Cisco CS-MARS-20-K9 - Security MARS 20 User Manual page 151

Chapter 4
Configuring Firewall Devices
Table 4-1 Check Point Abbreviations and Acronyms

| Abbreviation | Expansion | Additional Information |
|---|---|---|
| SSLCA | Secure Sockets Layer Certificate Authority, using a symmetric key cipher (protocol) | |
| SIC | Secure Internal Communication | |
| SIC DN | SIC Distinguished Name | |
| VIPs | Virtual IP Addresses | Usually used in a Provider-1/SiteManager-1 deployment to assign unique IP addresses for CMA instances. |
| VPN-1 | Check Point VPN-1 Pro and Edge | VPN-1 Pro is the Check Point enforcement gateway that does the inspection, firewalling, VPN encryption and QoS tagging. VPN-1 Edge is treated as a normal enforcement point. |

To understand what MARS supports, we must first clarify the product terminology used by Check Point. NG refers to the 5.x product family, and it included three feature packs: FP1, FP2, and FP3. NG is different from NG AI in that NG AI improved upon, and renamed, the SmartDefense feature set that was introduced in NG FP2. NG AI also provides a larger number of application-aware inspections; hence the name Application Intelligence. NG AI included releases R54 and R55. NGX refers to the 6.x product family and began with the R60 release.

MARS supports and has been tested with the following releases:

NG FP3
NG AI (R55)
NGX (R60)

The different security platforms, Provider-1, SiteManager-1, SmartCenter, and SmartCenter Pro, are bundles of the technologies released under the NG, NG AI, and NGX release trains. From this perspective, MARS works with any of the security platforms as long as it belongs to one of the supported release trains.

Check Point Provider-1 is a security management system for managed security service providers (MSSPs) and multi-site enterprises. Service providers are able to manage the Check Point gateways (firewall and VPN gateways) on their customer sites. The security policies and the system configurations are stored on the MDS. Each per-customer security policy is managed through a CMA, which also resides on the MDS. The Provider-1 system allows the service provider and the end customers to maintain separate log servers, using the MLM and CLM, respectively. The user interface for Provider-1 is called the MDG. This system also supports a tiered fault-tolerant configuration via redundancy at the gateway, CMA, or MDS level.

The Provider-1 system ensures secure and private communication between its components and Check Point gateways. Each CMA has its own internal certificate authority that issues certificates for secure communication between the CMA, log servers, and its own network. All communication between MDSs is authenticated and secured, and every MDS communicates securely with the CMAs that it houses.

The SiteManager-1 system operates much the same as Provider-1; however, it is targeted toward large enterprise customers. The Check Point components are the same as those found in Provider-1.

78-17020-01
User Guide for Cisco Security MARS Local Controller
Check Point Devices
4-23
