Overview of Google Cloud Platform Network Security Integration (NSI)
This document describes how to deploy Cloud Firewall Gateways and integrate them with the Google Cloud Platform (GCP) Network Security Integration (NSI) solution using in-band mode.
Introduction
Google Cloud Platform's Network Security Integration provides a framework for integrating third-party security solutions (such as Check Point Cloud Firewall solution) to enhance the security posture of cloud environments.
The in-band integration mode uses the packet intercept technology to direct specific traffic to Cloud Firewall Gateways for inline inspection. This method does not require NAT or other complex routing techniques and provides comprehensive security without changing existing network routing policies.
In-band integration supports inline inspection of different traffic types, including Ingress, Egress, Inter-VPC, and Intra-VPC traffic.
Cloud Firewall seamlessly integrates with GCP NSI to provide industry-leading threat prevention and unified security management across cloud environments. This integration lets organizations maintain consistent security policies and protect their workloads from sophisticated cyber threats.
GCP NSI supports inspection of IPv4 traffic and can also inspect IPv6 traffic in dual-stack deployments, when IPv6 is explicitly enabled on the producer side. In these scenarios, both IPv4 and IPv6 traffic are intercepted using the same in-band packet intercept mechanism, with additional consumer-side configuration required for IPv6 traffic inspection.
Key Terms
- GCP Network Security Integration - A GCP feature allowing in-band integration using packet intercept technology, enabling third-party network appliances to inspect network traffic transparently.
- GENEVE Encapsulation - A protocol to securely transport packets to the appliance without changing the original source and destination IP addresses.
Key Features of GCP Network Security Integration
- Comprehensive Visibility - NSI provides detailed insights into Virtual Private Cloud (VPC) network traffic.
- Advanced Security Protection - Integration with the Cloud Firewall solution enhances network security with Advanced Threat Prevention, Anti-Virus, Anti-Bot, and granular traffic filtering capabilities.
- Seamless Integration - In-band integration enables easy deployment of Cloud Firewall and does not require changes to network routing policies.
- GENEVE Encapsulation - This feature transparently redirects network traffic to in-band appliances. The redirection does not require changes to existing routing policies. GENEVE encapsulation preserves original packets when they are delivered to third-party appliances for inspection.
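The GENEVE encapsulation named under Key Terms and in the Key Features list above wraps the intercepted packet in a UDP tunnel (IANA port 6081) so that the inspecting appliance receives the original IP header unchanged. The following Python is an added example, not code from Check Point or Google: it parses a GENEVE header as laid out in RFC 8926, walks the option TLVs, and reads the source and destination addresses out of the inner packet, for both IPv4 and IPv6 inner packets to cover the dual-stack case the introduction mentions. The VNI, option class, option payload and IP addresses are constructed placeholders; the VNI and options that GCP NSI actually places on the wire are not assumed here.

```python
"""Decode GENEVE (RFC 8926) tunnel payloads and show that the inner packet's
addresses survive encapsulation unchanged. Added example; VNI, option class,
option data and addresses below are constructed placeholders."""
import socket
import struct

GENEVE_UDP_PORT = 6081   # IANA-assigned GENEVE port; UDP layer assumed already stripped
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPV6 = 0x86DD


def inner_addresses(proto_type: int, inner: bytes) -> tuple:
    """Return (src, dst) of the encapsulated IPv4 or IPv6 packet."""
    if proto_type == ETHERTYPE_IPV4:
        if len(inner) < 20 or inner[0] >> 4 != 4:
            raise ValueError("inner packet is not a valid IPv4 header")
        return (socket.inet_ntop(socket.AF_INET, inner[12:16]),
                socket.inet_ntop(socket.AF_INET, inner[16:20]))
    if proto_type == ETHERTYPE_IPV6:
        if len(inner) < 40 or inner[0] >> 4 != 6:
            raise ValueError("inner packet is not a valid IPv6 header")
        return (socket.inet_ntop(socket.AF_INET6, inner[8:24]),
                socket.inet_ntop(socket.AF_INET6, inner[24:40]))
    raise ValueError(f"unsupported inner protocol type 0x{proto_type:04x}")


def parse_geneve(payload: bytes) -> dict:
    """Decode the GENEVE fixed header, its option TLVs and the inner addresses."""
    if len(payload) < 8:
        raise ValueError("GENEVE header truncated")
    first, proto_type, vni_field = struct.unpack("!HHI", payload[:8])
    version = first >> 14                   # Ver: 2 bits, must be 0
    opt_len = ((first >> 8) & 0x3F) * 4     # Opt Len: 6 bits, in 4-byte units
    oam = bool(first & 0x80)                # O flag: OAM / control packet
    critical = bool(first & 0x40)           # C flag: critical options present
    vni = vni_field >> 8                    # 24-bit VNI followed by 8 reserved bits
    if version != 0:
        raise ValueError(f"unsupported GENEVE version {version}")
    end = 8 + opt_len
    if len(payload) < end:
        raise ValueError("GENEVE options truncated")
    options, off = [], 8
    while off < end:
        if off + 4 > end:
            raise ValueError("GENEVE option header truncated")
        opt_class, opt_type, len_field = struct.unpack("!HBB", payload[off:off + 4])
        data_len = (len_field & 0x1F) * 4   # low 5 bits, in 4-byte units
        if off + 4 + data_len > end:
            raise ValueError("GENEVE option data truncated")
        options.append({"class": opt_class,
                        "type": opt_type & 0x7F,
                        "critical": bool(opt_type & 0x80),  # high bit of Type
                        "data": payload[off + 4:off + 4 + data_len]})
        off += 4 + data_len
    inner = payload[end:]
    src, dst = inner_addresses(proto_type, inner)
    return {"version": version, "oam": oam, "critical": critical, "vni": vni,
            "proto_type": proto_type, "options": options,
            "inner_src": src, "inner_dst": dst, "inner": inner}


def is_well_formed(payload: bytes) -> bool:
    """True if the payload parses as GENEVE with a recognised inner packet."""
    try:
        parse_geneve(payload)
        return True
    except ValueError:
        return False


def build_geneve(vni: int, proto_type: int, inner: bytes, options=()) -> bytes:
    """Encapsulate `inner` the way an intercept point would (no UDP layer)."""
    opts = b""
    for opt_class, opt_type, data in options:
        if len(data) % 4:
            raise ValueError("option data must be a multiple of 4 bytes")
        opts += struct.pack("!HBB", opt_class, opt_type, len(data) // 4) + data
    first = (len(opts) // 4) << 8           # version 0, no O/C flags
    return struct.pack("!HHI", first, proto_type, vni << 8) + opts + inner


def minimal_ipv4(src: str, dst: str, proto: int = 6) -> bytes:
    """20-byte IPv4 header with zero checksum (enough for address extraction)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                       socket.inet_pton(socket.AF_INET, src),
                       socket.inet_pton(socket.AF_INET, dst))


def minimal_ipv6(src: str, dst: str, next_header: int = 6) -> bytes:
    """40-byte IPv6 header with empty payload."""
    return struct.pack("!IHBB16s16s", 0x60000000, 0, next_header, 64,
                       socket.inet_pton(socket.AF_INET6, src),
                       socket.inet_pton(socket.AF_INET6, dst))


# Constructed samples: a client-to-web-server packet intercepted and wrapped with a
# placeholder VNI and one placeholder (non-critical) option TLV.
SAMPLE_V4 = build_geneve(0xABCDE, ETHERTYPE_IPV4, minimal_ipv4("10.0.1.10", "10.0.2.20"),
                         options=[(0x0102, 0x01, b"\x00\x00\x00\x2a")])
SAMPLE_V6 = build_geneve(0xABCDE, ETHERTYPE_IPV6, minimal_ipv6("2001:db8::a", "2001:db8::b"))

if __name__ == "__main__":
    for sample in (SAMPLE_V4, SAMPLE_V6):
        p = parse_geneve(sample)
        print(f"VNI 0x{p['vni']:06x} proto 0x{p['proto_type']:04x} "
              f"{p['inner_src']} -> {p['inner_dst']} options={len(p['options'])}")
```

A gateway that decapsulates this way sees exactly the addresses the workload sent, which is why no NAT or route change is needed; the truncation checks in the parser are the part a defender should keep, since a malformed option length must never be allowed to run the decoder past the end of the buffer.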
Benefits of GCP Network Security Integration
- Enhanced Security - NSI leverages Check Point's advanced threat prevention capabilities to protect cloud workloads from known and unknown threats.
- Unified Management - Check Point's unified Cloud Firewall platform enables consistent management of security policies across on-premises and cloud environments.
- Scalability and Flexibility - Security operations can be scaled to match the dynamic nature of cloud environments, ensuring robust protection without compromising performance.
Use Case
Consider a Web application running on multiple servers across different zones with a Load Balancer distributing traffic among these servers.
NSI enables deep inspection of network packets by placing third-party appliances (such as Cloud Firewall Gateways) in the path of network traffic. This makes it possible to block unauthorized access and to adjust security measures dynamically based on traffic patterns.
Prerequisites
You must be familiar with these topics:
- GCP cloud infrastructure and GCP Managed Instance Groups (MIG)
- GCP Autoscaling
- GCP Load Balancers
- GCP Identity & Access Management