Check Point NG AI
Introducing the Check Point Next Generation Suite of Products
- FireWall-1 is the cornerstone of the NG AI suite, providing data filtering, logging, and authentication in stand-alone, distributed, and high-availability clustered gateway models.
- VPN-1 builds onto the features of FireWall-1, adding encryption and VPN support.
- The LDAP account management now runs integrated into the Security Dashboard, enabling you to manage LDAP database-stored user accounts more easily.
- SecuRemote is used with VPN-1 and creates the client or user end of the VPN tunnel, providing the authentication and encryption needed to establish and maintain the VPN connection.
- SecureClient adds a personal firewall to the SecuRemote feature set. This firewall, which runs the same robust Stateful Inspection engine and is installed on the user's computer, enables you to centrally control the security settings of VPN-connected desktops. In addition to the firewall capabilities, SecureClient can send its logs to the central management server once connected.
- The SmartView Reporter helps you trend and analyze your network by using predefined or customized report criteria to generate data traffic statistics and reports.
- The Check Point ClusterXL module helps you create clusters of firewalls to reduce service downtime by providing seamless failover from one gateway to another using either high availability or load sharing. Load sharing allows for the aggregation of available resources across all systems in the cluster.
- FloodGate-1 has been integrated into VPN-1/FireWall-1 to provide QoS prioritization of network traffic as it passes through the gateway. This allows for providing QoS and traffic prioritization inside the VPN tunnel, a task difficult for separate solutions.
- Meta IP provides you with secure, scalable solutions for DNS and DHCP server management. As well as providing standards-based servers, Meta IP provides additional tools such as Secure DHCP that you use to authenticate your users before giving their machine a fully functional IP address.
- The UA module extends the user-authorization information acquired by VPN-1/FireWall-1 to trusted third-party applications. This can help reduce multiple logons and reduce development time for new applications.
Understanding VPN-1/FireWall-1 SVN Components
- The VPN-1/FireWall-1 management module resides on the SmartCenter (management) server, and not only stores and pushes out the Security Policy to the enforcement points, but is also responsible for storing all the objects and definitions used in the policy. Logs from Check Point enforcement modules, including SecureClient, are stored in the log database hosted by the management server.
- The management module is at the heart of the distributed model for firewall deployment, allowing for centralized logging and easy security management even for environments with several firewalls.
- The GUI client is used to manage and configure the options and policies stored on the management server. The GUI is made up of a number of tools and components combined into the SmartDashboard that allows for easy, visual configuration of the Security, NAT, QoS, and Desktop Security policies.
- The firewall module contains the inspection engine that uses a compiled version of the Security Policy to control traffic attempting to pass between the firewall's interfaces.
- The SIC module ensures that communication between GUI clients, management servers, and the inspection engine is secure to prevent modification or copying of data in transit.
Looking at Firewall Technology
- Proxy or application gateway firewalls provide in-depth control of a single application, allowing for very detailed filtering. However, this makes scaling to new applications difficult and can reduce performance of the firewall.
- Packet filters offer great performance and affordability because this type of firewall is often built into routers or similar network devices. Because packet filtering firewalls are unaware of the application layer, granular control is not possible.
- VPN-1/FireWall-1 uses a Check Point-patented technology called Stateful Inspection to control IP network data.
- Stateful Inspection is able to make control decisions based on information from the top five layers of the OSI model, providing granular control and application awareness.
- The firewall tracks communications data, which increases throughput: it can distinguish continuations of previously accepted sessions from new connection attempts that must be evaluated against the rule set.
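The session tracking described above, as an added example that is not from the original text and is not Check Point's inspection engine or rule format: a toy Python filter that consults the rule base only for new connections and matches later packets, including replies, against a connection table. The rule base, addresses, the SYN check and all names are assumptions constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed toy rule base: (source net, dest net, dest port, action); first match wins.
RULES = [
    ("10.0.0.0/8", "0.0.0.0/0", 443, "accept"),
    ("0.0.0.0/0", "0.0.0.0/0", None, "drop"),   # cleanup rule
]

def match_rules(src, dst, dport):
    # Stateless view: a packet is judged alone, top-down against the rule base.
    for snet, dnet, port, action in RULES:
        if (ip_address(src) in ip_network(snet)
                and ip_address(dst) in ip_network(dnet)
                and port in (None, dport)):
            return action
    return "drop"

class StatefulFilter:
    def __init__(self):
        self.connections = set()   # accepted sessions, keyed by 5-tuple
        self.rule_lookups = 0      # packets that needed the rule base

    def inspect(self, proto, src, sport, dst, dport, syn=False):
        key = (proto, src, sport, dst, dport)
        reverse = (proto, dst, dport, src, sport)
        # Continuation of an accepted session, in either direction: no rule lookup.
        if key in self.connections or reverse in self.connections:
            return "accept"
        # A non-SYN TCP packet with no table entry is not a valid new connection.
        if proto == "tcp" and not syn:
            return "drop"
        self.rule_lookups += 1
        action = match_rules(src, dst, dport)
        if action == "accept":
            self.connections.add(key)
        return action

def demo():
    # Constructed sample traffic: one outbound HTTPS session and its reply.
    fw = StatefulFilter()
    out_syn = ("tcp", "10.1.2.3", 51000, "203.0.113.10", 443)
    reply = ("tcp", "203.0.113.10", 443, "10.1.2.3", 51000)
    return {
        "new": fw.inspect(*out_syn, syn=True),
        "reply_stateful": fw.inspect(*reply),
        "reply_stateless": match_rules("203.0.113.10", "10.1.2.3", 51000),
        "unsolicited": fw.inspect("tcp", "203.0.113.10", 443, "10.1.2.9", 51000),
        "rule_lookups": fw.rule_lookups,
    }
```

The reply is accepted from the connection table without a rule lookup, while the same packet judged statelessly falls through to the cleanup rule, and a look-alike packet to a host that never opened a session is dropped.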
Complete SVN Concept
- The real power of Check Point's solution comes to fruition when multiple components are used together. With the tight integration of the different technologies, very complex designs become not only possible but also manageable, ensuring complete end-to-end security throughout the enterprise and all related systems.