Download - Checkpoint VPN Presentation
Worldwide Leader in Securing the Internet
An Introduction to VPN Technology
QTS Ongoing Education Series
©2001 Check Point Software Technologies Ltd. - Proprietary & Confidential
Check Point Facts
History
  Founded June 1993
  IPO June 1996
  Strong growth in revenues and profits
Global market leadership
  62% VPN market share (Datamonitor, 2001)
  42% firewall market share (#1 position - IDC, 2000)
  De-facto standard for Internet security
Strong business model
  Technology innovation and leadership
  Technology partnerships
  Strong and diversified channel partnerships
Check Point's Solid Foundation
Financial Strength (last 12 months)
  Revenues of $543M
  Profit of $313M
  Strong balance sheet
Market Leadership
  220,000+ installations
  100,000+ VPN gateways
  83 million+ VPN clients
  81,000+ customers
  1,500+ channel partners
  300+ OPSEC partners
Platform Choice - Open
Dedicated Appliances (Check Point pioneered the market)
  Entry level: easy set up
  Enterprise class: network grade
  Data center & ISPs: high performance / carrier class
Future Platforms
  Consumer & small business: cable & DSL
  Wireless: GPRS, 2.5G-3G infrastructure
  Multi-subscriber: service providers' network services
Open Systems
  Attractive price/performance
  Wide variety of platforms
  60-80% of the market
  Flexibility
OPSEC Partners
Open framework for security integration - "The Security OS"
  Over 270 partners
  Breadth of solutions
  Choice
  Certification
www.OPSEC.com
Voted #1 partner alliance program
The Open Platform for Security
Enhanced Management Capabilities
SecureUpdate for OPSEC Partners
  Central management of software install for OPSEC applications
OPSEC Application Monitoring
  Central monitoring of OPSEC applications alongside Check Point products
Open Management Repository
  Import/export objects from the management database
Agenda
  What is a Virtual Private Network (VPN)?
  VPN deployment situations
  Why use VPNs?
  Types of VPN protocols
  IPSec VPNs
    Components
    A sample session
  Deployment questions
What is a VPN?
  A VPN is a private connection over an open network
  A VPN includes authentication and encryption to protect data integrity and confidentiality
[Diagram: Acme Corp and Acme Corp Site 2 linked by a VPN across the Internet]
Types of VPNs - Remote Access VPN
  Provides access to the internal corporate network over the Internet
  Reduces long distance, modem bank, and technical support costs
[Diagram: remote users reaching the corporate site over the Internet]
Types of VPNs - Site-to-Site VPN
  Connects multiple offices over the Internet
  Reduces dependencies on frame relay and leased lines
[Diagram: branch office connected to the corporate site over the Internet]
Types of VPNs - Extranet VPN
  Provides business partners access to critical information (leads, sales tools, etc.)
  Reduces transaction and operational costs
[Diagram: Partner #1 and Partner #2 connected to the corporate site over the Internet]
Types of VPNs - Client/Server VPN
  Protects sensitive internal communications
  Most attacks originate within an organization
[Diagram: LAN clients, a database server, and LAN clients with sensitive data, with the Internet outside]
Alternate Technologies
  Site-to-site/extranets: frame relay, leased lines
  Remote access: dial-up modem banks
Why Use Virtual Private Networks? - More flexibility
  Leverage ISP points of presence
  Use multiple connection types (cable, DSL, T1, T3)
Why Use Virtual Private Networks? - More scalability
  Add new sites and users quickly
  Scale bandwidth to meet demand
Why Use Virtual Private Networks? - Lower costs
  Reduced frame relay/leased line costs
  Reduced long distance charges
  Reduced equipment costs (modem banks, CSU/DSUs)
  Reduced technical support
VPN-1 Return on Investment
Case History - Professional Services Company: 5 branch offices, 1 large corporate office, 200 remote access users.
Payback: 1.04 months. Annual savings: 88%

Cost item                              | Check Point VPN-1 Solution | Non-VPN Solution           | Savings with Check Point
Startup Costs (Hardware and Software)  | $51,965                    | Existing; sunk costs = $0  | -
Site-to-Site Annual Cost               | $30,485                    | $71,664 (frame relay)      | $41,180 /yr
RAS Annual Cost                        | $48,000                    | $604,800 (dial-in costs)   | $556,800 /yr
Combined Annual Cost                   | $78,485                    | $676,464                   | $597,980 /yr
VPN ROI Calculator
Tool URL: http://www.checkpoint.com/products/vpn1/roi_calculators/index.html
Components of a VPN
  Encryption
  Message authentication
  Entity authentication
  Key management
Point-to-Point Tunneling Protocol (PPTP)
  Layer 2 remote access VPN distributed with the Windows product family
  Addition to the Point-to-Point Protocol (PPP)
  Allows multiple Layer 3 protocols
  Uses proprietary authentication and encryption
  Limited user management and scalability
  Known security vulnerabilities
[Diagram: Remote PPTP Client - ISP Remote Access Switch - Internet - PPTP RAS Server - Corporate Network]
Layer 2 Tunneling Protocol (L2TP)
  Layer 2 remote access VPN protocol
  Combines and extends PPTP and L2F (Cisco-supported protocol)
  Weak authentication and encryption
  Does not include packet authentication, data integrity, or key management
  Must be combined with IPSec for enterprise-level security
[Diagram: Remote L2TP Client - ISP L2TP Concentrator - Internet - L2TP Server - Corporate Network]
Internet Protocol Security (IPSec)
  Layer 3 protocol for remote access, intranet, and extranet VPNs
  Internet standard for VPNs
  Provides flexible encryption and message authentication/integrity
  Includes key management
Components of an IPSec VPN

Component              | Options
Encryption             | DES, 3DES, and more
Message Authentication | HMAC-MD5, HMAC-SHA-1, or others
Entity Authentication  | Digital certificates, shared secrets, Hybrid Mode IKE
Key Management         | Internet Key Exchange (IKE), Public Key Infrastructure (PKI)

All managed by security associations (SAs)
Security Associations
An agreement between two parties about:
  Authentication and encryption algorithms
  Key exchange mechanisms
  And other rules for secure communications
Security associations are negotiated at least once per session, and possibly more often for additional security
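As an added example (not from the slides and not Check Point's own code), the following Python models a single security association that applies the HMAC message authentication listed on the IPSec components slide and tracks when the SA has reached its lifetime and must be renegotiated; the SPI, key, packet layout and packet-count lifetime are constructed for illustration.

```python
import hmac
from dataclasses import dataclass

# Added illustration, not Check Point's code: a toy model of one IPSec
# security association (SA) showing HMAC-based message authentication and
# a lifetime after which the SA must be renegotiated (rekeyed) via IKE.
# The 12-byte tag follows IPSec's HMAC-SHA-1-96 / HMAC-MD5-96 truncation
# (RFC 2404 / RFC 2403); the packet layout itself is simplified.

TAG_LEN = 12

@dataclass
class SecurityAssociation:
    spi: int                # Security Parameter Index naming this SA
    auth_alg: str           # "sha1" or "md5", as on the slide
    auth_key: bytes         # authentication key agreed during IKE
    lifetime_packets: int   # renegotiate after this many packets
    seq: int = 0            # per-SA outbound sequence counter

    def _tag(self, seq: int, payload: bytes) -> bytes:
        # The SPI and sequence number are covered by the tag too, so a
        # modified header fails verification just like a modified body.
        header = self.spi.to_bytes(4, "big") + seq.to_bytes(4, "big")
        mac = hmac.new(self.auth_key, header + payload, self.auth_alg)
        return mac.digest()[:TAG_LEN]

    def needs_rekey(self) -> bool:
        # The slides say SAs are negotiated at least once per session and
        # possibly more often; here a packet-count lifetime is the trigger.
        return self.seq >= self.lifetime_packets

    def protect(self, payload: bytes) -> bytes:
        # Sender side: prepend SPI and sequence number, append the tag.
        if self.needs_rekey():
            raise RuntimeError("SA %#x expired; renegotiate via IKE" % self.spi)
        self.seq += 1
        header = self.spi.to_bytes(4, "big") + self.seq.to_bytes(4, "big")
        return header + payload + self._tag(self.seq, payload)

    def verify(self, packet: bytes):
        # Receiver side: return the authenticated payload, or None if the
        # packet belongs to another SA, was altered, or was keyed wrongly.
        if len(packet) < 8 + TAG_LEN:
            return None
        spi = int.from_bytes(packet[:4], "big")
        seq = int.from_bytes(packet[4:8], "big")
        payload, tag = packet[8:-TAG_LEN], packet[-TAG_LEN:]
        if spi != self.spi:
            return None
        # Constant-time compare so timing does not reveal matching bytes.
        if not hmac.compare_digest(tag, self._tag(seq, payload)):
            return None
        return payload
```

A real IPSec implementation keeps a separate inbound and outbound SA per peer; the same class is instantiated twice here to play both ends.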
Encryption Explained
  Used to convert data to a secret code for transmission over an untrusted network
[Diagram: Clear Text "The cow jumped over the moon" passes through the Encryption Algorithm to give Encrypted Text "4hsd4e3mjvd3sda1d38esdf2w4d"]
Symmetric Encryption
  Same key used to encrypt and decrypt the message
  Faster than asymmetric encryption
  Used by IPSec to encrypt the actual message data
  Examples: DES, 3DES, RC5, Rijndael
[Diagram: one shared secret key used at both ends]
Asymmetric Encryption
  Different keys used to encrypt and decrypt the message (one public, one private)
  Provides non-repudiation of the message or message integrity
  Examples include RSA, DSA, SHA-1, MD-5
[Diagram: Bob encrypts with Alice's public key; Alice decrypts with Alice's private key]
Key Management
Shared Secret
  Simplest method; does not scale
  Two sites share the key out-of-band (over telephone, mail, etc.)
Public Key Infrastructure
  Provides a method of issuing and managing public/private keys for large deployments
Internet Key Exchange
  Automates the exchange of keys for scalability and efficiency
What are Keys?
An encryption key is:
  A series of numbers and letters...
  ...used in conjunction with an encryption algorithm...
  ...to turn plain text into encrypted text and back into plain text
The longer the key, the stronger the encryption
What is Key Management?
A mechanism for distributing keys either manually or automatically
Includes:
  Key generation
  Certification
  Distribution
  Revocation
Internet Key Exchange (IKE)
Automates the exchange of security associations and keys between two VPN sites
IKE provides:
  Automation and scalability
  Improved security: encryption keys can be changed frequently
Hybrid IKE
  Proposed standard designed by Check Point
  Allows use of existing authentication methods
Different Types of VPN/Firewall Topologies
[Diagram: three placements of a VPN device relative to the firewall and the Internet, each with its drawback called out]
  VPN device is vulnerable to attack, e.g. denial of service
  Two connections to the firewall for every communication request
  Bypasses security policy
  Denial of service
Only integrated VPN/firewall solutions can deliver full access control and consistent security policy enforcement
Protecting Remote Access VPNs
The Problem:
  Remote access VPN clients can be "hijacked"
  Allows attackers into the internal network
The Solution:
  Centrally managed personal firewall on VPN clients
[Diagram: an attacker on the Internet reaching a remote VPN client connected over cable or xDSL]
Summary
  Virtual Private Networks have become mission-critical applications
  IPSec is the leading protocol for creating enterprise VPNs
    Provides encryption, authentication, and data integrity
  Organizations should look for:
    Integrated firewalls and VPNs
    Centralized management of VPN client security
    A method to provide VPN QoS