Check Point secures net from within

Check Point Software Technologies Ltd. this week announced its new virtual private network architecture, which will provide high-availability security not only from network to network but also within an agency.

The company's new Secure Virtual Network (SVN) architecture is a long-term strategy to bring the encryption and authentication offered by VPN solutions all the way down to the client and application level.

Most organizations have focused on using firewalls to block intruders from outside the network and VPN technology to securely connect trusted external users and partners. But analysts and agencies agree that about 80 percent of security breaches come from people inside an organization, and Check Point is positioning its technology as the way to enforce security at the user level.

"It's providing VPN technology on the corporate network," said Greg Smith, director of product marketing at Check Point. "Most people recognize that the majority of threats happen within the network...and we see VPNs being throughout the enterprise."

Many security vendors are working on bringing this type of solution to the market, but Check Point's large base of users and technology partners is a distinct advantage, analysts said. "The idea that they are working with is that SVN is a growing field, and I believe they're right," said Betty Gifford, senior analyst with the networking and telecommunications integrated services program at market research firm Dataquest. "I think everyone in the industry is trying to find a way to do this."

In the first step to offer this functionality, Check Point announced several new products and enhancements to its central VPN and firewall products.

Check Point's new VPN-1 SecureClient and SecureServer extend the security of the usual connection for external users to clients inside the network. The internal VPN connection encrypts all traffic among clients and between a client and the server behind the organization's firewall.

The VPN-1 SecureClient also provides a personal firewall that uses the policies defined by the system administration to protect the information stored on each system from intrusion while connected to the network.

"It's encrypted from the time the information leaves the end user's PC, so it's virtually unhackable," Gifford said. "You can actually go in and get SecureClient and SecureServer products that allow you to have guarantees for the security of your data across and outside of your network."

All of this, however, is dependent on the availability and compatibility of the VPN connection. Along with its new OpenPKI, which simultaneously supports digital certificates from the public-key infrastructure solutions of multiple vendors, Check Point has added redundant gateways to its VPN-1/Firewall-1 suite.

Instead of using a single gateway that regulates and encrypts all VPN traffic, Check Point is placing a second, redundant gateway that will take over if the primary gateway fails.

To make sure that there is no downtime and that the transfer is completely transparent to a user, even one who is connected at the time of the failure, the information used by the gateways to establish the connections is synchronized about every 50 milliseconds using IPSec Internet Key Exchange.

"It is critical to the mission of the organization that the connection be maintained," Smith said. "Organizations are moving more and more traffic to their VPN, and they want to eliminate the single point of failure."

As another backup for remote users connecting to a network from locations across the country or the world, Check Point also announced VPN-1 SecuRemote. When the default gateway to which a remote client is set to connect fails, SecuRemote automatically sends out requests to the agency's other gateways to provide the connection.

This high availability, combined with the security of the user connection, could be important for agencies with growing numbers of mobile employees, Gifford said.

"More and more you get mandated to work from home or outside the office...and this could be an important player in that situation," she said.

On the management side, Check Point integrated its FloodGate-1 network bandwidth management tool into VPN-1 and introduced a new reporting system that will give administrators better control over how traffic flows through their secure network.

Just as it does for a standard network, FloodGate-1 prioritizes the traffic through the VPN to provide better service based on a policy established by the administrator. The VPN-1/Firewall-1 Reporting System monitors system use and identifies attempted intrusions and violations. The customizable reports can be generated automatically and distributed through e-mail, a World Wide Web page, printer or application.

"It helps you understand what's going on with your VPN-1 and Firewall-1 applications," said Raphael Reich, Check Point product marketing manager.
