VPN Whitepaper CP

8/12/2019 VPN Whitepaper CP

Check Point protects every part of your network (perimeter, internal, Web) to keep your information resources safe, accessible, and easy to manage.

White Paper

Bridging the gap between connectivity and security

Check Point's philosophy on IPSec VPNs


    Bridging the gap between connectivity and security

Contents

Executive summary
Introduction
Ensure the security of both the VPN and the network
  Scenario 1: Placing a VPN device in front of the firewall
  Scenario 2: Placing the VPN behind the firewall
  Scenario 3: Integrated routers
  Scenario 4: Placing the VPN and firewall devices in parallel
  The Check Point solution for ensuring secure VPNs
  SmartDefense intrusion prevention
  Eliminating security sprawl
Provide advanced technologies to simplify VPN creation
  Building blocks of a simple VPN deployment
  Site-to-site authentication
  VPN communities
  Quality of Service
  High Availability and load sharing
  VPN-1: Restoring simplicity of VPN creation
  Comprehensive encryption
  Integrated Certificate Authority
  Implementing VPN communities
  QoS for VPNs
  Multiple Entry Points for High Availability and load sharing
Beyond building VPN blocks: More resources, more-dynamic networks
  The route-based VPN: Designing a complex VPN with simple routing
  Graceful restart
  Multicast protocol support
Conclusion

Check Point Software Technologies, Ltd.

Executive summary

The IT business environment today demands an integrated approach to virtual private networks (VPNs), one that combines the needs of connectivity and security into a single solution. When looking to connect distributed offices together over the Internet, organizations should ask themselves two questions:

Will a given VPN solution provide an adequate level of protection to ensure its availability and the safety of the network?

Does a given VPN solution marry advanced technologies with simplified management to reduce the burden placed on the organization to maintain the solution?

Check Point VPN-1 security gateways are designed to answer yes to both of these questions, by providing a bridge between connectivity and security without sacrificing simplicity.

Introduction

Today, IPSec virtual private networks (VPNs) are commonplace, with more than half of enterprises using them to connect distributed offices and provide confidential communications over public networks. However, the very popularity of IPSec VPNs has led to IT organizational problems. Because VPNs are primarily a connectivity solution, network engineers rightfully have a large influence on what their organizations consider important. This has often translated into an emphasis on advanced functionality, such as multicast or dynamic routing support, at the expense of security. For example, the rise of router-based VPNs has created connectivity solutions separated from security solutions such as firewalls. A perimeter firewall cannot inspect encrypted VPN traffic if the router is on the interior of the network, nor protect the router if it is on the exterior. Thus, security engineers have been forced to create complex workarounds to protect the network or, more commonly, to sacrifice security for simplicity. This tradeoff of connectivity versus security must be resolved without compromising either.

This white paper explains a strategy for bridging the gap between connectivity and security and outlines the technologies that enterprises can use to implement it. It examines two key tenets of this approach to VPNs:

Ensure the security of both the VPN and the network

Provide advanced technologies to simplify VPN management

Ensure the security of both the VPN and the network

When considering the objectives of a VPN deployment, it is easy to understand why such emphasis is placed on connectivity elements. Historically, VPNs have been considered replacements for leased lines and frame relay. However, this emphasis is shortsighted in the modern business and IT environment for two reasons:


First, organizations use VPNs over untrusted or semi-trusted networks. Because of this, they are subject to threats such as denial of service (DoS) attacks aimed specifically at VPN devices. By itself, a VPN device does not have the necessary intelligence to stop these attacks. As a connectivity device, a VPN device is designed for stability, not for the dynamic updates needed to address evolving security concerns.

Second, internal employees, often considered trusted, must be considered semi-trusted at best. Although an organization can assume that an entity is who or what it claims to be, a security professional can no longer be confident that the entity is acting without malicious intent. Has the employee's laptop been infected by a worm? Has the server attempting to connect been compromised through a buffer overflow? The appearance of worms and other application-layer threats has created the need to segregate VPN traffic and subject it to intelligent inspection. Not doing so exposes the network to quickly spreading malware that may enter through a remote office.

A major reason for the disconnect between how security and networking professionals view VPNs is the architecture imposed by segregating VPN and security technologies into separate solutions. Because of this, organizations are forced into four basic scenarios that either complicate security or cause it to be bypassed.

Scenario 1: Placing a VPN device in front of the firewall

In the first scenario, a VPN device is placed between the firewall and the Internet. Two types of products are commonly found here: a VPN concentrator and a VPN-enabled router. In both cases, the devices may have basic packet-filtering capabilities. As VPN-enabled routers become more commonplace, organizations are using this deployment configuration more frequently, especially at smaller offices. The advantage of this configuration is that the VPN device decrypts traffic before the firewall sees it. The firewall can then make intelligent decisions based on the cleartext traffic, simplifying the deployment.

[Figure: Placing a VPN in front of the firewall. The IPSec tunnel from the Internet terminates on the VPN router; unencrypted traffic then passes to the firewall.]


While simple to deploy, this configuration suffers from one major weakness. Because the VPN device sits outside the perimeter defenses, it is exposed to attack and can be either compromised through a vulnerability or taken offline by a DoS attack, such as those known against Internet Key Exchange (IKE), the key management protocol for IPSec VPNs. The basic packet filtering offered by VPN devices is not a legitimate defense against either vulnerabilities or DoS-type attacks.

Scenario 2: Placing the VPN behind the firewall

Organizations that place the VPN device behind the firewall generally assume that the entities on the other side of the VPN tunnel can be trusted, a distinct risk considering that the majority of cyber attacks are still caused by trusted insiders. In this scenario, VPN traffic remains uninspected because it is encrypted, and the perimeter firewall is unable to decipher it.

[Figure: VPN placed behind the firewall. The IPSec tunnel from the Internet passes through the firewall and terminates on the VPN router inside.]

This second option creates large risks in the minds of security professionals because the firewall, and the associated security policy, are simply bypassed. One risk is that the VPN device is still subject to DoS attack or compromise, just as it was when it was placed outside the firewall, because the firewall must pass the IKE and IPSec traffic through to it untouched. Another risk is that the firewall cannot complete its primary job of inspecting traffic for malicious content. Instead, attacks can pass through uninspected. Last, it involves leaving a number of ports, or holes, open on the firewall so that VPN traffic can traverse it successfully. This violates a fundamental security philosophy: lock down the network and leave as few ports exposed as possible. Companies can choose to reroute the decrypted traffic back through the firewall via a demilitarized zone (DMZ). However, the VPN device itself is still at risk, and administrators face a complex configuration challenge.


Scenario 3: Integrated routers

One solution that networking companies have proposed for this problem is the integrated router, a device that combines multiple applications such as routing, VPN, and firewall on a single platform. While good in theory, these devices actually share many of the problems of the previous scenarios. The main cause is that the modules are not truly integrated. Instead, each module is developed and implemented as an independent application. Traffic is passed between modules in a linear fashion to complete tasks: the router completes its tasks, then traffic is passed to the VPN if necessary, and finally to the firewall. The order may vary, but the lack of cooperation between applications does not. While this does reduce hardware expense and rack space requirements, it does not address the core issue of protecting the network and the VPN from threats. A number of security appliances have followed the same model of providing several non-integrated applications on a single platform, and face the same issue.

[Figure: The integrated router architecture. The IPSec tunnel from the Internet enters a single platform on which router, VPN, and firewall/IPS run as separate modules.]

Scenario 4: Placing the VPN and firewall devices in parallel

The fourth scenario places the VPN device and the firewall in parallel. The gateway router directs encrypted traffic to the VPN device and other traffic to the firewall. In practice, this scenario shares all the downsides of the previous scenarios without the upside of simpler configuration and deployment. The VPN device is still exposed to attack, and encrypted traffic remains uninspected by the firewall. Also, ensuring that the traffic is inspected requires the administrator to reroute traffic back through the firewall or to place another firewall on the interior side of the VPN device.


The Check Point solution for ensuring secure VPNs

To solve these problems, bringing connectivity together with security, the Check Point VPN-1 security gateway family is architected in a truly integrated fashion. Rather than separate applications running independently, the firewall, VPN, and intrusion prevention functions act as one, each being brought in at the proper time to perform its function while minimizing risk. By doing this, VPNs gain protection against DoS attacks, while the firewall and intrusion prevention functions can inspect VPN traffic without complicating the configuration.

[Figure: VPN device and firewall in parallel (Scenario 4). The Internet-facing router sends encrypted traffic to the VPN device and other traffic to the firewall.]

[Figure: The Check Point architecture. Encrypted traffic from the Internet enters the VPN-1 gateway, where the firewall, VPN, and intrusion prevention functions operate together.]


An example of this is the protection that VPN-1 gateways provide against IKE DoS attacks. A known attack against IKE takes advantage of the protocol's design by sending a specially crafted packet asking the VPN gateway to create a VPN tunnel. The gateway is obliged to respond and to reserve a portion of memory for the half-open negotiation. By sending many of these requests from random, spoofed IP addresses in a short time, an attacker can cause the VPN gateway to consume all of its resources and become unable to respond properly to legitimate requests.

One possibility for defending against such an attack is to limit IKE conversations to the known IP addresses of peer gateways. However, doing so would mean disallowing the dynamic IP addresses used to provision many smaller offices. Another method would be to watch the number of IKE requests per second and throttle new ones when a threshold is reached that indicates an attack; this, too, denies service to legitimate peers while the attack lasts.

VPN-1 security gateways offer a number of additional methods to prevent IKE DoS attacks without denying service. The first method is stateless protection. When a VPN-1 security gateway is under load, or has hit a threshold that indicates a possible attack, it challenges the requesting gateway to produce a value that only the real holder of that source address could know. It then forgets the request, allocating no memory or CPU resources, until the remote gateway has responded with the correct answer. If the attacker has forged the IP address of a legitimate gateway, she or he will never receive the challenge and will not answer, so the original request is discarded at no cost to the gateway.

However, an attacker may control a number of IP addresses unknown to the VPN-1 security gateway, having compromised the hosts associated with them, a typical bot scenario. In this situation, it is likely that the attacker will be able to respond to the challenge. To address this issue, VPN-1 security gateways provide a puzzle challenge method. In this case, the remote computer is asked to solve a computationally intensive puzzle before resources are allocated. Because a computer will only be able to solve a few of these puzzles per second, the puzzle method slows down requests and blunts the DoS attack.
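The two defenses just described, as an added illustration that is not Check Point's code: a responder under load answers an unverified request with a stateless cookie (an HMAC over the requester's address and SPI under a secret only the responder holds) and allocates nothing until that cookie comes back, and, when the attacker can answer from addresses it really controls, additionally demands a proof-of-work puzzle before allocating state. The message shapes, the load threshold, the puzzle construction and the TEST-NET addresses are assumptions made for the demo; standard IKEv2 carries the first mechanism as the COOKIE notification of RFC 7296 and the second as the puzzles of RFC 8019.

```python
"""Stateless cookie challenge and client puzzle against IKE initiation floods (illustration)."""
import hashlib
import hmac
import os


class Responder:
    """Gateway side. Allocates per-negotiation state only after the requester proves it can
    receive at the claimed source address (cookie) and, when puzzles are on, has spent CPU."""

    def __init__(self, puzzle_bits=0, max_half_open=4):
        self._secret = os.urandom(32)   # responder-only secret; rotated periodically in practice
        self.puzzle_bits = puzzle_bits  # 0 disables puzzles; each extra bit doubles the requester's work
        self.max_half_open = max_half_open
        self.half_open = {}             # the state an unprotected responder would allocate on first contact

    def under_load(self):
        return len(self.half_open) >= self.max_half_open

    def _cookie(self, src_ip, spi):
        # Recomputable from the request alone, so nothing is remembered while the cookie is outstanding.
        msg = f"{src_ip}|{spi.hex()}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).digest()[:16]

    def _puzzle_solved(self, src_ip, spi, cookie, nonce):
        if nonce is None:
            return False
        return puzzle_value(src_ip, spi, cookie, nonce) >> (256 - self.puzzle_bits) == 0

    def handle_init(self, src_ip, spi, cookie=None, nonce=None):
        """Process one SA-initiation request. Returns ('challenge', cookie), ('drop', None)
        or ('accept', None). Only 'accept' allocates state."""
        if self.under_load():
            if cookie is None:
                return "challenge", self._cookie(src_ip, spi)
            if not hmac.compare_digest(cookie, self._cookie(src_ip, spi)):
                return "drop", None
            if self.puzzle_bits and not self._puzzle_solved(src_ip, spi, cookie, nonce):
                return "drop", None
        self.half_open[(src_ip, spi)] = "awaiting_auth"
        return "accept", None


def puzzle_value(src_ip, spi, cookie, nonce):
    return int.from_bytes(hashlib.sha256(cookie + src_ip.encode() + spi + nonce).digest(), "big")


def solve_puzzle(src_ip, spi, cookie, bits):
    """Requester side: brute-force a nonce whose puzzle hash has `bits` leading zero bits."""
    n = 0
    while puzzle_value(src_ip, spi, cookie, n.to_bytes(8, "big")) >> (256 - bits) != 0:
        n += 1
    return n.to_bytes(8, "big")


def legit_handshake(responder, src_ip):
    """A genuine peer: it receives the challenge, so it can echo the cookie (and solve a puzzle if asked)."""
    spi = os.urandom(8)
    action, cookie = responder.handle_init(src_ip, spi)
    if action == "accept":
        return True
    nonce = solve_puzzle(src_ip, spi, cookie, responder.puzzle_bits) if responder.puzzle_bits else None
    action, _ = responder.handle_init(src_ip, spi, cookie=cookie, nonce=nonce)
    return action == "accept"


def spoofed_flood(responder, count):
    """Attacker with forged sources: challenges go to addresses it does not control, so it never
    answers. Returns how many half-open entries the flood managed to create."""
    before = len(responder.half_open)
    for i in range(count):
        responder.handle_init(f"203.0.113.{i % 254 + 1}", os.urandom(8))  # TEST-NET-3, constructed
    return len(responder.half_open) - before


def bot_without_puzzle(responder, src_ip):
    """Attacker on a host it really controls: it can echo the cookie but declines the puzzle work."""
    spi = os.urandom(8)
    action, cookie = responder.handle_init(src_ip, spi)
    if action == "accept":
        return action
    action, _ = responder.handle_init(src_ip, spi, cookie=cookie)
    return action
```

With puzzles disabled, the spoofed flood creates no half-open state while a real peer still completes its exchange with one extra round trip; with puzzles enabled, a bot that echoes the cookie but skips the work is dropped before any state is allocated.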


SmartDefense intrusion prevention

VPN-1 security gateways also provide advanced IKE protections through SmartDefense intrusion prevention technology, protecting not only Check Point VPN technologies but those of other vendors as well. This is important because every vendor's gateway can be subject to IKE DoS attack. In August 2002, the CERT Coordination Center (CERT/CC) issued a warning that multiple vendors' solutions could be vulnerable to buffer overflows or DoS if an attacker sent a single malformed IKE packet. Check Point's SmartDefense can detect even a single malformed packet because it inspects IKE deeply enough to tell the difference between normal and malicious IKE traffic. Therefore, when a VPN-1 security gateway receives a packet that does not conform to the IKE protocol, it prevents that packet from entering the network.

[Screenshot: VPN-1 IKE protections]
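A minimal version of the conformance check just described, added here as an illustration rather than Check Point's SmartDefense logic: parse the fixed 28-byte ISAKMP header shared by IKEv1 (RFC 2408) and IKEv2 (RFC 7296), reject datagrams whose version, exchange type, flag bits, message ID or length field do not conform, and walk the generic payload chain so that no payload length points past the end of the datagram. The sample datagrams and their payload bodies are constructed for the demo; the rule set is the basic one any inspection engine applies, not Check Point's signature set.

```python
"""Header-level conformance check for IKE (ISAKMP) datagrams (illustration)."""
import struct

# Fixed ISAKMP header: initiator SPI, responder SPI, next payload, version,
# exchange type, flags, message ID, total length (RFC 2408 s3.1 / RFC 7296 s3.1).
HDR = struct.Struct("!8s8sBBBBII")
HDR_LEN = HDR.size  # 28 bytes

# Exchange types accepted per version: IKEv1 Identity Protection, Aggressive, Informational,
# Quick Mode; IKEv2 IKE_SA_INIT, IKE_AUTH, CREATE_CHILD_SA, INFORMATIONAL.
EXCHANGES = {(1, 0): {2, 4, 5, 32}, (2, 0): {34, 35, 36, 37}}
V1_FLAG_MASK = 0x07   # Encryption, Commit, Authentication Only
V2_FLAG_MASK = 0x38   # Initiator, Version, Response
IKE_SA_INIT = 34


def check_ike_header(datagram: bytes) -> str:
    """Return 'ok' if the datagram conforms, otherwise a short reason to drop it."""
    if len(datagram) < HDR_LEN:
        return "truncated header"
    ispi, rspi, first_payload, version, exch, flags, msg_id, length = HDR.unpack_from(datagram)
    major, minor = version >> 4, version & 0x0F
    if (major, minor) not in EXCHANGES:
        return f"unsupported version {major}.{minor}"
    if ispi == bytes(8):
        return "zero initiator SPI"
    if exch not in EXCHANGES[(major, minor)]:
        return f"unknown exchange type {exch}"
    if length != len(datagram):
        return f"length field {length} != datagram length {len(datagram)}"
    mask = V1_FLAG_MASK if major == 1 else V2_FLAG_MASK
    if flags & ~mask & 0xFF:
        return "reserved flag bits set"
    # IKEv1 phase 1 (Main/Aggressive) and IKEv2 IKE_SA_INIT always carry message ID 0.
    if msg_id != 0 and ((major == 1 and exch in (2, 4)) or (major == 2 and exch == IKE_SA_INIT)):
        return f"non-zero message ID {msg_id} in SA setup exchange"
    if major == 1 and flags & 0x01:
        return "ok"   # IKEv1 payloads after the header are encrypted; nothing more to parse here
    return _walk_payloads(datagram, first_payload, HDR_LEN)


def _walk_payloads(datagram, next_payload, offset):
    """Follow the generic payload chain: every payload must fit and the chain must end at the end."""
    while next_payload != 0:
        if offset + 4 > len(datagram):
            return "payload header runs past end of datagram"
        next_payload, _reserved, plen = struct.unpack_from("!BBH", datagram, offset)
        if plen < 4 or offset + plen > len(datagram):
            return f"payload length {plen} at offset {offset} does not fit"
        offset += plen
    if offset != len(datagram):
        return "trailing bytes after last payload"
    return "ok"


def build_datagram(ispi, rspi, version, exch, flags, msg_id, payloads):
    """Assemble a datagram from (payload_type, body) pairs, chaining next-payload fields (demo helper)."""
    body = b""
    for i, (_ptype, data) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", nxt, 0, 4 + len(data)) + data
    first = payloads[0][0] if payloads else 0
    return HDR.pack(ispi, rspi, first, version, exch, flags, msg_id, HDR_LEN + len(body)) + body


# Constructed samples; payload bodies are placeholders sized like real SA/KE/Nonce payloads.
GOOD_V2 = build_datagram(b"\x11" * 8, bytes(8), 0x20, IKE_SA_INIT, 0x08, 0,
                         [(33, bytes(8)), (34, bytes(36)), (40, bytes(16))])
GOOD_V1 = build_datagram(b"\x22" * 8, bytes(8), 0x10, 2, 0x00, 0, [(1, bytes(12))])


def with_length(datagram, claimed):
    """Copy of a datagram whose header length field lies (the classic malformed-packet case)."""
    d = bytearray(datagram)
    struct.pack_into("!I", d, 24, claimed)
    return bytes(d)


def with_payload_overrun(datagram):
    """Copy whose first payload header claims a length pointing past the end of the datagram."""
    d = bytearray(datagram)
    struct.pack_into("!H", d, HDR_LEN + 2, 0xFFFF)
    return bytes(d)
```

Every reason string maps to a drop before any IKE state machine or payload parser sees the bytes, which is the property the page attributes to SmartDefense: a single malformed datagram never reaches code that trusts its length fields.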


Beyond the specific protections for VPN-directed attacks, the integrated approach of the VPN-1 family also ensures that traffic, once decrypted, is inspected for malicious content before it is passed on. As stated earlier, the possibility of remote sites being infected with worms and other malicious code means that they must now be treated as semi-trusted entities. Although VPN-1 security gateways do support wire mode, the ability to pass VPN traffic through uninspected, by default they apply the necessary inspection to keep the network safe.

Eliminating security sprawl

Going beyond security, this integrated approach simplifies the management of VPNs. The effort needed to maintain separate user databases, policies, and logging should not be underestimated. The multiple interfaces and databases required by separate firewall and VPN solutions are a common point for introducing errors, and they create the condition of security sprawl: unplanned security that duplicates effort and causes divergent policies, reducing security effectiveness while increasing management costs.

Because it offers a unified security architecture across all functions (firewall, VPN, and intrusion prevention), a VPN-1 security gateway eliminates security sprawl. This greatly reduces the costs associated with VPN management and minimizes the chance for errors by using common resources, such as the user database, for shared tasks.

[Screenshot: SmartDefense intrusion prevention IKE protections]


Provide advanced technologies to simplify VPN creation

VPNs have swiftly moved from being something considered too complex to deploy on a large scale to being a necessity for business communications. The adoption of large-scale broadband connections has meant that organizations now use VPNs on a much larger scale, connecting much smaller offices, compared to just a few years ago. Keeping a positive return on investment for these deployments requires that VPNs become much simpler to deploy.

Building blocks of a simple VPN deployment

At its roots, a VPN is a solution that protects data transmitted over an untrusted network, using cryptographic algorithms to ensure the confidentiality and integrity of information. As a VPN scales to include more sites, the simplicity of that definition is lost in complexity. That simplicity has to be restored. In addition to the need to simplify the configuration of VPN encryption, site-to-site authentication, VPN communities, Quality of Service, and High Availability and load sharing also need to be considered in any VPN deployment.

Site-to-site authentication

A major complication in VPN deployment has been site-to-site authentication. There are two main options for ensuring the identity of communicating parties. One option has been shared secrets: a manually assigned secret shared by two sites. For a large organization looking to set up a fully meshed network (a VPN where all sites can speak directly to each other), this means configuring n*(n-1)/2 secrets, where n is the number of sites. For example, an organization with 75 sites in a fully meshed VPN would need to manually configure 2775 secrets, and adding site 76 would require keeping track of another 75. Complicating matters is the security requirement to change these secrets on a regular basis. From an administrative standpoint, shared secret key management is enough of a challenge to keep VPNs small.

The alternative has been to set up a certificate authority for public key infrastructure (PKI) based authentication. This is the more secure method: it removes the long-lived shared secrets that organizations rarely find the time to rotate, and with them the opportunity for a brute force attack against a stale secret. However, for companies that have not previously deployed a PKI and a centralized directory, it adds considerable expense and complexity to VPN deployment.

VPN communities

Setting up VPN communities has long been a problem for network administrators. Adding new sites and resources to an existing VPN has usually been a manual process centered on getting the current gateways to recognize the new gateway. Manually configuring sites at scale results in hard-to-find errors that limit connectivity.


Encryption algorithms supported by VPN-1 (as listed at the time of this paper)

  IKE encryption:                AES-256, 3DES, DES, CAST
  IPSec encryption:              AES-256, AES-128, 3DES, DES, DES-40CP, CAST, CAST-40, NULL
  IKE and IPSec data integrity:  SHA1, MD5

DES, DES-40CP, CAST-40 and NULL encryption, and MD5 integrity, are offered for interoperability with legacy peers; they do not provide adequate protection and should not be selected for new tunnels. The algorithm actually used on a tunnel is whichever proposal both peers accept, so weak algorithms must be removed from the proposal lists on both gateways, not merely de-prioritized.

Quality of Service

Another factor to consider in VPN deployment is bandwidth management and Quality of Service (QoS). As real-time applications such as VoIP have become more widespread, this consideration has grown in importance because of the latency that encryption and tunneling add to VPN communications. Administrators must be able to mitigate that latency while maintaining VPN encryption. The organization should be able to define QoS flexibly to meet the needs of its application mix.

High Availability and load sharing

In provisioning VPN services, High Availability and load sharing play a central role. For example, internal resources like email depend on the uptime of the VPN. Traditionally, even VPNs with High Availability have had problems with synchronization: if one gateway becomes unavailable, a user must restart her/his session before continuing, a major usability headache for the non-technical person. High Availability clusters also need to support failover even when the members are physically distant from one another.

VPN-1: Restoring simplicity of VPN creation

The VPN-1 solution is designed to restore the simplicity of VPN creation through a variety of technologies. Check Point has been at the forefront of simplifying large-scale VPN deployments while increasing the power available through advanced technologies, an example of which is comprehensive encryption.

Comprehensive encryption

The VPN-1 security gateway family supports advanced encryption algorithms for the protection of data transmission. Certified by the United States federal government under Federal Information Processing Standards Publication 140-2 (FIPS 140-2) for cryptographic modules, the VPN technologies within VPN-1 combine the flexibility to match the encryption algorithm to the required security profile with the assurance of a proven solution.


Integrated Certificate Authority

Check Point's answer to site-to-site authentication is the integrated Certificate Authority (ICA). Check Point VPN-1 security gateways include an ICA that reduces the complexity of site-to-site VPN deployment while strengthening authentication between peers. The ICA is located on the SmartCenter server and is fully compliant with X.509 certificates and certificate revocation lists (CRLs). A certificate is automatically created and issued when a new VPN-1 Power or VPN-1 UTM security gateway is deployed with VPN components. Administrators can configure attributes such as certificate validity period and key size to fit their environments. The ICA can also issue certificates for remote access VPN users.

If an organization has already deployed a separate PKI, VPN-1 security gateways can also use it for certificates. Third-party certificates can be requested manually using a PKCS#10 certificate request or obtained through Automatic Enrollment from a trusted CA. VPN-1 security gateways support the following protocols for Automatic Enrollment:

SCEP (Simple Certificate Enrollment Protocol)

CMP v1 (Certificate Management Protocol)

CMP v2

Many third-party PKI vendors have certified their solutions for interoperability with Check Point solutions through the Open Platform for Security (OPSEC). To see a list of certified solutions, visit http://www.opsec.com and view the Authentication solutions page in the Security Enforcement section. Because VPN-1 security gateways are compliant with X.509 certificates, other solutions may work as well.

Implementing VPN communities

Simplifying the process of adding gateways makes it easier to set up VPN communities. An important concept in Check Point's drive to simplify VPNs, VPN communities enable an administrator to quickly add a new VPN-1 security gateway to an existing site-to-site VPN. The new gateway automatically inherits the necessary IPSec configuration, and all other gateways immediately become aware of it. Some of the attributes that can be configured for a community include:

IKE properties, including the Diffie-Hellman group and whether aggressive mode is used (with pre-shared keys, aggressive mode sends the authentication hash unencrypted, exposing the secret to offline guessing, so it should stay disabled unless a legacy peer requires it)

Encryption and data integrity algorithms for key exchange and data secrecy

Perfect Forward Secrecy

Any applications, services, or protocols that should not be encrypted

This technology, also called One-Click VPN, reduces the initial time needed to set up a site-to-site VPN and to add new sites. It also lowers the chance of configuration errors in large-scale VPNs. Because all configuration comes from a single place, the time spent troubleshooting VPN problems is greatly reduced. To simplify the transition from legacy VPN solutions, third-party VPN devices can participate in VPN communities. In this case, the administrator must manually configure the third-party VPN device, but the VPN-1 security gateways will automatically recognize the device and adopt the proper configuration, illustrating the simplicity that Check Point brings to VPN configuration.


VPN-1 communities support both meshed and star VPN topologies. In a meshed VPN, all community members may communicate directly with one another. In a star VPN, traffic between sites follows a hub-and-spoke pattern, where all traffic is routed through a set of central gateways. To simplify management of a star VPN community, an administrator can use VPN communities to configure whether traffic from a satellite gateway is routed:

Only to the central gateways

To the central gateways and then on to other VPN community members

To the central gateways and then allowed to pass to other members or to the Internet

QoS for VPNs

Because VPN-1 security gateways provide true integration of multiple security functions, they are well placed to deliver policy-based bandwidth management and QoS. With this, organizations can mitigate the latency that encryption adds to time-sensitive applications such as VoIP. Administrators can define QoS policies using a number of methods, including:

Weight of priority in comparison to other traffic

Guaranteed minimum and maximum bandwidth

Low latency queuing

DiffServ group

[Screenshot: Viewing defined VPN communities]

[Screenshot: Defining a QoS policy]

Multiple Entry Points for High Availability and load sharing

Multiple Entry Point (MEP) provides High Availability and load sharing for VPN services. Normally, when a VPN gateway fails, all internal resources behind it, such as email, VoIP, and more, are no longer available. MEP works when two VPN-1 security gateways are connected internally via frame relay or leased line and both have the same resources defined within their encryption domains, the lists of hosts, servers, and other resources whose traffic should be encrypted in a VPN tunnel. If one of the gateways is not available, the site-to-site VPN automatically transfers traffic to the other gateway. Unlike traditional clustering solutions used for High Availability, MEP allows the gateways to be geographically distant from each other.

VPN-1 supports traditional High Availability and clustering as well. Multiple VPN-1 security gateways may be placed together to create an active/active cluster that enables VPN scaling. When a VPN session is started on one gateway, its state is synchronized to all members of the cluster through Check Point's patented Stateful Inspection technology. If that gateway becomes unavailable for whatever reason, the session is automatically continued on another member of the cluster without requiring the session to be restarted.

[Figure: Multiple Entry Point configured for gateway X. Gateways A and B each have their own VPN domain and share an encryption domain (VPN domain C) reachable through either of them; gateway X, across the Internet, can enter through either gateway.]


    Beyond building VPN blocks: More resources,more-dynamic networksThe traditional way to create a VPN has been to define encryption domainsthe

    different resources behind each VPN device that should have traffic encrypted

    across a tunnel. Then the routing between each gateway is defined. For small-scale and static VPNs, this method worked very well. As networks grew larger and

    more interconnected with dynamic resources, domain-based VPNs have not been

    able to scale with them as:

    Resources grew in numberwhen the resources that were accessed by a

    VPN did not change and were few in number, domain-based VPNs worked

    well. Once more resources were added that had to be accessed across a

    large number of offices, the VPN domains became larger and more difficult to

    maintain correctly

    Networks became more dynamic and largerthe shift from static routing to

    dynamic routing reduced the overhead in router configuration and increased

    network reliability. However, traditional VPNs have relied on statically definedroutes between resources. Traditional VPNs cannot deal effectively with

    resources that are located in a dynamic routing environment. With the growth in

    the number of offices being connected, managing the number of static routes

    required between VPN devices also became overwhelming.

    The route-based VPN: Designing a complex VPNwith simple routingThe answer to these issues is route-based VPNs, an advanced technology found

    in VPN-1 security gateways that simplifies the deployment of large-scale VPNs.

    The core difference between route-based and domain-based VPNs is that the

    decision whether to encrypt traffic is not founded on a predefined set of resources

    such as subnets or hosts but on IP routing.

    To accomplish this, VPN-1 devices use VPN tunnel interfaces (VTIs) to represent
    virtual direct links between different sites on the VPN. Each site has a VPN tunnel
    interface that corresponds to another VPN-1 security gateway that it is connected
    to through the VPN. For a packet leaving the network destined for a remote office
    over a VPN, the following happens:

    1. An IP packet destined for address X is matched against the routing table.
    2. The routing table indicates that address X is routed through an exclusive
    connection, known as a VTI.
    3. VPN-1 intercepts the packet, applies the proper security parameters for the
    VPN, and inserts the destination gateway's IP address.
    4. The packet is rerouted to the physical interface and sent to the remote gateway.

    At the other end, the process happens in reverse.
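    The four steps above can be modelled in a few dozen lines. The following is an added example, not VPN-1 code: a routing table in which a route whose egress interface is a VTI means "protect this packet and tunnel it to the peer", followed by a second lookup that carries the encapsulated packet out of a physical interface. The interface names, the local subnets, the default gateway and the SPI values are made up; the peer gateway addresses are the ones used in the paper's diagram. The audit function at the end shows the check a practitioner wants in a route-based design: a prefix that should be tunnelled but whose best route is not a VTI will leave in clear over the default route.

```python
"""Constructed model of the route-based forwarding decision (steps 1-4).

Added example, not Check Point's VPN-1 implementation.  Interface names,
local subnets, default gateway and SPIs are made up; peer gateway
addresses are taken from the paper's diagram.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str                 # "vti-<peer>" or a physical interface name
    gateway: Optional[str] = None  # next hop for physical routes; None for a VTI


@dataclass(frozen=True)
class Vti:
    peer_gateway: str  # public address of the VPN-1 gateway at the far end
    spi: int           # identifier of the security association (constructed value)


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match, the same lookup any IP router performs (step 1)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for r in routes:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def forward(routes: List[Route], vtis: Dict[str, Vti], src: str, dst: str) -> dict:
    """Decide what leaves the gateway for a packet src -> dst."""
    route = lookup(routes, dst)
    if route is None:
        return {"action": "drop", "reason": "no route"}
    if route.interface not in vtis:
        # Not a VTI: ordinary cleartext forwarding, the VPN is not involved.
        return {"action": "forward", "encrypted": False,
                "interface": route.interface, "outer_dst": dst}
    # Step 2: the route points at a VTI, so this traffic belongs to the VPN.
    vti = vtis[route.interface]
    # Step 3: the inner packet is protected and the outer header carries the
    # peer gateway's address instead of the original destination.
    inner = {"src": src, "dst": dst}
    outer_dst = vti.peer_gateway
    # Step 4: the encapsulated packet is routed again and must now hit a
    # physical interface; a second VTI hit would be a tunnel-in-tunnel loop.
    outer_route = lookup(routes, outer_dst)
    if outer_route is None or outer_route.interface in vtis:
        return {"action": "drop", "reason": "no physical route to peer gateway"}
    return {"action": "forward", "encrypted": True, "vti": route.interface,
            "spi": vti.spi, "interface": outer_route.interface,
            "outer_dst": outer_dst, "inner": inner}


def unprotected_prefixes(routes: List[Route], vtis: Dict[str, Vti],
                         must_be_encrypted: List[str]) -> List[str]:
    """Audit: prefixes that should be tunnelled but whose best route is not a VTI.

    A missing or shadowed VTI route silently sends such traffic in clear via the
    default route, so this is worth running whenever the routing table changes."""
    leaking = []
    for p in must_be_encrypted:
        net = ipaddress.ip_network(p)
        r = lookup(routes, str(net.network_address))
        if r is None or r.interface not in vtis:
            leaking.append(p)
    return leaking


# Constructed routing table for gateway A (207.34.1.30 in the paper's diagram).
ROUTES = [
    Route(ipaddress.ip_network("10.10.20.0/24"), "eth1"),            # local LAN
    Route(ipaddress.ip_network("10.10.30.0/24"), "vti-B"),           # site B via VPN
    Route(ipaddress.ip_network("10.10.40.0/24"), "vti-C"),           # site C via VPN
    Route(ipaddress.ip_network("0.0.0.0/0"), "eth0", "207.34.1.1"),  # Internet (constructed next hop)
]
VTIS = {
    "vti-B": Vti("215.129.43.17", 0x1001),
    "vti-C": Vti("156.146.12.9", 0x1002),
}

if __name__ == "__main__":
    print(forward(ROUTES, VTIS, "10.10.20.5", "10.10.30.7"))     # encrypted, leaves eth0 towards 215.129.43.17
    print(forward(ROUTES, VTIS, "10.10.20.5", "198.51.100.9"))   # cleartext via eth0
    print(unprotected_prefixes(ROUTES, VTIS, ["10.10.30.0/24", "10.10.50.0/24"]))
```

    Removing the default route from ROUTES makes the VPN packet undeliverable (the outer packet has no physical route), which is the simulated equivalent of a peer gateway that cannot be reached across the Internet.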

    Dynamic routing support: OSPF, BGP, RIPv1, RIPv2

    Figure: Route-based VPN using VPN tunnel interface

    Route-based VPNs can use both static and dynamic routing to create the virtual
    connection between corresponding VTIs. Dynamic routing offers a number of
    benefits over static routing for creating a secure, reliable VPN that spans a large
    number of locations.

    [Diagram: two VPN-1 security gateways connected across the Internet. Each gateway has an internal network, a physical interface facing the Internet, and a VPN tunnel interface that corresponds to the other gateway.]

    First, the two VPN-1 security gateways can exchange routing information about
    the networks they protect and dynamically change routes based on that information.
    This enables geographically separated locations to participate in each other's
    dynamic routing communities without a dedicated logical or physical connection
    such as frame relay or a leased line. More importantly, each VPN-1 security
    gateway understands how to correctly route encrypted traffic to its final destination.


    Second, it enhances the reliability of the VPN. As an example, consider this scenario:
    Sites A, B, and C each has route-based VPNs set up with VTIs they share. If the
    link between site A and site B becomes unavailable, site B will automatically know
    that site C has a route to site A. Unlike with domain-based VPNs using MEP, this is
    accomplished automatically without administrator configuration.

    Figure: A redundant VPN using route-based VPN with dynamic routing

    [Diagram: three gateways, VPN-1 A (207.34.1.30), VPN-1 B (215.129.43.17) and VPN-1 C (156.146.12.9), each in front of an internal network labelled 10.10.20.0/24, connected to one another over the Internet and over a frame relay or leased line.]

    Graceful restart

    A distinct benefit that VPN-1 security gateways bring when dealing with dynamic
    routing is the inclusion of OSPF hitless/graceful restart and BGP graceful restart.
    These two protocols, often found only on high-end routers, enable a swift
    recovery from temporary hardware failure, such as a reboot. Under normal
    circumstances, a gateway (gateway A) trying to communicate with another
    gateway (gateway B) that has failed would automatically remove that route from
    its tables and report it to other gateways, causing a ripple effect even if gateway
    B is only down temporarily. If a VPN-1 gateway is temporarily down, its routes
    are not automatically deleted but assumed to still be valid temporarily.
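    The two behaviours just described, failover through a third site when a VTI link goes down (the A, B, C scenario above) and graceful restart, can be simulated together. The following is an added example and not Check Point's OSPF or BGP implementation: a tiny mesh in which next hops are recomputed from whichever VTI links are up, and a per-gateway routing table that, on a plain peer failure, withdraws every route learned from that peer at once, but on an announced restart keeps them as stale until a grace timer runs out. Site names, prefixes and the 30 second grace period are made up.

```python
"""Constructed simulation of dynamic routing over route-based VPNs:
failover across a third site, and graceful restart versus plain failure.
Added example, not Check Point's routing code; names and timers are made up.
"""
from collections import deque
from typing import Dict, List, Optional


class VtiMesh:
    """Sites joined by VTI adjacencies; only links that are up are stored."""

    def __init__(self, links):
        self.up = {frozenset(pair) for pair in links}

    def set_link(self, a: str, b: str, up: bool) -> None:
        key = frozenset((a, b))
        if up:
            self.up.add(key)
        else:
            self.up.discard(key)

    def neighbours(self, site: str) -> List[str]:
        return sorted(next(iter(link - {site})) for link in self.up if site in link)

    def next_hop(self, src: str, dst: str) -> Optional[str]:
        """First hop on the fewest-hops path src -> dst computed from the links
        currently up, which is what a routing protocol converges to; None if
        dst is unreachable."""
        if src == dst:
            return None
        parent = {src: None}
        queue = deque([src])
        while queue and dst not in parent:
            cur = queue.popleft()
            for n in self.neighbours(cur):
                if n not in parent:
                    parent[n] = cur
                    queue.append(n)
        if dst not in parent:
            return None
        hop = dst
        while parent[hop] != src:   # walk back to the hop adjacent to src
            hop = parent[hop]
        return hop


class PeerRoutes:
    """Routing table of one gateway; each route remembers the peer it came from."""

    def __init__(self):
        self.routes: Dict[str, dict] = {}   # prefix -> {"via": peer, "stale": seconds left or None}

    def learn(self, prefix: str, via: str) -> None:
        self.routes[prefix] = {"via": via, "stale": None}

    def peer_failed(self, peer: str) -> List[str]:
        """Plain failure: every route via the peer is withdrawn immediately, and
        the withdrawal is passed on to other gateways (the ripple effect)."""
        gone = sorted(p for p, r in self.routes.items() if r["via"] == peer)
        for p in gone:
            del self.routes[p]
        return gone

    def peer_restarting(self, peer: str, grace: int) -> None:
        """Graceful restart: keep forwarding via the peer but start a grace timer."""
        for r in self.routes.values():
            if r["via"] == peer:
                r["stale"] = grace

    def peer_recovered(self, peer: str) -> None:
        """Adjacency re-established inside the grace period: nothing was withdrawn."""
        for r in self.routes.values():
            if r["via"] == peer:
                r["stale"] = None

    def tick(self, seconds: int) -> List[str]:
        """Advance the clock; stale routes whose grace period ran out are removed."""
        expired = []
        for p, r in list(self.routes.items()):
            if r["stale"] is not None:
                r["stale"] -= seconds
                if r["stale"] <= 0:
                    expired.append(p)
                    del self.routes[p]
        return sorted(expired)

    def reachable(self, prefix: str) -> bool:
        return prefix in self.routes


if __name__ == "__main__":
    mesh = VtiMesh([("A", "B"), ("B", "C"), ("A", "C")])
    print("B -> A via", mesh.next_hop("B", "A"))      # A (direct VTI)
    mesh.set_link("A", "B", False)
    print("B -> A via", mesh.next_hop("B", "A"))      # C (learned automatically)

    table = PeerRoutes()
    table.learn("10.10.20.0/24", "B")
    table.peer_restarting("B", grace=30)
    table.tick(10)
    print("still routed during grace:", table.reachable("10.10.20.0/24"))
```

    The contrast to watch is between peer_failed, which empties the table for that peer and would trigger re-advertisement everywhere, and peer_restarting followed by peer_recovered, which leaves the table untouched provided the peer returns before tick has consumed the grace period.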

    Multicast protocol support

    Another benefit of using dynamic routing for route-based VPNs is the support for
    sending multicast protocols over a VPN. The increased use of applications such
    as video conferencing between sites has made the ability to encrypt multicast
    traffic a necessity. VPN-1 security gateways also inspect multicast traffic to
    ensure its validity and that its intent is not malicious.


    Many organizations may desire to use a mixture of both domain-based and route-
    based VPNs. The VPN-1 family enables administrators to use both, providing
    great flexibility when configuring VPNs. Because VPN-1 security gateways
    support both modes at the same time, organizations can take a phased approach
    in migrating between the two methods.

    Conclusion

    Check Point's philosophy on IPSec VPNs is that they represent a bridge
    between the networking professional's emphasis on connectivity and the security
    professional's emphasis on protecting the network. The IPSec-based line of
    VPN-1 security gateways from Check Point provides secure connectivity for
    distributed networks by combining the proven security used in 100 percent of the
    Fortune 100 with advanced technologies designed to simplify the creation and
    management of complex VPNs.

    Multicast protocol support: IGMP, PIM-SM, PIM-DM


    2003-2006 Check Point Software Technologies Ltd. All rights reserved. Check Point, Application Intelligence, Check Point Express, the Check Point logo, AlertAdvisor, ClusterXL, ConnectControl, Connectra, Cooperative Enforcement, Cooperative Security Alliance, CoSa, DefenseNet, Eventia, Eventia Analyzer, Eventia Reporter, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer, FloodGate-1, Hacker ID, IMsecure, INSPECT, INSPECT XL, Integrity, InterSpect, IQ Engine, NGX, Open Security Extension, OPSEC, OSFirewall, Policy Lifecycle Management, Provider-1, Safe@Office, SecureClient, SecureKnowledge, SecuRemote, SecurePlatform, SecureServer, SecureUpdate, SecureXL, SecureXL Turbocard, SiteManager-1, SmartCenter, SmartCenter Power, SmartCenter Pro, SmartCenter UTM, SmartDashboard, SmartDefense, SmartDefense Advisor, Smarter Security, SmartLSM, SmartMap, SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartView Tracker, SofaWare, SSL Network Extender, Stateful Clustering, TrueVector, Turbocard, UAM, UserAuthority, User-to-Address Mapping, VPN-1, VPN-1 Accelerator Card, VPN-1 Edge, VPN-1 Power, VPN-1 Power VSX, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 UTM, VPN-1 UTM Edge, VPN-1 VSX, Web Intelligence, ZoneAlarm, ZoneAlarm Anti-Spyware, ZoneAlarm Antivirus, ZoneAlarm Internet Security Suite, ZoneAlarm Pro, Zone Labs, and the Zone Labs logo are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. All other product names mentioned herein are trademarks or registered trademarks of their respective owners. The products described in this document are protected by U.S. Patent No. 5,606,668, 5,835,726, 6,496,935, 6,873,988, and 6,850,943 and may be protected by other U.S. Patents, foreign patents, or pending applications.

    August 11, 2006 P/N: 502243

    About Check Point Software Technologies

    Check Point Software Technologies Ltd. (www.checkpoint.com) is the
    worldwide leader in securing the Internet. It is the market leader in the world-
    wide enterprise firewall, personal firewall, and VPN markets. Through its NGX
    platform, the company delivers a unified security architecture for a broad
    range of perimeter, internal, and Web security solutions that protect business
    communications and resources for corporate networks and applications,
    remote employees, branch offices, and partner extranets. The company's
    ZoneAlarm product line is one of the most trusted brands in Internet security,
    creating award-winning endpoint security solutions that protect millions of PCs
    from hackers, spyware, and data theft. Extending the power of the Check Point
    solution is its Open Platform for Security (OPSEC), the industry's framework
    and alliance for integration and interoperability with best-of-breed solutions
    from more than 350 leading companies. Check Point solutions are sold,
    integrated, and serviced by a network of more than 2,200 Check Point partners
    in 88 countries.

    CHECK POINT OFFICES

    Worldwide Headquarters

    3A Jabotinsky Street, 24th Floor

    Ramat Gan 52520, Israel

    Tel: 972-3-753 4555

    Fax: 972-3-575 9256

    email: [email protected]

    U.S. Headquarters

    800 Bridge Parkway

    Redwood City, CA 94065

    Tel: 800-429-4391 ; 650-628-2000

    Fax: 650-654-4233

    URL: http://www.checkpoint.com