Check Point guarantees VPN availability

Updates and new products from Check Point Software Technologies Ltd. are designed to make the life of a security manager easier.

The Check Point 2000 upgrade to the company’s Secure Virtual Networking (SVN) architecture now includes IPSec VPN technology to extend to legacy systems, according to Leslie Stern, product marketing manager for Check Point in Redwood City, Calif. She said the main benefit of Check Point’s IPSec deployment is that it uses RADIUS for authentication instead of passwords or PKI.

“A lot of customers have been hesitant to go to IPSec because of the PKI requirement,” Stern said.

John McConnell, president of McConnell Associates in Boulder, Colo., agreed, but warned that taking PKI out of the picture may be a security risk.

“Without PKI, you may be a little more exposed, so [Check Point is] going to have to make sure there’s conclusive proof that they haven’t sacrificed security. But certainly it takes some of the complication out, if you don’t have to set up PKI and manage that,” he said.

Check Point 2000 also features an upgrade to FireWall-1 and VPN-1 called Malicious Activity Detection, which analyses log records to detect well-known network attacks and suspicious activity.

“This is not real-time intrusion detection,” Stern emphasized. “It’s a management efficiency tool. It automates what security managers do anyway.”

Some of the events detected include: successive alerts, port scanning, successive login failures, successive multiple connections, LAND attacks, blocked connection port scanning and address spoofing.

Another FireWall-1/VPN-1 upgrade is Content Security, which provides virus scanning, URL filtering and Java and ActiveX screening.

The new High Availability Module provides transparent failover for VPN connections.

“We guarantee your VPN will not go down,” said Mike Lee, a product marketing manager with Check Point in Redwood City, Calif. The guarantee, however, is not in the form of a service level agreement or other written contract. Lee said the module monitors system health and fails VPN connections over without the need to re-authenticate or risk the loss of current data. Up to eight backup gateways can be chained.

Other new features in the 2000 upgrade include a Secure Authentication API (SAA) that can integrate with other security systems such as biometrics or tokens, plus availability for Windows 2000 and Red Hat Linux platforms.

The Check Point 2000 upgrade will ship on a CD-ROM at the end of this month. The CD will also include a preview of Check Point’s Visual Policy Editor, which maps security rules into a graphical format. Security managers can then test, with the click of a mouse, how a given rule affects the network and which segments fall under which security features. Stern said the colours in the map match the log file notifications Check Point users already use.

McConnell was impressed with the Visual Policy Editor, and said he knows of no competitor with a similar technology.

“That’s going to be really powerful…because it will really simplify laying out and managing policies,” McConnell said.

The full licensable version of the editor will be available sometime later this year, Stern said.

The Check Point 2000 upgrade CD will be shipped free of charge to all subscription customers, but the full, licensed versions of the High Availability Module and Visual Policy Editor will not be free. Check Point has not yet set pricing for either one.

Check Point in Redwood City, Calif., is at 1-800-429-4391.