puresecurity

Provider-1/ Product Description

The Provider-1®/SiteManager-1™

SiteManager-1 centralized security management

solution is designed to meet the
unique challenges of large-scale
Scalable security management enterprises. Provider-1/SiteManager-1
easily scales to enable security
for multi-domain environments managers to efficiently manage
multiple management domains for
a widely distributed system, thereby
ensuring that the entire corporate IT
YOUR CHALLENGE architecture is adequately protected.
Business conglomerates, holding companies, Data Centers, and Managed
Service Providers (MSPs) face security management challenges due to the Product features
diverse nature of their businesses. Security managers at these organizations
n Multi-domain, multi-policy
often need to securely manage large-scale systems with many different
management
customers and access locations.
n Global VPN communities
Large-scale enterprises often have security policies that must be tailored to n Granular, role-based administration
geographically distributed branches with independent network management.
At the same time, security personnel must support a corporate-wide security
n Management high availability
policy with rules that enforce appropriate user access, prevent attacks, and n Global SmartDefense™ Services
enable secure communication and failover capabilities. updates

Service Providers such as Data Centers and MSPs often support customers
with many different LANs, each with its own security policy needs. Service level Product benefits
agreements often require that MSPs maintain the confidentiality and integrity n Simplifies security policy provisioning
of customer data. In addition, MSPs need a management system that enables n Makes VPN community deployment
them to scale quickly to support a changing customer base, while minimizing easy across different networks
support and hardware costs.
n Reduces administrative overhead
and capital investment
OUR SOLUTION n Gives full visibility over your entire
security environment
Check Point Provider-1 /SiteManager-1 is a unique security management
® ™

solution designed to meet the scalability requirements of enterprises with com-

plex security policy needs. By simultaneously supporting central management
for many distinct security management domains, Provider-1/SiteManager-1
dramatically improves the operational efficiency of managing these complex
security deployments. Provider-1/SiteManager-1 consolidates management
for all Check Point products, delivering a robust mechanism for creating and
enforcing security policies and automatically distributing them to multiple
enforcement points.

Multi-domain management
Provider-1/SiteManager-1 provides a multi-domain security management
solution, with each management domain having multiple security policies,
its own database, and logs.

By separating enterprise or Service Provider networks into multiple manage-

ment domains, Provider-1/SiteManager-1 enables enterprises to optimize
policy size and gain better control over security policy updates as changes
made to each management domain can be completed independently. Policy
changes and logs for different domains can be audited separately, as needed,
to meet customer service level agreements or regulatory requirements. The NGX platform delivers a unified
security architecture for Check Point.

1
 Provider-1/SiteManager-1
Flexible, role-based administration
In the Provider-1/SiteManager-1 environment, the manage-
ment model has been designed so that network security
managers can centrally manage many distributed systems.
This model enables enterprises to designate trusted adminis-
trators with different access rights, which can range from
the ability to manage the entire Provider-1/SiteManager-1
system to just the ability to manage a certain aspect of a
customer network. In addition, the same administrator can
be given different permission profiles for different customer
management domains. Therefore, enterprises can allow
local department administrators who operate outside of
Provider-1/SiteManager-1 to access and manage their
own security policies.
Because Provider-1/SiteManager-1 supports multiple,
simultaneous administrator access, administrators in
diverse locations can work autonomously on the same
infrastructure. Therefore, enterprises and network operation
centers can more efficiently provide 24/7 administrative
security monitoring for their networks. Service Providers
will benefit by providing value to their customers with timely
delivery of changes and modifications, as well as allowing
their customers to manage their own management domains.
Provider-1/SiteManager-1 enables granular control of administrative
authority.
Web-based access to policies
For customers and stakeholders who need access to policies
for auditing and troubleshooting purposes, SmartPortal pro-
vides Web-based access to policies, log reports, and systems
statuses without the option to edit policy.
Global policy management
Besides security policies for specific sets of gateways,
administrators need to create policies that apply to the
entire Provider-1/SiteManager-1 environment or to a group
of customers. The separation between different levels
of policies—and different types of policies—means that
customer-level security rules do not need to be reproduced
throughout the entire Provider-1/SiteManager-1 environment.
2
On the other hand, global policies can be used for cross-
organizational compliance and serve as security templates
with rules that are applied to all customers or to specific
groups of customers. For example, a Service Provider
may use global policy rules to provide customers access
to commonly used MSP services. An enterprise may want
to use global policy rules to rapidly implement defenses
against cyber attacks or viruses. This ability to centrally
create and deploy multi-level policies delivers unparalleled
scalability by eliminating the need to make repetitive policy
changes to thousands of individual devices.
Global security rules can also be established on specific gate-
ways or groups of gateways, allowing gateways with different
functions to receive different global security rules. For example,
in enterprise deployments of Provider-1/SiteManager-1, where
the customer management domain typically represents a
geographic subdivision of an enterprise, an administrator may
configure the global policy so that certain global security rules
are established on DMZ gateways in various subdivisions,
and different rules are established on perimeter gateways.
Global VPN community management
Sometimes customers need to establish secure VPN
connections between different management domains.
Examples include large enterprises that have created
different management domains to manage corporate
networks in different cities or countries, or an MSP that may
need to provide secured communication between partners
of different customers. With Provider-1/SiteManager-1,
cross-customer VPN communication is handled easily
with global VPN communities.
Provider-1/SiteManager-1 architecture
The components of Provider-1/SiteManager-1 include the
Customer Management Add-On (CMA), the Multi-Domain
Server (MDS), the Multi-Domain GUI (MDG), the Global
SmartDashboard™ (GSD), the Multi-Domain Log Module
(MLM), and the Customer Log Module (CLM).
Customer Management Add-On
Each management domain within Provider-1/SiteManager-1
is called a CMA and is the functional equivalent of Check Point
SmartCenter™. Via a CMA, administrators define, edit, and
establish security policies applicable to a specific network,
gateway, or customer. Each administrator in the system
can have different access privileges for different CMAs. The
access privileges are centrally managed.
Multi-Domain Server
The MDS houses the CMAs, as well as Provider-1/SiteManager-1
system information. Although multiple CMAs can be stored
on the same MDS, each CMA is completely isolated, provid-
ing absolute data privacy. Multiple MDSes can be linked in
the Provider-1/SiteManager-1 system to manage thousands
of policies in a single environment and to provide failover
capabilities. The MDS also hosts the Global Policies database.
 Centralized security management for large enterprises

