CloudGuard Segmentation

Time
2 hours 22 minutes
Difficulty
Beginner
CEU/CPE
2
Video Transcription
00:06
>> Welcome to the Check Point Jump Start training series. In this training module, we'll examine the CloudGuard capabilities called CloudGuard private and public network security. CloudGuard network security is used to protect both your private and public cloud network assets.

Lesson 3, CloudGuard segmentation. In this third lesson, we're going to learn how to use CloudGuard firewalls, rule bases, and some creative cloud routing to help segment your cloud networks.

Now let's talk about CloudGuard segmentation. The word segmentation can have multiple meanings in network terminology, but here I'm referring to the meaning that networks are isolated from each other. If one machine on one network is compromised, it can then compromise other machines on the same or other networks. CloudGuard can be used to protect and inspect your cloud environments both in what we call a north-south virtual cloud configuration, and also between your virtual networks in what we call an east-west data flow configuration. In the next few moments I'm going to explain what I mean and how these traffic flow configurations can be used to protect your networks.

North-south segmentation refers to egress and ingress inspection perimeters, meaning here we're inspecting traffic to and from your virtual cloud environment. The north perimeter hub would be hosting any public cloud assets that would be public-facing, and here most traffic would be leading from and to the Internet. The south hub would be hosting all your private cloud assets. These are your internal-only assets, for your eyes only so to speak, and from here most assets would be accessible to and from your organization, head office or branch offices, and your company's personal and private assets would be stored here.

East-west refers to lateral traffic movement: traffic that is moving from one cloud network to another cloud network. This can also refer to traffic movement within the cloud from one subnet to another subnet, from one virtual private cloud to another virtual private cloud, from one availability zone to another availability zone, from one region to another region. This lateral movement would mostly be accessible or accessed within the cloud provider's backbone; no traffic will be forwarded to or from the Internet.

Then we would inspect traffic at different cloud and network perimeters. As traffic is flowing between different cloud perimeters, or moving between your virtual networks or virtual workloads, ideally we would have a CloudGuard gateway at each perimeter's edge. Most traditional network segmentation protects your assets from the north-south perimeters, meaning ingress and egress traffic. But what is different in the cloud is that now, with CloudGuard solutions, we can protect your assets from both north-south and also east-west perimeters. East-west segmentation is an additional security solution that adds an additional layer of protection into your network that you cannot do with traditional networking. But you can do this in the cloud by taking advantage of some very creative routing, which we will discuss shortly.

Now let's take a look at how to segment your assets in the cloud. In this video, I'm going to focus on the public cloud. Even though you can do both north-south segmentation and east-west segmentation in both public cloud solutions and also private cloud solutions, the implementation is different. The concept is the same, but how to achieve it varies between private cloud solutions. For now, private cloud is out of the scope of this training series.

Let's now first take a look at the north-south perimeter inspection. The north perimeter is your Internet-facing hub. This is where you assign workloads that are accessible from the Internet. Your customers will be able to get to your Internet-facing assets such as your web servers, your database servers, your marketing servers, or any other servers that you want to be accessible from the Internet for your customer base or for the general public. You want to be extremely sure that you have the utmost protection with the highest level of security in this north perimeter. In addition, and I have alluded to this a few times, depending on your business demands this northbound hub can be scaled up during business peak hours or scaled down during slow downward trends.

The north perimeter hub is where your Internet-facing CloudGuard firewalls will be located. This is your public-facing hub, and this is where you protect your assets that are accessible from the Internet. Here is where you define your access control rules, your users' identity permissions to your public cloud assets, and here is also where we inspect traffic with threat prevention blades to prevent breaches into your cloud networks. For obvious reasons, no northbound traffic should have access permissions to your cloud infrastructure. They might have access only to your public-facing data, your web servers, your databases, but you want to be sure that there is no access to your cloud infrastructure, and this includes load balancers, firewalls, gateways, workloads, and so only approved protocols, services, and applications would be allowed, and this is true for any network, be it public, private, cloud or traditional networks. Of course, all other unapproved protocols would be dropped at the perimeter, and so only access to the data on the servers will be allowed, and any access to the servers themselves would be dropped, like RDP connections for example.

Now let's take a look at the south hub. Here's where most customers create what we call a southbound perimeter. This perimeter in general will not have public Internet-facing assets, and so it would not be allowing traffic from the general public, but instead, even though these assets are still stored in a cloud, these would be assets that should only be accessible from and to the organization. These are company-facing assets, assets that would be accessible from many of the company's various locations, such as the headquarters, branch offices or the company's data centers, and they may also be accessible from and to other cloud regions or other cloud providers. All data leaving to and from this location would usually be encrypted through a native IPsec VPN or other encryption solution. For security reasons, only traffic sourced from the headquarters or sourced from the branch offices will be accessible through the southbound perimeter. Traffic would still be outbound to the Internet, but mostly it would be for software updates or software patching, and so you would still need a CloudGuard firewall located at the southbound perimeter to accept authorized traffic but, obviously, you would need to block any nefarious security-breaching attempts.

Again, let me repeat so we can understand clearly the difference between the north hub and the south hub. In the north we would have public-facing assets, assets that we want to be available to the general public. The south hub is where you would store your private and confidential assets. No public-facing or customer traffic is allowed through the south hub; only private traffic to and from your organization is allowed. You might also allow outbound software updates, but no traffic sourced from the Internet would be allowed through this southbound hub. Here you would place a southbound-facing CloudGuard firewall and only allow traffic sourced from your locations. Any traffic sourced from the Internet would be dropped here.

Now let's talk about east-west segmentation, which is completely different from north-south segmentation. The main purpose of east-west segmentation is to protect your assets in the cloud in case an asset or workload has been compromised. In a traditional network, once an asset has been compromised, then all bets are off. Once an asset has been compromised, the attackers will be able to spread and infect laterally from host to host. The same is true also in the cloud. Once an asset has been compromised in the cloud, attackers are able to spread laterally from virtual machine to virtual machine, or perhaps even extend to reach into the corporate networks. But in the cloud, we can add another additional security protection, what we call east-west segmentation.

With east-west segmentation, when a host tries to communicate with another host on the same private cloud, it cannot do so directly. It first needs to go through the CloudGuard gateway for access permissions and threat inspection; if it is accepted, then the traffic is allowed, and even if the hosts are directly and physically next to each other in the same subnet, we can still prevent lateral movement in what we call the east-west traffic flow to secure the cloud assets. This is also what we usually call micro-segmentation. The workloads can be directly connected to each other, and still all traffic flow must first go through the CloudGuard gateway for approval, for access control permissions, and also threat prevention inspection before routing to its final destination. As mentioned already, this kind of segmentation is not possible in traditional networks. This is only possible in the cloud.

How do we do this? Again, I'll repeat to be sure this is clear. We take advantage of special native cloud routing rules and creatively segment the workloads, so even though the workloads might be on the same network, we're using very creative routing solutions to make sure that when the workloads need to communicate with any other workload on the same network, the traffic first needs to be routed to the CloudGuard gateway for complete rule-base analysis that defines what workload traffic is allowed, to what other workload, and what protocols are allowed. In addition, the CloudGuard gateway will perform deep packet inspection to make sure the traffic is benign and legitimate before routing the traffic to the destination workloads.

Notice in this diagram that even though host A and host B are on the same subnet, they cannot directly communicate with each other. That's because we created a routing entry in the routing table that says that the next hop is the CloudGuard gateway. The source is host A, the destination is host B, but the next hop is the CloudGuard gateway. I'll show you exactly how to do this in the lab section of this training series.

That brings us to the end of this lesson. Let's quickly recap before exiting this video. Lesson 3 was about CloudGuard segmentation. In this training module, we discussed how to do cloud network segmentation. In this lesson, we learned that we can secure traffic in the cloud using what we call segmentation, and we have a few kinds of segmentation. We have what we call north-south segmentation, which helps direct and secure the traffic flow to and from the Internet and also to the corporate offices. We also have a different kind of segmentation, what we call east-west traffic flow segmentation. Here we can segment traffic to prevent lateral infection even though the workloads might be directly next to each other. We use creative cloud routing solutions and firewall rule bases to segment and protect the cloud assets. That completes our third lesson, and that is the end of this training video. I hope to see you in the next video. Until then, so long and goodbye.
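The east-west mechanism the lesson describes (host A and host B share a subnet, yet a route entry sends A-to-B traffic to the gateway, whose rule base then accepts or drops it) can be modelled in a few dozen lines. The following is an added example written for this page; it is not Check Point's code, not the course lab, and not any cloud provider's API. The addresses (10.0.1.10, 10.0.1.20, gateway 10.0.2.4), the rule names, and the route-precedence model (longest prefix wins, a user-defined route beats a system route of the same length) are assumptions made for the illustration.

```python
"""
Constructed model of east-west segmentation via routing (added example, not
CloudGuard's or any cloud provider's implementation).

Two hosts in 10.0.1.0/24 would normally reach each other through the system
"local" route. Adding a user-defined route for the same prefix whose next hop
is the gateway forces the packet through the gateway's rule base: first match
wins and anything unmatched hits the implicit cleanup drop. The gateway's own
onward delivery to host B (its subnet keeps the system route) is not modelled.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addresses for the illustration (assumptions, not from the lesson).
HOST_A = "10.0.1.10"
HOST_B = "10.0.1.20"
GATEWAY = "10.0.2.4"


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str                # "local" means direct delivery in this model
    user_defined: bool = False   # assumption: user routes beat system routes on ties


@dataclass(frozen=True)
class Rule:
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str
    dport: Optional[int]         # None matches any destination port
    action: str                  # "accept" or "drop"


def lookup(routes, dst_ip):
    """Longest-prefix match; on equal prefix length a user-defined route wins."""
    dst = ipaddress.ip_address(dst_ip)
    candidates = [r for r in routes if dst in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.prefix.prefixlen, r.user_defined))


def evaluate(rulebase, src_ip, dst_ip, proto, dport):
    """Ordered rule base: first matching rule decides, else implicit cleanup drop."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rulebase:
        if (src in rule.src and dst in rule.dst and rule.proto == proto
                and (rule.dport is None or rule.dport == dport)):
            return rule.name, rule.action
    return "cleanup", "drop"


def forward(routes, rulebase, src_ip, dst_ip, proto, dport):
    """Route the packet; only a next hop equal to GATEWAY gets rule-base inspection."""
    route = lookup(routes, dst_ip)
    if route is None:
        return {"path": "no-route", "verdict": "drop"}
    if route.next_hop == "local":
        # Delivered host to host; the gateway never sees the packet.
        return {"path": "direct", "verdict": "uninspected"}
    if route.next_hop == GATEWAY:
        name, action = evaluate(rulebase, src_ip, dst_ip, proto, dport)
        return {"path": "via-gateway", "rule": name, "verdict": action}
    return {"path": "via-" + route.next_hop, "verdict": "uninspected"}


SYSTEM_ROUTES = [
    Route(ipaddress.ip_network("10.0.0.0/16"), "local"),
    Route(ipaddress.ip_network("10.0.1.0/24"), "local"),
]
# Same subnet prefix, but next hop is the gateway: this is the "creative routing".
SEGMENTED_ROUTES = SYSTEM_ROUTES + [
    Route(ipaddress.ip_network("10.0.1.0/24"), GATEWAY, user_defined=True),
]
# Constructed rule base: allow A->B on HTTPS only; RDP falls through to cleanup.
RULEBASE = [
    Rule("a-to-b-https", ipaddress.ip_network(HOST_A + "/32"),
         ipaddress.ip_network(HOST_B + "/32"), "tcp", 443, "accept"),
]


def demo():
    """Return the three flows the lesson contrasts, keyed by scenario."""
    return {
        "without_udr": forward(SYSTEM_ROUTES, RULEBASE, HOST_A, HOST_B, "tcp", 443),
        "https_via_gw": forward(SEGMENTED_ROUTES, RULEBASE, HOST_A, HOST_B, "tcp", 443),
        "rdp_via_gw": forward(SEGMENTED_ROUTES, RULEBASE, HOST_A, HOST_B, "tcp", 3389),
    }


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(scenario, result)
```

Running it shows the point of the lesson: with only the system routes, A reaches B directly and nothing is inspected; with the user-defined route in place, the same HTTPS flow is accepted by the named rule, while an RDP attempt from the same host is dropped by the cleanup rule before it ever reaches B.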