Check Point 20420 DDoS Protector Appliance
Stop Denial of Service attacks in seconds with customized, multilayered protection that blocks a wide range of attacks.
In today's threat landscape, “Denial of Service (DoS)” attacks are increasing in number, speed and complexity. Denial of Service and Distributed Denial of Service (DDoS) attacks are relatively easy to carry out, and can cause serious damage to companies who rely on web services to operate. Multiple (more than 50) DDoS attack “toolkits” are readily available on the Internet, and an increasing number of attacks are initiated in over 230 countries. DDoS attacks are often profit-driven: in 2011, cyber criminals earned a whopping $12.5 billion dollars. 2012 shows an alarming surge of DDoS threats to the financial services industry. However hacktivisim and political motivations are fast becoming the most popular forum to launch Denial of Service attacks. Anonymous successfully spearheaded numerous attack campaigns against individuals, organizations, governments and countries in retaliation for actions or statements they didn't agree with.
Many DDoS solutions are deployed by an Internet Service Provider, offering generic protections against network layer attacks. However today's DDoS attacks have become more sophisticated, launching multiple attacks at networks and applications. Successful DDoS solutions will offer companies the ability to customize their protections to meet changing security needs, fast response time during an attack, and a choice of deployment options.
Check Point's new DDoS Protector keeps businesses running with multi-layered, customizable protections and 12Gbps performance that automatically defends against network flood and application layer attacks for fast response time against today's sophisticated denial of service attacks. DDoS Protector appliances offer flexible deployment options to easily protect any size business, and integrated security management for real-time traffic analysis and threat management intelligence for advanced protection against DDoS attacks. Check Point also provides dedicated 24/7 support and resources to ensure up-to-the-minute protections.
- Protects against known and unknown DDoS attacks
- Defends against both network and application attacks
- Flexible filter engines detect and prevent malicious exploits
- Protects against HTTP attacks
- Protects against bandwidth flood attacks
- Fast, customized signature creation keeps businesses running
- Protection against evolving DDoS attacks to minimize business impacts
- Advanced techniques help maintain web services during an attack
- Turn-key appliance works right out of the box
- Integrated with Check Point security management for greater visibility and control
- High-performing DDoS solution with 14Gbps capacity and 12Gpbs throughput
- Multi-layered protection blocks multiple attack types
- Customized protections fit different business sizes and security needs
- Flexible deployment options include on-site installation or through your ISP
Network and Traffic Flood Protections
Protection against DDoS attacks aimed at networks using:
- Behavioral DoS-Protects against TCP, UDP, ICMP, IGMP and Fragment DDoS attacks with adaptive behavioral based detection.
- DoS Shield-Protects against known DDoS attack tools with pre-defined an customized filters to block rate-limits per pattern.
- Syn Protection-Blocks SYN-spoofed DoS with SYN rate thresholds per protected servers.
- Black List-Blocks generic attacks with L3 and L4 sourcedestination classifications and expiration rules.
- Connection Rate Limit-Blocks generic, non-supported protocols (non DNS, HTTP) and application level flood attacks with rate-based thresholds.
Application Based Dos/Ddos Protections
Protects against more complex DDoS attacks that misuse application resources with:
- SYN Protection with Web Challenge-Protects against HTTP connection-based DoS attacks with SYN rate threshold per protected server.
- Behavioral DNS Protections-Block DNS query DoS attacks with DNS adaptive behavioral based detection using DNS footprint blocking rate limits and DNS challenge and response.
- Behavioral HTTP Protections (The “HTTP Mitigator”)-Blocks HTTP connection-based DoS attacks and upstream HTTP bandwidth attacks with server-based HTTP adaptive behavioral detection, HTTP footprint with web challenge response, 302 redirect and JS challenge actions.
Directed Application Dos/DDoS Protections
Repels Dos and DDoS attacks that require special filtering criteria. Flexible filtering definitions search for specific content patterns in each packet. Enables the ability to analyze and block ongoing attacks by defining on-the-fly protections.
DDoS Appliances are integrated with Check Point Security Management, including:
Unified security event and analysis solution that delivers real-time threat management information to instantly stop threats and block attacks with on-the-fly protections. Move from business view to forensics in just three clicks.
Advanced log analyzer that delivers proactive security intelligence with split-second search results from any log field for instant visibility into billions of log records over multiple time periods and domains.
Comprehensive auditing solution to troubleshoot system and security issues, gather information for legal or audit purposes, and generate reports to analyze network traffic patterns. In the case of an attack or other suspicious network activity, use SmartView Tracker to temporarily or permanently terminate connections from specific IP addresses.
