel: 972-3-753-4555
Fax: 972-3-575-9256

U.S. Headquarters
800 Bridge Parkway
Redwood City, CA 94065
Tel: 800-429-4391; 650-628-2000
Fax: 650-654-4233