White Paper

Bridging the gap between connectivity and security

Check Points philosophy on IPSec VPNs

Check Point protects every part of your networkperimeter, internal, Web to keep your information resources safe, accessible, and easy to manage.

Bridging the gap between connectivity and security

Contents
Executive summary 3 Introduction 3 Ensure the security of both the VPN and the network 3 Scenario 1: Placing a VPN device in front of the rewall 4 Scenario 2: Placing the VPN behind the rewall 5 Scenario 3: Integrated routers 6 Scenario 4: Placing the VPN and rewall devices in parallel 6 The Check Point solution for ensuring secure VPNs 7 SmartDefense intrusion prevention 9 Eliminating security sprawl 10 Provide advanced technologies to simplify VPN creation 11 Building blocks of a simple VPN deployment 11 Site-to-site authentication 11 VPN communities 11 Quality of Service 12 High Availability and load sharing 12 VPN-1: Restoring simplicity of VPN creation 12 Comprehensive encryption 12 Integrated Certicate Authority 13 Implementing VPN communities 13 QoS for VPNs 14 Multiple Entry Points for High Availability and load sharing 15 Beyond building VPN blocks: More resources, more-dynamic networks 16 The route-based VPN: Designing a complex VPN with simple routing 16 Graceful restart 18 Multicast protocol support 18 Conclusion 19

Check Points philosophy on IPSec VPNs

Executive summary
The IT business environment today demands an integrated approach to virtual private networks (VPNs)combining the needs of connectivity and security into a single solution. When looking to connect distributed ofces together over the Internet, organizations should ask themselves two questions: Will a given VPN solution provide an adequate level of protection to ensure its availability and the safety of the network? Does a given VPN solution marry advanced technologies with simplied management to reduce the burden placed on the organization to maintain the solution? Check Point VPN-1 security gateways are designed to answer yes to both these questions, by providing a bridge between connectivity and security without sacricing simplicity.

Introduction
Today, IPSec virtual private networks (VPNs) are commonplace, with more than half of enterprises using them to connect distributed ofces and provide condential communications over public networks. However, the very popularity of IPSec VPNs has led to IT organizational problems. Because VPNs are primarily a connectivity solution, network engineers rightfully have a large inuence on what their organizations consider important. This has often translated to an emphasis on advanced functionality such as multicast or dynamic routing support at the expense of security. For example, the rise of router-based VPNs has created connectivity solutions separated from security solutions such as rewalls. Perimeter-based rewalls cannot inspect encrypted VPN trafc if the router is on the interior of the network nor protect the router if it is on the exterior. Thus, security engineers have been forced to create complex workarounds to protect the network or, more commonly, sacrice security for simplicity. This problem of the tradeoff of connectivity versus security must be resolved without compromising either. This white paper explains a strategy for bridging the gap between connectivity and security and outlines the technologies that enterprises can use to implement it. It will examine two key tenets of this approach to VPNs: Ensure the security of both the VPN and the network Provide advanced technologies to simplify VPN management

Ensure the security of both the VPN and the network

When considering the objectives of a VPN deployment, it is easy to understand why such emphasis is placed on connectivity elements. Historically, they have been considered replacements for leased lines and frame relay. However, this emphasis is shortsighted in the modern business and IT environment for two reasons:

Check Point Software Technologies, Ltd.

Bridging the gap between connectivity and security

First, organizations use VPNs over untrusted or semi-trusted networks. Because of this, they are subject to threats such as denial of service (DoS) attacks specically aimed at VPN devices. By itself, a VPN device does not have the necessary intelligence to stop these attacks. As a connectivity device, a VPN device is designed for stabilitynot the dynamic updates needed to address evolving security concerns. Second, internal employeesoften considered trustedmust be considered semi-trusted at best. Although an organization can assume that the entity is who or what it claims to be, a security professional can no longer be condent that the entity is acting without malicious intent. Has her/his laptop been infected by a worm? Was the server attempting to connect compromised by a buffer overow? The appearance of worms and other application-layer threats has created the need to segregate and provide intelligent inspection of VPN trafc. To not do so is to expose the network to quickly spreading malware that may enter through a remote ofce. A major reason for the disconnect between how security and networking professionals view VPNs is the architecture imposed by segregating VPN and security technologies into separate solutions. Because of this, organizations are forced into four basic scenarios that either complicate security or cause it to be bypassed.

