
07/06/2016

The Check Point VPN Solution
In This Section:

- VPN Components
- Understanding the Terminology
- Site to Site VPN
- Remote Access VPN
- IPv6 Support and Limitations
- SmartDashboard Toolbar

The IPsec VPN Software Blade lets the Security Gateway encrypt and decrypt traffic to and from other gateways and clients. Use SmartDashboard to easily configure VPN connections between Security Gateways and remote devices. You can configure Star and Mesh topologies for large-scale VPN networks that include third-party gateways. The VPN tunnel guarantees:

- Authenticity: Uses standard authentication methods
- Privacy: All VPN data is encrypted
- Integrity: Uses industry-standard integrity assurance methods

IKE and IPsec
The Check Point VPN solution uses these secure VPN protocols to manage encryption keys and send encrypted packets. IKE (Internet Key Exchange) is a standard key management protocol that is used to create the VPN tunnels. IPsec is a protocol that supports secure IP communications that are authenticated and encrypted on private or public networks.

VPN Components
VPN is composed of:

- VPN endpoints, such as Security Gateways, Security Gateway clusters, or remote clients (such as laptop computers or mobile phones) that communicate using a VPN.
- VPN trust entities, such as a Check Point Internal Certificate Authority (ICA). The ICA is part of the Check Point suite used for creating a SIC trusted connection between Security Gateways, and for authenticating administrators and third-party servers. The ICA provides certificates for internal Security Gateways and remote access clients which negotiate the VPN link.
- VPN Management tools, such as Security Management Server and SmartDashboard. SmartDashboard is the SmartConsole used to access the Security Management Server. The VPN Manager is part of SmartDashboard. SmartDashboard enables organizations to define and deploy Intranet and Remote Access VPNs.

Understanding the Terminology
A number of terms are used widely in Secure VPN implementation, namely:

- VPN: Virtual Private Network. A secure, encrypted connection between networks and remote clients on a public infrastructure, to give authenticated remote users and sites secured access to an organization's network and resources.
- Virtual Tunnel Interface: A virtual interface that is a member of an existing, Route Based, VPN tunnel.
- VPN Peer: A gateway that connects to a different gateway using a Virtual Tunnel Interface.
- VPN Domain: A group of computers and networks connected to a VPN tunnel by one VPN gateway that handles encryption and protects the VPN Domain members.
https://sc1.checkpoint.com/documents/R77/CP_R77_VPN_AdminGuide/13868.htm


- VPN Community: A named collection of VPN domains, each protected by a VPN gateway.
- VPN Security Gateway: The gateway that manages encryption and decryption of traffic between members of a VPN Domain, typically located at one (Remote Access VPN) or both (Site to Site VPN) ends of a VPN tunnel.
- Site to Site VPN: An encrypted tunnel between two gateways, typically of different geographical sites.
- Remote Access VPN: An encryption tunnel between a Security Gateway and remote access clients, such as Endpoint Security VPN, and communities.
- Remote Access Community: A group of computers, appliances, and devices that access, with authentication and encryption, the internal protected network from physically remote sites.
- Star Topology: A "hub and spoke" virtual private network community, with gateways defined as Satellites (spokes) that create tunnels only with the central gateway ("hub").
- Meshed Topology: A VPN community with a VPN Domain that creates a tunnel to other VPN Domains.
- Domain Based VPN: A method to route encrypted traffic with parameters defined by Security Gateways.
- Route Based VPN: A routing method for participants in a VPN community, defined by the Virtual Tunnel Interfaces (VTI).
- IKE (Internet Key Exchange): An encryption key management protocol that enhances IPSec by providing additional features, flexibility, and ease of configuration.
- IPSec: A set of secure VPN protocols that manage encryption keys and encrypted packet traffic, to create a standard for authentication and encryption services.

Site to Site VPN
The basis of Site to Site VPN is the encrypted VPN tunnel. Two Security Gateways negotiate a link and create a VPN tunnel, and each tunnel can contain more than one VPN connection. One Security Gateway can maintain more than one VPN tunnel at the same time.

Sample Site to Site VPN Deployment

Legend for the deployment diagram (Item / Description):

- Security Gateway
- VPN tunnel
- Internal network in VPN domain
- Host 1
- Host 6

In this sample VPN deployment, Host 1 and Host 6 securely send data to each other. The Firewalls do IKE negotiation and create a VPN tunnel. They use the IPsec protocol to encrypt and decrypt data that is sent between Host 1 and Host 6.

VPN Workflow

Steps shown in the workflow diagram:

1. Host 1 sends packet to Host 6
2. Firewalls A & B create VPN tunnel
3. Firewall A encrypts data
4. Encrypted data is sent through VPN tunnel
5. Firewall B decrypts data
6. Host 6 receives unencrypted data

VPN Communities
A VPN Domain is a collection of internal networks that use Security Gateways to send and receive VPN traffic. Define the resources that are included in the VPN Domain for each Security Gateway. Then join the Security Gateways into a VPN community: a collection of VPN tunnels and their attributes. Network resources of different VPN Domains can securely communicate with each other through VPN tunnels that terminate at the Security Gateways in the VPN communities.
VPN communities are based on Star and Mesh topologies. In a Mesh community, there are VPN tunnels between each pair of Security Gateways. In a Star community, each satellite Security Gateway has a VPN tunnel to the central Security Gateway, but not to other Security Gateways in the community.
Note: Global VPN Communities are not supported in this release.

Mesh Topology / Star Topology diagrams

Legend (Item / Description):

- Security Gateway. For Star topology, the central Security Gateway.
- For Star topology, satellite Security Gateways.

Sample Combination VPN Community


Legend (Item / Description):

- London Security Gateway
- New York Security Gateway
- London-New York Mesh community
- London company partner (external network)
- London Star community
- New York company partner (external network)
- New York Star community

This deployment is composed of a Mesh community for London and New York Security Gateways that share internal networks. The Security Gateways for external networks of company partners do not have access to the London and New York internal networks. The Star VPN communities let the company partners access the internal networks.
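As an added illustration (not code from the Check Point guide), the following Python models the combination deployment above: a Mesh community yields a tunnel between every pair of members, a Star community only between the center and each satellite, and a host is reached through the gateway whose VPN Domain contains it. The gateway names and address ranges are constructed assumptions; the functions tell you whether two hosts are joined by any tunnel in the deployment.

```python
import ipaddress
from itertools import combinations

# Constructed sample modelled on the London / New York combination deployment.
# Gateway names and VPN Domain prefixes are assumptions, not values from the guide.
VPN_DOMAINS = {
    "London-GW":         ["10.1.0.0/16"],
    "NewYork-GW":        ["10.2.0.0/16"],
    "LondonPartner-GW":  ["192.168.10.0/24"],
    "NewYorkPartner-GW": ["192.168.20.0/24"],
}

# One Mesh community between the two internal gateways, plus one Star community per partner.
COMMUNITIES = {
    "London-NewYork-Mesh": {"topology": "mesh", "members": ["London-GW", "NewYork-GW"]},
    "London-Star":  {"topology": "star", "center": "London-GW",  "satellites": ["LondonPartner-GW"]},
    "NewYork-Star": {"topology": "star", "center": "NewYork-GW", "satellites": ["NewYorkPartner-GW"]},
}

def community_tunnels(community):
    """Gateway pairs that get a VPN tunnel in one community."""
    if community["topology"] == "mesh":
        # Mesh: a tunnel between every pair of member gateways.
        return {frozenset(pair) for pair in combinations(community["members"], 2)}
    # Star: each satellite tunnels only to the central gateway, never to other satellites.
    return {frozenset((community["center"], sat)) for sat in community["satellites"]}

def all_tunnels(communities=COMMUNITIES):
    """Union of the tunnels of every community in the deployment."""
    return set().union(*(community_tunnels(c) for c in communities.values()))

def gateway_for(ip, domains=VPN_DOMAINS):
    """The gateway whose VPN Domain contains ip, or None if no gateway protects it."""
    addr = ipaddress.ip_address(ip)
    for gateway, prefixes in domains.items():
        if any(addr in ipaddress.ip_network(prefix) for prefix in prefixes):
            return gateway
    return None

def vpn_path(src_ip, dst_ip, domains=VPN_DOMAINS, communities=COMMUNITIES):
    """(source gateway, destination gateway) if a tunnel carries src -> dst, else None."""
    src_gw, dst_gw = gateway_for(src_ip, domains), gateway_for(dst_ip, domains)
    if src_gw is None or dst_gw is None or src_gw == dst_gw:
        return None  # unprotected endpoint, or both hosts already behind one gateway
    if frozenset((src_gw, dst_gw)) in all_tunnels(communities):
        return (src_gw, dst_gw)
    return None  # no community joins the two gateways, so no tunnel exists
```

Calling `vpn_path("192.168.10.4", "10.2.7.7")` returns None: the London partner is a satellite of the London Star only, so it has no tunnel to the New York gateway, which is the access restriction the sample deployment describes.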

Routing VPN Traffic
Configure the Security Gateway to route VPN traffic based on VPN domains or based on the routing settings of the operating system.

Note: For each VPN gateway, you must configure an existing gateway as a default gateway.

Domain Based VPN
The VPN traffic is routed according to the VPN domains that are defined in SmartDashboard. Use domain based routing to let satellite Security Gateways send VPN traffic to each other. The center Security Gateway creates VPN tunnels to each satellite and the traffic is routed to the correct VPN domain.

Route Based VPN
VPN traffic is routed according to the routing settings (static or dynamic) of the Security Gateway operating system. The Security Gateway uses a VTI (VPN Tunnel Interface) to send the VPN traffic as if it were a physical interface. The VTIs of Security Gateways in a VPN community connect and can support dynamic routing protocols.

Granular Routing Control
The Link Selection feature gives you granular control of the VPN traffic in the network. Use this feature to enable the Security Gateway to:

- Find the best possible route for VPN traffic
- Select the interfaces that are used for VPN traffic to internal and external networks
- Configure the IP addresses that are used for VPN traffic
- Use route probing to select available VPN tunnels
- Use Load Sharing for Link Selection to equally distribute VPN traffic to VPN tunnels

Remote Access VPN
If employees remotely access sensitive information from different locations and devices, system administrators must make sure that this access does not become a security vulnerability. Check Point's Remote Access VPN solutions let you create a VPN tunnel between a remote user and the internal network. The Mobile Access Software Blade extends the functionality of Remote Access solutions to include many clients and deployments.

Client-Based vs. Clientless
Check Point remote access solutions use IPsec and SSL encryption protocols to create secure connections. All Check Point clients can work through NAT devices, hotspots, and proxies in situations with complex topologies, such as airports or hotels.
These are the types of installations for remote access solutions:

- Client-based: Client application installed on endpoint computers and devices. Clients are usually installed on a managed device, such as a company-owned computer. The client supplies access to most types of corporate resources according to the access privileges of the user.
- Clientless: Users connect through a web browser and use HTTPS connections. Clientless solutions usually supply access to web-based corporate resources.
- On demand client: Users connect through a web browser and a client is installed when necessary. The client supplies access to most types of corporate resources according to the access privileges of the user.

Using Remote Access VPN
This section explains how to use a VPN tunnel to connect a client-based remote computer to an internal network. For more about using Mobile Access to connect remote devices to internal resources, see Remote Access to the Network.
Note: For each VPN gateway, you must configure an existing gateway as a default gateway.

VPN Connectivity Modes
The IPsec VPN Software Blade lets the Firewall overcome connectivity challenges for remote clients. Use VPN connectivity modes to make sure that remote users can connect to the VPN tunnels. These are some examples of connectivity challenges:

- The IP addresses of a remote access client might be unknown
- The remote access client can be connected to a hotel LAN with internal IP addresses
- It is necessary for the remote client to use protocols that are not supported

Office Mode
Remote users can be assigned the same or non-routable IP addresses from the local ISP. Office Mode solves these routing problems and encapsulates the IP packets with an available IP address from the internal network. Remote users can send traffic as if they are in the office and do not have VPN routing problems.

Visitor Mode
Remote users can be restricted to use HTTP and HTTPS traffic only. Visitor Mode lets these users tunnel all protocols with a regular TCP connection on port 443.

Sample Remote Access VPN Workflow
Use SmartDashboard to enable and configure the Security Gateway for remote access VPN connections. Then add the remote user information to the Security Management Server: create and configure an LDAP Account Unit, or enter the information in the SmartDashboard user database. You can also configure the Firewall to authenticate the remote users. Define the Firewall access control and encryption rules. Create the LDAP group or user group object that is used for the Firewall rules. Then create and configure the encryption settings for the VPN community object. Add the access rules to the Firewall Rule Base to allow VPN traffic to the internal networks.

Steps shown in the workflow diagram:

1. Enable remote access VPN
2. Manage Users? Choose where the users are managed:
   - LDAP: Configure LDAP Account Unit; Configure user authentication; Create LDAP user group object
   - SmartDashboard: Configure users in SmartDashboard database; Configure user authentication; Create user group object
3. Create VPN Community
4. Configure rules for VPN access in Firewall Rule Base
5. Install policy

IPv6 Support and Limitations
This release includes limited IPv6 support for IPsec VPN communities:

- IPv6 is supported for Site to Site VPN only (Main IP to Main IP). The Main IP address for both Security Gateways must be defined as an IPv6 Address. You can define other IP addresses that are IPv4 or IPv6.
- IPv6 supports IKEv2 encryption only. IKEv2 is automatically always used for IPv6 traffic. The encryption method configuration applies to IPv4 traffic only.
- VPN tunneling only supports IPv4 inside an IPv4 tunnel, and IPv6 inside an IPv6 tunnel. IPv4 traffic inside an IPv6 tunnel is not supported.

These VPN features are not supported for IPv6:

- VSX
- Remote Access VPN
- CRL fetch for the Internal Certificate Authority
- Multiple Entry Points (MEP)
- Route-based VPN (VTI)
- Wire Mode VPN
- Gateways with a dynamic IP address
- Route Injection Mechanism (RIM)
- Traditional mode Firewall Policies
- IKE Denial of Service protection
- IKE Aggressive Mode
- Gateways with Dynamic IP addresses

- Traditional Mode VPN
- Migration from Traditional mode to Simplified mode
- Tunnel Management (permanent tunnels)
- Directional VPN Enforcement
- Link Selection
- GRE Tunnels
- Tunnel View in SmartView Monitor
- VPN Overview page
- vpn_route.conf configuration file

SmartDashboard Toolbar
You can use the SmartDashboard toolbar to do these actions (the toolbar icons of the original Icon / Description table are not reproduced here):

- Open the SmartDashboard menu. When instructed to select menu options, click this button to show the menu. For example, if you are instructed to select Manage > Users and Administrators, click this button to open the Manage menu and then select the Users and Administrators option.
- Save current policy and all system objects.
- Open a policy package, which is a collection of Policies saved together with the same name.
- Refresh policy from the Security Management Server.
- Open the Database Revision Control window.
- Change global properties.
- Verify Rule Base consistency.
- Install the policy on Security Gateways or VSX Gateways.
- Open SmartConsole.


2016 Check Point Software Technologies Ltd. All rights reserved.
