WORLDWIDE LEADER IN SECURING THE INTERNET

An Introduction to VPN Technology

QTS Ongoing Education Series
Check Point Facts
- History of Check Point Software
  - Founded June 1993
  - IPO June 1996
  - Strong growth in revenues and profits
- Global market leadership
  - 62% VPN market share (Datamonitor, 2001)
  - 42% firewall market share (#1 position - IDC, 2000)
  - De-facto standard for Internet security
- Strong business model
  - Technology innovation and leadership
  - Technology partnerships
  - Strong and diversified channel partnerships

©2001 Check Point Software Technologies Ltd. - Proprietary & Confidential -2-

Check Point's Solid Foundation
- Financial strength (last 12 months)
  - Revenues of $543M
  - Profit of $313M
  - Strong balance sheet
- Market leadership
  - 220,000+ installations
  - 100,000+ VPN gateways
  - 83 million+ VPN clients
  - 81,000+ customers
  - 1,500+ channel partners
  - 300+ OPSEC partners

Platform Choice - Open
Dedicated Appliances:
- Attractive entry level price/performance
- Easy set up
- Enterprise class
- Network grade
- Data center & ISPs
- High performance / carrier class
Open Systems (Check Point pioneered the market):
- Wide variety of platforms
- 60-80% of the market
- Flexibility
Future Platforms:
- Consumer & small business
  - Cable & DSL
  - Wireless
- GPRS, 2.5G-3G infrastructure
- Multi-subscriber
- Service provider network services

OPSEC Partners: The Open Platform for Security
- Open framework for security integration - "The Security OS"
- Over 270 partners
- Breadth of solutions
- Choice
- Certification
- www.OPSEC.com
- Voted #1 Partner Alliance Program

Enhanced Management Capabilities
- SecureUpdate for OPSEC Partners
  - Central management of software installation for OPSEC applications
- OPSEC application monitoring
  - Central monitoring of OPSEC applications alongside Check Point products
- Open management repository
  - Import/export objects from the management database

Agenda
- What is a Virtual Private Network (VPN)?
- VPN deployment situations
- Why use VPNs?
- Types of VPN protocols
- IPSec VPNs
  - Components
  - A sample session
- Deployment questions

What is a VPN?
- A VPN is a private connection over an open network
- A VPN includes authentication and encryption to protect data integrity and confidentiality
[Figure: two Acme Corp sites joined by a VPN across the Internet]

Types of VPNs
- Remote Access VPN
  - Provides access to the internal corporate network over the Internet
  - Reduces long distance, modem bank, and technical support costs
  [Figure: remote user reaching the corporate site over the Internet]
- Site-to-Site VPN
  - Connects multiple offices over the Internet
  - Reduces dependencies on frame relay and leased lines
  [Figure: corporate site and branch office connected over the Internet]
- Extranet VPN
  - Provides business partners access to critical information (leads, sales tools, etc.)
  - Reduces transaction and operational costs
  [Figure: corporate site connected to Partner #1 and Partner #2 over the Internet]
- Client/Server VPN
  - Protects sensitive internal communications
  - Most attacks originate within an organization
  [Figure: LAN clients with sensitive data reaching a database server across the LAN, with the Internet outside]

Alternate Technologies
- Site-to-site/extranets
  - Frame relay, leased lines
- Remote access
  - Dial-up modem banks

Why Use Virtual Private Networks?
- More flexibility
  - Leverage ISP points of presence
  - Use multiple connection types (cable, DSL, T1, T3)
- More scalability
  - Add new sites and users quickly
  - Scale bandwidth to meet demand
- Lower costs
  - Reduced frame relay/leased line costs
  - Reduced long distance
  - Reduced equipment costs (modem banks, CSU/DSUs)
  - Reduced technical support

VPN-1 Return on Investment
Case History - Professional Services Company
- 5 branch offices, 1 large corporate office, 200 remote access users
- Payback: 1.04 months. Annual savings: 88%

Cost item                                Check Point VPN-1 solution   Non-VPN solution            Savings with Check Point
Startup costs (hardware and software)    $51,965                      Existing; sunk costs = $0   -
Site-to-site annual cost (frame relay)   $30,485                      $71,664                     $41,180/yr
RAS annual cost (dial-in costs)          $48,000                      $604,800                    $556,800/yr
Combined annual cost                     $78,485                      $676,464                    $597,980/yr

VPN ROI Calculator

Tool URL:
http://www.checkpoint.com/products/vpn1/roi_calculators/index.html

Components of a VPN
- Encryption
- Message authentication
- Entity authentication
- Key management

Point-to-Point Tunneling Protocol (PPTP)
- Layer 2 remote access VPN distributed with the Windows product family
- Addition to the Point-to-Point Protocol (PPP)
- Allows multiple Layer 3 protocols
- Uses proprietary authentication and encryption
- Limited user management and scalability
- Known security vulnerabilities
[Figure: remote PPTP client -> ISP remote access switch -> Internet -> PPTP RAS server on the corporate network]

Layer 2 Tunneling Protocol (L2TP)
- Layer 2 remote access VPN protocol
- Combines and extends PPTP and L2F (a Cisco-supported protocol)
- Weak authentication and encryption
- Does not include packet authentication, data integrity, or key management
- Must be combined with IPSec for enterprise-level security
[Figure: remote L2TP client -> ISP L2TP concentrator -> Internet -> L2TP server on the corporate network]

Internet Protocol Security (IPSec)
- Layer 3 protocol for remote access, intranet, and extranet VPNs
- Internet standard for VPNs
- Provides flexible encryption and message authentication/integrity
- Includes key management

Components of an IPSec VPN
- Encryption: DES, 3DES, and more
- Message authentication: HMAC-MD5, HMAC-SHA-1, or others
- Entity authentication: digital certificates, shared secrets, Hybrid Mode IKE
- Key management: Internet Key Exchange (IKE), Public Key Infrastructure (PKI)

All managed by security associations (SAs)

Security Associations
- An agreement between two parties about:
  - Authentication and encryption algorithms
  - Key exchange mechanisms
  - And other rules for secure communications
- Security associations are negotiated at least once per session - possibly more often for additional security
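As an added example (not Check Point's code and not from any VPN-1 product), here is a Python model of the per-packet protection a security association provides, tying together the encryption and message-authentication components listed above: every packet carries the SPI and a sequence number, is authenticated with HMAC-SHA-1 truncated to 96 bits (the HMAC-SHA-1-96 form AH and ESP use), and is checked against an anti-replay window before it is decrypted. The Python standard library has no DES/3DES, so the confidentiality step uses a constructed HMAC-based keystream as a stand-in for the negotiated block cipher; the SPI, keys and window size are made-up values.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12  # HMAC-SHA-1-96: the 160-bit HMAC-SHA-1 tag truncated to 96 bits, as AH/ESP do


class SecurityAssociation:
    """One direction of an IPSec-style SA: SPI, keys, sequence state and replay window."""

    def __init__(self, spi, enc_key, auth_key, window=32):
        self.spi, self.enc_key, self.auth_key = spi, enc_key, auth_key
        self.window = window
        self.seq = 0        # sender side: last sequence number used
        self.highest = 0    # receiver side: highest sequence number accepted so far
        self.seen = set()   # receiver side: accepted sequence numbers inside the window

    def _keystream(self, seq, n):
        # Constructed stand-in for DES/3DES (not in the stdlib): HMAC-SHA-256 in counter
        # mode keyed with enc_key and bound to SPI and sequence number, so it never repeats.
        blocks = [hmac.new(self.enc_key, struct.pack(">IIQ", self.spi, seq, ctr),
                           hashlib.sha256).digest() for ctr in range((n + 31) // 32)]
        return b"".join(blocks)[:n]

    def protect(self, plaintext):
        """Build spi || seq || ciphertext || ICV; the ICV covers everything before it."""
        self.seq += 1
        ks = self._keystream(self.seq, len(plaintext))
        body = struct.pack(">II", self.spi, self.seq) + bytes(a ^ b for a, b in zip(plaintext, ks))
        icv = hmac.new(self.auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
        return body + icv

    def unprotect(self, packet):
        """Return the plaintext, or None when the integrity or anti-replay check fails."""
        if len(packet) < 8 + ICV_LEN:
            return None
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        expected = hmac.new(self.auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):  # verify before touching the payload
            return None
        spi, seq = struct.unpack(">II", body[:8])
        if spi != self.spi or seq == 0:
            return None
        if seq <= self.highest - self.window or seq in self.seen:  # too old or replayed
            return None
        self.seen.add(seq)
        self.highest = max(self.highest, seq)
        self.seen = {s for s in self.seen if s > self.highest - self.window}
        ks = self._keystream(seq, len(body) - 8)
        return bytes(a ^ b for a, b in zip(body[8:], ks))
```

A tampered packet fails the ICV check before any state changes, and a replayed one is rejected by the window, which is why a real SA can detect both without the receiver ever decrypting them.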
Encryption Explained
- Used to convert data to a secret code for transmission over an untrusted network
[Figure: clear text "The cow jumped over the moon" -> encryption algorithm -> encrypted text "4hsd4e3mjvd3sda1d38esdf2w4d"]

Symmetric Encryption
- Same key used to encrypt and decrypt the message
- Faster than asymmetric encryption
- Used by IPSec to encrypt the actual message data
- Examples: DES, 3DES, RC5, Rijndael
[Figure: both parties hold the same shared secret key]

Asymmetric Encryption
- Different keys used to encrypt and decrypt the message (one public, one private)
- Provides non-repudiation of the message or message integrity
- Examples include RSA, DSA, SHA-1, MD-5
[Figure: Bob encrypts with Alice's public key; Alice decrypts with Alice's private key]

Key Management
- Shared secret
  - Simplest method; does not scale
  - Two sites share the key out-of-band (over telephone, mail, etc.)
- Public Key Infrastructure
  - Provides a method of issuing and managing public/private keys for large deployments
- Internet Key Exchange
  - Automates the exchange of keys for scalability and efficiency

What are Keys?
- An encryption key is:
  - A series of numbers and letters...
  - ...used in conjunction with an encryption algorithm...
  - ...to turn plain text into encrypted text and back into plain text
- The longer the key, the stronger the encryption

What is Key Management?
- A mechanism for distributing keys either manually or automatically
- Includes:
  - Key generation
  - Certification
  - Distribution
  - Revocation

Internet Key Exchange (IKE)
- Automates the exchange of security associations and keys between two VPN sites
- IKE provides:
  - Automation and scalability
  - Improved security
  - Encryption keys can be changed frequently
- Hybrid IKE
  - Proposed standard designed by Check Point
  - Allows use of existing authentication methods
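The key agreement that IKE automates, as an added example for the Key Management and IKE slides above (not Check Point's Hybrid IKE and not any IKE implementation's code): one Diffie-Hellman exchange plus the RFC 2409 pre-shared-key derivation SKEYID = prf(pre-shared-key, Ni | Nr). The group parameters are a constructed toy (p = 2^127 - 1, g = 3) chosen so the arithmetic stays readable; real IKE uses MODP groups of 1024 bits and up, and the initiator/responder cookies that RFC 2409 mixes into SKEYID_d are omitted.

```python
import hashlib
import hmac
import secrets

# Toy group for readability only: real IKE negotiates MODP groups of 1024 bits and up.
P = (1 << 127) - 1
G = 3


class IkePeer:
    """One side of an IKE phase 1 exchange authenticated by a pre-shared key."""

    def __init__(self, psk):
        self.psk = psk
        self.x = secrets.randbelow(P - 2) + 1   # private Diffie-Hellman exponent, never sent
        self.nonce = secrets.token_bytes(16)    # Ni or Nr, sent in the clear

    def public(self):
        return pow(G, self.x, P)                # g^x, sent in the clear

    def derive(self, peer_public, ni, nr):
        # g^xy is computable only by the two peers; an observer sees g^x, g^y and the nonces.
        shared = pow(peer_public, self.x, P).to_bytes(16, "big")
        # RFC 2409 pre-shared-key case: SKEYID = prf(pre-shared-key, Ni | Nr), prf = HMAC-SHA-1.
        skeyid = hmac.new(self.psk, ni + nr, hashlib.sha1).digest()
        # SKEYID_d = prf(SKEYID, g^xy | ...) seeds the keys later handed to the IPSec SAs
        # (the cookies RFC 2409 includes here are omitted in this example).
        return hmac.new(skeyid, shared, hashlib.sha1).digest()


def exchange(initiator_psk, responder_psk):
    """Run one exchange; return the keying material each side derived."""
    init, resp = IkePeer(initiator_psk), IkePeer(responder_psk)
    # Each side learns only the other's public value and nonce.
    k_init = init.derive(resp.public(), init.nonce, resp.nonce)
    k_resp = resp.derive(init.public(), init.nonce, resp.nonce)
    return k_init, k_resp
```

Because the pre-shared key is folded into SKEYID, two peers that were given different secrets end up with different keys and cannot finish the exchange, which is how the shared secret authenticates the Diffie-Hellman values without ever being sent.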
Different Types of VPN/Firewall Topologies
- Firewall - VPN - Internet (VPN device outside the firewall): the VPN device is vulnerable to Internet attack, e.g. denial of service
- VPN - Firewall - Internet (VPN device inside the firewall): two connections to the firewall for every communication request
- VPN device alongside the firewall, both on the Internet: the VPN bypasses the security policy; denial of service
- Only integrated VPN/firewall solutions can deliver full access control and consistent security policy enforcement

Protecting Remote Access VPNs
- The problem:
  - Remote access VPN clients can be "hijacked"
  - Allows attackers into the internal network
- The solution:
  - Centrally managed personal firewall on VPN clients
[Figure: attacker on the Internet reaching a VPN client connected by cable or xDSL]

Summary
- Virtual Private Networks have become mission-critical applications
- IPSec is the leading protocol for creating enterprise VPNs
  - Provides encryption, authentication, and data integrity
- Organizations should look for:
  - Integrated firewalls and VPNs
  - Centralized management of VPN client security
  - A method to provide VPN QoS