Check Point aims to automate VPN expansions

Check Point Software Technologies Ltd. announced a way for users to insert additional security gateways in VPNs without having to manually reconfigure the existing gateways.

The company is adding a software feature called Automated VPN Deployment that frees network managers from a chore that grows enormously as a VPN grows. For example, adding a sixth gateway to a fully meshed, five-gateway VPN calls for configuring five new tunnels – which is typically no big deal. Adding 20 gateways to an 80-gateway network, however, calls for 2,290 new tunnels.

This automated deployment is done using a certificate authority that has been added to Check Point’s VPN management server. The certificate authority automatically authenticates the new gateways so the existing ones know it is okay to create tunnels with them.

Check Point is also automating the process of distributing changes to VPN clients on remote PCs. Changes to security policies that govern how remote PCs must behave in a VPN can now be pushed to client devices when they log on.

Some similar features are supported by Check Point VPN competitors, including NetScreen Technologies Inc. and Cisco Systems Inc. Because Check Point also licenses its products to other vendors, some of these features could show up in Nokia Corp. and RapidStream equipment as well.

These changes are part of a broad upgrade to its software – clients, gateways, firewalls – Check Point is calling Next Generation. The upgrades include the ability for users to monitor traffic between sites to determine effective throughput and network delay between VPN gateways. This feature can be used by firms to monitor traffic for problems and verify whether service providers are meeting service-level agreements.

Next Generation software also includes support for Differentiated Services, the scheme for tagging IP packets so they are treated with varying levels of priority.

The software also adds the ability to try alternative access to resources if the primary link fails. So, for example, a user at a branch office might try to reach a server at headquarters and the connection fails. The branch-office server would instead make a VPN connection to another branch office that has a dedicated link to headquarters. Check Point calls this Continuous Access VPN.

This feature is valuable but has some limitations, said Don Meyers, manager of research and development for Memphis investment firm Morgan Keegan & Co. Users have to weigh the importance of the traffic that travels over the alternate, dedicated route. These dedicated links are usually sized for a certain amount of traffic and could become congested if all VPN traffic to a downed site is allowed to cross them, he said.

These new features are available now as a free upgrade to customers with a software subscription contract. The company is on the Web at