Scenario 1: Placing a VPN device in front of the rewall

In the rst scenario, a VPN device is placed between the rewall and the Internet. Two types of products commonly are found herea VPN concentrator and a VPN-enabled router. In both cases, the devices may have basic packet-ltering capabilities. As VPN-enabled routers become more commonplace, organizations are using this deployment conguration more frequentlyespecially at smaller ofces. The advantage of this conguration is that a VPN device unencrypts trafc before the rewall sees it. The rewall can make intelligent decisions based on the trafcsimplifying the deployment.

Firewall

VPN router Unencrypted traffic IPSec tunnel Internet

Placing a VPN in front of the rewall

Check Point Software Technologies, Ltd.

Check Points philosophy on IPSec VPNs

While simple to deploy, this conguration suffers from one major weakness. Because the VPN device sits outside the perimeter defenses, it is exposed to attack and can be either compromised via vulnerability or taken ofine via a DoS attack such as those available against Internet Key Exchange (IKE), the key management system for IPSec VPNs. The security offered by VPN devices does not offer legitimate defenses against the threats posed by either vulnerabilities or DoS-type attacks.

Scenario 2: Placing the VPN behind the rewall

Organizations that place the VPN device behind the rewall generally assume that the entities on the other side of the VPN tunnel can be trusteda distinct risk considering the majority of cyber attacks are still caused by trusted insiders. In this scenario, VPN trafc remains uninspected due to encryption, which the perimeter rewall is unable to decipher.

VPN router IPSec tunnel

Firewall

Internet

VPN placed behind the rewall

This second option creates large risks in the minds of security professionals because the rewalland the associated security policyare simply bypassed. One risk is that the VPN device is still subject to DoS attack or compromisejust like it was when it was placed outside the rewall. Another risk is the rewall cannot complete its primary job of inspecting trafc for malicious content. Instead, attacks can pass through uninspected. Last, it involves leaving a number of ports, or holes, open on the rewall so that VPN trafc can traverse it successfully. This violates a fundamental security philosophy to lock down the networkleave as few ports exposed as possible. Companies can choose to reroute the trafc back through the rewall via a demilitarized zone (DMZ). However, the VPN device itself is still at risk and administrators face a complex conguration challenge.

Check Point Software Technologies, Ltd.

Bridging the gap between connectivity and security

Scenario 3: Integrated routers

One solution that networking companies have proposed for this problem is the integrated routera device that combines multiple applications such as routing, VPN, and rewall onto a single platform. While good in theory, these devices actually share many of the problems of the previous scenarios. The main cause of this is that these modules are not truly integrated. Instead, each module is developed and implemented as an independent application. Trafc is passed between modules in a linear fashion to complete tasks. The router completes its tasks, then trafc is passed to the VPN if necessary, and nally the rewall. The order may vary, but the lack of cooperation between applications does not. While this does reduce hardware expense and rack space requirements, it does not address the core issue of protecting the network and the VPN from threats. A number of security appliances have followed the same model of providing several non-integrated applications on a single platform and face the same issue.

Integrated firewall, VPN, and router

Router VPN

IPSec tunnel

Internet Integrated firewall, VPN, and router Firewall/IPS

The integrated router architecture

Scenario 4: Placing the VPN and rewall devices in parallel

The fourth scenario places the VPN device and the rewall in parallel. The gateway router directs encrypted trafc to the VPN device and other trafc to the rewall. In practice, this scenario shares all the downside of previous scenarios without the upside of simpler conguration and deployment. The VPN device is still exposed to attack and encrypted trafc remains uninspected by the rewall. Also, ensuring the trafc is inspected requires the administrator to reroute trafc back through the rewall or to place another rewall on the interior of the VPN device.

Check Point Software Technologies, Ltd.

Check Points philosophy on IPSec VPNs

Firewall

VPN device Encrypted traffic

Other traffic

Internet

VPN device and rewall in parallel

The Check Point solution for ensuring secure VPNs

To solve these problemsto bring connectivity together with securitythe Check Point VPN-1 security gateway family is architected in a truly integrated fashion. Rather than separate applications running independently, the rewall, VPN, and intrusion prevention functions act as onebeing brought in at the proper time to perform their functions while minimizing the risk. By doing this, VPNs gain protection against DoS attacks while the rewall and intrusion prevention functions can inspect VPN trafc without complicating the conguration.

