Getting Started with CloudGuard Network for AWS

Prerequisites

Before you use this solution, you must be familiar with these AWS (Amazon Web Services) terms and services:

  • Amazon EC2

  • Amazon VPC

  • AWS CloudFormation

  • AWS IAM

  • AWS Transit Gateway

If you are new to AWS, see Getting Started with AWS.

Note - For the list of supported versions, refer to the Support Life Cycle Policy.

Introduction

AWS Transit Gateway (TGW) is an AWS service that connects multiple Virtual Private Clouds (VPCs) to a single gateway. The TGW provides a single connection from the central gateway to each Amazon VPC, on-premises data center, or remote office across the network. Unlike traditional AWS VPC peering, the TGW routes traffic between VPCs without sending data through the public Internet.

The TGW operates as a hub to route traffic on all connected networks. The hub and spoke model makes VPC management easier and decreases operation costs. Each network only needs to connect to the TGW to communicate with other networks. When new VPCs connect to the TGW, they become immediately visible to other networks. This easy connectivity makes network scaling and data transmission simpler.

CloudGuard Network Security supports AWS TGW. It provides end-to-end protection for enterprise workloads in AWS VPCs. CloudGuard protects services in the public cloud from sophisticated threats and unauthorized access. It also prevents future Denial of Service (DoS) attacks. On the micro level, CloudGuard Network Security examines data that enters and leaves the private subnet in the AWS VPC to prevent attacks and reduce data loss or leakage.

This guide explains how to deploy the Check Point CloudGuard Network Cross AZ Cluster (two or more Security Gateways that work together in a redundant configuration: High Availability or Load Sharing) in AWS. Specifically, it focuses on the AWS Transit Gateway High Availability solution.

AWS Transit Gateway with CloudGuard Network Security:

  • Makes VPC connections simpler.

  • Provides a security cluster that synchronizes connections, prevents interruptions if a failure occurs, and uses the full 50 Gb/s network throughput.

  • Is easy to deploy with a CloudFormation template, which is part of the Check Point Cloud Security Blue Print.

The main features of Check Point CloudGuard for AWS Transit Gateway High Availability solution are:

Costs and Licenses

Important - You must pay for the AWS services you use when you deploy this solution.

The AWS CloudFormation template for the Security VPC has parameters that you can configure. Some of these settings, such as the instance type, affect the cost of deployment. To estimate costs, use the AWS pricing calculator.

This Transit Gateway (TGW) solution uses Amazon Machine Images (AMIs) from the AWS Marketplace. Before you start the deployment, you must subscribe to Check Point CloudGuard in the AWS Marketplace.

You need a license for all Check Point CloudGuard Security Gateways, Check Point CloudGuard Security Management Servers, and AWS CloudFormation templates described in this guide.

These are the two licensing options:

  • Pay As You Go (PAYG)

  • Bring Your Own License (BYOL)

To purchase BYOL licenses, contact Check Point Sales.

Architecture

Cross AZ Cluster has two types of architecture for Check Point CloudGuard Network AWS:

  • Cross AZ Cluster with Transit Gateway

  • Cross AZ Cluster without Transit Gateway

The end-to-end solution includes:

  • A Security VPC with CloudGuard Network Cross AZ Cluster members deployed in different Availability Zones.

  • Synchronization between the Cross AZ Cluster members.

  • Public routing tables for public subnets.

  • A private routing table for private subnets with a default route to the Active member's private interface (eth1).

  • Ingress routing integration:

    The routing table associated with the Internet Gateway has routes to the private subnets through the Active member's public interface (eth0).

  • A Transit Gateway architecture that includes:

    • A TGW routing table for the TGW subnets with a default route to the Active member's public interface (eth0).

    • A VPC attachment for the Security VPC to AWS Transit Gateway, with attachments to TGW subnets.

    • Spoke (Consumer) VPCs attached to the AWS TGW.
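The route-table layout listed above is what the cluster must maintain for traffic to reach the Active member. The following added example (not Check Point's or AWS's code) checks that layout against route tables in the shape returned by boto3's `ec2.describe_route_tables()`; the route tables, resource ids and CIDRs below are constructed placeholders, and the sample deliberately leaves one ingress route pointing at the Standby member's eth0 so the check reports it.

```python
# Added example: verify that a Security VPC's route tables match the Cross AZ Cluster
# design (private default route -> Active eth1, TGW default route -> Active eth0,
# IGW ingress routes for private subnets -> Active eth0). All ids are placeholders.

PRIVATE_RT, IGW_RT, TGW_RT = "rtb-private", "rtb-igw", "rtb-tgw"
ACTIVE_ETH0 = "eni-active-eth0"   # Active member's public interface
ACTIVE_ETH1 = "eni-active-eth1"   # Active member's private interface
PRIVATE_SUBNETS = ["10.0.10.0/24", "10.0.11.0/24"]

# Constructed sample in boto3 describe_route_tables() shape; one ingress route is wrong.
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": PRIVATE_RT, "Associations": [{"SubnetId": "subnet-priv-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NetworkInterfaceId": ACTIVE_ETH1, "State": "active"}]},
    {"RouteTableId": IGW_RT, "Associations": [{"GatewayId": "igw-placeholder"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "10.0.10.0/24", "NetworkInterfaceId": ACTIVE_ETH0, "State": "active"},
                {"DestinationCidrBlock": "10.0.11.0/24", "NetworkInterfaceId": "eni-standby-eth0", "State": "active"}]},
    {"RouteTableId": TGW_RT, "Associations": [{"SubnetId": "subnet-tgw-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NetworkInterfaceId": ACTIVE_ETH0, "State": "active"}]},
]


def _next_hop(rt, cidr):
    """Return the ENI id an active route uses for the given destination CIDR, or None."""
    for r in rt["Routes"]:
        if r.get("DestinationCidrBlock") == cidr and r.get("State") == "active":
            return r.get("NetworkInterfaceId")
    return None


def check_security_vpc_routes(route_tables, private_rt, igw_rt, tgw_rt,
                              active_eth0, active_eth1, private_subnets):
    """Return a list of findings; an empty list means the tables match the design."""
    by_id = {rt["RouteTableId"]: rt for rt in route_tables}
    findings = []
    if _next_hop(by_id[private_rt], "0.0.0.0/0") != active_eth1:       # private subnets
        findings.append(f"{private_rt}: 0.0.0.0/0 does not point to Active eth1")
    if _next_hop(by_id[tgw_rt], "0.0.0.0/0") != active_eth0:           # TGW subnets
        findings.append(f"{tgw_rt}: 0.0.0.0/0 does not point to Active eth0")
    igw = by_id[igw_rt]                                                # ingress routing
    if not any("GatewayId" in a for a in igw.get("Associations", [])):
        findings.append(f"{igw_rt}: not associated with an Internet Gateway")
    for cidr in private_subnets:
        if _next_hop(igw, cidr) != active_eth0:
            findings.append(f"{igw_rt}: {cidr} does not point to Active eth0")
    return findings


if __name__ == "__main__":
    for finding in check_security_vpc_routes(SAMPLE_ROUTE_TABLES, PRIVATE_RT, IGW_RT, TGW_RT,
                                             ACTIVE_ETH0, ACTIVE_ETH1, PRIVATE_SUBNETS):
        print("FINDING:", finding)
```

Running it against live data means passing `ec2.describe_route_tables()["RouteTables"]` and the ENI ids of the member that is currently Active; a non-empty result after a failover indicates a route the cluster did not update.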

Security Policy

A Security Policy is a collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection. A Security Policy package is a set of different policy types. These policies take effect after you install them on the Security Gateways.

A policy package can have one or more of these policy types:

The Standard policy package is the default Security Policy in a newly deployed Security Management Server. Each policy package has a default cleanup rule that stops all traffic.