Learn how to deploy Check Point vSEC Security Solution in Microsoft Azure with hands-on labs. Suitable for Sys Admins, Analysts, and Engineers.
Workshop Check Point vSEC for Microsoft Azure Instructor Slides [Protected] Distribution or modification is subject to approval
Preface
• Course Layout
• Course Chapters and Learning Objectives
• Sample Setup for Labs
Course Layout
• The following professionals benefit most from this course:
  • Check Point Certified System Administrators
  • Support Analysts
  • Network Engineers
Course Chapters
1. The Check Point vSEC Security Solution
2. Microsoft Azure
3. Azure Deployment and Licensing
Hands-on labs accompany the course.
Sample Setup for Labs
Lab 1.1: Navigating Azure
• Create navigation shortcuts in the Microsoft Azure Portal.
• Navigate various products in the Microsoft Azure Portal.
LAB BREAK
Lab 1.2: Building the Azure Environment
• Create an Azure virtual network.
• Configure two additional subnets for the virtual network.
• Deploy and configure a Check Point R80 management server.
• Deploy and configure a Check Point vSEC cluster.
• Create a web server and an associated route table.
• Configure routes in the route table.
LAB BREAK
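The network parts of this lab (virtual network, additional subnets, route table and routes) can be written down as an Azure Resource Manager template instead of being clicked through the portal. The Python script below is an added example, not course or Check Point code: it carves three /24 subnets out of the VNet, checks that they fit and do not overlap, and emits a template whose route table sends the web subnet's default route to the vSEC cluster's private IP as a VirtualAppliance next hop. The subnet names (frontend, backend, web), the 10.0.0.0/16 address space, the next-hop address 10.0.1.10, the resource names and the apiVersion are all assumed values; the management server, cluster and web server virtual machines are not part of the template.

```python
import ipaddress
import json

# Assumed Microsoft.Network API version; any version that supports route
# tables and subnet routeTable references will do.
API_VERSION = "2018-08-01"


def plan_subnets(vnet_cidr, names, new_prefix=24):
    """Carve equally sized subnets out of the VNet address space.

    Returns {name: cidr}; raises ValueError if the VNet has no room or the
    result is inconsistent (a defensive check, since Azure rejects overlaps).
    """
    vnet = ipaddress.ip_network(vnet_cidr)
    candidates = list(vnet.subnets(new_prefix=new_prefix))
    if len(names) > len(candidates):
        raise ValueError(f"{vnet} holds only {len(candidates)} /{new_prefix} subnets")
    plan = {name: str(net) for name, net in zip(names, candidates)}
    nets = [ipaddress.ip_network(c) for c in plan.values()]
    for i, a in enumerate(nets):
        if not a.subnet_of(vnet):
            raise ValueError(f"{a} is outside {vnet}")
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"{a} overlaps {b}")
    return plan


def build_template(vnet_name, vnet_cidr, subnets, vsec_private_ip, routed_subnets):
    """Return an ARM template with one route table (0.0.0.0/0 -> vSEC private
    IP as a VirtualAppliance hop) attached to every subnet in routed_subnets."""
    vnet = ipaddress.ip_network(vnet_cidr)
    hop = ipaddress.ip_address(vsec_private_ip)
    if hop not in vnet:
        raise ValueError(f"next hop {hop} is not inside {vnet}")
    for name in routed_subnets:
        if hop in ipaddress.ip_network(subnets[name]):
            # A default route to an appliance inside the same subnet would also
            # capture the appliance's own outbound traffic and loop.
            raise ValueError(f"next hop {hop} lies in routed subnet {name}")

    rt_name = f"{vnet_name}-via-vsec-rt"  # assumed naming convention
    rt_id = f"[resourceId('Microsoft.Network/routeTables', '{rt_name}')]"
    route_table = {
        "type": "Microsoft.Network/routeTables",
        "apiVersion": API_VERSION,
        "name": rt_name,
        "location": "[resourceGroup().location]",
        "properties": {
            "routes": [{
                "name": "default-via-vsec",
                "properties": {
                    "addressPrefix": "0.0.0.0/0",
                    "nextHopType": "VirtualAppliance",
                    "nextHopIpAddress": str(hop),
                },
            }],
        },
    }
    subnet_resources = []
    for name, cidr in subnets.items():
        props = {"addressPrefix": cidr}
        if name in routed_subnets:
            props["routeTable"] = {"id": rt_id}
        subnet_resources.append({"name": name, "properties": props})
    vnet_resource = {
        "type": "Microsoft.Network/virtualNetworks",
        "apiVersion": API_VERSION,
        "name": vnet_name,
        "location": "[resourceGroup().location]",
        "dependsOn": [rt_id],
        "properties": {
            "addressSpace": {"addressPrefixes": [str(vnet)]},
            "subnets": subnet_resources,
        },
    }
    return {
        "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
        "contentVersion": "1.0.0.0",
        "resources": [route_table, vnet_resource],
    }


def routed_subnet_names(template):
    """Subnets in the template that carry the route table (handy for review)."""
    vnet = next(r for r in template["resources"]
                if r["type"] == "Microsoft.Network/virtualNetworks")
    return [s["name"] for s in vnet["properties"]["subnets"]
            if "routeTable" in s["properties"]]


if __name__ == "__main__":
    plan = plan_subnets("10.0.0.0/16", ["frontend", "backend", "web"])
    template = build_template("lab-vnet", "10.0.0.0/16", plan, "10.0.1.10", ["web"])
    print(json.dumps(template, indent=2))
```

The printed template can be deployed with Azure CLI (`az deployment group create --resource-group <rg> --template-file template.json`) or Azure PowerShell (`New-AzResourceGroupDeployment`). The two ValueError checks catch mistakes worth finding before deployment rather than in a failed lab: a next hop that is not inside the VNet, and a default route attached to the subnet the gateway itself sits in.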
Chapter 1: The Check Point vSEC Security Solution
• Understand cloud computing and the advantages of deploying resources into a virtualized datacenter.
• Discuss the various security challenges facing virtual environments and data centers.
• Understand how Check Point vSEC protects virtual environments and data centers.
Understanding Modern Data Center Security Challenges
• Lateral threats
• Dynamic changes
• Complex environments
Securing the Environment with vSEC
• vSEC for Private Cloud
  • vSEC for Cisco ACI
  • vSEC for VMware NSX
  • vSEC for OpenStack
• vSEC for Public Cloud
  • vSEC for AWS
  • vSEC for Google Cloud Platform
  • vSEC for Microsoft Azure
• vSEC for Virtual Data Center
  • vSEC Virtual Edition (VE)
Securing the Environment with vSEC
• Protection against lateral threats
• Adaptive to dynamic changes
• Unified management
Main Components
• vSEC Controller (on the Security Management Server)
• vSEC Gateway
Review Questions Name three platforms that support Check Point vSEC for Private Cloud. vSEC for Cisco ACI, vSEC for VMware NSX, and vSEC for OpenStack support Check Point vSEC for Private Cloud.
Review Questions What are some ways Check Point vSEC protects virtual environments? It performs Stateful Inspection of traffic between virtual machines using Firewall and protects data centers from threats and attacks using Threat Prevention technology. With Threat Prevention Tagging, vSEC quickly identifies, tags, and quarantines infected hosts in the network by tagging the hosts and sharing the threat information with the cloud controller. Integration with popular cloud infrastructure vendors allows vSEC to easily import configurations and incorporate them into Check Point Security Policies. With real-time context sharing, changes are automatically tracked and Security Policies are applied regardless of the host.
Review Questions What are the two main components of a Check Point vSEC security solution? The two main components are vSEC gateway and the Security Management Server with vSEC controller.
Chapter 2: Microsoft Azure • Understand how Microsoft Azure products and services can be used to build a virtual environment secured by Check Point vSEC.
Using Microsoft Azure • Check Point vSEC for Microsoft Azure • One console for consistent policy and threat visibility across the entire infrastructure. • Safeguards against data and infrastructure breaches while maintaining the ability to securely connect mobile users to their network.
Using Microsoft Azure: Products
• Virtual Networks: provision private networks, optionally connected to on-premises datacenters
• Virtual Machines: provision Windows and Linux virtual machines
• Resource Groups: organize and collectively manage resources
• Network Security Groups: secure resources
• ExpressRoute: dedicated private network fiber connections to Azure
Using Microsoft Azure: Features
• Azure Resource Explorer
• Azure Resource Manager Templates
• Tags
• Activity Logs
• Customized Policies
• Public IP Addresses

Customized Policies example: an Azure Policy definition that denies deployment of resources outside the allowed locations.
{
  "properties": {
    "parameters": {
      "allowedLocations": {
        "type": "array",
        "metadata": {
          "description": "The list of locations that can be specified when deploying resources",
          "strongType": "location",
          "displayName": "Allowed locations"
        }
      }
    },
    "displayName": "Allowed locations",
    "description": "This policy enables you to restrict the locations your organization can specify when deploying resources.",
    "policyRule": {
      "if": {
        "not": {
          "field": "location",
          "in": "[parameters('allowedLocations')]"
        }
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}
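To see how a definition of this shape is applied, here is an added Python example (not Microsoft's or Check Point's code, and not the Azure Policy engine itself) that evaluates a policyRule against constructed resource records: it resolves the `[parameters('allowedLocations')]` reference, handles the not/allOf/anyOf combinators and the in/equals/exists operators, and returns the effect, or "allow" when the rule does not match. The second definition, an audit rule for network security groups that lack an owner tag, is an assumption added to exercise allOf and exists; the tag name and all resource records are made up.

```python
# Constructed copy of the slide's "Allowed locations" definition. The
# parameter reference is left exactly as ARM writes it and resolved at
# evaluation time.
ALLOWED_LOCATIONS_POLICY = {
    "displayName": "Allowed locations",
    "policyRule": {
        "if": {
            "not": {
                "field": "location",
                "in": "[parameters('allowedLocations')]",
            }
        },
        "then": {"effect": "deny"},
    },
}

# Constructed (assumed) second definition to show 'allOf' and 'exists':
# audit any network security group that carries no 'owner' tag.
UNTAGGED_NSG_POLICY = {
    "displayName": "Audit NSGs without an owner tag",
    "policyRule": {
        "if": {
            "allOf": [
                {"field": "type", "equals": "Microsoft.Network/networkSecurityGroups"},
                {"field": "tags['owner']", "exists": "false"},
            ]
        },
        "then": {"effect": "audit"},
    },
}


def _resolve(value, params):
    """Turn "[parameters('x')]" into the assigned value; other values pass through."""
    prefix, suffix = "[parameters('", "')]"
    if isinstance(value, str) and value.startswith(prefix) and value.endswith(suffix):
        return params[value[len(prefix):-len(suffix)]]
    return value


def _field(resource, name):
    """Read a policy field: a top-level property, or a tags['key'] lookup."""
    if name.startswith("tags['") and name.endswith("']"):
        return (resource.get("tags") or {}).get(name[6:-2])
    return resource.get(name)


def _norm(value):
    # Azure Policy string comparisons are case-insensitive; mirror that here.
    return value.lower() if isinstance(value, str) else value


def evaluate_condition(cond, resource, params):
    """Evaluate one condition block of a policyRule against a resource dict."""
    if "not" in cond:
        return not evaluate_condition(cond["not"], resource, params)
    if "allOf" in cond:
        return all(evaluate_condition(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate_condition(c, resource, params) for c in cond["anyOf"])
    value = _norm(_field(resource, cond["field"]))
    if "in" in cond:
        # A missing field is simply not in the list, so the slide's
        # "not ... in" rule denies a resource with no location at all.
        return value in [_norm(x) for x in _resolve(cond["in"], params)]
    if "equals" in cond:
        return value == _norm(_resolve(cond["equals"], params))
    if "exists" in cond:
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(policy, resource, params=None):
    """Return the policy's effect when its 'if' block matches, else 'allow'."""
    rule = policy["policyRule"]
    if evaluate_condition(rule["if"], resource, params or {}):
        return rule["then"]["effect"]
    return "allow"


if __name__ == "__main__":
    params = {"allowedLocations": ["westeurope", "northeurope"]}
    for res in ({"name": "vm1", "location": "westeurope"},
                {"name": "vm2", "location": "eastus"}):
        print(res["name"], "->", evaluate(ALLOWED_LOCATIONS_POLICY, res, params))
```

The evaluator only covers the operators these two definitions use; the real service supports more (like, match, greater, and so on) and reads fields through resource provider aliases rather than plain dictionary keys, so treat this as a way to reason about a rule before assigning it, not as a substitute for testing the assignment in a sandbox subscription.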
Access Control
• Role-Based Access Control (RBAC) consists of:
  • Role definition
  • Role assignment
• Pre-defined roles:
  • Owner
  • Contributor
  • Reader
  • User Access Administrator
Access Control: Administrator Roles
• Billing administrator
• Compliance administrator
• Security administrator
• Service administrator
• User account administrator
Review Questions Describe two common Azure products used by a System Administrator to build a virtual network. Azure virtual machines are one of the main resources in an Azure environment. They can represent on-premises servers or be used to scale up to the cloud to balance resources (also referred to as load balancing) and reduce costs. A template defines the structure and configuration of an Azure solution. Using a template makes it possible to repeatedly deploy a solution throughout its lifecycle with consistency. After selecting a solution from the portal, Azure automatically provides a deployment template that can be customized to customer needs.
Review Questions What is the purpose of a resource group? A resource group is a collection of related resources. It allows you to deploy, manage, or edit resources in one action.
Review Questions What are some measures a System Administrator can take to secure their Azure virtual network? A Network Security Group (NSG) secures access to publicly exposed resources using network security rules that determine if inbound or outbound traffic is allowed or denied. The Azure Resource Manager provides control over who can execute specific actions for an organization. It natively integrates Role-Based Access Control (RBAC) with the management platform and extends access control to all services in an organization.
Chapter 3: Azure Deployment and Licensing • Understand how to plan and deploy a Microsoft Azure virtual network. • Recognize the two elastic licensing options for Check Point vSEC for Microsoft Azure.
Deployment • What Azure locations will host virtual networks? Available locations include various regions of Australia, Asia, Canada, Japan, Korea, UK, and the US. • Is it necessary to provide communication between the Azure virtual network(s) and on-premises datacenter(s)? • Is it necessary to isolate traffic based on groups of virtual machines, such as a group of front end web servers and a group of back end database servers? • Is it necessary to control traffic flow using virtual appliances? • Do users need different sets of permissions to different Azure resources?
Deployment: Deployment Methods
• Azure Portal
• Azure PowerShell
• Azure CLI
Elastic Licensing: Bring Your Own License
• Based on the number of cores used across all gateways in the private or public cloud environment
• Ideal for multiple on-premises and/or cloud-based vSEC gateways
• Floating license: the customer determines how cores are distributed among gateways
Elastic Licensing: Pay As You Go
• Only available for AWS and Azure
• Priced at an hourly or annual rate
• Includes Check Point Software Blades and standard support
• Does not include the cost of the virtual compute
Virtual Machine Scale Sets • Easy creation through the Azure Portal • Simple scaling properties • Integrated autoscale • Azure Resource Manager integration • Integrated load balancing • REST, SDK, and CLI support • Built-in high availability • Support for manual roll out of OS image updates without downtime
Autoscaling: Configuring Autoscaling
• Azure Autoscale
• Custom solution
• Third-party services
Virtual Machine Scale Sets and Autoscaling: Use Cases
• RDP/SSH to Scale Set Instances
• Connect to Virtual Machines Using NAT rules
• Connect to Virtual Machines Using a Jumpbox
Review Questions What are some important questions to answer when planning an Azure virtual network? What Azure locations will host virtual networks? Available locations include various regions of Australia, Asia, Canada, Japan, Korea, UK, and the US. Is it necessary to provide communication between these Azure locations? Is it necessary to provide communication between the Azure virtual network(s) and on-premises datacenter(s)? Is it necessary to isolate traffic based on groups of virtual machines, such as a group of front end web servers and a group of back end database servers? Is it necessary to control traffic flow using virtual appliances? Do users need different sets of permissions to different Azure resources?