{"id":16620,"date":"2019-10-17T18:00:32","date_gmt":"2019-10-18T02:00:32","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2019\/10\/17\/news-10359\/"},"modified":"2019-10-17T18:00:32","modified_gmt":"2019-10-18T02:00:32","slug":"news-10359","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/10\/17\/news-10359\/","title":{"rendered":"Best practices for adding layered security to Azure security with Check Point\u2019s CloudGuard IaaS"},"content":{"rendered":"<p><strong>Credit to Author: Todd VanderArk | Date: Fri, 18 Oct 2019 01:00:03 +0000<\/strong><\/p>\n<p>The cloud is changing the way we build and deploy applications. Most enterprises will benefit from the cloud\u2019s many advantages through hybrid, multi, or standalone cloud architectures. A <a href=\"https:\/\/pages.checkpoint.com\/cloud-security-report-2019.html\" target=\"_blank\" rel=\"noopener\">recent report<\/a> showed that 42 percent of companies have a multi-cloud deployment strategy.<\/p>\n<p>The advantages of the cloud include flexibility, converting large upfront infrastructure investments to smaller monthly bills (that is, the CAPEX to OPEX shift), agility, scalability, the capability to run applications and workloads at high speed, as well as high levels of reliability and availability.<\/p>\n<p>However, cloud security is often an afterthought in this process. Some worry that it may slow the momentum of organizations that are migrating workloads into the cloud. Traditional IT security teams may be hesitant to implement new cloud security processes, because to them the cloud may be daunting or confusing, or just new and unknown.<\/p>\n<p>Although the concepts may seem similar, cloud security is different from traditional enterprise security. 
Additionally, there may be industry-specific compliance and security standards to be met.<\/p>\n<p>Public cloud vendors have defined the <a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/security\/fundamentals\/infrastructure\" target=\"_blank\" rel=\"noopener\">Shared Responsibility Model<\/a> where the vendor is responsible for the security \u201cof\u201d their cloud, while their customers are responsible for the security \u201cin\u201d the cloud.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-90020 size-full\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/10\/Best-practices-for-adding-layered-security-to-Microsoft-Azure-security-1.png\" alt=\"Image showing the Responsibility Zones for Microsoft Azure.\" width=\"973\" height=\"511\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/10\/Best-practices-for-adding-layered-security-to-Microsoft-Azure-security-1.png 973w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/10\/Best-practices-for-adding-layered-security-to-Microsoft-Azure-security-1-300x158.png 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/10\/Best-practices-for-adding-layered-security-to-Microsoft-Azure-security-1-768x403.png 768w\" sizes=\"auto, (max-width: 973px) 100vw, 973px\" \/><\/p>\n<p><em>The Shared Responsibility Model (Source: <\/em><a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/security\/fundamentals\/infrastructure\" target=\"_blank\" rel=\"noopener\"><em>Microsoft Azure<\/em><\/a><em>).<\/em><\/p>\n<p>Cloud deployments include multi-layered components, and the security requirements are often different per layer and per component. 
Often, the ownership of security is blurred when it comes to the application, infrastructure, and sometimes even the cloud platform\u2014especially in multi-cloud deployments.<\/p>\n<p>Cloud vendors, including Microsoft, offer fundamental network-layer, data-layer, and other <a href=\"https:\/\/azure.microsoft.com\/en-in\/overview\/security\/\" target=\"_blank\" rel=\"noopener\">security tools<\/a> for use by their customers. Security analysts, managed security service providers, and advanced cloud customers recommend layering on advanced threat prevention and network-layer security solutions to protect against modern-day attacks. These specialized tools evolve at the pace of industry threats to secure the organization\u2019s cloud perimeters and connection points.<\/p>\n<p>Check Point is a leader in cloud security and the trusted security advisor to customers migrating workloads into the cloud.<\/p>\n<p>Check Point\u2019s <a href=\"https:\/\/www.checkpoint.com\/products\/iaas-public-cloud-security\/\" target=\"_blank\" rel=\"noopener\">CloudGuard IaaS<\/a> helps protect assets in the cloud with dynamic scalability, intelligent provisioning, and consistent control across public, private, and hybrid cloud deployments. CloudGuard IaaS supports Azure and Azure Stack. Customers using CloudGuard IaaS can securely migrate sensitive workloads, applications, and data into Azure and thereby improve their security.<\/p>\n<p>But <strong><em>how well<\/em><\/strong> does CloudGuard IaaS conform to Microsoft\u2019s best practices?<\/p>\n<p>Principal Program Manager of Azure Networking, Dr. 
