
CHECK POINT VSEC: SECURE YOUR AZURE HYBRID CLOUD

Thank you for joining the webinar. We’ll get started shortly …

©2017 Check Point Software Technologies Ltd. 1


CHECK POINT AND MICROSOFT AZURE:
ARCHITECTURE AND USE CASES FOR
SECURE HYBRID CLOUD
Advanced Threat Prevention Security for Public
and Hybrid Clouds
September 6, 2017



TODAY’S SPEAKERS

• Greg Pepper, Head of Security Architects, Check Point Software Technologies
• Nava Vaisman Levy, Technical Evangelist, Microsoft Azure
• Peter Ostashen, Senior IT Manager, Denham Capital


Agenda
• Azure Cloud Services and Use Cases
• Check Point vSEC Cloud Security Components
• Check Point Cloud Security Use Cases
• Customer Case Study: Denham Capital
• Summary
• Q&A



AZURE AND YOU SHARE RESPONSIBILITY FOR CLOUD SECURITY

• Customers protect their apps and data in the cloud
• Azure takes care of protecting the cloud infrastructure


MICROSOFT AZURE OVERVIEW



Trust

Openness and flexibility

Application innovation

Data and intelligence



Achieve global scale, in local regions (Trust)

38 Azure regions

NEWLY ANNOUNCED:
France: France Central and France South
Korea: Korea Central and Korea South
DoD East and Central


VIRTUAL NETWORKS AND SECURITY GROUPS

• Create Virtual Networks with Subnets and Private IP addresses
• Configure access control rules, which can be applied across Virtual Networks to thousands of machines in seconds
• Can bring your own DNS and can domain join your VMs

[Diagram: Internet client reaching Microsoft Azure through the Cloud Access Layer and an RDP Endpoint (password access); Customer 1 and Customer 2 deployments (Deployment X, Deployment Y) with Subnets 1-3 in Isolated Virtual Networks; Corp 1 VPN (VLAN-to-VLAN); DNS Server]


USER DEFINED ROUTING AND VIRTUAL APPLIANCES



Network watcher and diagnostics (NEW)
Understand your network and resolve problems

• Visualize IP Flow for enhanced troubleshooting
• Integration with Operations Management Suite (OMS)
• VPN Gateway and Tunnel Health
• Application Gateway Metrics
• Network Security Groups and User Defined Routes Diagnostics improvements

[Diagram: Download → Analyze, with Microsoft analytics or third party / on-prem tools]


AZURE LOAD BALANCER

• Layer 4 (TCP, UDP)
• Internal / External
• Hash based distribution algorithm. Default is a 5 tuple configuration
• Port Forwarding
• Source NAT (SNAT)


AZURE RESOURCE MANAGER CONCEPTS

• Resource Group
• Template Deployment
• Tags
• Access Control
• Consistent Management Layer


Typical ARM VM deployment



Resource Groups



Template Deployment



AZURE SECURITY CENTER

• Gain visibility and control
• Integrated security, monitoring, policy management
• Built in threat detections and alerts
• Works with broad ecosystem of industry leading 3rd party security solutions including: (partner logos not captured)

[Diagram: continuous cycle of Set Policy & Monitor (Understand current state) → Deploy integrated solutions (Deploy & Detect) → Visibility & Control → Find threats that might go unnoticed → Respond & recover faster → Continue learning]


LOG ANALYSIS WITH OMS SECURITY


WHY DO WE NEED
ADVANCED SECURITY IN
THE CLOUD?
UNDERSTANDING CLOUD SECURITY
CHALLENGES



CLOUD SECURITY REQUIREMENTS

Sacrificing speed and agility for security

Consistent protections and policy management

Consolidated visibility, logging and reporting

Increasing sophistication of threats & malware

Lateral spread of threats



CHECK POINT VSEC FOR MICROSOFT AZURE
Advanced Threat Prevention Security for Hybrid Clouds

vSEC GATEWAY
• Comprehensive protections including: Firewall, IPS, AntiBot, AntiVirus, VPN, DLP and SandBlast Zero-Day Protections
• Secure traffic between applications in the hybrid cloud

vSEC CONTROLLER
• Automated security with unified management
• Context-aware policies and logs leveraging Azure defined objects
• Consolidated logging and reporting across private, public and hybrid clouds


Check Point vSEC Components

vSEC GATEWAY
• Multiple ARM Templates
• Use UDR Route Tables & ELB NAT to Service Chain

vSEC CONTROLLER
• Auto-Provision vSEC Instances
• Context-aware policies leveraging “cloud”-defined objects


vSEC Controller – Learns and Adapts

vSEC controller constantly tracks changes to objects imported from the cloud management server and updates Security Gateways

[Diagram: Azure Cloud → API Scanner → vSEC Controller on the R80 Management Server]


APPLICATION-AWARE POLICY with vSEC Controller

Check Point Access Policy

Rule | From                        | To                         | Application | Action
3    | Finance_App1 (Azure Object) | Database_Group (Azure Tag) | MSSQL       | Allow
4    | Finance_Users (AD Group)    | Finance_Apps (Azure VNET)  | CRM         | Allow
5    | User_ID                     | SAP_App (Azure Object)     | SAP         | Allow

Security policy with application identity tied to SDN and Cloud platforms


USE CASE: AZURE CLOUD OBJECT DISCOVERY WITH VSEC

Reference Architecture
• Auto-discovery of Azure defined
objects
• Leverages Azure objects like VPC’s,
Subnets and Instances in security
policies and logs
• Policies updated in real-time
• Improved visibility and forensics
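The policy table and the auto-discovery bullets above both describe the same mechanism: rules name Azure objects, tags and VNETs, and the controller re-resolves those names against the live inventory so a newly created VM is covered without touching the rulebase. The following is an added illustration, not Check Point code; rule numbers and object names follow the slide's table, while the IPs, tags, VNET ranges and the identity source used for Finance_Users and User_ID are constructed assumptions.

```python
"""Added example: rulebase referencing Azure-defined objects, re-resolved on
each lookup against the current inventory (all IPs/tags/VNETs are constructed)."""
import ipaddress
from collections import namedtuple
VM = namedtuple("VM", "name ip vnet tags", defaults=[frozenset()])  # one scanned Azure VM
INVENTORY = [                           # constructed subscription inventory
    VM("Finance_App1", "10.1.1.10", "Finance_Apps"),
    VM("db-01", "10.1.2.20", "Data", {"Database_Group"}),
    VM("SAP_App", "10.1.3.30", "SAP"),
]
VNETS = {"Finance_Apps": "10.1.1.0/24", "Data": "10.1.2.0/24", "SAP": "10.1.3.0/24"}
IDENTITIES = {"Finance_Users": ["192.168.5.7"], "User_ID": ["192.168.5.9"]}  # assumed

RULES = [  # (rule, (kind, name) source, (kind, name) destination, application, action)
    (3, ("AzureObject", "Finance_App1"), ("AzureTag", "Database_Group"), "MSSQL", "Allow"),
    (4, ("Identity", "Finance_Users"), ("AzureVNET", "Finance_Apps"), "CRM", "Allow"),
    (5, ("Identity", "User_ID"), ("AzureObject", "SAP_App"), "SAP", "Allow"),
]

def resolve(kind, name, inventory):
    """Map a policy object to the networks it covers right now; no policy edit needed."""
    if kind == "AzureObject":
        nets = [vm.ip for vm in inventory if vm.name == name]
    elif kind == "AzureTag":
        nets = [vm.ip for vm in inventory if name in vm.tags]
    elif kind == "AzureVNET":
        nets = [VNETS[name]]
    elif kind == "Identity":
        nets = IDENTITIES[name]
    else:
        raise ValueError("unknown object kind %r" % kind)
    return [ipaddress.ip_network(n) for n in nets]

def match(src, dst, app, inventory):
    """First matching rule wins; anything unmatched hits the implicit cleanup rule."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for num, (sk, sn), (dk, dn), rule_app, action in RULES:
        if (rule_app == app
                and any(s in n for n in resolve(sk, sn, inventory))
                and any(d in n for n in resolve(dk, dn, inventory))):
            return num, action
    return None, "Drop"

def controller_learns_new_db():
    """A DB VM tagged Database_Group is matched by rule 3 as soon as it is scanned."""
    inv = list(INVENTORY)
    before = match("10.1.1.10", "10.1.2.21", "MSSQL", inv)
    inv.append(VM("db-02", "10.1.2.21", "Data", {"Database_Group"}))
    return before, match("10.1.1.10", "10.1.2.21", "MSSQL", inv)
```

Note that an untagged VM in the same subnet stays on the cleanup rule, which is the property that makes tag hygiene part of the security policy.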



R80 MANAGEMENT CONSOLE
– VSEC CONTROLLER

DEMO



Auto-Provisioning Components

Management Server – Auto Provisioning Service
• Monitors Azure accounts for new GWs (determined by tags)
• Utilizes Azure tags to allow gateways to automatically build trust with management server
• Applies Configuration template to GW. Template identified by tag. It determines:
  • Blades to be activated
  • Name of policy to be pushed
• Configured in autoprovision.json file

vSEC Gateway – Deployment Script (Azure ARM Template)
• Executes first time GW configuration
• Adds tags to instances. Tags specify:
  • Management Server
  • Configuration Template on Management server
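The two halves above form one loop: the ARM deployment tags the gateway with its management server and template, and the service on the management side decides from those tags which gateways to take over and with which blades and policy. The following planning step is an added illustration, not Check Point's auto-provisioning service; the config shape, the tag keys and the instance list are constructed assumptions standing in for autoprovision.json and a real Azure account scan.

```python
"""Added example: tag-driven provisioning plan in the spirit of the slide's
autoprovision.json (field names, tag keys and instances are assumed/constructed)."""
import json

CONFIG = json.loads("""{
  "management": "mgmt-r80",
  "templates": {
    "web-frontend": {"blades": ["fw", "ips", "av"], "policy": "Azure_Web_Policy"},
    "east-west":    {"blades": ["fw", "ips"],       "policy": "Azure_Segmentation"}
  }
}""")
TAG_MGMT, TAG_TEMPLATE = "x-chkp-management", "x-chkp-template"   # assumed tag keys

def plan(config, instances, provisioned):
    """Decide what the service would do for each VM it sees. provisioned = names
    already trusted by the management server. Returns (actions, skipped)."""
    actions, skipped = [], []
    for inst in instances:
        tags = inst.get("tags", {})
        if tags.get(TAG_MGMT) != config["management"]:
            skipped.append((inst["name"], "not tagged for this management server"))
            continue
        if inst["name"] in provisioned:
            skipped.append((inst["name"], "already provisioned"))
            continue
        tmpl = config["templates"].get(tags.get(TAG_TEMPLATE))
        if tmpl is None:   # a misspelled template tag must not leave a gateway unmanaged silently
            skipped.append((inst["name"], "unknown template %r" % tags.get(TAG_TEMPLATE)))
            continue
        actions.append({"gateway": inst["name"], "ip": inst["private_ip"],
                        "blades": tmpl["blades"], "policy": tmpl["policy"]})
    return actions, skipped

INSTANCES = [  # constructed Azure VM list as the account monitor would see it
    {"name": "vsec-web-1", "private_ip": "10.0.1.4",
     "tags": {TAG_MGMT: "mgmt-r80", TAG_TEMPLATE: "web-frontend"}},
    {"name": "vsec-ew-1", "private_ip": "10.0.2.4",
     "tags": {TAG_MGMT: "mgmt-r80", TAG_TEMPLATE: "east-west"}},
    {"name": "vsec-old", "private_ip": "10.0.3.4",
     "tags": {TAG_MGMT: "mgmt-r80", TAG_TEMPLATE: "web-frontend"}},
    {"name": "vsec-typo", "private_ip": "10.0.4.4",
     "tags": {TAG_MGMT: "mgmt-r80", TAG_TEMPLATE: "web-frontned"}},
    {"name": "app-vm", "private_ip": "10.0.5.4", "tags": {"role": "app"}},
]

if __name__ == "__main__":
    acts, skip = plan(CONFIG, INSTANCES, provisioned={"vsec-old"})
    print(json.dumps({"actions": acts, "skipped": skip}, indent=2))
```

The skipped list is the part worth alerting on: a gateway tagged for the wrong template is a gateway running without the intended blades and policy.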



VSEC GATEWAY
DEPLOYMENT
METHODOLOGIES AND
USE CASES
HOW TO DEPLOY VSEC INTO AZURE CLOUD



Check Point vSEC for Azure – Deployment Use Cases

[Diagram: Internet → vSEC GW (Frontend Subnet / Backend Subnet) inside a Microsoft Azure Virtual Network; UDRs on the Web Subnet (Web Servers) and the DB Subnet (DB) send traffic through the vSEC GW]


Common Scenarios
• Internet facing web application -> N-S protection
̶ Network Firewall
̶ IPS
• Internal Network Segmentation & Segregation -> E-W protection
• VPN
̶ Corporate site to cloud VPN
̶ Secure remote access for Admins
̶ Mobile VPN access for Users – Employees, Contractors
• High Availability – HA clusters and VM scale sets
• ExpressRoute – VNET peering and service insertion

Use Case: Single vSEC Gateway in Azure deployment
• 2 NIC GW
• N/S traffic flows through vSEC GW
̶ Ingress because LB and GW Static NAT
̶ Egress because default route & Dynamic NAT
• Loadbalancer is used when you need additional PIPs for NATing internal resources
• Intra-VPC traffic inspected if needed!

Use Case: High Availability Cluster for Azure Deployment
• Active/Standby
• Stateful Failover
• On an availability set
• Failover involves API calls to
̶ Reassign the cluster IP
̶ Switch next hop on relevant UDR
̶ Reassign LB NAT rules target



Use Case: vSEC VM Scale Set for Autoscaling
• VM ScaleSet Used for vSEC
Gateways
• ScaleSet Attaches to External
and Internal Load Balancers
• Ingress TCP/UDP
• Egress HTTP/HTTPS via Proxy
• Active/Active Load Sharing for
N+1 Clustering & Performance



USE CASE: REMOTE ACCESS AND HYBRID CLOUD

Reference Architecture
• Check Point vSEC protects
assets in Azure vNET
• Complete SK article
• Deployment Scenarios and
Demo – YouTube video
• Clustering for HA
• ExpressRoute for Hybrid Cloud
• vNET peering



vSEC Gateway Deployments & Capabilities

Use Case     | Default GW | Multi-Availability Zone / Availability Set | Stateful failover | High Availability | Load Sharing | Intra-network inspection | Support VPN
Single GW    | Yes        | No                                         | No                | No                | No           | Azure: UDR               | Yes
HA Cluster   | Yes        | Yes                                        | Yes               | Yes               | No           | Azure: UDR               | Yes
VM Scale Set | No         | Yes                                        | No                | Yes               | Yes          | LB cluster redirection   | SSL VPN Only


Reference Architectures

Topic – Link
• Deploy Check Point with single interface, important for combining multi features on the Check Point box like VPN and HA. – Link
• How to deploy a Check Point Security Gateway with multiple interfaces in Microsoft Azure. An ARM Template for this scenario on GitHub – Link
• Using Custom Data to execute an initialization script when launching Check Point Security Gateway in Microsoft Azure – Link
• Secure things-to-cloud communication (IoT) using encrypted tunnel - How to set up a VPN tunnel between a Check Point Security Gateway in Azure – Link
• Enhanced security for internet web facing applications – TBD
• High availability and fault tolerant deployment (GitHub template) – Link
• Compliance and security enforcement in the cloud – TBD
• Hybrid Cloud – Security and management – TBD


Customer Case Study

Peter Ostashen
Senior IT Manager, Denham
Capital



WHO ARE WE

• Denham Capital is a private equity firm with more than $8.5 billion invested in the power, oil and gas, and mining industries.
• Long time Check Point and Azure customer, with IT infrastructure built using on-premise data center and Azure cloud creating hybrid environment
• As Denham migrates its infrastructure to the cloud over the next two years, it needed a way to secure cloud-based assets—as easily as possible


BUSINESS AND TECHNICAL CHALLENGES
Business Challenges
• Securely migrate critical services to Azure Cloud to speed up
service delivery and reduce data center footprint
• Reduce high costs of operating physical data centers and
hardware
• Improve app performance for processing and analyzing financial
models with large amounts of data
• Rapid and easy deployment and provisioning of new offices and
users and moving existing accounts



BUSINESS AND TECHNICAL CHALLENGES
Technical Challenges
• Migrate critical business apps to the cloud without compromising
performance or security
• Ensure that cloud assets are as secure as premises-based assets
• Simplify security management across hybrid cloud with Single pane of Glass,
common security policies, centralized logs



WHY CHECK POINT?

• Industry Leader in Security
• Seamless integration with Azure and management of hybrid workloads
• Scalability & Flexibility to support dynamic environment and business requirements


THE SOLUTION – CHECK POINT AND AZURE
Capabilities and Technical Benefits
• Robust and Advanced Security across Hybrid
cloud
• Migration of back-office apps to the Azure cloud
• Phased migration using hybrid cloud approach
• Better app performance for end users
• Rapid and easy security provisioning
• Dynamic security policy that adapts in real-time
to changes in the environment
• Consistent security policy and threat visibility
across the Azure hybrid cloud



THE SOLUTION – CHECK POINT VSEC AND AZURE

“Check Point vSEC for Azure really eased the pain of securing our cloud. We have consistent security policy and threat visibility across both infrastructures. And we can ensure that every new service or workload in Azure is secured instantly. It just works.”
Peter Ostashen,
IT Manager, Denham Capital


DEPLOYMENT ARCHITECTURE AND IMPLEMENTATION
• Check Point vSEC for Azure virtual appliance for
advanced security, perimeter and lateral protection,
remote access and hybrid connectivity
• Check Point 4600 / 2200 Appliances deployed on-
premises and in branches
• Check Point vSEC Virtual Edition as Management
Appliance for security management across the
hybrid cloud and deployed on-premises
• Azure ExpressRoute, Azure LB, High Availability Sets,
Azure vNET, Azure Compute, Built-in security
controls, Azure site recovery, Azure Backup



NETWORK SECURITY DEPLOYED IN AZURE VNET – HYBRID CLOUD

[Diagram: Azure Availability Region 1 and Region 2, each with a Private Subnet, a Public Subnet and Load Balancing; ExpressRoute over a Service Provider WAN to the Customer Data Center (Check Point 46xx, Enterprise servers, Smart management); Branches with Check Point 22xx and Mobile Users; Check Point 45xx; Internet and SaaS apps]


SOLUTION RESULTS

• Rapid and easy deployment and provisioning of advanced security
• Unified and consistent security and management across multiple cloud and premises environments
• Consolidated view of on-premise and cloud security from a single pane of glass
• Advanced and scalable security for cloud apps to support speed and agility
• Delivered compelling return on investment in less than one year


SUMMARY
• Solution is Cost-Effective – Secure – Easy to Use
• Solution Delivers value now and in the future
Future Directions
• Deploy R80 Security Management for automation of policy deployment in the cloud
• Check Point can help provide guidance for future technology needs
• Cloud-based solution can scale and evolve


MICROSOFT IGNITE – CHECK POINT BOOTH

• Check Point is Gold sponsor at Microsoft Ignite conference, Sep 25-29, 2017, Orlando, FL. Please come visit us at Booth #807 to speak to a cloud security or mobile security expert or see a vSEC or SandBlast Mobile demo first hand
• Check Point Keynote Sessions featuring live joint customer testimonials and video success stories
• Cloud Security Breakout: Best Practices for Securing Hybrid Clouds in Microsoft Azure, and Azure Stack using Check Point vSEC
• Coming soon: vSEC support for Azure Stack for hybrid cloud support


CHECK POINT – MICROSOFT AZURE BOOT CAMPS

• Please attend our hands-on workshops to learn how easily and rapidly Check Point vSEC cloud security can be deployed in Azure hybrid cloud to protect workloads/apps
• Upcoming boot camps and seminars:
  • Sep 15 – St. Louis, MO
  • Sep 19 – Tampa, FL
  • Sep 20 – Las Vegas, NV
  • Sep 26 – Houston, TX and Minneapolis, MN


MORE INFORMATION - RESOURCES

• Check Point vSEC for Azure product page and collateral – Joint Solution Brief –
includes support for Azure Stack
• Check Point vSEC for Azure landing page with webinar recording and slides
• Cloud Security Shared Responsibility Whitepaper
• vSEC on Azure MarketPlace
• Check Point Reference Architectures /ARM templates for vSEC
• Customer References – case study and video
• Free Trial promotion – Azure credits
• vSEC for Azure Test Drive and User Guide
SUMMARY: WHY CHECK POINT VSEC FOR AZURE CLOUD?

Advanced threat prevention for Azure applications

Unified management for public cloud and hybrid cloud environments

Adaptive security with auto-scaling and auto-provisioning

Flexible deployment and extend security to Azure



Q&A

• Greg Pepper – Head of Security Architects, Check Point - gpepper@checkpoint.com
• Nava Vaisman Levy - Technical Evangelist, Microsoft Azure - navale@microsoft.com
• Peter Ostashen - Senior IT Manager, Denham Capital - peter.ostashen@denhamcapital.com
• Krishnan Subramanian – Product Marketing Manager, Check Point - ksubrama@checkpoint.com


THANK YOU
