CloudGuard for AWS - Security Transit VPC Demonstration
We've recently released an important milestone in our security solutions for AWS – the automated Security Transit VPC.
This solution enables our customers to provide a vast array of security use cases to their public (or hybrid) cloud environments, with optimal costs & performance, complete automation and agility at scale.
With minimal interference and footprint, security admins can now achieve security visibility and advanced threat prevention, all on an IPsec encrypted transitive network.
In this session, we demonstrate how to deploy the solution, show it in operation, and answer your questions!
An excerpt of the session is below with the full recording available to CheckMates members: CloudGuard for AWS - Security Transit VPC Demonstration Video
Hi Folks I just watched the session on AWS and using cloud guard as transit VPC, I have a question what if customer has already deployed transit VPC with CISCO using CSR is there way to create another VPC using checkpoint then connect back into the transit VPC?
Thanks for the reply I would to Chain them as our CSR is already deployed for direct connect in the transit VPC
Get Outlook for iOS<https://aka.ms/o0ukef>
Here were some of the other questions asked during the session:
Are you going to update SK120534 to show that you need to specifically permit ESP traffic on the AWS Security Groups??
Yes, indeed allowing ESP [Custom Protocol | ESP (50) | All ] is required. Generally, we recommend using the more detailed deployment guide instead of the SK - can be found here: Transit VPC for AWS R80.10 Deployment Guide
The architecture diagram shows the management server in AWS. Can this use an existing on-prem management server?
On-premise Management server is supported. For R80.10 there is a need to install JHF version 142 or above. For R80.20 the GA supports this. Above this there is a need to install the add-on as described in the deployment guide.
How fast is the the HA failover, if I understand it correct it is based on the BGP?
It relies on BGP convergence, which is not deterministic. It typically occurs in 10-20 seconds.
Is transit VPC inspection in AWS unique to Check Point only?
There are other solutions out there that handle the IPsec mesh and transitive connectivity, however those solutions (Cisco CSR, Aviatrix, to name a leading few) do not provide the essential security function with deep packet inspection and threat prevention.
Is the R8x API going to be updated so that interoperable objects can be created? As these are required for creating VPNs to spoke VPC's through automation tools.
This is in the roadmap.
Can this be done in Azure and GCP as well?
The automated solution covers AWS only. Each cloud provider uses different infrastructures and architectures. For example, this approach is not common in Azure as vNET peering (transitive, encrypted, supports service insertion with UDRs) is often a better solution.
Are you going to update SK120534 as the BGP configuration within the SK can create asymmetric routing due to the AWS VPG's creating 2 IPSEC tunnels for each VPC VPN and only accepting externally defined BGP preferences through AS-PATH.
Refer to the deployment guide: Transit VPC for AWS R80.10 Deployment Guide
What about the BGP ASN? Should we leave it at the default value?
Default is just fine (private scope ASN per RFC), unless the organization has a public registered ASN they wish to use.
It's possible to set more than one vCPU for SecureXL with R80.20?
You are probably refer to the coupling of 1 NIC to 1 CPU. In R80.20 this should be much better.
Are their plans to support the same automated deployment functionality in other tools such as Terraform?
Not at the moment.
AWS limits their VPC VPNs to 1.25 gig bandwidth. Have you seen this limitation become a problem for users since traffic has to traverse to the transit VPC over that to reach another VPC?
In large scale environments or in case of an especially throughput-intensive spoke VPCs, this could be an issue. The solution we recommend is to deploy a Check Point gateway instead of the managed VPN gateway on the spokes using the new c5 instances, which we will support in the near future.
Does the "automation" you guys are referring to encompass the addition/removal of spoke VPCs?
Yes, it includes automation for all aspects of maintenance of the IPsec mesh.
Will this connect in the same way as my current network to my Splunk SIEM for monitoring?
Yes, with Log Exporter. See Log Exporter guide
What is the impact of the route based VPN in AWS on R80.20 on CoreXL and SecureXL?
Starting with R80.10, IPsec is optimized on multi core setups. Starting with R80.20, it includes SecureXL enhancements for better acceleration. The impact is not significant, and with c5 instances, it will be minimal.
Where is the max number of supported spoke VPC documented?? 35 was just mentioned.
Technically, there is no limitation in code. Up to 35 spokes is the recommended number of VPCs we've certified with average common throughput requirements.
Does the improvements to the API also encompass all common configuration items within IPSEC VPNs such as DH group for phase 2 as this is not currently supported?
This is in the roadmap.
Another question related to security, which kind of methods uses to inspect encrypted traffic between the VPN IPsec?
Since we’re terminating the IPSec tunnel on a Check Point gateway, we can inspect them with deep packet inspection , HTTPS Inspection, IPS, Anti-Bot, Anti-Virus, Application Control, URL Filtering, zero day protection, and more. Essentially every security engine Check Point gateway provides.
Is each gateway in the hub a member of AutoScaling group with 1 instance?
No, the solution is not deployed as autoscaling group. Autoscaling support will be added in the future (Check Point autoscaling, not referring to AWS standard autoscaling, which does not support IPsec).
It's possible to delete Datacenter objects automatically in SmartDashboard after the object was deleted in AWS? How can I find deleted Datacenter objects in SmartDashboard (like unused objects)?
When you delete the object in AWS, it will be marked as "deleted on server" but it won’t automatically be deleted from the policy. Of course you can delete it manually. The way to identify those objects is to view the info of the datacenter object, which will reflect it is deleted on server.
SK120534 no longer specifies to use conditional matches for traffic to VPC's within firewall policy but sk100726 still states to use conditional matches. Which approach is correct?
In both SKs, there is explanation how to use the “VPN Directional Match in VPN Column.”
The scripts responsible for deployment of the AWS VPC VPN Gateways as well as BGP config are located on the CP management server?
Can datacenter objects be imported from multiple AWS accounts?
Can it be done through a single cross account IAM role?
Yes with sts:AssumeRole permission.
MDM is not supported yet. Technical Problem or will be considered later?
MDM on-premise is supported. MDM on AWS is planned.
JHF requirements for Transit VPC solution in CloudGuard for AWS:
- On AWS MGMT - Only JHF take #142 and above are supported
- On premise MGMT – Supported only with JHF take #142 and above
- JHF Take 154 is currently the GA one
- We are working to update the public Documentation (with few more updates)
- On premise MGMT – supported (just add-on installation)
- On AWS MGMT – coming soon…