vt100
Community Champion

Securing AWS inter-subnet traffic using Check Point Cloud Guard

For those of us in the trenches responsible for securing cloud payloads, this may come handy. Apparently, AWS does not natively support inspection of the in-VPC traffic.


This solution circumvents the limitation and allows you to control and inspect traffic within VPC between multiple private and public subnets:


https://community.checkpoint.com/docs/DOC-2639-inspection-of-inter-subnet-traffic-in-aws-vpc

2 Replies
denbesten
Community Champion

Fortinet, Palo Alto and Cisco ASA also have solutions in the AWS marketplace to protect inter-subnet traffic within AWS. Coupled with Checkpoint, these are the Gartner "Enterprise Network Firewall" magic quadrant leaders, visionaries and challengers - everyone else is a "niche player".


AWS's closest native capability is Security Groups. They inspect transparently "just outside" the network interface on each server, rather than the more traditional inline default-gateway. They are an adequate stateful inspection packet firewall, but they cannot do advanced analytics, such as malware detection or SQL injection defenses.


This may or may not be adequate depending on your use case. Simple is enough in many cases, such as blocking unneeded IP ports.


vt100
Community Champion

I am talking about inspection and control of traffic between subnets inside a single VPC.


As AWS uses a common router per VPC, by default all subnets inside it forward traffic to that router.

Thus, to achieve proper inspection between tiers, multi-VPC architecture is required.

In contrast, Azure allows routing of the traffic inside Availability Set.

This distinction has, in some instances, swayed the choice of the cloud provider for organizations trying to migrate payloads and looking at complexities caused by AWS prohibiting trans-VPC traffic.


That was the reason to figure out how to achieve intra-VPC, inter-subnet inspection and access control.


Since I am versed in Check Point, I've picked that vendor's offering for the POC, but there is no reason the same could not be achieved with PAN or Fortinet.
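The point above, that anything delivered by the VPC router's "local" route never passes an inline appliance, can be checked against a VPC's route tables. The following audit script is an added example, not code from this thread or from Check Point's document; it runs longest-prefix matching over route-table data in the shape of `describe-route-tables` output, and the tables, IDs, CIDRs and the more-specific route to a firewall ENI are all constructed for the demonstration (every subnet is assumed to have an explicit route-table association).

```python
import ipaddress

# Constructed sample in the shape of `aws ec2 describe-route-tables` output;
# IDs and CIDRs are made up. "local" is the VPC router's built-in route.
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-web", "Associations": [{"SubnetId": "subnet-web"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc"}]},
    {"RouteTableId": "rtb-app", "Associations": [{"SubnetId": "subnet-app"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                # hypothetical route steering db-bound traffic to a firewall ENI
                {"DestinationCidrBlock": "10.0.3.0/24",
                 "NetworkInterfaceId": "eni-fw"}]},
    {"RouteTableId": "rtb-db", "Associations": [{"SubnetId": "subnet-db"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
]
SAMPLE_SUBNETS = {"subnet-web": "10.0.1.0/24", "subnet-app": "10.0.2.0/24",
                  "subnet-db": "10.0.3.0/24"}
TARGET_KEYS = ("GatewayId", "NetworkInterfaceId", "InstanceId",
               "TransitGatewayId", "VpcPeeringConnectionId")


def next_hop(routes, dst_cidr):
    """Longest-prefix match over one route table: the target that carries
    traffic for dst_cidr, or None when no route covers it."""
    dst = ipaddress.ip_network(dst_cidr)
    best = None
    for route in routes:
        net = ipaddress.ip_network(route["DestinationCidrBlock"])
        if dst.version == net.version and dst.subnet_of(net):
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, route)
    if best is None:
        return None
    return next(best[1][k] for k in TARGET_KEYS if k in best[1])


def uninspected_flows(route_tables, subnets):
    """Sorted (src, dst) subnet pairs whose traffic is delivered by the VPC
    router's 'local' route and therefore never reaches an inline appliance."""
    table_of = {a["SubnetId"]: rt["Routes"]
                for rt in route_tables for a in rt["Associations"]}
    return sorted((src, dst) for src in subnets for dst in subnets
                  if src != dst and next_hop(table_of[src], subnets[dst]) == "local")


if __name__ == "__main__":
    for src, dst in uninspected_flows(SAMPLE_ROUTE_TABLES, SAMPLE_SUBNETS):
        print(f"{src} -> {dst}: local route, not inspected")
```

With the sample data only app-to-db traffic is steered to the firewall ENI; the other five inter-subnet directions, including db back to app, are reported as taking the local route.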