Check Point CloudGuard Network for AWS
Amazon Web Services (AWS) is a public cloud platform that offers global compute, storage, database, application and other cloud services. Transit Gateway (TGW) is an AWS service that connects multiple Virtual Private Clouds (VPCs) to a single gateway. TGW provides a single connection from the central gateway into each Amazon VPC, on-premises data center, or remote office across the network. Unlike traditional AWS peering, TGW data traffic flows between VPCs without requiring data to pass through the public internet.
Like a hub, TGWs route traffic on all connected networks. The hub and spoke model simplifies VPC management and reduces operational costs. This is because each network needs a connection only to the TGW to communicate with other networks. When new VPCs connect to the TGW, they automatically become visible to other networks. This ease of connectivity simplifies network scaling and data transmission.
CloudGuard Network Security supports AWS TGW. It offers end-to-end protection for enterprise workloads located in AWS VPCs. CloudGuard protects services in the public cloud from sophisticated threats and unauthorized access, and prevents application layer Denial of Service (DoS) attacks. At a closer look, CloudGuard Network Security inspects data which enters and leaves the private subnet in the AWS VPC to prevent attacks and mitigate data loss or leakage.
This guide explains how to deploy Check Point's CloudGuard Geo Cluster (two or more Security Gateways that work together in a redundant configuration, either High Availability or Load Sharing) in AWS, and specifically in AWS's Transit Gateway High Availability solution.
AWS Transit Gateway with CloudGuard Network Security:
- Simplifies the interconnecting of VPCs
- Provides a security cluster which synchronizes connections, prevents interruptions in case of failure, and uses the full 50 Gb/s networking throughput
- Is easy to deploy using a CloudFormation template which is part of the Check Point Cloud Security Blueprint
Highlights of Check Point's CloudGuard for AWS Transit Gateway High Availability:
- Next Generation Firewall with Application Control (granular control over specific web-enabled applications using deep packet inspection), Data Awareness, HTTPS Inspection (inspection of SSL-encrypted traffic for malware or suspicious patterns), NAT, and logging
- IPS (Intrusion Prevention System, which inspects and analyzes packets and data for numerous types of risks) and virtual patching of cloud resources
- Anti-Bot (blocks botnet behavior and communication to Command and Control centers), Anti-Virus (real-time virus signatures and anomaly-based protections from ThreatCloud that block malware at the Security Gateway before users are affected), Zero-day Threat Emulation (monitors the behavior of files in a sandbox to determine whether they are malicious), and Threat Extraction (removes malicious content from files)
- High Availability (HA) deployment
- Automated solution deployment with CloudFormation
Costs and Licenses
You are responsible for the cost of the AWS services used when deploying the solution as described in this guide.
The AWS CloudFormation template for the Security VPC includes parameters that you can configure. Some of these settings, such as instance type, affect the cost of deployment. For estimated costs, see the AWS pricing calculator.
This Transit VPC Transit Gateway (TGW) solution uses Amazon Machine Images (AMIs) from the AWS Marketplace. You must subscribe to Check Point CloudGuard in the AWS Marketplace before you can start the deployment.
Check Point CloudGuard Security Gateways, the Check Point CloudGuard Network Security Management Server (the dedicated Check Point server that manages the objects and policies in a Check Point environment within a single management Domain), and the AWS CloudFormation templates described in this guide must have a license. These are the two licensing options:
- Pay As You Go (PAYG)
- Bring Your Own License (BYOL)
To buy BYOL licenses, contact Check Point Sales.
Prerequisites
Before you use this solution, you must be familiar with these AWS terms and services:
- Amazon EC2
- Amazon VPC
- AWS CloudFormation
- AWS IAM
- AWS Transit Gateway
If you are new to AWS, see Getting Started with AWS.
Architecture
The diagram shows the Geo Cluster architecture for Check Point CloudGuard Network for AWS.
The end-to-end solution includes:
- Security VPC with the CloudGuard Network Geo Cluster members deployed in different Availability Zones
- Sync between the Cluster Members (the Security Gateways that are part of the cluster)
- Public route tables associated with public subnets
- Private route table associated with the private subnets, with a default route to the Active member's private interface (eth1)
- For ingress routing integration: IGW route table associated with the IGW, with routes from the subnets to protect to the Active member's public interface (eth0)
- For Transit Gateway architecture:
  - TGW route table associated with the TGW subnets, with a default route to the Active member's public interface (eth0)
  - VPC attachment for the Security VPC to AWS Transit Gateway, with attachments in the TGW subnets
  - Spoke (Consumer) VPCs attached to the AWS TGW
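The route-table layout listed above is what steers spoke and private-subnet traffic through the Active cluster member, so a default route that points anywhere else silently bypasses inspection. The following Python is an added example, not Check Point's or AWS's code: it audits route tables in the shape returned by boto3's `ec2.describe_route_tables()` (only the keys used here, with no AWS call so it runs offline) and confirms that the private and TGW route tables' default routes target the Active member's eth1 and eth0 ENIs, that public route tables target an Internet Gateway, and that no default route is in the `blackhole` state AWS reports when a route's target (for example a terminated member's ENI) no longer exists. Every id, the role mapping and the sample tables are constructed placeholders.

```python
"""Offline audit of Security VPC route tables for the CloudGuard Geo Cluster layout.

Added example, not Check Point or AWS code. The input mirrors the shape of
boto3 ec2.describe_route_tables()["RouteTables"], restricted to the keys used
here. Every id below is a constructed placeholder.
"""
import copy
from typing import Dict, List, Optional

# Constructed placeholders for the Active member's interfaces and the IGW.
ACTIVE_ETH0_ENI = "eni-0000000000aaaaaa0"  # Active member public interface (eth0)
ACTIVE_ETH1_ENI = "eni-0000000000bbbbbb1"  # Active member private interface (eth1)
IGW_ID = "igw-00000000000000000"
VPC_CIDR = "10.0.0.0/16"


def _local_route(cidr: str) -> dict:
    """The implicit VPC-local route every route table carries."""
    return {"DestinationCidrBlock": cidr, "GatewayId": "local", "State": "active"}


# Constructed sample matching the layout described in the Architecture section.
SAMPLE_ROUTE_TABLES: List[dict] = [
    {"RouteTableId": "rtb-public-sample",
     "Routes": [_local_route(VPC_CIDR),
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": IGW_ID, "State": "active"}]},
    {"RouteTableId": "rtb-private-sample",
     "Routes": [_local_route(VPC_CIDR),
                {"DestinationCidrBlock": "0.0.0.0/0", "NetworkInterfaceId": ACTIVE_ETH1_ENI, "State": "active"}]},
    {"RouteTableId": "rtb-tgw-sample",
     "Routes": [_local_route(VPC_CIDR),
                {"DestinationCidrBlock": "0.0.0.0/0", "NetworkInterfaceId": ACTIVE_ETH0_ENI, "State": "active"}]},
]

# Role of each route table in the Security VPC (constructed mapping; in a real
# account you would derive it from Name tags or the CloudFormation stack outputs).
SAMPLE_ROLES: Dict[str, str] = {
    "rtb-public-sample": "public",
    "rtb-private-sample": "private",
    "rtb-tgw-sample": "tgw",
}


def route_target(route: dict) -> Optional[str]:
    """Return the target id of a route, whichever target type AWS used."""
    for key in ("NetworkInterfaceId", "GatewayId", "TransitGatewayId",
                "NatGatewayId", "VpcPeeringConnectionId", "InstanceId"):
        if key in route:
            return route[key]
    return None


def default_route(route_table: dict) -> Optional[dict]:
    """Return the 0.0.0.0/0 route of a route table, or None if there is none."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            return route
    return None


def audit_security_vpc_routes(route_tables: List[dict], roles: Dict[str, str],
                              active_eth0: str, active_eth1: str) -> List[str]:
    """Compare each route table's default route with the expected Geo Cluster target.

    Expected targets: private -> Active member eth1, tgw -> Active member eth0,
    public -> an Internet Gateway. Returns one finding string per deviation.
    """
    expected = {"private": active_eth1, "tgw": active_eth0}
    findings: List[str] = []
    for table in route_tables:
        rtb = table["RouteTableId"]
        role = roles.get(rtb)
        if role is None:
            continue  # not part of the Security VPC layout under review
        route = default_route(table)
        if route is None:
            findings.append(f"{rtb} ({role}): no default route")
            continue
        if route.get("State") == "blackhole":
            # AWS marks a route blackhole when its target (e.g. a member's ENI) is gone.
            findings.append(f"{rtb} ({role}): default route is blackholed, target no longer exists")
            continue
        target = route_target(route) or ""
        if role == "public":
            if not target.startswith("igw-"):
                findings.append(f"{rtb} (public): default route -> {target}, expected an Internet Gateway")
        elif target != expected[role]:
            findings.append(f"{rtb} ({role}): default route -> {target}, expected {expected[role]}; "
                            "traffic bypasses the cluster")
    return findings


def misconfigured_sample() -> List[dict]:
    """Constructed failure cases: private subnets routed straight to the IGW, and a
    TGW route table whose target ENI disappeared (e.g. the member was terminated)."""
    tables = copy.deepcopy(SAMPLE_ROUTE_TABLES)
    tables[1]["Routes"][1] = {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": IGW_ID, "State": "active"}
    tables[2]["Routes"][1]["State"] = "blackhole"
    return tables


if __name__ == "__main__":
    for name, tables in (("expected layout", SAMPLE_ROUTE_TABLES), ("misconfigured", misconfigured_sample())):
        print(name, audit_security_vpc_routes(tables, SAMPLE_ROLES, ACTIVE_ETH0_ENI, ACTIVE_ETH1_ENI) or "OK")
```

In a real account, replace the sample list with the `RouteTables` value from `describe_route_tables()` and the two ENI ids with the Active member's current interfaces; after a cluster failover the expected targets change to the new Active member, so the check is worth running as part of failover testing.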
Use Cases
These examples illustrate different ways to set up your Transit Gateway architecture:

The transparent proxy provides secured proxy services to the spoke VPCs.
It is transparent in that the security proxy services are seamless and do not need topological changes to the protected spoke VPCs.
With this solution, you do not need a CloudGuard Gateway for AWS in each of the spoke VPCs.
The solution relies on VPN connections to the central (hub) VPC for Internet-bound connections.
DevOps and application owners can use the transparent proxy to deploy solutions in designated VPCs, rely on AWS native security controls only, and have advanced Threat Prevention, Next Generation Firewall, and compliance, seamlessly from the central VPC.

The Transit VPC - Security VPC of the Transit Gateway solution, as a cloud perimeter, gives Threat Prevention and Access Control to the spoke VPCs.
Each VPC can be deployed in multiple Availability Zones and provide security services to multiple spoke VPCs in the environment.
Only the central VPC has access to the Internet, and the spokes are limited to private subnets.
All traffic to and from the spoke VPCs is steered through the central VPC.
The security controls are concentrated in a single central VPC.

With a Hybrid cloud setup, you can connect your on-premises and cloud environments, and cloud assets can have secured access to on-premises assets.
The connection is established through a secured VPN connection between your Check Point Security Gateway (the dedicated Check Point server that inspects traffic and enforces Security Policies for connected network resources) and a CloudGuard Network Gateway in AWS.
You can also implement a secure connection with AWS Direct Connect tunnels.
For example, a front-end server in the cloud can connect to an on-premises backend database to retrieve confidential data or business logic.
For more information, see sk120534.

Direct Connect makes it easy to set up a dedicated network connection from on-premises to AWS.
When you use AWS Direct Connect, it is transparent to Check Point Security Gateways.
For example, you can connect routes and tunnels from Transit Gateways directly to Corporate Gateways.
You must configure Direct Connect manually when you connect corporate gateways and Transit Gateways; automation is not supported.
For more information, see sk120534.
Security Policy
A Security Policy is a collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection. A policy package is a collection of different types of policies enforced after installing the policy on the Security Gateways.
A policy package can have one or more of these policy types:
- Access Control
- Desktop Security
- Threat Prevention
The Standard policy package is the default Security Policy defined in a newly deployed Security Management Server (a Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server). Every policy package has a default cleanup rule that drops all traffic. A rule is a set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session.