Check Point protects every part of your network (perimeter, internal, and Web) to keep your information resources safe, accessible, and easy to manage.
Contents
Executive summary
Introduction
Ensure the security of both the VPN and the network
Scenario 1: Placing a VPN device in front of the firewall
Scenario 2: Placing the VPN behind the firewall
Scenario 3: Integrated routers
Scenario 4: Placing the VPN and firewall devices in parallel
The Check Point solution for ensuring secure VPNs
SmartDefense intrusion prevention
Eliminating security sprawl
Provide advanced technologies to simplify VPN creation
Building blocks of a simple VPN deployment
Site-to-site authentication
VPN communities
Quality of Service
High Availability and load sharing
VPN-1: Restoring simplicity of VPN creation
Comprehensive encryption
Integrated Certificate Authority
Implementing VPN communities
QoS for VPNs
Multiple Entry Points for High Availability and load sharing
Beyond building VPN blocks: More resources, more-dynamic networks
The route-based VPN: Designing a complex VPN with simple routing
Graceful restart
Multicast protocol support
Conclusion
Executive summary
The IT business environment today demands an integrated approach to virtual private networks (VPNs), combining the needs of connectivity and security into a single solution. When looking to connect distributed offices together over the Internet, organizations should ask themselves two questions: Will a given VPN solution provide an adequate level of protection to ensure its availability and the safety of the network? Does a given VPN solution marry advanced technologies with simplified management to reduce the burden placed on the organization to maintain the solution? Check Point VPN-1 security gateways are designed to answer yes to both these questions, by providing a bridge between connectivity and security without sacrificing simplicity.
Introduction
Today, IPSec virtual private networks (VPNs) are commonplace, with more than half of enterprises using them to connect distributed offices and provide confidential communications over public networks. However, the very popularity of IPSec VPNs has led to IT organizational problems. Because VPNs are primarily a connectivity solution, network engineers rightfully have a large influence on what their organizations consider important. This has often translated to an emphasis on advanced functionality such as multicast or dynamic routing support at the expense of security. For example, the rise of router-based VPNs has created connectivity solutions separated from security solutions such as firewalls. A perimeter firewall cannot inspect encrypted VPN traffic if the VPN router sits on the interior of the network, and cannot protect the router if it sits on the exterior. Thus, security engineers have been forced to create complex workarounds to protect the network or, more commonly, to sacrifice security for simplicity.

This tradeoff of connectivity versus security must be resolved without compromising either. This white paper explains a strategy for bridging the gap between connectivity and security and outlines the technologies that enterprises can use to implement it. It examines two key tenets of this approach to VPNs:
- Ensure the security of both the VPN and the network
- Provide advanced technologies to simplify VPN management
Ensure the security of both the VPN and the network

First, organizations use VPNs over untrusted or semi-trusted networks. Because of this, VPNs are subject to threats such as denial of service (DoS) attacks aimed specifically at VPN devices. By itself, a VPN device does not have the necessary intelligence to stop these attacks. As a connectivity device, a VPN device is designed for stability, not for the dynamic updates needed to address evolving security concerns.

Second, internal employees, often considered trusted, must be considered semi-trusted at best. Although an organization can assume that the entity is who or what it claims to be, a security professional can no longer be confident that the entity is acting without malicious intent. Has the user's laptop been infected by a worm? Was the server attempting to connect compromised by a buffer overflow? The appearance of worms and other application-layer threats has created the need to segregate VPN traffic and subject it to intelligent inspection. Not doing so exposes the network to quickly spreading malware that may enter through a remote office.

A major reason for the disconnect between how security and networking professionals view VPNs is the architecture imposed by segregating VPN and security technologies into separate solutions. Because of this, organizations are forced into four basic scenarios that either complicate security or cause it to be bypassed.
Scenario 1: Placing a VPN device in front of the firewall

[Figure: VPN device placed on the Internet side of the firewall]

While simple to deploy, this configuration suffers from one major weakness. Because the VPN device sits outside the perimeter defenses, it is exposed to attack and can be either compromised via a vulnerability or taken offline via a DoS attack, such as those available against Internet Key Exchange (IKE), the key management protocol for IPSec VPNs. The security built into VPN devices does not offer a legitimate defense against either vulnerabilities or DoS-type attacks.
Scenario 2: Placing the VPN behind the firewall

[Figure: VPN device placed behind the firewall, with the Internet outside]

This second option creates large risks in the minds of security professionals because the firewall, and the associated security policy, is simply bypassed. One risk is that the VPN device is still subject to DoS attack or compromise, just as it was when placed outside the firewall. Another risk is that the firewall cannot complete its primary job of inspecting traffic for malicious content: the traffic is still encrypted when it crosses the firewall, so attacks can pass through uninspected. Last, it involves leaving a number of ports, or holes, open on the firewall so that VPN traffic can traverse it successfully. This violates a fundamental security principle: lock down the network and leave as few ports exposed as possible. Companies can choose to reroute the decrypted traffic back through the firewall via a demilitarized zone (DMZ). However, the VPN device itself is still at risk, and administrators face a complex configuration challenge.
[Figures: labels surviving from the diagrams for Scenarios 3 and 4 (Router VPN, IPSec tunnel, Firewall, Other traffic, Internet) and for the integrated VPN-1 gateway (VPN-1, Encrypted traffic, Internet)]

The Check Point solution for ensuring secure VPNs
An example of this is the protection that VPN-1 gateways provide against IKE DoS attacks. A known attack against IKE takes advantage of weaknesses in the IKE protocol suite by sending a specially crafted packet asking the VPN gateway to create a VPN tunnel. The gateway is obliged to respond and to reserve a portion of memory for the tunnel. By sending many of these requests from random IP addresses in a short time, an attacker can cause the VPN gateway to consume all of its resources and become unable to respond properly to legitimate requests.

One possibility to defend against such an attack is to limit IKE conversations to the known IP addresses of peer gateways. However, to do so would mean disallowing the dynamic IP addresses used to provision many smaller offices. Another method would be to watch the number of IKE requests per second and throttle new ones once a threshold is reached that indicates an attack.

VPN-1 security gateways offer a number of additional methods to prevent IKE DoS attacks without denying service. The first method is stateless protection. When a VPN-1 security gateway is under load or has hit a threshold that indicates a possible attack, it challenges the requesting gateway to produce a number that only that gateway could know. It then forgets the request and does not allocate memory or CPU resources until the remote gateway has responded with the correct answer. If the attacker has forged the IP address of a legitimate gateway, she or he will not receive the challenge and will not answer, causing the original request to be discarded. However, an attacker may control a number of IP addresses unknown to the VPN-1 security gateway and may have compromised the hosts associated with them, a typical bot scenario. In this situation, it is likely that the attacker will be able to respond to the challenge. To address this issue, VPN-1 security gateways provide a puzzle challenge method. In this case, the remote computer is asked to solve a computationally intensive puzzle before resources are allocated. Because a computer can only solve a few of these puzzles per second, the puzzle method slows down requests and blunts the DoS attack.
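The two defenses just described, a stateless cookie challenge followed by a computational puzzle, as an added Python example written for this page. It is illustrative code, not Check Point's implementation and not real IKE message encoding. The class and function names, the half-open-tunnel count used as the load threshold, the HMAC-based cookie, the SHA-256 leading-zero-bits puzzle, and the sample source addresses are all assumptions made for this example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class IkeRequest:
    """Simplified first IKE message. Assumed layout for this example only."""
    src_ip: str             # address the packet claims to come from
    spi: bytes              # initiator's SPI/cookie for the proposed tunnel
    cookie: bytes = b""     # responder cookie echoed back (empty on first try)
    puzzle_nonce: int = 0   # solution to the responder's puzzle, if one was set


class Responder:
    """VPN gateway side. Tunnel state is allocated only once the sender has
    proven it can receive at its claimed address (stateless cookie) and, when
    puzzle_bits > 0, has also spent CPU on a hash puzzle."""

    def __init__(self, half_open_limit=3, puzzle_bits=0):
        self.secret = os.urandom(32)              # would be rotated periodically
        self.half_open_limit = half_open_limit    # load threshold (assumed)
        self.puzzle_bits = puzzle_bits            # 0 = cookie only
        self.half_open = {}                       # (src_ip, spi) -> tunnel state
        self.sent_challenges = []                 # (dst_ip, cookie) put on the wire

    def _cookie(self, src_ip, spi):
        # Stateless: recomputable from the packet plus a secret, so the gateway
        # stores nothing for a request it has merely challenged.
        return hmac.new(self.secret, src_ip.encode() + spi, hashlib.sha256).digest()[:16]

    def _puzzle_solved(self, cookie, nonce):
        if self.puzzle_bits == 0:
            return True
        digest = hashlib.sha256(cookie + nonce.to_bytes(8, "big")).digest()
        return int.from_bytes(digest, "big") >> (256 - self.puzzle_bits) == 0

    def handle(self, req):
        """Process one request; returns 'allocated', 'challenged' or 'rejected'."""
        under_load = len(self.half_open) >= self.half_open_limit
        if not under_load and not req.cookie:
            self.half_open[(req.src_ip, req.spi)] = True   # normal, trusting path
            return "allocated"
        expected = self._cookie(req.src_ip, req.spi)
        if not hmac.compare_digest(req.cookie, expected):
            # The challenge goes to the *claimed* source. A spoofed source never
            # sees it, so the forged request is simply forgotten.
            self.sent_challenges.append((req.src_ip, expected))
            return "challenged"
        if not self._puzzle_solved(req.cookie, req.puzzle_nonce):
            return "rejected"          # cookie is right but no valid puzzle answer
        self.half_open[(req.src_ip, req.spi)] = True
        return "allocated"


def solve_puzzle(cookie, bits):
    """Initiator-side work: find a nonce whose SHA-256 with the cookie has
    `bits` leading zero bits. Expected cost doubles with every extra bit."""
    nonce = 0
    while True:
        digest = hashlib.sha256(cookie + nonce.to_bytes(8, "big")).digest()
        if bits == 0 or int.from_bytes(digest, "big") >> (256 - bits) == 0:
            return nonce
        nonce += 1


def spoofed_flood(responder, count):
    """Attacker sends `count` requests from forged, unreachable addresses
    (constructed 198.51.100.0/24 sources). Returns (allocated, challenged)."""
    results = [responder.handle(IkeRequest(f"198.51.100.{i % 250 + 1}", os.urandom(8)))
               for i in range(count)]
    return results.count("allocated"), results.count("challenged")


def legitimate_handshake(responder, src_ip):
    """A genuine peer (possibly on a dynamic address) that answers the challenge."""
    spi = os.urandom(8)
    first = responder.handle(IkeRequest(src_ip, spi))
    if first == "allocated":
        return first
    # The real peer receives the cookie sent to its address, echoes it, and
    # solves the puzzle if the responder demanded one.
    cookie = next(c for ip, c in reversed(responder.sent_challenges) if ip == src_ip)
    nonce = solve_puzzle(cookie, responder.puzzle_bits)
    return responder.handle(IkeRequest(src_ip, spi, cookie, nonce))


if __name__ == "__main__":
    gw = Responder(half_open_limit=3)
    print("spoofed flood (allocated, challenged):", spoofed_flood(gw, 50))
    print("real peer under load:", legitimate_handshake(gw, "203.0.113.7"))
    gw_puzzle = Responder(half_open_limit=0, puzzle_bits=12)
    print("real peer with puzzle:", legitimate_handshake(gw_puzzle, "203.0.113.8"))
```

Once the gateway is past its threshold, only the first few spoofed requests ever consume state; everything after that is answered with a cookie that costs the responder nothing to compute or remember. The puzzle adds the second layer the text describes: a bot that really owns its address can echo the cookie, but each tunnel attempt now costs it roughly 2^bits hash operations, which caps the rate at which a fixed-size botnet can make the gateway allocate state.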
Beyond the specific protections for VPN-directed attacks, the integrated approach provided by the VPN-1 family also ensures that traffic, once decrypted, is not malicious in intent. As stated earlier, the possibility of remote sites being infected with worms and other malicious code means that they must now be treated as semi-trusted entities. Although VPN-1 security gateways do support wire mode, the ability to pass VPN traffic through uninspected, by default they apply the necessary inspection to keep the network safe.
Quality of Service

Another factor to consider in VPN deployment is bandwidth management and Quality of Service (QoS). As real-time applications such as VoIP have become more widespread, this consideration has increased in importance because of the latency that VPN encryption adds. Administrators must be able to mitigate latency while maintaining VPN encryption, and the organization must be able to define QoS flexibly to meet the needs of its application mix.

High Availability and load sharing

In provisioning VPN services, High Availability and load sharing play a central role. For example, internal resources like email depend on the uptime of the VPN. Traditionally, even VPNs that have High Availability have had problems with synchronization: if one gateway becomes unavailable, a user must restart her/his session before continuing, a major usability headache for the non-technical person. High Availability clusters also need to support failover even when the members are physically distant from one another.
Integrated Certificate Authority

Check Point's answer to site-to-site authentication is the Integrated Certificate Authority (ICA). Check Point VPN-1 security gateways include an ICA that reduces the complexity of site-to-site VPN deployment while enhancing communications confidentiality through simplified authentication. The ICA is located on the SmartCenter server and is fully compliant with X.509 certificates and certificate revocation lists. A certificate is automatically created and issued when a new VPN-1 Power or VPN-1 UTM security gateway is deployed with VPN components. Administrators can configure attributes such as key validity length and key size to fit their environments. The ICA can also be used for remote access VPN users.

If an organization has already deployed a separate PKI solution, VPN-1 security gateways can use it for certificates as well. Third-party certificates can be imported manually using a PKCS#10 request or obtained using Automatic Enrollment from a trusted CA. VPN-1 security gateways support the following protocols for Automatic Enrollment:
- SCEP (Simple Certificate Enrollment Protocol)
- CMP v1 (Certificate Management Protocol)
- CMP v2

Many third-party PKI vendors have certified their solutions for interoperability with Check Point solutions through the Open Platform for Security (OPSEC). To see a list of certified solutions, visit http://www.opsec.com and view the Authentication solutions page in the Security Enforcement section. Because VPN-1 security gateways are compliant with X.509 certificates, other solutions may work as well.

Implementing VPN communities

By simplifying the process of adding gateways, VPN communities make it easier to set up site-to-site VPNs. An important concept in Check Point's drive to simplify VPNs, VPN communities enable an administrator to quickly add a new VPN-1 security gateway to an existing site-to-site VPN. The new gateway automatically inherits the necessary IPSec configuration, and all other gateways immediately become aware of the new gateway. Some of the attributes that can be configured include:
- IKE properties, including the Diffie-Hellman group and whether aggressive mode is used (aggressive mode should be avoided where possible, since it sends identity information before the exchange is encrypted)
- Encryption and data integrity algorithms for key exchange and data secrecy
- Perfect Forward Secrecy
- Any applications, services, or protocols that should not be encrypted

This technology, also called One-Click VPN, reduces the initial time needed to set up a site-to-site VPN and to add new sites. It also lowers the chance of configuration errors in large-scale VPNs. Because all configuration comes from a single place, the time spent troubleshooting VPN problems is greatly reduced. To simplify the transition from legacy VPN solutions, third-party VPN devices can participate in VPN communities. In this case, the administrator must manually configure the third-party VPN device, but the VPN-1 security gateways will automatically recognize the device and adopt the proper configuration, illustrating the simplicity that Check Point brings to VPN configuration.
VPN-1 communities support both meshed and star VPN topologies. In a meshed VPN, all community members may communicate directly with one another. In a star VPN, traffic between sites follows a hub-and-spoke pattern, where all traffic is routed through a set of central gateways. To simplify management of a star VPN community, an administrator may use VPN communities to configure whether traffic from a satellite gateway is routed:
- Only to the central gateways
- To the central gateways and then to other VPN community members
- To the central gateways and then allowed to pass to other members or the Internet

QoS for VPNs

Because VPN-1 security gateways provide true integration of multiple security functions, they are well placed to deliver policy-based bandwidth management and QoS. With this, organizations can mitigate the latency that encryption adds to time-sensitive applications such as VoIP. Administrators can define their QoS policies based on a number of methods, including:
- Weight of priority in comparison to other traffic
- Guaranteed minimum and maximum bandwidth
- Low latency queuing
- DiffServ group
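The meshed and star community topologies and the three satellite forwarding options described above, as an added Python example written for this page. It is illustrative code, not Check Point code and not the SmartCenter object model. The Community class, the option names center_only, center_then_members and center_then_members_or_internet, the choice of the lowest-named hub for satellite traffic, and the site names are assumptions made for this example; the point it shows is which site pairs a community definition implicitly permits and which it silently drops.

```python
from dataclasses import dataclass, field
from itertools import permutations


@dataclass
class Community:
    """A VPN community as an administrator would define it (assumed layout)."""
    name: str
    topology: str                   # "mesh" or "star"
    members: set                    # gateways participating in the community
    centers: set = field(default_factory=set)   # hub gateways, star only
    # Star-only option for satellite traffic, mirroring the three choices in
    # the text: "center_only", "center_then_members",
    # "center_then_members_or_internet"
    satellite_forwarding: str = "center_only"
    excluded_services: set = field(default_factory=set)   # sent in the clear


def decide(comm, src, dst, service="https"):
    """Decide how a flow from gateway `src` to `dst` is handled.

    Returns (action, path):
      ("encrypt", [hop, ...])      IPsec between each consecutive pair of hops
      ("encrypt_to_hub", [...])    encrypted to the hub, which then forwards it
                                   to the Internet in the clear
      ("clear", [src, dst])        service excluded from encryption
      ("drop", [])                 the community permits no such path
    """
    if service in comm.excluded_services:
        return "clear", [src, dst]
    if src not in comm.members:
        return "drop", []
    if comm.topology == "mesh":
        return ("encrypt", [src, dst]) if dst in comm.members else ("drop", [])
    if not comm.centers:
        raise ValueError(f"star community {comm.name!r} has no central gateway")
    if dst in comm.members and (src in comm.centers or dst in comm.centers):
        return "encrypt", [src, dst]              # spoke<->hub or hub<->hub
    hub = sorted(comm.centers)[0]                 # assumption: lowest-named hub
    if dst in comm.members:                       # spoke -> spoke
        if comm.satellite_forwarding == "center_only":
            return "drop", []                     # option 1: no spoke-to-spoke
        return "encrypt", [src, hub, dst]         # options 2 and 3: via the hub
    if dst == "internet" and comm.satellite_forwarding == "center_then_members_or_internet":
        return "encrypt_to_hub", [src, hub, "internet"]   # option 3 only
    return "drop", []


def implied_rules(comm, service="https"):
    """The site-to-site matrix a community implies, one entry per ordered pair.
    Useful for spotting pairs that will be dropped before anyone opens a ticket."""
    return {(s, d): decide(comm, s, d, service)[0]
            for s, d in permutations(sorted(comm.members), 2)}


if __name__ == "__main__":
    branches = Community("branches", "mesh", {"A", "B", "C"})
    hq = Community("hq-star", "star", {"HQ", "A", "B"}, centers={"HQ"})
    print("mesh A->C:", decide(branches, "A", "C"))
    print("star A->B, center only:", decide(hq, "A", "B"))
    hq.satellite_forwarding = "center_then_members"
    print("star A->B via hub:", decide(hq, "A", "B"))
    print("star implied rules:", implied_rules(hq))
```

The practical check this gives you is the implied-rule matrix: with the default center_only option, two satellites that need to talk to each other will have their traffic dropped even though both are "in the VPN", and the third option is the only one that lets a satellite's Internet traffic ride the tunnel to the hub for inspection before leaving.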
Multiple Entry Points for High Availability and load sharing

Multiple Entry Point (MEP) provides High Availability and load sharing for VPN services. Normally, when a VPN gateway fails, all internal resources behind it, such as email, VoIP, and more, are no longer available. MEP works when two VPN-1 security gateways are connected internally via frame relay or a leased line and both have the resources in question defined within their encryption domains, the lists of hosts, servers, and other resources that should be reached through a VPN tunnel. If one of the gateways is not available, the site-to-site VPN automatically transfers traffic to the other gateway. Unlike traditional clustering solutions used for High Availability, MEP allows the gateways to be geographically distant from each other.

VPN-1 supports traditional High Availability and clustering as well. Multiple VPN-1 security gateways may be placed together to create an active/active cluster that enables VPN scaling. When a VPN session is started on one gateway, its state is synchronized between all gateways through Check Point's patented Stateful Inspection technology. If that gateway becomes unavailable for whatever reason, the session is automatically continued on another member of the cluster without requiring the session to be restarted.
[Figure: MEP, with a second gateway providing an alternative entry point to VPN domain B]

Beyond building VPN blocks: More resources, more-dynamic networks

The route-based VPN: Designing a complex VPN with simple routing

[Figure: route-based VPN, showing on each VPN-1 gateway the physical interfaces, the VPN tunnel interface (VTI), and the internal network, with the tunnel crossing the Internet]
Route-based VPNs can use both static and dynamic routing to create the virtual connection between corresponding VPN tunnel interfaces (VTIs). Dynamic routing offers a number of benefits over static routing for creating a secure, reliable VPN that spans a large number of locations. Dynamic routing protocols supported:
- OSPF
- BGP
- RIPv1
- RIPv2

First, the two VPN-1 security gateways can exchange routing information about the networks they protect and dynamically change routes based on that information. This enables geographically separated locations to participate in each other's dynamic routing communities without a dedicated logical or physical connection such as frame relay or a leased line. More importantly, each VPN-1 security gateway understands how to correctly route encrypted traffic to its final destination.
Second, it enhances the reliability of the VPN. As an example, consider this scenario: sites A, B, and C each have route-based VPNs set up over VTIs they share. If the link between site A and site B becomes unavailable, site B automatically learns that site C still has a route to site A and forwards through it. Unlike with domain-based VPNs using MEP, this is accomplished automatically, without administrator configuration.
[Figure: VPN-1 A (207.34.1.30) and VPN-1 B (215.129.43.17) exchanging a route for 10.10.20.0/24 across the tunnel]
Graceful restart
A distinct benefit that VPN-1 security gateways bring when dealing with dynamic routing is the inclusion of OSPF hitless/graceful restart and BGP graceful restart. These two mechanisms, often found only on high-end routers, enable a swift recovery from a temporary outage such as a reboot. Under normal circumstances, a gateway (gateway A) trying to communicate with another gateway (gateway B) that has failed would automatically remove that route from its tables and report the withdrawal to other gateways, causing a ripple effect even if gateway B is only down temporarily. With graceful restart, if a VPN-1 gateway is temporarily down, its routes are not deleted immediately but are assumed to remain valid for a grace period.
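The A/B/C failover scenario from the route-based VPN section and the graceful restart behaviour described above, as one added Python example written for this page. It is illustrative code, not Check Point's routing code and not an OSPF or BGP implementation. The RouteBasedVpn class, the hop-count metric, the tick-based grace period, and the extra site D that is reachable only through A are assumptions made for this example.

```python
from collections import deque


class RouteBasedVpn:
    """Sites joined by VTI tunnels. Each site learns a route to every other site
    from its neighbours, as with OSPF or BGP speaking over the VTIs."""

    def __init__(self, tunnels):
        self.adj = {}
        for a, b in tunnels:
            self.adj.setdefault(a, set()).add(b)
            self.adj.setdefault(b, set()).add(a)
        self.down_links = set()     # frozenset({a, b}) for failed tunnels
        self.restarting = {}        # site -> grace ticks left (graceful restart)

    # --- events -------------------------------------------------------------
    def link_down(self, a, b):
        self.down_links.add(frozenset((a, b)))

    def link_up(self, a, b):
        self.down_links.discard(frozenset((a, b)))

    def begin_restart(self, site, grace_ticks):
        """`site` reboots. Neighbours supporting graceful restart keep its routes
        for `grace_ticks` instead of withdrawing and re-advertising at once."""
        self.restarting[site] = grace_ticks

    def finish_restart(self, site):
        """`site` is back within the grace period: its routes were never
        withdrawn, so nothing rippled out to the rest of the VPN."""
        self.restarting.pop(site, None)

    def tick(self):
        """One timer interval passes. An expired grace period withdraws the
        restarting site's routes, exactly as a real failure would."""
        for site in list(self.restarting):
            self.restarting[site] -= 1
            if self.restarting[site] <= 0:
                del self.restarting[site]
                for nb in self.adj[site]:
                    self.link_down(site, nb)

    # --- route computation --------------------------------------------------
    def _usable(self, a, b, graceful):
        if frozenset((a, b)) in self.down_links:
            return False
        if not graceful and (a in self.restarting or b in self.restarting):
            return False            # without graceful restart the neighbour is just gone
        return True

    def next_hop(self, src, dst, graceful=True):
        """Neighbour that `src` forwards to in order to reach `dst`, or None if
        unreachable. Breadth-first search over usable tunnels (hop-count metric)."""
        if src == dst:
            return None
        parent = {src: None}
        queue = deque([src])
        while queue:
            cur = queue.popleft()
            if cur == dst:
                break
            for nb in sorted(self.adj.get(cur, ())):
                if nb not in parent and self._usable(cur, nb, graceful):
                    parent[nb] = cur
                    queue.append(nb)
        if dst not in parent:
            return None
        node = dst
        while parent[node] != src:
            node = parent[node]
        return node


if __name__ == "__main__":
    # Constructed topology: the A-B, B-C, A-C mesh from the text, plus a site D
    # that is reachable only through A.
    vpn = RouteBasedVpn([("A", "B"), ("B", "C"), ("A", "C"), ("A", "D")])
    print("B -> A normally:", vpn.next_hop("B", "A"))
    vpn.link_down("A", "B")
    print("B -> A with A-B down:", vpn.next_hop("B", "A"))           # via C
    vpn.link_up("A", "B")
    vpn.begin_restart("A", grace_ticks=2)
    print("B -> D while A reboots, no graceful restart:", vpn.next_hop("B", "D", graceful=False))
    print("B -> D while A reboots, graceful restart:", vpn.next_hop("B", "D"))
```

The first half reproduces the text's reconvergence: when the A-B tunnel fails, B's best path to A becomes the one through C, with no administrator involvement. The second half shows why graceful restart matters for the site behind a rebooting gateway: without it, B has no route to D for the whole reboot and every other gateway hears the withdrawal; with it, B keeps forwarding to A for the grace period, and only if A fails to come back in time are the routes torn down.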
Multicast protocol support

Multicast protocols supported:
- IGMP
- PIM-SM
- PIM-DM

Many organizations may wish to use a mixture of both domain-based and route-based VPNs. The VPN-1 family enables administrators to use both, providing great flexibility when configuring VPNs. Because VPN-1 security gateways support both modes at the same time, organizations can take a phased approach to migrating between the two methods.
Conclusion
Check Point's philosophy on IPSec VPNs is that they represent a bridge between the networking professional's emphasis on connectivity and the security professional's emphasis on protecting the network. The IPSec-based line of VPN-1 security gateways from Check Point provides secure connectivity for distributed networks by combining the proven security used in 100 percent of the Fortune 100 with advanced technologies designed to simplify the creation and management of complex VPNs.
CHECK POINT OFFICES Worldwide Headquarters 3A Jabotinsky Street, 24th Floor Ramat Gan 52520, Israel Tel: 972-3-753 4555 Fax: 972-3-575 9256 email: info@checkpoint.com
U.S. Headquarters 800 Bridge Parkway Redwood City, CA 94065 Tel: 800-429-4391 ; 650-628-2000 Fax: 650-654-4233 URL: http://www.checkpoint.com
© 2003-2006 Check Point Software Technologies Ltd. All rights reserved. Check Point, Application Intelligence, Check Point Express, the Check Point logo, AlertAdvisor, ClusterXL, ConnectControl, Connectra, Cooperative Enforcement, Cooperative Security Alliance, CoSa, DefenseNet, Eventia, Eventia Analyzer, Eventia Reporter, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer, FloodGate-1, Hacker ID, IMsecure, INSPECT, INSPECT XL, Integrity, InterSpect, IQ Engine, NGX, Open Security Extension, OPSEC, OSFirewall, Policy Lifecycle Management, Provider-1, Safe@Office, SecureClient, SecureKnowledge, SecuRemote, SecurePlatform, SecureServer, SecureUpdate, SecureXL, SecureXL Turbocard, SiteManager-1, SmartCenter, SmartCenter Power, SmartCenter Pro, SmartCenter UTM, SmartDashboard, SmartDefense, SmartDefense Advisor, Smarter Security, SmartLSM, SmartMap, SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartViewTracker, SofaWare, SSL Network Extender, Stateful Clustering, TrueVector, Turbocard, UAM, UserAuthority, User-to-Address Mapping, VPN-1, VPN-1 Accelerator Card, VPN-1 Edge, VPN-1 Power, VPN-1 Power VSX, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 UTM, VPN-1 UTM Edge, VPN-1 VSX, Web Intelligence, ZoneAlarm, ZoneAlarm Anti-Spyware, ZoneAlarm Antivirus, ZoneAlarm Internet Security Suite, ZoneAlarm Pro, Zone Labs, and the Zone Labs logo are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. All other product names mentioned herein are trademarks or registered trademarks of their respective owners. The products described in this document are protected by U.S. Patent No. 5,606,668, 5,835,726, 6,496,935, 6,873,988, and 6,850,943 and may be protected by other U.S. Patents, foreign patents, or pending applications. August 11, 2006 P/N: 502243