Check Point tools ease VPN administration

Check Point Software Technologies Ltd. is adding management features to its VPN-1/Firewall-1 software that it says will make it easier for customers to add and configure their IP Security VPN sites.

Three new tools, known as One Click VPN, One Click Extranet and One Click Certificate, automate procedures for expanding VPNs and adding remote users, which saves time and eliminates manual processes that invite human error. As companies add more sites and remote users to VPNs, the complexity of making changes spirals because VPN servers at every existing site have to be updated.

The One Click VPN software feature on Check Point’s Secure Update management platform asks users to enter the IP address of a new site. It then configures the new gateway with the policies that have been set for the VPN and distributes information about the site to the VPN gateways at all the other sites. Remote access users connecting via PC without a gateway cannot be added in this way, but that capability is planned, Check Point says.

One Click Extranet is designed for linking a VPN with a business partner. To work, the software requires that both parties have Check Point gateways in their networks as well as Check Point management servers. The management servers share data about the gateways they control, and administrators can then configure their gateways to let them establish encrypted IPSec tunnels. One Click Extranet is a misnomer, though, because it requires more than a single mouse-click to work.

One limitation of the VPN and Extranet One Click features is that they cannot be used on the same server at the same time.

Valuable Tools

Still, companies of all sizes should find these tools valuable, says Jeff Wilson, research director for Infonetics. “For big users with lots of sites, setting up VPNs is difficult, and [these features are] making bulk configuration easier. For smaller enterprises, [Check Point is] making it easier to establish the obvious firewall/VPN configurations that are useful in smaller VPNs,” he says.

The more sites you manage, the more important this is, says Paul Kahyet, chief systems engineer for Schlumberger Network Solutions, which runs Check Point VPNs for Schlumberger’s petroleum affiliate and other corporations.

“We are concerned about how easy it is to add a site. Do you have to touch all your different gateways, or do you do it through your management system and that management system updates to all the different sites automatically? That is one of the big factors we looked at,” Kahyet says.

Easing Configurations

Simplifying VPN configuration is a major thrust of VPN vendors that make gateways, such as WatchGuard Technologies, NetScreen Technologies and SonicWall, as well as service providers that offer managed services, such as OneSecure and SmartPipes.

For remote-access IPSec VPNs, One Click Certificate makes it easier to distribute digital certificates that are stored on remote PCs to support strong authentication of remote users. These certificates require a certificate authority to issue them, and Check Point has built one into its Next Generation management software. This eliminates the need for companies to set up their own certificate authorities or hire a service provider to handle them.

The Check Point certificate authority issues certificates to remote PCs that connect to the VPN via dial-up Internet connections. If the Check Point Secure Remote VPN client on the remote machine has authentication information sent via e-mail or floppy disk by the network administrator, the certificate authority automatically issues the certificate.

Earlier versions of Check Point’s certificate authority supported distributing digital certificates among gateways only.

A new feature of Secure Remote helps balance the load between VPN servers that are paired at a single busy site. Until now, the remote software would be configured to connect with one server or the other. Now, each remote machine connects to one or the other at random. This reduces the chances that either server will get swamped should all its assigned users try to connect at once.

Check Point also says Siemens and Compaq are introducing hardware that supports Firewall-1/VPN-1 software. Siemens’ appliance, called 4 Your Safety, features four 10/100 Ethernet ports and has a firewall speed of 250Mbps. The company has not rated the speed of its VPN capability yet.

The device costs US$6,200 for a model with one processor and US$7,000 for two.

This will pit Siemens against another Check Point partner, Nokia, which also makes VPN gateway appliances based on Check Point software.

Check Point can be reached at