An Introduction to VPN Technology
QTS Ongoing Education Series
Check Point Facts
History of Check Point Software
Founded June 1993
IPO June 1996
Strong growth in revenues and profits
Global market leadership
62% VPN market share (Datamonitor, 2001)
42% firewall market share (#1 Position - IDC, 2000)
De-facto standard for Internet security
Strong business model
Technology innovation and leadership
Technology partnerships
Strong and diversified channel partnerships
©2001 Check Point Software Technologies Ltd. - Proprietary & Confidential -2-
Check Point's Solid Foundation
Financial Strength
Last 12 Months
Revenues of $543M
Profit of $313M
Strong Balance Sheet
Market Leadership
220,000+ Installations
100,000+ VPN Gateways
83 Million+ VPN Clients
81,000+ Customers
1,500+ Channel Partners
300+ OPSEC Partners
Platform Choice - Open
Dedicated Appliances (Check Point pioneered the market):
Attractive entry-level price/performance
Easy set up
Network grade
Carrier class
Open Systems:
Wide variety of enterprise class platforms
60-80% of the market
Data center & ISPs
High performance / flexibility
Future Platforms:
Consumer & small business: cable & DSL
Wireless: GPRS, 2.5G-3G infrastructure
Multi-subscriber service providers: network services
OPSEC Partners
The Open Platform for Security
Open framework for security integration - "The Security OS"
Over 270 partners
Breadth of solutions
Choice
Certification
www.OPSEC.com
Voted #1 Partner Alliance Program
Enhanced Management Capabilities
SecureUpdate for OPSEC Partners
Central management of software install for OPSEC applications
OPSEC Application monitoring
Central monitoring of OPSEC applications alongside Check Point products
Open Management repository
Import/Export objects from management database
Agenda
What is a Virtual Private Network (VPN)?
VPN deployment situations
Why use VPNs?
Types of VPN protocols
IPSec VPNs
Components
A sample session
Deployment questions
What is a VPN?
A VPN is a private connection over an open network
A VPN includes authentication and encryption to protect
[Figure: Acme Corp and Acme Corp Site 2 joined by a VPN across the Internet]
Types of VPNs
Remote Access VPN
Provides access to internal corporate network over the Internet
Reduces long distance, modem bank, and technical support costs
[Figure: remote users connecting to the Corporate Site over the Internet]
Site-to-Site VPN
Connects multiple offices over Internet
Reduces dependencies on frame relay and leased lines
[Figure: Corporate Site and Branch Office connected over the Internet]
Extranet VPN
Provides business partners access to critical information (leads, sales tools, etc)
Reduces transaction and operational costs
[Figure: Corporate Site with Partner #1 and Partner #2 over the Internet]
Client/Server VPN
Protects sensitive internal communications
Most attacks originate within an organization
[Figure: LAN clients and a Database Server, with the Internet outside]
Alternate Technologies
Site-to-site/extranets
Frame relay, leased lines
Remote access
Dial-up modem banks
Why Use Virtual Private Networks?
More flexibility
Leverage ISP point of presence
Use multiple connection types (cable, DSL, T1, T3)
More scalability
Add new sites, users quickly
Scale bandwidth to meet demand
Lower costs
Reduced frame relay/leased line costs
Reduced long distance
Reduced equipment costs (modem banks, CSU/DSUs)
Reduced technical support
VPN-1 Return on Investment
Case History – Professional Services Company
Combined annual cost: $78,485 vs. $676,464, a difference of $597,980/yr
VPN ROI Calculator
Tool URL:
http://www.checkpoint.com/products/vpn1/roi_calculators/index.html
Components of a VPN
Encryption
Message authentication
Entity authentication
Key management
Point-to-Point Tunneling Protocol
Layer 2 remote access VPN distributed with Windows product family
Addition to Point-to-Point Protocol (PPP)
Allows multiple Layer 3 protocols
Uses proprietary authentication and encryption
Limited user management and scalability
Known security vulnerabilities
[Figure: Remote PPTP Client - Internet - PPTP RAS Server - Corporate Network; Remote L2TP Client - Internet - L2TP Server - Corporate Network]
Components of an IPSec VPN
Encryption: DES, 3DES, and more
Message Authentication: HMAC-MD5, HMAC-SHA-1, or others
Entity Authentication: Digital Certificates, Shared Secrets, Hybrid Mode IKE
Key Management: Internet Key Exchange (IKE), Public Key Infrastructure (PKI)
Security Associations
An agreement between two parties about:
Authentication and encryption algorithms
Key exchange mechanisms
And other rules for secure communications
Security associations are negotiated at least once per session – possibly more often for additional security
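To make the components on the two slides above concrete (algorithms agreed in a security association, encryption of the payload, an HMAC integrity check value), here is an added Go example that is not from the original deck and not Check Point's code. It protects a packet under a negotiated SA with AES-128-CTR plus HMAC-SHA1-96 in ESP style and shows the receiver rejecting a tampered packet before any decryption; the SA fields, key lengths, header layout and the simplified packet format are assumptions for the example, not the IPSec wire format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"encoding/binary"
)
const hdrLen, ivLen, icvLen = 8, aes.BlockSize, 12 // SPI+seq | CTR IV | HMAC-SHA1-96 ICV
// SA is what IKE negotiates: an SPI, the algorithms (fixed here to AES-128-CTR with HMAC-SHA1-96) and keys.
type SA struct {
	SPI     uint32
	Seq     uint32       // sender's sequence number, incremented per packet
	AuthKey []byte       // 20-byte HMAC-SHA1 key
	Enc     cipher.Block // AES-128 built from the 16-byte encryption key
}
func NewSA(spi uint32, encKey, authKey []byte) (*SA, error) {
	block, err := aes.NewCipher(encKey) // rejects keys that are not 16/24/32 bytes
	if err != nil {
		return nil, err
	}
	return &SA{SPI: spi, AuthKey: authKey, Enc: block}, nil
}
// icv is the message-authentication component: HMAC-SHA1 truncated to 96 bits.
func (sa *SA) icv(data []byte) []byte {
	mac := hmac.New(sha1.New, sa.AuthKey)
	mac.Write(data)
	return mac.Sum(nil)[:icvLen]
}
// Protect builds an ESP-style packet: SPI | seq | IV | ciphertext | ICV.
func (sa *SA) Protect(plaintext []byte) []byte {
	sa.Seq++
	pkt := make([]byte, hdrLen+ivLen, hdrLen+ivLen+len(plaintext)+icvLen)
	binary.BigEndian.PutUint64(pkt, uint64(sa.SPI)<<32|uint64(sa.Seq))
	rand.Read(pkt[hdrLen:]) // fresh random IV for every packet (never reuse an IV with CTR)
	pkt = append(pkt, plaintext...)
	cipher.NewCTR(sa.Enc, pkt[hdrLen:hdrLen+ivLen]).XORKeyStream(pkt[hdrLen+ivLen:], pkt[hdrLen+ivLen:])
	return append(pkt, sa.icv(pkt)...) // encrypt-then-MAC: ICV covers header, IV and ciphertext
}
// Unprotect checks length, ICV (constant-time compare) and SPI before decrypting; forged, tampered or truncated packets yield ok=false.
func (sa *SA) Unprotect(pkt []byte) (pt []byte, ok bool) {
	n := len(pkt) - icvLen
	if n < hdrLen+ivLen || !hmac.Equal(pkt[n:], sa.icv(pkt[:n])) || binary.BigEndian.Uint32(pkt) != sa.SPI {
		return nil, false
	}
	pt = make([]byte, n-hdrLen-ivLen)
	cipher.NewCTR(sa.Enc, pkt[hdrLen:hdrLen+ivLen]).XORKeyStream(pt, pkt[hdrLen+ivLen:n])
	return pt, true
}
```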
Encryption Explained
Used to convert data to a secret code for transmission over an untrusted network
Symmetric Encryption
Same key used to encrypt and decrypt message
Faster than asymmetric encryption
Used by IPSec to encrypt actual message data
Examples: DES, 3DES, RC5, Rijndael
Asymmetric Encryption
Different keys used to encrypt and decrypt message (one public, one private)
Provides non-repudiation of message or message integrity
Examples include RSA, DSA, SHA-1, MD-5
[Figure: Bob and Alice exchanging a message]
Key Management
Shared Secret
Simplest method; does not scale
Two sites share key out-of-band (over telephone, mail, etc)
Public Key Infrastructure
Provides method of issuing and managing public/private keys for large deployments
Internet Key Exchange
Automates the exchange of keys for scalability and efficiency
What are Keys?
An Encryption Key is a series of numbers and letters used in conjunction with an encryption algorithm to turn plain text into encrypted text and back into plain text
The longer the key, the stronger the encryption
What is Key Management?
A mechanism for distributing keys either manually or automatically
Includes:
Key generation
Certification
Distribution
Revocation
Internet Key Exchange (IKE)
Automates the exchange of security associations and keys between two VPN sites
IKE provides:
Automation and scalability
Improved security
Encryption keys can be changed frequently
Hybrid IKE
Proposed standard designed by Check Point
Allows use of existing authentication methods
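As an added illustration of what IKE automates (not the deck's own material and not Check Point's implementation), the following Go code has two gateways perform an ephemeral Diffie-Hellman exchange over X25519 and derive matching encryption and authentication keys with HMAC as the PRF, in the spirit of IKE's SKEYID derivation. The nonces, the labels and the simplified derivation schedule are assumptions for this example, not the IKE specification.

```go
package main

import (
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
)

// Peer holds one gateway's ephemeral Diffie-Hellman key pair for a single exchange.
// Example only; the real IKE message formats and derivation steps are not modelled.
type Peer struct{ priv *ecdh.PrivateKey }

func NewPeer() (*Peer, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Peer{priv: priv}, nil
}

// Public returns the value sent to the other gateway; only this crosses the network.
func (p *Peer) Public() []byte { return p.priv.PublicKey().Bytes() }

// prf mirrors IKE's use of HMAC as the pseudo-random function for key derivation.
func prf(key, data []byte) []byte {
	mac := hmac.New(sha1.New, key)
	mac.Write(data)
	return mac.Sum(nil)
}

// DeriveKeys computes the shared secret from the peer's public value and, with the
// two nonces, expands it into a 16-byte encryption key and a 20-byte auth key.
// Each side runs this with the other's public value and obtains identical keys.
func (p *Peer) DeriveKeys(peerPub, nonceI, nonceR []byte) (encKey, authKey []byte, err error) {
	pub, err := ecdh.X25519().NewPublicKey(peerPub) // rejects malformed values
	if err != nil {
		return nil, nil, err
	}
	shared, err := p.priv.ECDH(pub) // g^xy; never leaves this host
	if err != nil {
		return nil, nil, err
	}
	// Simplified IKE-style schedule (assumption for this example):
	// SKEYID = prf(Ni | Nr, g^xy), then one prf call with a label per key.
	skeyid := prf(append(append([]byte{}, nonceI...), nonceR...), shared)
	encKey = prf(skeyid, []byte("encryption"))[:16]
	authKey = prf(skeyid, []byte("authentication"))[:20]
	return encKey, authKey, nil
}
```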
Different Types of VPN/Firewall Topologies
[Figure: Firewall - VPN device - Internet]
VPN device is vulnerable to Internet attack, e.g. denial of service
Protecting Remote Access VPNs
The Problem:
Remote access VPN clients can be "hijacked"
Allows attackers into internal network
The Solution:
Centrally managed personal firewall on VPN clients
[Figure: Attacker reaching a VPN client connected over cable or xDSL and the Internet]
Summary
Virtual Private Networks have become mission-critical applications
IPSec is the leading protocol for creating enterprise VPNs
Provides encryption, authentication, and data integrity
Organizations should look for:
Integrated firewalls and VPNs
Centralized management of VPN client security
A method to provide VPN QoS