
Check Point Software SSL VPN Solutions Technical Overview

Page 1: Check Point Software SSL VPN Solutions Technical Overview

©2005 Check Point Software Technologies Ltd. Proprietary & Confidential

Check Point Software SSL VPN Solutions

Technical Overview

Thorsten Schuberth, Technical Consultant

Nubit 2005

Page 2: Check Point Software SSL VPN Solutions Technical Overview

Agenda

• Introduction to SSL VPN Solutions
• Connectra 2.0
  – New Security Features
    • Integrity Clientless Security (ICS) 3.0
      – Integrity Secure Browser (ISB)
      – AV Checking
      – Enhanced Protection Levels
• SSL Network Extender (SNX)
  – ICS Integration with R55 HFA-12

Page 3: Check Point Software SSL VPN Solutions Technical Overview

Check Point Security Solution

Page 4: Check Point Software SSL VPN Solutions Technical Overview

Web Threat Environment

Most cyber attacks and Internet security violations are generated through Internet applications.

Page 5: Check Point Software SSL VPN Solutions Technical Overview

Check Point Web Security Portfolio

• SSL VPN for Web-based remote access
  – Connectra, The Web Security Gateway
    • Unified SSL VPN, Web security, and Endpoint security
  – SSL Network Extender
    • Network-level SSL VPN for Connectra & VPN-1
• Web Application Firewall
  – Web Intelligence
    • Web Security for Connectra & VPN-1
• Endpoint Security
  – Integrity Clientless Security
    • Integrated into Connectra, available for Web applications

Securing the Web for Business

Bringing Business to the Web

Page 6: Check Point Software SSL VPN Solutions Technical Overview

Introducing Connectra

Web Connectivity with Unmatched Security

Web Security Gateway Features
• Secure Web-Based Connectivity
• Integrated Server Security
• Adaptive Endpoint Security
• One-Click SSL Extranet
• Seamless Network Deployment and Management

[Diagram labels: SSL VPN, Integrated Security, Easy Deployment]

Page 7: Check Point Software SSL VPN Solutions Technical Overview

Connectra – The Web Security Gateway

Security will be the #1 buying criteria for SSL VPN gateways in 2005

Key Advantage Today = MOST SECURE
• Endpoint Security Integration
• Integrated Attack Prevention

“Endpoint security integration was the #1 reason we chose Check Point.”

- Large Energy Company

“Endpoint security is an escalating problem as SSL VPNs go mainstream.”

- John Girard, VP of Gartner

Page 8: Check Point Software SSL VPN Solutions Technical Overview

Introducing SSL Network Extender

Secure Network-Level Connectivity over the Web

• Network-level connectivity over SSL VPN
  – Browser Plug-in
• Supports all IP-based applications
  – TCP, UDP, ICMP, FTP, etc.
• Integrated with Check Point Gateways
  – Connectra
    • Enables native applications support
  – VPN-1
    • Combined IPSec and SSL

Page 9: Check Point Software SSL VPN Solutions Technical Overview

Introducing Web Intelligence

Protection for the Entire Web Environment

Web application firewall technology for Check Point products.

• Advanced Product Features
  – Malicious Code Protector™
    Patent-pending technology that catches buffer overflow attacks and other malicious code.
  – Advanced Streaming Inspection
    Extends the inspection and reconstruction capabilities of the INSPECT architecture by adding active traffic control of live traffic streams.
  – Simple Deployment and Management
    Built to be quickly deployed to protect Web servers without complex tuning and configuration.
• Seamless Integration with Check Point Products
  Provides protection for the entire Web environment.
    • Included in Connectra
    • Available as an add-on to VPN-1 gateways
    • Will be available on InterSpect

[Diagram label: Web Servers]

Page 10: Check Point Software SSL VPN Solutions Technical Overview

Introducing Integrity Clientless Security

Key Benefits
• Stops ID and password theft, prevents data loss
• Makes it easy to secure non-IT controlled PCs that access the enterprise network
• Prevents any non-compliant remote PC from compromising enterprise security

