Features & Benefits:
Product Features
- Integrated firewall, VPN, and intrusion prevention
- Accelerated security for throughput up to 12 Gbps
- Centralized, policy-based security management
Product Benefits
- Ensures consistent, proven security across a distributed
network
- Increases security performance to support high-demand
environments
- Enhances the ability to deploy new applications quickly
without security concerns
- Protects against new threats through SmartDefense™ Services
- Simplifies management of complex security infrastructures
Providing an Active Defense Against Threats:
VPN-1 Power protects against next-generation threats and
attacks by providing truly integrated security based on FireWall-1®
and SmartDefense™ intrusion prevention technologies. FireWall-1
and SmartDefense cooperate as if they were a single application—the
level of effort needed to combat today’s blended threats.
FireWall-1 is based on Check Point-patented Stateful Inspection,
the de facto standard for Internet security. It understands
the context of network traffic and provides out-of-the box support
for more than 150 predefined applications, protocols, and services
such as Citrix, Oracle, Web conferencing, and more. Because
it is extensible, FireWall-1 quickly adapts as new applications,
which need to be secured, appear on your network.
SmartDefense intrusion prevention uses Application Intelligence™
technologies to understand how applications and protocols should
work. With this information, SmartDefense intrusion prevention
can preemptively block entire classes of attacks based on suspicious
behavior. You stay protected as new variants appear—without
the need for signature updates that do not appear until after
the threat has done its damage. And Check Point SecureXL™ security
acceleration technology enables you to provide preemptive intrusion
prevention protection at throughput of more than 5 Gbps—with
all default protections active on an open server
This intelligence also means companies can deploy advanced
applications such as video and voice with the confidence that
unknown vulnerabilities cannot endanger the network. As IT security
departments deploy VoIP throughout a distributed network, VPN-1
Power prevents disruptive attacks by ensuring that VoIP sessions
adhere to standards and to specific vendor implementations.
It also prevents denial-ofservice (DoS) attacks against your
communications system by recognizing suspiciously high numbers
of call attempts that would signal a possible attack.
Likewise, you can stop potentially vulnerable applications
such as IM clients that do not adhere to corporate standards
or peer-to-peer file trading that crosses your VPN-1 Power security
gateway. A common vector for spyware and malware to enter the
network, these applications can be difficult to stop because
of built-in masquerading techniques. VPN-1 Power security gateways
recognize these attempts and provide the means to establish
control over potentially harmful applications.
To reduce the risk of internal endpoint security violations,
VPN-1 gateways integrate with Integrity™ endpoint enforcement.
As internal hosts attempt to access resources beyond a VPN-1
gateway, it will check for the presence of an Integrity endpoint
security client and determine whether the host complies with
your security policy. Administrators either can deny noncompliant
hosts access or log them as noncompliant for later action.
VPN-1 gateways also work with computers that have the integrated
Intel vPro system to provide an extra layer of internal security.
If a computer with a vPro-enabled network interface card (NIC)
attempts to violate security policy, VPN-1 can lock it down,
preventing further network access.
Integrated protection for Web servers
Organizations can deploy Web Intelligence™, an optional Web
application firewall, on VPN-1 Power security gateways to provide
advanced Web application security. Web Intelligence protects
Web applications from common hacking techniques such as command
injection, cross-site scripting, directory traversal, LDAP injection,
and SQL injection. Web Intelligence also includes Malicious
Code Protector™, a patent-pending technology that prevents buffer-overflow
attacks. Malicious Code Protector uses a unique detection mechanism
that analyzes the behavior of executable code, catching malicious
attacks without the aid of signatures, stopping both known and
unknown attacks.
VPN-1 UTM Power: Accelerated security with content inspection
Because some organizations desire the content inspection capability
found in unified threat management solutions, customers have
the option of purchasing VPN-1 UTM Power. VPN-1 UTM Power provides
the accelerated security found in VPN-1 Power but complements
it with integrated antivirus and Web filtering. Updated through
SmartDefense Services, these features enable a higher level
of security for email, Web, and other content-driven traffic.
SmartDefense Services
VPN-1 Power security gateways are supported by SmartDefense
Services, which maintain the most current preemptive security
for the Check Point security infrastructure. To help you stay
ahead of new threats and attacks, SmartDefense Services provide
real-time updates and configuration advisories for defenses
and security policies. SmartDefense Services, a subscription-based
solution for all Check Point products, enable your defenses
to evolve with or ahead of threats by enhancing existing defenses
and adding new defense techniques between regularly scheduled
product upgrades.
Total Control, Total Visibility:
Key to your security objectives’ success is having strong
management, auditing, and analysis tools for your overall security
environment. As part of a Check Point unified security architecture,
VPN-1 Power provides unified control over security policy and
unified visibility into security information across a distributed
security infrastructure. Using SmartCenter™ Power, you can define
one policy that is enforced across all VPN-1 Power, VPN-1 UTM,
and VPN-1 UTM Edge™ security gateways. By working on a single
policy, you reduce the risk of configuration error and the time
required to manage your security
SmartCenter Power increases your organizational efficiency
by providing control and visibility over other Check Point solutions
within your network. Connectra Web security gateways, InterSpect
internal security gateways, and Check Point Integrity™ endpoint
enforcement all integrate with SmartCenter Power so that you
can easily view your complete security infrastructure’s security
events from a single console.