VPN Intrusion prevention Firewall

VPN-1

Encrypted traffic

Internet

The Check Point architecture

Check Point Software Technologies, Ltd.

Bridging the gap between connectivity and security

An example of this is the protection that VPN-1 gateways provide against IKE DoS attacks. A known attack against IKE takes advantage of vulnerabilities within the IKE protocol suite by sending a specially crafted packet asking the VPN gateway to create a VPN tunnel. The gateway is obliged to respond and reserve a portion of memory for the tunnel. By sending many of these requests from random IP addresses in a short time, an attacker can cause the VPN gateway to consume all resources and be unable to properly respond to legitimate requests. One possibility to defend against such an attack is to limit IKE conversations to the known IP addresses of gateways. However, to do so would mean disallowing the dynamic IP addresses used to provision many smaller ofces. Another method would be to watch the number of IKE requests per second and throttle back new ones when a threshold is reached that would indicate an attack. VPN-1 security gateways offer a number of additional methods to prevent IKE DoS attacks without denying services. The rst method is stateless protection. When a VPN-1 security gateway is under load or has hit a threshold that indicates a possible attack, it will challenge the requesting gateway to produce a number that only that gateway could know. It then forgets the request and does not allocate memory or CPU resources until the remote gateway has responded with the correct answer. If the attacker has forged the IP address of a legitimate gateway, she or he will not receive the challenge and will not answercausing the original request to be discarded. However, an attacker may control a number of IP addresses unknown to the VPN-1 security gateway and has compromised the host associated with them a typical bot scenario. In this situation, it is likely that the attacker will be able to respond to the challenge. To address this issue, VPN-1 security gateways provide a puzzle challenge method. In this case, the remote computer is asked to solve a computationally intensive puzzle before resources are allocated. Because computers will only be able to solve a few of these challenges a second, the puzzle method will slow down requests and blunt the DoS attack.

Check Point Software Technologies, Ltd.

Check Points philosophy on IPSec VPNs

VPN-1 IKE protections

SmartDefense intrusion prevention

VPN-1 security gateways also provide advanced IKE protections through SmartDefense intrusion prevention technologyprotecting not only Check Point VPN technologies, but those of other vendors as well. This is important because all vendor gateways can be subject to IKE DOS attack. In August 2002, the United States Computer Emergency Readiness Team (CERT) issued a warning that multiple vendors solutions could be vulnerable to potential buffer overows or DoS attacks if an attacker were to send a single malformed packet. However, Check Points SmartDefense can detect even a single malformed packet because at a deep level it can tell the difference between normal and malicious IKE trafc behavior. Therefore, when a VPN-1 security gateway receives a packet that does not conform to IKE protocols, it will prevent that packet from entering the network.

Check Point Software Technologies, Ltd.

Bridging the gap between connectivity and security

SmartDefense intrusion prevention IKE protections

Beyond the specic protections for VPN-directed attacks, the integrated approach provided by the VPN-1 family also ensures that trafconce unencryptedis not malicious in intent. As stated earlier, the possibility of remote sites being infected with worms and other malicious code means that they must now be treated as semi-trusted entities. Although VPN-1 security gateways do support wire-mode the ability to pass VPN trafc through uninspectedby default they apply the necessary inspection to keep the network safe.

Eliminating security sprawl

Going beyond security, this integrated approach simplies the management of VPNs. The amount of effort needed to maintain separate user databases, policies, and logging should not be underestimated. A common point for introducing errors, the multiple interfaces and databases required by separate rewall and VPN solutions creates the condition of security sprawlunplanned security that duplicates effort and causes divergent policies that reduce security effectiveness while increasing management costs. Because it offers a unied security architecture across all functionsrewall, VPN, and intrusion preventiona VPN-1 security gateway eliminates security sprawl. This greatly reduces the costs associated with VPN management and minimizes the chance for errors by using common resources such as the user database for shared tasks.

10

Check Point Software Technologies, Ltd.

