PhoneBoy
Admin
Admin

SD-WAN Security Techtalk Video and Slides

On 4th September 2019, we did a TechTalk with @Tomer_Sole on Check Point's new security solutions for SD-WAN.
We talked briefly about CloudGuard Edge for SD-WAN devices, but mostly discussed CloudGuard Connect, Cloud Network Security as a Service.

Materials available to CheckMates members:

0 Kudos
14 Replies
PhoneBoy
Admin
Admin

Selected questions asked during the session, with some answers.

What Regions are Supported?

  • Asia
    • India
    • Japan
    • Singapore
    • South Korea
  • Australia
  • Europe
    • Germany
    • Ireland
    • UK
  • North America
    • Canada
    • US North-East
    • US North-West
    • US South-East
    • US South-West
  • South America
    • Brazil

Is Support for Dynamic Branch Office IPs Planned?

Yes

Does CloudGuard Connect Have APIs?

Yes, but the documentation is not currently published. Please contact us and we can provide it.

Is There Cross-Location Redundancy?

When a site is created, it is created in two distinct datacenters in the same region. You can create another site in a different region, but there is no automatic failover.

Are Certificates Supported for IPsec Authentication?

Not currently.

Can CloudGuard Connect Be Deployed in Private Cloud?

Not currently.

Is Traffic Between Branch Offices Supported or Connectivity with Main/Datacenter Site?

Not currently, but these use cases are planned for the future.

Can CloudGuard Connect Protect Individual Users (Road Warriors)?

We have a different solution for roaming users currently called Capsule Connect that we plan to fold into CloudGuard Connect in the near future.

Can You Manage the Access Policy from On-Premise Management?

Yes

Can Logs Be Sent to On-Premise Management?

In the near-term roadmap.

Is Incoming Traffic Supported?

Not currently.

Is Identity Awareness Supported?

Using on-premise identity sources? Not currently. A number of cloud-based Identity Providers, including ADFS, are supported.

Is All Traffic Sent to CloudGuard Connect or only Port 80/443 Traffic?

All traffic is sent.

0 Kudos
D_W
Advisor

I think you posted the wrong link to the full video.


Cheers,
David

0 Kudos
PhoneBoy
Admin
Admin

Looks like the correct link to me.
What happens when you access it?
0 Kudos
D_W
Advisor

Hmm my fault then - I was confused about the different titles where one contains "security" and the other "connect" 😳

0 Kudos
PhoneBoy
Admin
Admin

The focus of the TechTalk is mostly CloudGuard Connect, which is why I labeled the video that way.
0 Kudos
Olga_Kuts
Advisor

The link does not go to the full video. I get to the same page with a video excerpt.

0 Kudos
Alex-
Advisor
Advisor

I can't download the presentation, I get "Please contact your administrator with the following error code: 1DD4E4D2"

0 Kudos
PhoneBoy
Admin
Admin

Had the wrong links above, this should be fixed @Olga_Kuts @Alex- 

0 Kudos
Alex-
Advisor
Advisor

@PhoneBoy Got it, many thanks!

0 Kudos
aheilmaier
Participant

Will you also provide a video replay function, where I can change the replay speed?

0 Kudos
PhoneBoy
Admin
Admin

Unfortunately, our video streaming service does not offer this capability.
0 Kudos
PhoneBoy
Admin
Admin

Few more questions and answers:

Other solutions that connect SD-WAN gateways to the cloud manage the tunnels and handle peering to the closest cloud edge and rekeying. Is there anything that talks between the Check Point edge and the cloud to do something like this?

CloudGuard Edge is installed per edge device. With CloudGuard Connect, you configure which location is closest to your office. Assuming that the office doesn't move, this should work. Roaming users can use Capsule Cloud until this functionality gets integrated within CloudGuard Connect.

Can VPN redundancy be to multiple Check Point CloudGuard Connect locations?

The two tunnels per branch device go to different data centers in the same region.

Is the authentication on the IPsec tunnel only PSK or are certificates supported?

Currently, only PSK authentication is supported. Note that none of the popular SD-WAN solutions support certificate-based authentication currently. If this is a requirement, please contact us.

Is there any integration with Check Point Zero Touch?

Yes, Check Point SMB devices are supported. Step-by-step instructions exist on the Infinity Portal.

Is there any bandwidth limit?

Currently it is 850mbps per site object. You can split your subnets at the same branch office into multiple site objects on the Infinity Portal.

What's the Service Level Agreement for CloudGuard Connect

A formal document will be made available shortly, but the SLA is 99.999% thanks to our public cloud infrastructure and reliable mature security products.

Will it be possible to have a policy that determines which application will use which IPsec tunnel/connection? Are there any options in the policy so that if the latency or packet loss of a link reaches a certain threshold, that uplink is no longer used? Is dynamic path selection possible?

This is a function provided by most SD-WAN Edge Devices. It is configured on the device, not in CloudGuard Connect.

0 Kudos
aheilmaier
Participant

You mentioned briefly the CloudGuard Edge solution.

How does your solution match/respond to the trend of having a local breakout to the cloud?

For example with Office 365 the local breakout is recommended.

a) does/how does Cloud Guard Edge provide this architecture feature of a local breakout ?

b) Is Cloud Guard Connect the recommended architecture because of more implemented security features than with Cloud Guard Edge only ?

c) Is this a balancing act, like on the one side I would have a local breakout for better quality, on the other side I will have more security but a centralized breakout maybe due to network constraints with not so good quality.

d) Does Cloud Guard Connect also provide performance data? Or should I start the typical implementation of performance measurement on the edge, e.g. when SD-WAN boxes provide performance data?

0 Kudos
Tomer_Sole
Mentor
Mentor

These are good questions.

Both CloudGuard Connect and CloudGuard Edge address the need for local breakout. With CloudGuard Connect, the device tunnels traffic to the Check Point cloud enforcement before going to the Internet. With CloudGuard Edge, the device runs the Check Point enforcement inside the local device before going to the Internet.

Generally the same security capabilities are applied at both products, except that:
- CloudGuard Edge runs the Check Point embedded OS while CloudGuard Connect runs the full Check Point capabilities. Currently, Check Point's embedded OS is not based on the R80.30 train but on R77.20.87 (the small and medium business (SMB) train has that kind of version numbering), but this is planned to change early next year.
- With CloudGuard Connect, security capabilities are always up to date while at CloudGuard Edge the administrators choose when to upgrade their embedded OS.
- CloudGuard Connect is able to perform more computational tasks because it is auto-expandable and not bound to RAM and CPU constraints. However at the moment the main difference is the R8x train base.

The balancing act is about these:
- With CloudGuard Edge you own the platform, that means you are in charge of upgrading it, troubleshooting it and expanding it when there's a need, while with CloudGuard Connect the solution is a service, not a platform, which means less operational tasks.
- CloudGuard Edge fits sites that don't require more than 1 core and 1 GB RAM of the platform while CloudGuard Connect works based on the total number of users.
- CloudGuard Connect protects traffic going from the branch to the Internet. This includes dropping the response if it is found malicious, but the main thing is that the initiator of each request sits inside the branch office. CloudGuard Edge protects traffic from the branch to the internet as well as traffic initiated from the Internet and into the branch, for example if you have a server in that site.
- Some devices simply cannot support the on-premise security containment technology, and we make specialized editions of CloudGuard Edge for every specific vendor, while CloudGuard Connect works with anything that has a VPN configuration option.
