SD-WAN Security Techtalk Video and Slides

PhoneBoy · ‎2019-09-04

On 4th September 2019, we did a TechTalk with @Tomer_Sole on Check Point's new security solutions for SD-WAN.
We talked briefly about CloudGuard Edge for SD-WAN devices, but mostly discussed CloudGuard Connect, Cloud Network Security as a Service.

Materials available to CheckMates members:

Slides
Full Video of session (excerpt is below)

(view in My Videos)

PhoneBoy · ‎2019-09-04

Selected questions asked during the session, with some answers.

What Regions are Supported?

Asia
- India
- Japan
- Signapore
- South Korea
Australia
Europe
- Germany
- Ireland
- UK
North America
- Canada
- US North-East
- US North-West
- US South-East
- US South-West
South America
- Brazil

Is Support for Dynamic Branch Office IPs Planned?

Yes

Does CloudGuard Connect Have APIs?

Yes, but the documentation is not currently published. Please contact us and we can provide it.

Is There Cross-Location Redundancy?

When a site is created, it is created in two distinct datacenters in the same region. You can create another site in a different region, but there is no automatic failover.

Are Certificates Supported for IPsec Authentication?

Not currently.

Can CloudGuard Connect Be Deployed in Private Cloud?

Not currently.

Is Traffic Between Branch Offices Supported or Connectivity with Main/Datacenter Site?

Not currently, but these use cases are planned for the future.

Can CloudGuard Connect Protect Individual Users (Road Warriors)?

We have a different solution for roaming users currently called Capsule Connect that we plan to fold into CloudGuard Connect in the near future.

Can You Manage the Access Policy from On-Premise Management?

Yes

Can Logs Be Sent to On-Premise Management?

In the near-term roadmap.

Is Incoming Traffic Supported?

Not currently.

Is Identity Awareness Supported?

Using on-premise identity sources? Not currently. A number of cloud-based Identity Providers, including ADFS, are supported.

Is All Traffic Sent to CloudGuard Connect or only Port 80/443 Traffic?

All traffic is sent.

D_W · ‎2019-09-05

I think you posted the wrong link to the full video.

Cheers,
David

PhoneBoy · ‎2019-09-05

Looks like the correct link to me.
What happens when you access it?

D_W · ‎2019-09-06

Hmm my fault then - I was confused about the different titles where one contains "security" and the other "connect" 😳

PhoneBoy · ‎2019-09-06

The focus of the TechTalk is mostly CloudGuard Connect, which is why I labeled the video that way.

Olga_Kuts · ‎2019-09-09

The link does not go to the full video. I get to the same page with a video excerpt.

Alex- · ‎2019-09-09

I can't download the presentation, I get "Please contact your administrator with the following error code: 1DD4E4D2"

PhoneBoy · ‎2019-09-09

Had the wrong links above, this should be fixed @Olga_Kuts @Alex-

Alex- · ‎2019-09-10

@PhoneBoy Got it, many thanks!

aheilmaier · ‎2019-09-12

Will you also provide a video replay fuction, where I can change the replay speed ?

PhoneBoy · ‎2019-09-12

Unfortunately, our video streaming service does not offer this capability.

PhoneBoy · ‎2019-09-13

Few more questions and answers:

Can VPN redundancy can be to multiple Check Point CloudGuard Connect locations?

The two tunnels per branch device go to different data centers in the same region.

Is the authentication on the IPsec tunnel only PSK or are certificates supported?

Currently, only PSK authentication is supported. Note that none of the popular SD-WAN solutions support certificate-based authentication currently. If this is a requirement, please contact us.

Is there any integration with Check Point Zero Touch?

Yes, Check Point SMB devices are supported. Step-by-step instructions exist on the Infinity Portal.

Is there any bandwidth limit?

Currently it is 850mbps per site object. You can split your subnets at the same branch office into multiple site objects on the Infinity Portal.

What's the Service Level Agreement for CloudGuard Connect

A formal document will be made available shortly, but the SLA is 99.999% thanks to our public cloud infrastructure and reliable mature security products.

Will it be possible to have policy that determines which application will use which IPsec tunnel/connection? Are there any options in the policy that determine if the latency or packet loss of a link reaches a certain threshold, an uplink won't be used anymore? Is there dynamic path selection possible?

This is a function provided by most SD-WAN Edge Devices. It is configured on the device, not in CloudGuard Connect.

aheilmaier · ‎2019-09-14

You mentioned briefly the CloudGuard Edge solution.

How does you solution match/respond on the trend of having a local breakout to the cloud ?

For example with Office 365 the local breakout is recommended.

a) does/how does Cloud Guard Edge provide this architecture feature of a local breakout ?

b) Is Cloud Guard Connect the recommended architecture because of more implemented security features than with Cloud Guard Edge only ?

c) Is this a balancing act, like on the one side I would have a local breakout for better quality, on the other side I will have more security but a centralized breakout maybe due to network constraints with not so good quality.

d) Does Cloud Guard Connect also provide performance data ? Or should I start the typical implementation of performance measurment on the edge e.g. when SD-WAN boxes provide performance data ?

Tomer_Sole · ‎2019-09-14

These are good questions.

Both CloudGuard Connect and CloudGuard Edge address the need for local breakout. With CloudGuard Connect, the device tunnels traffic to the Check Point cloud enforcement before going to the Internet. With CloudGuard Edge, the device runs the Check Point enforcement inside the local device before going to the Internet.

Generally the same security capabilities are applied at both products, except that:
- CloudGuard Edge runs the Check Point embedded OS while CloudGuard Connect runs the full Check Point capabilities. Currently, Check Point's embedded OS is not based on the R80.30 train but on R77.20.87 (small medium business SMB train have that kind of versioning numbers), but this is planned to change early next year.
- With CloudGuard Connect, security capabilities are always up to date while at CloudGuard Edge the administrators choose when to upgrade their embedded OS.
- CloudGuard Connect is able to perform more computational tasks because it is auto-expandable and not bound to RAM and CPU constraints. However at the moment the main difference is the R8x train base.

The balancing act is about these:
- With CloudGuard Edge you own the platform, that means you are in charge of upgrading it, troubleshooting it and expanding it when there's a need, while with CloudGuard Connect the solution is a service, not a platform, which means less operational tasks.
- CloudGuard Edge fits sites that don't require more than 1 core and 1 GB RAM of the platform while CloudGuard Connect works based on the total number of users.
- CloudGuard Connect protects traffic going from the branch to the Internet. This includes dropping the response if it is found malicious, but the main thing is that the initiator of each request sits inside the branch office. CloudGuard Edge protects traffic from the branch to the internet as well as traffic initiated from the Internet and into the branch, for example if you have a server in that site.
- Some devices simply cannot support the on-premise security containment technology, and we make specialized editions of CloudGuard Edge for every specific vendor, while CloudGuard Connect works with anything that has a VPN configuration option.