Overview of CloudGuard Network for AWS Centralized Gateway Load Balancer

The Amazon Web Services (AWS) Gateway Load Balancer (GWLB) is a managed service that lets AWS users deploy, scale, and manage virtual appliances such as firewalls, intrusion detection and prevention systems, and deep packet inspection systems. AWS customers can deploy these virtual appliances with high availability, scaling, and load balancing.

One example of such a virtual appliance is a CloudGuard Security Gateway, a dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources.

Cloud Network Security is one of the CloudGuard capabilities. It provides advanced Threat Prevention and automated network security through a virtual Security Gateway, with unified security management across all your cloud and on-premises deployments. AWS customers use CloudGuard to securely migrate on-premises workloads to AWS and to protect these assets with advanced security technologies that include Firewall, IPS (Intrusion Prevention System), Application Control, DLP, Anti-Virus, and Anti-Bot. Threat Extraction (which removes malicious content from files) and Threat Emulation (which runs files in a sandbox to determine whether they are malicious) provide industry-leading protection from zero-day attacks.

For more about AWS Gateway Load Balancers, see the AWS Gateway Load Balancer documentation.

This guide explains how to deploy and configure Check Point's CloudGuard Network Gateway Load Balancer security protection.

How GWLB Works

A Gateway Load Balancer operates at Layer 3 of the OSI model, the network layer. It listens for all IP packets across all ports and forwards traffic to the target group specified in its listener rule. The GWLB and its registered virtual appliance instances exchange application traffic through the GENEVE protocol on UDP port 6081.

For more information, see the AWS Gateway Load Balancer documentation, and review AWS's detailed blog posts on GWLB.
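The GENEVE exchange described above, as an added example that is not part of Check Point's guide or of the CloudGuard software: a small Python parser for the GENEVE header that GWLB places in front of each packet it hands to an appliance, the extraction of the inner IPv4 5-tuple, and a toy accept/drop decision that returns the datagram to GWLB byte-for-byte unchanged (the bump-in-the-wire contract). The AWS-specific option class and type numbers are an assumption taken from memory of AWS's appliance documentation and should be verified there; the sample datagram is constructed.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

GENEVE_UDP_PORT = 6081      # UDP port on which GWLB and the appliance exchange GENEVE traffic
ETHERTYPE_IPV4 = 0x0800     # GENEVE "Protocol Type" value for an encapsulated IPv4 packet

# Option class/types GWLB adds to every GENEVE header. ASSUMPTION: these values are
# recalled from the AWS GWLB appliance documentation; verify them against the current
# AWS docs before relying on them.
AWS_OPTION_CLASS = 0x0108
AWS_OPTION_NAMES = {1: "gwlbe_eni_id", 2: "attachment_id", 3: "flow_cookie"}


@dataclass
class GeneveOption:
    opt_class: int
    opt_type: int
    data: bytes


@dataclass
class GenevePacket:
    version: int
    protocol: int
    vni: int
    options: List[GeneveOption]
    header: bytes   # the outer GENEVE header, kept byte-for-byte for the return trip
    inner: bytes    # the encapsulated IP packet, also returned unchanged


def parse_geneve(datagram: bytes) -> GenevePacket:
    """Parse an RFC 8926 GENEVE datagram (the UDP payload received on port 6081)."""
    if len(datagram) < 8:
        raise ValueError("GENEVE base header truncated")
    b0, _flags, protocol, vni_reserved = struct.unpack("!BBHI", datagram[:8])
    version, opt_bytes = b0 >> 6, (b0 & 0x3F) * 4   # Opt Len is counted in 4-byte words
    if version != 0:
        raise ValueError(f"unsupported GENEVE version {version}")
    header_len = 8 + opt_bytes
    if len(datagram) < header_len:
        raise ValueError("GENEVE options truncated")
    options, offset = [], 8
    while offset < header_len:
        opt_class, opt_type, len_byte = struct.unpack("!HBB", datagram[offset:offset + 4])
        data_len = (len_byte & 0x1F) * 4            # low 5 bits, in 4-byte words
        if offset + 4 + data_len > header_len:
            raise ValueError("GENEVE option overruns the header")
        options.append(GeneveOption(opt_class, opt_type, datagram[offset + 4:offset + 4 + data_len]))
        offset += 4 + data_len
    return GenevePacket(version, protocol, vni_reserved >> 8, options,
                        datagram[:header_len], datagram[header_len:])


def aws_options(pkt: GenevePacket) -> Dict[str, int]:
    """Return the GWLB-specific options as integers keyed by their (assumed) documented name."""
    return {AWS_OPTION_NAMES[o.opt_type]: int.from_bytes(o.data, "big")
            for o in pkt.options
            if o.opt_class == AWS_OPTION_CLASS and o.opt_type in AWS_OPTION_NAMES}


def inner_five_tuple(pkt: GenevePacket) -> Tuple[str, str, int, Optional[int], Optional[int]]:
    """Extract (src, dst, ip_proto, sport, dport) from the encapsulated IPv4 packet."""
    if pkt.protocol != ETHERTYPE_IPV4:
        raise ValueError(f"not an IPv4 payload: protocol type 0x{pkt.protocol:04x}")
    ip = pkt.inner
    ihl = (ip[0] & 0x0F) * 4
    if ihl < 20 or len(ip) < ihl:
        raise ValueError("inner IPv4 header truncated")
    proto = ip[9]
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    sport = dport = None
    if proto in (6, 17) and len(ip) >= ihl + 4:   # TCP or UDP: ports follow the IP header
        sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    return src, dst, proto, sport, dport


def inspect(datagram: bytes, blocked_dst_ports: set) -> Optional[bytes]:
    """Toy appliance decision: drop (None) or return the datagram to GWLB unmodified.

    The returned bytes are the original GENEVE header (flow cookie and endpoint IDs
    intact) followed by the untouched inner packet: no NAT and no header rewrite.
    """
    pkt = parse_geneve(datagram)
    _, _, _, _, dport = inner_five_tuple(pkt)
    if dport in blocked_dst_ports:
        return None
    return pkt.header + pkt.inner


def build_sample_datagram() -> bytes:
    """Constructed sample: a GENEVE frame carrying the three GWLB options and a UDP/IPv4 packet."""
    options = (struct.pack("!HBB", AWS_OPTION_CLASS, 1, 2) + (42).to_bytes(8, "big")             # GWLBe ENI ID
               + struct.pack("!HBB", AWS_OPTION_CLASS, 2, 2) + (7).to_bytes(8, "big")            # attachment ID
               + struct.pack("!HBB", AWS_OPTION_CLASS, 3, 1) + (0xDEADBEEF).to_bytes(4, "big"))  # flow cookie
    base = struct.pack("!BBHI", len(options) // 4, 0, ETHERTYPE_IPV4, 0)   # version 0, VNI 0
    # Inner packet: IPv4 10.0.1.10 -> 10.0.2.20, UDP 40000 -> 53 (checksums left zero; constructed data)
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                       bytes([10, 0, 1, 10]), bytes([10, 0, 2, 20]))
    udp = struct.pack("!HHHH", 40000, 53, 8, 0)
    return base + options + ipv4 + udp


if __name__ == "__main__":
    sample = build_sample_datagram()
    pkt = parse_geneve(sample)
    print(inner_five_tuple(pkt), aws_options(pkt))
    print("dropped" if inspect(sample, {53}) is None else "forwarded unchanged")
```

The parser validates every length field against the header it is inside, so a truncated or self-overlapping option list raises instead of slicing past the buffer; a real appliance must apply the same discipline before it trusts anything in the GENEVE options, including the flow cookie it copies back.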

Architecture Patterns

Solution 1 – A Centralized GWLB Security VPC

The diagram shows the GWLB architecture for Check Point CloudGuard's AWS end-to-end solution, which includes:

In the Servers VPC, the GWLBe is the Internet Gateway's (IGW's) next hop for ingress traffic and the servers' next hop for their ingress and egress traffic. All traffic that reaches the GWLBe is automatically directed to the GWLB in the Security VPC. The GWLB forwards the packet over the GENEVE protocol to one of the healthy instances in the Auto Scaling Group (ASG). The Security Gateway then inspects and processes the packet according to its policy. If the packet is accepted, it returns to the GWLB and then to the GWLBe it came from, which forwards the packet to its original destination.

Creating a GWLBe in each servers VPC lets you protect multiple servers VPCs. All GWLBes must point to the centralized GWLB so that they are inspected by the same centralized Security VPC, that is, by the same firewall appliances.
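A routing check for the centralized pattern, added here as an example and not part of Check Point's guide or CloudFormation templates: given route tables in the shape returned by the EC2 `describe_route_tables` API, it verifies the two next-hop requirements the paragraph above describes (the IGW's edge route table sends server-bound ingress to the GWLBe, and the server subnet's default route sends egress to the GWLBe) plus a third, assumed requirement that the GWLBe subnet forwards inspected egress to the IGW. All resource identifiers and the sample tables are constructed.

```python
from typing import Dict, List

# Constructed identifiers for one AZ of the Servers VPC in Solution 1 (not from the page).
IGW_ID = "igw-servers"
GWLBE_ID = "vpce-gwlbe-az1"
SERVER_SUBNET = "subnet-servers-az1"
GWLBE_SUBNET = "subnet-gwlbe-az1"
SERVER_CIDR = "10.0.1.0/24"


def next_hop(route: dict) -> str:
    """Return whichever target field a describe_route_tables route entry carries."""
    for key in ("VpcEndpointId", "GatewayId", "NatGatewayId", "TransitGatewayId", "NetworkInterfaceId"):
        if key in route:
            return route[key]
    return "?"


def route_to(table: dict, cidr: str) -> str:
    """Next hop for an exact destination CIDR in one route table, or 'missing'."""
    for route in table.get("Routes", []):
        if route.get("DestinationCidrBlock") == cidr:
            return next_hop(route)
    return "missing"


def check_centralized_gwlb_routing(route_tables: List[dict]) -> List[str]:
    """Return findings for routes that let traffic bypass the GWLBe; an empty list means all checks pass."""
    findings: List[str] = []
    by_subnet: Dict[str, dict] = {}
    edge = None
    for table in route_tables:
        for assoc in table.get("Associations", []):
            if assoc.get("GatewayId") == IGW_ID:      # edge association: ingress routing
                edge = table
            elif "SubnetId" in assoc:
                by_subnet[assoc["SubnetId"]] = table
    # 1. Ingress: the IGW's edge route table must hand server-bound traffic to the GWLBe.
    hop = route_to(edge, SERVER_CIDR) if edge else "no edge association"
    if hop != GWLBE_ID:
        findings.append(f"ingress to {SERVER_CIDR} bypasses inspection: IGW edge route -> {hop}")
    # 2. Egress: the server subnet's default route must point at the GWLBe, not at the IGW or a NAT.
    hop = route_to(by_subnet.get(SERVER_SUBNET, {}), "0.0.0.0/0")
    if hop != GWLBE_ID:
        findings.append(f"egress from {SERVER_SUBNET} bypasses inspection: 0.0.0.0/0 -> {hop}")
    # 3. Return path (assumption, not stated on the page): the GWLBe subnet forwards inspected egress to the IGW.
    hop = route_to(by_subnet.get(GWLBE_SUBNET, {}), "0.0.0.0/0")
    if hop != IGW_ID:
        findings.append(f"GWLBe subnet {GWLBE_SUBNET} has no default route to the IGW: 0.0.0.0/0 -> {hop}")
    return findings


def sample_tables(server_default_target: dict) -> List[dict]:
    """Constructed describe_route_tables-shaped data; server_default_target selects the servers' 0.0.0.0/0 hop."""
    return [
        {"RouteTableId": "rtb-edge",
         "Associations": [{"GatewayId": IGW_ID}],
         "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                    {"DestinationCidrBlock": SERVER_CIDR, "VpcEndpointId": GWLBE_ID}]},
        {"RouteTableId": "rtb-servers",
         "Associations": [{"SubnetId": SERVER_SUBNET}],
         "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                    dict({"DestinationCidrBlock": "0.0.0.0/0"}, **server_default_target)]},
        {"RouteTableId": "rtb-gwlbe",
         "Associations": [{"SubnetId": GWLBE_SUBNET}],
         "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                    {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": IGW_ID}]},
    ]


if __name__ == "__main__":
    print("correct:", check_centralized_gwlb_routing(sample_tables({"VpcEndpointId": GWLBE_ID})))
    print("bypass:", check_centralized_gwlb_routing(sample_tables({"GatewayId": IGW_ID})))
```

Against a live account the same function accepts the `RouteTables` list from `boto3.client("ec2").describe_route_tables()` once the constants are replaced with the real IDs; the second sample, whose server subnet routes 0.0.0.0/0 straight to the IGW, is the classic misconfiguration in which the servers stay reachable but their egress never passes through the Security VPC.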

Solution 2 - A GWLB Security VPC for Transit Gateway (TGW)

The diagram shows the TGW GWLB architecture for Check Point CloudGuard's AWS end-to-end solution, which includes:

The TGW Solution Security VPC has four subnets in each AZ:

  1. TGW attachment subnet

  2. GWLBe subnet

  3. Check Point's Firewall subnet

  4. NAT Gateway subnet

This architecture provides the required management connectivity to the Check Point EC2 instances.

For more architecture examples and traffic flows, refer to: Check Point CloudGuard Network Security - Integration with AWS Gateway Load Balancer workshop.

Benefits

GWLB provides a simple native AWS solution to deploy and manage network appliances in a horizontally scalable and fault-tolerant manner.

In addition, GWLB operates transparently. The traffic source and destination software stacks do not need to change, because GWLB does not change packet headers or payloads, which eliminates the need to make changes to users and applications.

GWLB integration with CloudGuard Network allows IT teams to keep consistent security practices on both cloud and on-premises deployments, to leverage existing security skill sets, and to build on existing investments and relationships with Check Point Security Solutions.

GWLB provides:

  • Elastic scaling of managed Check Point CloudGuard Gateway fleets as traffic volumes change.

  • Resiliency for Check Point CloudGuard Network gateways by automatically rerouting traffic to healthy gateways.

    Graceful failover among Auto Scaling Group gateways for patching and maintenance (traffic is always directed to one of the healthy appliances).

  • Reduced network complexity

    • No traffic translation, or source NAT (original source and destination are kept inside the packet).

    • Traffic inspection is transparent – bump-in-the-wire.

    • A single security VPC with GWLB and Check Point CloudGuard Auto Scaling Group can connect to multiple GWLB Endpoints across multiple VPCs and/or AWS accounts.

  • Ease of use

    • Full deployment automation – uses a CloudFormation Template (CFT) to deploy a security VPC that connects to multiple Endpoints (Endpoint deployment is manual).

    • Flexibility in inspection enforcement through the use of subnet tags.

  • Support for multiple networking architectures

    • The current architecture supports traffic inspection in a centralized security VPC for both simple (single VPCs, each with its own GWLBe) and complex (TGW) use-case scenarios.

Use Case

A typical use case features customer AWS deployments, with one or more VPCs, that require network traffic to be protected and inspected by Check Point's CloudGuard Network Security Gateways.

Check Point's CloudGuard Network Security integrates with GWLB to provide traffic inspection in a centralized security VPC.

  • Solution 1: Deploying a Centralized GWLB Security VPC

    Ingress and Egress traffic inspection in unconnected VPCs.

  • Solution 2: Deploying a GWLB Security VPC for Transit Gateway

    Intra-VPC and Egress traffic inspection for VPCs connected with AWS Transit Gateway.

Prerequisites

Before you use this solution, you must be familiar with these AWS terms and services:

  • VPC

  • EC2

  • Elastic Load Balancers (ELB)

  • Ingress Routing

  • VPC Endpoints for Gateway Load Balancer (GWLBe)

  • Transit Gateway

  • NAT Gateway (see Deploying Solution 2 - A Check Point Gateway Load Balancer Transit Gateway Environment with CloudFormation Template)

If you are new to AWS, see Getting Started with AWS.