
Peter Marini | MSP and Public Cloud Channel






Presentation Transcript


  1. vSEC for public cloud – Peter Marini | MSP and Public Cloud Channel [Internal Use] for Check Point employees

  2. Agenda

  3. The vSEC family: adaptive security for dynamic clouds; advanced protection for any cloud, any service; ACI

  4. Datacenter Hacking Incident • Leaked account details of 32 million members • Website hosted on public cloud • Is the public cloud insecure?

  5. Cloud security – Shared Responsibility • Application Firewall • Intrusion Prevention System • Anti-Malware • Logging & Audit • https://aka.ms/pciresponsibilitymatrix [Restricted] ONLY for designated groups and individuals

  6. Check Point vSEC for Public Cloud

  7. Use Cases

  8. Unified management – one console for the enterprise

  9. Single Policy

  10. Threat visibility

  11. Lateral Threats • Perimeter gateway doesn’t protect traffic inside the cloud • Lack of security between applications • Threats attack a low-priority service and then move to critical systems. (Diagram: north-south traffic through the perimeter versus east-west traffic between APP workloads.) Modern threats can spread laterally inside the data center, moving from one application to another.

  12. Access Control and Threat Prevention: Firewall, Anti-Virus, Anti-Bot, Application Control, IPS, Threat Emulation, URL Filtering

  13. Secure Remote Access: Site-to-Site VPN, SSL/Client VPN

  14. Public Cloud integrations
  • Marketplace
  • Licensing (BYOL, PAYG)
  • Deployment Templates (ARM, CloudFormation, Cloud Launcher)
  • Scenarios: High Availability, Load Balancer Support, Autoscale, License Pool, VPN connectivity
  • Architecture: vSEC controller

  15. vSEC controller (diagram: a Management Server in front of three firewall gateways) • Polls the public cloud API for changes (name, IP address, groups, tags) • Dynamically updates policy on gateways • Logs reflect public cloud data • Can be used for automation scenarios
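As an added illustration (not Check Point's code), the following simulation shows what one controller poll cycle has to compute: it resolves tag-defined policy objects against two constructed inventory snapshots, emits the add/remove deltas a gateway would need, and enriches a log record with the cloud name and tags of its source. The object names, tag keys and snapshot contents are assumptions.

```python
# Simulation of one vSEC-controller-style poll cycle (added example; not
# Check Point's code). Two constructed inventory snapshots stand in for
# successive reads of a public cloud API.
POLL_1 = [
    {"name": "web1", "ip": "10.0.2.4", "tags": {"role": "web"}},
    {"name": "web2", "ip": "10.0.2.5", "tags": {"role": "web"}},
    {"name": "srv1", "ip": "10.0.3.4", "tags": {"role": "app"}},
]
POLL_2 = [
    {"name": "web1", "ip": "10.0.2.4", "tags": {"role": "web"}},
    {"name": "web3", "ip": "10.0.2.6", "tags": {"role": "web"}},  # scaled in
    {"name": "srv1", "ip": "10.0.3.9", "tags": {"role": "app"}},  # new IP
]

# Policy objects keyed by cloud tags (assumed names); membership is derived
# from metadata, so the rulebase never has to list IP addresses by hand.
TAG_OBJECTS = {
    "cloud_web_servers": {"role": "web"},
    "cloud_app_servers": {"role": "app"},
}


def resolve(inventory):
    """Return {object: set of member IPs} for the given inventory."""
    return {
        obj: {vm["ip"] for vm in inventory
              if all(vm["tags"].get(k) == v for k, v in wanted.items())}
        for obj, wanted in TAG_OBJECTS.items()
    }


def policy_updates(previous, current):
    """Diff two polls into per-object add/remove lists to push to gateways."""
    old, new = resolve(previous), resolve(current)
    updates = {}
    for obj in TAG_OBJECTS:
        added, removed = new[obj] - old[obj], old[obj] - new[obj]
        if added or removed:
            updates[obj] = {"add": sorted(added), "remove": sorted(removed)}
    return updates


def enrich_log(record, inventory):
    """Annotate a gateway log record with the cloud name/tags of its source."""
    vm = {v["ip"]: v for v in inventory}.get(record["src"])
    return {**record,
            "src_name": vm["name"] if vm else None,
            "src_tags": dict(vm["tags"]) if vm else {}}
```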

  16. Demo – Security CheckUp and vSEC Controller

  17. Sizing vSEC AWS • Licensed by virtual core • Performance increases with more cores

  18. Sizing vSEC Azure • Licensed by virtual core • Performance increases with more cores

  19. Architecture - Azure

  20. Azure Virtual Network (VNET) Azure virtual network (VNet) is a representation of your own network in the cloud. It is defined with a CIDR range and you can also further segment your VNet into subnets.

  21. Define UDR for perimeter insertion (diagram: Internet → Internet gateway → VNet 10.0.0.0/16; Security subnet 10.0.1.0/24 with Security GW 10.0.1.10/24; Frontend subnet 10.0.2.0/24 with web1, web2; Backend subnet 10.0.3.0/24 with srv1, srv2)

  22. Define UDR for subnet-to-subnet insertion (same VNet layout: Security GW 10.0.1.10 in 10.0.1.0/24, Frontend subnet 10.0.2.0/24, Backend subnet 10.0.3.0/24)

  23. Define UDR for VM-to-VM insertion (same VNet layout)

  24. Add UDR to gateway subnet for VPN/ExpressRoute (diagram adds an on-premise data center reaching the VNet through an ExpressRoute gateway alongside the Internet gateway, plus future subnets 10.0.X.0/24)

  25. With VNet peering (diagram adds a partner VNet 10.20.0.0/16 peered with VNet 10.0.0.0/16, still routed through Security GW 10.0.1.10)
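As an added example (not Check Point's or Microsoft's code), this Python simulation applies Azure's route selection rules (longest prefix first, then user-defined over system routes) to the VNet in the diagrams above, with UDRs for perimeter and subnet-to-subnet insertion pointing at the security GW, and then checks which cross-subnet flows would still bypass it. The subnet names, the choice to leave the security subnet without a UDR, and the assumption that intra-subnet traffic stays on the VNet-local route are mine.

```python
import ipaddress

# Added example (not Check Point's code): resolve next hops the way an Azure
# subnet route table does, over the VNet layout in the slides. Longest prefix
# wins; on an equal prefix a user-defined route beats a system route.
SECURITY_GW = "10.0.1.10"
SUBNETS = {"security": "10.0.1.0/24", "frontend": "10.0.2.0/24",
           "backend": "10.0.3.0/24"}
# System routes every Azure subnet has: VNet-local and the Internet default.
SYSTEM_ROUTES = [("10.0.0.0/16", "VnetLocal", "system"),
                 ("0.0.0.0/0", "Internet", "system")]
PRIORITY = {"udr": 0, "bgp": 1, "system": 2}

# UDRs as the slides insert them (assumption: the GW subnet gets no UDR so
# its own traffic is not hairpinned back through the gateway).
UDR = {
    "frontend": [("0.0.0.0/0", SECURITY_GW, "udr"),      # perimeter insertion
                 ("10.0.3.0/24", SECURITY_GW, "udr")],   # subnet-to-subnet
    "backend": [("0.0.0.0/0", SECURITY_GW, "udr"),
                ("10.0.2.0/24", SECURITY_GW, "udr")],
    "security": [],
}


def next_hop(subnet, dst, udr=UDR):
    """Azure-style route selection for a packet leaving `subnet` to `dst`."""
    ip = ipaddress.ip_address(dst)
    matches = [r for r in udr[subnet] + SYSTEM_ROUTES
               if ip in ipaddress.ip_network(r[0])]
    best = max(matches, key=lambda r: (ipaddress.ip_network(r[0]).prefixlen,
                                        -PRIORITY[r[2]]))
    return best[1]


def uninspected_flows(udr=UDR):
    """Cross-subnet pairs whose traffic would bypass the security GW."""
    gaps = []
    for src in SUBNETS:
        for dst, net in SUBNETS.items():
            if "security" in (src, dst) or src == dst:
                continue
            probe = str(ipaddress.ip_network(net)[4])  # any host in dst
            if next_hop(src, probe, udr) != SECURITY_GW:
                gaps.append((src, dst))
    return gaps
```

Running `uninspected_flows()` with only the 0.0.0.0/0 routes in place reports the frontend/backend pair in both directions, which is exactly the gap the subnet-to-subnet UDRs close.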

  26. No. of interfaces for CP gateway? [Protected] Non-confidential content

  27. vSEC Azure Cluster reference architecture

  28. Azure Cluster considerations
  • This feature is available starting with R77.30 version 77.30.8009043
  • The feature is only available in Azure Resource Manager deployments. It is not supported with Azure Service Manager (also known as classic) deployments.
  • Only two members per cluster are supported.
  • Running the Security Management Server on the cluster members is not supported.
  • Only High Availability mode (Active/Standby) is supported. Load Sharing modes are not supported.
  • Failover times: Cluster IP <2 min; Azure LB inbound NAT rules <3 min; UDR routes <20 sec

  29. Azure cluster setup

  30. Azure Autoscaling • For stateless traffic (HTTP/HTTPS) • Scaling can take some time • Licensing – consider PAYG

  31. Services vNET • Suitable for large organizations with multiple vNETs • Deployment can be single/cluster

  32. Architecture - AWS

  33. AWS Virtual Private Cloud (VPC) • Manage all aspects of the networking

  34. Perimeter protection

  35. AWS route tables • In an AWS VPC, every route table has a local route to the effect that every node is “one hop away” from any other node in the same VPC • The next hop of this local route can’t be modified

  36. Control traffic between subnets • Similar to a traditional network • Change the default gateway on the host • Can be used in HA as well • Firewall needs an interface per subnet – there is a limit on interfaces depending on VM size

  37. Transit VPC • Use for shared services and transitive routing between VPCs • Reduces software licensing • Can be used between VPCs, accounts, and regions • Overlay hub-and-spoke network built using VPN • Reduces changes needed on spoke VPCs • Configure Check Point VPN to AWS VGW using BGP for redundancy

  38. Full Availability Zone Mesh • Firewall in each Availability Zone • Using firewall vendor’s centralized management solution for VPN management

  39. Clustering • 2 members only and must be in same Availability Zone • AWS API calls to move private IP addresses and change routing tables – requires IAM role • Can take up to 40 sec

  40. Load Balancing • Provides redundancy on different availability zones without session synchronization • Allows Active-Active traffic movement • Mainly stateless traffic

  41. Autoscale/LB “Sandwich” • Helps customers automatically adjust their Amazon EC2 capacity according to the current load • Requires a load balancer before and after the gateways • Usually relevant with the PAYG licensing model • An internal load balancer can be used for an outgoing proxy

  42. Comparisons

  43. AWS/Azure Security Groups

  44. Host-based (Agent) security

  45. WAF vs NGFW – Example of an OS-level attack: GHOST
  • Exploit: https://security.googleblog.com/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html
  • Imperva (WAF) response: https://www.imperva.com/Services/adc_advisories_response_CVE_2015_7547
  • Check Point IPS protection: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk104443

  46. Gartner Magic Quadrant – Enterprise Network Firewall • Mature and complete enterprise offerings • Strong ecosystem of technology and channel partners • Best-in-class central management

  47. Security

  48. Performance table Price/Performance

  49. Capabilities

  50. Case Study – Singapore government • IPS to prevent and log exploits for all government public cloud deployments • ‘Government certified solution – operational for >2 years with no issues’