Check Points philosophy on IPSec VPNs

Provide advanced technologies to simplify VPN creation

VPNs have swiftly moved from being something considered too complex to deploy on a large scale to being a necessity for business communications. The adoption of large-scale broadband connections has meant that organizations now use VPNs on a much larger scale connecting much smaller ofces compared to just a few years ago. Keeping a positive return on investment for these deployments requires that VPNs become much simpler to deploy.

Building blocks of a simple VPN deployment

At its roots, a VPN is a solution that protects data transmitted over an untrusted network using encryption algorithms to ensure the condentiality and integrity of information. As a VPN scales to include more sites, the simplicity of that denition is lost in complexity. That VPN simplicity has to be restored. In addition to the need to simplify the creation of VPN encryption, site-to-site authentication, VPN communities, Quality of Service, and High Availability and load sharing also need to be considered in any VPN deployment. Site-to-site authentication A major complication in VPN deployment has been site-to-site authentication. There are two main options for ensuring the identity of communicating parties. One option has been shared secretsa manually assigned encryption key pair shared by two sites. For large organizations looking to set up a fully meshed networka VPN where all sites can speak directly to each other, this means conguring a number of keys that equal (n*n-1)/2, where n is the number of sites. For example, an organization that has 75 sites involved in a fully meshed VPN would need to manually program 2775 keys. Adding site 76 would require keeping track of another 75 key pairs. Complicating matters are the security requirements to change these keys on a regular basis. From an administrative standpoint, shared secret key management is enough of a challenge to keep VPNs small in nature. The alternative has been to set up a certicate authority for public key infrastructure (PKI) based key exchanges. This does provide a more secure method by reducing the chance of a brute force attack, which becomes possible because organizations simply do not have the time to change keys on a regular basis. However, for companies that have not previously deployed a PKI system and centralized directory, it adds considerable expense and complexity to VPN deployment. VPN communities Setting up VPN communities has long been a problem for network administrators. Adding new sites and available resources to an existing VPN has usually been a manual process centered on getting the current gateways to recognize the new gateway. The scale of manually conguring sites results in hard-to-nd errors that limit connectivity.

Check Point Software Technologies, Ltd.

11

Bridging the gap between connectivity and security

Quality of Service Another factor to consider in VPN deployment is bandwidth management and Quality of Service (QoS). As real-time applications such as VoIP have become more widespread, this consideration has increased in importance due to the latency of VPN communications. Administrators must be able to mitigate latency while maintaining VPN encryption. QoS should be able to be exibly dened by the organization to meet the needs of the application mix. High Availability and load sharing In provisioning VPN services, High Availability and load sharing play a central role. For example, internal resources like email are dependent on the uptime of the VPN. Traditionally, even VPNs that have High Availability have had problems with synchronization. If one gateway becomes unavailable, a user must restart her/his session before continuinga major headache in usability for the non-technical person. Also, High Availability clusters need to be able to support failover even when physically distant from one another.

VPN-1: Restoring simplicity of VPN creation

The VPN-1 solution is designed to restore the simplicity of VPN creation through a variety of technologies. Check Point has been at the forefront of simplifying large-scale VPN deployments while increasing the power available through advanced technologies, an example of which is comprehensive encryption. Comprehensive encryption The VPN-1 security gateway family supports advanced encryption algorithms for protection of data transmission. Certied by the United States federal government under the Federal Information Processing Standards Publication 140-2 for cryptographic modules, the VPN technologies within VPN-1 combine exibility to match the proper encryption algorithm to the needed security prole with the assurance of a proven solution. Encryption algorithms IKE encryption AES-256 3DES DES CAST IPSec encryption AES-256 AES-128 3DES DES DES-40CP CAST CAST-40 NULL IKE and IPSec data integrity SHA1 MD5

12

Check Point Software Technologies, Ltd.

