CloudGuard Network Security Architectures PDF
Summary
This document provides an overview of CloudGuard Network Security, a cloud security solution that extends on-premises security to the cloud. It covers different deployment options and components like SmartConsole, Security Management Server, and Security Gateway. This document is likely part of a training course on cloud security and network architecture.
Full Transcript
Check Point CloudGuard offers fully automated, comprehensive, and prevention-first cloud security to reduce overall risk across the entire cloud environment. This module provides an overview of all products in the CloudGuard solution. It then provides a more detailed look at the CloudGuard Network Security solution, which is the focus of this course.

The Check Point CloudGuard platform includes a portfolio of products to meet your cloud security needs, as listed on this slide. This course focuses on CloudGuard Network Security. A brief description of each product is included in the Student Guide. The next slide shows the Check Point web page where there is more information about these solutions.

Note to instructor: Mention that CloudGuard WAF and the Check Point Firewall (Quantum Firewall or Security Gateway) are different solutions. The Quantum Firewall is discussed later in this module.

Note to instructor: This course uses the product terminology from the following site: https://www.checkpoint.com/products/

CloudGuard Network Security extends On-Premises security to the cloud with consistent policies across public, private, and hybrid clouds. Many popular cloud platforms, such as those listed on this slide, are supported by CloudGuard Network Security.

CloudGuard Network Security is built on the Check Point Three-Tier Architecture, which includes:
SmartConsole
Security Management Server
Security Gateway
Each component has its own specific responsibilities, as explained in the Student Guide.

Note to instructor: Optionally, hide the detail slides for SmartConsole, the Security Management Server, and Security Gateway.

The first component of the Three-Tier Architecture is SmartConsole. SmartConsole provides a graphical interface to manage the objects that represent network elements, servers, and Security Gateways. These objects are used throughout SmartConsole for many tasks, including policy management.
Like an On-Premises security environment, the CloudGuard Network Security Gateway requires a Security Management Server to function correctly and to enforce CloudGuard Network Security Policies (rules). The Security Management Server is a dedicated server that runs Check Point software. Its software is installed on a server running the Check Point Gaia proprietary operating system. Gaia combines the best functionality of the legacy Check Point IP Series (IPSO) and SecurePlatform (SPLAT) operating systems.

CloudGuard Controller
The CloudGuard Controller is a sub-component of the Security Management Server. It maintains visibility of protected cloud environments to carry out automation and adaptive security. It also dynamically identifies cloud resources created within a single cloud or a multi-cloud environment. The CloudGuard Controller dynamically learns about objects and attributes in data centers, such as changes in subnets, security groups, virtual machines, IP addresses, and tags. Using the vendor's APIs, the CloudGuard Controller connects to the cloud environment and regularly polls it for changes. Changes are automatically pushed to the Security Gateway.

CloudGuard Management Extension
CloudGuard Management Extension (CME) is a utility that allows integration between the Check Point Security Management Server, the CloudGuard Network solution, and Cloud Service Providers (CSPs).
There are many use cases for the CloudGuard Network Security solution. Some examples are included on this slide.

Note to instructor: Per Account Services, Elastic Software License is a term that describes a single license with multiple cores being used. The license is used dynamically to apply licenses to the instances. It is elastic in that it stretches to accommodate additional instances as needed. The utility is designed to always hand out a license to the Security Gateways as needed. Central license refers to the way the license itself is generated. For Security Gateways, a license can be generated as a Local license using both the Security Gateway’s IP and the Security Management Server’s IP, or it can be generated as a Central license. A Central license is generated using the Security Management Server’s IP only. For the vsec_lic_cli utility, the license must be generated as a Central license using the Security Management Server’s IP. The utility does not accept a license that is generated as a Local license.

Deploying CloudGuard Network Security Gateways involves a process that launches virtual machines quickly with limited oversight. This module examines the public cloud platform resources involved in CloudGuard Network deployments.

Architecting cloud environments is an adventure in navigating this constantly changing landscape to achieve the most secure, stable, and efficient results. Architects must understand the basic components they are using to build these environments. Cloud components have specific names. Architects should understand and use these names to avoid confusion when seeking support.

Note to instructor: This slide lists the basic components. Optionally, hide the two slides with the tables that provide details.

Note to instructor: Optionally, hide this slide.

Note to instructor: Optionally, hide this slide.
This section reviews common deployment architectures for CloudGuard Network Security. These architectures range in complexity and include:
Single Gateway architecture
Mesh architecture (Peering)
Hub and Spoke architecture
Cluster architecture

The simplest deployment is the single Security Gateway. A single gateway deployment routes all traffic into, out of, and throughout the environment through the same Security Gateway.

Deployment tools include:
CSP Portal - The CSP Portal is the primary resource used for any deployment. It provides access to create, view, and manage CloudGuard Network Security resources through a graphical interface.
Shell - Uses predefined CloudGuard Network Security Gateway templates for automated deployments. (This is a different technology than a traditional CLI interface.)
Command Line Interface (CLI) - Launches CloudGuard Network Security Gateways with command line scripts.
Refer to the Student Guide for additional information about each item.

A Single Gateway deployment is straightforward. The slide shows a simplified view of the basic steps to follow. See the Student Guide for details.

While the Single Gateway Architecture is a good solution for a coordinated and organized deployment into the cloud managed by one team, what happens when multiple teams are working with cloud resources without a coordinated plan?

Advantages
Each network connects to the other networks for the resources it needs. Each Workload connects to the other Workloads via peer-to-peer links, which is why a Mesh architecture is also referred to as Peering. On each Peer, or Workload, a local subnetwork and Peering networks connect to the shared Workloads. This lets Workloads interconnect. Each Peer also has routes directing traffic to the specific Workload that houses the shared resources.

Use Case
A use case for Mesh deployment is below. In this example, there are four teams with specific services or resources.
A Mesh architecture lets these teams share services or resources. See the figure notes on the following page for details.

An example of a Mesh architecture is as follows: Application Team A has a Workload that is designed to provide a specific service, a product database for inventory control. Application Team B wants to use the database that Application Team A provides for the sales application in their Workload, so the two groups establish a Peering connection between their Workloads to allow communication. Application Team C deploys a web server that needs the information from the product database and uses the sales application to process orders, so more peer connections are established. Application Team D deploys an application server to use the information from the other teams' servers.

In a Mesh deployment, each Workload requires routing to all other Workloads involved. Peering offers peer-to-peer connectivity but does not allow extended (transitive) peering relationships: a Workload cannot use the resources of its Peer's Peers unless it has a direct connection to them. This means that each member of the Mesh must have a connection to each of the other Workloads to use their resources. When there are few Workloads, the number of links is minimal. As the Mesh expands, the number of connections increases much faster than the number of Workloads, which can be found with the formula on the slide.

This rapid expansion proceeds as shown in this example.

A Hub and Spoke architecture addresses limitations of a Mesh architecture and meets many of an organization’s cloud security requirements. Its characteristics include:
All spokes (Workloads) maintain independent connections to hubs (network interfaces in the Workload), which permit access to the Internet.
All traffic that enters and exits each spoke must travel through a hub.
Spokes use network segmentation to clearly separate Workloads from one another and isolate their Workloads.
Advantages
A Hub and Spoke architecture addresses many organizations’ cloud security requirements with a blueprint concept that accommodates the functional needs of Development, Operations, and Security teams. This blueprint concept is based on a Secure Cloud Network architecture that consists of five underlying security principles that assist organizations with building public cloud environments securely.
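As an added illustration that is not part of the course material, the following Python models the Peering rules from the Mesh section above and contrasts them with the Hub and Spoke design: the four-team use case, the fact that a Workload cannot reach its Peer's Peers without a direct link, and how the Mesh link count outgrows the per-spoke link count of a hub design as Workloads are added. The team dependency table and the single-hub simplification are assumptions of this example.

```python
from itertools import combinations

# Constructed model of the four-team Mesh use case above (an assumption for this
# example): each team's Workload lists the Workloads whose resources it consumes.
TEAM_DEPENDENCIES = {
    "A": set(),            # product database; consumes nothing
    "B": {"A"},            # sales application uses A's database
    "C": {"A", "B"},       # web server uses the database and the sales app
    "D": {"A", "B", "C"},  # application server uses the other teams' servers
}

def peerings_needed(deps):
    """Direct Peering links needed so every consumer reaches its providers.
    Peering is not transitive, so each pair needs its own (undirected) link."""
    links = set()
    for consumer, providers in deps.items():
        for provider in providers:
            links.add(frozenset((consumer, provider)))
    return links

def can_reach(links, src, dst):
    """True only if src and dst are directly peered; no extended peering."""
    return frozenset((src, dst)) in links

def full_mesh_links(workload_names):
    """Every Workload connected to every other Workload (a full Mesh)."""
    return {frozenset(pair) for pair in combinations(workload_names, 2)}

def hub_and_spoke_links(workload_names):
    """Each spoke holds one connection to a single hub (simplifying assumption)."""
    return {frozenset((name, "hub")) for name in workload_names}

def link_growth(max_workloads):
    """Rows of (workloads, Mesh links, Hub and Spoke links) as the environment grows."""
    rows = []
    for n in range(2, max_workloads + 1):
        names = [f"W{i}" for i in range(n)]
        rows.append((n, len(full_mesh_links(names)), len(hub_and_spoke_links(names))))
    return rows

if __name__ == "__main__":
    links = peerings_needed(TEAM_DEPENDENCIES)
    print(f"Four-team use case needs {len(links)} Peering links (a full Mesh)")
    partial = peerings_needed({"A": set(), "B": {"A"}, "C": {"B"}})
    print("C can reach A through B's peering:", can_reach(partial, "C", "A"))
    for n, mesh, hub in link_growth(8):
        print(f"{n:2d} Workloads: Mesh {mesh:2d} links, Hub and Spoke {hub:2d} links")
```

Because every team ends up depending on every other team, the four-team case already requires a full Mesh, and the growth table shows the Mesh link count pulling away from the one-link-per-spoke count of the hub design.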