Reshmi Yandapalli (DAOM), published a blog post titled <a href=\"https:\/\/azure.microsoft.com\/en-us\/blog\/best-practices-to-consider-before-deploying-a-network-virtual-appliance\/\" target=\"_blank\" rel=\"noopener\">Best practices to consider before deploying a network virtual appliance<\/a> earlier this year, which outlined considerations when building or choosing Azure security and networking services. Dr. Yandapalli defined four best practices for networking and security ISVs\u2014like Check Point\u2014to improve the cloud experience for Azure customers.<\/p>\n<p>I discussed Dr. Yandapalli\u2019s four best practices with Amir Kaushansky, Check Point\u2019s Head of Cloud Network Security Product Management. Amir\u2019s responsibilities include the CloudGuard IaaS roadmap and coordination with the R&amp;D\/development team.<\/p>\n<h3>1. Azure accelerated networking support<\/h3>\n<p>Dr. Yandapalli\u2019s first best practice in her blog is that the ISV\u2019s Azure security solution should be available on one or more Azure virtual machine (VM) types with <a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/virtual-network\/create-vm-accelerated-networking-cli\" target=\"_blank\" rel=\"noopener\">Azure\u2019s accelerated networking capability<\/a> to improve networking performance. Dr. 
Yandapalli recommends that you \u201cconsider a virtual appliance that is available on one of the supported VM types with Azure\u2019s accelerated networking capability.\u201d<\/p>\n<p>The diagram below shows communication between VMs, with and without Azure\u2019s accelerated networking:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-90021 size-full\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/10\/Best-practices-for-adding-layered-security-to-Microsoft-Azure-security-2.png\" alt=\"Image showing accelerated networking to improve performance of Azure security.\" width=\"996\" height=\"420\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/10\/Best-practices-for-adding-layered-security-to-Microsoft-Azure-security-2.png 996w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/10\/Best-practices-for-adding-layered-security-to-Microsoft-Azure-security-2-300x127.png 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/10\/Best-practices-for-adding-layered-security-to-Microsoft-Azure-security-2-768x324.png 768w\" sizes=\"auto, (max-width: 996px) 100vw, 996px\" \/><\/p>\n<p><em>Accelerated networking to improve performance of Azure security (Source: <\/em><a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/virtual-network\/create-vm-accelerated-networking-cli\" target=\"_blank\" rel=\"noopener\"><em>Microsoft Azure<\/em><\/a>).<\/p>\n<p>Kaushansky says, \u201cCheck Point was the <a href=\"https:\/\/blog.checkpoint.com\/2019\/02\/28\/unleash-the-power-of-cloud-security-300-performance-improvement-with-cloudguard-iaas\/\" target=\"_blank\" rel=\"noopener\">first certified compliant vendor<\/a> with Azure accelerated networking. 
Accelerated networking can improve performance and reduce jitter, latency, and CPU utilization.\u201d<\/p>\n<p>According to Kaushansky\u2014and depending on workload and VM size\u2014Check Point and customers have observed at least a 2-3 times increase in throughput due to Azure accelerated networking.<\/p>\n<h3>2. Multi-Network Interface Controller (NIC) support<\/h3>\n<p>The next best practice in Dr. Yandapalli\u2019s blog is to use VMs with multiple NICs to improve network traffic management via traffic isolation. For example, you can use one NIC for data plane traffic and one NIC for management plane traffic. Dr. Yandapalli states, \u201cWith multiple NICs you can better manage your network traffic by isolating various types of traffic across the different NICs.\u201d<\/p>\n<p>The diagram below shows the Azure Dv2-series with the maximum number of NICs per VM size:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-90022 size-full\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/10\/Best-practices-for-adding-layered-security-to-Microsoft-Azure-security-3.png\" alt=\"Image showing Azure Dv2-series VMs with number of NICs per size.\" width=\"962\" height=\"520\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/10\/Best-practices-for-adding-layered-security-to-Microsoft-Azure-security-3.png 962w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/10\/Best-practices-for-adding-layered-security-to-Microsoft-Azure-security-3-300x162.png 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/10\/Best-practices-for-adding-layered-security-to-Microsoft-Azure-security-3-768x415.png 768w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/10\/Best-practices-for-adding-layered-security-to-Microsoft-Azure-security-3-389x209.png 389w\" sizes=\"auto, (max-width: 962px) 100vw, 962px\" \/><\/p>\n<p><em>Azure Dv2-series VMs with the number of NICs per 
