
Check Point CloudGuard Network Security streamlines operational efficiency with as-a-Service solution on AWS

By Jonathan Maresky, Cloud Product Marketing Manager, published November 29, 2021

Check Point is honored and excited to take cloud security innovation to the next level through its integration with AWS Gateway Load Balancer and AWS Managed Gateway Endpoints. This blog post will provide some background to the announcement and the integrated offering, explain how it works with AWS services, and the benefits it provides customers.

Background:

I am a firm believer in giving praise where praise is due.

In this case, praise is due to AWS for their customer obsession in two separate but related areas.

Firstly – cloud network security:

In my early days at Check Point, I would often encounter cloud security engineers who would tell me that network security is no longer needed in the cloud, because it is “outdated on-prem technology”. They would also say that every cloud security need can be met with the cloud vendor’s existing capabilities, like AWS security groups. After researching this with various Check Point cloud security engineers and customers, I concluded this was a classic not-invented-here (NIH) response, where cloud vendors try to perpetuate the illusion that anything not available in their arsenal is unnecessary. Quite the technology Jedi mind trick.

Then AWS Network Firewall was announced at re:Invent in 2020, enabling customers to deploy a cloud network firewall in order to increase their AWS security with additional capabilities like domain filtering, more granular pattern matching, and signature-based intrusion detection and prevention.

This significant announcement was driven by customer obsession – to improve security by providing a foundational security capability.

Secondly – AWS Gateway Load Balancer (GWLB), and how it is extended by a cloud security vendor like Check Point to provide AWS customers with industry-leading cloud network security as a service:

AWS GWLB was also announced at re:Invent in 2020, and was also driven by customer obsession – to make cloud network security easier and more cost-effective to deploy and maintain, allowing AWS customers to choose their preferred cloud security vendor with reduced networking complexity. In fact, Check Point was one of the AWS partners to integrate with AWS Gateway Load Balancer at launch.

Customers immediately took advantage of the new capability to improve the efficiency and streamline the architecture and design of their AWS security. But the positive impact of AWS GWLB is not limited to inline security appliances that are deployed, configured, and maintained by AWS customers – GWLB also enables trusted cloud security vendors like Check Point to provide cloud network security as a service, by using new capabilities provided by GWLB.

This is customer obsession at work again, where AWS extends the options available to their customers: before, customers wanting a cloud-native managed network security service could only use AWS Network Firewall; now customers can also choose to consume an AWS partner operated cloud network security solution as a service on AWS, thus providing a more native experience. This service also removes the overhead of managing, maintaining, and updating network security infrastructure, improving the customer’s operational efficiency and user experience.

An example of such a service-based solution is Check Point CloudGuard Network Security, now available as-a-Service to complement and enhance AWS native security.

How does Check Point address Cloud Network Security-as-a-Service on AWS?

Check Point CloudGuard Network Security is a cloud-native managed service which deploys security gateways, providing industry-leading advanced threat prevention together with elastic cloud network security. CloudGuard is automated at the speed of DevOps, and enables unified security management from a single-pane-of-glass.

A highly requested characteristic of this managed service is its ease of use and ease of consumption. It is highly scalable, highly available and features consumption-based billing. CloudGuard is natively integrated with AWS services, tools and the latest AWS architecture constructs, including AWS Gateway Load Balancer (GWLB).

The managed service can be deployed with just a few clicks and scales automatically as customers’ network traffic changes, so users do not need to deploy and manage the underlying infrastructure. CloudGuard significantly reduces the complexity and the operational costs for customers who want to inspect and filter traffic to, from, or between their Amazon VPCs (i.e. North-South and East-West traffic inspection).

CloudGuard is designed by and for cloud DevOps and DevSecOps.

It is intuitive and saves DevOps time and effort with a streamlined onboarding experience. Moreover, CloudGuard can be fully managed using Infrastructure as Code.

Enterprise-grade security is key for DevSecOps: Check Point is a Leader in the 2021 Gartner Magic Quadrant for Network Firewalls, for the 22nd year. CloudGuard also supports data center objects in security policy (so policy can reference cloud assets by name rather than by IP address) and integrates with third-party security solutions. It includes Check Point’s advanced threat prevention features together with built-in high availability and unrestricted cloud scalability.

How does CloudGuard Network Security work as a service?

Onboarding is simple, quick and intuitive:

After the customer creates an account in the Check Point portal and selects CloudGuard Network Security, the service initiates a cross-account role between the Check Point and customer accounts, granting the permissions needed for resource visibility and for Managed GWLB Endpoint (MGE) deployment in the customer’s accounts. A setup wizard then walks the customer through defining security policies and configuring situational visibility for monitoring and logging.

To better understand how CloudGuard Network Security works as a service, let’s consider “before” and “after” architecture diagrams. The figure below represents a typical deployment of CloudGuard Network Security, implemented as an auto-scaling group of virtual security gateways inside a security VPC. The customer needs to deploy the security gateways and perform the complex network routing to connect them to spoke VPCs via AWS GWLB, GWLB endpoints (GWLBEs) and AWS Transit Gateway (TGW). The customer also has to size the security gateway instances appropriately, and update and maintain them over their lifetime.

Typical cloud network security architecture without Network Security as a Service

CloudGuard Network Security architecture when deployed as-a-Service consists of two main components (see figure below). The GWLB Inspection VPC, on the right side, is deployed in Check Point’s account. This VPC communicates via the GWLB with GWLB endpoints (GWLBEs) inside the customer’s VPCs. These GWLBEs (also called Managed Gateway Endpoints, MGEs, because they can be managed by third-party vendors) are deployed by CloudGuard using the cross-account permissions that were set up during onboarding, and are billed directly to Check Point. This enables CloudGuard to wrap all components and underlying infrastructure into a single bill, charged to the customer by Check Point. Check Point-managed components are highlighted in pink, while customer-managed components are highlighted in grey.

Typical cloud network security architecture with CloudGuard Network Security deployed as a service
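The cross-account role created at onboarding, and later used by the vendor to deploy GWLB endpoints into your VPCs, is the one piece of this service that lives in the customer’s account, so it deserves a review before it is granted. The following is an added example (not Check Point’s or AWS’s code) of how a customer might lint such a role: it checks that the trust policy names only the vendor’s account and carries an sts:ExternalId condition (the standard protection against the confused-deputy problem for third-party roles), and that the permissions policy is limited to an explicit action list rather than wildcards. The vendor account ID, the ExternalId and the action allow-list are assumptions made for illustration; substitute the values the vendor actually documents.

```python
"""Review a vendor's cross-account IAM role before granting it.

Added example, not Check Point or AWS code. The account ID, ExternalId
and action allow-list are assumptions for illustration only.
"""
from fnmatch import fnmatch

VENDOR_ACCOUNT = "111111111111"          # assumed vendor account, not a real one
EXTERNAL_ID = "cust-7f3a9c-onboarding"   # assumed per-customer token

# Assumed minimal action set for "resource visibility" plus endpoint deployment.
ALLOWED_ACTIONS = frozenset({
    "ec2:DescribeVpcs", "ec2:DescribeSubnets", "ec2:DescribeRouteTables",
    "ec2:DescribeVpcEndpoints", "ec2:CreateVpcEndpoint",
    "ec2:DeleteVpcEndpoints", "ec2:CreateTags",
})

# Constructed sample trust policy: the role trusts only the vendor account,
# and only when the caller presents the agreed ExternalId.
GOOD_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{VENDOR_ACCOUNT}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}},
    }],
}
# Constructed weak variant: any AWS principal may assume it, no ExternalId.
BAD_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"},
                   "Action": "sts:AssumeRole"}],
}
# Constructed permissions policies: explicit list vs. service-wide wildcard.
GOOD_PERMS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": sorted(ALLOWED_ACTIONS),
                   "Resource": "*"}],
}
BAD_PERMS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["ec2:*", "iam:PassRole"],
                   "Resource": "*"}],
}


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principals(stmt):
    """Return the AWS principals of a statement ('*' is the anonymous case)."""
    principal = stmt.get("Principal", {})
    if principal == "*":
        return ["*"]
    return _as_list(principal.get("AWS", []))


def review_trust_policy(policy, vendor_account, external_id):
    """Findings for Allow statements that trust the wrong party or skip ExternalId."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for principal in _principals(stmt):
            if principal == "*":
                findings.append("trusts every AWS principal (Principal '*')")
            elif vendor_account not in principal:
                findings.append(f"trusts unexpected principal {principal}")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if cond.get("sts:ExternalId") != external_id:
            findings.append("sts:ExternalId missing or wrong (no confused-deputy protection)")
    return findings


def review_permissions(policy, allowed):
    """Findings for actions outside the allow-list or granted via wildcards."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            findings.append("NotAction grants everything not listed; use an explicit Action list")
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action or "?" in action:
                # Wildcards match far more than the allow-list; show what they cover.
                matched = sorted(a for a in allowed if fnmatch(a, action))
                findings.append(f"wildcard action {action!r}; expand to explicit actions "
                                f"(it already covers {matched or 'nothing in the allow-list'})")
            elif action not in allowed:
                findings.append(f"action {action!r} is not in the documented allow-list")
    return findings


if __name__ == "__main__":
    for name, result in [
        ("good trust", review_trust_policy(GOOD_TRUST, VENDOR_ACCOUNT, EXTERNAL_ID)),
        ("bad trust", review_trust_policy(BAD_TRUST, VENDOR_ACCOUNT, EXTERNAL_ID)),
        ("good perms", review_permissions(GOOD_PERMS, ALLOWED_ACTIONS)),
        ("bad perms", review_permissions(BAD_PERMS, ALLOWED_ACTIONS)),
    ]:
        print(name, "->", result or "OK")
```

The checker is deliberately strict: IAM action matching is case-insensitive and supports wildcards, but a third-party role that needs `ec2:*` to deploy endpoints is a sign the scope has not been worked out, so any wildcard is reported rather than silently expanded. Resource-level scoping (limiting `ec2:CreateVpcEndpoint` to specific VPCs or subnets by ARN) is the next tightening step and is left out here.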

What are the benefits of CloudGuard’s Network Security as a Service offering to customers?


You may be familiar with CloudGuard’s pillars of Security · Automated · Everywhere.

Let’s see how these pillars apply to the benefits to CloudGuard Network Security customers when used as a service.

Security:

Automated:

Everywhere:

What’s next?

If you would like to take advantage of these operational benefits and are ready to be an early adopter, you’re invited to join the Early Availability program.

Are you attending AWS re:Invent, the biggest cloud event of the year? If so, please meet us at the Check Point booth #1004 next to the AWS Marketplace Pavilion. You can share your network security requirements and we will explain how CloudGuard Network Security can address your needs. In addition, we will have other exciting news, and you can also test your trivia knowledge to win prizes!

Check Point is also a sponsor of the AWS Jam Lounge where conference attendees can get hands-on experience with Check Point in an AWS environment through a dedicated mini-hack event.

If you are migrating to the cloud and evaluating cloud network security solutions, download the Buyer’s Guide to Cloud Network Security to understand:

Another fascinating document is the Forrester Total Economic Impact of CloudGuard Network Security: Forrester Research interviewed a $10B+ US-based healthcare company that uses CloudGuard to secure its hybrid-cloud deployment and generated a 169% ROI. To read this document, click here.

If you are in the process of planning your migration to AWS, please fill in the form to schedule a demo, and a cloud security expert will help you work through your needs.

Do you want to read more about cloud security?

Download the Check Point cloud security blueprint documents:

If you are ready to trial CloudGuard Network Security on AWS, contact us to ask whether there is a 3-hour deep-dive technical workshop in your region/country and in your local language. If you have any other questions, please contact your local Check Point account representative or partner using the same contact us link.

Follow and join the conversations about Check Point and CloudGuard on Twitter, Facebook, LinkedIn and Instagram.
