
Check Point VPN

In This Section:

IPsec VPN

Remote Access VPN

VPN Components

VPN Terminology

Establishing a Connection between a Remote User and a Security Gateway

IPsec VPN

The IPsec VPN solution lets the Security Gateway encrypt and decrypt traffic to and from other gateways and clients. Use SmartConsole to easily configure VPN connections between Security Gateways and remote devices.

For Site-to-Site Communities, you can configure Star and Mesh topologies for VPN networks, and include third-party gateways.

The VPN tunnel guarantees:

IKE and IPsec

The Check Point VPN solution uses these secure VPN protocols to manage encryption keys and send encrypted packets. IKE (Internet Key Exchange) is a standard key management protocol that is used to create the VPN tunnels. IPsec is a protocol that supports secure IP communications that are authenticated and encrypted on private or public networks.

Remote Access VPN

If employees remotely access sensitive information from different locations and devices, system administrators must make sure that this access does not become a security vulnerability. Check Point's Remote Access VPN solutions let you create a VPN tunnel between a remote user and the internal network. The Mobile Access Software Blade extends the functionality of Remote Access solutions to include many clients and deployments.

VPN Connectivity Modes

When securely connecting remote clients with the internal resources, organizations face connectivity challenges, such as these:

The Check Point IPsec VPN Software Blade provides these VPN connectivity modes to help organizations resolve those challenges:

Sample Remote Access VPN Workflow

Here is an example of a Remote Access VPN workflow:

  1. Use SmartConsole to enable Remote Access VPN on the Security Gateway.
  2. Add the remote user information to the Security Management Server:
    • Create and configure an LDAP Account Unit
    • Enter the information in the SmartConsole user database

    Optional: Configure the gateway for remote user authentication.

  3. Define the gateway Access Control and encryption rules.
  4. Create the group objects to use in the gateway rules:
    • LDAP Group object - for an LDAP Account Unit
    • User Group object - for users configured in the SmartConsole user database
  5. Create and configure the encryption settings for the VPN community object in Global Properties > Remote Access > VPN - Authentication and Encryption.
  6. Add Access Control rules to the Access Control Rule Base to allow VPN traffic to the internal networks.

[Figure: Remote Access VPN workflow. Enable remote access VPN -> Manage Users? (LDAP branch: Configure LDAP Account Unit -> Configure user authentication -> Create LDAP user group object; R80 SmartConsole branch: Configure users -> Configure user authentication -> Create user group object) -> Create VPN Community -> Configure rules for VPN access in Access Control Rule Base -> Install policy]

VPN Components

VPN is composed of:

VPN Terminology

| Term | Description |
|---|---|
| VPN | Virtual Private Network. A secure, encrypted connection between networks and remote clients on a public infrastructure. A VPN gives authenticated remote users and sites secured access to an organization's network and resources. |
| VPN Domain | A group of computers and networks connected to a VPN tunnel by one VPN gateway that handles encryption and protects the VPN Domain members. |
| VPN Community | A named collection of VPN domains, each protected by a VPN gateway. |
| VPN Security Gateway | The gateway that manages encryption and decryption of traffic between members of a VPN Domain, typically located at one (Remote Access VPN) or both (Site to Site VPN) ends of a VPN tunnel. |
| Site-to-Site VPN | An encrypted tunnel between two gateways, typically at different geographical sites. |
| Remote Access VPN | An encrypted tunnel between a Security Gateway and remote access clients (such as Endpoint Security VPN) and communities. |
| Remote Access Community | A group of computers, appliances, and devices that access the internal protected network from physically remote sites, with authentication and encryption. |
| IKE | Internet Key Exchange. An encryption key management protocol that enhances IPsec by providing additional features, flexibility, and ease of configuration. |
| IPsec | A set of secure VPN protocols that manage encryption keys and encrypted packet traffic, to create a standard for authentication and encryption services. |

Establishing a Connection between a Remote User and a Security Gateway

A VPN tunnel establishment process is initiated to allow the user to access a network resource protected by a Security Gateway. An IKE negotiation takes place between the peers.

During IKE negotiation, the peers' identities are authenticated. The Security Gateway verifies the user's identity and the client verifies that of the Security Gateway. The authentication can be performed using several methods, including digital certificates issued by the Internal Certificate Authority (ICA). It is also possible to authenticate using third-party PKI solutions and pre-shared secrets.

After the IKE negotiation ends successfully, a secure connection (a VPN tunnel) is established between the client and the Security Gateway. All connections between the client and the Security Gateway VPN domain (the LAN behind the Security Gateway) are encrypted inside this VPN tunnel, using the IPsec standard. Except for when the user is asked to authenticate in some manner, the VPN establishment process is transparent.

| Item | Description |
|---|---|
| 1 | Host1. Part of VPN Site 1. |
| 2 | Gateway 1. Part of VPN Site 1. |
| 3 | Internet |
| 4 | Remote Client |
| 5 | Gateway 2. Part of VPN Site 2. |
| 6 | LDAP Server. Part of VPN Site 2. |

In the figure, the remote user initiates a connection to Security Gateway 1. User management is not performed via the VPN database, but by an LDAP server belonging to VPN Site 2. Authentication takes place during the IKE negotiation. Security Gateway 1 verifies that the user exists by querying the LDAP server behind Security Gateway 2. After the user's existence is verified, the Security Gateway authenticates the user, for example by validating the user's certificate. After IKE is successfully completed, a tunnel is created and the remote client connects to Host 1.

If the client is behind the Security Gateway (for example, if the user accesses the corporate LAN from a company office), connections from the client to destinations that are also behind the LAN Security Gateway are not encrypted.
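The following Python model, added here as an illustration and not Check Point code, walks through the flow in the figure: the gateway checks that the user exists (the LDAP query), authenticates with a certificate from a trusted CA or a pre-shared secret, and only then records a tunnel; it then applies the encryption rule from the two paragraphs above, where traffic from a tunnelled remote client to a VPN Domain host is encrypted and traffic from a client already inside the LAN is not. All addresses, user names, CA names and the secret are constructed sample values.

```python
import hmac
import ipaddress
from dataclasses import dataclass, field

# Constructed sample data modelling the figure: Gateway 1 protects VPN Site 1
# (Host1 lives there); the LDAP server that knows the users sits behind
# Gateway 2 at VPN Site 2. All addresses and names are hypothetical.
VPN_DOMAIN_SITE1 = [ipaddress.ip_network("10.1.0.0/16")]
LDAP_SITE2 = {"alice": {"cert_issuer": "ICA"}, "bob": {"psk": b"constructed-secret"}}
TRUSTED_CAS = {"ICA", "ThirdPartyPKI"}   # ICA plus a third-party PKI

@dataclass
class Gateway:
    vpn_domain: list = field(default_factory=list)
    tunnels: dict = field(default_factory=dict)   # client address -> user name

    def ike_negotiate(self, client_ip, user, cert_issuer=None, psk=None):
        """Model the IKE phase: confirm the user exists (LDAP lookup), then
        authenticate with a certificate or a pre-shared secret."""
        entry = LDAP_SITE2.get(user)
        if entry is None:
            return "user not found"
        if cert_issuer is not None:
            ok = cert_issuer in TRUSTED_CAS and entry.get("cert_issuer") == cert_issuer
        elif psk is not None and "psk" in entry:
            ok = hmac.compare_digest(psk, entry["psk"])   # constant-time compare
        else:
            ok = False
        if not ok:
            return "authentication failed"
        self.tunnels[ipaddress.ip_address(client_ip)] = user   # tunnel is up
        return "tunnel established"

    def in_domain(self, ip):
        return any(ip in net for net in self.vpn_domain)

    def is_encrypted(self, src, dst):
        """Traffic from a tunnelled remote client to a VPN Domain host is
        encrypted; a client already inside the VPN Domain talking to the LAN
        is not, because that traffic never enters the tunnel."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if self.in_domain(src):
            return False
        return src in self.tunnels and self.in_domain(dst)
```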