Implementing a secure high-availability network infrastructure with a dedicated DMZ based on the Check Point NGFW
Follow this tutorial to deploy a high-availability fail-safe network infrastructure with a dedicated DMZ
The infrastructure elements reside in two availability zones; we will also group them by purpose, placing the groups into different folders. This solution enables you to publish web resources, e.g., front-end applications, in a DMZ while restricting access to the internal network, so that a compromised public-facing application does not expose the internal segments.
We will use the following folders:
- The public folder contains the Application Load Balancer that provides public access to the DMZ applications.
- The mgmt folder contains the NGFW firewalls and other management resources: the `FW-A` and `FW-B` firewall VMs, `mgmt-server`, a firewall management server VM, and `jump-vm`, a VM for accessing the VPN-protected segments.
- The dmz folder contains publicly accessible applications.
- The app and database folders contain application business logic; we will not use them in this tutorial.
For more information, see the yandex-cloud-examples/yc-dmz-with-high-available-ngfw project repository on GitHub.
To deploy a secure high-availability network infrastructure with a dedicated DMZ based on the Check Point next-generation firewall:
- Get your cloud ready.
- Prepare the environment.
- Deploy your resources.
- Set up firewall gateways.
- Enable the route-switcher module.
- Test the solution for performance and fault tolerance.
If you no longer need the resources you created, delete them.
Next-Generation Firewall
We will use a next-generation firewall for cloud network protection and segmentation, creating a dedicated DMZ for publicly accessible applications. Yandex Cloud Marketplace offers multiple NGFW solutions.
In this scenario, we use the Check Point CloudGuard IaaS solution offering the following features:
- Firewalling
- NAT
- Intrusion prevention
- Antivirus
- Bot protection
- Application layer granular traffic control
- Session logging
- Centralized management with Check Point Security Management
In this tutorial, we will configure Check Point CloudGuard IaaS with basic access management and NAT policies.
Get your cloud ready
Sign up for Yandex Cloud and create a billing account:
- Go to the management console and log in to Yandex Cloud or create an account if you do not have one yet.
- On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the `ACTIVE` or `TRIAL_ACTIVE` status. If you do not have a billing account, create one.
If you have an active billing account, you can go to the cloud page to create or select a folder for your project.
Learn more about clouds and folders.
Required paid resources
The infrastructure support cost includes:
- Fee for continuously running VMs (see Yandex Compute Cloud pricing).
- Fee for using Application Load Balancer (see Yandex Application Load Balancer pricing).
- Fee for using Network Load Balancer (see Yandex Network Load Balancer pricing).
- Fee for IP addresses and outbound traffic (see Yandex Virtual Private Cloud pricing).
- Fee for using functions (see Yandex Cloud Functions pricing).
- Fee for using the Check Point NGFW (Marketplace product).
Required quotas
Warning
In this tutorial, you will have to deploy a resource-intensive infrastructure.
Make sure your cloud has sufficient quotas that are not used by other projects.
Resources used by this tutorial
Resource | Amount |
---|---|
Folders | 7 |
Instance groups | 1 |
Virtual machines | 6 |
VM vCPUs | 18 |
VM RAM | 30 GB |
Disks | 6 |
SSD size | 360 GB |
HDD size | 30 GB |
Cloud networks | 7 |
Subnets | 14 |
Route tables | 4 |
Security groups | 10 |
Static public IP addresses | 2 |
Public IP addresses | 2 |
Static routes | 17 |
Buckets | 1 |
Cloud functions | 1 |
Cloud function triggers | 1 |
Total RAM for all running functions | 128 MB |
Network load balancers (NLBs) | 2 |
NLB target groups | 2 |
Application load balancers (ALBs) | 1 |
ALB backend groups | 1 |
ALB target groups | 1 |
Prepare the environment
In this tutorial, we will use Windows software together with Windows Subsystem for Linux (WSL).
To deploy the infrastructure, we will use Terraform.
Configure WSL
- Check whether WSL is installed on your PC. To do this, run this command in the CLI terminal:
  ```powershell
  wsl -l
  ```
  If WSL is installed, the terminal will display a list of available distributions, for example:
  ```text
  Windows Subsystem for Linux Distributions:
  docker-desktop (Default)
  docker-desktop-data
  Ubuntu
  ```
- If WSL is not installed, install it and repeat the previous step.
- Additionally, you can install your preferred Linux distribution, e.g., Ubuntu, on top of WSL.
- To set the installed distribution as default, run this command:
  ```powershell
  wsl --setdefault ubuntu
  ```
- To switch the terminal to Linux, run:
  ```powershell
  wsl ~
  ```
Note
Perform all steps below in the Linux terminal.
Create a cloud administrator service account
Management console
- In the management console, select the folder where you want to create your service account.
- In the list of services, select Identity and Access Management.
- Click Create service account.
- Specify the service account name, e.g., `sa-terraform`. The name should match the following format:
  - It must be 2 to 63 characters long.
  - It may contain lowercase Latin letters, numbers, and hyphens.
  - It must start with a letter and cannot end with a hyphen.
  Make sure the service account name is unique within your cloud.
- Click Create.
- Assign the admin role to the service account:
  - On the management console home page, select your cloud.
  - Navigate to the Access bindings tab.
  - Click Configure access.
  - In the window that opens, click Service accounts and select the `sa-terraform` service account.
  - Click Add role and select the `admin` role.
  - Click Save.
The `admin` role is assigned on the cloud rather than on a folder because Terraform will create the folders themselves. This is the broadest binding you can grant; once the infrastructure is deployed, remove it or replace it with narrower roles.
CLI
If you do not have the Yandex Cloud CLI yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder through the `--folder-name` or `--folder-id` parameter.
- Create a service account:
  ```bash
  yc iam service-account create --name sa-terraform
  ```
  Where `name` is the service account name. The name should match the following format:
  - It must be 2 to 63 characters long.
  - It may contain lowercase Latin letters, numbers, and hyphens.
  - It must start with a letter and cannot end with a hyphen.
  Result:
  ```yaml
  id: ajehr0to1g8bh0la8c8r
  folder_id: b1gv87ssvu497lpgjh5o
  created_at: "2023-03-04T09:03:11.665153755Z"
  name: sa-terraform
  ```
- Assign the admin role to the account:
  ```bash
  yc resource-manager cloud add-access-binding <cloud_ID> \
    --role admin \
    --subject serviceAccount:<service_account_ID>
  ```
  Result:
  ```text
  done (1s)
  ```
API
To create a service account, use the create REST API method for the ServiceAccount resource or the ServiceAccountService/Create gRPC API call.
To assign the service account a role for a cloud or folder, use the updateAccessBindings REST API method for the Cloud or Folder resource:
- Select the role to assign to the service account. You can find the description of the roles in the Yandex Identity and Access Management documentation in the Yandex Cloud role reference.
- Get the ID of the service account's folder.
- Get an IAM token required for authorization in the Yandex Cloud API.
- Get a list of folder service accounts to find out their IDs:
  ```bash
  export FOLDER_ID=b1gvmob95yys********
  export IAM_TOKEN=CggaATEVAgA...
  curl \
    --header "Authorization: Bearer ${IAM_TOKEN}" \
    "https://iam.api.cloud.yandex.net/iam/v1/serviceAccounts?folderId=${FOLDER_ID}"
  ```
  Result:
  ```json
  {
    "serviceAccounts": [
      {
        "id": "ajebqtreob2d********",
        "folderId": "b1gvmob95yys********",
        "createdAt": "2018-10-18T13:42:40Z",
        "name": "my-robot",
        "description": "my description"
      }
    ]
  }
  ```
- Create the request body, e.g., in the `body.json` file. Set the `action` property to `ADD` and `roleId` to the appropriate role, such as `editor`, and specify the `serviceAccount` type and service account ID in the `subject` property:
  body.json:
  ```json
  {
    "accessBindingDeltas": [{
      "action": "ADD",
      "accessBinding": {
        "roleId": "editor",
        "subject": {
          "id": "ajebqtreob2d********",
          "type": "serviceAccount"
        }
      }
    }]
  }
  ```
- Assign a role to a service account. For example, for a folder with the `b1gvmob95yys********` ID:
  ```bash
  export FOLDER_ID=b1gvmob95yys********
  export IAM_TOKEN=CggaAT********
  curl \
    --request POST \
    --header "Content-Type: application/json" \
    --header "Authorization: Bearer ${IAM_TOKEN}" \
    --data '@body.json' \
    "https://resource-manager.api.cloud.yandex.net/resource-manager/v1/folders/${FOLDER_ID}:updateAccessBindings"
  ```
  The `editor` role on a folder is only an illustration of the request format. For this tutorial, set `roleId` to `admin` and call updateAccessBindings on the Cloud resource, as in the management console and CLI steps above.
Install the required tools
- Install Git using the following command:
  ```bash
  sudo apt install git
  ```
- Install Terraform:
  - Navigate to your home directory:
    ```bash
    cd ~
    ```
  - Create the `terraform` directory and open it:
    ```bash
    mkdir terraform
    cd terraform
    ```
  - Download the `terraform_1.3.9_linux_amd64.zip` file:
    ```bash
    curl \
      --location \
      --remote-name \
      https://hashicorp-releases.yandexcloud.net/terraform/1.3.9/terraform_1.3.9_linux_amd64.zip
    ```
    This host is a mirror of the HashiCorp release server. Before unpacking, compare the archive's SHA256 sum with the checksum file HashiCorp publishes for the 1.3.9 release.
  - Install `zip` and unpack the ZIP archive:
    ```bash
    sudo apt install zip
    unzip terraform_1.3.9_linux_amd64.zip
    ```
  - Add the executable directory to your `PATH`:
    ```bash
    export PATH=$PATH:~/terraform
    ```
    This applies to the current shell only; add the same line to `~/.bashrc` to make it permanent.
  - Make sure Terraform is installed by running this command:
    ```bash
    terraform -help
    ```
- Create a configuration file specifying the Terraform provider source:
  - Create the `.terraformrc` file in `nano`:
    ```bash
    cd ~
    nano .terraformrc
    ```
  - Add the following section to the file:
    ```hcl
    provider_installation {
      network_mirror {
        url     = "https://terraform-mirror.yandexcloud.net/"
        include = ["registry.terraform.io/*/*"]
      }
      direct {
        exclude = ["registry.terraform.io/*/*"]
      }
    }
    ```
  For more information about mirror settings, see the Terraform documentation.
Deploy your resources
- Clone the yandex-cloud-examples/yc-dmz-with-high-available-ngfw GitHub repository and navigate to the `yc-dmz-with-high-available-ngfw` directory:
  ```bash
  git clone https://github.com/yandex-cloud-examples/yc-dmz-with-high-available-ngfw.git
  cd yc-dmz-with-high-available-ngfw
  ```
- Set up the CLI profile to run operations on behalf of the service account:
  CLI
  If you do not have the Yandex Cloud CLI yet, install and initialize it.
  The folder specified in the CLI profile is used by default. You can specify a different folder through the `--folder-name` or `--folder-id` parameter.
  - Create an authorized key for your service account and save it to a file:
    ```bash
    yc iam key create \
      --service-account-id <service_account_ID> \
      --folder-id <ID_of_folder_with_service_account> \
      --output key.json
    ```
    Where:
    - `service-account-id`: Service account ID.
    - `folder-id`: ID of the service account folder.
    - `output`: Authorized key file name.
    Result:
    ```yaml
    id: aje8nn871qo4********
    service_account_id: ajehr0to1g8b********
    created_at: "2023-03-04T09:16:43.479156798Z"
    key_algorithm: RSA_2048
    ```
    `key.json` is a long-lived credential for an account with the `admin` role on your cloud. Keep it out of the repository working tree you commit from, and delete it when you no longer need it.
  - Create a CLI profile to run operations on behalf of the service account:
    ```bash
    yc config profile create sa-terraform
    ```
    Result:
    ```text
    Profile 'sa-terraform' created and activated
    ```
  - Configure the profile:
    ```bash
    yc config set service-account-key key.json
    yc config set cloud-id <cloud_ID>
    yc config set folder-id <folder_ID>
    ```
    Where:
    - `service-account-key`: Authorized key file.
    - `cloud-id`: Cloud ID.
    - `folder-id`: Folder ID.
  - Add your credentials to the environment variables:
    ```bash
    export YC_TOKEN=$(yc iam create-token)
    export YC_CLOUD_ID=$(yc config get cloud-id)
    export YC_FOLDER_ID=$(yc config get folder-id)
    ```
- Get your PC IP address:
  ```bash
  curl 2ip.ru
  ```
  Result:
  ```text
  192.2**.**.**
  ```
- Open the `terraform.tfvars` file in `nano` and edit it as follows:
  - The cloud ID line:
    ```hcl
    cloud_id = "<cloud_ID>"
    ```
  - The line with a list of allowed public IP addresses for `jump-vm` access:
    ```hcl
    trusted_ip_for_access_jump-vm = ["<PC_external_IP_address>/32"]
    ```
- Deploy the resources in the cloud with Terraform:
  - Initialize Terraform:
    ```bash
    terraform init
    ```
  - Check the Terraform file configuration:
    ```bash
    terraform validate
    ```
  - Check the list of cloud resources you want to create:
    ```bash
    terraform plan
    ```
  - Create resources:
    ```bash
    terraform apply
    ```
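Before running `terraform apply`, it is worth checking the two values you just edited, because `trusted_ip_for_access_jump-vm` is what keeps the WireGuard endpoint on `jump-vm` reachable only from your PC. The script below is an added example and not part of the yc-dmz-with-high-available-ngfw repository. It parses the flat `terraform.tfvars` and flags a placeholder `cloud_id`, an invalid or non-public trusted address, and a trusted range wider than /24 (the /24 limit is this example's assumption; the tutorial itself uses a single /32). The sample inputs at the bottom are constructed.

```python
"""Pre-flight check of terraform.tfvars before running `terraform apply`.

Added example, not part of the yc-dmz-with-high-available-ngfw repository.
It checks the two variables the tutorial asks you to edit: `cloud_id` and
`trusted_ip_for_access_jump-vm`. A trusted range that is too wide (for
example 0.0.0.0/0) would expose the WireGuard endpoint on jump-vm to the
whole internet instead of to your PC only.
"""
import ipaddress
import re
import sys

# Widest source prefix accepted as "trusted". /24 is an assumption made for
# this example; the tutorial itself uses a single /32.
MAX_TRUSTED_PREFIX = 24

# Ranges that can never be the internet-facing address of your PC.
NON_PUBLIC = [ipaddress.ip_network(c) for c in (
    '0.0.0.0/8', '10.0.0.0/8', '127.0.0.0/8', '169.254.0.0/16',
    '172.16.0.0/12', '192.168.0.0/16')]

_ASSIGN = re.compile(r'^\s*([A-Za-z0-9_\-]+)\s*=\s*(.+?)\s*$')


def parse_tfvars(text):
    """Parse the flat `key = "value"` / `key = ["a", "b"]` lines used in this
    tutorial's terraform.tfvars. Comments and blank lines are ignored."""
    values = {}
    for line in text.splitlines():
        line = line.split('#', 1)[0].rstrip()
        m = _ASSIGN.match(line)
        if not m:
            continue
        key, raw = m.group(1), m.group(2)
        if raw.startswith('['):
            values[key] = re.findall(r'"([^"]*)"', raw)
        else:
            values[key] = raw.strip('"')
    return values


def check_tfvars(values):
    """Return a list of findings; an empty list means the file is safe to apply."""
    findings = []
    cloud_id = values.get('cloud_id', '')
    if not cloud_id or cloud_id.startswith('<'):
        findings.append('cloud_id is missing or still the <cloud_ID> placeholder')
    trusted = values.get('trusted_ip_for_access_jump-vm')
    if not trusted:
        findings.append('trusted_ip_for_access_jump-vm is missing or empty')
        return findings
    for entry in trusted:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            findings.append(f'{entry!r} is not a valid CIDR')
            continue
        if net.version != 4:
            findings.append(f'{entry!r}: only IPv4 is expected for jump-vm access')
        elif net.prefixlen < MAX_TRUSTED_PREFIX:
            findings.append(f'{entry!r} is wider than /{MAX_TRUSTED_PREFIX}; '
                            'jump-vm would accept WireGuard from far more than your PC')
        elif any(net.subnet_of(n) for n in NON_PUBLIC):
            findings.append(f'{entry!r} is not a public address; use the address '
                            'returned by `curl 2ip.ru`, not a LAN address')
    return findings


# Constructed samples, not taken from a real deployment.
SAMPLE_OK = '''
cloud_id = "b1gexample0cloud0id0"
trusted_ip_for_access_jump-vm = ["203.0.113.7/32"]  # PC address as seen from the internet
'''
SAMPLE_BAD = '''
cloud_id = "<cloud_ID>"
trusted_ip_for_access_jump-vm = ["0.0.0.0/0", "10.0.0.5/32", "not-an-ip"]
'''

if __name__ == '__main__':
    path = sys.argv[1] if len(sys.argv) > 1 else 'terraform.tfvars'
    with open(path, encoding='utf-8') as fh:
        problems = check_tfvars(parse_tfvars(fh.read()))
    for p in problems:
        print('FAIL:', p)
    sys.exit(1 if problems else 0)
```

Run it from the repository directory as `python3 check_tfvars.py terraform.tfvars` (the file name is this example's choice); a non-zero exit code means something should be fixed before `terraform apply`.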
Set up firewall gateways
In this tutorial, we will configure the `FW-A` and `FW-B` firewalls with basic access management and NAT policies. They are sufficient to test performance and fault tolerance but not for a production environment.
Connect to the control segment via a VPN
After deploying the infrastructure, the `mgmt` folder will contain an Ubuntu `jump-vm` instance with a configured WireGuard VPN. The VPN tunnel provides access to the `mgmt`, `dmz`, `app`, and `database` segment subnets through `jump-vm`.
To set up the VPN tunnel:
- Get your Linux username:
  ```bash
  whoami
  ```
- Install WireGuard on your PC.
- Open WireGuard and click Add Tunnel.
- In the dialog that opens, select the `jump-vm-wg.conf` file in the `yc-dmz-with-high-available-ngfw` directory. To find a Linux, e.g., Ubuntu, directory, type the file path in the dialog address bar:
  ```text
  \\wsl$\Ubuntu\home\<Ubuntu_user_name>\yc-dmz-with-high-available-ngfw
  ```
  Where `<Ubuntu_user_name>` is the Linux username you got in the previous step. The file contains the tunnel's private key, so treat it like any other credential.
- Click Activate to activate the tunnel.
- Check whether you can connect to the management server via WireGuard VPN by running this command in the terminal:
  ```bash
  ping 192.168.1.100
  ```
Warning
If `ping` fails, make sure the `mgmt-jump-vm-sg` security group inbound rules include your PC external IP address.
Run SmartConsole
To set up and manage Check Point, use the SmartConsole GUI client:
- Connect to the NGFW management server by opening `https://192.168.1.100` in your browser.
- Sign in using `admin` as both username and password. This is the default credential of the deployed image; change it in Gaia Portal before you continue, even though the management server is reachable only through the VPN tunnel.
- You will enter Gaia Portal, where you can download the SmartConsole GUI client by clicking Manage Software Blades using SmartConsole. Download Now!.
- Install SmartConsole on your PC.
- Get a password to access SmartConsole by running this command in the terminal:
  ```bash
  terraform output fw_smartconsole_mgmt-server_password
  ```
- Open SmartConsole and sign in as `admin` with the password you got in the previous step, specifying `192.168.1.100` as your management server IP address.
Add firewall gateways
Use the wizard to add the `FW-A` firewall gateway to the management server:
- In the Objects drop-down list at the top left, select More object types → Network Object → Gateways and Servers → New Gateway....
- Click Wizard Mode.
- In the dialog that opens, specify the following:
  - Gateway name: `FW-A`
  - Gateway platform: `CloudGuard IaaS`
  - IPv4: `192.168.1.10`
- Click Next.
- Get the firewall password by running this command in the terminal:
  ```bash
  terraform output fw_sic-password
  ```
- Enter the received password in the One-time password field. This is the SIC (Secure Internal Communication) activation key that establishes trust between the management server and the gateway.
- Click Next, and then Finish.
Similarly, add the `FW-B` firewall gateway with the values below:
- Gateway name: `FW-B`
- IPv4: `192.168.2.10`
FW-A gateway network interfaces
Configure the `eth0` network interface:
- In the Gateways & Servers tab, open the `FW-A` gateway setup dialog.
- In the Topology table within the Network Management tab, select the `eth0` interface and click Modify....
- Under Leads To, select Override.
- Next to the Specific option, hover over the `FW-A-eth0` interface name and click the edit icon in the window that opens.
- In the dialog that opens, rename `FW-A-eth0` to `mgmt`.
- Under Security Zone, activate Specify Security Zone and select InternalZone.
Similarly, configure the `eth1`, `eth2`, `eth3`, and `eth4` network interfaces:
- For the `eth1` interface, select ExternalZone under Security Zone. Do not rename this interface.
- Rename the `eth2` interface to `dmz`, enable Interface leads to DMZ, and specify DMZZone. Set up Automatic Hide NAT to hide the addresses of internet-facing VMs hosted in the DMZ segment. To do this:
  - In the `dmz` interface edit dialog, click `Net_10.160.1.0` and navigate to the NAT tab.
  - Enable Add automatic address translation rules, select Hide from the drop-down list, and then enable Hide behind gateway.
  - Repeat these steps for `Net_10.160.2.0`.
- Rename the `eth3` interface to `app` and specify InternalZone.
- Rename the `eth4` interface to `database` and specify InternalZone.
FW-B gateway network interfaces
Configure the `FW-B` gateway network interfaces the same way as you did for `FW-A`, but give the interfaces the existing names from the list instead of creating new ones.
To select an already specified interface name:
- Under Leads To, select Override.
- Find the relevant name in the drop-down list next to the Specific option.
Warning
Renaming the interfaces a second time creates duplicate network object names, which causes an error when you install the security policy.
Create network objects
- In the Objects drop-down list at the top left, select New Network... and create the `public - a` and `public - b` networks with the following parameters:

Name | Network address | Net mask |
---|---|---|
public - a | 172.16.1.0 | 255.255.255.0 |
public - b | 172.16.2.0 | 255.255.255.0 |

- Select New Network Group..., create the `public` group, and add the `public - a` and `public - b` networks to it.
- Select New Host... and create hosts with the following parameters:

Name | IPv4 address |
---|---|
dmz-web-server | 10.160.1.100 |
FW-a-dmz-IP | 10.160.1.10 |
FW-a-public-IP | 172.16.1.10 |
FW-b-dmz-IP | 10.160.2.10 |
FW-b-public-IP | 172.16.2.10 |

- Select More object types → Network Object → Service → New TCP... and create a TCP service for the DMZ application, specifying `TCP_8080` as its name and `8080` as its port.
Set security policy rules
To add a security rule:
- In the Security policies tab, select Policy under Access Control.
- Right-click the rule table area and, in the context menu that opens, select Above or Below next to New Rule.
- In the new line that appears:
  - In the Name column, specify `Web-server port forwarding on FW-a`.
  - In the Source column, click `+` and select `public`.
  - In the Destination column, select `FW-a-public-IP`.
  - In the Services & Applications column, select `TCP_8080`.
  - In the Action column, select `Accept`.
  - In the Track column, select `Log`.
  - In the Install On column, select `FW-a`.
In the same way, add the other rules from the table below; these rules will allow you to test the firewall policies, pass NLB health checks, publish a test application from the DMZ segment, and run a fault tolerance test. Keep the order shown: rules are matched top to bottom and the first match wins, so the Stealth rule (4) must stay above the broad `mgmt to ...` rules to keep the gateways and the management server unreachable from anything but the `mgmt` segment, and the Cleanup rule (9) must be last.
No | Name | Source | Destination | VPN | Services & Applications | Action | Track | Install On |
---|---|---|---|---|---|---|---|---|
1 | Web-server port forwarding on FW-a | public | FW-a-public-IP | Any | TCP_8080 | Accept | Log | FW-a |
2 | Web-server port forwarding on FW-b | public | FW-b-public-IP | Any | TCP_8080 | Accept | Log | FW-b |
3 | FW management & NLB healthcheck | mgmt | FW-a, FW-b, mgmt-server | Any | https, ssh | Accept | Log | Policy Targets (All gateways) |
4 | Stealth | Any | FW-a, FW-b, mgmt-server | Any | Any | Drop | Log | Policy Targets (All gateways) |
5 | mgmt to DMZ | mgmt | dmz | Any | Any | Accept | Log | Policy Targets (All gateways) |
6 | mgmt to app | mgmt | app | Any | Any | Accept | Log | Policy Targets (All gateways) |
7 | mgmt to database | mgmt | database | Any | Any | Accept | Log | Policy Targets (All gateways) |
8 | ping from dmz to internet | dmz | ExternalZone | Any | icmp-requests (Group) | Accept | Log | Policy Targets (All gateways) |
9 | Cleanup rule | Any | Any | Any | Any | Drop | Log | Policy Targets (All gateways) |
Set up a static NAT table
Source NAT ensures that the return traffic of the user's connection comes back through the same firewall that forwarded the request. Destination NAT routes user requests to the network load balancer upstream of the group of application web servers.
The Source IP and Destination IP headers of packets coming from Application Load Balancer to the DMZ application are translated to the firewall's DMZ IP and the load balancer IP, respectively.
To set up the `FW-A` gateway NAT table:
- Navigate to the NAT section under Access Control.
- Right-click the rule table area and, in the context menu that opens, select Above or Below next to New Rule.
- In the new line that appears:
  - In the Original Source column, click `+` and select `public`.
  - In the Original Destination column, select `FW-a-public-IP`.
  - In the Original Services column, select `TCP_8080`.
  - In the Translated Source column, select `FW-a-dmz-IP`.
  - In the Translated Destination column, select `dmz-web-server`.
  - In the Install On column, select `FW-a`.
- Change the NAT method for `FW-a-dmz-IP` by right-clicking `FW-a-dmz-IP` in the table and selecting NAT Method > Hide from the context menu.
In the same way, set up the `FW-B` gateway static NAT table based on the table below:
No | Original Source | Original Destination | Original Services | Translated Source | Translated Destination | Translated Services | Install On |
---|---|---|---|---|---|---|---|
1 | public | FW-a-public-IP | TCP_8080 | FW-a-dmz-IP (Hide) | dmz-web-server | Original | FW-a |
2 | public | FW-b-public-IP | TCP_8080 | FW-b-dmz-IP (Hide) | dmz-web-server | Original | FW-b |
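The access rule base above and the NAT table just defined are easiest to reason about as ordered first-match lists that are consulted only on the gateways named in Install On. The following Python model is an added example, not code from the tutorial's repository or from Check Point: it encodes the nine access rules, the two NAT rules and the network objects from this page, approximates ExternalZone as "not inside any known internal network" (the real zone comes from interface topology), and assumes /24 `mgmt` subnets and placeholder `app` and `database` subnets (marked ASSUMED in the code) that the page does not specify. Running it shows, for example, why a DMZ host pinging `jump-vm` is dropped by the Cleanup rule rather than by Stealth, and why an ALB connection that arrives at `FW-B` addressed to `FW-A`'s public IP is dropped by Stealth.

```python
"""Offline model of the access rule base and static NAT table from this tutorial.

Added example; not part of the tutorial's repository or of Check Point software.
It reproduces two properties the later test steps rely on: Access Control rules
are matched top to bottom and the first match wins, and a rule is consulted only
on gateways listed in its Install On column. NAT is then applied to accepted
connections. Subnets marked ASSUMED are not given on the page.
"""
import ipaddress
from collections import namedtuple


def nets(*cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


OBJECTS = {
    'public': nets('172.16.1.0/24', '172.16.2.0/24'),
    'mgmt': nets('192.168.1.0/24', '192.168.2.0/24'),   # ASSUMED /24s around the gateway mgmt IPs
    'dmz': nets('10.160.1.0/24', '10.160.2.0/24'),      # Net_10.160.1.0 and Net_10.160.2.0
    'app': nets('10.161.0.0/16'),                        # ASSUMED
    'database': nets('10.162.0.0/16'),                   # ASSUMED
    'FW-a': nets('192.168.1.10/32', '172.16.1.10/32', '10.160.1.10/32'),
    'FW-b': nets('192.168.2.10/32', '172.16.2.10/32', '10.160.2.10/32'),
    'mgmt-server': nets('192.168.1.100/32'),
    'FW-a-public-IP': nets('172.16.1.10/32'), 'FW-b-public-IP': nets('172.16.2.10/32'),
    'FW-a-dmz-IP': nets('10.160.1.10/32'), 'FW-b-dmz-IP': nets('10.160.2.10/32'),
    'dmz-web-server': nets('10.160.1.100/32'),
}
INTERNAL = [n for k in ('public', 'mgmt', 'dmz', 'app', 'database') for n in OBJECTS[k]]
SERVICES = {  # name -> (protocol, port); None means any
    'TCP_8080': ('tcp', 8080), 'https': ('tcp', 443), 'ssh': ('tcp', 22),
    'icmp-requests': ('icmp', None), 'Any': (None, None),
}
ALL = ('FW-a', 'FW-b')  # "Policy Targets (All gateways)"

Packet = namedtuple('Packet', 'gateway src dst proto dport')
Rule = namedtuple('Rule', 'name src dst svc action install_on')

RULES = [  # rules 1-9 from the tutorial's table, in order
    Rule('Web-server port forwarding on FW-a', ['public'], ['FW-a-public-IP'], ['TCP_8080'], 'Accept', ('FW-a',)),
    Rule('Web-server port forwarding on FW-b', ['public'], ['FW-b-public-IP'], ['TCP_8080'], 'Accept', ('FW-b',)),
    Rule('FW management & NLB healthcheck', ['mgmt'], ['FW-a', 'FW-b', 'mgmt-server'], ['https', 'ssh'], 'Accept', ALL),
    Rule('Stealth', ['Any'], ['FW-a', 'FW-b', 'mgmt-server'], ['Any'], 'Drop', ALL),
    Rule('mgmt to DMZ', ['mgmt'], ['dmz'], ['Any'], 'Accept', ALL),
    Rule('mgmt to app', ['mgmt'], ['app'], ['Any'], 'Accept', ALL),
    Rule('mgmt to database', ['mgmt'], ['database'], ['Any'], 'Accept', ALL),
    Rule('ping from dmz to internet', ['dmz'], ['ExternalZone'], ['icmp-requests'], 'Accept', ALL),
    Rule('Cleanup rule', ['Any'], ['Any'], ['Any'], 'Drop', ALL),
]
NAT = [  # (original src, original dst, original svc, translated src (Hide), translated dst, install on)
    ('public', 'FW-a-public-IP', 'TCP_8080', 'FW-a-dmz-IP', 'dmz-web-server', 'FW-a'),
    ('public', 'FW-b-public-IP', 'TCP_8080', 'FW-b-dmz-IP', 'dmz-web-server', 'FW-b'),
]


def addr_matches(ip, obj_names):
    ip = ipaddress.ip_address(ip)
    for name in obj_names:
        if name == 'Any':
            return True
        if name == 'ExternalZone':
            # Approximation: the real zone is derived from interface topology;
            # here "external" means the address is in none of the internal networks.
            if not any(ip in n for n in INTERNAL):
                return True
        elif any(ip in n for n in OBJECTS[name]):
            return True
    return False


def svc_matches(proto, dport, svc_names):
    return any((p is None or p == proto) and (port is None or port == dport)
               for p, port in (SERVICES[s] for s in svc_names))


def evaluate(pkt):
    """Return (rule name, action) of the first rule installed on pkt.gateway that matches."""
    for r in RULES:
        if pkt.gateway in r.install_on and addr_matches(pkt.src, r.src) \
                and addr_matches(pkt.dst, r.dst) and svc_matches(pkt.proto, pkt.dport, r.svc):
            return r.name, r.action
    raise RuntimeError('no rule matched; the Cleanup rule should make this impossible')


def translate(pkt):
    """Apply the first matching static NAT rule. Hide NAT replaces the source with the
    gateway's DMZ address, so return traffic comes back through the same firewall."""
    for osrc, odst, osvc, tsrc, tdst, gw in NAT:
        if gw == pkt.gateway and addr_matches(pkt.src, [osrc]) and addr_matches(pkt.dst, [odst]) \
                and svc_matches(pkt.proto, pkt.dport, [osvc]):
            return pkt._replace(src=str(OBJECTS[tsrc][0].network_address),
                                dst=str(OBJECTS[tdst][0].network_address))
    return pkt


def forward(pkt):
    """Policy lookup followed by NAT, as the gateway does for a new connection.
    Returns (rule name, action, translated packet or None if dropped)."""
    rule, action = evaluate(pkt)
    return rule, action, (translate(pkt) if action == 'Accept' else None)


if __name__ == '__main__':
    # Constructed flows; 198.51.100.9 stands in for an arbitrary internet host.
    for p in (Packet('FW-a', '172.16.1.25', '172.16.1.10', 'tcp', 8080),     # ALB -> DMZ application
              Packet('FW-a', '10.160.1.100', '192.168.1.101', 'icmp', None),  # DMZ VM -> jump-vm
              Packet('FW-a', '10.160.1.100', '198.51.100.9', 'icmp', None)):  # DMZ VM -> internet
        print(p, '->', forward(p))
```

The model deliberately ignores stateful return traffic and the Automatic Hide NAT configured on the `dmz` interface; it covers only the explicit rules from the two tables, which is what the later "Test the system" steps exercise.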
Apply the security policy rules
- Click Install Policy at the top left of the screen.
- In the dialog that opens, click Push & Install.
- In the next dialog, click Install and wait for the process to complete.
Enable the route-switcher module
After completing the NGFW setup, make sure the `FW-A` and `FW-B` health checks return `Healthy`. To do this, select Network Load Balancer in the `mgmt` folder of the Yandex Cloud management console and open the `route-switcher-lb-...` network load balancer page. Expand the target group and check whether its resources are `Healthy`. If they are `Unhealthy`, make sure `FW-A` and `FW-B` are configured correctly and running, and that the policy containing the `FW management & NLB healthcheck` rule has been installed on both gateways.
Once the `FW-A` and `FW-B` status changes to `Healthy`, open the `route-switcher.tf` file and change the `start_module` value of the `route-switcher` module to `true`. To enable the module, run these commands:
```bash
terraform plan
terraform apply
```
Within five minutes, the `route-switcher` module will start working, providing outbound traffic fault tolerance.
Test the solution for performance and fault tolerance
Test the system
- To get the load balancer IP address, run this command in the terminal:
  ```bash
  terraform output fw-alb_public_ip_address
  ```
- Make sure your network infrastructure is accessible from outside by opening the following address in your browser:
  `http://<ALB_load_balancer_public_IP_address>`
  If your system is accessible from outside, you will see the `Welcome to nginx!` page.
- Make sure the firewall rules allowing traffic are active. To do this, navigate to the `yc-dmz-with-high-available-ngfw` folder on your PC and connect to a DMZ VM over SSH:
  ```bash
  cd ~/yc-dmz-with-high-available-ngfw
  ssh -i pt_key.pem admin@<VM_internal_IP_address_in_DMZ_segment>
  ```
- To check whether there is internet access on the DMZ VM, run this command:
  ```bash
  ping ya.ru
  ```
  The `ping from dmz to internet` rule should allow the command to run.
- Make sure the firewall traffic-blocking rules are active. To check that `jump-vm` in the `mgmt` segment cannot be accessed from the `dmz` segment, run this command on the DMZ VM:
  ```bash
  ping 192.168.1.101
  ```
  The `Cleanup rule` should block the command. You can confirm which rule matched in the SmartConsole Logs & Monitor view, since every rule in the policy has Track set to `Log`.
Testing fault tolerance
- Install the `httping` tool for making HTTP requests on your PC:
  ```bash
  sudo apt-get install httping
  ```
- To get the load balancer IP address, run this command in the terminal:
  ```bash
  terraform output fw-alb_public_ip_address
  ```
- Emulate the DMZ application inbound traffic by making requests to the ALB public IP address:
  ```bash
  httping http://<ALB_load_balancer_public_IP_address>
  ```
- Open another terminal window and connect to a DMZ VM over SSH:
  ```bash
  ssh -i pt_key.pem admin@<VM_internal_IP_address_in_DMZ_segment>
  ```
- Set the `admin` password; the serial console requires password login:
  ```bash
  sudo passwd admin
  ```
- In the Yandex Cloud management console, change the settings of this VM:
  - In the list of services, select Compute Cloud.
  - In the left-hand panel, select Virtual machines.
  - Click the actions menu next to the VM you need and select Edit.
  - In the window that opens, under Additional, enable Access to serial console.
  - Click Save changes.
- Connect to the VM serial console and enter the `admin` username and the password you set earlier. The serial console is used because the SSH session from `jump-vm` itself passes through the firewall and may drop during the failover.
- Emulate the DMZ to internet outbound traffic by running `ping` on the DMZ VM:
  ```bash
  ping ya.ru
  ```
- Emulate the main firewall failure by stopping the `FW-A` VM in the `mgmt` folder of the Yandex Cloud management console.
- Monitor the loss of `httping` and `ping` packets. After `FW-A` fails, you may see a traffic loss for about one minute, after which traffic recovers.
- Make sure the `dmz-rt` route table in the `dmz` folder uses the `FW-B` address as `next hop`.
- Emulate the main firewall recovery by starting the `FW-A` VM in the Yandex Cloud management console.
- Monitor the loss of `httping` and `ping` packets. After `FW-A` is restored, you may see a traffic loss for about one minute, after which traffic recovers.
- Make sure the `dmz-rt` route table in the `dmz` folder uses the `FW-A` address as `next hop`.
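To turn "traffic loss for about one minute" into a number you can compare between runs, record the probe results instead of watching `httping` scroll by and compute the outage windows from them. The script below is an added example, not part of the tutorial's repository: `probe()` issues one HTTP GET against the ALB address (pass it as the first argument, as `httping` does), `outage_windows()` extracts loss intervals from a sequence of timestamped probe results while ignoring a single lost probe, and `summarize()` reports the longest gap. The `SAMPLE` series is constructed, not captured from a real failover.

```python
"""Measure the failover gap seen by an httping-style probe during the FW-A stop/start test.

Added example, not part of the tutorial's repository. Run with the ALB address
to probe live, or without arguments to analyse the constructed SAMPLE series.
"""
import sys
import time
import urllib.error
import urllib.request


def probe(url, timeout=2.0):
    """One HTTP probe: True if the ALB answered at all, False on timeout or network error."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return 200 <= resp.status < 600
    except urllib.error.HTTPError:
        return True      # the backend answered, even if with an error status
    except (urllib.error.URLError, OSError):
        return False


def outage_windows(samples, min_failures=2):
    """samples: iterable of (t_seconds, ok). Returns [(start, end, lost_probes)] for every
    run of at least min_failures consecutive failed probes; shorter runs count as noise.
    `end` is the time of the first successful probe after the run (or the last sample
    if the capture ended while still down)."""
    windows, run_start, lost, last_t = [], None, 0, None
    for t, ok in samples:
        if not ok:
            if run_start is None:
                run_start = t
            lost += 1
        else:
            if run_start is not None and lost >= min_failures:
                windows.append((run_start, t, lost))
            run_start, lost = None, 0
        last_t = t
    if run_start is not None and lost >= min_failures:
        windows.append((run_start, last_t, lost))
    return windows


def summarize(samples):
    w = outage_windows(samples)
    return {
        'windows': len(w),
        'longest_s': max((end - start for start, end, _ in w), default=0),
        'lost_probes': sum(lost for *_, lost in w),
    }


# Constructed sample: one probe per second for 240 s, a single blip at t=10,
# then FW-A is stopped at t=100 and the route switches over 58 s later.
SAMPLE = [(t, not (t == 10 or 100 <= t < 158)) for t in range(0, 240)]


def run_live(url, seconds=300, interval=1.0):
    """Probe the ALB for `seconds` and return the outage summary of that run."""
    start = time.monotonic()
    samples = []
    while time.monotonic() - start < seconds:
        samples.append((round(time.monotonic() - start), probe(url)))
        time.sleep(interval)
    return summarize(samples)


if __name__ == '__main__':
    if len(sys.argv) > 1:
        print(run_live(sys.argv[1]))
    else:
        print(summarize(SAMPLE))
```

Start the live run before stopping `FW-A` and let it cover both the failure and the recovery; two windows of roughly a minute each are what the page's description predicts.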
How to delete the resources you created
To stop paying for the resources you created, run this command:
```bash
terraform destroy
```
Terraform will permanently delete all resources, such as networks, subnets, VMs, load balancers, folders, etc.
You can delete the resources faster by deleting all folders in the Yandex Cloud console and then deleting the `terraform.tfstate` file from the `yc-dmz-with-high-available-ngfw` folder on your PC.