Introduction to CloudGuard Controller
A component of Check Point's Security Management Server Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server., the CloudGuard Controller Provisions SDDC services as Virtual Data Centers that provide virtualized computer networking, storage, and security. manages security in public and on-premises environments with one unified management solution.
The CloudGuard Controller dynamically learns about objects and attributes in data centers, such as changes in subnets, security groups, virtual machines, IP addresses and tags.
After using the vendor’s API to establish a trust relationship with a data center, CloudGuard Controller regularly polls the connected environments for changes in objects and object attributes used in the Security Policy Collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection..
Changes are automatically pushed to the Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources..
Item |
Description |
---|---|
1 |
CloudGuard Controller establishes a trusted relationship with the cloud environment. |
2 |
With the use of the vendor's APIs, the CloudGuard Controller connects to the cloud environment and regularly polls it for changes. |
3 |
Changes in the cloud environment are sent to the CloudGuard Controller. |
4 |
The CloudGuard Controller pushes updates to attributes and objects in the Security Policy rules to Check Point Security Gateways. |
Use Case
Dynamic environments such as public and on-premises data centers and clouds present a large challenge to security professionals.
The number of subnets, machines, and IP addresses changes quickly.
The legacy model of manual updates to the security policy and Security Gateways every two or three days is too slow for such environments.
In most organizations, personnel from several different departments have permission to add or remove assets in data centers.
This kind of overlap creates a concern about the security and maintenance of assets in the data center.
The solution to manual updates is to protect the security and maintenance of the assets - automatically.
This is where the CloudGuard Controller comes in to assist.
With the CloudGuard Controller, the Security Operation Center (SOC) can configure the security policy to automatically detect changes in data centers, and push these changes directly to the Security Gateway.
For example, an R&D team needed to add a separate R&D server for production and a separate R&D server for staging.
This required constant emails and service tickets between the server team and SOC team.
To add or remove an IP address, the server team had to open a ticket with IT.
Then IT had to manually update the information.
For example:
Source |
Destination |
Action |
---|---|---|
|
Internet |
Allow |
|
Internet |
Allow |
|
Internet |
Allow |
|
Internet |
Allow |
|
Internet |
Allow |
The problem grows by each request from R&D to remove IPxx
or add IPyy
.
With the possibility of hundreds of IP addresses, the chance of error and frustration from the two teams is inevitable.
This is where the CloudGuard Controller comes in to help.
The CloudGuard Controller changes a static, manual process into a dynamic, automatic flow of data.
The two teams only have to use one tag.
This one tag is representative of changes in the data center.
Rather than the manual, meticulous IP table, and the constant emails between the teams, the CloudGuard Controller removes the dependency on a manual procedure.
For example:
Source |
Destination |
Action |
---|---|---|
department=rnd |
Internet |
Allow |
Note - "department=rnd
" is the tag.
For more information, see Data Center Query Objects.
Check Point's CloudGuard Controller integrates with multiple virtual cloud environments. See Supported Data Centers.