Virtual Private Networks
Administration Guide Version NGX R65
All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.
RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.
TRADEMARKS:
©2003-2007 Check Point Software Technologies Ltd. All rights reserved. Check Point, AlertAdvisor, Application Intelligence, Check Point Express, Check Point Express CI, the Check Point logo, ClusterXL, Confidence Indexing, ConnectControl, Connectra, Connectra Accelerator Card, Cooperative Enforcement, Cooperative Security Alliance, CoSa, DefenseNet, Dynamic Shielding Architecture, Eventia, Eventia Analyzer, Eventia Reporter, Eventia Suite, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer, FloodGate-1, Hacker ID, Hybrid Detection Engine, IMsecure, INSPECT, INSPECT XL, Integrity, Integrity Clientless Security, Integrity SecureClient, InterSpect, IPS-1, IQ Engine, MailSafe, NG, NGX, Open Security Extension, OPSEC, OSFirewall, Policy Lifecycle Management, Provider-1, Safe@Home, Safe@Office, SecureClient, SecureClient Mobile, SecureKnowledge, SecurePlatform, SecurePlatform Pro, SecuRemote, SecureServer, SecureUpdate, SecureXL, SecureXL Turbocard, Sentivist, SiteManager-1, SmartCenter, SmartCenter Express, SmartCenter Power, SmartCenter Pro, SmartCenter UTM, SmartConsole, SmartDashboard, SmartDefense, SmartDefense Advisor, Smarter Security, SmartLSM, SmartMap, SmartPortal,
SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartViewTracker, SofaWare, SSL Network Extender, Stateful Clustering,
Preface
Who Should Use This Guide 20
Summary of Contents 21
Section 1: Introduction to VPN Technology 21
Section 2: Site-to-Site VPN 21
Section 3: Remote Access VPN 23
Appendices 25
Related Documentation 26
More Information 29
Feedback 30
Introduction to VPN Technology
Chapter 1 Overview
The Connectivity Challenge 34
The Basic Check Point VPN Solution 35
What is VPN 35
Understanding the Terminology 37
Site to Site VPN 38
VPN Communities 38
Remote Access VPN 40
Chapter 2 IPSEC & IKE
Overview 42
Methods of Encryption and Integrity 45
Phase I modes 46
Renegotiating IKE & IPSec Lifetimes 47
Perfect Forward Secrecy 47
IP Compression 48
Subnets and Security Associations 49
Need for Integration with Different PKI Solutions 60
Supporting a Wide Variety of PKI Solutions 61
PKI and Remote Access Users 61
PKI Deployments and VPN 61
Trusting An External CA 64
Enrolling a Managed Entity 65
Validation of a Certificate 66
Special Considerations for PKI 69
Using the Internal CA vs Deploying a Third Party CA 69
Distributed Key Management and Storage 69
Configuration of PKI Operations 71
Trusting a CA – Step-By-Step 71
Enrolling with a Certificate Authority 74
Certificate Revocation (All CA Types) 78
Certificate Recovery and Renewal 79
Adding Matching Criteria to the Validation Process 80
CRL Cache Usage 80
Modifying the CRL Pre-Fetch Cache 81
Configuring CRL Grace Period 81
Configuring OCSP 82
Chapter 4 Introduction to Site to Site VPN
The Need for Virtual Private Networks 84
Confidentiality 84
Authentication 84
Integrity 84
The Check Point Solution for VPN 85
How it Works 85
VPN Communities 87
VPN Topologies 88
Authentication Between Community Members 93
Dynamically Assigned IP Gateways 94
Routing Traffic within a VPN Community 95
Access Control and VPN Communities 96
Excluded Services 97
Special Considerations for Planning a VPN Topology 98
Configuring Site to Site VPNs 99
Migrating from Traditional Mode to Simplified Mode 99
Configuring a Meshed Community Between Internally Managed Gateways 100
Configuring a Star VPN Community 101
Confirming a VPN Tunnel Successfully Opens 102
Configuring a VPN with External Gateways Using PKI 103
Configuring a VPN with External Gateways Using a Pre-Shared Secret 107
How to Authorize Firewall Control Connections in VPN Communities 110
Why Turning off FireWall Implied Rules Blocks Control Connections 110
Allowing Firewall Control Connections Inside a VPN 111
Site-to-Site VPN
Chapter 5 Domain Based VPN
Overview 116
VPN Routing and Access Control 117
Configuring Domain Based VPN 118
Configuring VPN Routing for Gateways via SmartDashboard 118
Configuration via Editing the VPN Configuration File 120
Configuring the ‘Accept VPN Traffic Rule’ 121
Configuring Multiple Hubs 121
Configuring ROBO Gateways 124
Chapter 6 Route Based VPN
Overview 126
VPN Tunnel Interface (VTI) 127
Numbered VTI 129
Unnumbered VTI 130
Using Dynamic Routing Protocols 131
Configuring Numbered VTIs 132
Enabling Route Based VPN 132
Numbered VTIs 132
VTIs in a Clustered Environment 135
Configuring VTIs in a Clustered Environment 136
Enabling Dynamic Routing Protocols on VTIs 143
Configuring Anti-Spoofing on VTIs 147
Configuring a Loopback Interface 149
Configuring Unnumbered VTIs 152
Routing Multicast Packets Through VPN Tunnels 156
Chapter 7 Tunnel Management
Overview 160
Permanent Tunnels 160
Overview 174
Automatic RIM 175
Custom Scripts 177
tnlmon.conf File 179
Injecting Peer Gateway Interfaces 180
Configuring RIM 182
Configuring RIM in a Star Community: 182
Configuring RIM in a Meshed Community: 183
Enabling the RIM_inject_peer_interfaces flag 184
Tracking Options 184
Chapter 9 Wire Mode
The Need for Wire Mode 186
The Check Point Solution 187
Wire Mode Scenarios 188
Wire Mode in a MEP Configuration 188
Wire Mode with Route Based VPN 189
Wire Mode Between Two VPN Communities 190
Special Considerations for Wire Mode 192
Configuring Wire Mode 193
Enabling Wire Mode on a VPN Community 193
Enabling Wire Mode on a Specific Gateway 193
Chapter 10 Directional VPN Enforcement
The Need for Directional VPN 196
The Check Point Solution 197
Directional Enforcement within a Community 197
Directional Enforcement between Communities 198
Configuring Directional VPN 200
Configuring Directional VPN Within a Community 200
Configuring Directional VPN Between Communities 201
Chapter 11 Link Selection
Overview 204
Using Link Selection 205
IP Selection by Remote Peer 205
Outgoing Route Selection 207
Using Route Based Probing 208
Responding Traffic 209
Source IP Address Settings 209
Link Selection Scenarios 211
Gateway with a Single External Interface 211
Gateway with a Dynamic IP Address (DAIP) 212
Gateway with Several IP Addresses Used by Different Parties 212
Gateway With One External Interface and One Interface Behind a Static NAT Device 213
Link Selection and ISP Redundancy 215
Early Versions Compatibility Resolving Mechanism 218
Configuring Link Selection 219
Resolving Addresses via Main and Single IPs 219
Resolving Addresses using DNS lookup 220
Resolving Addresses via Probing 220
Configuring Outgoing Route Selection 221
Configuring For Responding Traffic 221
Configuring Source IP Address Settings 222
Configuring On Demand links 223
Configuring the Early Version Compatibility Resolving Mechanism 224
Outgoing Link Tracking 224
Chapter 12 Multiple Entry Point VPNs
Overview 226
VPN High Availability Using MEP or Clustering 226
How It Works 227
Explicit MEP 228
MEP Selection Methods 229
Implicit MEP 236
Routing Return Packets 240
Special Considerations 242
Configuring MEP 243
Configuring Explicit MEP 243
Configuring Implicit MEP 244
Configuring IP Pool NAT 246
Chapter 13 Traditional Mode VPNs
Introduction to Traditional Mode VPNs 248
VPN Domains and Encryption Rules 249
Defining VPN Properties 251
Internally and Externally Managed Gateways 252
Considerations for VPN Creation 253
Choosing the Authentication Method 253
Choosing the Certificate Authority 253
Configuring Traditional Mode VPNs 254
Editing a Traditional Mode Policy 254
Configuring VPN Between Internal Gateways using ICA Certificates 255
Remote Access VPN
Chapter 14 Introduction to Remote Access VPN
Need for Remote Access VPN 266
The Check Point Solution for Remote Access 267
Enhancing SecuRemote with SecureClient Extensions 268
Establishing a Connection Between a Remote User and a Gateway 269
Remote Access Community 270
Identifying Elements of the Network to the Remote Client 270
Connection Mode 271
User Profiles 271
Access Control for Remote Access Community 272
Client-Gateway Authentication Schemes 272
Advanced Features 275
Alternatives to SecuRemote/SecureClient 275
VPN for Remote Access Considerations 276
Policy Definition for Remote Access 276
User Certificate Creation Methods when Using the ICA 276
Internal User Database vs External User Database 277
NT Group/RADIUS Class Authentication Feature 278
VPN for Remote Access Configuration 279
Establishing Remote Access VPN 280
Creating the Gateway and Defining Gateway Properties 282
Defining User and Authentication Methods in LDAP 282
Defining User Properties and Authentication Methods 282
Initiating User Certificates in the ICA Management Tool 282
Generating Certificates for Users in SmartDashboard 283
Initiating Certificates for Users in SmartDashboard 283
Configure Certificates Using Third Party PKI 284
Enabling Hybrid Mode and Methods of Authentication 285
Configuring Authentication for NT groups and RADIUS Classes 286
Using a Pre-Shared Secret 286
Defining an LDAP User Group 286
Defining a User Group 287
Defining a VPN Community and its Participants 287
Defining Access Control Rules 287
Installing the Policy 288
User Certificate Management 288
Modifying Encryption Properties for Remote Access VPN 290
Working with RSA’S Hard and Soft Tokens 291
Chapter 15 Office Mode
The Need for Remote Clients to be Part of the LAN 296
Office Mode Solution 297
Introducing Office Mode 297
How Office Mode Works 298
Assigning IP Addresses 300
Using Name Resolution - WINS and DNS 302
Anti Spoofing 303
Using Office Mode with Multiple External Interfaces 303
Office Mode Per Site 304
Enabling IP Address per User 306
The Problem 306
The Solution 306
Office Mode Considerations 309
IP pool Versus DHCP 309
Routing Table Modifications 309
Using the Multiple External Interfaces Feature 309
Configuring Office Mode 310
Office Mode — IP Pool Configuration 310
Configuring IP Assignment Based on Source IP Address 313
Office Mode via ipassignment.conf File 314
Subnet masks and Office Mode Addresses 314
Checking the Syntax 315
Office Mode — DHCP Configuration 316
Office Mode - Using a RADIUS Server 317
Office Mode Configuration on SecureClient 319
Office Mode per Site 319
Chapter 16 SecuRemote/SecureClient
The Need for SecureClient 322
The Check Point Solution 323
How it Works 323
SCV Granularity for VPN Communities 324
Blocking Unverified SCV Connections 325
Selective Routing 326
Desktop Security Policy 329
When is a Policy Downloaded? 329
Policy Expiration and Renewal 329
Prepackaged Policy 329
Policy Server High Availability 329
Wireless Hot Spot/Hotel Registration 330
Enable Logging 331
NAT Traversal Tunneling 332
Idleness Detection 333
Enable/Disable Switching Modes 343
Add HTML Help to Package 344
Configuring Idle Detection 345
Configuring the idleness_detection Property 345
Chapter 17 SecureClient Mobile
Overview of SecureClient Mobile 348
Connectivity Features 349
Session Continuation and Timeout 349
Initiate Dialup 350
Always Connected 350
Authentication Schemes 350
Support for Alternate Gateway 352
Gateway History 352
Allow Clear Traffic During ActiveSync and When Disconnected 352
Secure Configuration Verification (SCV) Traversal 353
Topology and Split Tunneling 354
Hub Mode (VPN Routing for Remote Access) 355
Office Mode 355
Visitor Mode (SSL Tunnel) 355
Security Policies and Client Decide 356
IP Firewall Policy 357
Connectivity Policy 358
General "GUI" Policy 359
Client Deployment, Repackaging and Upgrade 360
Installing SecureClient Mobile 361
SecureClient Mobile Gateway Side Installation 361
Module Support 361
Downloading HFAs 361
SmartCenter Server Support 362
Downloading SCM Management Patch 362
Management Patch Installation 362
Gateway Patch 363
Client Side Installation 364
Hardware and Software Requirements 364
Check Point Certificates and Locked Devices 364
CAB Package 365
MSI Package 366
Configuring SecureClient Mobile 368
Configuring a Gateway to Support SecureClient Mobile 369
Configuring the Gateway as a Member of a Remote Access Community 369
Load Sharing Cluster Support 371
Authentication Schemes 374
Configuring the Authentication Method 374
Re-authenticate Users 375
Configuring Encryption Methods 375
Certificates 375
Management of Internal CA Certificates 376
Importing a Certificate 376
Topology Update 377
Security Policy 377
Route All Traffic (Hub Mode) 378
Client Side Configuration 379
Connecting to a Site 379
Configuring Display Settings 379
Status Page 380
Advanced Configuration 381
Configuring a Non-Centrally Managed Gateway 392
Configuration in a Mixed SecureClient and SecureClient Mobile Environment 393
Client Deployment Overview 395
Package Customization 395
Adding a File to a CAB Package 396
Deleting a File from a CAB Package 397
Exporting the Client Configuration 398
Defining the Client Installation Version 399
Creating a CAB Package 399
Creating an MSI Package 400
Configuring the SAA Plugin 400
Troubleshooting 402
Enabling Log Files 402
Routing Table 402
IP Configuration 402
Error Messages 402
Additional Resources 404
Chapter 18 Packaging SecureClient
Introduction: The Need to Simplify Remote Client Installations 406
The Check Point Solution - SecureClient Packaging Tool 407
Overview 407
How Does Packaging Tool Work? 408
The MSI Packaging Solution 408
Creating a Preconfigured Package 409
Creating a New Package Profile 409
Generating a Package 410
Adding Scripts to a Package 411
Introducing Desktop Security 417
The Desktop Security Policy 418
Policy Server 420
Policy Download 420
Logs and Alerts 421
Desktop Security Considerations 422
Planning the Desktop Security Policy 422
Avoiding Double Authentication for Policy Server 423
Configuring Desktop Security 424
Server Side Configuration 424
Client Side Configuration 425
Chapter 20 Layer Two Tunneling Protocol (L2TP) Clients
The Need for Supporting L2TP Clients 428
Solution - Working with L2TP Clients 429
Introduction to L2TP Clients 429
Establishing a VPN between a Microsoft IPSec/L2TP Client and a Check Point Gateway 430
Behavior of an L2TP Connection 431
VPN-1 Power Gateway Requirements for IPSec/L2TP 431
Authentication of Users and Client Machines 432
User Certificate Purposes 435
Considerations for Choosing Microsoft IPSec/L2TP Clients 436
Configuring Remote Access for Microsoft IPSec/L2TP Clients 437
General Configuration Procedure 437
Configuring a Remote Access Environment 438
Defining the Client Machines and their Certificates 438
Configuring Office Mode and L2TP Support 438
Preparing the Client Machines 438
Placing the Client Certificate in the Machine Certificate Store 439
Placing the User Certificate in the User Certificate Store 440
Setting up the Microsoft IPSec/L2TP Client Connection Profile 440
Configuring User Certificate Purposes 441
Making the L2TP Connection 442
For More Information 443
Chapter 21 Secure Configuration Verification
The Need to Verify Remote Client’s Security Status 446
The Secure Configuration Verification Solution 447
Introducing Secure Configuration Verification 447
How does SCV work? 448
SCV Checks 450
Considerations regarding SCV 453
Planning the SCV Policy 453
User Privileges 453
Using pre-NG Clients with SCV 454
Configuring SCV 455
Client Side Configuration 456
SCV Policy Syntax 456
The local.scv Sets 460
A Complete Example of a local.scv File 462
Common Attributes 468
Chapter 22 VPN Routing - Remote Access
The Need for VPN Routing 484
Check Point Solution for Greater Connectivity and Security 485
Hub Mode (VPN Routing for Remote Clients) 486
Configuring VPN Routing for Remote Access VPN 490
Enabling Hub Mode for Remote Access clients 490
Configuration of Client to Client Routing by Including the Office Mode Range of Addresses in the VPN Domain of the Gateway 491
Client to Client via Multiple Hubs Using Hub Mode 491
Chapter 23 Link Selection for Remote Access Clients
Overview 494
IP Selection by Remote Peer 494
Link Selection for Remote Access Scenarios 496
Gateway with a Single External IP Address 496
Gateway with Multiple External IP Addresses 497
Calculate IP Based on Network Topology 498
Configuring Link Selection 499
Configuring the Early Version Compatibility Resolving Mechanism 500
Chapter 24 Using Directional VPN for Remote Access
Enhancements to Remote Access Communities 501
Configuring Directional VPN with Remote Access Communities 503
Chapter 25 Remote Access Advanced Configuration
Non-Private Client IP Addresses 506
Remote Access Connections 506
Solving Remote Access Issues 506
How to Prevent a Client Inside the Encryption Domain from Encrypting 507
The Problem 507
The Solution 507
Back Connections (Server to Client) 514
Sending Keep-Alive Packets to the Server 514
Auto Topology Update (Connect Mode only) 515
How to Work with non-Check Point Firewalls 516
Early SecuRemote/SecureClients Versions 517
Resolving Internal Names with the SecuRemote DNS Server 518
The Problem 518
The Solution 518
Chapter 26 Multiple Entry Point for Remote Access VPNs
The Need for Multiple Entry Point Gateways 522
The Check Point Solution for Multiple Entry Points 523
SecureClient Connect Profiles and MEP 523
Preferred Backup Gateway 524
Visitor Mode and MEP 525
Routing Return Packets 525
Disabling MEP 526
Configuring MEP 527
First to Respond 527
Primary-Backup 528
Load Distribution 529
Configuring Return Packets 529
Configuring Preferred Backup Gateway 530
Disabling MEP 531
Chapter 27 Userc.C and Product.ini Configuration Files
Introduction to Userc.C and Product.ini 534
The Userc.C File 534
The Product.ini file 535
Userc.C File Parameters 536
SecureClient 536
Encryption 539
Multiple Entry Point 543
Encrypted Back Connections 544
Topology 544
NT Domain Support 545
Miscellaneous 546
Product.ini Parameters 549
Chapter 28 SSL Network Extender
Introduction to the SSL Network Extender 554
How the SSL Network Extender Works 555
Commonly Used Concepts 556
Remote Access VPN 556
Remote Access Community 556
Office Mode 556
Integrity Clientless Security 557
Special Considerations for the SSL Network Extender 559
Pre-Requisites 559
Features 560
Configuring the SSL Network Extender 562
Configuring the Server 562
Configuring ICS Policies 570
Load Sharing Cluster Support 572
Customizing the SSL Network Extender Portal 573
Installation for Users without Administrator Privileges 577
SSL Network Extender User Experience 578
Configuring Microsoft Internet Explorer 578
About ActiveX Controls 579
Downloading and Connecting the Client 579
Uninstall on Disconnect 591
Using SSL Network Extender on Linux / Mac Operating Systems 591
Removing an Imported Certificate 596
Troubleshooting 598
SSL Network Extender Issues 598
ICS Issues 599
Chapter 29 Resolving Connectivity Issues
The Need for Connectivity Resolution Features 602
Check Point Solution for Connectivity Issues 603
Other Connectivity Issues 603
Overcoming NAT Related Issues 604
During IKE phase I 605
During IKE phase II 605
During IPSec 607
NAT and Load Sharing Clusters 609
Overcoming Restricted Internet Access 611
Visitor Mode 611
Configuring Remote Access Connectivity 615
Configuring IKE Over TCP 615
Configuring Small IKE phase II Proposals 616
Configuring NAT Traversal (UDP Encapsulation) 616
Configuring Visitor Mode 618
Configuring Remote Clients to Work with Proxy Servers 619
Configuring the Gateway 630
Configuring the Client 633
Appendices
Appendix A VPN Command Line Interface
VPN Commands 638
SecureClient Commands 640
Desktop Policy Commands 642
Appendix B Converting a Traditional Policy to a Community Based Policy
Introduction to Converting to Simplified VPN Mode 644
How Traditional VPN Mode Differs from a Simplified VPN Mode 645
How an Encrypt Rule Works in Traditional Mode 646
Principles of the Conversion to Simplified Mode 648
Placing the Gateways into the Communities 649
Conversion of Encrypt Rule 650
When the Converted Rule Base is too Restrictive 651
Conversion of Client Encrypt Rules 652
Conversion of Auth+Encrypt Rules 652
How the Converter Handles Disabled Rules 653
After Running the Wizard 653
Appendix C VPN Shell
Configuring a Virtual Interface Using the VPN Shell 656
Index 665
Preface
Who Should Use This Guide
This guide is intended for administrators responsible for maintaining network security within an enterprise, including policy management and user support.
This guide assumes a basic understanding of:
• System administration
• The underlying operating system
• Internet protocols (IP, TCP, UDP etc.)
Summary of Contents
This guide describes the VPN components of VPN-1 Power. It contains the following sections and chapters:
Section 1: Introduction to VPN Technology
This section describes the basic components of a VPN and provides the background for the technology that comprises the VPN infrastructure.
• Chapter 2, “IPSEC & IKE”: Description of encryption modes used to transport packets securely using VPN tunnels.
• Chapter 3, “Public Key Infrastructure”: Public Key Infrastructure is a system of certificate authorities that verify and authenticate the validity of each party exchanging information.
• Chapter 8, “Route Injection Mechanism”: Route Injection Mechanism (RIM) enables a VPN-1 Power gateway to use dynamic routing protocols to propagate the encryption domain of a VPN-1 Power peer gateway to the internal network and then initiate back connections.
• Chapter 9, “Wire Mode”: Describes how Wire Mode improves connectivity by allowing existing connections to fail over successfully by bypassing firewall enforcement.
• Chapter 10, “Directional VPN Enforcement”: Explains how to control the direction of VPN traffic between gateways.
• Chapter 11, “Link Selection”: Explanation of how the Link Selection feature is used to determine which interface is used for incoming and outgoing VPN traffic as well as the best possible path between gateway modules.
• Chapter 12, “Multiple Entry Point VPNs”: Description of how the Multiple Entry Point (MEP) feature provides a high availability and load sharing solution for VPN connections between peer gateways.
Section 3: Remote Access VPN
This section explains how to ensure secure communication between gateway modules and remote access clients.
• Chapter 15, “Office Mode”: Office Mode enables a VPN-1 Power gateway to assign a remote client an IP address.
• Chapter 16, “SecuRemote/SecureClient”: SecuRemote/SecureClient is a method that allows you to connect to your organization in a secure manner, while at the same time protecting your machine from attacks that originate on the Internet.
• Chapter 17, “SecureClient Mobile”: SecureClient Mobile is a client for mobile devices that includes a VPN and a firewall. SecureClient Mobile's VPN is based on SSL (HTTPS) tunneling and enables handheld devices to securely access resources behind Check Point gateways.
• Chapter 19, “Desktop Security”: Description of how SecureClient protects remote clients by enforcing a Desktop Security Policy on the remote client.
• Chapter 21, “Secure Configuration Verification”: Secure Configuration Verification (SCV) enables the administrator to monitor the configuration of remote computers, to confirm that the configuration complies with the organization’s Security Policy, and to block connectivity for machines that do not comply.
• Chapter 22, “VPN Routing - Remote Access”: Understanding how VPN Routing provides a way of controlling how VPN traffic is directed between gateway modules and remote access clients.
• Chapter 23, “Link Selection for Remote Access Clients”: Explanation of how the Link Selection feature is used to determine which interface is used for incoming and outgoing VPN traffic as well as the best possible path between gateway modules and remote access clients.
• Chapter 25, “Remote Access Advanced Configuration”: Understanding more complex remote access scenarios.
• Chapter 26, “Multiple Entry Point for Remote Access VPNs”: Description of how the Multiple Entry Point (MEP) feature provides a high availability and load sharing solution for VPN connections between peer gateways and remote access clients.
• Chapter 27, “Userc.C and Product.ini Configuration Files”
• Chapter 29, “Resolving Connectivity Issues”: Provides information on some of the challenges remote access clients face when connecting and various Check Point solutions.
• Chapter 30, “Clientless VPN”: Explanation of how Clientless VPN provides secure SSL-based communication between clients when VPN technology is not available.
• Chapter B, “Converting a Traditional Policy to a Community Based Policy”: Background to both traditional and simplified modes as well as instructions for converting policies.
• Chapter C, “VPN Shell”: Provides all the commands and arguments used for VTIs using the VPN Shell.
Related Documentation
The NGX R65 release includes the following documentation:
TABLE P-1 VPN-1 Power documentation suite
• Internet Security Product Suite Getting Started Guide: Contains an overview of NGX R65 and step by step product installation and upgrade procedures. This document also provides information about What’s New, Licenses, Minimum hardware and software requirements, etc.
• Upgrade Guide: Explains all available upgrade paths for Check Point products from VPN-1/FireWall-1 NG forward. This guide is specifically geared towards upgrading to NGX R65.
• Virtual Private Networks Administration Guide: This guide describes the basic components of a VPN and provides the background for the technology that comprises the VPN infrastructure.
• Eventia Reporter Administration Guide: Explains how to monitor and audit traffic, and generate detailed or summarized reports in the format of your choice (list, vertical bar, pie chart etc.) for all events logged by Check Point VPN-1 Power, SecureClient and SmartDefense.
• Provider-1/SiteManager-1 Administration Guide: Explains the Provider-1/SiteManager-1 security management solution. This guide provides details about a three-tier, multi-policy management architecture and a host of Network Operating Center oriented features that automate time-consuming repetitive tasks common in Network Operating Center environments.
TABLE P-2 Integrity Server documentation
Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments to:
cp_techpub_feedback@checkpoint.com
Introduction to VPN Technology
Chapter 1 Overview
The Connectivity Challenge
With the explosive growth in computer networks and network users, IT managers are faced with the task of consolidating existing networks, remote sites, and remote users into a single secure structure.
Branch offices require connectivity with other branch offices as well as the central organization. Remote users require enhanced connectivity features to cope with today’s changing networking environments. New partnership deals mean business to business connections with external networks.
Typically, consolidation needs to take place using existing infrastructure. For many, this means connectivity established via the Internet as opposed to dedicated leased lines. Remote sites and users must be unified while at the same time maintaining high levels of security. Once connectivity has been established, the connections must remain secure, offer high levels of privacy, authentication, and integrity while keeping costs low.
In addition, only legitimate traffic must be allowed to enter the internal network. Possibly harmful traffic must be inspected for content. Within the internal network, different levels of access must also exist so that sensitive data is only available to the right people.
The Basic Check Point VPN Solution
Virtual Private Networking technology leverages existing infrastructure (the Internet) as a way of building and enhancing existing connectivity in a secure manner. Based on standard Internet secure protocols, VPN implementation enables secure links between special types of network nodes: the VPN-1 Power module. Site to Site VPN ensures secure links between gateways. Remote Access VPN ensures secure links between gateways and remote access clients.
What is VPN
Check Point’s VPN-1 Power is an integrated software solution that provides secure connectivity to corporate networks, remote and mobile users, branch offices and business partners on a wide range of open platforms and security appliances.
Figure 1-1 shows the variety of applications and appliances suitable for VPN-1 Power, from hand-held PDAs and wireless laptops to mission critical networks and servers:
Figure 1-1 VPN-1 Power solutions
VPN-1 Power integrates access control, authentication, and encryption to guarantee the security of network connections over the public Internet.
A typical deployment places a VPN-1 Power gateway connecting the corporate network (from the Internet), and remote access software on the laptops of mobile users. Other remote sites are guarded by additional VPN-1 Power gateways, and communication between all components is regulated by a strict security policy.
VPN-1 Power Components
VPN-1 Power is composed of:
• VPN endpoints, such as gateways, clusters of gateways, or remote client software (for mobile users) which negotiate the VPN link.
• VPN trust entities, for example the Check Point Internal Certificate Authority. The ICA is part of the VPN-1 Power suite used for establishing trust for SIC connections between gateways, authenticating administrators and third party servers. The ICA provides certificates for internal gateways and remote access clients which negotiate the VPN link.
• VPN Management tools: SmartCenter Server and SmartDashboard. SmartDashboard is the SmartConsole used to access the SmartCenter Server Management. The VPN Manager is part of SmartDashboard. SmartDashboard enables organizations to define and deploy Intranet and Remote Access VPNs.
Understanding the Terminology
A number of terms are used widely in Secure VPN implementation, namely:
• VPN: A private network configured within a public network, such as the Internet.
• VPN Tunnel: An exclusive channel or encrypted link between gateways.
• VPN Topology: The basic element of VPN is the link or encrypted tunnel. Links are created between gateways. A collection of links is a topology. The topology shows the layout of the VPN. Two basic topologies found in VPN are Mesh and Star.
• VPN Gateway: The endpoint for the encrypted connection, which can be any peer that supports the IPSec protocol framework. Gateways can be single standalone modules or arranged into clusters for “high availability” and “load sharing”.
• VPN Domain: A group that specifies the hosts or networks for which encryption of IP datagrams is performed. A VPN gateway provides an entrance point to the VPN Domain.
• Site to Site VPN: Refers to a VPN tunnel between gateways.
• Remote Access VPN: Refers to remote users accessing the network with client software such as SecuRemote/SecureClient or third party IPSec clients. The VPN-1 Power gateway provides a Remote Access Service to the remote clients.
• Encryption algorithm: A set of mathematically expressed processes for rendering information into a meaningless form, the mathematical transformations and conversions controlled by a special key. In VPN, various encryption algorithms such as 3DES and AES ensure that only the communicating peers are able to understand the message.
• Integrity: Integrity checks (via hash functions) ensure that the message has not been intercepted and altered during transmission.
• Trust: Public key infrastructure (PKI), certificates and certificate authorities are employed to establish trust between gateways. (In the absence of PKI, gateways employ a pre-shared secret.)
Site to Site VPN
At the center of VPN is the encrypted tunnel (or VPN link) created using the IKE/IPSec protocols. The two parties are either VPN-1 Power gateways or remote access clients. The peers negotiating a link first create a trust between them. This trust is established using certificate authorities, PKI or pre-shared secrets. Methods are exchanged and keys created. The encrypted tunnel is established and then maintained for multiple connections, exchanging key material to refresh the keys when needed. A single gateway maintains multiple tunnels simultaneously with its VPN peers. Traffic in each tunnel is encrypted and authenticated between the VPN peers, ensuring integrity and privacy. Data is transferred in bulk via these virtual-physical links.
VPN Communities
There are two basic community types - Mesh and Star. A topology is the collection of enabled VPN links in a system of gateways, their VPN domains, hosts located behind each gateway and the remote clients external to them.
In a Mesh community, every gateway has a link to every other gateway, as shown in Figure 1-2:
Figure 1-2 VPN-1 Power gateways in a Mesh community
In a Star community, only gateways defined as Satellites (or “spokes”) are allowed to communicate with a central gateway (or “Hub”) but not with each other:
Figure 1-3 VPN-1 Power gateways in a Star community
As shown in Figure 1-3, it is possible to further enhance connectivity by meshing central gateways. This kind of topology is suitable for deployments involving Extranets that include networks belonging to business partners.
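As an added illustration (not code from the guide or from Check Point), the Mesh and Star rules above as a small Python model: a tunnel may open only between two gateways that share a community whose topology permits the pair, so two Satellites of a Star community never get a direct link unless some other community joins them, and central gateways link to each other only when the Star's centers are meshed. Gateway and community names are constructed for the example.

```python
"""Model of which gateway pairs a set of VPN communities permits to tunnel.

Added example, not Check Point code. Names such as "HQ" or "Branch-1" are
constructed for illustration.
"""
from dataclasses import dataclass
from itertools import combinations
from typing import FrozenSet, Iterable, Tuple


@dataclass(frozen=True)
class MeshCommunity:
    """Mesh: every member gateway has a link to every other member."""
    name: str
    members: FrozenSet[str]

    def gateways(self) -> FrozenSet[str]:
        return self.members

    def link_allowed(self, a: str, b: str) -> bool:
        return a != b and a in self.members and b in self.members


@dataclass(frozen=True)
class StarCommunity:
    """Star: Satellites (spokes) link only to the central gateways (hubs)."""
    name: str
    centers: FrozenSet[str]
    satellites: FrozenSet[str]
    mesh_centers: bool = False  # hubs may additionally be meshed with each other

    def gateways(self) -> FrozenSet[str]:
        return self.centers | self.satellites

    def link_allowed(self, a: str, b: str) -> bool:
        if a == b:
            return False
        if a in self.satellites and b in self.satellites:
            return False  # spoke-to-spoke never gets a direct tunnel
        if a in self.centers and b in self.centers:
            return self.mesh_centers  # hub-to-hub only if centers are meshed
        # Remaining case: one hub and one spoke, both members of this community.
        return bool({a, b} & self.centers) and bool({a, b} & self.satellites)


def tunnel_allowed(communities: Iterable, a: str, b: str) -> bool:
    """A tunnel may open if any community the two gateways share permits it."""
    return any(c.link_allowed(a, b) for c in tuple(communities))


def permitted_tunnels(communities: Iterable) -> FrozenSet[FrozenSet[str]]:
    """Every unordered gateway pair that can negotiate a link in this deployment."""
    communities = tuple(communities)
    gws = set()
    for c in communities:
        gws |= set(c.gateways())
    return frozenset(frozenset(pair) for pair in combinations(sorted(gws), 2)
                     if tunnel_allowed(communities, *pair))


# Constructed sample deployment: branch offices around two meshed hubs, plus a
# separate mesh community that joins HQ with a business partner (an Extranet).
BRANCHES = StarCommunity("Branches", frozenset({"HQ", "HQ-backup"}),
                         frozenset({"Branch-1", "Branch-2"}), mesh_centers=True)
PARTNERS = MeshCommunity("Partners", frozenset({"HQ", "Partner-A"}))
DEPLOYMENT: Tuple = (BRANCHES, PARTNERS)

if __name__ == "__main__":
    for pair in sorted(sorted(p) for p in permitted_tunnels(DEPLOYMENT)):
        print(" <-> ".join(pair))
```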
of the VPN-1 Power gateway or via an external LDAP server.
Figure 1-4 Remote Client to Host behind Gateway
In Figure 1-4, the remote user initiates a connection to the gateway. Authentication takes place during the IKE negotiation. Once the user’s existence is verified, the gateway then authenticates the user, for example by validating the user’s certificate. Once IKE is successfully completed, a tunnel is created; the remote client connects to Host 1.