Check Point secures net from within

Check Point Software Technologies Ltd. this week announced its new virtual private network architecture, which will provide high-availability security not only from network to network but also within an agency.

The company's new Secure Virtual Network (SVN) architecture is a long-term strategy to bring the encryption and authentication offered by VPN solutions all the way down to the client and application level.

Most organizations have focused on using firewalls to block intruders from outside the network and VPN technology to securely connect trusted external users and partners. But analysts and agencies agree that about 80 percent of security breaches come from people inside an organization, and Check Point is positioning its technology as the way to enforce security at the user level.

"It's providing VPN technology on the corporate network," said Greg Smith, director of product marketing at Check Point. "Most people recognize that the majority of threats happen within the network...and we see VPNs being throughout the enterprise."

Many security vendors are working on bringing this type of solution to the market, but Check Point's large base of users and technology partners is a distinct advantage, analysts said. "The idea that they are working with is that SVN is a growing field, and I believe they're right," said Betty Gifford, senior analyst with the networking and telecommunications integrated services program at market research firm Dataquest. "I think everyone in the industry is trying to find a way to do this."

In the first step to offer this functionality, Check Point announced several new products and enhancements to its central VPN and firewall products.

Check Point's new VPN-1 SecureClient and SecureServer extend the security of the usual connection for external users to clients inside the network. The internal VPN connection encrypts all traffic among clients and between a client and the server behind the organization's firewall.

The VPN-1 SecureClient also provides a personal firewall that uses the policies defined by the system administrator to protect the information stored on each system from intrusion while it is connected to the network.

"It's encrypted from the time the information leaves the end user's PC, so it's virtually unhackable," Gifford said. "You can actually go in and get SecureClient and SecureServer products that allow you to have guarantees for the security of your data across and outside of your network."

All of this, however, is dependent on the availability and compatibility of the VPN connection. Along with its new OpenPKI, which simultaneously supports digital certificates from the public-key infrastructure solutions of multiple vendors, Check Point has added redundant gateways to its VPN-1/Firewall-1 suite.

Instead of using a single gateway that regulates and encrypts all VPN traffic, Check Point is placing a second, redundant gateway that will take over if the primary gateway fails.

To make sure that there is no downtime and that the transfer is completely transparent to the user, even if the user is connected at the time of the failure, the information the gateways use to establish connections is synchronized about every 50 milliseconds using IPSec Internet Key Exchange.

"It is critical to the mission of the organization that the connection be maintained," Smith said. "Organizations are moving more and more traffic to their VPN, and they want to eliminate the single point of failure."

As another backup for remote users connecting to a network from locations across the country or the world, Check Point also announced VPN-1 SecuRemote. When the default gateway to which a remote client is set to connect fails, SecuRemote automatically sends out requests to the agency's other gateways to provide the connection.
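The two failover mechanisms described above, a standby gateway that holds a periodically replicated copy of the primary's connection table and a client that falls back to the next gateway when its default one stops answering, can be modelled in a few dozen lines. The following is an added illustration written for this article, not Check Point code: gateway names, the session table layout and the simulated clock are assumptions, and only the 50 ms replication interval comes from the text. It shows the point a practitioner cares about: a connection that was set up before the last replication tick survives the failure, while one set up inside the window since that tick is lost.

```python
"""Model of stateful VPN-gateway failover with periodic state replication.

Hypothetical example; not Check Point's implementation. Time is simulated
in milliseconds, and the 'connection table' is just a dict of session ids.
"""
from dataclasses import dataclass, field

SYNC_INTERVAL_MS = 50  # replication period stated in the article


@dataclass
class Gateway:
    """A VPN gateway holding the state needed to continue client sessions."""
    name: str
    up: bool = True
    sessions: dict = field(default_factory=dict)  # session id -> client name
    last_sync_ms: int = -1  # last tick at which this gateway received state

    def accept(self, session_id: str, client: str) -> None:
        if not self.up:
            raise ConnectionError(f"{self.name} is down")
        self.sessions[session_id] = client

    def knows(self, session_id: str) -> bool:
        """True if this gateway is up and can continue the given session."""
        return self.up and session_id in self.sessions


class Cluster:
    """Primary/standby pair; the standby receives a copy of the table every tick."""

    def __init__(self, primary: Gateway, standby: Gateway) -> None:
        self.primary, self.standby = primary, standby
        self.now_ms = 0

    def advance(self, ms: int) -> None:
        """Advance the simulated clock, replicating at every sync tick that passes."""
        target = self.now_ms + ms
        next_tick = (self.now_ms // SYNC_INTERVAL_MS + 1) * SYNC_INTERVAL_MS
        while next_tick <= target:
            if self.primary.up:
                self.standby.sessions = dict(self.primary.sessions)
                self.standby.last_sync_ms = next_tick
            next_tick += SYNC_INTERVAL_MS
        self.now_ms = target

    def gateways(self) -> list:
        return [self.primary, self.standby]


def connect(client: str, session_id: str, gateways: list) -> str:
    """Client-side fallback: try gateways in order, return the one that accepted."""
    for gw in gateways:
        try:
            gw.accept(session_id, client)
            return gw.name
        except ConnectionError:
            continue  # default gateway unreachable, ask the next one
    raise ConnectionError("no gateway reachable")


def session_survives(session_id: str, gateways: list) -> bool:
    """A session is transparent to the user if some live gateway still knows it."""
    return any(gw.knows(session_id) for gw in gateways)


def failover_scenario() -> dict:
    """Constructed timeline: one session before the last sync, one after, then failure."""
    cluster = Cluster(Gateway("primary"), Gateway("standby"))
    gws = cluster.gateways()

    connect("alice", "sess-a", gws)   # t = 0 ms
    cluster.advance(120)              # ticks at 50 and 100 ms replicate sess-a
    connect("bob", "sess-b", gws)     # t = 120 ms, inside the window after 100 ms
    cluster.advance(10)               # t = 130 ms, no tick has passed yet
    cluster.primary.up = False        # primary fails before the 150 ms tick

    return {
        "last_sync_ms": cluster.standby.last_sync_ms,
        "session_a_survives": session_survives("sess-a", gws),
        "session_b_survives": session_survives("sess-b", gws),
        "new_client_gateway": connect("carol", "sess-c", gws),
    }


if __name__ == "__main__":
    print(failover_scenario())
```

The loss window is bounded by the replication interval: any session created after the last tick and before the failure is unknown to the standby and must be re-established. Shortening the interval narrows that window at the cost of more replication traffic, which is the trade-off behind the 50 ms figure quoted above.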

This high availability, combined with the security of the user connection, could be important for agencies with growing numbers of mobile employees, Gifford said.

"More and more you get mandated to work from home or outside the office...and this could be an important player in that situation," she said.

On the management side, Check Point integrated its FloodGate-1 network bandwidth management tool into VPN-1 and introduced a new reporting system that will give administrators better control over how traffic flows through their secure network.

Just as it does for a standard network, FloodGate-1 prioritizes the traffic through the VPN to provide better service based on a policy established by the administrator. The VPN-1/Firewall-1 Reporting System monitors system use and identifies attempted intrusions and violations. The customizable reports can be generated automatically and distributed through e-mail, a World Wide Web page, printer or application.

"It helps you understand what's going on with your VPN-1 and Firewall-1 applications," said Raphael Reich, Check Point product marketing manager.