VPN Whitepaper CP
8/12/2019 VPN Whitepaper CP
1/20
Check Point protects every part of your network: perimeter, internal, Web,
to keep your information resources safe,
accessible, and easy to manage.
White Paper
Bridging the gap between connectivity and security: Check Point's philosophy on IPSec VPNs
Bridging the gap between connectivity and security
Contents
Executive summary 3
Introduction 3
Ensure the security of both the VPN and the network 3
Scenario 1: Placing a VPN device in front of the firewall 4
Scenario 2: Placing the VPN behind the firewall 5
Scenario 3: Integrated routers 6
Scenario 4: Placing the VPN and firewall devices in parallel 6
The Check Point solution for ensuring secure VPNs 7
SmartDefense intrusion prevention 9
Eliminating security sprawl 10
Provide advanced technologies to simplify VPN creation 11
Building blocks of a simple VPN deployment 11
Site-to-site authentication 11
VPN communities 11
Quality of Service 12
High Availability and load sharing 12
VPN-1: Restoring simplicity of VPN creation 12
Comprehensive encryption 12
Integrated Certificate Authority 13
Implementing VPN communities 13
QoS for VPNs 14
Multiple Entry Points for High Availability and load sharing 15
Beyond building VPN blocks: More resources, more-dynamic networks 16
The route-based VPN: Designing a complex VPN with simple routing 16
Graceful restart 18
Multicast protocol support 18
Conclusion 19
Check Point's philosophy on IPSec VPNs
Check Point Software Technologies, Ltd.
Executive summary
The IT business environment today demands an integrated approach to virtual
private networks (VPNs), combining the needs of connectivity and security into
a single solution. When looking to connect distributed offices together over the
Internet, organizations should ask themselves two questions:
Will a given VPN solution provide an adequate level of protection to ensure its
availability and the safety of the network?
Does a given VPN solution marry advanced technologies with simplified
management to reduce the burden placed on the organization to maintain
the solution?
Check Point VPN-1 security gateways are designed to answer yes to both
these questions, by providing a bridge between connectivity and security without
sacrificing simplicity.
Introduction
Today, IPSec virtual private networks (VPNs) are commonplace, with more
than half of enterprises using them to connect distributed offices and provide
confidential communications over public networks. However, the very popularity
of IPSec VPNs has led to IT organizational problems. Because VPNs are primarily
a connectivity solution, network engineers rightfully have a large influence
on what their organizations consider important. This has often translated to
an emphasis on advanced functionality such as multicast or dynamic routing
support at the expense of security. For example, the rise of router-based VPNs
has created connectivity solutions separated from security solutions such as
firewalls. Perimeter-based firewalls cannot inspect encrypted VPN traffic if the
router is on the interior of the network nor protect the router if it is on the exterior.
Thus, security engineers have been forced to create complex workarounds to
protect the network or, more commonly, sacrifice security for simplicity. This
problem of the tradeoff of connectivity versus security must be resolved without
compromising either.
This white paper explains a strategy for bridging the gap between connectivity
and security and outlines the technologies that enterprises can use to implement
it. It will examine two key tenets of this approach to VPNs:
Ensure the security of both the VPN and the network
Provide advanced technologies to simplify VPN management
Ensure the security of both the VPN and the network
When considering the objectives of a VPN deployment, it is easy to understand
why such emphasis is placed on connectivity elements. Historically, they
have been considered replacements for leased lines and frame relay. However,
this emphasis is shortsighted in the modern business and IT environment for
two reasons:
First, organizations use VPNs over untrusted or semi-trusted networks.
Because of this, they are subject to threats such as denial of service (DoS) attacks
specifically aimed at VPN devices. By itself, a VPN device does not have the
necessary intelligence to stop these attacks. As a connectivity device, a VPN
device is designed for stability, not the dynamic updates needed to address
evolving security concerns.
Second, internal employees, often considered trusted, must be considered
semi-trusted at best. Although an organization can assume that the entity is who
or what it claims to be, a security professional can no longer be confident that the
entity is acting without malicious intent. Has her/his laptop been infected by a
worm? Was the server attempting to connect compromised by a buffer overflow?
The appearance of worms and other application-layer threats has created the
need to segregate and provide intelligent inspection of VPN traffic. To not do so
is to expose the network to quickly spreading malware that may enter through
a remote office.
A major reason for the disconnect between how security and networking
professionals view VPNs is the architecture imposed by segregating VPN and
security technologies into separate solutions. Because of this, organizations
are forced into four basic scenarios that either complicate security or cause it
to be bypassed.
Scenario 1: Placing a VPN device in front of the firewall
In the first scenario, a VPN device is placed between the firewall and the Internet.
Two types of products commonly are found here: a VPN concentrator and a
VPN-enabled router. In both cases, the devices may have basic packet-filtering
capabilities. As VPN-enabled routers become more commonplace, organizations
are using this deployment configuration more frequently, especially at smaller
offices. The advantage of this configuration is that a VPN device unencrypts traffic
before the firewall sees it. The firewall can make intelligent decisions based on the
traffic, simplifying the deployment.
[Figure: Placing a VPN in front of the firewall. Labels: Internet, IPSec tunnel, VPN router, unencrypted traffic, Firewall]
While simple to deploy, this configuration suffers from one major weakness.
Because the VPN device sits outside the perimeter defenses, it is exposed to
attack and can be either compromised via vulnerability or taken offline via a
DoS attack such as those available against Internet Key Exchange (IKE), the key
management system for IPSec VPNs. The security offered by VPN devices does
not offer legitimate defenses against the threats posed by either vulnerabilities or
DoS-type attacks.
Scenario 2: Placing the VPN behind the firewall
Organizations that place the VPN device behind the firewall generally assume
that the entities on the other side of the VPN tunnel can be trusted, a distinct risk
considering the majority of cyber attacks are still caused by trusted insiders. In this
scenario, VPN traffic remains uninspected due to encryption, which the perimeter
firewall is unable to decipher.
[Figure: VPN placed behind the firewall. Labels: Internet, IPSec tunnel, Firewall, VPN router]
This second option creates large risks in the minds of security professionals
because the firewall, and the associated security policy, are simply bypassed.
One risk is that the VPN device is still subject to DoS attack or compromise, just
like it was when it was placed outside the firewall. Another risk is the firewall
cannot complete its primary job of inspecting traffic for malicious content. Instead,
attacks can pass through uninspected. Last, it involves leaving a number of ports,
or holes, open on the firewall so that VPN traffic can traverse it successfully. This
violates a fundamental security philosophy to lock down the network: leave as
few ports exposed as possible. Companies can choose to reroute the traffic back
through the firewall via a demilitarized zone (DMZ). However, the VPN device itself
is still at risk and administrators face a complex configuration challenge.
Scenario 3: Integrated routers
One solution that networking companies have proposed for this problem is the
integrated router, a device that combines multiple applications such as routing,
VPN, and firewall onto a single platform. While good in theory, these devices
actually share many of the problems of the previous scenarios. The main cause
of this is that these modules are not truly integrated. Instead, each module is
developed and implemented as an independent application. Traffic is passed
between modules in a linear fashion to complete tasks. The router completes its
tasks, then traffic is passed to the VPN if necessary, and finally the firewall. The
order may vary, but the lack of cooperation between applications does not. While
this does reduce hardware expense and rack space requirements, it does not
address the core issue of protecting the network and the VPN from threats.
A number of security appliances have followed the same model of providing
several non-integrated applications on a single platform and face the same issue.
[Figure: The integrated router architecture. Labels: Internet, IPSec tunnel, integrated firewall, VPN, and router (Router, VPN, and Firewall/IPS modules in sequence)]
Scenario 4: Placing the VPN and firewall devices in parallel
The fourth scenario places the VPN device and the firewall in parallel. The gateway
router directs encrypted traffic to the VPN device and other traffic to the firewall. In
practice, this scenario shares all the downside of previous scenarios without the
upside of simpler configuration and deployment. The VPN device is still exposed
to attack and encrypted traffic remains uninspected by the firewall. Also, ensuring
the traffic is inspected requires the administrator to reroute traffic back through
the firewall or to place another firewall on the interior of the VPN device.
The Check Point solution for ensuring secure VPNs
To solve these problems, to bring connectivity together with security, the Check
Point VPN-1 security gateway family is architected in a truly integrated fashion.
Rather than separate applications running independently, the firewall, VPN,
and intrusion prevention functions act as one, being brought in at the proper
time to perform their functions while minimizing the risk. By doing this, VPNs
gain protection against DoS attacks while the firewall and intrusion prevention
functions can inspect VPN traffic without complicating the configuration.
[Figure: VPN device and firewall in parallel. Labels: Internet; encrypted traffic to the VPN device; other traffic to the Firewall]
[Figure: The Check Point architecture. Labels: Internet; encrypted traffic; VPN-1 with Firewall, VPN, and Intrusion prevention as one gateway]
An example of this is the protection that VPN-1 gateways provide against IKE DoS
attacks. A known attack against IKE takes advantage of vulnerabilities within the
IKE protocol suite by sending a specially crafted packet asking the VPN gateway
to create a VPN tunnel. The gateway is obliged to respond and reserve a portion
of memory for the tunnel. By sending many of these requests from random IP
addresses in a short time, an attacker can cause the VPN gateway to consume all
resources and be unable to properly respond to legitimate requests.
One possibility to defend against such an attack is to limit IKE conversations to
the known IP addresses of gateways. However, to do so would mean disallowing
the dynamic IP addresses used to provision many smaller offices. Another method
would be to watch the number of IKE requests per second and throttle back new
ones when a threshold is reached that would indicate an attack.
VPN-1 security gateways offer a number of additional methods to prevent IKE
DoS attacks without denying services. The first method is stateless protection.
When a VPN-1 security gateway is under load or has hit a threshold that indicates
a possible attack, it will challenge the requesting gateway to produce a number
that only that gateway could know. It then forgets the request and does not
allocate memory or CPU resources until the remote gateway has responded
with the correct answer. If the attacker has forged the IP address of a legitimate
gateway, she or he will not receive the challenge and will not answer, causing the
original request to be discarded.
However, an attacker may control a number of IP addresses unknown to the
VPN-1 security gateway, having compromised the hosts associated with them,
a typical bot scenario. In this situation, it is likely that the attacker will be able
to respond to the challenge. To address this issue, VPN-1 security gateways
provide a puzzle challenge method. In this case, the remote computer is asked to
solve a computationally intensive puzzle before resources are allocated. Because
computers will only be able to solve a few of these challenges a second, the puzzle
method will slow down requests and blunt the DoS attack.
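The two mechanisms just described, the stateless challenge and the puzzle challenge, can be modelled on the responder side in a few dozen lines. The example below is added here and is not Check Point's code; the whitepaper does not say how VPN-1 derives its challenge, so the HMAC cookie and the hash-based puzzle (the shape used by IKEv2 cookies and classic client puzzles) are this editor's assumptions, as are all the names (IkeResponder, solve_puzzle, the 203.0.113.0/24 and 192.0.2.0/24 sample addresses). The model keeps a count of half-open tunnels as the scarce resource: below the threshold it allocates at once, above it a request from a forged source gets a challenge that the forger never sees, and a bot that can answer is still slowed by the puzzle work.

```python
import hashlib
import hmac
import os
import secrets


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a hash digest (the puzzle difficulty measure)."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


class IkeResponder:
    """Toy model (assumption, not VPN-1's implementation) of a gateway answering IKE tunnel requests.

    Below `threshold` pending handshakes it allocates state at once (normal mode).
    Once the threshold is hit it answers with a stateless cookie, optionally plus a
    client puzzle, and allocates memory only when a valid answer comes back.
    """

    def __init__(self, threshold: int = 50, puzzle_bits: int = 0, secret: bytes = None):
        self.threshold = threshold
        self.puzzle_bits = puzzle_bits
        self.secret = secret or os.urandom(32)  # cookie key; a real gateway rotates it
        self.tunnels = {}  # (src_ip, spi) -> half-open SA state; this is the scarce resource

    def _cookie(self, src_ip: str, spi: bytes) -> bytes:
        # Recomputable from the request alone, so nothing is stored while waiting.
        return hmac.new(self.secret, src_ip.encode() + spi, hashlib.sha256).digest()[:16]

    def under_load(self) -> bool:
        return len(self.tunnels) >= self.threshold

    def handle_request(self, src_ip: str, spi: bytes):
        """First message. Returns ("allocated", None) or ("challenge", cookie)."""
        if not self.under_load():
            self.tunnels[(src_ip, spi)] = "half-open"
            return "allocated", None
        # Under load: the challenge goes to the claimed source address; a spoofed
        # source never sees it, so the request is simply forgotten.
        return "challenge", self._cookie(src_ip, spi)

    def handle_response(self, src_ip: str, spi: bytes, cookie: bytes, solution: bytes = b"") -> str:
        """Second message: echoed cookie (and puzzle answer). Only now is state allocated."""
        if not hmac.compare_digest(cookie, self._cookie(src_ip, spi)):
            return "rejected"
        if self.puzzle_bits:
            work = hashlib.sha256(cookie + solution).digest()
            if leading_zero_bits(work) < self.puzzle_bits:
                return "rejected"
        self.tunnels[(src_ip, spi)] = "half-open"
        return "allocated"


def solve_puzzle(cookie: bytes, bits: int):
    """Initiator-side work: find a value whose hash with the cookie has `bits` leading zeros.
    Expected cost is about 2**bits hashes, which is what throttles a bot that can answer."""
    counter = 0
    while True:
        candidate = counter.to_bytes(8, "big")
        if leading_zero_bits(hashlib.sha256(cookie + candidate).digest()) >= bits:
            return candidate, counter + 1
        counter += 1


def simulate_spoofed_flood(responder: IkeResponder, requests: int) -> int:
    """Requests with forged, never-answering sources (constructed 203.0.113.0/24 addresses).
    Returns how many of them actually obtained gateway state."""
    allocated = 0
    for i in range(requests):
        status, _ = responder.handle_request(f"203.0.113.{i % 254 + 1}", secrets.token_bytes(8))
        allocated += status == "allocated"
    return allocated


def legitimate_handshake(responder: IkeResponder, src_ip: str = "192.0.2.10"):
    """A real peer: if challenged it solves the puzzle and completes the exchange."""
    spi = secrets.token_bytes(8)
    status, cookie = responder.handle_request(src_ip, spi)
    if status == "allocated":
        return status, 0
    solution, tries = solve_puzzle(cookie, responder.puzzle_bits)
    return responder.handle_response(src_ip, spi, cookie, solution), tries


if __name__ == "__main__":
    gw = IkeResponder(threshold=50, puzzle_bits=12)
    print("spoofed requests that obtained state:", simulate_spoofed_flood(gw, 10_000))
    print("legitimate peer (status, puzzle tries):", legitimate_handshake(gw))
```

Whatever the flood size, the responder never holds more than `threshold` unanswered handshakes, and a genuine peer behind a dynamic address still gets through because the challenge is bound to its real source address rather than to a pre-registered list.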
SmartDefense intrusion prevention
VPN-1 security gateways also provide advanced IKE protections through
SmartDefense intrusion prevention technology, protecting not only Check
Point VPN technologies, but those of other vendors as well. This is important
because all vendor gateways can be subject to IKE DoS attack. In August 2002,
the United States Computer Emergency Readiness Team (CERT) issued a warning
that multiple vendors' solutions could be vulnerable to potential buffer overflows
or DoS attacks if an attacker were to send a single malformed packet. However,
Check Point's SmartDefense can detect even a single malformed packet because
at a deep level it can tell the difference between normal and malicious IKE traffic
behavior. Therefore, when a VPN-1 security gateway receives a packet that does
not conform to IKE protocols, it will prevent that packet from entering the network.
[Figure: VPN-1 IKE protections]
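"Does not conform to IKE protocols" is a checkable property: the ISAKMP header and the chain of generic payload headers carry explicit lengths, and a malformed packet of the kind in the 2002 CERT advisory typically lies about one of them. The validator below is an added example, not SmartDefense's logic; it applies the header layout of RFC 2408/7296 (28-byte header, 4-byte generic payload header) and rejects truncated headers, unsupported versions, a header length that disagrees with the datagram, and payload lengths that run past the buffer, which is exactly the condition a naive parser would overrun. The sample packets, the helper build_ike and the name validate_ike are constructed here.

```python
import struct

IKE_HDR = struct.Struct("!8s8sBBBBII")  # iSPI, rSPI, next payload, version, exchange, flags, message ID, length
PAYLOAD_HDR = struct.Struct("!BBH")     # next payload, critical/reserved, payload length (header included)
EXCHANGES = {2: "IKEv1 main mode", 4: "IKEv1 aggressive mode", 5: "IKEv1 informational",
             32: "IKEv1 quick mode", 34: "IKE_SA_INIT", 35: "IKE_AUTH",
             36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
FLAG_RESPONSE = 0x20  # IKEv2 "R" bit


def validate_ike(packet: bytes) -> list:
    """Return the ways `packet` fails to conform to the ISAKMP/IKE layout (empty list = conforms)."""
    findings = []
    if len(packet) < IKE_HDR.size:
        return [f"truncated header: {len(packet)} bytes, need {IKE_HDR.size}"]
    ispi, rspi, next_payload, version, exchange, flags, msg_id, length = IKE_HDR.unpack_from(packet)
    major = version >> 4
    if major not in (1, 2):
        findings.append(f"unsupported major version {major}")
    if length != len(packet):
        findings.append(f"header length {length} != datagram length {len(packet)}")
    if exchange not in EXCHANGES:
        findings.append(f"unknown exchange type {exchange}")
    if major == 2 and exchange == 34 and not flags & FLAG_RESPONSE and rspi != bytes(8):
        findings.append("IKE_SA_INIT request must carry a zero responder SPI")
    # Walk the payload chain; every claimed length must stay inside the datagram.
    offset, ptype, hops = IKE_HDR.size, next_payload, 0
    while ptype != 0:
        hops += 1
        if hops > 32:
            findings.append("payload chain longer than 32 entries")
            break
        if offset + PAYLOAD_HDR.size > len(packet):
            findings.append(f"payload type {ptype} header runs past end of packet at offset {offset}")
            break
        next_type, _critical, plen = PAYLOAD_HDR.unpack_from(packet, offset)
        if plen < PAYLOAD_HDR.size:
            findings.append(f"payload type {ptype} length {plen} is smaller than its own header")
            break
        if offset + plen > len(packet):
            findings.append(f"payload type {ptype} claims {plen} bytes but only {len(packet) - offset} remain")
            break
        offset += plen
        ptype = next_type
    else:
        if offset != len(packet):
            findings.append(f"{len(packet) - offset} trailing bytes after the last payload")
    return findings


def build_ike(payloads, exchange=34, major=2, ispi=b"\x11" * 8, rspi=bytes(8), flags=0x08, length=None) -> bytes:
    """Assemble a datagram from (payload type, body) pairs; used only to construct the samples below."""
    body = b""
    for i, (ptype, data) in enumerate(payloads):
        next_type = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += PAYLOAD_HDR.pack(next_type, 0, PAYLOAD_HDR.size + len(data)) + data
    first = payloads[0][0] if payloads else 0
    total = IKE_HDR.size + len(body) if length is None else length
    return IKE_HDR.pack(ispi, rspi, first, major << 4, exchange, flags, 0, total) + body


# Constructed samples: a plausible IKE_SA_INIT request (SA=33 and Nonce=40 payloads) and corrupted variants.
GOOD = build_ike([(33, b"\x00" * 16), (40, b"\xaa" * 32)])
OVERSIZED = bytearray(GOOD)
struct.pack_into("!H", OVERSIZED, IKE_HDR.size + 2, 0xFFFF)  # first payload now claims 65535 bytes
OVERSIZED = bytes(OVERSIZED)
BAD_VERSION = build_ike([(40, b"\xaa" * 32)], major=7)
WRONG_LENGTH = build_ike([(40, b"\xaa" * 32)], length=9999)


if __name__ == "__main__":
    for name, pkt in [("good", GOOD), ("oversized payload", OVERSIZED),
                      ("bad version", BAD_VERSION), ("wrong length", WRONG_LENGTH), ("truncated", GOOD[:20])]:
        print(f"{name:18} {validate_ike(pkt) or 'conforms'}")
```

The point of returning findings rather than raising on the first one is that a gateway or IPS logs the reason it dropped a packet; every check here is decided from lengths already in hand, so a packet is never read beyond its own buffer.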
Beyond the specific protections for VPN-directed attacks, the integrated approach
provided by the VPN-1 family also ensures that traffic, once unencrypted, is not
malicious in intent. As stated earlier, the possibility of remote sites being infected
with worms and other malicious code means that they must now be treated as
semi-trusted entities. Although VPN-1 security gateways do support wire mode,
the ability to pass VPN traffic through uninspected, by default they apply the
necessary inspection to keep the network safe.
Eliminating security sprawl
Going beyond security, this integrated approach simplifies the management of
VPNs. The amount of effort needed to maintain separate user databases, policies,
and logging should not be underestimated. A common point for introducing
errors, the multiple interfaces and databases required by separate firewall and
VPN solutions creates the condition of security sprawl: unplanned security that
duplicates effort and causes divergent policies that reduce security effectiveness
while increasing management costs.
Because it offers a unified security architecture across all functions (firewall, VPN,
and intrusion prevention), a VPN-1 security gateway eliminates security sprawl.
This greatly reduces the costs associated with VPN management and minimizes
the chance for errors by using common resources such as the user database for
shared tasks.
[Figure: SmartDefense intrusion prevention IKE protections]
Provide advanced technologies to simplify VPN creation
VPNs have swiftly moved from being something considered too complex to
deploy on a large scale to being a necessity for business communications. The
adoption of large-scale broadband connections has meant that organizations
now use VPNs on a much larger scale connecting much smaller offices compared
to just a few years ago. Keeping a positive return on investment for these
deployments requires that VPNs become much simpler to deploy.
Building blocks of a simple VPN deployment
At its roots, a VPN is a solution that protects data transmitted over an untrusted
network using encryption algorithms to ensure the confidentiality and integrity of
information. As a VPN scales to include more sites, the simplicity of that definition
is lost in complexity. That VPN simplicity has to be restored. In addition to the
need to simplify the creation of VPN encryption, site-to-site authentication, VPN
communities, Quality of Service, and High Availability and load sharing also need
to be considered in any VPN deployment.
Site-to-site authentication
A major complication in VPN deployment has been site-to-site authentication.
There are two main options for ensuring the identity of communicating parties.
One option has been shared secrets: a manually assigned encryption key pair
shared by two sites. For large organizations looking to set up a fully meshed
network, a VPN where all sites can speak directly to each other, this means
configuring a number of keys equal to n*(n-1)/2, where n is the number of sites.
For example, an organization that has 75 sites involved in a fully meshed VPN
would need to manually program 2775 keys. Adding site 76 would require keeping
track of another 75 key pairs. Complicating matters are the security requirements
to change these keys on a regular basis. From an administrative standpoint, shared
secret key management is enough of a challenge to keep VPNs small in nature.
The alternative has been to set up a certificate authority for public key
infrastructure (PKI) based key exchanges. This does provide a more secure
method by reducing the chance of a brute force attack, which becomes possible
because organizations simply do not have the time to change keys on a regular
basis. However, for companies that have not previously deployed a PKI system
and centralized directory, it adds considerable expense and complexity to
VPN deployment.
VPN communities
Setting up VPN communities has long been a problem for network administrators.
Adding new sites and available resources to an existing VPN has usually been a
manual process centered on getting the current gateways to recognize the new
gateway. The scale of manually configuring sites results in hard-to-find errors that
limit connectivity.
Encryption algorithms (sidebar)
IKE encryption: AES-256, 3DES, DES, CAST
IPSec encryption: AES-256, AES-128, 3DES, DES, DES-40CP, CAST, CAST-40, NULL
IKE and IPSec data integrity: SHA1, MD5
Quality of Service
Another factor to consider in VPN deployment is bandwidth management and
Quality of Service (QoS). As real-time applications such as VoIP have become
more widespread, this consideration has increased in importance due to the
latency of VPN communications. Administrators must be able to mitigate latency
while maintaining VPN encryption. QoS should be able to be flexibly defined by
the organization to meet the needs of the application mix.
High Availability and load sharing
In provisioning VPN services, High Availability and load sharing play a central role.
For example, internal resources like email are dependent on the uptime of the
VPN. Traditionally, even VPNs that have High Availability have had problems with
synchronization. If one gateway becomes unavailable, a user must restart her/his
session before continuing, a major headache in usability for the non-technical
person. Also, High Availability clusters need to be able to support failover even
when physically distant from one another.
VPN-1: Restoring simplicity of VPN creation
The VPN-1 solution is designed to restore the simplicity of VPN creation through
a variety of technologies. Check Point has been at the forefront of simplifying
large-scale VPN deployments while increasing the power available through
advanced technologies, an example of which is comprehensive encryption.
Comprehensive encryption
The VPN-1 security gateway family supports advanced encryption algorithms for
protection of data transmission. Certified by the United States federal government
under the Federal Information Processing Standards Publication 140-2 for
cryptographic modules, the VPN technologies within VPN-1 combine flexibility
to match the proper encryption algorithm to the needed security profile with the
assurance of a proven solution.
Integrated Certificate Authority
Check Point's answer to offering site-to-site authentication is integrated
Certificate Authority (ICA). Check Point VPN-1 security gateways include an ICA
that reduces the complexity of site-to-site VPN deployment while enhancing
communications confidentiality through simplified authentication. This ICA is
located on the SmartCenter server and is fully compliant with X.509 certificates
and certificate revocation lists. A certificate is automatically created and issued
when a new VPN-1 Power or VPN-1 UTM security gateway is deployed with VPN
components. Administrators can configure attributes such as key validity length
and key size to flexibly fit their environments. This ICA can also be used for remote
access VPN users.
If an organization has already deployed a separate PKI solution, VPN-1 security
gateways can also use it for certificates. Third-party certificates can be imported
manually using a PKCS#10 request or be obtained using Automatic Enrollment
from a trusted CA. VPN-1 security gateways support the following protocols for
Automatic Enrollment:
SCEP (Simple Certificate Enrollment Protocol)
CMP v1 (Certificate Management Protocol)
CMP v2
Many third-party PKI vendors have certified their solutions for interoperability with
Check Point solutions through the Open Platform for Security (OPSEC). To see a
list of certified solutions, visit http://www.opsec.com and view the Authentication
solutions page in the Security Enforcement section. Because VPN-1 security
gateways are compliant with X.509 certificates, other solutions may work as well.
Implementing VPN communities
By simplifying the process of adding gateways, it will become easier to set up
VPN communities. An important concept in Check Points drive to simplify
VPNs, VPN communities enable an administrator to quickly add a new VPN-1
security gateway to an existing site-to-site VPN. This new gateway will
automatically inherit the necessary IPSec configurations, and all other gateways
will immediately become aware of the new gateway. Some of the attributes that
can be configured include:
IKE properties including Diffie-Hellman group type and use of aggressive mode
Encryption and data integrity algorithms for key exchange and data secrecy
Perfect Forward Secrecy
Any applications, services, or protocols that should not be encrypted
This technology, which is also called One-Click VPN, reduces the initial
time needed to set up a site-to-site VPN and to add new sites. It also lowers the
chance of configuration errors in large-scale VPNs. Because all configurations
come from a single place, the time spent troubleshooting VPN problems is greatly
reduced. To simplify the transition from legacy VPN solutions, third-party VPN
devices can participate in VPN communities. In this case, the administrator must
manually configure the third-party VPN device but the VPN-1 security gateways
will automatically recognize the device and adopt the proper configuration,
illustrating the simplicity that Check Point brings to VPN configuration.
VPN-1 communities support both meshed and star VPN topologies. In a meshed
VPN, all community members may communicate directly with one another. In
a star VPN, traffic between sites resembles a hub and spoke, where all traffic is
routed through a set of central gateways. To simplify management of a star VPN
community, an administrator may use VPN communities to configure whether
traffic is routed:
Only to the central gateways
To central gateways and then to other VPN community members
To central gateways and then allowed to pass to other members or the Internet
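A community is essentially a membership list plus a topology, from which the set of gateway pairs that must peer (and, under shared secrets, the set of keys) and the permitted traffic paths are derived. The model below is an added example, not Check Point's implementation or SmartDashboard's data model: it derives the meshed and star peerings, applies the three star routing options listed above, and shows why adding a site is one operation when the peerings are derived rather than configured pairwise. It also carries the n*(n-1)/2 count from the site-to-site authentication section (2775 keys for 75 sites). The class and policy names (VpnCommunity, center_only, center_to_members, center_to_internet) are this editor's.

```python
from itertools import combinations


def preshared_keys_required(sites: int) -> int:
    """Pairwise shared secrets a fully meshed VPN needs: n*(n-1)/2 (2775 for 75 sites)."""
    return sites * (sites - 1) // 2


class VpnCommunity:
    """Membership plus topology decide which gateway pairs peer and how traffic may flow.

    topology: "mesh" (every member peers with every other) or "star".
    star_policy (star only), mirroring the three options in the text:
      "center_only"         satellites reach only the central gateways
      "center_to_members"   satellites reach other members through a center
      "center_to_internet"  as above, and may also reach the Internet through a center
    Only satellite-to-Internet via a center is modelled; centers are assumed to have their own exit.
    """

    def __init__(self, topology, centers=(), satellites=(), star_policy="center_only"):
        self.topology = topology
        self.centers = list(centers)
        self.satellites = list(satellites)
        self.star_policy = star_policy

    @property
    def members(self):
        return self.centers + self.satellites

    def add_gateway(self, name, central=False):
        """One operation: tunnels() is derived, so every existing member 'sees' the new peer at once."""
        (self.centers if central else self.satellites).append(name)

    def tunnels(self):
        """Gateway pairs that must hold an IPSec peering (and, with shared secrets, one key each)."""
        if self.topology == "mesh":
            return {frozenset(p) for p in combinations(self.members, 2)}
        pairs = {frozenset((c, s)) for c in self.centers for s in self.satellites}
        pairs |= {frozenset(p) for p in combinations(self.centers, 2)}
        return pairs

    def path(self, src, dst):
        """Hops a flow from member src to dst (a member name or "Internet") takes, or None if not permitted."""
        if src == dst:
            return [src]
        if dst == "Internet":
            if self.topology == "star" and src in self.satellites and self.star_policy == "center_to_internet":
                return [src, self.centers[0], "Internet"]
            return None
        if frozenset((src, dst)) in self.tunnels():
            return [src, dst]
        if self.topology == "star" and self.star_policy in ("center_to_members", "center_to_internet"):
            links = self.tunnels()
            hub = next(c for c in self.centers
                       if frozenset((src, c)) in links and frozenset((c, dst)) in links)
            return [src, hub, dst]
        return None


if __name__ == "__main__":
    # Constructed communities: a five-site mesh and a two-hub, three-satellite star.
    mesh = VpnCommunity("mesh", satellites=["A", "B", "C", "D", "E"])
    print("mesh tunnels:", len(mesh.tunnels()), "keys if shared secrets:", preshared_keys_required(5))
    star = VpnCommunity("star", centers=["HQ1", "HQ2"], satellites=["S1", "S2", "S3"],
                        star_policy="center_to_members")
    print("star tunnels:", len(star.tunnels()), "S1 -> S2:", star.path("S1", "S2"))
    print("75 sites meshed with shared secrets:", preshared_keys_required(75), "keys")
```

In the mesh, the number of peerings grows quadratically, which is the key-management problem the page attributes to shared secrets; in the star, adding a satellite adds exactly one peering per central gateway, and the policy switch decides whether satellites may talk to each other at all.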
QoS for VPNs
Because VPN-1 security gateways provide true integration of multiple security
functions, they are perfectly placed to deliver policy-based bandwidth
management and QoS. With this, organizations can mitigate the latency added by
encryption on time-sensitive applications such as VoIP. Administrators can define
their QoS policies based on a number of methods, including:
Weight of priority in comparison to other traffic
Guarantee of bandwidth minimum and maximum
Low latency queuing
DiffServ Group
[Figure: Viewing defined VPN communities]
[Figure: Defining a QoS policy]
Multiple Entry Points for High Availability and load sharing
Multiple Entry Point (MEP) provides High Availability and load sharing for VPN
services. When a VPN gateway fails under normal circumstances, all internal
resources behind it, such as email, VoIP, and more, are no longer available.
MEP works when two VPN-1 security gateways are connected internally via
frame relay or leased line and both have specific resources defined within their
encryption domains, the lists of hosts, servers, and other resources that should
be encrypted in a VPN tunnel. If one of the gateways is not available, the site-to-
site VPN automatically transfers traffic to the other gateway. Unlike traditional
clustering solutions used for High Availability, MEP allows the gateways to be
geographically distant from each other.
VPN-1 supports traditional High Availability and clustering as well. Multiple
VPN-1 security gateways may be placed together to create an active/active
cluster that enables VPN scaling. When a VPN session is started on one gateway,
it is synchronized between all gateways through Check Point's patented Stateful
Inspection technology. If the gateway is unavailable for whatever reason, the
session is automatically continued on another member of the cluster without
requiring the session to be restarted.
[Figure: Multiple Entry Point configured for gateway X. Labels: Internet; Gateway A with VPN domain A; Gateway B with VPN domain B; Gateway X with VPN domain C; shared encryption domain]
Beyond building VPN blocks: More resources, more-dynamic networks
The traditional way to create a VPN has been to define encryption domains, the
different resources behind each VPN device that should have traffic encrypted
across a tunnel. Then the routing between each gateway is defined. For small-scale
and static VPNs, this method worked very well. As networks grew larger and
more interconnected with dynamic resources, domain-based VPNs have not been
able to scale with them as:
Resources grew in number: when the resources that were accessed by a
VPN did not change and were few in number, domain-based VPNs worked
well. Once more resources were added that had to be accessed across a
large number of offices, the VPN domains became larger and more difficult to
maintain correctly.
Networks became more dynamic and larger: the shift from static routing to
dynamic routing reduced the overhead in router configuration and increased
network reliability. However, traditional VPNs have relied on statically defined
routes between resources. Traditional VPNs cannot deal effectively with
resources that are located in a dynamic routing environment. With the growth in
the number of offices being connected, managing the number of static routes
required between VPN devices also became overwhelming.
The route-based VPN: Designing a complex VPN with simple routing
The answer to these issues is route-based VPNs, an advanced technology found
in VPN-1 security gateways that simplifies the deployment of large-scale VPNs.
The core difference between route-based and domain-based VPNs is that the
decision whether to encrypt traffic is not founded on a predefined set of resources
such as subnets or hosts but on IP routing.
To accomplish this, VPN-1 devices use VPN tunnel interfaces (VTI) to represent
virtual direct links between different sites on the VPN. Each site has a VPN tunnel
interface that corresponds to another VPN-1 security gateway that it is connected
to through the VPN. For a packet leaving the network destined for a remote office
over a VPN, the following happens:
1. An IP packet destined for address X is matched against the routing table
2. The routing table indicates that address X is routed through an exclusive
connection, known as a VTI
3. VPN-1 intercepts the packet, applies the proper security parameters for the
VPN, and inserts the destination gateway's IP address
4. The packet is rerouted to the physical interface and sent to the remote gateway
At the other end, the process happens in reverse.
Dynamic routing support (sidebar): OSPF, BGP, RIPv1, RIPv2
Route-based VPN using VPN tunnel interface
Route-based VPNs can use both static and dynamic routing to create the virtual
connection between corresponding VTIs. Dynamic routing offers a number of
benefits over static routing for creating a secure, reliable VPN that spans a large
number of locations.
[Figure labels for "Route-based VPN using VPN tunnel interface": two VPN-1 gateways, each with an internal network, a physical interface, and a VPN tunnel interface, connected across the Internet]
First, the two VPN-1 security gateways can exchange routing information about
the networks they protect and dynamically change routes based on that information.
This enables geographically separated locations to participate in each other's
dynamic routing communities without a dedicated logical or physical connection
such as frame relay or a leased line. More importantly, each VPN-1 security
gateway understands how to correctly route encrypted traffic to its final destination.
Second, it enhances the reliability of the VPN. As an example, consider this scenario:
Sites A, B, and C each has route-based VPNs set up with VTIs they share. If the
link between site A and site B becomes unavailable, site B will automatically know
that site C has a route to site A. Unlike with domain-based VPNs using MEP, this is
accomplished automatically without administrator configuration.
[Figure: A redundant VPN using route-based VPN with dynamic routing. Labels: Internet; frame relay or leased line; VPN-1 A (207.34.1.30), VPN-1 B (215.129.43.17), VPN-1 C (156.146.12.9); internal network 10.10.20.0/24 shown at each site]
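The four forwarding steps of the route-based section and the A/B/C reroute scenario above are one mechanism seen twice: a packet is encrypted if and only if its longest-prefix route points at a VTI, and a routing protocol running over those VTIs rebuilds the tables when a link goes away. The simulation below is an added example, not Check Point's code: it models gateways with routing tables whose next hops are VTIs, rebuilds the tables from link state by breadth-first search (standing in for OSPF or BGP), and traces a packet from B to A's internal network before and after the A-B link fails. The gateway public addresses are the ones in the figure; the internal subnets (10.10.10.0/24, 10.10.20.0/24, 10.10.30.0/24), the class names and domain_based_decision are constructed here. Internal link-state routing here is deliberately minimal and is not the protocol the gateways actually run.

```python
import ipaddress
from collections import deque


class Gateway:
    """A VPN gateway whose routing table may point at VPN tunnel interfaces (VTIs)."""

    def __init__(self, name, public_ip, local_net):
        self.name, self.public_ip = name, public_ip
        self.local_net = ipaddress.ip_network(local_net)
        self.routes = {}  # ip_network -> "local" or "vti:<peer gateway name>"

    def lookup(self, dst_ip):
        """Steps 1-2: longest-prefix match; the next hop says whether a VTI is involved."""
        dst = ipaddress.ip_address(dst_ip)
        matches = [(net, via) for net, via in self.routes.items() if dst in net]
        return max(matches, key=lambda m: m[0].prefixlen) if matches else None

    def forward(self, dst_ip, gateways):
        """Steps 3-4: only a VTI route triggers encryption, addressed to the peer's public IP."""
        match = self.lookup(dst_ip)
        if match is None:
            return {"action": "drop"}
        net, via = match
        if via == "local":
            return {"action": "deliver", "network": str(net)}
        peer = via[len("vti:"):]
        return {"action": "encrypt", "peer": peer,
                "outer_dst": gateways[peer].public_ip, "inner_dst": dst_ip}


class RouteBasedVpn:
    """Sites joined pairwise by VTIs; tables are rebuilt from link state, as a routing protocol would."""

    def __init__(self):
        self.gateways = {}
        self.links = set()  # frozenset({a, b}) for every VTI pair that is currently up

    def add_gateway(self, gw):
        self.gateways[gw.name] = gw

    def set_link(self, a, b, up):
        (self.links.add if up else self.links.discard)(frozenset((a, b)))

    def _first_hops(self, src):
        """Breadth-first search over up links: destination gateway -> first hop from src."""
        first, seen, queue = {}, {src}, deque([src])
        while queue:
            cur = queue.popleft()
            for link in sorted(self.links, key=sorted):
                if cur in link:
                    nxt = next(iter(link - {cur}))
                    if nxt not in seen:
                        seen.add(nxt)
                        queue.append(nxt)
                        first[nxt] = nxt if cur == src else first[cur]
        return first

    def converge(self):
        """Install a route to every reachable site's internal network via the right VTI."""
        for gw in self.gateways.values():
            gw.routes = {gw.local_net: "local"}
            for dest, hop in self._first_hops(gw.name).items():
                gw.routes[self.gateways[dest].local_net] = f"vti:{hop}"

    def trace(self, src, dst_ip):
        """Follow one packet from gateway to gateway until it is delivered or dropped."""
        hops, cur = [], self.gateways[src]
        for _ in range(len(self.gateways) + 1):
            step = cur.forward(dst_ip, self.gateways)
            hops.append((cur.name, step["action"]))
            if step["action"] != "encrypt":
                break
            cur = self.gateways[step["peer"]]
        return hops


def domain_based_decision(encryption_domains, dst_ip):
    """Domain-based contrast: encrypt only if dst is inside a peer's statically listed encryption domain."""
    dst = ipaddress.ip_address(dst_ip)
    return next((peer for peer, nets in encryption_domains.items()
                 if any(dst in ipaddress.ip_network(n) for n in nets)), None)


def build_demo():
    """Sites A, B, C of the text; public IPs from the figure, internal subnets constructed here."""
    vpn = RouteBasedVpn()
    for name, ip, net in [("A", "207.34.1.30", "10.10.10.0/24"),
                          ("B", "215.129.43.17", "10.10.20.0/24"),
                          ("C", "156.146.12.9", "10.10.30.0/24")]:
        vpn.add_gateway(Gateway(name, ip, net))
    for a, b in [("A", "B"), ("B", "C"), ("A", "C")]:
        vpn.set_link(a, b, True)
    vpn.converge()
    return vpn


if __name__ == "__main__":
    vpn = build_demo()
    print("B -> A, all links up:  ", vpn.trace("B", "10.10.10.5"))
    vpn.set_link("A", "B", False)  # the A-B link fails
    vpn.converge()                 # B now learns that C still has a route to A
    print("B -> A, A-B link down: ", vpn.trace("B", "10.10.10.5"))
```

After the link failure, B's route to 10.10.10.0/24 points at vti:C, so the packet is encrypted to C's public address, decrypted at C, and encrypted again towards A; no administrator touched an encryption domain. With domain_based_decision the same packet is encrypted only if its destination was listed in a peer's domain ahead of time, and nothing in that list reacts to the link failure.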
Graceful restart
A distinct benefit that VPN-1 security gateways bring when dealing with dynamic
routing is the inclusion of OSPF hitless/graceful restart and BGP graceful restart. These two protocols, often found only on high-end routers, enable a swift
recovery from temporary hardware failure, such as a reboot. Under normal
circumstances, a gateway (gateway A) trying to communicate with another
gateway (gateway B) that has failed would automatically remove that route from
its tables and report it to other gateways, causing a ripple effect even if gateway
B is only down temporarily. If a VPN-1 gateway is temporarily down, its routes
are not automatically deleted but are assumed to still be valid for a limited time.
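The two behaviours described above (site B re-routing to site A via site C when the A-B VTI fails, and a restarting peer's routes being retained for a grace period rather than withdrawn at once) can be modelled in a few lines. This is an added, constructed illustration, not Check Point code; the `RouteBasedVpn` class, the gateway names and the prefixes are assumptions made for the example, and real OSPF/BGP convergence and grace timers are far more involved.

```python
from collections import deque

class RouteBasedVpn:
    """Constructed toy model of gateways that learn routes over VTIs (not Check Point code)."""

    def __init__(self, grace_seconds=120.0):
        self.links = {}       # gateway -> set of peers reachable over an up VTI
        self.networks = {}    # gateway -> set of protected networks it advertises
        self.down_since = {}  # gateway -> time at which it was seen going down
        self.grace = grace_seconds  # graceful-restart window (assumed value)

    def add_gateway(self, name, network):
        self.links.setdefault(name, set())
        self.networks[name] = {network}

    def add_vti(self, a, b):            # a VTI is a point-to-point link between two gateways
        self.links[a].add(b)
        self.links[b].add(a)

    def link_down(self, a, b):          # the underlying Internet path between two VTIs fails
        self.links[a].discard(b)
        self.links[b].discard(a)

    def gateway_down(self, name, now):  # peer stops answering (e.g. it is rebooting)
        self.down_since[name] = now

    def gateway_up(self, name):
        self.down_since.pop(name, None)

    def _usable(self, name, now):
        # Graceful restart: a down peer stays in the topology until the grace window expires,
        # so its routes are neither withdrawn nor re-advertised as unreachable to other gateways.
        return name not in self.down_since or now - self.down_since[name] < self.grace

    def route_to(self, src, network, now=0.0):
        """Return the gateway path from src to the gateway advertising `network`, or None.

        Breadth-first search over up VTIs stands in for what the IGP converges to after
        the gateways have exchanged routes for the networks they protect.
        """
        queue = deque([(src, [src])])
        seen = {src}
        while queue:
            gw, path = queue.popleft()
            if network in self.networks[gw]:
                return path
            for peer in sorted(self.links[gw]):
                if peer not in seen and self._usable(peer, now):
                    seen.add(peer)
                    queue.append((peer, path + [peer]))
        return None
```

With VTIs A-B, B-C and A-C, `route_to("B", net_A)` returns `["B", "A"]`; after `link_down("A", "B")` it returns `["B", "C", "A"]` with no operator action, and a `gateway_down("C", now)` keeps that path until the grace window has elapsed.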
Multicast protocol support
Another benefit of using dynamic routing for route-based VPNs is the support for
sending multicast protocols over a VPN. The increased use of applications such
as video conferencing between sites has made the ability to encrypt multicast traffic a necessity. VPN-1 security gateways also inspect multicast traffic to
ensure its validity and that its intent is not malicious.
Many organizations may desire to use a mixture of both domain-based and route-
based VPNs. The VPN-1 family enables administrators to use both, providing
great flexibility when configuring VPNs. Because VPN-1 security gateways
support both modes at the same time, organizations can take a phased approach
in migrating between the two methods.
Conclusion
Check Point's philosophy on IPSec VPNs is that they represent a bridge
between the networking professional's emphasis on connectivity and the security
professional's emphasis on protecting the network. The IPSec-based line of
VPN-1 security gateways from Check Point provides secure connectivity for
distributed networks by combining the proven security used in 100 percent of the
Fortune 100 with advanced technologies designed to simplify the creation and
management of complex VPNs.
Multicast protocols supported: IGMP, PIM-SM, PIM-DM
2003-2006 Check Point Software Technologies Ltd. All rights reserved. Check Point, Application Intelligence, Check PointExpress, the Check Point logo, AlertAdvisor, ClusterXL, ConnectControl, Connectra, Cooperative Enforcement, CooperativeSecurity Alliance, CoSa, DefenseNet, Eventia, Eventia Analyzer, Eventia Reporter, FireWall-1, FireWall-1 GX, FireWall-1SecureServer, FloodGate-1, Hacker ID, IMsecure, INSPECT, INSPECT XL, Integrity, InterSpect, IQ Engine, NGX, Open SecurityExtension, OPSEC, OSFirewall, Policy Lifecycle Management, Provider-1, Safe@Office, SecureClient, SecureKnowledge,SecuRemote, SecurePlatform, SecureServer, SecureUpdate, SecureXL, SecureXL Turbocard, SiteManager-1, SmartCenter,SmartCenter Power, SmartCenter Pro, SmartCenter UTM, SmartDashboard, SmartDefense, SmartDefense Advisor, SmarterSecurity, SmartLSM, SmartMap, SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status,SmartViewTracker, SofaWare, SSL Network Extender, Stateful Clustering, TrueVector, Turbocard, UAM, UserAuthority, User-to-Address Mapping, VPN-1, VPN-1 Accelerator Card, VPN-1 Edge, VPN-1 Power, VPN-1 Power VSX, VPN-1 Pro, VPN-1SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 UTM, VPN-1 UTM Edge, VPN-1 VSX, Web Intelligence,ZoneAlarm, ZoneAlarm Anti-Spyware, ZoneAlarm Antivirus, ZoneAlarm Internet Security Suite, ZoneAlarm Pro, Zone Labs,and the Zone Labs logo are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates.All other product names mentioned herein are trademarks or registered trademarks of their respective owners. The productsdescribed in this document are protected by U.S. Patent No. 5,606,668, 5,835,726, 6,496,935, 6,873,988, and 6,850,943 andmay be protected by other U.S. Patents, foreign patents, or pending applications.
August 11, 2006 P/N: 502243
About Check Point Software Technologies
Check Point Software Technologies Ltd. (www.checkpoint.com) is the
worldwide leader in securing the Internet. It is the market leader in the world-
wide enterprise firewall, personal firewall, and VPN markets. Through its NGX
platform, the company delivers a unified security architecture for a broad
range of perimeter, internal, and Web security solutions that protect business
communications and resources for corporate networks and applications, remote employees, branch offices, and partner extranets. The company's
ZoneAlarm product line is one of the most trusted brands in Internet security,
creating award-winning endpoint security solutions that protect millions of PCs
from hackers, spyware, and data theft. Extending the power of the Check Point
solution is its Open Platform for Security (OPSEC), the industry's framework
and alliance for integration and interoperability with best-of-breed solutions
from more than 350 leading companies. Check Point solutions are sold,
integrated, and serviced by a network of more than 2,200 Check Point partners
in 88 countries.
CHECK POINT OFFICES
Worldwide Headquarters
3A Jabotinsky Street, 24th Floor
Ramat Gan 52520, Israel
Tel: 972-3-753 4555
Fax: 972-3-575 9256
email: [email protected]
U.S. Headquarters
800 Bridge Parkway
Redwood City, CA 94065
Tel: 800-429-4391 ; 650-628-2000
Fax: 650-654-4233
URL: http://www.checkpoint.com