SNMP V1, 2C and 3, Log File, Syslog, Email
SNMP, V1, 2C, 3, HTTP, HTTPS, SSH, Telnet, SOAP, API, Console (user selectable).
Based on Network Time Protocol (NTP).
Export Real-Time Signature Information
Northbound XML interface exports behavioral parameters.
|Max Concurrent Sessions||2,000,000||4,000,000||6,000,000|
|Max DDoS Flood Attack Prevention Rate (pps)||1,000,000||10,000,000||25,000,000|
|Latency||< 60 microseconds|
|Real Time Signatures||Detect and protect in less than 18 seconds|
|10/100/1000 Copper Ethernet||4||4||4||8||8||8||-||-||-||-|
|Gigabit Ethernet (SFP)||2||2||2||4||4||4||-||-||-||-|
|10 Gigabit Ethernet (XFP)||-||-||-||4||4||4||-||-||-||-|
|1 / 10 Gigabit Ethernet (SFP+)||-||-||-||-||-||-||20||20||20||20|
|40 Gigabit Ethernet (QSFP+)||-||-||-||-||-||-||4||4||4||4|
|10/100/1000 Copper Ethernet||2||2||2||2||2||2||2||2||2||2|
|Network Operation||Transparent L2 Forwarding|
|Deployment Modes||In-line; SPAN Port Monitoring; Copy Port Monitoring; local out-of-path; Out-of-path mitigation (scrubbing center solution)|
|Tunneling Protocol Support||VLAN Tagging, L2TP, MPLS, GRE, GTP|
|IPv6||Support IPv6 networks and block IPv6 attacks|
|Policy Action||Block & Report, Report Only|
|Block Actions||Drop packet, reset (source, destination, both), suspend (source, src port, destination, dest port or any combination), Challenge-Response for HTTP and DNS attacks|
|Fail-open/fail-close||Internal fail-open/fail-close for copper ports; internal fail-close for SFP ports; optional fail-open for SFP ports 4||Internal fail-open/fail-close for copper ports; internal fail-close for SFP and XFP ports; optional fail-open for SFP and XFP ports 5||internal fail-close for SFP+ and QSFP+ ports; optional fail-open for SFP+ and QSFP+ ports 5|
|Dual Power Supply||Optional||Yes - Hot Swappable|
|Advanced internal overload mechanism||Yes|
(Dual PS option 147W)
|Heat Dissipation||604 BTU/h,
(Dual PS option 501 BTU/h)
|1623 BTU/h||2162 BTU/h|
|Auto-Ranging||100V-120V/200V-240V AC 47-63Hz or -38 to -72VDC|
|Dimensions (WxDxH)||424mm x 457mm x 44mm||424mm x 600mm x 88mm||426mm x 537mm x 88mm|
|Weight||15.9 lb / 7.2 kg,
(Dual PS option 19.2 lb / 8.7 kg)
|39.0 lb / 18.0 kg||33.2 lb / 15.1 kg|
|Operating Temperature||5 - 55 C|
|Humidity (non-condensing)||5% to 95%|
|Safety Certifications||EN 60950-1:2006, CB - IEC 60950-1, cTUVus||EN, UL, CSA, IEC #60950-1||EN 60950-1:2006, CB -
IEC 60950-1, CCC, cTUVus
|EMC||EN 55022, EN 55024, FCC Part 15B Class A||EN 55022, EN 55024, FCC Part 15B Class A||EN 55022, EN 55024,
EN 61000-3-2, EN 61000-3-3
|Other Certifications||CE, FCC, VCCI, CB, TUV, UL/cUL, CCC, C-Tick, RoHS||CE, FCC, VCCI, CB, TUV, UL/cUL, CCC, C-Tick, RoHS||IEC 61000 4-2 to 4-6 ,
4-8 & IEC 61000-4-11,
FCC Part 15B
Class A, ICES-003, VCCI,
C-Tick RoHS 6 Compliant
|1 Actual performance figures may change per network configuration, traffic type, etc.
2 Capacity is measured as maximum traffic forwarding when no security profiles are configured.
3 Throughput is measured with behavioral IPS protections and signature IPS protections using eCommerce protection profile.
4 External fiber fail-open switch with SFP ports is available at additional cost.
5 External fiber fail-open switches with SFP, XFP SFP+ or QSFP+ ports are available at additional cost.
Download the Check Point DDoS Protector Appliances Datasheet (PDF).
- All Prices are Inclusive of GST
- Pricing and product availability subject to change without notice.