The Solution
VPN-1 Pro is a tightly integrated software solution combining the market-leading
FireWall-1® security suite with sophisticated VPN technologies. The cornerstone of Check
Point's Secure Virtual Network architecture, VPN-1 Pro meets the demanding
requirements of Internet, intranet, and extranet VPNs by providing secure connectivity to
corporate networks, remote and mobile users, satellite offices, and key partners.
VPN-1 Pro software may be deployed on a range of platforms for maximum flexibility and
scalability.
VPN-1 Pro supports sophisticated high availability configurations for IPSec traffic, and provides built-in resiliency for remote access VPNs. Extranets are made possible through support for industry standards as well as all leading PKI products and services. For superior performance, VPN-1 Pro solutions may also include bandwidth management, compression, and hardware-based VPN acceleration.
Product Features
- Protects data communications with industry-standard encryption, authentication, and key management schemes
- Secures valuable corporate resources with FireWall-1
- Enables centralized, integrated, policy-based management of the entire enterprise security policy
- Includes advanced OpenPKI support, integrated bandwidth management, compression, and sophisticated High Availability solutions
- Includes SecureXL and QoS
Product Benefits
- Ensures maximum security for corporate resources and Internet communications
- Lowers cost of connecting mobile workers, telecommuters, and branch offices
- Eases network security management and reduces administrative overhead
- Provides scalability, reliability, and superior performance for mission-critical VPNs
- Flexibility
- Highly scalable VPNs and multi-gigabit security performance
Security
Check Point VPN-1 Pro integrates access control, authentication, and encryption to guarantee the security of network connections, the authenticity of local and remote users, and the privacy and integrity of data communications.
Access Control
Based on the market-leading FireWall-1, Check Point
VPN-1 Pro supports more than 150 pre-defined applications, services, and protocols out
of the box. VPN-1 Pro secures all popular Internet services, including the most
commonly used applications like HTTP, SMTP, Telnet, and FTP; the entire TCP family of
applications; and connectionless protocols such as UDP. In addition, VPN-1 Pro
supports important business applications such as Oracle SQL, multimedia applications such
as RealAudio, and Voice over IP (VoIP) services such as H.323.
Supported User Authentication Schemes

| User Authentication Scheme | Verification Mechanism |
|---|---|
| RADIUS | Supports multiple authentication methods |
| TACACS/TACACS+ | Supports multiple authentication methods |
| Token-based (two factor) | Uses hardware token and password |
| Operating System Password | Standard OS password |
| FireWall-1 Password | FireWall-1 gateway password |
| S/Key | Seed-based one-time passwords |
| Digital Certificates | Validated by checking the CA's signature |
| X.509 | |
| Pre-Shared Secret | |
| Hybrid Mode IKE | |

Supported Data Authentication Schemes

| Data Authentication Scheme | Key Length | Hash Length |
|---|---|---|
| CBC-DES-MAC | 56-bit | 64-bit |
| MD5 | 128-bit | 128-bit |
| SHA-1 | 160-bit | 160-bit |

Supported Key Management Schemes

| Scheme | Process | Description |
|---|---|---|
| IKE (ISAKMP/Oakley) | Automatic | Optional key management scheme for IPv4, mandatory for IPv6 |
| FWZ | Automatic | Internal or external CA/PKI automatically establishes security associations and updates public keys |
| SKIP | Automatic | Optional key management scheme for IPv4 |
| Manual IPSec | Manual | All security associations and keys distributed manually |