Key Features
• Spyware Detection & Remediation
• Simple Deployment & Maintenance
• Network Access Policy Enforcement
• Integrates with Web Applications: Outlook Web Access, Extranet Portals
• Integrated with Connectra

Page 11: Check Point Software SSL VPN Solutions Technical Overview

Integrity Secure Browser Configuration

• Windows Only Solution
  – IE Offers Transparent Install
  – Other Browsers are Supported
    • Manual Prompt to Install ISB
      – Mozilla, Netscape & Opera
  – Subsequent Connections will not require reinstallation

Page 12: Check Point Software SSL VPN Solutions Technical Overview

Integrity Secure Browser

Page 13: Check Point Software SSL VPN Solutions Technical Overview

Connectra 2.0 ICS 3.0 Integration

• Integrity Secure Browser
  – ISB will safeguard data in:
    • Password and Form fields
    • URL history
    • cached files
    • recently-used files
  – Warns users of potentially unsafe actions
    • Copy to local Clipboard
    • Download Files

Page 14: Check Point Software SSL VPN Solutions Technical Overview

Protection Level Enhancements

• Added Options to require ICS &/or ISB
• Enables Access to applications where ICS/ISB support is not currently available
  – Macintosh & Linux users can now connect even if ICS is enabled

Page 15: Check Point Software SSL VPN Solutions Technical Overview

ICS 3.0 Anti-Virus Checking

• AV Checking Support for
  – Trend PC-cillin & OfficeScan
  – CA eTrust & VET
  – Symantec Norton Antivirus
  – Sophos AV
  – McAfee VirusScan
  – Zone Alarm Antivirus
• DAT file version restrictions
  – Minimum DAT file version
  – DAT file creation date should be newer than
  – DAT file should be no older than <x> days
• You can check that the Anti Virus is:
  – Installed
  – Installed and running
• Custom Error Message for Out of Compliance AV
  – Shared by all AV Checks

Page 16: Check Point Software SSL VPN Solutions Technical Overview

Connectra Appliance vs. Software Comparison

Column headings: 50, 100, 250, 500, 1,000, U

Connectra Series 1000 (Cat 4): $10,000, $15,000, $24,000

Connectra Series 2000 (Cat 4): $24,000, $36,000, $54,000

Connectra Series 6000 (Cat 4): $44,000, $60,000, $90,000

Connectra SW (Cat 1): $8,000, $15,000, $30,000, $50,000, $60,000

Page 17: Check Point Software SSL VPN Solutions Technical Overview

SSL Network Extender for VPN-1

Page 18: Check Point Software SSL VPN Solutions Technical Overview

R55 HFA-12 SNX & ICS

• R55 SNX Integrated with ICS 2.2
  – AV Checking
  – File/Registry checks
    • Requirement or Prohibition
    • Observation Mode remote nodes
• Separate Installations of ICS & VPN-1
• Each Product is licensed & purchased independently
• Manual Process for updating configuration file on VPN-1 gateways
  – $FWDIR/conf/extender/request.xml

Page 19: Check Point Software SSL VPN Solutions Technical Overview

ICS 2.2 Overview

Browser control (ActiveX) sent to users before they log into their web based application.

• Scans, identifies, and disables spyware
• Displays detected threats and provides removal assistance
• Optionally, enforces security policy compliance by preventing network access to PCs that contain screened software, have outdated anti-virus definitions, or are missing other requirements

Page 20: Check Point Software SSL VPN Solutions Technical Overview

ICS Integration with SNX

• User Presented with ICS Scan prior to authentication
• Same ICS scan for all users per gateway
• No Protection Level Granularity as with Connectra

Page 21: Check Point Software SSL VPN Solutions Technical Overview

Thank You

Questions???