CloudGuard for Azure | Test Drive User Guide

Check Point CloudGuard for Microsoft Azure

R80.10 Test Drive User Guide

Learn More: checkpoint.com

©2017 Check Point Software Technologies Ltd. All rights reserved

Contents
1 INTRODUCTION
2 TEST DRIVE OVERVIEW
3 TEST DRIVE
3.1 START THE TEST DRIVE
3.2 REVIEW THE CLOUDGUARD PRODUCT INFORMATION AND USE CASES
3.3 INFORMATION FOR ACCESSING THE TEST DRIVE ENVIRONMENT
3.4 CONNECTING TO THE TEST DRIVE ENVIRONMENT
3.4.1 Using the Windows Remote Desktop Client
3.4.2 Using an Existing Check Point R80.10 SmartConsole Client
3.5 REVIEW THE SECURITY POLICY
3.6 VERIFY NORMAL WEB TRAFFIC
3.7 BLOCK AN SQL INJECTION ATTACK
3.8 BLOCK ACCESS TO SOCIAL NETWORKS
4 CLOUDGUARD FOR AZURE USE CASES OVERVIEW
5 SUPPORT

Figures
Figure 1 Check Point CloudGuard for Microsoft Azure Test Drive Environment


1 Introduction

Welcome to the Check Point CloudGuard for Microsoft Azure test drive!

Check Point CloudGuard test drive for Microsoft Azure enables customers to rapidly try out CloudGuard enterprise security gateway features deployed on a virtual instance inside a Microsoft Azure IaaS (Infrastructure as a Service) virtual cloud. This test drive will allow you to experience the capabilities of the CloudGuard gateway in action using a real web server app, simulated attack vectors, and verification of activity in event logs.

Why do I need CloudGuard for Azure when the cloud is already secure?

Check Point CloudGuard allows you to protect your apps and data deployed in Azure. When you deploy a server in Azure configured with a public-facing IP (or even a private IP with NAT allowing Internet access), it is exposed to cyber-attacks from the Internet, just like any server deployed in an on-premises environment. Cloud providers provide cost-efficient computing resources but only secure the infrastructure layer. Check Point CloudGuard allows you to secure the higher layers (network layer up to application layer) with advanced multi-layer security so that you gain visibility into traffic and threats, detect and prevent attacks inside and outside your cloud network, and demonstrate compliance. Additionally, a perimeter-based security gateway approach makes it easier to protect multiple virtual machine instances (with unknown security posture, software, and patch levels) in a highly dynamic cloud environment where VMs are constantly spun up and removed. It is the customer’s responsibility to protect their data and apps in the cloud.

Activities included in this Test Drive

At the end of the test drive, you will have accomplished the following:
• Remotely access and navigate the SmartConsole management user interface (UI) to provision and monitor the CloudGuard security gateway
• Enable an internet/public-facing app (web server) by provisioning a security policy and verify correct operation of the web server
• Simulate an SQL attack, watch it succeed, and then block the attack by provisioning Intrusion Prevention (IPS) functionality and verify correct operation in the SmartEvent logs
• Block all access to social networks (i.e. Facebook/LinkedIn/Twitter) by enabling Application and URL Filtering and verify correct operation using SmartEvent logs

If you wish to purchase and deploy CloudGuard for Azure immediately in either the “Pay As You Go” (PAYG) or “Bring Your Own License” (BYOL) licensing model, please visit the CloudGuard listing on Azure Marketplace, which contains ARM templates for rapid single-click provisioning and deployment. A reference architecture is available at: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk109360&partition=General&product=CloudGuard

Please note that Check Point CloudGuard is fully integrated with Azure Security Center as well, to automate and orchestrate the deployment.

Follow the instructions below to begin your test drive. Enjoy your journey!


2 Test Drive Overview

This test drive will have you working on securing a single-tier app environment where tier one is a web server deployed inside the Azure cloud behind the Azure load balancer. This simulates a real-world scenario where the web server hosts dynamic content from the cloud but needs to be secured with advanced threat protection using a virtual enterprise security gateway.

In this scenario, all inbound/outbound (i.e. North/South) traffic to the web server is secured by the CloudGuard gateway.

The test drive environment consists of the following components:


Figure 1 Check Point CloudGuard for Microsoft Azure Test Drive Environment

An Azure Virtual Network with the following subnets:
• A Gateway external subnet (10.0.0.0/24)
• A Gateway internal subnet (10.0.1.0/24)
• A Web Server Subnet (internal1-subnet) (10.0.2.0/24)
• A Windows Machine Subnet (external1subnet) (10.0.4.0/24)

The test drive has 3 virtual machines:
• A Linux machine
• A Windows machine
• A Check Point CloudGuard gateway

The Linux machine is pre-configured as a web server listening on TCP port 80. The Windows machine is pre-installed with the Check Point SmartConsole (R80.10) Graphical User Interface clients.

The Check Point CloudGuard gateway has two interfaces attached to external and internal subnets. The Windows machine is attached to external subnet. The Web Server is attached to the web server subnet.

The CloudGuard external network interface has an extra public IP set up to receive HTTP traffic on a dedicated public address and forward it through the Check Point CloudGuard security gateway to the web server. The Check Point CloudGuard security gateway is pre-configured with security and Network Address Translation (NAT) policies to receive and forward this traffic.

3 Test Drive

3.1 Start the Test Drive

• Go to https://azuremarketplace.microsoft.com/en-us/marketplace/apps/checkpoint.vsec and click the TEST DRIVE button.
• You need to sign in for your test drive using your Microsoft account. If you don’t have a Microsoft account, you will need to create one. (An Azure account is not needed!)
• Click to start the free Test Drive.

Note: It can take up to 13 minutes for your environment to be built.

3.2 Review the CloudGuard Product Information and Use Cases

While your test drive environment is being built, you can:
• Read the short Check Point CloudGuard for Microsoft Azure Solution Brief: https://www.checkpoint.com/downloads/products/cloudguard-microsoft-azure-solution-brief.pdf
• Visit the Check Point CloudGuard for Microsoft Azure page: https://www.checkpoint.com/products/iaas-public-cloud-security/
• Review the key use cases described in section 4 CloudGuard for Azure Use Cases Overview at the end of this guide.

3.3 Information for Accessing the Test Drive Environment

When you launch the test drive, you will receive an email containing information that will allow you to connect to your environment.

This email includes:
• The user names and password needed to authenticate to the Windows machine and the Check Point CloudGuard Gateway
• The public address of the gateway
• The public address of the Windows machine
• The URL of the protected web application

The same access information is also available in the Test Drive page.

In this Test Drive, we will be using Check Point SmartConsole, a Windows based graphical user interface (GUI) client, to manage and monitor the security policy of the Check Point CloudGuard gateway.

3.4 Connecting to the Test Drive Environment

You have two options to access the Test Drive:
• You can use the Windows machine with the pre-installed clients.
  o Go to section 3.4.1 Using the Windows Remote Desktop Client.
• Alternatively, if you already have Check Point SmartConsole R80.10 installed on your computer, you can use it to directly connect to the public address of the Check Point CloudGuard gateway.
  o Go to section 3.4.2 Using an Existing Check Point R80.10 SmartConsole Client.

3.4.1 Using the Windows Remote Desktop Client

If you do not have the Check Point R80.10 SmartConsole client installed, you can use the Windows machine in the Test Drive environment, where it is already pre-installed.

To connect to the Windows machine in the Test Drive environment:
• Open a Remote Desktop Connection client (Start -> mstsc in Windows).
• Click on
• For Computer, use the Windows server address from your My Test Drives section or the Windows IP address you received in your Test Drive email.
• For User name, use “\cloudguard” (note the leading \ to avoid the use of your corporate domain).
• Click Connect.
• Under password, enter the Windows server password from your My Test Drives section or the password you received in your Test Drive email. They are the same.
• Click OK.

Note: After you log in to the Windows machine, please wait a couple of minutes while setup installs the SmartConsole application on your Windows machine.

• After installation finishes, locate and launch the SmartConsole R80.10 client in the top left:
• Log in with the Gateway password from your My Test Drives section or the password you received via email.
  o The Gateway username is admin as stated in your My Test Drives section and the email you received.
  o The IP address is 10.0.0.10 (the external private address).
  o Click on Login, and approve the fingerprint:

Proceed to section 3.5 Review the Security Policy.

3.4.2 Using an Existing Check Point R80.10 SmartConsole Client

If you already have the Check Point R80.10 SmartConsole client pre-installed on your computer, you can use it to directly connect to the Check Point CloudGuard Gateway.

• Open Check Point R80.10 SmartConsole.
• Log in with the Gateway password from your My Test Drives section or the password you received via email.
  o The Gateway username is admin as stated in your My Test Drives section and the email you received.
  o Use the public gateway IP address from your My Test Drives section or the email you received.
  o Click on Login, and approve the fingerprint:

3.5 Review the Security Policy

Now that you are connected to the Check Point CloudGuard Security Gateway for Azure, let’s examine the security policy.

• Go to the Standard tab and click Policy.
• Review the security policy.

Note: All rules (except cleanup rule) have logs enabled.

Now let’s examine the NAT rules.
• Go to the Standard tab and click NAT.
• Review the firewall Network Address Translation (NAT) policy:

The table below details the purpose of the NAT policy rules from above:

Rules   Purpose
1-2     Avoiding NAT inside the vNET
3-10    Automatic rules, can be ignored
11      Translate connections arriving from the Internet to the web server frontend IP to the private address of the web server

• Open the Azure picker in any of the policy rules:
• Review the network objects/groups and Tags view of your Azure subscription:
• Press the SmartConsole Logs & Monitor button. We will be using this feature to view logs.

In the next sections, you’ll complete tasks related to cloud security management activities.

Exercise 1: Verify Normal Web Traffic

In this scenario, you will verify normal web traffic.

• Use a browser to connect to the URL in your My Test Drives Access information Step 1, which you also received via email (Web Server URL).
• Click on the first Test button.

This will generate a standard web request to the following URL: http://[WEB-SERVER-ADDRESS]/CloudGuard.jpg

This connection should be allowed and the status should change to Success as shown above.

(Optional)
• You can verify this manually by adding “/CloudGuard.jpg” to the URL in your My Test Drives Access information Step 1 (or from the email you received (Web Server URL)) and browsing to it.

In Log:
• To make sure that traffic went through the CloudGuard gateway, look at the results in the logs:


Exercise 2: Block an SQL Injection Attack

Now you will simulate an SQL Injection Attack, configure the Intrusion Prevention (IPS) functionality in order to block the attack, and then view the generated logs.

• Click on the 2nd Test button (Block SQL injection attack).

This will simulate an SQL injection attack by requesting the following URL: http://[WEB-SERVER-ADDRESS]/cgi-bin/sql-injection/id=concat

Since we have not set up the Intrusion Prevention (IPS) functionality, this attack will not be blocked.

(Optional)
• Verify this manually by adding “/cgi-bin/sql-injection/id=concat” to the URL in your My Test Drives Access information Step 1 (or from the email you received (Web Server URL)) and browsing to it: http://[WEB-SERVER-ADDRESS]/cgi-bin/sql-injection/id=concat

In order to block the above attack, you need to configure IPS (Intrusion Prevention System) functionality.

In SmartConsole:
• Click on Threat Prevention -> Policy in the left panel and then click on IPS Protections.
• Type “sql” in the Look for box.
• Click on the SQL Injection protection at the top of the table.
• Double click on Optimized in the SQL Injection table.
• In the SQL Injection window, select Advanced in the left pane, select Apply to all HTTP Traffic, and click OK.
• Click on Install Policy in the top menu bar to install the newly modified policy.
• Click on OK to publish and install the IPS policy on the CloudGuard gateway.
• Wait for the policy installation to complete and click Close:

Launch the SQL attack again to verify IPS functionality.

On the Web Server page:
• Click on the 2nd Test button again (Block SQL injection attack).

This time, the attack should be blocked.

(Optional)
• Test this manually by adding “/cgi-bin/sql-injection/id=concat” to the URL in your My Test Drives Access information Step 1 (or from the email you received (Web Server URL)) and browsing to it: http://[WEB-SERVER-ADDRESS]/cgi-bin/sql-injection/id=concat

In SmartConsole Logs:
• View the generated log by clicking the Logs tab below.
• Double click on the log record to see more information.
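An added example, not part of the Check Point guide: the optional manual checks from Exercises 1 and 2 run from a shell, so the state can be re-tested after each policy install. It assumes curl is installed, that WEB_SERVER_ADDRESS holds the web server address from your Test Drive access information, and that a request the gateway prevents produces no HTTP response (curl reports 000); the function names are illustrative.

```shell
#!/bin/sh
# Added example (not from the guide): repeat the Exercise 1 and Exercise 2
# requests and report whether the IPS policy is enforcing.
# Assumption: a prevented request gets no HTTP response, so curl prints 000;
# any three-digit status means a server answered the request.

# probe URL -> prints the HTTP status code, or 000 when no response arrived
probe() {
    curl -s -o /dev/null -m 10 -w '%{http_code}' "$1" || true
}

# classify STATUS -> passed | blocked | unknown
classify() {
    case "$1" in
        000)             echo blocked ;;
        [1-5][0-9][0-9]) echo passed ;;
        *)               echo unknown ;;   # e.g. curl missing, empty output
    esac
}

# verdict BENIGN ATTACK -> gateway state as seen from the client
verdict() {
    case "$1/$2" in
        passed/passed)  echo ips-not-enforcing ;;  # state before the IPS policy is installed
        passed/blocked) echo ips-enforcing ;;      # expected state after the policy install
        blocked/*)      echo benign-blocked ;;     # normal traffic fails: check NAT/access rules first
        *)              echo inconclusive ;;
    esac
}

# Only touch the network when an address was supplied.
if [ -n "${WEB_SERVER_ADDRESS:-}" ]; then
    base="http://$WEB_SERVER_ADDRESS"
    benign=$(classify "$(probe "$base/CloudGuard.jpg")")
    attack=$(classify "$(probe "$base/cgi-bin/sql-injection/id=concat")")
    echo "benign=$benign attack=$attack verdict=$(verdict "$benign" "$attack")"
fi
```

Run it once before and once after installing the IPS policy; the SmartConsole logs remain the authoritative record of what the gateway did with each request.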

Exercise 3: Block traffic between the Web Server and the Windows machine

In this activity, you will block traffic between the Web Server and the Windows machine: open the Azure picker view and select the desired objects, add a Drop rule in order to block inner VNet traffic, and then view the generated logs.

On the Web Server page:
• Click on the 3rd Test button (block traffic between Web Server to Windows machine).

This will cause the web server to ping the Windows machine. Since we have not yet set up block rules between machines in our VNet, this traffic will not be blocked.

Look at the Logs:

In SmartConsole:
• Go to your Policy and rule No. 3, then right click the rule and click New Rule Above:
• Click on sign in the Source column and then click the button and click on azure:
• In the Picker window, type “web” in the search box and click the [+] near the webApp Virtual machine:
• Close the picker and notice that the VM was added to the policy rule:
• Open the picker for the Destination column and this time type “win” in the search box, click the [+] near the winMachine Virtual machine, and close the picker:
• In the Services & Applications, click the and then type “icmp” in the search box, then click the [+] near icmp-proto and close the window:
• In the Track column, select Log from the drop-down menu.
• In the Name column, you can type: “Block ping/ICMP from web server to windows machine”
• Click Install Policy and wait for the policy installation to finish successfully.
• Click on the 3rd Test button again to simulate traffic between the Web Server and the Windows machine.

This time, traffic between the Web Server and the Windows machine should be blocked and the test should succeed:

• You can now view the results in the logs:
• You can double click the entry to see a more detailed description of the block:

Exercise 4: Test Auto update

In this activity, you will simulate adding a new tag on your web server and then see how it is automatically updated in the object picker tree. See section 3.5 for more information:

• Before pressing the 4th Test button on the web server, open the object picker and click on the Tags view. You should see the following Tags and values:
• Click on the 4th Test button (Dynamic Update with CloudGuard controller).

This will cause the Azure environment to add a new tag called newTag with the value Added. Now allow up to 30 seconds of refresh time to pass, open the object picker, and expand the Tags folder; you can see that the new tag was added automatically:

NOTE: Clicking the test button again will remove the new tag from the web server and from the object picker automatically.

Exercise 5: Block Access to Social Networks

In this activity, you will simulate access to social networks, configure Application & URL Filtering functionality in order to block access to social networks, and then view the generated logs.

On the Web Server page:
• Click on the 5th Test button (Block access to social networks).

This will cause the web server to communicate with various social network web sites. Since we have not yet set up Application Control & URL Filtering, this traffic will not be blocked.

In SmartConsole:
• Go to Access Control -> Policy and add a rule above the 1st rule. In the Services & Applications column, type “social ne”, click the [+] sign near Social Networking, and close the window:
• In the Track column, change the option to Log.
• The final rule should look like the following:
• Click on Install Policy in the top menu bar to install the newly modified policy.
• Click on Install to install the Application & URL Filtering policy.
• Wait for the policy installation to complete.

On the Web Server page:
• Click on the 5th Test button again to simulate access to social networks.

This time, access to social networks should be blocked:

In Log:
• Stand on Rule 1 in the policy and look at the log below. You should see several logs indicating that a connection was opened from the web subnet to social network web sites, similar to this:
• Double click on one of these log records to see more information.

Congratulations!

You have completed the activities in the Check Point CloudGuard for Microsoft Azure Test Drive. Feel free to keep exploring this environment.

Thank you!

4 CloudGuard for Azure Use Cases Overview

Key use cases of CloudGuard for Azure include:
• Advanced security protection of your internet/public-facing apps hosted in Azure using a perimeter gateway
• Hybrid cloud by creating a site-to-site secure VPN tunnel between your on-premises network and cloud network – allowing secured communications between on-premises users & applications and cloud applications & infrastructure
• Secure remote access to the cloud apps for mobile users using a point-to-point secure tunnel – allowing mobile users to talk to your cloud apps
• Intersegment security protection between app tiers inside your cloud – preventing the lateral spread of threats between servers inside your cloud
• Achieve high availability using multiple gateways deployed in a cluster
• Auto-scaling by automatically deploying multiple instances of the security gateway using an elastic load balancer
• Provision security policy using Azure cloud objects like VM instance names and network security groups/tags
• Review event logs with cloud objects like VM instance names and network security groups

5 Support

Please contact your Check Point or Microsoft Azure sales team for more information about this Test Drive and Check Point CloudGuard for Azure.
