Security /

Check Point software bolsters LAN security

By Tim Greene
Network World, 08/30/99

REDWOOD CITY, CALIF. - Check Point this week will introduce software that protects servers from unauthorized users within corporate LANs and across public networks.

VPN-1 SecureClient and SecureServer bring Check Point's existing firewall and policy-based security to desktops and central application servers. SecureClient also extends these same protections to remote users who dial in to corporate networks.

"This new software lets enterprises protect individual applications. It's a logical architecture," says Abner Germanow, an analyst at International Data Corp. in Framingham, Mass.

With SecureServer software installed on a Windows NT server, network administrators can use a firewall to protect the applications from unauthorized users on the LAN as well as those dialing in via an Internet virtual private network (VPN).

The new products, a new VPN reporting system and upgrades of Check Point's VPN-1/Firewall-1 software are part of the company's Secure Virtual Network architecture. The architecture extends firewall and encryption support from any network workstation or server to any other workstation or server in an enterprise net.

The new release of VPN-1/Firewall-1 software lets users link VPN-1 server gateways for backup. For example, the software enables a backup VPN-1 server to take over for another failed server, keeping individual VPN sessions alive so remote users are unaware of the failure. The servers involved would synchronize the exchange of encryption keys in order to keep the session going without interruption.

The upgraded software also backs up VPN-1 servers when they are located at different corporate sites. So if a remote user has dialed in to one VPN-1 server and it fails, the remote user's VPN-1 client software will automatically try to access a backup server located at another corporate site. In this case, though, the client's VPN session is dropped and the client would have to establish a new session with the second server.

In order for the remote user to access the same VPN resources, the two sites must be networked by some other means besides the failed VPN server - such as a dedicated line or frame relay link.

Check Point is also expanding the number of companies whose public-key infrastructures (PKI) it will support. Formerly Check Point supported just Entrust, but the list has expanded to include Netscape, Baltimore Technologies, GTE, IBM, Microsoft, Security Dynamics, Spryrus and VeriSign.

All of the companies have agreed to support an open PKI defined by Check Point, but interoperability with the other vendors' gear has yet to be certified, Check Point says.

Once compatibility has been achieved, Check Point customers will find it easier to set up VPNs with business partners who use VPN gear made by other vendors, Check Point says.

"To do VPNs properly on a large scale, you need to be able to exchange digital certificates in a variety of places," Germanow says.

Check Point is also adding reporting software that can generate reports based on the logging data gathered by the VPN-1 software. Check Point Reporting System runs on Windows NT or Solaris workstations.

The software lets network executives plan VPN capacity by monitoring and assessing actual use, the company says.

The capability is long overdue, IDC's Germanow says: "They were in dire need of this."

Pricing for VPN-1/Firewall-1 starts at $3,495. VPN-1 Secure Client costs $50 per client, and Secure Server costs $895 per server. All are available now.