checkpoint vpn presentation

Upload: gokul-kumar

Post on 08-Apr-2015

Page 1: Checkpoint VPN Presentation

WORLDWIDE LEADER IN SECURING THE INTERNET

An Introduction to VPN Technology

QTS Ongoing Education Series

Page 2: Checkpoint VPN Presentation

©2001 Check Point Software Technologies Ltd. - Proprietary & Confidential

Check Point Facts

History
- Founded June 1993
- IPO June 1996
- Strong growth in revenues and profits

Global market leadership
- 62% VPN market share (Datamonitor, 2001)
- 42% firewall market share (#1 position - IDC, 2000)
- De-facto standard for Internet security

Strong business model
- Technology innovation and leadership
- Technology partnerships
- Strong and diversified channel partnerships

Page 3: Checkpoint VPN Presentation


Check Point's Solid Foundation

Financial strength (last 12 months)
- Revenues of $543M
- Profit of $313M
- Strong balance sheet

Market leadership
- 220,000+ installations
- 100,000+ VPN gateways
- 83 million+ VPN clients
- 81,000+ customers
- 1,500+ channel partners
- 300+ OPSEC partners

Page 4: Checkpoint VPN Presentation


Platform Choice - Open

Dedicated appliances (Check Point pioneered the market)
- Entry level: easy set up
- Enterprise class: network grade
- Data center & ISPs: high performance / carrier class

Future platforms
- Consumer & small business: cable & DSL, wireless
- GPRS, 2.5G-3G infrastructure: multi-subscriber
- Service providers: network services

Open systems
- Attractive price/performance
- Wide variety of platforms
- 60-80% of the market
- Flexibility

Page 5: Checkpoint VPN Presentation


OPSEC Partners - The Open Platform for Security

- Open framework for security integration - "The Security OS"
- Over 270 partners
- Breadth of solutions, choice, certification
- www.OPSEC.com
- Voted #1 Partner Alliance Program

Page 6: Checkpoint VPN Presentation


Enhanced Management Capabilities

SecureUpdate for OPSEC partners
- Central management of software installation for OPSEC applications

OPSEC application monitoring
- Central monitoring of OPSEC applications alongside Check Point products

Open management repository
- Import/export objects from the management database

Page 7: Checkpoint VPN Presentation


Agenda
- What is a Virtual Private Network (VPN)?
- VPN deployment situations
- Why use VPNs?
- Types of VPN protocols
- IPSec VPNs: components, a sample session
- Deployment questions

Page 8: Checkpoint VPN Presentation


What is a VPN?
- A VPN is a private connection over an open network
- A VPN includes authentication and encryption to protect data integrity and confidentiality

(Diagram: Acme Corp site 1 and Acme Corp site 2 joined by a VPN across the Internet)

Page 9: Checkpoint VPN Presentation


Types of VPNs: Remote Access VPN
- Provides access to the internal corporate network over the Internet
- Reduces long distance, modem bank, and technical support costs

(Diagram: remote user connecting to the corporate site over the Internet)

Page 10: Checkpoint VPN Presentation


Types of VPNs: Site-to-Site VPN
- Connects multiple offices over the Internet
- Reduces dependence on frame relay and leased lines

(Diagram: branch office connected to the corporate site over the Internet)

Page 11: Checkpoint VPN Presentation


Types of VPNs: Extranet VPN
- Provides business partners access to critical information (leads, sales tools, etc.)
- Reduces transaction and operational costs

(Diagram: Partner #1 and Partner #2 connected to the corporate site over the Internet)

Page 12: Checkpoint VPN Presentation


Types of VPNs: Client/Server VPN
- Protects sensitive internal communications
- Most attacks originate within an organization

(Diagram: LAN clients with sensitive data reach the database server over a VPN inside the LAN; other LAN clients and the Internet are outside it)

Page 13: Checkpoint VPN Presentation


Alternate Technologies
- Site-to-site/extranets: frame relay, leased lines
- Remote access: dial-up modem banks

Page 14: Checkpoint VPN Presentation


Why Use Virtual Private Networks? More flexibility
- Leverage ISP points of presence
- Use multiple connection types (cable, DSL, T1, T3)

Page 15: Checkpoint VPN Presentation


Why Use Virtual Private Networks? More scalability
- Add new sites and users quickly
- Scale bandwidth to meet demand

Page 16: Checkpoint VPN Presentation


Why Use Virtual Private Networks? Lower costs
- Reduced frame relay/leased line costs
- Reduced long distance charges
- Reduced equipment costs (modem banks, CSU/DSUs)
- Reduced technical support

Page 17: Checkpoint VPN Presentation


VPN-1 Return on Investment

Case history - professional services company: 5 branch offices, 1 large corporate office, 200 remote access users.

Payback: 1.04 months ($51,965 startup cost against $597,980 of annual savings, i.e. about $49,800 per month). Annual savings: 88% ($597,980 of $676,464).

                                     Check Point VPN-1     Non-VPN solution             Savings with Check Point
Startup costs (hardware and software)  $51,965             Existing; sunk costs = $0    -
Site-to-site annual cost               $30,485             $71,664 (frame relay)        $41,180 /yr
RAS annual cost                        $48,000             $604,800 (dial-in costs)     $556,800 /yr
Combined annual cost                   $78,485             $676,464                     $597,980 /yr

Page 18: Checkpoint VPN Presentation


VPN ROI Calculator

Tool URL: http://www.checkpoint.com/products/vpn1/roi_calculators/index.html

Page 19: Checkpoint VPN Presentation


Components of a VPN
- Encryption
- Message authentication
- Entity authentication
- Key management

Page 20: Checkpoint VPN Presentation


Point-to-Point Tunneling Protocol (PPTP)
- Layer 2 remote access VPN distributed with the Windows product family
- Addition to the Point-to-Point Protocol (PPP); allows multiple Layer 3 protocols to be carried
- Uses proprietary authentication and encryption (Microsoft's MS-CHAP and MPPE)
- Limited user management and scalability
- Known security vulnerabilities

(Diagram: remote PPTP client - ISP remote access switch - Internet - PPTP RAS server - corporate network)

Page 21: Checkpoint VPN Presentation


Layer 2 Tunneling Protocol (L2TP)
- Layer 2 remote access VPN protocol
- Combines and extends PPTP and L2F (the Cisco-supported protocol)
- Weak tunnel authentication and no encryption of its own; it relies on the PPP session it carries for user authentication
- Does not include per-packet authentication, data integrity, or key management
- Must be combined with IPSec (L2TP over IPSec) for enterprise-level security

(Diagram: remote L2TP client - ISP L2TP concentrator - Internet - L2TP server - corporate network)

Page 22: Checkpoint VPN Presentation


Internet Protocol Security (IPSec)
- Layer 3 protocol for remote access, intranet, and extranet VPNs
- Internet (IETF) standard for VPNs
- Provides flexible encryption and message authentication/integrity
- Includes key management (IKE)

Page 23: Checkpoint VPN Presentation


Components of an IPSec VPN
- Encryption: DES, 3DES, and more
- Message authentication: HMAC-MD5, HMAC-SHA-1, or others
- Entity authentication: digital certificates, shared secrets, Hybrid Mode IKE
- Key management: Internet Key Exchange (IKE), Public Key Infrastructure (PKI)

All managed by security associations (SAs)
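The message-authentication component above is worth seeing at packet level. The following is an added example, not code from the deck or from VPN-1: it computes the 96-bit truncated HMAC-SHA-1 integrity check value that IPSec AH/ESP use (RFC 2404), verifies it in constant time, and keeps a sliding anti-replay window over the sequence number as RFC 2401 describes. The packet layout (SPI | sequence number | payload | ICV) is a simplified ESP-like record built inline; the key and payloads are constructed sample data.

```python
"""HMAC-SHA-1-96 message authentication plus an anti-replay window,
as used by IPSec AH/ESP (RFC 2404 ICV, RFC 2401 sequence window).

Added example, not code from the Check Point deck or from VPN-1.
Packet layout is a simplified ESP-like record; key/payloads are constructed.
"""
import hashlib
import hmac
import struct
from typing import Optional

ICV_LEN = 12  # RFC 2404: the 160-bit HMAC-SHA-1 output is truncated to 96 bits


def protect(auth_key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """Return SPI | seq | payload | ICV, ICV = HMAC-SHA1(key, SPI|seq|payload)[:12]."""
    body = struct.pack("!II", spi, seq) + payload
    icv = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    return body + icv


class ReplayWindow:
    """Sliding anti-replay window over the sequence number (default 64 packets)."""

    def __init__(self, size: int = 64) -> None:
        self.size = size
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence number (highest - i) already seen

    def check_and_update(self, seq: int) -> bool:
        if seq == 0:                       # sequence number 0 is never valid
            return False
        if seq > self.highest:             # new high-water mark: slide the window
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        diff = self.highest - seq
        if diff >= self.size:              # older than the window: drop
            return False
        if self.bitmap & (1 << diff):      # already received: replay
            return False
        self.bitmap |= 1 << diff
        return True


def verify(auth_key: bytes, packet: bytes, window: ReplayWindow) -> Optional[bytes]:
    """Return the payload if the ICV matches and the sequence number is fresh, else None.

    The ICV is checked first, with a constant-time compare, so a forged
    packet can never advance the replay window.
    """
    if len(packet) < 8 + ICV_LEN:
        return None
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return None
    _spi, seq = struct.unpack("!II", body[:8])
    if not window.check_and_update(seq):
        return None
    return body[8:]


def demo():
    """Constructed scenario: one good packet, a bit-flipped copy, and a replay."""
    auth_key = bytes.fromhex("0b" * 20)                 # constructed 160-bit auth key
    window = ReplayWindow()
    pkt = protect(auth_key, spi=0x1000, seq=1, payload=b"GET /payroll HTTP/1.0")
    accepted = verify(auth_key, pkt, window)            # payload comes back
    flipped = bytearray(pkt)
    flipped[8] ^= 0x01                                  # one payload bit altered in transit
    tampered = verify(auth_key, bytes(flipped), window) # None: ICV mismatch
    replayed = verify(auth_key, pkt, window)            # None: seq 1 already seen
    return accepted, tampered, replayed


if __name__ == "__main__":
    print(demo())
```

The order of checks matters: integrity first, then replay. Checking the sequence number before the ICV would let an attacker with no key burn sequence numbers and make the receiver drop legitimate traffic.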

Page 24: Checkpoint VPN Presentation


Security Associations
- An agreement between two parties about: authentication and encryption algorithms, key exchange mechanisms, and other rules for secure communications
- An SA is one-directional, so a two-way tunnel uses a pair of SAs, each identified by its SPI
- Security associations are negotiated at least once per session, and possibly more often (rekeying) for additional security

Page 25: Checkpoint VPN Presentation


Encryption Explained
- Used to convert data to a secret code for transmission over an untrusted network

(Diagram: clear text "The cow jumped over the moon" -> encryption algorithm -> encrypted text "4hsd4e3mjvd3sda1d38esdf2w4d")

Page 26: Checkpoint VPN Presentation


Symmetric Encryption
- Same key (the shared secret key) used to encrypt and decrypt the message
- Faster than asymmetric encryption
- Used by IPSec to encrypt the actual message data
- Examples: DES, 3DES, RC5, Rijndael (AES)

Page 27: Checkpoint VPN Presentation


Asymmetric Encryption
- Different keys used to encrypt and decrypt the message (one public, one private)
- A signature made with the private key provides non-repudiation and message integrity
- Examples include RSA and DSA; SHA-1 and MD5 are hash functions rather than asymmetric algorithms, and are used alongside them to produce the digest that gets signed

(Diagram: Bob encrypts with Alice's public key; Alice decrypts with Alice's private key)

Page 28: Checkpoint VPN Presentation


Key Management
- Shared secret: simplest method; does not scale. The two sites share the key out-of-band (over telephone, mail, etc.)
- Public Key Infrastructure: provides a method of issuing and managing public/private keys for large deployments
- Internet Key Exchange: automates the exchange of keys for scalability and efficiency

Page 29: Checkpoint VPN Presentation


What are Keys?
- An encryption key is a series of numbers and letters, used in conjunction with an encryption algorithm, to turn plain text into encrypted text and back into plain text
- The longer the key, the stronger the encryption, for a given algorithm; key lengths are not comparable across algorithm families (a 56-bit DES key and a 1024-bit RSA key are not in the same league)

Page 30: Checkpoint VPN Presentation


What is Key Management?
- A mechanism for distributing keys either manually or automatically
- Includes: key generation, certification, distribution, revocation

Page 31: Checkpoint VPN Presentation


Internet Key Exchange (IKE)
- Automates the exchange of security associations and keys between two VPN sites
- IKE provides automation and scalability, and improved security because encryption keys can be changed frequently
- Hybrid IKE: proposed standard designed by Check Point; allows remote clients to keep using existing user authentication methods (passwords, token cards) inside IKE
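The shared-secret, SA and IKE slides above describe the same mechanism from three angles; the following added example (not Check Point code, and not a model of Hybrid IKE) ties them together by running an IKE Phase 1 main-mode exchange with pre-shared-key authentication as RFC 2409 section 5 specifies: a Diffie-Hellman exchange, derivation of SKEYID and of the SKEYID_d/SKEYID_a/SKEYID_e keys, and the HASH_I check with which the responder authenticates the initiator. The cookies, nonces, identity and SA payload bodies and the DH private values are constructed so the run is repeatable, and the DH group is a toy 127-bit prime (insecure) so it runs instantly; real IKE uses Oakley group 2 (1024-bit MODP) or larger.

```python
"""IKE Phase 1 (RFC 2409, main mode) with pre-shared-key authentication:
DH exchange, SKEYID derivation, and the responder's HASH_I check.

Added example, not Check Point code.  Toy DH group (insecure) and
constructed cookies/nonces/identities; Hybrid mode is not modelled.
"""
import hashlib
import hmac
import secrets
from typing import Optional

P = (1 << 127) - 1   # toy DH prime (Mersenne prime M127): NOT a real IKE group
G = 2                # generator


def prf(key: bytes, data: bytes) -> bytes:
    """IKE prf: HMAC keyed with the negotiated hash, here HMAC-SHA-1."""
    return hmac.new(key, data, hashlib.sha1).digest()


def i2b(n: int) -> bytes:
    """Big-endian byte encoding of a DH value (g^x, g^xy)."""
    return n.to_bytes((n.bit_length() + 7) // 8, "big")


class Peer:
    def __init__(self, psk: bytes, priv: Optional[int] = None) -> None:
        self.psk = psk
        self.x = priv if priv is not None else secrets.randbelow(P - 2) + 1
        self.gx = pow(G, self.x, P)            # KE payload, sent in the clear

    def derive(self, peer_gx: int, cky_i: bytes, cky_r: bytes, ni: bytes, nr: bytes) -> dict:
        """RFC 2409 s.5: SKEYID for pre-shared keys, then SKEYID_d/_a/_e."""
        gxy = i2b(pow(peer_gx, self.x, P))     # shared DH secret g^xy
        skeyid = prf(self.psk, ni + nr)        # SKEYID = prf(psk, Ni_b | Nr_b)
        skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")              # for IPSec SA keys
        skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")   # authenticates IKE msgs
        skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")   # encrypts IKE msgs
        return {"SKEYID": skeyid, "SKEYID_d": skeyid_d,
                "SKEYID_a": skeyid_a, "SKEYID_e": skeyid_e}


def phase1(psk_initiator: bytes, psk_responder: bytes,
           xi: int = 0x123456789ABC, xr: int = 0xFEDCBA987654):
    """Run the exchange; return (initiator_authenticated, initiator_keys, responder_keys)."""
    cky_i = bytes.fromhex("0102030405060708")       # constructed ISAKMP cookies
    cky_r = bytes.fromhex("1112131415161718")
    ni = b"constructed-nonce-I"                     # constructed nonces
    nr = b"constructed-nonce-R"
    sai_b = b"\x00\x01ESP-3DES-HMAC-SHA1"           # stand-in for the SA payload body
    id_ii = b"gw-a.example.com"                     # initiator ID payload body (assumed name)
    init, resp = Peer(psk_initiator, xi), Peer(psk_responder, xr)
    # Messages 3 and 4: KE and Nonce payloads cross in the clear; each side derives keys.
    ki = init.derive(resp.gx, cky_i, cky_r, ni, nr)
    kr = resp.derive(init.gx, cky_i, cky_r, ni, nr)
    # Message 5: the initiator proves it holds the PSK with HASH_I (carried under SKEYID_e).
    hash_i = prf(ki["SKEYID"], i2b(init.gx) + i2b(resp.gx) + cky_i + cky_r + sai_b + id_ii)
    # The responder recomputes HASH_I from its own SKEYID; a PSK mismatch fails here.
    expected = prf(kr["SKEYID"], i2b(init.gx) + i2b(resp.gx) + cky_i + cky_r + sai_b + id_ii)
    return hmac.compare_digest(hash_i, expected), ki, kr


if __name__ == "__main__":
    ok, ki, kr = phase1(b"site-a/site-b shared secret", b"site-a/site-b shared secret")
    print("authenticated:", ok, " SKEYID_e match:", ki["SKEYID_e"] == kr["SKEYID_e"])
    bad, _, _ = phase1(b"site-a/site-b shared secret", b"typo in the secret")
    print("authenticated with wrong PSK:", bad)
```

Two things the slides state fall out directly: the traffic keys (SKEYID_d) are fresh for every run because the DH exponents and nonces change, which is what lets IKE rekey frequently, and the shared secret never crosses the wire, since only HASH_I, a prf over the secret and the exchanged values, does.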

Page 32: Checkpoint VPN Presentation


Different Types of VPN/Firewall Topologies

(Diagram: three placements of a VPN device relative to the firewall and the Internet, each annotated with its drawback)
- VPN device in front of the firewall: the VPN device is exposed to attack from the Internet, e.g. denial of service
- VPN device behind the firewall: two connections to the firewall for every communication request (the encrypted flow in, then the decrypted flow back through the firewall)
- VPN device in parallel with the firewall: decrypted VPN traffic bypasses the security policy, and the VPN device is exposed to denial of service

Page 33: Checkpoint VPN Presentation


Only integrated VPN/firewall solutions can deliver full access control and consistent security policy enforcement

Page 34: Checkpoint VPN Presentation


Protecting Remote Access VPNs

The problem:
- Remote access VPN clients can be "hijacked": an always-on cable or xDSL client that an attacker compromises becomes a tunnelled path into the internal network

The solution:
- Centrally managed personal firewall on VPN clients

(Diagram: attacker on the Internet reaching a VPN client connected over cable or xDSL)

Page 35: Checkpoint VPN Presentation


Summary
- Virtual Private Networks have become mission-critical applications
- IPSec is the leading protocol for creating enterprise VPNs; it provides encryption, authentication, and data integrity
- Organizations should look for: integrated firewalls and VPNs; centralized management of VPN client security; a method to provide VPN QoS