between enterprises, partners, branch offices and mobile users have become essential to business
dedicated point-to-point connections between networks were employed for fully private inter-enterprise commerce and long distance transactions. However, the inflexibility and prohibitive cost of this approach prevented its widespread use. Enterprises are increasingly using public networks, such as the Internet, as a flexible, cost-effective connection between their private networks.
A private network that utilizes some public network segments is called a Virtual Private Network or VPN. A VPN is significantly less expensive and more flexible than a dedicated private network, making global connectivity feasible and affordable for businesses of any size. Each private network need only be connected to a local Internet provider and adding new connections is simple and inexpensive.
However, public networks expose corporations to the following dangers:
Check Point FireWall-1 allows enterprises to take full advantage of Virtual Private Networks in a completely secure environment. FireWall-1's encryption services establish secure communication channels over the Internet, assuring full privacy, authenticity and data integrity in corporate internetworking.
Check Point FireWall-1 provides transparent, selective encryption for a wide range of services, allowing organizations to make full use of the Internet for all business and connectivity needs. Multiple encryption schemes, key management and an internal Certificate Authority are fully integrated with other FireWall-1 features. FireWall-1's intuitive graphical interface makes it simple to define and manage encryption in an enterprise security policy.
Firewall gateways can encrypt data communications traveling over the Internet between disparate networks, thereby creating a secure or Virtual Private Network. FireWall-1 implements encryption for corporate internetworks without the need to install and configure encryption software on each host in each network involved. A FireWall-1 gateway performs encryption on behalf of its encryption domain: the local area network (LAN) or group of networks that it protects. Packets traveling over the public segment of the connection are encrypted, while on the internal network, behind the gateway, packets are not encrypted.
FireWall-1's selective encryption feature allows the transmission of both clear and encrypted data between the same workstations and networks. Instead of encrypting all communications between corporate networks, FireWall-1 allows administrators to define the specific services that require encryption, resulting in greatly enhanced performance.
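The gateway decision described in the two paragraphs above, modelled as an added Python example (not Check Point code and not FireWall-1 rule syntax). The gateway names, address ranges, selected services and action labels are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Gateway:
    name: str
    encryption_domain: tuple  # networks the gateway encrypts on behalf of

    def protects(self, addr: str) -> bool:
        ip = ipaddress.ip_address(addr)
        return any(ip in net for net in self.encryption_domain)

# Constructed topology: two sites, each behind one gateway.
HQ = Gateway("hq-gw", (ipaddress.ip_network("10.1.0.0/16"),))
BRANCH = Gateway("branch-gw", (ipaddress.ip_network("10.2.0.0/16"),
                               ipaddress.ip_network("10.3.0.0/24")))

# Assumed policy: only these (protocol, port) services are encrypted.
ENCRYPTED_SERVICES = {("tcp", 23), ("tcp", 1521)}

def outbound_action(local, peers, src, dst, proto, port):
    """Return how the `local` gateway treats a packet from src to dst."""
    if not local.protects(src):
        return "not-ours"            # source is outside this gateway's domain
    if local.protects(dst):
        return "internal-clear"      # stays behind the gateway, never encrypted
    peer = next((p for p in peers if p.protects(dst)), None)
    if peer is None:
        return "clear"               # no peer gateway can decrypt for this host
    if (proto, port) in ENCRYPTED_SERVICES:
        return "encrypt-for:" + peer.name
    return "clear"                   # same hosts, service not selected

if __name__ == "__main__":
    for pkt in [("10.1.5.10", "10.2.0.7", "tcp", 23),
                ("10.1.5.10", "10.2.0.7", "tcp", 80),
                ("10.1.5.10", "192.0.2.50", "tcp", 23)]:
        print(pkt, "->", outbound_action(HQ, [BRANCH], *pkt))
```

The second and third packets show the security-relevant consequence of selective encryption: any service left off the list, and any destination outside a peer's encryption domain, crosses the public segment in the clear, so the service list and the domain definitions need the same review as the rest of the policy.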
Multiple Encryption Schemes
Check Point FireWall-1 supports four key management schemes:
Interoperability between different network security solutions is a requirement in today's world of Internet-based global communications. Two examples illustrate this requirement:
1) A large, multinational company with several remote offices and subsidiaries whose IS departments have operated independently. One or more different network security solutions may have been deployed across the company. For the company to conduct secure, encrypted communications using the Internet, these disparate solutions must have the ability to interoperate, enabling encryption and decryption of communications regardless of the security application.
2) A company that wishes to implement an extranet, providing partners, distributors and customers access to important business information while keeping sensitive corporate data secure. Each company may have implemented a different network security solution, requiring interoperability to ensure the effectiveness of the extranet.
Emerging Security Protocol Standards - Interoperability Testing
In May 1997, at Networld+Interop Spring in Las Vegas, fifteen companies, including Check Point Software Technologies Ltd., Cisco, Entrust Technologies, FTP Software Inc., IRE, Microsoft, Raptor, Timestep Corporation, and Trusted Information Systems, demonstrated IPsec interoperability, ushering in the era of vendor independence in network security.
Check Point Software Technologies is also actively involved in the interoperability trials for ISAKMP/Oakley, selected as the encryption key management system for IPsec starting with IPv6. Check Point has already demonstrated an interoperable solution and will continue to play a leading role in delivering this technology.
High Efficiency and Performance
FireWall-1 FWZ encryption (unless using SecuRemote encapsulation) does not alter communication length, maintains MTU validity and eliminates packet fragmentation, thus achieving the highest performance available over the network. FireWall-1 supports encryption speeds greater than 10 Mb/sec through a standard desktop workstation. In addition, routing priorities and policies are preserved.
VPN Extended to Remote Users
FireWall-1 SecuRemote extends the Virtual Private Network to the desktop and laptop. Mobile and remote Microsoft Windows 95 and NT users can connect to their enterprise networks via dial-up Internet connections, either directly to the server or through Internet Service Providers, and transfer sensitive corporate data as safely and securely as from behind the corporate Internet FireWall.
FireWall-1 SecuRemote is based on a technology called Client Encryption, which encrypts data before it leaves the laptop, providing a completely secure solution for any IP communication. There is no need to change any of the existing network applications on the user's PC. FireWall-1 SecuRemote can interface with any existing adapter or TCP/IP stack and can be connected to several different sites that use VPNs.
SecuRemote is completely integrated with all FireWall-1 features, including authentication, logging, and alerting. After a FireWall-1 SecuRemote user is authenticated, a completely transparent secured connection is established and the user is treated just as any user in the Virtual Private Network.
FireWall-1 SecuRemote includes the following features:
FireWall-1 SecuRemote works in conjunction with the Encryption Module. Customers only need to purchase the Encryption Module for the firewalled point of access, since the FireWall-1 SecuRemote client is free of charge. Once the Encryption Module is set up on the firewall gateway, simply download the FireWall-1 SecuRemote client from Check Point's web site or distribute it from the CD-ROM, and install it on the client system. Since FireWall-1 provides an integrated CA, installation and configuration are simple to perform.