https://community.isc2.org/t5/Tech-Talk/Securing-AWS-inter-subnet-traffic-using-Check-Point-Cloud-Guard/m-p/9952#M29 <P>I am talking about inspection and control of traffic between subnets inside single VPC.</P><P>&nbsp;</P><P>As AWS using common router per-VPC, by default, traffic from all subnets inside are forwarding traffic to it.</P><P>Thus, to achieve proper inspection between tiers, multi-VPC architecture is required.</P><P>In contrast, Azure allows routing of the traffic inside Availability Set.</P><P>This distinction has, in some instances, swayed the choice of the cloud provider for organizations trying to migrate payloads and looking at complexities caused by AWS prohibiting trans-VPC traffic.</P><P>&nbsp;</P><P>That was the reason to figure out how to achieve intra-VPC, inter-subnet inspection and access control.</P><P>&nbsp;</P><P>Since I am versed in Check Point, I've picked that vendor's offering for POC, but there is no reason same could not be achieved with PAN or Fortinet.</P> Mon, 30 Apr 2018 20:06:21 GMT vt100 2018-04-30T20:06:21Z https://community.isc2.org/t5/Tech-Talk/Securing-AWS-inter-subnet-traffic-using-Check-Point-Cloud-Guard/m-p/9931#M27 <P>For those of us in the trenches responsible for securing cloud payloads, this may come handy. Apparently, AWS does not natively support inspection of the in-VPC traffic.</P><P>&nbsp;</P><P>This solution circumvents the limitation and allows you to control and inspect traffic within VPC between multiple private and public subnets:</P><P>&nbsp;</P><P><A title="Inter-subnet, intra-VPC traffic control and inspection in AWS" href="https://community.checkpoint.com/docs/DOC-2639-inspection-of-inter-subnet-traffic-in-aws-vpc" target="_self">https://community.checkpoint.com/docs/DOC-2639-inspection-of-inter-subnet-traffic-in-aws-vpc</A></P> Mon, 30 Apr 2018 13:12:27 GMT https://community.isc2.org/t5/Tech-Talk/Securing-AWS-inter-subnet-traffic-using-Check-Point-Cloud-Guard/m-p/9931#M27 vt100 2018-04-30T13:12:27Z https://community.isc2.org/t5/Tech-Talk/Securing-AWS-inter-subnet-traffic-using-Check-Point-Cloud-Guard/m-p/9950#M28 <P>Fortinet, Palo Alto and Cisco ASA also have solutions in the AWS marketplace to protect inter-subnet traffic within AWS.&nbsp; &nbsp;Coupled with Checkpoint, these are the Gartner&nbsp; "Enterprise Network Firewall" magic quadrant leaders, visionaries and challengers&nbsp; - everyone else is a "niche player".&nbsp;&nbsp;</P><P>&nbsp;</P><P>AWS's closest native capability is <A href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html" target="_self">Security Groups</A>.&nbsp; They inspect transparently "just outside" the network interface on each server, rather than the more traditional inline default-gateway. They are an adequate stateful inspection packet firewall, but they can not do advanced analytics, such as malware detection or SQL injection defenses.</P><P>&nbsp;</P><P>This may or may not be adequate depending on your use case.&nbsp; Simple is enough in many cases, such as blocking unneeded IP ports.</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 30 Apr 2018 19:55:06 GMT https://community.isc2.org/t5/Tech-Talk/Securing-AWS-inter-subnet-traffic-using-Check-Point-Cloud-Guard/m-p/9950#M28 denbesten 2018-04-30T19:55:06Z https://community.isc2.org/t5/Tech-Talk/Securing-AWS-inter-subnet-traffic-using-Check-Point-Cloud-Guard/m-p/9952#M29 <P>I am talking about inspection and control of traffic between subnets inside single VPC.</P><P>&nbsp;</P><P>As AWS using common router per-VPC, by default, traffic from all subnets inside are forwarding traffic to it.</P><P>Thus, to achieve proper inspection between tiers, multi-VPC architecture is required.</P><P>In contrast, Azure allows routing of the traffic inside Availability Set.</P><P>This distinction has, in some instances, swayed the choice of the cloud provider for organizations trying to migrate payloads and looking at complexities caused by AWS prohibiting trans-VPC traffic.</P><P>&nbsp;</P><P>That was the reason to figure out how to achieve intra-VPC, inter-subnet inspection and access control.</P><P>&nbsp;</P><P>Since I am versed in Check Point, I've picked that vendor's offering for POC, but there is no reason same could not be achieved with PAN or Fortinet.</P> Mon, 30 Apr 2018 20:06:21 GMT https://community.isc2.org/t5/Tech-Talk/Securing-AWS-inter-subnet-traffic-using-Check-Point-Cloud-Guard/m-p/9952#M29 vt100 2018-04-30T20:06:21Z