Check Point Software SSL VPN Solutions Technical Overview
©2005 Check Point Software Technologies Ltd. Proprietary & Confidential
Check Point Software SSL VPN Solutions
Technical Overview
Thorsten Schuberth
Technical Consultant
Nubit 2005
Agenda
Introduction to SSL VPN Solutions
Connectra 2.0
  – New Security Features
    • Integrity Clientless Security (ICS) 3.0
      – Integrity Secure Browser (ISB)
      – AV Checking
      – Enhanced Protection Levels
SSL Network Extender (SNX)
  – ICS Integration with R55 HFA-12
Check Point Security Solution
Web Threat Environment
Most cyber attacks and Internet security violations are generated through Internet applications.
Check Point Web Security Portfolio
SSL VPN for Web-based remote access
  – Connectra, The Web Security Gateway
    • Unified SSL VPN, Web security, and Endpoint security
  – SSL Network Extender
    • Network-level SSL VPN for Connectra & VPN-1
Web Application Firewall
  – Web Intelligence
    • Web Security for Connectra & VPN-1
Endpoint Security
  – Integrity Clientless Security
    • Integrated into Connectra, available for Web applications
Securing the Web for Business
Bringing Business to the Web
Introducing Connectra
Web Connectivity with Unmatched Security
Web Security Gateway Features
  – Secure Web-Based Connectivity
  – Integrated Server Security
  – Adaptive Endpoint Security
  – One-Click SSL Extranet
  – Seamless Network Deployment and Management
SSL VPN
Integrated Security
Easy Deployment
Connectra – The Web Security Gateway
Security will be the #1 buying criteria for SSL VPN gateways in 2005
Key Advantage Today = MOST SECURE
  – Endpoint Security Integration
  – Integrated Attack Prevention
“Endpoint security integration was the #1 reason we chose Check Point.”
- Large Energy Company
“Endpoint security is an escalating problem as SSL VPNs go mainstream.”
- John Girard, VP of Gartner
Introducing SSL Network Extender
Secure Network-Level Connectivity over the Web
Network-level connectivity over SSL VPN
  – Browser Plug-in
Supports all IP-based applications
  – TCP, UDP, ICMP, FTP, etc.
Integrated with Check Point Gateways
  – Connectra
    • Enables native applications support
  – VPN-1
    • Combined IPSec and SSL
Introducing Web Intelligence
Protection for the Entire Web Environment
Web application firewall technology for Check Point products.
Advanced Product Features
  – Malicious Code Protector™
    Patent-pending technology that catches buffer overflow attacks and other malicious code.
  – Advanced Streaming Inspection
    Extends the inspection and reconstruction capabilities of the INSPECT architecture by adding active traffic control of live traffic streams.
  – Simple Deployment and Management
    Built to be quickly deployed to protect Web servers without complex tuning and configuration.
Seamless Integration with Check Point Products
Provides protection for the entire Web environment.
  • Included in Connectra
  • Available as an add-on to VPN-1 gateways
  • Will be available on InterSpect
Introducing Integrity Clientless Security
Key Benefits
  – Stops ID and password theft, prevents data loss
  – Makes it easy to secure non-IT controlled PCs that access the enterprise network
  – Prevents any non-compliant remote PC from compromising enterprise security
Key Features
  – Spyware Detection & Remediation
  – Simple Deployment & Maintenance
  – Network Access Policy Enforcement
  – Integrates with Web Applications - Outlook Web Access, Extranet Portals
  – Integrated with Connectra
Integrity Secure Browser Configuration
Windows Only Solution
  – IE Offers Transparent Install
  – Other Browsers are Supported
    • Manual Prompt to Install ISB
      – Mozilla, Netscape & Opera
  – Subsequent Connections will not require reinstallation
Integrity Secure Browser
Connectra 2.0 ICS 3.0 Integration
Integrity Secure Browser
  – ISB will safeguard data in:
    • Password and Form fields
    • URL history
    • cached files
    • recently-used files
  – Warns users of potentially unsafe actions
    • Copy to local Clipboard
    • Download Files
Protection Level Enhancements
Added Options to require ICS &/or ISB
Enables Access to applications where ICS/ISB support is not currently available
  – Macintosh & Linux users can now connect even if ICS is enabled
ICS 3.0 Anti-Virus Checking
AV Checking Support for
  – Trend PC-cillin & OfficeScan
  – CA eTrust & VET
  – Symantec Norton Antivirus
  – Sophos AV
  – McAfee VirusScan
  – Zone Alarm Antivirus
DAT file version restrictions
  – Minimum DAT file version
  – DAT file creation date should be newer than
  – DAT file should be no older than <x> days
You can check that the Anti Virus is:
  – Installed
  – Installed and running
Custom Error Message for Out of Compliance AV
  – Shared by all AV Checks
Connectra Appliance vs. Software Comparison
50 100 250 500 1,000 U
Connectra Series 1000, Cat 4: $10,000 $15,000 $24,000
Connectra Series 2000, Cat 4: $24,000 $36,000 $54,000
Connectra Series 6000, Cat 4: $44,000 $60,000 $90,000
Connectra SW, Cat 1: $8,000 $15,000 $30,000 $50,000 $60,000
SSL Network Extender for VPN-1
R55 HFA-12 SNX & ICS
R55 SNX Integrated with ICS 2.2
  – AV Checking
  – File/Registry checks
    • Requirement or Prohibition
    • Observation Mode remote nodes
Separate Installations of ICS & VPN-1
Each Product is licensed & purchased independently
Manual Process for updating configuration file on VPN-1 gateways
  – $FWDIR/conf/extender/request.xml
ICS 2.2 Overview
Browser control (ActiveX) sent to users before they log into their web based application.
  • Scans, identifies, and disables spyware
  • Displays detected threats and provides removal assistance
  • Optionally, enforces security policy compliance by preventing network access to PCs that contain screened software, have outdated anti-virus definitions, or are missing other requirements
ICS Integration with SNX
User Presented with ICS Scan prior to authentication
Same ICS scan for all users per gateway
No Protection Level Granularity as with Connectra
Thank You
Questions???