Getting Started with CloudGuard Network for AWS
Prerequisites
Before you use this solution, you must be familiar with these AWS (Amazon Web Services, the public cloud platform that offers global compute, storage, database, application and other cloud services) terms and services:
- Amazon EC2
- Amazon VPC
- AWS CloudFormation
- AWS IAM
- AWS Transit Gateway
If you are new to AWS, see Getting Started with AWS.
Note - For the list of supported versions, refer to the Support Life Cycle Policy.
Introduction
AWS Transit Gateway (TGW) is an Amazon Web Services service that connects multiple Virtual Private Clouds (VPCs) to a single gateway. TGW provides a single connection from the central gateway to each Amazon VPC, on-premises data center, or remote office across the network. Unlike VPC peering, which needs a separate peering connection for every pair of VPCs that must communicate, each VPC attaches to the TGW once and the TGW routes between them; the traffic stays on the AWS network and does not pass through the public internet.
TGW acts as a hub that routes traffic between all connected networks. The hub-and-spoke model simplifies VPC management and reduces operating costs. Each network only needs to connect to the TGW to communicate with the other networks. When a new VPC is attached to the TGW, it becomes reachable from the other attached networks as soon as the TGW route tables allow it. This ease of connectivity simplifies network scaling and data transmission.
CloudGuard Network Security supports AWS TGW and offers end-to-end protection for enterprise workloads located in AWS VPCs. CloudGuard protects services in the public cloud from sophisticated threats and unauthorized access and prevents Denial of Service (DoS) attacks. At the micro level, CloudGuard Network Security inspects the traffic that enters and leaves the private subnets in the AWS VPC to prevent attacks and to mitigate data loss or leakage.
This guide explains how to deploy Check Point's CloudGuard Network Cross AZ Cluster (two or more Security Gateways that work together in a redundant configuration, High Availability or Load Sharing) in AWS, specifically in the AWS Transit Gateway High Availability solution.
AWS Transit Gateway with CloudGuard Network Security:
- Simplifies VPC connections.
- Provides a security cluster that synchronizes connections between its members, prevents interruptions when a member fails, and uses the full 50 Gb/s network throughput.
- Is easy to deploy through a CloudFormation template that is part of the Check Point Cloud Security Blueprint.
Highlights of Check Point's CloudGuard for AWS Transit Gateway High Availability:
- Next-Generation Firewall with Application Control (granular control over specific web-enabled applications through deep packet inspection; acronym APPI), Data Awareness, HTTPS Inspection (inspection of SSL/TLS-encrypted traffic for malware or suspicious patterns; synonym SSL Inspection, acronyms HTTPSI, HTTPSi), NAT, and logging.
- IPS (Intrusion Prevention System, which inspects and analyzes packets and data for numerous types of risks) and virtual patching of cloud resources, with URL Filtering (granular control over which web sites a given group of users, computers or networks can access; acronym URLF) for Internet-bound traffic.
- Anti-Bot (blocks botnet behavior and communication with Command and Control (C&C) centers; acronyms AB, ABOT), Anti-Virus (real-time virus signatures and anomaly-based protections from ThreatCloud that detect and block malware at the Security Gateway before users are affected; acronym AV), zero-day Threat Emulation (monitors the behavior of files in a sandbox to determine whether they are malicious; acronym TE), and Threat Extraction (removes malicious content from files; acronym TEX). Each of these is a Check Point Software Blade on the Security Gateway.
- High Availability (HA) environment.
- Automated deployment with CloudFormation.
Costs and Licenses
You are responsible for the cost of the AWS services used when you deploy the solution as described in this guide.
The AWS CloudFormation template for the Security VPC includes parameters that you can configure. Some of these settings, such as the instance type, affect the cost of the deployment. For estimated costs, see the AWS pricing calculator.
This Transit Gateway (TGW) solution uses Amazon Machine Images (AMIs) from the AWS Marketplace. You must subscribe to Check Point CloudGuard in the AWS Marketplace before you can start the deployment.
All Check Point CloudGuard Security Gateways and Security Management Servers described in this guide, including those deployed by the AWS CloudFormation templates, must have a license. These are the licensing options:
- Pay As You Go (PAYG)
- Bring Your Own License (BYOL)
To buy BYOL licenses, contact Check Point Sales.
Architecture
There are two Cross AZ Cluster architectures for Check Point CloudGuard Network on AWS:
- Cross AZ Cluster with Transit Gateway
- Cross AZ Cluster without Transit Gateway
The end-to-end solution includes:
- A Security VPC with the CloudGuard Network Cross AZ Cluster members deployed in different Availability Zones.
- Sync between the Cross AZ Cluster members.
- Public routing tables associated with the public subnets.
- A private routing table associated with the private subnets, with a default route to the Active member's private interface (eth1).
- Ingress routing integration: the routing table associated with the Internet Gateway (IGW) contains routes to the private subnets through the Active member's public interface (eth0).
The Transit Gateway architecture adds:
- A TGW routing table associated with the TGW subnets, with a default route to the Active member's public interface (eth0).
- A VPC attachment of the Security VPC to the AWS Transit Gateway, using the TGW subnets.
- Spoke (Consumer) VPCs attached to the AWS TGW.
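Every cluster-owned route in the layout above (the private default route, the IGW ingress routes, and the TGW default route) must point at the Active member's interfaces, so after a failover the tables are only correct once they point at the new Active member. The following Python script is an added example, not Check Point or AWS code: it audits a snapshot of the Security VPC route tables, shaped like the RouteTables list that boto3's ec2.describe_route_tables() returns, against those three rules. The member names, ENI, subnet, route-table and IGW identifiers and the CIDRs are constructed for the example.

```python
"""Audit the Security VPC route tables of a CloudGuard Cross AZ Cluster.
Added example, not Check Point or AWS code. The input has the shape of the
"RouteTables" list returned by boto3 ec2.describe_route_tables(); every
identifier and CIDR below is constructed for the example."""
from dataclasses import dataclass

DEFAULT_ROUTE = "0.0.0.0/0"
TARGET_KEYS = ("NetworkInterfaceId", "GatewayId", "TransitGatewayId", "NatGatewayId")


@dataclass(frozen=True)
class Member:
    """A cluster member: eth0 is its public ENI, eth1 its private ENI."""
    name: str
    eth0: str
    eth1: str


def route_target(route):
    """Next-hop id of a route, whatever its target type."""
    return next((route[k] for k in TARGET_KEYS if k in route), None)


def find_route(table, cidr):
    """The route whose destination is exactly `cidr`, or None."""
    return next((r for r in table["Routes"] if r.get("DestinationCidrBlock") == cidr), None)


def associated(table, key):
    """Ids of the given association kind ("SubnetId" or "GatewayId")."""
    return {a[key] for a in table["Associations"] if key in a}


def check_route(table, cidr, expected_eni, label):
    """Finding string if `cidr` does not resolve to `expected_eni`, else None."""
    rtb = table["RouteTableId"]
    route = find_route(table, cidr)
    if route is None:
        return f"{rtb}: no route for {cidr}, expected {label} {expected_eni}"
    target, state = route_target(route), route.get("State")
    if target != expected_eni or state != "active":
        return f"{rtb}: {cidr} -> {target} ({state}), expected {label} {expected_eni}"
    return None


def audit_security_vpc(route_tables, active, igw_id, private_subnets, tgw_subnets):
    """Check that every cluster-owned route points at `active`'s interfaces.
    private_subnets maps subnet id -> CIDR; tgw_subnets is a set of subnet ids.
    Returns a list of findings; an empty list means the tables agree that
    `active` is the Active member."""
    findings = []
    for table in route_tables:
        subnets = associated(table, "SubnetId")
        if igw_id in associated(table, "GatewayId"):
            # Ingress routing: the IGW edge table must reach every private
            # subnet through the Active member's public interface (eth0).
            checks = [(cidr, active.eth0, "eth0") for cidr in private_subnets.values()]
        elif subnets & set(private_subnets):
            # Private subnets default-route to the Active member's eth1.
            checks = [(DEFAULT_ROUTE, active.eth1, "eth1")]
        elif subnets & tgw_subnets:
            # TGW subnets default-route to the Active member's eth0.
            checks = [(DEFAULT_ROUTE, active.eth0, "eth0")]
        else:
            continue  # public subnet tables route to the IGW, not to the cluster
        for cidr, eni, iface in checks:
            finding = check_route(table, cidr, eni, f"{active.name} {iface}")
            if finding:
                findings.append(finding)
    return findings


# Constructed snapshot of a healthy Security VPC in which member-a is Active.
MEMBER_A = Member("member-a", "eni-0a0a0a0a00000001", "eni-0a0a0a0a00000002")
MEMBER_B = Member("member-b", "eni-0b0b0b0b00000001", "eni-0b0b0b0b00000002")
IGW = "igw-0123456789abcdef0"
PRIVATE_SUBNETS = {"subnet-priv-a": "10.0.1.0/24", "subnet-priv-b": "10.0.2.0/24"}
TGW_SUBNETS = {"subnet-tgw-a", "subnet-tgw-b"}
LOCAL = {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}


def eni_route(cidr, eni):
    return {"DestinationCidrBlock": cidr, "NetworkInterfaceId": eni, "State": "active"}


ROUTE_TABLES = [
    {"RouteTableId": "rtb-private", "Associations": [{"SubnetId": s} for s in PRIVATE_SUBNETS],
     "Routes": [LOCAL, eni_route(DEFAULT_ROUTE, MEMBER_A.eth1)]},
    {"RouteTableId": "rtb-edge", "Associations": [{"GatewayId": IGW}],
     "Routes": [eni_route(c, MEMBER_A.eth0) for c in PRIVATE_SUBNETS.values()]},
    {"RouteTableId": "rtb-tgw", "Associations": [{"SubnetId": s} for s in sorted(TGW_SUBNETS)],
     "Routes": [LOCAL, eni_route(DEFAULT_ROUTE, MEMBER_A.eth0)]},
    {"RouteTableId": "rtb-public", "Associations": [{"SubnetId": "subnet-pub-a"}],
     "Routes": [{"DestinationCidrBlock": DEFAULT_ROUTE, "GatewayId": IGW, "State": "active"}]},
]


def audit_snapshot(active):
    """Run the audit on the constructed snapshot with `active` as Active member."""
    return audit_security_vpc(ROUTE_TABLES, active, IGW, PRIVATE_SUBNETS, TGW_SUBNETS)


if __name__ == "__main__":
    print("member-a Active:", audit_snapshot(MEMBER_A) or "consistent")
    for finding in audit_snapshot(MEMBER_B):  # stale tables after a failover
        print("member-b Active:", finding)
```

The IGW edge association and the subnet associations are read from the route-table data itself, so the same function can be given the output of `ec2.describe_route_tables(Filters=[{"Name": "vpc-id", "Values": [vpc_id]}])["RouteTables"]` for a real Security VPC; only the member ENIs and the subnet roles have to be supplied. Public subnet tables are deliberately skipped, since their default route goes to the IGW and is not moved by the cluster. A non-empty result after a failover means the route updates the cluster performs through the AWS API have not landed, which is the first thing to check before looking at the gateways themselves.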
Security Policy
A Security Policy (a collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection) is installed on the Security Gateways as a policy package, a collection of different types of policies that are enforced after you install the package.
A policy package can have one or more of these policy types:
- Access Control
- Desktop Security
- Threat Prevention
The Standard policy package is the default Security Policy defined on a newly deployed Security Management Server. Each policy package has a default cleanup rule (a rule is a set of traffic parameters and other conditions in a Rule Base, the Security Policy, that cause specified actions to be taken for a communication session) that drops all traffic no earlier rule matched, so traffic through the cluster is blocked until you add rules that explicitly allow it.