Secure VPN Connectivity
VPN-1 SecuRemote and VPN-1 SecureClient support dynamic and fixed IP addressing for all Internet Service Provider (ISP) services - dial-up, cable modem, or Digital Subscriber Lines (DSL) - making them the ideal solution for telecommuters and mobile workers. When installed internally, VPN-1 clients protect critical business communications on traditional and wireless LANs.
Sometimes VPN-1 client traffic needs to traverse a NAT device or a firewall prior to reaching the VPN-1 gateway. Because not all NAT devices can handle IPSec traffic, the traffic can be dropped. To address this problem, VPN-1 clients enable NAT traversal by supporting UDP encapsulation and IKE over TCP.
Support for Industry Standard Protocols
VPN-1 SecuRemote and VPN-1 SecureClient support industry standard VPN protocols and algorithms to deliver complete compatibility with VPN-1/FireWall-1 security policies.
|Encryption Algorithms|Key Length|
|(Advanced Encryption Standard - AES)|128- to 256-bit|

|X.509 Digital Certificates|
|Operating System Password|

|Public Key Algorithms|Key Length|
|RSA|512- to 1536-bit|
|Diffie-Hellman|768- to 1536-bit|
Flexible User Authentication
VPN-1 SecuRemote and VPN-1 SecureClient support for Hybrid Mode Authentication, the Check Point Secure Authentication API (SAA) and the Check Point Internal Certificate Authority (ICA) provides a range of user authentication options.
Hybrid Mode Authentication enables use of widely used authentication methods such as token cards (e.g., SecurID), RADIUS and TACACS within IPSec VPNs. This means that you can select user authentication solutions that best meet your organization's needs, while leveraging the industry-standard security of X.509 digital certificates for VPN gateway authentication.
Check Point SAA Support extends user authentication options to include a range of OPSEC-certified authentication products, including biometric devices. This support is particularly important to organizations that want to employ an existing authentication solution with a PKI-based trust model.
Check Point ICA enables use of digital certificates for user authentication in an IPSec/IKE VPN, out-of-the-box. The ICA can automatically issue digital certificates to all Check Point management servers, gateways and VPN-1 SecureClient users. The ICA is included with VPN-1 gateways.
Enriched Access with Office Mode
When reliability is critical, Multiple Entry Point (MEP) functionality provides a cost-efficient alternative to high availability configurations that require redundant hardware.
In multi-site VPNs, VPN-1 clients can detect a gateway outage, and then use a designated backup gateway to access network resources. The VPN connection is established and all traffic is routed correctly through an alternate gateway with complete user transparency. In addition, VPN-1 client connections can be load shared among VPN-1 gateways.