The Secure Virtual Network (SVN) architecture from Check Point Software Technologies Ltd. seeks to obliterate the notion of a secured perimeter with holes poked through to allow VPN connectivity.
“Instead of points of entry, the network needs to be secured as a layer,” said Leslie Stern, product marketing manager for Check Point in Redwood City, Calif.
Key components of the SVN include VPN-1 SecureClient and VPN-1 SecureServer. SecureClient connects to SecureServer to allow administrators to force security policies on remote access VPN clients, said Stern. Users will not be able to establish the VPN connection unless their clients’ configurations match the pre-set security policy, and administrators can specify whether or not the system tells the user why the connection has failed.
“Sometimes you don’t want to let people know what they have to do to get into your system,” Stern said.
Richard Karon, business product developer with Perot Systems in Plano, Tex., has been testing the Check Point SVN products and will be reselling them in the near future. He said he likes not having to let users know too much about the security settings.
“I don’t want to let every user go and pick their own policy because me as a corporation wants to control those assets or control the way they come into my network. I can do that more easily if I have a centralized management station,” such as with Check Point, Karon said.
SecureClient also serves as a personal firewall. Stern said securing the remote PC is more important than ever because of the proliferation of shared networks such as cable Internet services, as well as permanent IP addresses.
Karon agreed that firewalling the client is essential.
“If you look at the weakest link when you think about connecting to a VPN, once you’re authenticated you have free access to those particular devices to which you’re allowed. If you’re a user who is allowed to get… the more sensitive information applications, then you’re open to attack as a client. So being able to have the ability to put a policy on the client itself, that is a big bonus because now you’ve eliminated one of the biggest vulnerabilities in the whole VPN model,” said Karon.
Betty Gifford, senior analyst for the telephony integration services and support for Dataquest Inc. in Minneapolis, Minn., agreed that securing the remote access PC is important.
“I work remotely and I link up every day through the Gartner Group’s Stamford, Conn., office all the way into the LAN in Boston… The provider of my DSL line is not necessarily secure. If we used the Check Point software, we would be able to tell that it was secure,” Gifford said.
Gifford also noted that the products guarantee high availability by transparently connecting to VPN-1 Gateways when the primary gateway is unreachable, “and it’s a fairly comprehensive approach to things because it offers multiplatform support and has many different applications both as Internet and intranet security.”
Karon said he hasn’t had a chance to test all of the SVN features such as clustering and reporting, but he has found other features that make his life easier.
“Some of the features in it that we like are that it lets you use in multiple ways the same domain. That was a big plus. Also, the network address translation is now in a pool so that you can take a many to a some versus a one-to-one or many-to-one… If I have to map one-for-one, that means for every address I have to have a comparable address that I can hand out. If I can map it just to a pool of addresses, I know that pool just has to be as big as my concurrent user base,” Karon said.
VPN-1 SecureClient (www3.checkpoint.com/products/vpn1/index.html) is priced at US$49.99 per protected client. VPN-1 SecureServer is priced at US$895 per protected server. Other components of SVN are priced separately.
Check Point in Mississauga, Ont., is at (905) 270-4311.