Multi-domain check Point

server (Mds) enforcement Modules

ent
Multi-domain a g em
an )
Gui (MdG) r M MA t
t o me On (C emen
s -
Cu Add anagA)
M
er (CM ent customer a
s t om -On em
Cu Ad d
nag
r Ma CMA)
me n (
sto -O
Cu Add

r
s fo
g file er A
o
L tom for
s
Cu files r B customer b
Log tome or
s f
Cu files C
o g e r
L tom
s
Cu
Multi-domain Log
Module (MLM) Site 2
Site 1
customer c

Provider-1/SiteManager-1 aggregates multiple, distinct security policies on a single platform.

Multi-Domain GUI Global SmartDashboard

The MDG is designed to simplify multi-policy security
management. Via the MDG, administrators manage the entire
Provider-1/SiteManager-1 environment, easily incorporating
new networks into the Provider-1/SiteManager-1 system.
Using the MDG, administrators can provision and monitor
security via a single console and oversee policies, logs, and
statuses for thousands of users. The MDG also allows a
high-level overview of all enforcement points in the system
and their statuses.
The Global SmartDashboard is used to create the global
policy rulebase. Rules and network objects are created at
the Provider-1/SiteManager-1 system level and apply across
management domains. These global rules may have prece-
dence over the customer-level rules created via the customer
SmartDashboard.
Customer Log Module and Multi-Domain Log Manager
A CLM is a single customer log server housed within an
MLM. Multiple CLMs can be stored on the same MLM
server and managed with the same administrator access
permissions set up within the Provider-1/SiteManager-1
infrastructure. Redundant log management can also be
created by designating an MLM as a primary log server
and the MDS as a backup server.

Total availability management

Provider-1/SiteManager-1 delivers a fully redundant manage-
ment architecture for rapid disaster recovery. High availability
is supported at multiple levels—from the CMA customer level
to the MDS global level. An administrator can implement
failover gateway management for a customer network by
deploying two CMAs in high availability mode. Data synchro-
nization between the two CMAs improves fault tolerance and
enables the administrator to seamlessly activate a standby
CMA when required. Distributed high availability options are
MDG presents a comprehensive view of all networks and policies also available for each CMA. The administrator can deploy a
under management. SmartCenter server to serve as a high availability peer for the

Continued on page 4

3
 CMAs, but it would actually be located closer to the gateway
and allow for full security management and provisioning
even when there is no communication between the remote
site and the network operations center. Multiple MDSes can
also be deployed to provide mutually redundant failover
capabilities and configured to automatically synchronize
global policy data. For example, an enterprise can centralize
the Provider-1/SiteManager-1 management network at one
branch yet have one or more backup MDSes at other locations.

Global, ongoing threat defense updates

Administrators can centrally update SmartDefense™ and Web
Intelligence™ security configurations and defenses, ensuring
security systems are always up-to-date to defend against
new and evolving threats. Enterprises will have the flexibility
to define settings at the global level as well as those specific Provider-1/SiteManager-1 enables administrators to receive the latest
to their subnetworks. features without undergoing complete version upgrades.

Global reporting and event correlation

In a Provider-1/SiteManager-1 environment, Eventia Suite™
provides real-time and historical security event analysis and
reporting. Real-time event correlation and reporting can
be performed at the global level or targeted at a specific
network segment or customer. Reports can be generated
on a per-customer or cross-customer basis. Enterprise and
Service Provider administrators can automatically generate
reports to be sent to various stakeholders for overall security
performance analysis or auditing purposes. Multiple Eventia
Reporter™ and Eventia Analyzer™ correlation units can be
implemented to run in parallel, scaling to meet the needs of
large-scale environments.

Real-time management plug-ins

The Provider-1/SiteManager-1 management plug-in
architecture enables administrators to receive incremental
functionality upgrades. When new features for VPN-1®
gateways are introduced or new products become available,
customers will be able to incrementally update their
Provider-1/SiteManager-1s with new features rather than
completely upgrading. New features can be implemented
for all customers or specific customers. This feature helps
streamline the upgrade process, enabling administrators
to perform a major release upgrade on their own schedules,
while enabling them to keep current with security management.

supported operating systems

Provider-1/SiteManager-1 enables configuring of global Multi-Domain Server SecurePlatform™, Solaris 8/9/10,
SmartDefense settings for protection against the latest threats and RedHat Linux Enterprise 3.0
tailoring these to the local environments of different management
domains by introducing granular exceptions to global policy. Multi-Domain GUI Windows 2000/2003/XP, Solaris 8/9/10

©2003–2007 Check Point Software Technologies Ltd. All rights reserved. Check Point, AlertAdvisor, Application Intelligence, Check Point Express, Check Point Express CI, the Check Point
logo, ClusterXL, Confidence Indexing, ConnectControl, Connectra, Connectra Accelerator Card, Cooperative Enforcement, Cooperative Security Alliance, CoSa, DefenseNet, Dynamic Shielding
Architecture, Eventia, Eventia Analyzer, Eventia Reporter, Eventia Suite, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer, FloodGate-1, Hacker ID, Hybrid Detection Engine, IMsecure, INSPECT,
INSPECT XL, Integrity, Integrity Clientless Security, Integrity SecureClient, InterSpect, IPS-1, IQ Engine, MailSafe, NG, NGX, Open Security Extension, OPSEC, OSFirewall, Policy Lifecycle Management,
Provider-1, Safe@Home, Safe@Office, SecureClient, SecureClient Mobile, SecureKnowledge, SecurePlatform, SecurePlatform Pro, SecuRemote, SecureServer, SecureUpdate, SecureXL, SecureXL
Turbocard, Sentivist, SiteManager-1, SmartCenter, SmartCenter Express, SmartCenter Power, SmartCenter Pro, SmartCenter UTM, SmartConsole, SmartDashboard, SmartDefense, SmartDefense
Advisor, Smarter Security, SmartLSM, SmartMap, SmartPortal, SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartViewTracker, SofaWare, SSL Network
Extender, Stateful Clustering, TrueVector, Turbocard, UAM, UserAuthority, User-to-Address Mapping, VPN-1, VPN-1 Accelerator Card, VPN-1 Edge, VPN-1 Express, VPN-1 Express CI, VPN-1
Power, VPN-1 Power VSX, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 UTM, VPN-1 UTM Edge, VPN-1 VSX, Web Intelligence, ZoneAlarm, ZoneAlarm
Anti-Spyware, ZoneAlarm Antivirus, ZoneAlarm Internet Security Suite, ZoneAlarm Pro, ZoneAlarm Secure Wireless Router, Zone Labs, and the Zone Labs logo are trademarks or registered trademarks
of Check Point Software Technologies Ltd. or its affiliates. ZoneAlarm is a Check Point Software Technologies, Inc. Company. All other product names mentioned herein are trademarks or registered
trademarks of their respective owners. The products described in this document are protected by U.S. Patent No. 5,606,668, 5,835,726, 6,496,935, 6,873,988, and 6,850,943 and may be protected by
other U.S. Patents, foreign patents, or pending applications.

March 5, 2007 P/N 502348

Worldwide Headquarters U.S. Headquarters

3A Jabotinsky Street, 24th Floor 800 Bridge Parkway
Ramat Gan 52520, Israel Redwood City, CA 94065
Tel: 972-3-753-4555 Tel: 800-429-4391; 650-628-2000
Fax: 972-3-575-9256 Fax: 650-654-4233
Email: info@checkpoint.com www.checkpoint.com
4