
Check Point VE


By chri - Posted on 22 October 2008

Some time ago, at VMworld, Check Point announced (http://www.checkpoint.com/press/2008/demovpn-1ve150908.html) that they were launching VE (Virtual Edition), their software for VMware ESX and ESXi.
Yesterday I had the opportunity to attend a Check Point Technical Update Session, the perfect place to ask for more details about this new VE.

Unfortunately I had misunderstood the design of Check Point VE, which led to great disappointment.
In marketing terms they describe it as: "It enables you to segregate virtual systems from each other as well as from external threats."

Usually they show you a drawing like this:

Reading this drawing together with their explanation, you conclude that the firewall really sits between the hosts and lets you filter all traffic entering and leaving the virtual machines.
A question I asked was what would happen when a virtual machine is VMotioned to another ESX host. "Good question! Well, it's simply VMnet that handles this." is the answer you get. And then you suddenly realize their drawing is not really what you get with CPVE.

In reality they 'forgot' to draw the virtual switch that interconnects all the VMs. That simple switch changes the whole story: two VMs on the same port group and subnet talk to each other directly at layer 2 through the vSwitch, and the gateway VM never sees a single packet of that conversation. CPVE plays exactly the same role any other firewall would, routing and filtering packets between networks. It will not firewall your individual virtual machines unless you put them in different subnets (separate port groups or VLANs on the vSwitch) with the VE as the only path between them.
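
To make that point concrete, here is an added example (my own Python model, not Check Point's or VMware's code, and not from the original post). It classifies each VM-to-VM flow by whether the vSwitch forwards it directly at layer 2 or the gateway VM has to route it, for two constructed topologies: the flat "everything on one port group" layout the drawing suggests, and a segmented layout where each VM sits in its own port group and subnet with the gateway as the only router between them. VM names, port-group names and addresses are invented for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class Interface:
    """A vNIC: its IP/prefix and the vSwitch port group (VLAN) it is attached to."""
    addr: ipaddress.IPv4Interface
    port_group: str


@dataclass(frozen=True)
class VM:
    name: str
    nic: Interface


@dataclass(frozen=True)
class Gateway:
    """The firewall VM (a CPVE / VPN-1 gateway in the text), with one leg per network."""
    name: str
    nics: tuple

    def leg_on(self, iface: Interface) -> Optional[Interface]:
        """Gateway interface on-link with iface: same port group and same subnet."""
        for leg in self.nics:
            if leg.port_group == iface.port_group and leg.addr.network == iface.addr.network:
                return leg
        return None


def classify_flow(src: VM, dst: VM, gw: Gateway) -> str:
    """How a packet from src to dst travels.

    'direct'      same port group and subnet: the vSwitch forwards it at layer 2,
                  the gateway never sees it and cannot filter it
    'via_gw'      different networks and the gateway has a leg on both: routed
                  through the gateway, so its policy applies
    'unreachable' no layer-2 adjacency and no gateway leg on both sides
    """
    a, b = src.nic, dst.nic
    if a.port_group == b.port_group and a.addr.network == b.addr.network:
        return "direct"
    if gw.leg_on(a) is not None and gw.leg_on(b) is not None:
        return "via_gw"
    return "unreachable"


def flows(vms: Sequence[VM], gw: Gateway, kind: str):
    """Sorted (src, dst) name pairs whose traffic is classified as `kind`."""
    return sorted(
        (s.name, d.name)
        for s in vms for d in vms
        if s is not d and classify_flow(s, d, gw) == kind
    )


def ip(s: str) -> ipaddress.IPv4Interface:
    return ipaddress.IPv4Interface(s)


# Constructed topology 1: the marketing drawing as actually deployed. All three
# VMs share one port group and one /24; the gateway is just another VM on it.
FLAT_VMS = (
    VM("web", Interface(ip("10.0.1.10/24"), "VM Network")),
    VM("app", Interface(ip("10.0.1.20/24"), "VM Network")),
    VM("db", Interface(ip("10.0.1.30/24"), "VM Network")),
)
FLAT_GW = Gateway("cpve", (
    Interface(ip("10.0.1.1/24"), "VM Network"),
    Interface(ip("192.0.2.1/24"), "External"),
))

# Constructed topology 2: one port group and subnet per VM, gateway has a leg on
# each, so every VM-to-VM packet must be routed and therefore crosses the policy.
SEGMENTED_VMS = (
    VM("web", Interface(ip("10.0.1.10/24"), "pg-web")),
    VM("app", Interface(ip("10.0.2.10/24"), "pg-app")),
    VM("db", Interface(ip("10.0.3.10/24"), "pg-db")),
)
SEGMENTED_GW = Gateway("cpve", (
    Interface(ip("10.0.1.1/24"), "pg-web"),
    Interface(ip("10.0.2.1/24"), "pg-app"),
    Interface(ip("10.0.3.1/24"), "pg-db"),
    Interface(ip("192.0.2.1/24"), "External"),
))

# Constructed misconfiguration: a VM given a web-subnet address but attached to the
# app port group. No gateway leg matches that (subnet, port group) pair, so it is cut off.
STRAY = VM("stray", Interface(ip("10.0.1.50/24"), "pg-app"))

if __name__ == "__main__":
    for label, vms, gw in (("flat", FLAT_VMS, FLAT_GW), ("segmented", SEGMENTED_VMS, SEGMENTED_GW)):
        print(f"{label}: bypasses gateway = {flows(vms, gw, 'direct')}")
        print(f"{label}: filtered by gateway = {flows(vms, gw, 'via_gw')}")
```

In the flat layout all six VM-to-VM pairs come out as `direct`, which is exactly the disappointment described above: the gateway's rule base is never consulted for them. In the segmented layout all six are `via_gw`. The equivalent check on a real host is to look at which port group each vNIC is attached to and whether the guest's route to its peer has a next hop at all; if the peer is on-link, no policy in the gateway will ever apply to that pair.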


In human-readable form, Check Point's VE is "just VPN-1 running in a VM" (and officially supported by Check Point in that form). Nothing more, nothing less.


The good news is that VMware has opened up its API, and Check Point says it is starting to work on implementing the first drawing I made, where the VE sits between the hosts and not next to them. But don't expect it soon...

Hello Christophe,

I think we may have gone to the same TUS session ;) (Kobbegem? - hope you liked the gueuze)
I had written just about the same report on my tech blog, with the same conclusion (http://www.radical-it.be/blog/).
I will link to this explanation on my blog.
Good idea of yours to provide some nice schematics to explain this better.
I am also looking forward to the work that Check Point promises to do with the API, but don't hold your breath; I don't know when VMware will bring it out. Let me know if you have more info.

Meanwhile, I think a plain installation of SPLAT on VMware is usable in some cases. I have some customers that have extra gateway licenses, so I think I might actually install SPLAT on VMware for some extra firewalling possibilities in some cases.

I might in the future also consider installing firewalls on VMs instead of buying appliances.

What are your thoughts on that?

Keep it up.

Wouter

Hi Wouter,

I was indeed also there during the session, to be more precise, I was the guy asking the annoying question to the CP techie.

I read your post and we indeed think the same.

Concerning the installation of VPN-1/SPLAT on a hypervisor: I wouldn't do this for a customer of mine, except maybe if I get a written confirmation that he knows and accepts the consequences (in terms of support). You must understand that Check Point will not give you support if they discover you're running it in a VM (even if it works like a charm).