By Jonathan Maresky, Cloud Product Marketing Manager, published November 29, 2021
Check Point is honored and excited to take cloud security innovation to the next level through its integration with AWS Gateway Load Balancer and AWS Managed Gateway Endpoints. This blog post will provide some background to the announcement and the integrated offering, explain how it works with AWS services, and the benefits it provides customers.
Background:
I am a firm believer in giving praise where praise is due.
In this case, praise is due to AWS for their customer obsession in two separate but related areas.
Firstly – cloud network security:
In my early days at Check Point, I would often encounter cloud security engineers who would tell me that network security is no longer needed in the cloud, because it is “out-dated on-prem technology”. They would also say that every cloud security need can be provided via the cloud vendor’s existing capabilities like AWS security groups. After researching this with various Check Point cloud security engineers and customers, I concluded this was a classic NIH response, where cloud vendors try to perpetuate the illusion that anything not available in their arsenal is unnecessary. Quite the technology Jedi mind trick.
Then AWS Network Firewall was announced at re:Invent in 2020, enabling customers to deploy a cloud network firewall in order to increase their AWS security with additional capabilities like URL filtering and more granular pattern matching and vulnerability detection.
This significant announcement was driven by customer obsession – to improve security by providing a foundational security capability.
Secondly – AWS Gateway Load Balancer (GWLB), and how it is extended by a cloud security vendor like Check Point to provide AWS customers with industry-leading cloud network security as a service:
AWS GWLB was also announced at re:Invent in 2020, and was also driven by customer obsession – to make cloud network security easier and more cost-effective to deploy and maintain, allowing AWS customers to choose their preferred cloud security vendor with reduced networking complexity. In fact, Check Point was one of the AWS partners to integrate with AWS Gateway Load Balancer at launch.
Customers immediately took advantage of the new capability to improve the efficiency and streamline the architecture and design of their AWS security. But the positive impact of AWS GWLB is not limited to inline security appliances that are deployed, configured, and maintained by AWS customers – GWLB also enables trusted cloud security vendors like Check Point to provide cloud network security as a service, by using new capabilities provided by GWLB.
This is customer obsession at work again, where AWS extends the options available to their customers: before, customers wanting a cloud-native managed network security service could only use AWS Network Firewall; now customers can also choose to consume an AWS partner operated cloud network security solution as a service on AWS, thus providing a more native experience. This service also removes the overhead of managing, maintaining, and updating network security infrastructure, improving the customer’s operational efficiency and user experience.
An example of such a service-based solution is Check Point CloudGuard’s Network Security, now available as-a Service to complement and enhance AWS native security.
How does Check Point address Cloud Network Security-as-a-Service on AWS?
Check Point CloudGuard Network Security is a cloud-native managed service which deploys security gateways, providing industry-leading advanced threat prevention together with elastic cloud network security. CloudGuard is automated at the speed of DevOps, and enables unified security management from a single-pane-of-glass.
A highly-requested characteristic of this managed service is its ease-of-use and ease-of consumption. It is highly scalable, highly available and features consumption-based billing. CloudGuard is natively integrated with AWS services, tools and its latest architecture constructs including AWS Gateway Load Balancer (GWLB).
The managed service can be deployed with just a few clicks and scales automatically as customers’ network traffic changes, so users do not need to deploy and manage the underlying infrastructure. CloudGuard significantly reduces the complexity and the operational costs for customers who want to inspect and filter traffic to, from, or between their Amazon VPCs (i.e. North-South and East-West traffic inspection).
CloudGuard is designed by and for cloud DevOps and DevSecOps.
It is intuitive and saves DevOps time and effort with a streamlined onboarding experience. Moreover, CloudGuard can be fully managed using Infrastructure as Code.
The enterprise-grade security is key for DevSecOps: Check Point is a Leader in the 2021 Gartner Magic Quadrant for Network Firewalls, for the 22nd year. CloudGuard also enables data center object policy controllability and integrates with 3rd party security solutions. It includes Check Point’s advanced threat prevention features together with built-in high availability and unrestricted cloud scalability.
How does CloudGuard Network Security work as a service?
Onboarding is simple, quick and intuitive:
After the customer creates an account in the Check Point portal and selects CloudGuard Network Security, the service inititates a cross-account role between Check Point and customer accounts, to provide permissions for resource visibility and Managed GWLB Endpoint (MGE) deployment in customer accounts. It then sets up security policies using an easy setup wizard and configures situational visibility for monitoring and logging purposes.
To better understand how CloudGuard Network Security works as a service, let’s consider “before” and “after” architecture diagrams. The figure below represents a typical deployment of CloudGuard Network Security, which is implemented with an auto-scaling group of virtual security gateways inside a security VPC. The customer needs to deploy the security gateways and perform the complex network routing to connect these to spoke VPCs via AWS GWLB/GWLBE and AWS Transit Gateway (TGW). The customer also has to size the security gateway instances appropriately, update, and maintain them over their lifetime.
