Overview of Infinity Next

Introduction

Infinity Next protects and controls access to and from assets.

  • Infinity Next is a Check Point Gen VI security framework that protects modern digital blueprints. It adopts a straightforward approach that puts the digital asset you want to protect at its center.

  • Infinity Next obtains inventory of assets and their attributes from various sources, and allows Security Teams and DevOps to apply applicable security practices, such as:

    • Access Control

    • Threat Prevention

    • Web Application and API Protection

    • IoT Protection

Infinity Next security covers more than fifty families of assets across Cloud, Network, Endpoint, Mobile, and IoT.

The Three Primary Layers of the Infinity Next Platform

  • Agents

  • Fog

  • Infinity Next Cloud and Management

Agents

Agents implement security monitoring and enforcement either with code developed by Check Point, or by controlling native capabilities of the environment. In addition, agents can include components developed by 3rd parties, or even be fully developed by them.

Examples:

  • A Check Point software code that runs as an NGINX module and provides AppSec (Web Application and API Protection). This is called an "NGINX Embedded Nano-Agent".

  • A Check Point Virtual Machine that runs in the Public or Private Cloud and provides multiple security practices. This is called an "Infinity Next Gateway Dedicated Agent".

  • A Check Point software code that runs inside Nvidia SmartNIC to provide Access Control for servers. This is called a "SmartNic Embedded Nano-Agent".

  • A Check Point Nano-Agent that runs as Kubernetes Ingress and provides Web API Protection and Threat Prevention. This is called a "Kubernetes Ingress Embedded Nano-Agent".

  • A Nano-Agent that runs on a Smart Thermostat and provides Run-Time IoT Workload Protection and Virtual Patching. This is called an "IoT Embedded Nano-Agent".

Nano-Agents of all types update themselves automatically. Manual updates are possible but, as a best practice, we do not recommend this method. Automatic updates make sure that the Nano-Agents have the latest security updates.

Efficient deployment of an Embedded Nano-Agent starts with a "Nano-Egg", which is a very small piece of code (less than 100 KB). The Nano-Egg then connects to its master.

Note - The Nano-Egg master provides only the necessary software components.

Note - The size of a basic Embedded Nano-Agent is less than 10 MB.

Fog

"Fog" is a term from the Edge Computing paradigm. Fog is the master for all Nano-Agents. By default, Nano-Agents connect to the Check Point Public Fog hosted in the Cloud, which is highly-available and secure.

The Check Point Fog provides multiple services to Nano-Agents, such as:

  • Software updates

  • Setting and Policy updates

  • Real-Time Asset and Security Intelligence

  • Cross-Agent Machine Learning Functions

  • Channel for Event Logs and Telemetry (Fog sends this data for storage to the Infinity Next Cloud)

Note - By default, the Fog is transparent to users of Infinity Next technology.

Infinity Next Cloud and Management

Infinity Next Cloud is a highly available and secure public service that hosts the Infinity Next Management Web Portal and RESTful API Server. In addition, Infinity Next Fogs use Infinity Next.

Infinity Next is 100% API-ready for modern DevOps deployments. Infinity Next has a Web UI, which is asset-centric and shows the policies in human-readable terms that are understood by different audiences (such as DevOps, Security, Auditors, and Executives).

In This Release

Available Security Practices:

  1. AppSec (Secures against Web and API attacks)

    • Prevention of attacks in Web Application and API requests

    • Validation of Web API conformance to the OpenAPI schema (Swagger)

    • Protection against Web Bots

    • IPS Protections for 2800 Web CVEs

    The AppSec Security Practice uses Machine Learning. It requires almost zero configuration and has a very high accuracy rate.

  2. Access Control - Incoming and Outgoing access, and "Access by Zone"

    Layer 4 Access Control solution for Linux-based workloads - Public Cloud, Private Cloud, and IoT.

    You can configure policies with rules, or with an intuitive graphical diagram.

  3. IoT Workload Protection

    The IoT Protect Nano-Agent provides on-device run-time protection that enables connected devices with built-in firmware security. Based on Control Flow Integrity (CFI), the lightweight Check Point IoT Protect Nano-Agent protects against the most sophisticated device attacks, such as shell injections, memory corruption, control flow hijacking, and potential zero-day firmware vulnerabilities.

Infinity Next CloudGuard AppSec Practices

The Infinity Next CloudGuard AppSec solution secures an organization's web applications.

AppSec analyzes web transactions with a set of Artificial Intelligence engines that operate in unison to protect against sophisticated attacks.

Four Primary Components of CloudGuard AppSec

  • Web Application Protection (WAF)

  • API Security

  • Anti-Bot Protection

  • Intrusion Prevention

Web Application Protection: OWASP Top 10 and Advanced Attacks

The first component of AppSec, the WAF, executes a two-stage request analysis.

The first stage is very fast, and usually 95% of the requests are determined to be non-suspicious. The suspicious requests go to a second stage, in which the requests undergo a deeper analysis that uses three patent-pending AI engines (User Reputation Scoring, Application Awareness Scoring, and Indicator Scoring).

This three-score combination, with the addition of pattern learning, leads to very accurate decisions, with these benefits:

  1. A better false-positive rate than a traditional WAF, whose decisions are mainly based on matches to signatures.

  2. Blocks different attack scenarios that are not blocked with a signature-only approach.

  3. Reduction in administration time because it is not constantly necessary to tune the engine, create exceptions, disable signatures, and more.

API Security: Validate Schema and Prevent Attacks

Frequently, software developers do not include verification of API input in their code.

The AppSec API security component provides two protection models: positive and negative. Administrators can enable one of them, or both.

  • The positive model delivers preemptive protection for possible API vulnerabilities through a schema validation procedure.

    API schemas in OpenAPI (such as used in "Swagger") are uploaded to AppSec.

    Incoming API requests are validated against these schemas to block all invalid API requests.

  • The negative model uses the WAF and automatically detects and blocks malicious payloads in the API.
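
The positive model described above, shown as an added example (not Check Point code and not part of the original page): a minimal validator for a subset of OpenAPI schema keywords that blocks any request the schema does not describe. The `/v1/orders` operation, its fields, and the function names are hypothetical.

```python
import re

# Constructed OpenAPI-style fragment (hypothetical API); patterns use Python regex syntax.
SPEC = {
    ("POST", "/v1/orders"): {
        "type": "object",
        "required": ["sku", "quantity"],
        "additionalProperties": False,
        "properties": {
            "sku": {"type": "string", "pattern": r"^[A-Z0-9-]{4,16}\Z"},
            "quantity": {"type": "integer", "minimum": 1, "maximum": 100},
            "note": {"type": "string", "maxLength": 80},
        },
    }
}

TYPES = {"object": dict, "string": str, "integer": int}

def violations(value, schema, path="body"):
    """Return a list of schema violations for a subset of OpenAPI keywords."""
    expected = TYPES[schema["type"]]
    # bool is a subclass of int in Python; do not let True pass as an integer.
    if not isinstance(value, expected) or (expected is int and isinstance(value, bool)):
        return [f"{path}: expected {schema['type']}"]
    errs = []
    if expected is dict:
        props = schema.get("properties", {})
        errs += [f"{path}.{k}: missing required field" for k in schema.get("required", []) if k not in value]
        for key, item in value.items():
            if key in props:
                errs += violations(item, props[key], f"{path}.{key}")
            elif schema.get("additionalProperties") is False:
                errs.append(f"{path}.{key}: unexpected field")
    elif expected is str:
        if len(value) > schema.get("maxLength", len(value)):
            errs.append(f"{path}: longer than maxLength")
        if "pattern" in schema and not re.search(schema["pattern"], value):
            errs.append(f"{path}: does not match pattern")
    elif expected is int:
        if value < schema.get("minimum", value) or value > schema.get("maximum", value):
            errs.append(f"{path}: out of range")
    return errs

def decide(method, route, body):
    """Positive model: anything not described by the schema is blocked."""
    schema = SPEC.get((method, route))
    if schema is None:
        return "block", ["operation not in schema"]
    errs = violations(body, schema)
    return ("block" if errs else "allow"), errs
```

A free-form field such as `note` still accepts any text up to its length limit, which is the gap the negative model is meant to cover.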

Anti-Bot Protection: Distinguish Humans from Bots

The AppSec Anti-Bot protection component performs a three-step procedure:

  1. Inject scripts into web application pages, such as login pages.

  2. Collect data about input patterns and analyze keystroke sequences, mouse moves, and finger touches.

    Bots do not use such patterns. If a bot artificially creates such patterns, AppSec identifies them.

  3. Decide whether the input was entered by a human or by an automatic script (such as a bot), and block this activity.

Intrusion Prevention (IPS)

IPS provides traditional signature-based protections for over 2800 web-based CVEs (Common Vulnerabilities and Exposures).

Deploying Infinity Next CloudGuard AppSec

Infinity Next AppSec deployment options:

  1. Infinity Next Gateway - A Virtual Machine that runs Check Point Gaia Operating System with a Reverse Proxy and Check Point Nano-Agent.

    Available for:

    1. Amazon Web Services (AWS) - available in the AWS Marketplace

    2. Microsoft Azure - available in the Azure Marketplace

    3. Standalone Virtual Machine for VMware

  2. Infinity Next Container for Docker and Kubernetes environments.

  3. An Embedded Nano-Agent on top of any NGINX Web Server or NGINX Reverse Proxy.

  4. Roadmap: An Embedded Nano-Agent on top of Apache, Envoy, and other Web Servers, API Servers, and Reverse Proxies.

Infinity Next Access Control Practices

Access Control is the most basic Security Practice for any asset. With Infinity Next Access Control, it is possible to refer to an asset or group of assets by any attribute that describes them, rather than by only traditional keys such as IP addresses, Ports, Protocol, Applications, and others.

These practices are supported for Access Control:

Firewall Access Practice

Infinity Next Nano-Agents allow or block communication to and from a specific asset or a dynamic group of assets called Zones.

Example: