Enhance Application Security with Nutanix Flow and Check Point CloudGuard

By Daniel Mirkin, CloudGuard Project Manager, and Abhishek Tiwari, Senior Director, Product Management, Nutanix Flow, published May 4, 2021

Nutanix provides a “web-scale, hyperconverged infrastructure solution purpose-built for virtualization and both containerized and private cloud environments”.

Nutanix Flow offers policy-based network security tightly integrated into Nutanix AHV and Prism Central. Flow provides rich visualization, automation, and security for VMs running on AHV. Microsegmentation is a component of Flow networking that simplifies policy management. Using multiple Prism Central categories (logical groups), users can create a powerful distributed firewall that gives administrators an application-centric policy management tool for securing VM traffic.

Flow Microsegmentation Architecture (Source: Nutanix)

Check Point CloudGuard Network Security integrates with Nutanix to augment Flow microsegmentation with multi-layered defense that protects East-West traffic within the Nutanix-deployed data center. CloudGuard transparently enforces security at the hypervisor level and between virtual machines. It automatically quarantines infected virtual machines for remediation, and provides comprehensive visibility into virtual network traffic trends and threats.

Let’s dive into a few of the recent security enhancements in Nutanix and how Check Point CloudGuard uses them to harden private cloud security for Check Point customers.

Network Topology

Check Point CloudGuard supports importing Nutanix virtual infrastructure entities.

Check Point CloudGuard connects to Nutanix Data Center and integrates the virtual cloud environment with Check Point CloudGuard gateways. CloudGuard automatically updates the security policy and security logs.

Check Point CloudGuard reads the inventory from Nutanix Data Center and allows the security operator to use virtual machines and categories from the inventory as part of the security policy. Check Point CloudGuard watches these objects and updates the gateway regarding any change that might occur on the Nutanix side.

Nutanix allows the dynamic export of network topology, providing Check Point CloudGuard with immediate access to all network configuration changes.

This functionality is particularly important to support the dynamic nature of customer cloud deployments.

Dynamic, Context-Based Grouping 

Check Point CloudGuard enables automated deployment of Check Point CloudGuard security gateways and micro-segmentation capabilities.

Check Point CloudGuard integration with Nutanix

Service chain insertion

You can direct each defined flow in an application policy through a service chain. The deployment workflow of Check Point CloudGuard security gateways can automate the creation of the service chain directly from a Nutanix Calm blueprint. Once the service chain is created, it is available to use in Nutanix Flow policy for traffic redirection. In Prism Central, use Flow to create the allowed inbound or outbound rule, and then select the desired service chain from the drop down menu.

Redirect through CloudGuard service chain

Check Point’s unified Security Management server and multi-domain servers allow cloud-native integration between Check Point CloudGuard Network Security and Nutanix. The Security Management server constantly monitors the CloudGuard security gateways deployed on Nutanix Data Center and keeps them synchronized with it.

Some popular use cases for Check Point CloudGuard’s integration with Nutanix Flow include:

  • Application Micro-segmentation
  • Secure End-User Compute (EUC)
  • Branch Office / ROBO Application Segmentation

  1. Application Micro-segmentation

The challenge:

Traditional approaches to securing virtual applications against East-West network traffic are difficult: they require complex network designs and configuration, often hairpinning traffic, which negatively impacts cost and performance. Without micro-segmentation, your virtual applications may be exposed to threats or vulnerabilities.

The solution:

Micro-segmentation helps reduce the attack surface by preventing East-West lateral movement in your network. This is achieved by deploying Check Point CloudGuard security gateways integrated with Nutanix Flow. Use the Nutanix Calm blueprint to create service chains and deploy Check Point CloudGuard security gateways on every AHV host. With Nutanix Flow, specific traffic can be transparently directed to the Check Point CloudGuard security gateway in the service chain for deep packet inspection, based on the user-defined Nutanix Flow policy. Together, Nutanix Flow and Check Point CloudGuard security gateways deliver application micro-segmentation with deep packet inspection, protecting your virtual environments from East-West lateral movement of attacks and improving Nutanix security.

