By John Guo, Cloud Alliance Architect, Check Point Software Technologies
Firewalls are often the main bottleneck when publishing new applications, because manual rule management cannot keep up with the dynamic nature of modern applications and DevOps teams. In this blog, we share how Check Point and HashiCorp partnered to help customers keep up with their DevOps teams while still maintaining their security and compliance posture.
Check Point CloudGuard and HashiCorp Consul NIA integration
#1 Created a centralized database for all applications
One of the key components for automating infrastructure changes is a centralized registry that contains all the information a network and firewall administrator needs: the name of the service, its IP addresses, port numbers, and data flows. The biggest challenge is keeping this database up to date. Often this information lives in a spreadsheet that is never updated after the initial effort of putting it together, or, when the spreadsheet is updated, the changes are never reflected in the firewall.
HashiCorp Consul solves this problem by providing a centralized database of application details. Consul is agent-based, so it can be installed on virtual machines and containers in any cloud and on on-prem devices. The database is updated continuously as applications are monitored, with updates occurring every few seconds. Consul can even perform service discovery, which provides additional insight into service health and visibility that can be used for further security purposes.
#2 Extract the application metadata from Consul and apply the changes to CloudGuard
Consul-Terraform-Sync (CTS) is a new tool, now generally available, that helps organizations achieve Network Infrastructure Automation. CTS leverages Terraform's provider ecosystem and Consul's service catalog to detect changes to an application and automatically apply those changes to the Check Point Management server. A change can be a new node (IP address) registering with, or deregistering from, an existing Consul service. If that service is registered with the Check Point CloudGuard module, CTS uses Check Point's Terraform provider to commit the change to each participating Check Point gateway. Application updates are fully automated and do not require a firewall policy install, which would otherwise require a change management ticket. With this integration, our customers can keep up with every application-scaling event without manual intervention.
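The configuration below is an added illustration of the CTS task described above; it is not configuration from the original post or from Check Point's or HashiCorp's published modules. The Consul address, Check Point Management server address, credentials, service name and task name are constructed placeholders, and the Terraform module referenced in `source` is an assumed name for whatever module maps Consul service nodes onto a Check Point object. The provider source `CheckPointSW/checkpoint` and its `server`, `username`, `password` and `context` arguments are those of Check Point's published Terraform provider.

```hcl
# Added example: a Consul-Terraform-Sync configuration that watches one Consul
# service and pushes its node IP changes to a Check Point Management server.
log_level = "INFO"

# Where CTS reads the service catalog from (constructed address).
consul {
  address = "consul.internal.example:8500"
}

# CTS drives Terraform; declare the Check Point provider it must download.
driver "terraform" {
  log = true
  required_providers {
    checkpoint = {
      source = "CheckPointSW/checkpoint"
    }
  }
}

# Credentials for the Management server's web API (constructed values).
# In a real deployment these should come from a secrets manager, not a file on disk,
# and the account should be limited to the object changes CTS needs to make.
terraform_provider "checkpoint" {
  server   = "cp-mgmt.internal.example"
  username = "cts-automation"
  password = "REPLACE_WITH_SECRET"
  context  = "web_api"
}

# One task per application tier: whenever nodes of the "web" service register or
# deregister in Consul, CTS re-runs the module and updates only the network object
# that the application's policy layer references, so no policy install is needed.
task {
  name        = "cloudguard-web-tier"
  description = "Keep the web tier's IP addresses in sync with Consul"
  source      = "example-org/cloudguard-consul-sync/checkpoint" # assumed module name
  providers   = ["checkpoint"]
  services    = ["web"]
}
```

Scoping each task to a single service, and giving the automation account only the object-management rights it needs, keeps an unexpected catalog change from touching rules that belong to other applications.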
#3 Maintain the security posture of our firewall rules
Check Point releases hundreds of new features as part of each major release. One of these new features is the introduction of Policy Layers.
Released as part of the R80 platform, this simple feature allows our customers to define both coarse-grained and fine-grained control in their firewall policy. Customers can now separate their applications into individual policy layers, which ensures that changes to one policy layer do not affect the other overarching applications and greatly reduces the risk of each application-related firewall change. The result is lower risk per firewall change and less time spent on change management.
The policy layer feature helps security administrators maintain the security posture of the firewall. During the design and deployment of an application, security administrators sign off on the required firewall rules, ensuring they meet both security and compliance requirements. Any subsequent firewall rule change for the application must be reviewed by Security. With the Consul-Terraform-Sync integration, only the IP address updates are applied automatically, which allows our firewalls to keep up with the speed of application changes and frees up security administrators' time to design and review firewall flows.
Thanks to this partnership, maintaining security while keeping up with the speed of DevOps is possible with the Check Point and CTS integration. Our customers can now reduce the risk of each firewall rule change, keep their rules up to date, and maintain access control that stays compliant across the entire life cycle of the application.