Typical cloud network security architecture without Network Security as a Service
CloudGuard Network Security architecture when deployed as-a-Service consists of two main components (see figure below). The GWLB Inspection VPC, on the right side, is deployed in Check Point’s account. This VPC communicates via the GWLB to GWLB endpoints (GWLBEs) inside the customer’s VPCs. These GWLBEs (also called Managed Gateway Endpoints, MGEs, because they can be managed by 3rd-party vendors) are deployed by CloudGuard using the cross-account permissions that were set up during the onboarding process, and are billed directly to Check Point. This enables CloudGuard to wrap all components and underlying infrastructure into a single bill, charged to the customer by Check Point. Check Point-managed components are emphasized in pink, while customer-managed components are emphasized in grey.
Typical cloud network security architecture with CloudGuard Network Security deployed as a service
What are the benefits of CloudGuard’s Network Security as a Service offering to customers?
Credit: Freepik
You may be familiar with CloudGuard’s pillars of Security · Automated · Everywhere.
Let’s see how these pillars apply to the benefits to CloudGuard Network Security customers when used as a service.
Security:
- Enterprise-grade security with the most secure threat prevention: Industry-leading catch rate of malware, ransomware and other types of attacks.
- Recognized as a long-term leader by third-party analysts: Check Point’s Network Firewall is a Leader on the Gartner Magic Quadrant for Network Firewall for 22 consecutive years, has a Recommended rating by NSS Labs, and has over 28 years of security gateway intellectual property and cybersecurity technology innovation.
Automated:
- Ease of deployment, ease of use, and ease of consumption: Deployment from scratch within ten minutes. CloudGuard’s Network Security as a Service solution is deeply integrated with AWS native services to ensure an optimal user experience.
- Operational simplicity: CloudGuard’s Network Security as a Service solution eliminates the overhead of deployment, maintenance and management of cloud network security.
- Integrated with leading 3rd-party tools including configuration management, SIEM and SOAR: Command and control cloud-native security gateways programmatically, supporting Infrastructure As Code, CI/CD practices, automation of processes using APIs and security automation use cases for response and remediation teams.
Everywhere:
- Unified Security Management console: provides consistent visibility, policy management, logging, reporting and control.
- Extend on-premises security posture to the cloud easily, quickly and intuitively: ensures secure cloud migration and increase operational efficiency without the complexity of additional security solutions.
- Collects and leverages contextual information about cloud configurations: using asset tags, objects, security groups and more to automatically adjust security policies after any changes in dynamic cloud environments.
What’s next?
If you would like to benefit from the operational benefits and are ready to be an early adopter, you’re invited to join the Early Availability program.
Are you attending AWS re:Invent, the biggest cloud event of the year? If so, please meet us at the Check Point booth #1004 next to the AWS Marketplace Pavilion. You can share your network security requirements and we will explain how CloudGuard Network Security can address your needs. In addition, we will have other exciting news, and you can also test your trivia knowledge to win prizes!
Check Point is also a sponsor of the AWS Jam Lounge where conference attendees can get hands-on experience with Check Point in an AWS environment through a dedicated mini-hack event.
If you are migrating to the cloud and evaluating cloud network security solutions, download the Buyer’s Guide to Cloud Network Security to understand:
- The top 10 considerations when evaluating and choosing a cloud network security solution in more detail
- An overview of Check Point CloudGuard and how it answers these top 10 considerations
- The relative benefits of the solutions provided by leading cloud providers and third-party security vendors
Another fascinating document is the Forrester Total Economic Impact of CloudGuard Network Security: Forrester Research interviewed a $10B+ US-based healthcare company who uses CloudGuard to secure their hybrid-cloud deployment and generated a 169% ROI. To read this document, click here.
If you are in the process of planning your migration to AWS, please fill in the form to schedule a demo, and a cloud security expert will help to understand your needs.
Do you want to read more about cloud security?
Download the Check Point cloud security blueprint documents:
- Introduction to Cloud Security Blueprint introduces the cloud security blueprint and describes key architectural principles and cloud security concepts.
- Cloud Security Blueprint: Architecture and Solutions explains the blueprint architecture, describes how Check Point’s cloud security solutions enable you implement the blueprint, and how these address the cloud security challenges and architectural principles that were outlined in the first document.
- This document provides reference architectures for implementing the cloud security blueprint.
If you are ready to trial CloudGuard Network Security on AWS, contact us to ask if there is a 3 hour deep-dive technical workshop in your region/country and in your local language. If you have any other questions, please contact your local Check Point account representative or partner using the same contact us link.
Follow and join the conversations about Check Point and CloudGuard on Twitter, Facebook, LinkedIn and Instagram.