SecureVPN Connectivity

- Flexible Deployment
- Support for Industry Standard Protocols
- Flexible User Authentication
- Transparent Operation
- Enriched Access with Office Mode
- Non-stop VPNs

Flexible Deployment

VPN-1 SecuRemote and VPN-1 SecureClient support dynamic and fixed IP addressing for all Internet Service Provider (ISP) services - dial-up, cable modem, or Digital Subscriber Lines (DSL) - making them the ideal solution for telecommuters and mobile workers. When installed internally, VPN-1 clients protect critical business communications on traditional and wireless LANs.

Sometimes VPN-1 client traffic needs to traverse a NAT device or a firewall prior to reaching the VPN-1 gateway. Because not all NAT devices can handle IPSec traffic, the traffic can be dropped. To address this problem, VPN-1 clients enable NAT traversal by supporting UDP encapsulation and IKE over TCP.

Support for Industry Standard Protocols

VPN-1 SecuRemote and VPN-1 SecureClient support industry standard VPN protocols and algorithms to deliver complete compatibility with VPN-1/FireWall-1 security policies.

| Encryption Algorithms | Key Length |
|---|---|
| Advanced Encryption Standard (AES) | 128- to 256-bit |
| Triple DES | 168-bit |
| DES | 56-bit |

| User Authentication |
|---|
| X.509 Digital Certificates |
| Pre-shared Secret |
| RADIUS |
| TACACS |
| Tokens |
| Operating System Password |
| VPN-1/FireWall-1 Password |

| Public Key Algorithms | Key Length |
|---|---|
| RSA | 512- to 1536-bit |
| Diffie-Hellman | 768- to 1536-bit |

| Key Management |
|---|
| IKE |

| IP Compression |
|---|
| IPCOMP |

Flexible User Authentication

VPN-1 SecuRemote and VPN-1 SecureClient support Hybrid Mode Authentication, the Check Point Secure Authentication API (SAA) and the Check Point Internal Certificate Authority (ICA), providing a range of user authentication options.

- Hybrid Mode Authentication enables use of widely used authentication methods such as token cards (e.g., SecurID), RADIUS and TACACS within IPSec VPNs. This means that you can select user authentication solutions that best meet your organization's needs, while leveraging the industry-standard security of X.509 digital certificates for VPN gateway authentication.
- Check Point SAA Support extends user authentication options to include a range of OPSEC-certified authentication products, including biometric devices. This support is particularly important to organizations that want to employ an existing authentication solution with a PKI-based trust model.
- Check Point ICA enables use of digital certificates for user authentication in an IPSec/IKE VPN, out-of-the-box. The ICA can automatically issue digital certificates to all Check Point management servers, gateways and VPN-1 SecureClient users. The ICA is included with VPN-1 gateways.

Transparent Operation

All VPN functionality, including key negotiation and data encryption, is completely transparent to the user. Each time a user requests a connection, VPN-1 SecuRemote/SecureClient intercepts the request and determines if the destination resource resides behind a known VPN-1 gateway. Once the gateway is identified, the VPN-1 client is automatically invoked and asks the user for authentication. VPN-1 SecuRemote/SecureClient also intelligently resolves both internal unregistered domains and external domain names.

Enriched Access with Office Mode

Office Mode enables VPN-1 SecureClient users to access applications, such as some MS Networking protocols, that require the user to be on the same network as the server. Office Mode does this by enabling a VPN-1 gateway to assign an internal IP address, DNS and WINS information to those accessing the network with VPN-1 SecureClient.

Non-stop VPN

When reliability is critical, Multiple Entry Point (MEP) functionality provides a cost-efficient alternative to high availability configurations that require redundant hardware.

In multi-site VPNs, VPN-1 clients can detect a gateway outage, and then use a designated backup gateway to access network resources. The VPN connection is established and all traffic is routed correctly through an alternate gateway with complete user transparency. In addition, VPN-1 client connections can be load shared among VPN-1 gateways.