Check Point QoS
Administration Guide Version NGX R65
© 2003-2007 Check Point Software Technologies Ltd.
All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.
RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.
TRADEMARKS:
©2003-2007 Check Point Software Technologies Ltd. All rights reserved. Check Point, AlertAdvisor, Application Intelligence, Check Point Express, Check Point Express CI, the Check Point logo, ClusterXL, Confidence Indexing, ConnectControl, Connectra, Connectra Accelerator Card, Cooperative Enforcement, Cooperative Security Alliance, CoSa, DefenseNet, Dynamic Shielding Architecture, Eventia, Eventia Analyzer, Eventia Reporter, Eventia Suite, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer, FloodGate-1, Hacker ID, Hybrid Detection Engine, IMsecure, INSPECT, INSPECT XL, Integrity, Integrity Clientless Security, Integrity SecureClient, InterSpect, IPS-1, IQ Engine, MailSafe, NG, NGX, Open Security Extension, OPSEC, OSFirewall, Policy Lifecycle Management, Provider-1, Safe@Home, Safe@Office, SecureClient, SecureClient Mobile, SecureKnowledge, SecurePlatform, SecurePlatform Pro, SecuRemote, SecureServer, SecureUpdate, SecureXL, SecureXL Turbocard, Sentivist, SiteManager-1, SmartCenter, SmartCenter Express, SmartCenter Power, SmartCenter Pro, SmartCenter UTM, SmartConsole, SmartDashboard, SmartDefense, SmartDefense Advisor, Smarter Security, SmartLSM, SmartMap, SmartPortal,
SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartViewTracker, SofaWare, SSL Network Extender, Stateful Clustering, TrueVector, Turbocard, UAM, UserAuthority, User-to-Address Mapping, VPN-1, VPN-1 Accelerator Card, VPN-1 Edge, VPN-1 Express, VPN-1 Express CI, VPN-1 Power, VPN-1 Power VSX, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 UTM, VPN-1 UTM Edge, VPN-1 VSX, Web Intelligence, ZoneAlarm, ZoneAlarm Anti-Spyware, ZoneAlarm Antivirus, ZoneAlarm Internet Security Suite, ZoneAlarm Pro, ZoneAlarm Secure Wireless Router, Zone Labs, and the Zone Labs logo are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. ZoneAlarm is a Check Point Software Technologies, Inc. Company. All other product names mentioned herein are trademarks or registered trademarks of their respective owners. The products described in this document are protected by U.S. Patent No. 5,606,668, 5,835,726, 6,496,935, 6,873,988, and 6,850,943 and may be protected by other U.S. Patents, foreign patents, or pending applications.
For third party notices, see: THIRD PARTY TRADEMARKS AND COPYRIGHTS
Preface
Who Should Use This Guide 10
Summary of Contents 11
Appendices 11
Related Documentation 12
More Information 15
Feedback 16
Chapter 1 Overview
What is Quality of Service 18
Internet Bandwidth Management Technologies 19
Overview 19
Superior QoS Solution Requirements 19
Benefits of a Policy-Based Solution 20
How Does Check Point Deliver QoS 21
Features and Benefits 23
Traditional Check Point QoS vs Check Point QoS Express 24
Workflow 26
Chapter 2 Introduction to Check Point QoS
Check Point QoS’s Innovative Technology 30
Technology Overview 31
Check Point QoS Architecture 33
Basic Architecture 33
Check Point QoS Configuration 35
Concurrent Sessions 38
Interaction with VPN-1 Pro and VPN-1 Net 39
Interoperability 39
Chapter 3 Basic QoS Policy Management
Overview 42
Rule Base Management 43
Overview 43
Connection Classification 44
Network Objects 44
Services and Resources 45
Time Objects 45
Bandwidth Allocation and Rules 45
Default Rule 47
QoS Action Properties 47
Example of a Rule Matching VPN Traffic 48
Implementing the Rule Base 51
To Verify and View the QoS Policy 51
To Install and Enforce the Policy 51
To Uninstall the QoS Policy 52
To Monitor the QoS Policy 52
Chapter 4 Check Point QoS Tutorial
Introduction 54
Building and Installing a QoS Policy 56
Step 1: Installing Check Point Modules 57
Step 2: Starting SmartDashboard 57
To Start SmartDashboard 58
Step 3: Determining QoS Policy 61
Step 4: Defining the Network Objects 61
To Define the Gateway London 62
To Define the Interfaces on Gateway London 66
To Define the QoS Properties for the Interfaces on Gateway London 72
Step 5: Defining the Services 73
Step 6: Creating a Rule Base 73
To Create a New Policy Package 74
To Create New Rules 75
To Modify New Rules 76
Step 7: Installing a QoS Policy 82
Conclusion 84
Chapter 5 Advanced QoS Policy Management
Overview 86
Examples: Guarantees and Limits 87
Per Rule Guarantees 87
Per Connections Guarantees 90
Limits 91
Guarantee - Limit Interaction 91
Differentiated Services (DiffServ) 93
Overview 93
DiffServ Markings for IPSec Packets 93
Interaction Between DiffServ Rules and Other Rules 94
Low Latency Queuing 95
Overview 95
Low Latency Classes 95
Interaction between Low Latency and Other Rule Properties 100
When to Use Low Latency Queuing 101
Low Latency versus DiffServ 102
Authenticated QoS 103
Citrix MetaFrame Support 104
Overview 104
Limitations 105
Load Sharing 106
Check Point QoS Cluster Infrastructure 107
Chapter 6 Managing Check Point QoS
Defining QoS Global Properties 112
To Modify the QoS Global Properties 112
Specifying Interface QoS Properties 114
To Define the Interface QoS Properties 114
Editing QoS Rule Bases 118
To Create a New Policy Package 118
To Open an Existing Policy Package 119
To Add a Rule 119
To Rename a Rule 121
To Copy, Cut or Paste a Rule 121
To Delete a Rule 122
Modifying Rules 123
Modifying Sources in a Rule 123
Modifying Destinations in a Rule 126
Modifying Services in a Rule 128
Modifying Rule Actions 130
Modifying Tracking for a Rule 135
Modifying Install On for a Rule 135
Modifying Time in a Rule 138
Adding Comments to a Rule 140
Defining Sub-Rules 142
Working with Differentiated Services (DiffServ) 144
To Define a DiffServ Class of Service 145
To Define a DiffServ Class of Service Group 146
To Add QoS Class Properties for Expedited Forwarding 147
To Add QoS Class Properties for Non Expedited Forwarding 148
Working with Low Latency Classes 150
To Implement Low Latency Queuing 150
To Define Low Latency Classes of Service 151
To Define Class of Service Properties for Low Latency Queuing 151
Working with Authenticated QoS 153
To Use Authenticated QoS 153
Managing QoS for Citrix ICA Applications 155
Disabling Session Sharing 155
Modifying your Security Policy 156
Discovering Citrix ICA Application Names 157
Defining a New Citrix TCP Service 160
Adding a Citrix TCP Service to a Rule (Traditional Mode Only) 161
Installing the Security and QoS Policies 161
Managing QoS for Citrix Printing 162
Configuring a Citrix Printing Rule (Traditional Mode Only) 162
Configuring Check Point QoS Topology 163
Viewing the Check Point QoS Modules Status 164
Enabling Log Collection 165
To Turn on QoS Logging 165
To Confirm that the Rule is Marked for Logging 166
To Start SmartView Tracker 167
Chapter 7 SmartView Tracker
Overview of Logging 170
Examples of Log Events 174
Connection Reject Log 174
LLQ Drop Log 174
Pool Exceeded Log 175
Examples of Account Statistics Logs 177
General Statistics Data 177
Drop Policy Statistics Data 178
LLQ Statistics Data 178
Chapter 8 Command Line Interface
Check Point QoS Commands 180
Setup 181
fgate Menu 182
Control 183
Monitor 185
Utilities 187
Chapter 9 Check Point QoS FAQ (Frequently Asked Questions)
Questions and Answers 190
Introduction 190
Check Point QoS Basics 191
Other Check Point Products - Support and Management 194
Policy Creation 195
Capacity Planning 196
Protocol Support 197
Installation/Backward Compatibility/Licensing/Versions 198
How do I? 198
General Issues 199
Chapter 10 Deploying Check Point QoS
Deploying Check Point QoS 202
Check Point QoS Topology Restrictions 202
Sample Bandwidth Allocations 204
Frame Relay Network 204
Appendix A Debug Flags
fw ctl debug -m FG-1 Error Codes for Check Point QoS 208
Preface
In This Chapter
Who Should Use This Guide
This guide is intended for administrators responsible for maintaining network security within an enterprise, including policy management and user support. This guide assumes a basic understanding of:
• System administration
• The underlying operating system
• Internet protocols (IP, TCP, UDP etc.)
Summary of Contents
• Chapter 1, “Overview”: presents an overview of Quality of Service and how it is delivered by Check Point QoS
• Chapter 2, “Introduction to Check Point QoS”: presents an overview of QoS, including technologies and architecture
• Chapter 3, “Basic QoS Policy Management”
• Chapter 6, “Managing Check Point QoS”
• Chapter 9, “Check Point QoS FAQ (Frequently Asked Questions)”: a compilation of frequently asked questions and their answers
• Chapter 10, “Deploying Check Point QoS”: describes how to deploy Check Point QoS and provides sample bandwidth allocations
Table A-2 Appendix Description
Related Documentation
The NGX R65 release includes the following documentation.
TABLE P-1 VPN-1 Power documentation suite documentation
• Internet Security Product Suite Getting Started Guide: Contains an overview of NGX R65 and step by step product installation and upgrade procedures. This document also provides information about What’s New, Licenses, Minimum hardware and software requirements, etc.
• Upgrade Guide: Explains all available upgrade paths for Check Point products from VPN-1/FireWall-1 NG forward. This guide is specifically geared towards upgrading to NGX R65.
• Virtual Private Networks Administration Guide: This guide describes the basic components of a VPN and provides the background for the technology that comprises the VPN infrastructure.
• Provider-1/SiteManager-1 Administration Guide: Explains the Provider-1/SiteManager-1 security management solution. This guide provides details about a three-tier, multi-policy management architecture and a host of Network Operating Center oriented features that automate time-consuming repetitive tasks common in Network Operating Center environments.
TABLE P-2 Integrity Server documentation
Chapter 1
Overview
In This Chapter
Internet Bandwidth Management Technologies page 19
Traditional Check Point QoS vs Check Point QoS Express page 24
What is Quality of Service
Quality of Service is a set of intelligent network protocols and services that are used to efficiently manage the movement of information through local or wide area networks. QoS services sort and classify flows into different traffic classes, and allocate resources to network traffic flows based on user or application ID, source or destination IP address, time of day, application-specific parameters, and other user-specified variables.
Fundamentally, QoS enables you to provide better service to certain flows. This is done by either raising the priority of a flow or limiting the priority of another flow.
Internet Bandwidth Management Technologies
Overview
In the past, network bandwidth problems have been addressed either by adding more bandwidth (an expensive and usually short-term “solution”) or by router queuing, which is ineffective for complex modern Internet protocols.
Superior QoS Solution Requirements
In order to provide effective bandwidth management, a bandwidth management tool must track and control the flow of communication passing through, based on information derived from all communication layers and from other applications.
An effective bandwidth management tool must address all of the following issues:
• Fair Prioritization
It is not sufficient to simply prioritize communications, for example, to specify a higher priority for HTTP than for SMTP. The result may well be that all bandwidth resources are allocated to one service and none to another. A bandwidth management tool must be able to divide the available resources so that more important services are allocated more bandwidth, but all services are allocated some bandwidth.
• Minimum Bandwidth
A bandwidth management tool must be able to guarantee a service’s minimum required bandwidth. It must also be able to allocate bandwidth preferentially, for example, to move a company’s video conference to the “head of the line” in preference to all other Internet traffic.
• Classification
A bandwidth management tool must be able to accurately classify communications. However, simply examining a packet in isolation does not provide all the information needed to make an informed decision. State information — derived from past communications and other applications — is also required. A packet’s contents, the communication state and the application state (derived from other applications) must all be considered when making control decisions.
Benefits of a Policy-Based Solution
Based on the principles discussed in the previous section, there are basically three ways to improve the existing best-effort service that enterprise networks and ISPs deliver today:
• Add more bandwidth to the network
• Prioritize network traffic at the edges of the network
• Guarantee QoS by enforcing a set of policies that are based on business priorities (policy-based network management) throughout the network
Of these, only policy-based network management provides a comprehensive QoS solution by:
• Using policies to determine the level of service that applications or customers need
• Prioritizing network requests
• Guaranteeing levels of service
How Does Check Point Deliver QoS
Check Point QoS (previously called FloodGate-1), a policy-based QoS management solution from Check Point Software Technologies Ltd., satisfies your needs for a bandwidth management solution. Check Point QoS is a unique, software-only based application that manages traffic end-to-end across networks, by distributing enforcement throughout network hardware and software.
Check Point QoS enables you to prioritize business-critical traffic, such as ERP, database and Web services traffic, over less time-critical traffic. Check Point QoS allows you to guarantee bandwidth and control latency for streaming applications, such as Voice over IP (VoIP) and video conferencing. With highly granular controls, Check Point QoS also enables guaranteed or priority access to specific employees, even if they are remotely accessing network resources through a VPN tunnel. Check Point QoS is deployed with VPN-1® Pro. These integrated solutions provide QoS for both VPN and unencrypted traffic to maximize the benefit of a secure, reliable, low-cost VPN network.
Figure 1-1 Check Point QoS Deployment
Check Point QoS leverages the industry's most advanced traffic inspection and bandwidth control technologies. Check Point-patented Stateful Inspection technology captures and dynamically updates detailed state information on all network traffic. This state information is used to classify traffic by service or application. After a packet has been classified, Check Point QoS applies QoS to the packet by means of an innovative, hierarchical, Weighted Fair Queuing (WFQ) algorithm to precisely control bandwidth allocation.
Features and Benefits
Check Point QoS provides the following features and benefits:
• Flexible QoS policies with weights, limits and guarantees: Check Point QoS enables you to develop basic policies specific to your requirements. These basic policies can be modified at any time to incorporate any of the Advanced Check Point QoS features described in this section.
• Integration with VPN-1 Power or VPN-1 Net: Optimize network performance for VPN and unencrypted traffic. The integration of an organization’s security and bandwidth management policies enables easier policy definition and system configuration.
• Performance analysis through SmartView Tracker: monitor the performance of your system by means of log entries recorded in SmartView Tracker.
• Integrated DiffServ support: add one or more DiffServ Classes of Service to the QoS Policy Rule Base.
• Integrated Low Latency Queuing: define special classes of service for “delay sensitive” applications like voice and video to the QoS Policy Rule Base.
• Integrated Authenticated QoS: provide QoS for end-users in dynamic IP environments, such as remote access and DHCP environments.
• Integrated Citrix MetaFrame support: deliver a QoS solution for the Citrix ICA protocol.
• No need to deploy separate VPN, Firewall and QoS devices: Check Point QoS and VPN-1 Power share a similar architecture and many core technology components, therefore users can utilize the same user-defined network objects in both solutions.
• Proactive management of network costs: Check Point QoS’s monitoring systems enable you to be proactive in managing your network and thus controlling network costs.
• Support for end-to-end QoS for IP networks: Check Point QoS offers complete support for end-to-end QoS for IP networks by distributing enforcement throughout network hardware and software.
Traditional Check Point QoS vs Check Point QoS Express
Both Traditional and Express modes of Check Point QoS are included in every product installation. Express mode enables you to define basic policies quickly and easily and thus “get up and running” without delay. Traditional mode incorporates the more advanced features of Check Point QoS.
You can specify whether you choose Traditional over Express or vice versa, each time you install a new policy.
Table 1-1 shows a comparative table of the features of the Traditional and Express modes of Check Point QoS.
Table 1-1 Check Point QoS Traditional Features vs Check Point QoS Express Features
Feature / Check Point QoS Traditional / Check Point QoS Express / Find out more
Support of platforms and …
LLQ (controlling packet delay in Check Point QoS)
Workflow
The following workflow shows both the basic and advanced steps that the System Administrator may follow in the installation, setup and operational procedures of Check Point QoS:
Figure 1-2 Workflow Steps
1 Verify that Check Point QoS is installed on top of VPN-1 Pro or VPN-1 Net.
2 Start SmartDashboard. See “Step 2: Starting SmartDashboard” on page 57.
3 Define the Global Properties of Check Point QoS. See “Defining QoS Global Properties” on page 112.
4 Define the Check Point Gateway’s Network Objects. See the SmartCenter Administration Guide.
5 Set up the basic rules and sub-rules governing the allocation of QoS flows on the network. See “Editing QoS Rule Bases” on page 118. After the basic rules have been defined, you may modify these rules to add any of the more advanced features described in step 8.
6 Implement the Rule Base. See “Implementing the Rule Base” on page 51.
7 Enable log collection and monitor the system. See “Enabling Log Collection” on page 165.
8 Modify the rules defined in step 4 by adding any of the following advanced features:
• DiffServ Markings. See “Working with Differentiated Services (DiffServ)” on page 144.
• Define Low Latency Queuing. See “Working with Low Latency Classes” on page 150.
Chapter 2
Introduction to Check Point QoS
In This Chapter
Check Point QoS’s Innovative Technology page 30
Interaction with VPN-1 Pro and VPN-1 Net page 39
Check Point QoS’s Innovative Technology
FloodGate-1 is a bandwidth management solution for Internet and Intranet gateways that enables network administrators to set bandwidth policies to solve or alleviate network problems like bandwidth congestion at network access points. The overall mix of traffic is dynamically controlled by managing bandwidth usage for entire classes of traffic, as well as individual connections. FloodGate-1 controls both inbound and outbound traffic flows.
Network traffic can be classified by Internet service, source or destination IP address, Internet resource (for example, specific URL designators), user or traffic direction (inbound or outbound). A Check Point QoS Policy consists of rules that specify the weights, limits and guarantees that are applied to the different
FloodGate-1 is completely transparent to both users and applications.
FloodGate-1 implements four innovative technologies:
• Stateful Inspection: FloodGate-1 incorporates Check Point’s patented Stateful Inspection technology to derive complete state and context information for all network traffic.
• Intelligent Queuing Engine: The traffic information derived by the Stateful Inspection technology is used by FloodGate-1’s Intelligent Queuing Engine (IQ Engine™) to accurately classify traffic and place it in the proper transmission queue. The network traffic is then scheduled for transmission based on the QoS Policy. The IQ Engine includes an enhanced, hierarchical Weighted Fair Queuing (WFQ) algorithm to precisely control the allocation of available bandwidth and ensure efficient line utilization.
• WFRED (Weighted Flow Random Early Drop): FloodGate-1 makes use of WFRED, a mechanism for managing packet buffers that is transparent to the user and requires no pre-configuration.
• RDED (Retransmission Detection Early Drop): FloodGate-1 makes use of RDED, a mechanism for reducing the number of retransmits and retransmit storms. This Check Point mechanism drastically reduces retransmit counts, greatly improving the efficiency of the enterprise’s existing lines. The increased bandwidth that FloodGate-1 makes available to important applications comes at the expense of less important (or completely unimportant) applications. As a result, purchasing more bandwidth can be significantly delayed.
Technology Overview
applications). Cumulative data from the communication and application states, network configuration and bandwidth allocation rules are used to classify communications.
Stateful Inspection enables FloodGate-1 to parse URLs and set priority levels based on file types. For example, FloodGate-1 can identify HTTP file downloads with *.exe or *.zip extensions and allocate bandwidth accordingly.
Intelligent Queuing Engine
FloodGate-1 uses an enhanced WFQ algorithm to manage bandwidth allocation. A FloodGate-1 packet scheduler moves packets through a dynamically changing scheduling tree at different rates in accordance with the QoS Policy. High priority packets move through the scheduling tree more quickly than low priority packets. Check Point QoS leverages TCP’s throttling mechanism to automatically adjust bandwidth consumption per individual connection or class of traffic. Traffic bursts are delayed and smoothed by FloodGate-1’s packet scheduler, holding back the traffic and forcing the application to fit the traffic to the QoS Policy. By intelligently delaying traffic, the IQ Engine effectively controls the bandwidth of all IP traffic.
The preemptive IQ Engine responds immediately to changing traffic conditions and differences in the weighted priorities (for example 50:1). In addition, since packets are always available for immediate transmission, the IQ Engine provides precise bandwidth control for both inbound and outbound traffic, and ensures 100% bandwidth utilization during periods of congestion. In addition, in Traditional mode it uses per connection queuing to ensure that every connection receives its fair share of bandwidth.
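The split that a weighted, hierarchical scheduler of this kind converges to can be worked through numerically. The following is an added example, not Check Point's code: a constructed rule tree (names, weights, link speed and connection counts are all assumed) is divided by weight at each level, idle rules give their share to their active siblings, and each leaf rule's share is divided equally among its connections.

```python
"""Hierarchical weighted fair allocation of a line's bandwidth.

Added example, not Check Point code. It shows the steady-state split a
weighted, hierarchical scheduler of the kind described above converges to:
each node's bandwidth is divided among its active child rules by weight,
and a leaf rule's share is divided equally among its connections
(per-connection fairness). Rule names, weights, link speed and connection
counts are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Rule:
    name: str
    weight: int                                  # relative to sibling rules
    sub_rules: List["Rule"] = field(default_factory=list)
    connections: int = 0                         # active connections (leaf rules only)

    def active(self) -> bool:
        """Only a rule with traffic to send takes part in the split."""
        if self.sub_rules:
            return any(r.active() for r in self.sub_rules)
        return self.connections > 0


def allocate(rule: Rule, kbps: float,
             out: Optional[Dict[str, float]] = None) -> Dict[str, float]:
    """Return kbps per rule name.

    A node's share is split among its *active* children in proportion to
    their weights. Idle rules receive nothing, so their share is not wasted
    but flows to the active siblings (work-conserving WFQ).
    """
    out = {} if out is None else out
    out[rule.name] = kbps
    active = [r for r in rule.sub_rules if r.active()]
    total_weight = sum(r.weight for r in active)
    for child in rule.sub_rules:
        share = kbps * child.weight / total_weight if child.active() else 0.0
        allocate(child, share, out)
    return out


def per_connection(rule: Rule, shares: Dict[str, float]) -> Dict[str, float]:
    """kbps each connection under a leaf rule gets (equal split within the rule)."""
    result: Dict[str, float] = {}
    if rule.sub_rules:
        for child in rule.sub_rules:
            result.update(per_connection(child, shares))
    elif rule.connections:
        result[rule.name] = shares[rule.name] / rule.connections
    return result


def build_policy(web_connections: int = 5) -> Rule:
    """Constructed rule base: Web weighted 50:1 against Mail, and a Default
    rule split further between two departments by sub-rules."""
    return Rule("Line", 1, [
        Rule("Web", 50, connections=web_connections),
        Rule("Mail", 1, connections=2),
        Rule("Default", 10, [
            Rule("Engineering", 3, connections=4),
            Rule("Sales", 1, connections=1),
        ]),
    ])


def demo(link_kbps: float = 1000.0):
    """Two snapshots of a 1000 kbps line: all rules busy, then Web idle."""
    busy = allocate(build_policy(), link_kbps)
    idle_web = allocate(build_policy(web_connections=0), link_kbps)
    return busy, per_connection(build_policy(), busy), idle_web


if __name__ == "__main__":
    busy, per_conn, idle_web = demo()
    for name, kbps in busy.items():
        print(f"{name:<12} {kbps:8.2f} kbps")
    print("per connection:", {k: round(v, 2) for k, v in per_conn.items()})
    print("with Web idle:", {k: round(v, 2) for k, v in idle_web.items()})
```

With Web idle, its 50-weight share is not reserved but redistributed, so Mail rises from about 16 kbps to about 91 kbps.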
WFRED (Weighted Flow Random Early Drop)
WFRED is a mechanism for managing the packet buffers of FloodGate-1. WFRED does not need any preconfiguration. It adjusts automatically and dynamically to the situation and is transparent to the user.
Because the connection of a LAN to the WAN creates a bottleneck, packets that arrive from the LAN are queued before being retransmitted to the WAN. When traffic in the LAN is very intense, queues may become full and packets may be dropped arbitrarily. Dropped packets may reduce the throughput of TCP connections, and the quality of streaming media.
WFRED prevents FloodGate-1’s buffers from being filled by sensing when traffic becomes intense and dropping packets selectively. The mechanism considers every connection separately, and drops packets according to the connection characteristics and overall state of the buffer.
Unlike mechanisms such as RED/WRED, which rely on the TOS byte in the IP header (which is seldom used), WFRED queries FloodGate-1 as to the priority of the connection, and then uses this information. WFRED protects “fragile” connections from more “aggressive” ones, whether they are TCP or UDP, and always leaves some buffer space for new connections to open.
RDED (Retransmit Detect Early Drop)
TCP exhibits extreme inefficiency under certain bandwidth and latency conditions. For example, the bottleneck that results from the connection of a LAN to the WAN causes TCP to retransmit packets. RDED prevents inefficiencies by detecting retransmits in TCP streams and preventing the transmission of redundant packets when multiple copies of a packet are concurrently queued on the same flow. The result is a dramatic reduction of retransmit counts and positive feedback retransmit loops. Implementing RDED requires the combination of intelligent queuing and full reconstruction of TCP streams, capabilities that exist together only in FloodGate-1.
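The two buffer mechanisms described in this section, WFRED and RDED, can be illustrated on one bounded queue. The following is an added example, not Check Point's implementation: a queue that drops a TCP segment whose byte range is already queued for the same flow (the RDED case) and, past a fill threshold, drops segments of a flow that already exceeds its priority-weighted share while keeping a reserve for new flows (the WFRED case). The random element of the real drop decision is replaced by a deterministic threshold, and the flow keys, priorities and traffic are constructed.

```python
"""Packet-buffer management with retransmit detection and weighted early drop.

Added example, not Check Point code. It models, in one bounded queue, the two
buffer mechanisms described above:
  * RDED: a TCP segment whose byte range is already queued for the same flow
    is redundant and is dropped instead of being sent twice;
  * WFRED: once the buffer passes a fill threshold, a flow that already holds
    more than its priority-weighted share is dropped first, and a reserve is
    kept so that new flows can still get in.
The random element of the real drop decision is replaced by a deterministic
threshold here. Flow keys, priorities, sizes and the sample traffic are
constructed.
"""
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Tuple

FlowKey = Tuple[str, int, str, int]          # (src, sport, dst, dport)


@dataclass(frozen=True)
class Segment:
    flow: FlowKey
    seq: int          # sequence number of the first payload byte
    length: int       # payload bytes

    @property
    def end(self) -> int:
        return self.seq + self.length


class Buffer:
    def __init__(self, capacity: int, priorities: Dict[FlowKey, int],
                 threshold: float = 0.5, new_flow_reserve: int = 2) -> None:
        self.capacity = capacity
        self.priorities = priorities        # flow -> weight taken from the QoS policy
        self.threshold = threshold          # fill level at which early drop starts
        self.reserve = new_flow_reserve     # slots held back for flows not yet buffered
        self.queue: Deque[Segment] = deque()
        self.stats = {"queued": 0, "redundant": 0, "early_drop": 0, "full": 0}

    def _queued_for(self, flow: FlowKey) -> List[Segment]:
        return [s for s in self.queue if s.flow == flow]

    def _redundant(self, seg: Segment) -> bool:
        """RDED: a copy already in the queue covers this segment's byte range."""
        return any(q.seq <= seg.seq and seg.end <= q.end
                   for q in self._queued_for(seg.flow))

    def _over_share(self, seg: Segment) -> bool:
        """WFRED: does this flow already hold more than its weighted share
        of the usable buffer (capacity minus the new-flow reserve)?"""
        flows = {s.flow for s in self.queue} | {seg.flow}
        total_weight = sum(self.priorities.get(f, 1) for f in flows)
        share = (self.capacity - self.reserve) * self.priorities.get(seg.flow, 1) / total_weight
        return len(self._queued_for(seg.flow)) >= share

    def enqueue(self, seg: Segment) -> str:
        """Admit or drop a segment; returns the decision and updates stats."""
        if self._redundant(seg):
            self.stats["redundant"] += 1
            return "redundant"
        fill = len(self.queue)
        new_flow = not self._queued_for(seg.flow)
        # Flows already buffered may not consume the reserve kept for new ones.
        if fill >= self.capacity or (not new_flow and fill >= self.capacity - self.reserve):
            self.stats["full"] += 1
            return "full"
        if not new_flow and fill >= self.capacity * self.threshold and self._over_share(seg):
            self.stats["early_drop"] += 1
            return "early_drop"
        self.queue.append(seg)
        self.stats["queued"] += 1
        return "queued"

    def dequeue(self) -> Segment:
        """Transmit the oldest queued segment."""
        return self.queue.popleft()


def demo() -> Tuple[List[str], Dict[str, int]]:
    """Constructed traffic: a retransmit while the original is still queued,
    a low-priority bulk flow hogging the buffer, a late new flow, and a genuine
    retransmit after the original has left the queue."""
    web = ("10.0.0.5", 40000, "203.0.113.10", 80)     # priority 4
    bulk = ("10.0.0.7", 40001, "203.0.113.20", 21)    # priority 1
    late = ("10.0.0.9", 40002, "203.0.113.30", 443)   # priority 2
    buf = Buffer(capacity=10, priorities={web: 4, bulk: 1, late: 2})
    results = [buf.enqueue(Segment(web, 0, 100)),     # queued
               buf.enqueue(Segment(web, 0, 100))]     # redundant: copy still queued
    for i in range(4):                                 # bulk fills 4 slots
        results.append(buf.enqueue(Segment(bulk, i * 100, 100)))
    results.append(buf.enqueue(Segment(bulk, 400, 100)))  # early_drop: over its share
    results.append(buf.enqueue(Segment(web, 100, 100)))   # queued: under its share
    results.append(buf.enqueue(Segment(late, 0, 100)))    # queued: reserve lets new flow in
    buf.dequeue()                                         # web seq 0 is transmitted
    results.append(buf.enqueue(Segment(web, 0, 100)))     # queued: no copy left, real retransmit
    return results, buf.stats
```

The last enqueue shows the "concurrently queued" condition: the same segment that was redundant while its original sat in the buffer is accepted once that original has been transmitted.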
Check Point QoS Architecture
Basic Architecture
rule-matching infrastructure to examine a packet. Logging information is provided using the Firewall kernel API.
QoS Module
The major role of the QoS module is to implement a QoS policy at network access points and control the flow of inbound and outbound traffic. It includes two main parts:
• QoS kernel driver
• QoS daemon
QoS Kernel Driver
The kernel driver is the heart of QoS operations. It is in the kernel driver that IP packets are examined, queued, scheduled and released, enabling QoS traffic control abilities. Utilizing Firewall kernel module services, QoS functionality is a part of the cookie chain, a Check Point infrastructure mechanism that allows modules to operate on each packet as it travels from the link layer (the machine network card driver) to the network layer (its IP stack), or vice versa.
QoS Daemon (fgd50)
The QoS daemon is a user mode process used to perform tasks that are difficult for the kernel. It currently performs 2 tasks for the kernel (using Traps):
• Resolving DNS for the kernel (used for Rule Base matching).
• Resolving Authenticated Data for an IP (using UserAuthority - again for Rule Base matching).
• In CPLS configuration, the daemon updates the kernel of any change in the cluster status. For example, if a cluster member goes down, the daemon recalculates the relative loads of the modules and updates the kernel.
QoS SmartCenter Server
The QoS SmartCenter Server is an add-on to the SmartCenter Server (fwm). The SmartCenter Server, which is controlled by Check Point SmartConsole clients, provides general services to Check Point QoS and is capable of issuing QoS functions by running QoS command line utilities. It is used to configure the bandwidth policy and control QoS modules. A single SmartCenter Server can control multiple QoS modules running either on the same machine as the SmartCenter Server or on remote machines. The SmartCenter Server also manages the Check Point Log Repository and acts as a log server for the SmartView Tracker. The SmartCenter server is a user mode process that communicates with the module using CPD.
QoS SmartConsole
The main SmartConsole application is Check Point SmartDashboard. By creating "bandwidth rules" the SmartDashboard allows system administrators to define a network QoS policy to be enforced by Check Point QoS.
Other SmartConsole clients are the SmartView Tracker, a log entries browser, and SmartView Status, which displays status information about active QoS modules and their policies.
Figure 2-1 Basic Architecture - Check Point QoS Components
Check Point QoS in SmartDashboard
Check Point SmartDashboard is used to create and modify the QoS Policy and define the network objects and services. If both VPN-1 Pro and Check Point QoS are licensed, they each have a tab in SmartDashboard.
Figure 2-2 QoS Rules in SmartDashboard
The QoS Policy rules are displayed in both the SmartDashboard Rule Base, on the right side of the window, and the QoS tree, on the left (see Figure 2-2).
Check Point QoS Configuration
The SmartCenter Server and the QoS Module can be installed on the same machine or on two different machines. When they are installed on different machines, the configuration is known as distributed (see Figure 2-3).
Figure 2-3 Distributed FloodGate-1 Configuration
Figure 2-3 shows a distributed configuration, in which one SmartCenter Server (consisting of a SmartCenter Server and a SmartConsole) controls four QoS Modules, which in turn manage bandwidth allocation on three FloodGated lines.
A single SmartCenter Server can control and monitor multiple QoS Modules. The QoS Module operates independently of the SmartCenter Server. QoS Modules can operate on additional Internet gateways and interdepartmental gateways.
Client/Server Interaction
The SmartConsole and the SmartCenter Server can be installed on the same machine or on two different machines. When they are installed on two different machines, FloodGate-1 implements the Client/Server model, in which a SmartConsole controls a SmartCenter Server running on another workstation.
Figure 2-4 QoS Client/Server Configuration
In the configuration depicted in Figure 2-4, the functionality of the SmartCenter Server is divided between two workstations (Tower and Bridge). The SmartCenter Server, including the database, is on Tower. The SmartConsole is on Bridge. The user, working on Bridge, maintains the QoS Policy and database, which reside on Tower. The QoS Module on London enforces the QoS Policy on the FloodGated line.
The SmartCenter Server is started with the cpstart command, and must be running if you wish to use the SmartConsole on one of the client machines.
A SmartConsole can manage the Server (that is, run the SmartConsole to communicate with a SmartCenter Server) only if both the administrator running the SmartConsole and the machine on which the SmartConsole is running have been authorized to access the SmartCenter Server.
In practice, this means that the following conditions must be met:
• The machine on which the Client is running is listed in the
Interaction with VPN-1 Pro and VPN-1 Net
In This Section
Interoperability
FloodGate-1 must be installed together with VPN-1 Power or VPN-1 Net on the same system. FloodGate-1 is installed on top of a VPN-1 Power or VPN-1 Net. Because FloodGate-1 and VPN-1 Power or VPN-1 Net share a similar architecture and many core technology components, users can utilize the same user-defined network objects in both solutions. This integration of an organization’s security and bandwidth management policies enables easier policy definition and system configuration. Both products can also share state table information, which provides efficient traffic inspection and enhanced product performance. FloodGate-1’s tight integration with VPN-1 Power or VPN-1 Net provides the unique ability to enable users that deploy the solutions in tandem to define bandwidth allocation rules for encrypted and network-address-translated traffic.
SmartCenter Server
If FloodGate-1 is installed on a machine on which VPN-1 Power or VPN-1 Net is also installed, FloodGate-1 uses the VPN-1 Power or VPN-1 Net SmartCenter Server and shares the same objects database (network objects, services and resources) with VPN-1 Power or VPN-1 Net. Some types of objects have properties which are product specific. For example, a VPN-1 Power has encryption properties which are not relevant to FloodGate-1, and a FloodGate-1 network interface has speed properties which are not relevant to VPN-1 Power.