Management Model Comparison

The following table summarizes the capabilities and differences between the two management models. The capacity figures shown for Multi-Domain Server represent estimated, practical limits that will sustain acceptable performance levels under normal conditions. Actual performance is dependent on many factors, including deployed hardware, network topology, traffic load and security requirements.

| Feature | Security Management Server | Multi-Domain Server (Practical Limit) |
|---|---|---|
| Management Domains | 1 | 250 |
| Concurrent Administrators | 1 | 250 |
| Object Databases | 1 | 250 |
| Policies | 250 | 250 |
| Certificate Authorities | 1 | 250 |
| Virtual Systems | 25 (recommended) | 250 |

Management Server Communication - SIC

All communication between the Management Server and the VSX Gateway is accomplished by means of Secure Internal Communication (SIC), a certificate-based channel that authenticates communication between Check Point components. The Management Server uses SIC for provisioning Virtual Devices, policy installation, logging, and status monitoring.

SIC trust is initially established using a one-time password during configuration of the VSX Gateway or VSX Cluster Members. For Multi-Domain Security Management deployments, SIC trust is established between the Domain Management Server associated with the VSX Gateway or VSX Cluster (Main Domain Management Server).

The Virtual Devices establish trust in a different manner than their physical counterparts. When creating a Virtual Device, VSX automatically establishes SIC trust using the secure communication channel defined between the Management Server and the VSX Gateway. The VSX Gateway uses its management interface for Secure Internal Communication between the Management Server and all Virtual Devices.