Service Providers such as Data Centers and MSPs often support customers with many different LANs, each with its own security policy needs. Service level agreements often require that MSPs maintain the confidentiality and integrity of customer data. In addition, MSPs need a management system that enables them to scale quickly to support a changing customer base, while minimizing support and hardware costs.

Product benefits
- Simplifies security policy provisioning
- Makes VPN community deployment easy across different networks
- Reduces administrative overhead and capital investment
- Gives full visibility over your entire security environment

OUR SOLUTION
Check Point Provider-1®/SiteManager-1™ is a unique security management
Multi-domain management
Provider-1/SiteManager-1 provides a multi-domain security management
solution, with each management domain having multiple security policies,
its own database, and logs.
Provider-1/SiteManager-1
Flexible, role-based administration
In the Provider-1/SiteManager-1 environment, the management model has been designed so that network security managers can centrally manage many distributed systems. This model enables enterprises to designate trusted administrators with different access rights, which can range from the ability to manage the entire Provider-1/SiteManager-1 system to just the ability to manage a certain aspect of a customer network. In addition, the same administrator can be given different permission profiles for different customer management domains. Therefore, enterprises can allow local department administrators who operate outside of Provider-1/SiteManager-1 to access and manage their own security policies.

Because Provider-1/SiteManager-1 supports multiple, simultaneous administrator access, administrators in diverse locations can work autonomously on the same infrastructure. Therefore, enterprises and network operation centers can more efficiently provide 24/7 administrative security monitoring for their networks. Service Providers will benefit by providing value to their customers with timely delivery of changes and modifications, as well as allowing their customers to manage their own management domains.

On the other hand, global policies can be used for cross-organizational compliance and serve as security templates with rules that are applied to all customers or to specific groups of customers. For example, a Service Provider may use global policy rules to provide customers access to commonly used MSP services. An enterprise may want to use global policy rules to rapidly implement defenses against cyber attacks or viruses. This ability to centrally create and deploy multi-level policies delivers unparalleled scalability by eliminating the need to make repetitive policy changes to thousands of individual devices.

Global security rules can also be established on specific gateways or groups of gateways, allowing gateways with different functions to receive different global security rules. For example, in enterprise deployments of Provider-1/SiteManager-1, where the customer management domain typically represents a geographic subdivision of an enterprise, an administrator may configure the global policy so that certain global security rules are established on DMZ gateways in various subdivisions, and different rules are established on perimeter gateways.

Global VPN community management
Sometimes customers need to establish secure VPN connections between different management domains. Examples include large enterprises that have created different management domains to manage corporate networks in different cities or countries, or an MSP that may need to provide secured communication between partners of different customers. With Provider-1/SiteManager-1, cross-customer VPN communication is handled easily with global VPN communities.

Provider-1/SiteManager-1 architecture
The components of Provider-1/SiteManager-1 include the
Customer Management Add-On (CMA), the Multi-Domain
Server (MDS), the Multi-Domain GUI (MDG), the Global
SmartDashboard™ (GSD), the Multi-Domain Log Module
(MLM), and the Customer Log Module (CLM).
Centralized security management for large enterprises
[Figure: architecture diagram. Labels: Multi-Domain GUI (MDG); Customer Management Add-On (CMA), shown three times; Log files for Customer A, Customer B and Customer C; Multi-Domain Log Module (MLM); Site 1; Site 2; Customer A; Customer B; Customer C.]
CMAs, but it would actually be located closer to the gateway
and allow for full security management and provisioning
even when there is no communication between the remote
site and the network operations center. Multiple MDSes can
also be deployed to provide mutually redundant failover
capabilities and configured to automatically synchronize
global policy data. For example, an enterprise can centralize
the Provider-1/SiteManager-1 management network at one
branch yet have one or more backup MDSes at other locations.
©2003–2007 Check Point Software Technologies Ltd. All rights reserved.