  2. End User Computing

The challenge:

Virtual desktops are growing in popularity, but hosting all of these desktops within your core data center also dramatically increases your attack surface without the proper protections in place. The dynamic nature of these desktops can also make security management challenging.

The solution:

Nutanix Flow isolates groups of virtual desktops (or each individual desktop within a group) with a simple one-click security policy. Check Point CloudGuard security gateways inspect and enforce Layer 7 controls (such as URL Filtering, Malware Detection) as well as block threats across the virtual desktop infrastructure.

  3. Branch Office / ROBO Application Segmentation

Remote Office / Branch Office (ROBO) applications are often subject to network threats and vulnerabilities. Securing these applications is challenging due to the small footprints of such deployments and the distributed policy management needed at each remote site.

Nutanix Flow with Prism offers centralized management of security policies with local enforcement at each site, providing both simplified management and optimal control. Nutanix Flow integrated with Check Point CloudGuard provides multi-layered security at the ROBO site with deep packet inspection. In addition, Check Point CloudGuard running on AHV can also serve as a virtualized secure gateway for the entire site.

Benefits of the integration

Nutanix and Check Point have partnered to deliver an integrated solution with Check Point CloudGuard, which enables companies to realize the full potential of their hybrid cloud infrastructure on Nutanix AHV while providing protection against potential vulnerabilities, malware, and other sophisticated threats. Nutanix Flow’s ability to secure L4 traffic is augmented by CloudGuard’s industry-leading threat prevention capabilities. The joint solution for Nutanix Data Center effectively addresses one of the key challenges of modern data center networks: it secures workloads at the perimeter with Check Point’s industry-leading next-generation firewall and segments East-West traffic within the virtual environment using granular L4 policies with L7 inspection.

Check Point CloudGuard security gateways are placed on each AHV host and controlled by Check Point Security Management (Source: Nutanix)

The bridge mode operation intercepts traffic and can block it before it is forwarded. Bridge network functions have ingress and egress interfaces. In the diagram below, VM-A traffic is redirected through a bridged Check Point CloudGuard security gateway for deep packet inspection. The following configuration is deployed on every AHV host in the cluster.

Check Point CloudGuard Network Security with service chaining protects against advanced threats (Source: Nutanix)

What is Check Point CloudGuard Network Security?

Check Point CloudGuard Network Security is a cloud-native security gateway which delivers industry-leading advanced threat prevention and multi-layered network security for all public, private and hybrid cloud deployments.

High-level architecture diagram of Check Point CloudGuard for increased private cloud security

Threat prevention security features include Firewall, DLP, IPS, Application Control, IPsec VPN, Antivirus and Anti-Bot, Threat Extraction and Threat Emulation.

Integrated with leading configuration management tools, Check Point CloudGuard enables rapid deployment and supports full automation to support CI/CD processes and Infrastructure as Code practices.

The Unified Security Management console provides consistent visibility, policy management, logging, reporting and control across all public, private and hybrid cloud networks as well as for on-premises deployments.

What’s next?

If you’d like to learn more about Check Point CloudGuard Network Security, please speak with your Check Point channel partner, your account Security Engineer or contact us.

To read the Forrester Total Economic Impact of Check Point CloudGuard Network Security, in which Forrester interviewed a $10B+ US-based healthcare company that uses CloudGuard to secure its hybrid-cloud deployment and generated a 169% ROI, click here.

If you are in the process of planning your migration to the cloud, please contact us to schedule a demo, and a cloud security expert will help you understand your needs.

Do you want to read more about cloud security?

Download the Check Point cloud security blueprint documents:

  • This document introduces the cloud security blueprint and describes key architectural principles and cloud security concepts.
  • This document explains the blueprint architecture, describes how Check Point’s cloud security solutions enable you to implement the blueprint, and how these address the cloud security challenges and architectural principles that were outlined in the first document.
  • This document provides reference architectures for implementing the cloud security blueprint.

If you have any questions, please contact your local Check Point account representative or partner, or contact us here.

Follow and join the conversations about Check Point and Check Point CloudGuard on Twitter, Facebook, LinkedIn and Instagram.