As new security features like content inspection are added
to VPN-1 gateways, organizations can update SmartCenter without
doing a full upgrade by using plug-in management updates. Updating
other Check Point security solutions from a central location
with SmartUpdate lowers the cost and complexity of keeping security
up-to-date and shortens the time needed to ensure all gateways
have the latest security protections—decreasing your exposure
to attack.
The Check Point SmartView Tracker integrated log viewer unifies
the logs from Check Point solutions distributed throughout your
network. You gain immediate awareness of important security
events through a single information view for logs and can take
appropriate action instantly.
VPN Connectivity with Total Security:
Because organizations are dealing with increasingly complex
virtual private networks, VPN-1 Power contains a comprehensive
set of technologies to build remote access and site-to-site
VPNs that simplify configuration while still maintaining flexibility
for different deployment scenarios.
Simplifying complex site-to-site
VPNs With the increased complexity of linking sites together
for video, voice, and other applications, organizations need
tools to lay out complicated topologies with minimal effort.
VPN-1 Power meets that need by providing a unified method to
create and manage complex VPNs. The SmartDashboard™ enables
administrators to define participants—including third-party
VPN gateways—in large-scale VPNs. VPN gateways can be configured
for both star and mesh topologies in minutes with minimal management
overhead for shared secrets through an integrated certificate
authority. Providing even more flexibility, VPN-1 Power includes
two methods to define and create VPNs:
Route-based VPNs—administrators define what traffic should
be encrypted by VPN rules, enabling the creation of complex
large-scale site-to-site VPNs in dynamic environments. Route-based
VPNs also support the extension of dynamic routing and multicast
communities across VPNs
Domain-based VPNs—administrators define which resources behind
the gateway should have encrypted VPN traffic
Flexible remote access support
Every enterprise has unique requirements for remote access,
depending on the types of users, the applications, and the level
of endpoint security needed. You gain the flexibility to meet
the different needs of remote users with both IPSec and SSL
VPN technologies for remote access supported within VPN-1 Power:
- VPN-1 SecuRemote—VPN-1 SecuRemote offers basic IPSec
connectivity for remote users
- VPN-1 SecureClient—VPN-1 SecureClient offers complete
IPSec connectivity with an integrated, centrally managed
desktop firewall
- Integrity SecureClient—Integrity SecureClient extends
the security found in VPN-1 SecureClient with Integrity
endpoint security, based on the award-winning ZoneAlarm®
personal firewall
- SecureClient Mobile—SecureClient Mobile delivers firewall
protection and secure, uninterrupted remote access for wireless
devices such as mobile phones
- SSL Network Extender—SSL Network Extender™ is an on-demand
client that provides full network-layer secure access through
a browser plug-in, enabling remote users to access email
or other network applications in their native interfaces
- Integrity Clientless Security—Integrity Clientless Security
mitigates risks from unmanaged PCs connecting to Web-facing
resources, enforcing prelogin security policy, blocking
spyware, enabling on-demand, end-to-end session confidentiality,
without preinstalled clients
SmartDashboard enables centralized control over not only
VPN-1 Power but also an entire security infrastructure.
Building a secure VPN
A key element in Check Point’s philosophy is that VPN connectivity
must be matched with a high level of security. By truly integrating
FireWall-1 and SmartDefense with VPN technologies, VPN-1 Power
enables you to connect remote users, sites, and partners without
worrying that your VPN will become a network backdoor. At your
discretion, VPN-1 Power can apply the entire security policy
to encrypted traffic, a subset of traffic, or allow VPN traffic
to enter uninspected.
In addition, it provides strong security for the VPN against
DoS attacks such as those directed against the Internet Key
Exchange (IKE) mechanism. VPN-1 Power implements a unique solution
for IKE DoS, asking unknown gateways attempting to connect to
solve a computationally intensive problem before allocating
resources.
High Performance and Availability:
VPN-1 Power delivers accelerated security of more than 12
Gbps on an open server, guaranteeing the availability of information
without compromising security. Using Check Point-patented SecureXL™
security acceleration, VPN-1 Power security gateways enable
you to get maximum performance from open servers and appliances
even during DoS attacks.
VPN-1 Power uses advanced streaming technologies that allow
packet processing to be performed at the kernel level, significantly
improving network- and application-layer inspection, typically
a computing-intensive task. Combining the SecureXL framework
and streaming technology with Check Point’s commitment to open
systems delivers industry-leading performance at the lowest
possible cost.
Integrated VPN Quality of Service (QoS)
QoS is a requirement for any VPN where performance is important
and congestion on the Internet link may occur. FloodGate-1 ensures
optimum performance for missioncritical VPN-1 traffic, enabling
customers to migrate critical business traffic from private
WANs to the Internet.
High availability and load sharing
ClusterXL distributes traffic of all types across a cluster
of VPN-1 Power gateways. If a gateway becomes unreachable, all
connections are seamlessly redirected to the remaining cluster
members. By adding an optional ClusterXL module, near-linear
performance gains can be achieved by adding cluster members.
Nonstop forwarding
Combined with dynamic routing protocols such as BGP or OSPF,
ClusterXL delivers the industry’s only highavailability enforcement
point with graceful restart. VPN-1 Power significantly improves
the availability of mission-critical applications, eliminating
unnecessary ripple effects. Ripple effects are caused by changes
in routing tables when VPN-1 Power gateways become unavailable,
which can disrupt traffic forwarding for more than 10 minutes.
Check
Point VPN-1 UTM Power