Check Points philosophy on IPSec VPNs

Integrated Certicate Authority Check Points answer to offering site-to-site authentication is integrated Certicate Authority (ICA). Check Point VPN-1 security gateways include an ICA that reduces the complexity of site-to-site VPN deployment while enhancing communications condentiality through simplied authentication. This ICA is located on the SmartCenter server and is fully compliant with X.509 certicates and certicate revocation lists. A certicate is automatically created and issued when a new VPN-1 Power or VPN-1 UTM security gateway is deployed with VPN components. Administrators can congure attributes such as key validity length and key size to exibly t their environments. This ICA can also be used for remote access VPN users. If an organization has already deployed a separate PKI solution, VPN-1 security gateways can also use it for certicates. Third-party certicates can be imported manually using a PKCS#10 request or be obtained using Automatic Enrollment from a trusted CA. VPN-1 security gateways support the following protocols for Automatic Enrollment: SCEP (Simple Certicate Enrollment Protocol) CMP v1 (Certicate Management Protocol) CMP v2 Many third-party PKI vendors have certied their solutions for interoperability with Check Point solutions through the Open Platform for Security (OPSEC). To see a list of certied solutions, visit http://www.opsec.com and view the Authentication solutions page in the Security Enforcement section. Because VPN-1 security gateways are compliant with X.509 certicates, other solutions may work as well. Implementing VPN communities By simplifying the process of adding gateways, it will become easier to set up VPN communities. An important concept in Check Points drive to simplify VPNs, VPN communities enable an administrator to quickly add a new VPN-1 security gateway to an existing site-to-site VPN. This new gateway will automatically inherit the necessary IPSec congurations, and all other gateways will immediately become aware of the new gateway. Some of the attributes that can be congured include: IKE properties including Dife-Hellman group type and use of aggressive mode Encryption and data integrity algorithms for key exchange and data secrecy Perfect Forward Secrecy Any applications, services, or protocols that should not be encrypted This technologywhich is also called One-Click VPNreduces the initial time needed to set up a site-to-site VPN and to add new sites. It also lowers the chance of conguration errors in large-scale VPNs. Because all congurations come from a single place, the time spent troubleshooting VPN problems is greatly reduced. To simplify the transition from legacy VPN solutions, third-party VPN devices can participate in VPN communities. In this case, the administrator must manually congure the third-party VPN device but the VPN-1 security gateways will automatically recognize the device and adopt the proper conguration illustrating the simplicity that Check Point brings the VPN conguration.

Check Point Software Technologies, Ltd.

13

Bridging the gap between connectivity and security

Viewing dened VPN communities

VPN-1 communities support both meshed and star VPN topologies. In a meshed VPN, all community members may communicate directly with one another. In a star VPN, trafc between sites resembles a hub and spoke, where all trafc is routed through a set of central gateways. To simplify management of a star VPN community, an administrator may use VPN communities to congure whether trafc is routed: Only to the central gateways To central gateways and then to other VPN community members To central gateways and then allowed to pass to other members or the Internet QoS for VPNs Because VPN-1 security gateways provide true integration of multiple security functions, they are perfectly placed to deliver policy-based bandwidth management and QoS. With this, organizations can mitigate the latency added by encryption on time-sensitive applications such as VoIP. Administrators can dene their QoS policies based on a number of methods, including: Weight of priority in comparison to other trafc Guarantee of bandwidth minimum and maximum Low latency queuing DiffServ Group

14

Check Point Software Technologies, Ltd.

Check Points philosophy on IPSec VPNs

Dening a QoS policy

Multiple Entry Points for High Availability and load sharing Multiple Entry Point (MEP) provides High Availability and load sharing for VPN services. When a VPN gateway fails under normal circumstances, all internal resourcessuch as email, VoIP, and morebehind it are no longer available. MEP works when two VPN-1 security gateways are connected internally via frame relay or leased line and both have specic resources dened within their encryption domainsthe lists of hosts, servers, and other resources that should be encrypted in a VPN tunnel. If one of the gateways is not available, the site-tosite VPN automatically transfers trafc to the other gateway. Unlike traditional clustering solutions used for High Availability, MEP allows the gateways to be geographically distant from each other. VPN-1 supports traditional High Availability and clustering as well. Multiple VPN-1 security gateways may be placed together to create an active/active cluster that enables VPN scaling. When a VPN session is started on one gateway, it is synchronized between all gateways through Check Points patented Stateful Inspection technology. If the gateway is unavailable for whatever reason, the session is automatically continued on another member of the cluster without requiring the session to be restarted.
VPN domain B

Shared encryption domain VPN domain C VPN domain A Gateway B

Internet Gateway A Gateway X

Multiple Entry Point congured for gateway X

Check Point Software Technologies, Ltd.

