Introduction to CloudGuard Controller

A component of Check Point's Security Management Server, the CloudGuard Controller manages security in public and on-premises environments with one unified management solution. The CloudGuard Controller dynamically learns about objects and attributes in data centers, such as changes in subnets, security groups, virtual machines, IP addresses, and tags. After using the vendor's API to establish a trust relationship with a data center, the CloudGuard Controller regularly polls the connected environments for changes in objects and object attributes used in the Security Policy. Changes are automatically pushed to the Security Gateway.

Item  Description
----  -----------
1     CloudGuard Controller establishes a trusted relationship with the cloud environment.
2     With the use of the vendor's APIs, the CloudGuard Controller connects to the cloud environment and regularly polls it for changes.
3     Changes in the cloud environment are sent to the CloudGuard Controller.
4     The CloudGuard Controller pushes updates to attributes and objects in the Security Policy rules to Check Point Security Gateways.

Use Case

Dynamic environments such as public and on-premises data centers and clouds present a large challenge to security professionals. The number of subnets, machines, and IP addresses changes quickly. The legacy model of manually updating the security policy and Security Gateways every two or three days is too slow for such environments.

In most organizations, personnel from several different departments have permission to add or remove assets in data centers. This kind of overlap creates a concern about the security and maintenance of assets in the data center. The answer to manual updates is to handle the security and maintenance of those assets automatically. This is where the CloudGuard Controller comes in to assist. With the CloudGuard Controller, the Security Operation Center (SOC) can configure the security policy to automatically detect changes in data centers and push these changes directly to the Gateway.

For example, an RnD team needed to add an RnD server and a separate RnD server for staging. This required constant emails and service tickets between the server team and the SOC team. To add or remove an IP address, the server team had to open a ticket with the InfoSec team. Then the InfoSec team had to manually update the information. This process looks like this:

SRC   DST       Action
---   ---       ------
IP1   Internet  Allow
IP2   Internet  Allow
IP3   Internet  Allow
IP4   Internet  Allow
IP5   Internet  Allow

The problem grows with each request from RnD to remove IPxx or add IPxx. With the possibility of hundreds of IPs, errors and frustration for both teams are inevitable.

This is where the CloudGuard Controller comes in to help.

The CloudGuard Controller changes a static, manual process into a dynamic, automatic flow of data. The two teams only have to agree on one tag. This one tag represents the RnD assets in the data center, however often they change. Instead of the manual, meticulous IP table and the constant emails between the teams, the CloudGuard Controller removes the dependency on a manual procedure. For example:

SRC              DST       Action
---              ---       ------
*department=rnd  Internet  Allow

* Note: department=rnd is the tag.
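To make the difference between the two tables concrete, here is an added example (not CloudGuard Controller's own code) of the polling cycle it performs: a tag query such as department=rnd is resolved against each inventory snapshot, and only the difference from the previous poll becomes an update for the gateway. The inventory snapshots, tag values and IP addresses are constructed stand-ins for what the cloud vendor's API would return.

```python
"""Added example: tag-based rule membership resolved by polling, instead of a
static IP table. Inventory records and tags are constructed test data and the
function names are this example's own, not a CloudGuard Controller API."""
from dataclasses import dataclass, field


@dataclass
class SyncState:
    """Membership of each query as of the last poll, so a poll yields a diff."""
    members: dict = field(default_factory=dict)


def resolve_query(inventory, query):
    """Return the set of IPs of assets whose tags match every key=value in
    query (comma-separated, e.g. "department=rnd,env=staging").
    inventory: list of {"ip": str, "tags": {key: value}} records."""
    wanted = dict(kv.split("=", 1) for kv in query.split(","))
    return {
        asset["ip"] for asset in inventory
        if all(asset["tags"].get(k) == v for k, v in wanted.items())
    }


def poll(state, inventory, query):
    """One polling cycle: re-resolve the query against the current inventory
    and return (added_ips, removed_ips), the update the gateway would receive."""
    current = resolve_query(inventory, query)
    previous = state.members.get(query, set())
    state.members[query] = current
    return current - previous, previous - current


# Constructed snapshots standing in for two consecutive polls of the data center.
SNAPSHOT_1 = [
    {"ip": "10.1.0.10", "tags": {"department": "rnd", "env": "prod"}},
    {"ip": "10.1.0.11", "tags": {"department": "rnd", "env": "staging"}},
    {"ip": "10.2.0.5", "tags": {"department": "finance"}},
]
SNAPSHOT_2 = [
    {"ip": "10.1.0.10", "tags": {"department": "rnd", "env": "prod"}},
    {"ip": "10.1.0.12", "tags": {"department": "rnd", "env": "staging"}},  # staging server replaced
    {"ip": "10.2.0.5", "tags": {"department": "rnd"}},  # same host, only its tag changed
]

if __name__ == "__main__":
    state = SyncState()
    print("poll 1 (added, removed):", poll(state, SNAPSHOT_1, "department=rnd"))
    print("poll 2 (added, removed):", poll(state, SNAPSHOT_2, "department=rnd"))
```

Note that in the second snapshot 10.2.0.5 enters the rule through a tag change alone, so whoever can write tags in the data center can effectively change rule membership; tag-write permissions deserve the same review as policy-write permissions.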

For more information, see Data Center Query Objects.

Check Point's CloudGuard Controller integrates with these virtual cloud environments: