Check Point Software Technologies this week announced a new release of its VPN-1/FireWall-1 software that is intended to increase the reliability, scalability, ease-of-use and performance of Check Point-based virtual private networks.
The release of Check Point's Next Generation (NG) VPN culminates a five-part software release for VPN-1/FireWall-1, says Johnnie Konstantas, product marketing manager. Previous releases addressed "Next Generation" user interface, management, performance and VPN client functions.
In concert, the features are intended to allow enterprises to more easily deploy and manage large VPNs while maintaining security end-to-end.
Key to the latter is a personal firewall that comes with Check Point's previously announced VPN-1 SecureClient Next Generation software. The firewall can be centrally managed, enabling an administrator to ensure it complies with corporate policies and relieving end users from dealing with configuration chores they are probably not qualified to handle. Administrators can use the firewall to dictate what is allowed and not allowed on the client machine. For example, the firewall can ensure that the client does not act as a Web server and can restrict the sites the user is allowed to visit.
"There's a two-fold benefit," Konstantas says. For one, the firewall protects the user's machine and all its files. "It also protects the corporation that the client machine is connected to, so there's no way somebody can hijack the machine and gain access to the corporate net."
SecureClient also includes a Security Configuration Verification feature. Each time the client logs in to the VPN, an automated check is performed to ensure proper policy is running on the client and that it hasn't been altered. Check Point is working with its partners to extend this feature to check other criteria, such as ensuring the proper version of anti-virus software is running.
New with NG VPN is a feature intended to automate the deployment of new gateways in site-to-site VPNs by using public key infrastructure (PKI) technology. When you install or upgrade to NG VPN, the software automatically creates a certificate authority (CA) that is used to distribute X.509-based certificates to all modules in the network. The certificates are then used to authenticate the modules to one another. When a new gateway is added to the network, it is issued a certificate from the CA, which is housed on the central management server.
Check Point is using this technique instead of the alternative shared secret authentication mechanism, which requires a series of unique passwords to authenticate gateways to each other, all of which must be managed manually. "When you get up to 100 gateways, that becomes an unmanageable number of passwords," Konstantas says. The PKI approach, on the other hand, "speaks directly to scalability."
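As an added illustration (not Check Point's code or wire protocol), the Go program below models the PKI approach described above with a minimal certificate format and Ed25519 signatures: the management-server CA signs each gateway's public key once, and any gateway authenticates a peer using only the CA's public key plus a fresh challenge, so adding a gateway touches no existing configuration; two helper counts contrast that with a pairwise shared-secret mesh at 100 gateways. The Cert format and the gateway names gw-la and gw-ny are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Cert is a minimal stand-in for an X.509 certificate: the CA's signature binds a gateway's name to its public key.
type Cert struct {
	Name string
	Pub  ed25519.PublicKey
	Sig  []byte // CA signature over tbs(Name, Pub)
}

// tbs is the to-be-signed encoding: the name, a separator, then the raw public key.
func tbs(name string, pub ed25519.PublicKey) []byte { return append([]byte(name+"\x00"), pub...) }
// Credentials to manage for n gateways that must all authenticate each other.
func pairwiseSecrets(n int) int { return n * (n - 1) / 2 } // one unique secret per pair
func certificates(n int) int    { return n }               // one certificate per gateway
// newCA runs once, on the management server, at install or upgrade time.
func newCA() (ed25519.PublicKey, ed25519.PrivateKey, error) { return ed25519.GenerateKey(rand.Reader) }

// enroll is the single step needed when a gateway joins: the CA signs its public key.
// Existing gateways need no change; they already hold the CA's public key.
func enroll(caKey ed25519.PrivateKey, name string) (Cert, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // the private half stays on the gateway
	if err != nil {
		return Cert{}, nil, err
	}
	return Cert{name, pub, ed25519.Sign(caKey, tbs(name, pub))}, priv, nil
}

// respond proves possession of the private key matching the certificate.
func respond(priv ed25519.PrivateKey, challenge []byte) []byte { return ed25519.Sign(priv, challenge) }

// authenticate is what any gateway does for a peer: check that our CA issued the certificate, then check the proof.
func authenticate(caPub ed25519.PublicKey, peer Cert, challenge, proof []byte) bool {
	if !ed25519.Verify(caPub, tbs(peer.Name, peer.Pub), peer.Sig) {
		return false // not issued by our CA: a forged or foreign certificate
	}
	return ed25519.Verify(peer.Pub, challenge, proof) // peer holds the matching private key
}

func main() {
	caPub, caKey, _ := newCA()
	la, laKey, _ := enroll(caKey, "gw-la")
	challenge := []byte("constructed nonce from gw-ny") // a real peer sends fresh random bytes
	fmt.Println("gw-la accepted by gw-ny:", authenticate(caPub, la, challenge, respond(laKey, challenge)))
	fmt.Printf("100 gateways: %d pairwise secrets vs %d certificates\n", pairwiseSecrets(100), certificates(100))
}
```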
A new performance monitor capability allows administrators to monitor the performance of the VPN down to individual applications. It provides a graphical view of performance, which can be mapped against a threshold, such as a service level agreement.
Check Point has also added support for the Differentiated Services (DiffServ) standard, which provides a mechanism for applying quality-of-service specifications to different traffic flows. Essentially, DiffServ allows administrators to mark certain applications as more critical than others, ensuring them priority service through the network.
The caveat is that all network elements within the cloud have to support DiffServ for the feature to do any good. "We've chosen this standard in a forward-looking way, knowing this is where Internet infrastructure is going," Konstantas says. "Some managed service providers will be able to use this today, if they own all the gear in between two [Check Point] VPN gateways."
The final major new feature in NG VPN is one that allows for the use of an alternate, private-line path to a gateway if the primary Internet path is out of commission. For example, if a branch in Los Angeles cannot communicate via the VPN to a branch in New York because the New York Internet connection is down, the LA branch may instead connect to a Chicago branch and use its private line connection to reach New York. This takes advantage of the fact that many companies leave some private line connections between sites even after they establish a VPN, Konstantas says.
NG VPN software is free to customers with a Check Point software subscription. For new users, the software ranges from $4,995 to $20,000 per gateway, depending on configuration. Now in beta test with a number of customers, the software will be generally available in mid-summer.