15

Bridging the gap between connectivity and security

Beyond building VPN blocks: More resources, more-dynamic networks

The traditional way to create a VPN has been to dene encryption domainsthe different resources behind each VPN device that should have trafc encrypted across a tunnel. Then the routing between each gateway is dened. For smallscale and static VPNs, this method worked very well. As networks grew larger and more interconnected with dynamic resources, domain-based VPNs have not been able to scale with them as: Resources grew in numberwhen the resources that were accessed by a VPN did not change and were few in number, domain-based VPNs worked well. Once more resources were added that had to be accessed across a large number of ofces, the VPN domains became larger and more difcult to maintain correctly Networks became more dynamic and largerthe shift from static routing to dynamic routing reduced the overhead in router conguration and increased network reliability. However, traditional VPNs have relied on statically dened routes between resources. Traditional VPNs cannot deal effectively with resources that are located in a dynamic routing environment. With the growth in the number of ofces being connected, managing the number of static routes required between VPN devices also became overwhelming.

The route-based VPN: Designing a complex VPN with simple routing

The answer to these issues is route-based VPNs, an advanced technology found in VPN-1 security gateways that simplies the deployment of large-scale VPNs. The core difference between route-based and domain-based VPNs is that the decision whether to encrypt trafc is not founded on a predened set of resources such as subnets or hosts but on IP routing. To accomplish this, VPN-1 devices use VPN tunnel interfaces (VTI) to represent virtual direct links between different sites on the VPN. Each site has a VPN tunnel interface that corresponds to another VPN-1 security gateway that it is connected to through the VPN. For a packet leaving the network destined for a remote ofce over a VPN, the following happens: 1. An IP packet destined for address X is matched against the routing table 2. The routing table indicates that address X is routed through an exclusive connection, known as a VTI 3. VPN-1 intercepts the packet, applies the proper security parameters for the VPN, and inserts the destination gateways IP address 4. The packet is rerouted to the physical interface and sent to the remote gateway At the other end, the process happens in reverse.

16

Check Point Software Technologies, Ltd.

Check Points philosophy on IPSec VPNs

Physical interface Physical interface VPN tunnel interface VPN-1 Internal network

Internet VPN-1 Physical interface Physical interface VPN tunnel interface Internal network

Route-based VPN using VPN tunnel interface

Route-based VPNs can use both static and dynamic routing to create the virtual connection between corresponding VTIs. Dynamic routing offers a number of benets over static routing for creating a secure, reliable VPN that spans a large number of locations. Dynamic routing support OSPF BGP RIPv1 RIPv2 First, the two VPN-1 security gateways can exchange routing information about the networks they protect and dynamically change routes based on that information. This enables geographically separated locations to participate in each others dynamic routing communities without a dedicated logical or physical connection such as frame relay or a leased line. More importantly, each VPN-1 security gateway understands how to correctly route encrypted trafc to its nal destination.

Check Point Software Technologies, Ltd.

17

Bridging the gap between connectivity and security

Second, it enhances the reliability of the VPN. As an example, consider this scenario: Sites A, B, and C each has route-based VPNs set up with VTIs they share. If the link between site A and site B becomes unavailable, site B will automatically know that site C has a route to site A. Unlike with domain-based VPNs using MEP, this is accomplished automatically without administrator conguration.

VPN-1 A 207.34.1.30

10.10.20.0/24

VPN-1 B 215.129.43.17

Internet VPN-1 C 156.146.12.9

10.10.20.0/24

Frame relay or leased line

10.10.20.0/24

A redundant VPN using route-based VPN with dynamic routing

Graceful restart
A distinct benet that VPN-1 security gateways bring when dealing with dynamic routing is the inclusion of OSPF hitless/graceful restart and BGP graceful restart. These two protocolsoften found only on high-end routersenable a swift recovery from temporary hardware failure, such as a reboot. Under normal circumstances, a gateway (gateway A) trying to communicate with another gateway (gateway B) that has failed would automatically remove that route from its tables and report it to other gatewayscausing a ripple effect even if gateway B is only down temporarily. If a VPN-1 gateway is temporarily down, its routes are not automatically deleted but assumed to still be valid temporarily.

Multicast protocol support

Another benet of using dynamic routing for route-based VPNs is the support for sending multicast protocols over a VPN. The increased use of applications such as video conferencing between sites has made the ability to encrypt multicast trafc a necessity. VPN-1 security gateways also inspect multicast trafc to ensure its validity and that its intent is not malicious.