Authentication
One of the most important requirements of a VPN solution is the ability to verify the
identity of the person using the VPN. Once users successfully authenticate themselves,
they gain secure access to network resources such as email, internal Web servers, NT
domain resources, and database applications.
For maximum security and flexibility, VPN-1 Pro provides integrated support for multiple user authentication methods. User authentication can be accomplished using smart cards, token-based products like SecurID, LDAP-stored passwords, RADIUS or TACACS+ servers, pre-shared secrets, X.509 digital certificates, or even advanced biometric techniques. In addition, Check Point provides the Secure Authentication API (SAA), an open application programming interface that enables third-party security vendors to integrate their leading-edge solutions with VPN-1.
VPN-1 Pro provides additional flexibility by enabling organizations to utilize any supported authentication method in conjunction with the Internet Key Exchange (IKE) for IPSec VPN deployments.
Encryption
Once secure network access has been granted, a VPN solution must protect the privacy of
the data being transmitted. By adhering to the IPSec standard, VPN-1 Pro automatically
negotiates the strongest possible encryption and data authentication algorithms available
between communicating parties. This includes both DES and Triple DES for data encryption,
and SHA-1 and MD5 for data authentication. In addition, encryption keys are updated
frequently, ensuring maximum security and providing Perfect Forward Secrecy (PFS) so that
older encryption keys cannot be used to decipher more recent communications.

Supported Encryption Algorithms

| Encryption | Key Length |
|---|---|
| Rijndael | 128 - 256 bit |
| CAST-40 | 40-bit |
| FWZ-1 | 48-bit |
| DES-40 | 40-bit (32-bit IV) |
| DES | 56-bit |
| Triple DES | 168-bit |

Public Key Infrastructure (PKI) Support
Public Key Infrastructures provide the necessary management infrastructure for large IPSec VPN
deployments by enabling the use and management of keys and digital certificates. By
adhering to industry standards such as X.509, PKIs also ensure the highest levels of
security and interoperability as organizations expand their networks through remote access
and extranet VPNs.
Interoperability through OpenPKI
VPN-1's OpenPKI support allows customers to choose the PKI solution that best fits
their needs. OpenPKI ensures that VPN-1 Pro, as well as VPN-1 Appliances and client
solutions, are compatible with all leading PKI products and
services. PKI solutions from vendors such as Entrust, Verisign, Baltimore
Technologies, and Netscape are being certified as part of Check
Point's OPSEC (Open Platform for Security) Alliance.
Concurrent Support for Multiple Vendors' Certificate Authorities
VPN-1 Pro enables the establishment of heterogeneous extranets by supporting the
simultaneous use of digital certificates from multiple CAs (Certificate Authorities). This
capability is absolutely critical to successful deployment of a VPN involving multiple
companies, since each company may have a different VPN solution in use. Concurrent
certificate support allows a single VPN-1 Pro to simultaneously establish multiple IPSec connections with gateways using different vendors' VPN and PKI
solutions.

High Availability
Today's e-business environments require a fail-safe, secure infrastructure. If a VPN gateway
becomes unreachable for even a few minutes it can mean a substantial financial loss. Check
Point VPN-1 Pro offers a range of high availability solutions for business-critical VPNs.
Sophisticated Fail-Over Capabilities
VPN-1 Pro enables high availability solutions which maintain IPSec connections during
fail-over. Enhanced state table synchronization enables transparent hot standby
configurations for both site-to-site and client-to-site VPN deployments. With transparent
fail-over, mission-critical VPN gateways are always available and sessions continue
seamlessly if a gateway becomes unavailable for any reason. In such an event, users
connected to that gateway will not have to re-authenticate and will not even notice that
an alternate gateway has taken over. Mission-critical operations or high-value
transactions will continue intact without needing to be restarted.
Resilient Remote Access
VPN-1 Pro, together with either VPN-1 SecuRemote or VPN-1 SecureClient,
also provides a cost-efficient alternative to high availability
configurations requiring redundant hardware. In multi-site VPNs, VPN-1
Pro enables the VPN client to detect a gateway outage, and then use any
available gateway to access network resources. Thus the VPN connection
is established and all traffic is routed correctly through an alternate
gateway with complete user transparency.

