Encryption

Long-distance communications between enterprises, partners, branch offices and mobile users have become essential to business relationships. Historically, dedicated point-to-point connections between networks were employed for fully private inter-enterprise commerce and long distance transactions. However, the inflexibility and prohibitive cost of this approach prevented its widespread use. Enterprises are increasingly using public networks, such as the Internet, as a flexible, cost-effective connection between their private networks. 

A private network that utilizes some public network segments is called a Virtual Private Network or VPN. A VPN is significantly less expensive and more flexible than a dedicated private network, making global connectivity feasible and affordable for businesses of any size. Each private network need only be connected to a local Internet provider and  adding new connections is simple and inexpensive. 

However, public networks expose corporations to the following dangers: 

  • break-ins — unauthorized Internet access to internal networks
  • eavesdropping and tampering — monitoring and/or altering enterprise communications as they travel over the Internet

Check Point FireWall-1 allows enterprises to take full advantage of Virtual Private Networks - in a completely secure environment. FireWall-1's encryption services establish secure communication channels over the Internet, assuring full privacy, authenticity and data integrity in corporate internetworking. 

FireWall-1 Encryption

Check Point FireWall-1 provides transparent, selective encryption for a wide range of services, allowing organizations to make full use of the Internet for all business and connectivity needs. Multiple encryption schemes, key management and an internal Certificate Authority are fully integrated with other FireWall-1 features. FireWall-1's intuitive graphical interface makes it simple to define and manage encryption in an enterprise security policy. 

Secure VPNs 

Firewall gateways can encrypt data communications traveling over the Internet between disparate networks, thereby creating a secure or Virtual Private Network. FireWall-1 implements encryption for corporate internetworks without the need to install and configure encryption software on each host in each network involved. A FireWall-1 gateway performs encryption on behalf of its encryption domain — the local area network (LAN) or group of networks that it protects. Packets traveling over the public segment of the connection are encrypted, while on the internal network - behind the gateway - packets are not encrypted. 

Selective Encryption 

FireWall-1's selective encryption feature allows the transmission of both clear and encrypted data between the same workstations and networks. Instead of encrypting all communications between corporate networks, FireWall-1 allows administrators to define the specific services that require encryption resulting in greatly enhanced performance. 
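As an added example (not Check Point's code), the encryption-domain and selective-encryption decisions described in the two sections above, modelled as a small gateway rule-base evaluator; the gateway names, address ranges, services and rules are constructed assumptions, not a real policy.

```python
# Added illustration: how a gateway that encrypts "on behalf of" its encryption
# domain decides, per connection, whether traffic is encrypted, passed in the
# clear, or left to the ordinary (non-VPN) rule base.  All values constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical encryption domains: the LAN(s) each gateway protects.
DOMAINS = {
    "hq_gw":     [ip_network("10.1.0.0/16")],
    "branch_gw": [ip_network("10.2.0.0/16"), ip_network("10.3.0.0/24")],
}

@dataclass(frozen=True)
class Rule:
    src_domain: str
    dst_domain: str
    services: frozenset   # frozenset({"*"}) matches any service
    action: str           # "encrypt" or "accept" (clear)

# Selective encryption: only the listed services are encrypted between the two
# domains; everything else between them crosses the Internet in the clear.
RULES = [
    Rule("hq_gw", "branch_gw", frozenset({"smtp", "http", "ftp"}), "encrypt"),
    Rule("hq_gw", "branch_gw", frozenset({"*"}), "accept"),
]

def domain_of(addr: str):
    """Return the gateway whose encryption domain contains addr, else None."""
    ip = ip_address(addr)
    for gw, nets in DOMAINS.items():
        if any(ip in net for net in nets):
            return gw
    return None

def decide(src: str, dst: str, service: str) -> str:
    """First-match rule evaluation; a rule covers both directions of a
    connection (simplification of a directional rule base)."""
    s, d = domain_of(src), domain_of(dst)
    if s is None or d is None:
        return "no-vpn"            # peer outside every known domain: normal rules apply
    if s == d:
        return "clear-internal"    # never leaves the LAN behind the gateway
    for r in RULES:
        if {r.src_domain, r.dst_domain} == {s, d} and \
                (service in r.services or "*" in r.services):
            return r.action
    return "no-vpn"
```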

Multiple Encryption Schemes

Check Point FireWall-1 supports four key management schemes: 

  1. FWZ: an efficient, in-place proprietary key management scheme that uses FWZ-1 (a worldwide exportable encryption algorithm) and DES (North America only). 
  2. Manual IPSec: an encryption and authentication scheme that uses fixed keys, which are exchanged manually. 
  3. SKIP (Simple Key Management for Internet Protocol): a key management protocol which defines the way in which encryption and authentication keys can be securely shared between two parties. SKIP with RC4-40 encryption and 512-bit public keys is available for worldwide export.
  4. ISAKMP/Oakley (IKE): IKE (Internet Key Exchange) provides automated protocol negotiation and key exchange for IPSec encryption. IKE is the official Internet standard for VPN interoperability and is required by the Automotive Network eXchange (ANX). Currently, Check Point is one of only six vendors who have achieved IPSec IKE compliance through the ICSA.

Manual IPSec and SKIP are specific implementations of published draft standards from the IP Security Protocol Working Group (IPSec) within the IETF. Without encryption standards, the same proprietary encryption implementation would have to be used at each of the end points of an encryption domain. Recognizing the need for interoperability in security mechanisms, the goal of IPSec is to describe a general framework for IP layer encryption and authentication. The draft standards which have been published by this forum describe the use of DES and Triple DES for encryption and MD5 and SHA-1 for authentication and data integrity. 

Interoperability between different network security solutions is a requirement in today's world of Internet-based global communications. Two examples illustrate this requirement:

1) A large, multinational company with several remote offices and subsidiaries whose IS departments have operated independently. One or more different network security solutions may have been deployed across the company. For the company to conduct secure, encrypted communications using the Internet, these disparate solutions must have the ability to interoperate, enabling encryption and decryption of communications regardless of the security application.

2) A company that wishes to implement an extranet, providing partners, distributors and customers access to important business information while keeping sensitive corporate data secure. Each company may have implemented a different network security solution, requiring interoperability to ensure the effectiveness of the extranet. 

Emerging Security Protocol Standards - Interoperability Testing

In May 1997, at Networld+Interop Spring in Las Vegas, fifteen companies, including Check Point Software Technologies Ltd., Cisco, Entrust Technologies, FTP Software Inc., IRE, Microsoft, Raptor, Timestep Corporation, and Trusted Information Systems demonstrated IPsec interoperability, ushering in the era of vendor independence in network security. 

Check Point Software Technologies is also actively involved in the interoperability trials for ISAKMP/Oakley, selected as the encryption key management system for IPSec starting with IPv6. Check Point has already demonstrated an interoperable solution and will continue to play a leading role in delivering this technology. 

High Efficiency and Performance

FireWall-1 FWZ encryption (unless using SecuRemote encapsulation) does not alter communication length, maintains MTU validity and eliminates packet fragmentation, thus achieving the highest performance available over the network.  FireWall-1 supports encryption speeds greater than 10 Mb/sec through a standard desktop workstation.  In addition, routing priorities and policies are preserved. 

VPN Extended to Remote Users 

FireWall-1 SecuRemote extends the Virtual Private Network to the desktop and laptop. Mobile and remote Microsoft Windows 95 and NT users can connect to their enterprise networks via dial-up Internet connections — either directly to the server or through Internet Service Providers — and transfer sensitive corporate data as safely and securely as from behind the corporate Internet FireWall. 

FireWall-1 SecuRemote is based on a technology called Client Encryption, which encrypts data before it leaves the laptop, providing a completely secure solution for any IP communication. There is no need to change any of the existing network applications on the user's PC. FireWall-1 SecuRemote can interface with any existing adapter or TCP/IP stack and can be connected to several different sites that use VPNs. 

SecuRemote is completely integrated with all FireWall-1 features, including authentication, logging, and alerting. After a FireWall-1 SecuRemote user is authenticated, a completely transparent secured connection is established and the user is treated just as any user in the Virtual Private Network. 

FireWall-1 SecuRemote includes the following features: 

  • support for dynamic IP addressing, which is necessary for dial-up communication
  • strong user authentication
  • strong encryption using FWZ1 or DES algorithm
  • enabling interoperability with Public Key Infrastructures (PKI) using Entrust X.509 Digital Certificates and Entrust Certificate Authority (CA) technology

FireWall-1 SecuRemote works in conjunction with the Encryption Module. Customers only need to purchase the Encryption Module for the firewalled point of access, since the FireWall-1 SecuRemote client is free of charge. Once the Encryption Module is set up on the firewall gateway, simply download the FireWall-1 SecuRemote client from Check Point's web site or distribute it from the CD-ROM, and install it on the client system. Since FireWall-1 provides an integrated CA, installation and configuration are simple to perform.

© 1999 Check Point Software Technologies Ltd. All rights reserved. Used with permission.