18

Check Point Software Technologies, Ltd.

Check Points philosophy on IPSec VPNs

Multicast protocol support IGMP PIM-SM PIM-DM Many organizations may desire to use a mixture of both domain-based and routebased VPNs. The VPN-1 family enables administrators to use bothproviding great exibility when conguring VPNs. Because VPN-1 security gateways support both modes at the same time, organizations can take a phased approach in migrating between the two methods.

Conclusion
Check Points philosophy on IPSec VPNs is that they represent a bridge between the networking professionals emphasis on connectivity and the security professionals emphasis on protecting the network. The IPSec-based line of VPN-1 security gateways from Check Point provides secure connectivity for distributed networks by combining the proven security used in 100 percent of the Fortune 100 with advanced technologies designed to simplify the creation and management of complex VPNs.

Check Point Software Technologies, Ltd.

19

About Check Point Software Technologies

Check Point Software Technologies Ltd. (www.checkpoint.com) is the worldwide leader in securing the Internet. It is the market leader in the worldwide enterprise rewall, personal rewall, and VPN markets. Through its NGX platform, the company delivers a unied security architecture for a broad range of perimeter, internal, and Web security solutions that protect business communications and resources for corporate networks and applications, remote employees, branch ofces, and partner extranets. The companys ZoneAlarm product line is one of the most trusted brands in Internet security, creating award-winning endpoint security solutions that protect millions of PCs from hackers, spyware, and data theft. Extending the power of the Check Point solution is its Open Platform for Security (OPSEC), the industrys framework and alliance for integration and interoperability with best-of-breed solutions from more than 350 leading companies. Check Point solutions are sold, integrated, and serviced by a network of more than 2,200 Check Point partners in 88 countries.

CHECK POINT OFFICES Worldwide Headquarters 3A Jabotinsky Street, 24th Floor Ramat Gan 52520, Israel Tel: 972-3-753 4555 Fax: 972-3-575 9256 email: info@checkpoint.com

U.S. Headquarters 800 Bridge Parkway Redwood City, CA 94065 Tel: 800-429-4391 ; 650-628-2000 Fax: 650-654-4233 URL: http://www.checkpoint.com

2003-2006 Check Point Software Technologies Ltd. All rights reserved. Check Point, Application Intelligence, Check Point Express, the Check Point logo, AlertAdvisor, ClusterXL, ConnectControl, Connectra, Cooperative Enforcement, Cooperative Security Alliance, CoSa, DefenseNet, Eventia, Eventia Analyzer, Eventia Reporter, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer, FloodGate-1, Hacker ID, IMsecure, INSPECT, INSPECT XL, Integrity, InterSpect, IQ Engine, NGX, Open Security Extension, OPSEC, OSFirewall, Policy Lifecycle Management, Provider-1, Safe@Ofce, SecureClient, SecureKnowledge, SecuRemote, SecurePlatform, SecureServer, SecureUpdate, SecureXL, SecureXL Turbocard, SiteManager-1, SmartCenter, SmartCenter Power, SmartCenter Pro, SmartCenter UTM, SmartDashboard, SmartDefense, SmartDefense Advisor, Smarter Security, SmartLSM, SmartMap, SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartViewTracker, SofaWare, SSL Network Extender, Stateful Clustering, TrueVector, Turbocard, UAM, UserAuthority, Userto-Address Mapping, VPN-1, VPN-1 Accelerator Card, VPN-1 Edge, VPN-1 Power, VPN-1 Power VSX, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 UTM, VPN-1 UTM Edge, VPN-1 VSX, Web Intelligence, ZoneAlarm, ZoneAlarm Anti-Spyware, ZoneAlarm Antivirus, ZoneAlarm Internet Security Suite, ZoneAlarm Pro, Zone Labs, and the Zone Labs logo are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its afliates. All other product names mentioned herein are trademarks or registered trademarks of their respective owners. The products described in this document are protected by U.S. Patent No. 5,606,668, 5,835,726, 6,496,935, 6,873,988, and 6,850,943 and may be protected by other U.S. Patents, foreign patents, or pending applications. August 11, 2006 P/N: 502243