size.<\/em><\/p>\n<p>CloudGuard IaaS supports multi-NIC VMs, with no maximum on the number of NICs. Check Point recommends the use of VMs with at least two NICs\u2014VMs with one NIC are supported but not recommended.<\/p>\n<p>Depending on the customer\u2019s deployment architecture, the customer may use one NIC for internal East-West traffic and the second for outbound\/inbound North-South traffic.<\/p>\n<h3>3. High Availability (HA) port with Azure load balancer<\/h3>\n<p>Dr. Yandapalli\u2019s third best practice is that Azure security and networking services should be reliable and highly available.<\/p>\n<p>Dr. Yandapalli suggests the use of a High Availability (HA) port load balancing rule. \u201cYou would want your NVA to be reliable and highly available, to achieve these goals simply by adding network virtual appliance instances to the backend pool of your internal load balancer and configuring a HA ports load-balancer rule,\u201d says Dr. Yandapalli.<\/p>\n<p>The diagram below shows an example usage of an HA port:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-90023\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/10\/Best-practices-for-adding-layered-security-to-Microsoft-Azure-security-4.png\" alt=\"\" width=\"974\" height=\"571\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/10\/Best-practices-for-adding-layered-security-to-Microsoft-Azure-security-4.png 974w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/10\/Best-practices-for-adding-layered-security-to-Microsoft-Azure-security-4-300x176.png 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/10\/Best-practices-for-adding-layered-security-to-Microsoft-Azure-security-4-768x450.png 768w\" sizes=\"auto, (max-width: 974px) 100vw, 974px\" \/><\/p>\n<p><em>Flowchart example of an HA port with Azure load balancer.<\/em><\/p>\n<p>Kaushansky says, 
\u201cCloudGuard IaaS supports this functionality with a standard load balancer via Azure Resource Manager deployment templates, which customers can use to deploy CloudGuard IaaS easily in HA mode.\u201d<\/p>\n<h3>4. Support for Virtual Machine Scale Sets (VMSS)<\/h3>\n<p>Dr. Yandapalli\u2019s last best practice is to use <a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/virtual-machine-scale-sets\/overview\" target=\"_blank\" rel=\"noopener\">Azure VMSS<\/a> to provide HA. These also provide the management and automation layers for Azure security, networking, and other applications. This cloud-native functionality provides the right amount of IaaS resources at any given time, depending on application needs. Dr. Yandapalli points out that \u201cscale sets provide high availability to your applications, and allow you to centrally manage, configure, and update a large number of VMs.\u201d<\/p>\n<p>As with the previous best practice, customers can use an Azure Resource Manager deployment template to deploy CloudGuard in VMSS mode. Check Point recommends the use of VMSS for traffic inspection of North-South (inbound\/outbound) and East-West (lateral movement) traffic.<\/p>\n<h3>Learn more and get a free trial<\/h3>\n<p>As you can see from the above, CloudGuard IaaS is compliant with all four of Microsoft\u2019s common best practices for how to build and deploy Azure network security solutions.<\/p>\n<p>Visit <a href=\"http:\/\/www.checkpoint.com\/\" target=\"_blank\" rel=\"noopener\">Check Point<\/a> to understand how CloudGuard IaaS can help protect your data and infrastructure in Microsoft Azure and hybrid clouds and improve Azure network security. 
If you\u2019re evaluating Azure security solutions, you can get a free 30-day evaluation license of CloudGuard IaaS on <a href=\"https:\/\/azuremarketplace.microsoft.com\/en-us\/marketplace\/apps\/checkpoint.vsec?tab=Overview\" target=\"_blank\" rel=\"noopener\">Azure Marketplace<\/a>!<\/p>\n<p><em>(Based on a blog published on June 4, 2019 in the <a href=\"https:\/\/blog.checkpoint.com\/2019\/06\/04\/x-by-orange-guarantees-cloud-security-for-clients-with-check-point-cloudguard\/\" target=\"_blank\" rel=\"noopener\">Check Point Cloud Security blog<\/a>.)<\/em><\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/www.microsoft.com\/security\/blog\/2019\/10\/17\/best-practices-layered-security-azure-security-check-point-cloudguard-iaas\/\">Best practices for adding layered security to Azure security with Check Point\u2019s CloudGuard IaaS<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/www.microsoft.com\/security\/blog\/\">Microsoft Security<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Todd VanderArk | Date: Fri, 18 Oct 2019 01:00:03 +0000<\/strong><\/p>\n<p>Learn how Check Point CloudGuard IaaS provides an added layer of security for Azure and aligns with Azure security\u2019s best practices.<\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/www.microsoft.com\/security\/blog\/2019\/10\/17\/best-practices-layered-security-azure-security-check-point-cloudguard-iaas\/\">Best practices for adding layered security to Azure security with Check Point\u2019s CloudGuard IaaS<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/www.microsoft.com\/security\/blog\/\">Microsoft 
Security<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10759,10378],"tags":[21500,22745],"class_list":["post-16620","post","type-post","status-publish","format-standard","hentry","category-microsoft","category-security","tag-azure-security","tag-microsoft-intelligent-security-association-misa"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/16620","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=16620"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/16620\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=16620"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=16620"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=16620"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}