Enterprise Management
Virtual Private Networks are only one component of an organization's overall network security
strategy. An effective security solution must provide the ability to define VPNs within a
single, enterprise-wide security policy which can be distributed and managed from one
central console. An extensible VPN solution must also be easy to deploy and administer as
the number of users grows.
Check Point's intuitive graphical user interface provides a single management console for defining and managing multiple elements of a Secure Virtual Network: firewall security, VPNs, network address translation, bandwidth management, and data compression. All object definitions (e.g. users, hosts, networks, and services) are shared among all applications for efficient policy creation and security management.
Centralized Management
VPN-1 implementations are integrated into an overall enterprise security policy simply by
adding one or more rules to the security rule base. Once a policy has been created or
modified, it is automatically distributed to all security enforcement points.
Check Point's unified management console and automatic distributed deployment of policies dramatically increase management efficiency when compared to solutions that require either multiple management interfaces or per-device policy installation. Furthermore, overall security is strengthened because the policy is always up-to-date at all network enforcement points.
Scalability
Check Point VPN-1 deployments scale to accommodate large numbers of VPN nodes, either
users or remote sites. Because VPN-1 Pro software runs on a variety of platforms and
operating systems, organizations can choose the deployment platform that best meets their
current and projected needs. Furthermore, by supporting standards-based directory and PKI
infrastructures, VPN-1 solutions are able to support large, open VPN communities with
minimal management overhead.
Comprehensive Solutions
Check Point offers a broad range of VPN products from which organizations can choose to
design the configuration that best meets their requirements. Individual data sheets are
available for the following products:
VPN-1 SecuRemote
Client-side encryption software to extend the enterprise VPN to desktop, remote, and
mobile users
VPN-1 SecureClient
Enhanced VPN client software offering centrally managed personal firewall capabilities and
security verification for all enterprise VPN users
VPN-1 SecureServer
Security and VPN connectivity designed specifically for a single application server
VPN-1 Appliances
A complete family of integrated hardware and software solutions delivering secure Internet
access for all size networks
VPN-1 Accelerator Card
A plug-and-play hardware PCI card which speeds VPN performance through acceleration of
IPSec encryption
FloodGate-1
Policy-based, enterprise bandwidth management solution which optimizes network performance
by assigning priority to business critical traffic
Compression Server Module
Compression for business-critical data flowing between VPN-1 Pro gateways, which significantly
increases site-to-site VPN performance
High Availability Module
Seamless fail-over for mission-critical deployments through clusters of redundant gateways
VPN-1 Certificate Manager
A complete turnkey certificate management system for Check Point's VPN-1 solutions
Flexible Deployment
VPN-1 Pro is the cornerstone of Check Point VPN-1 solutions, the most comprehensive
set of products and technologies for remote access, intranet, and extranet VPNs. VPN
Gateway software can run on a variety of platforms (Unix and NT servers, dedicated
appliances, and other networking devices) to meet the needs of any VPN deployment.

VPN-1 Pro System Requirements

| Requirement | Component | Specification |
|---|---|---|
| Operating Systems/Platforms | Management Server & Enforcement Module | Microsoft Windows NT 4.0 (SP6 & earlier); Sun Solaris 2.6, Solaris 7 (32-bit mode only); Red Hat Linux 6.0, 6.1; HP-UX 10.20, 11.0 (32-bit mode only); IBM AIX 4.2.1, 4.3.2; Check Point VPN-1 Appliances |
| | GUI Client | Microsoft Windows 9x, NT; Sun Solaris SPARC; HP-UX 10.20; IBM AIX |
| Disk space | Management Server & Enforcement Module | 40 MB |
| | GUI | 40 MB |
| Memory | Management Server & Enforcement Module | 64 MB minimum, 128 MB recommended |
| | GUI Client | 32 MB |
| Network interface | | ATM, Ethernet, Fast Ethernet, FDDI, Token Ring |
| Media | | CD-ROM |

Network Systems Integration
Land-mail: 2245 First Street, Suite 202, Simi Valley, CA 93065
Phone 1-805-579-1030 - Fax 1-805-527-9243
e-Mail: info@nsi-solutions.com