© Copyright 2009, 2010
Check Point Software Technologies Ltd.
This document may be freely reproduced and distributed whole and intact including this Copyright Notice.
CHECK POINT CONNECTRA
Overview
Check Point's Connectra is a tightly integrated firmware solution
combining sophisticated IPsec and SSLv3 Virtual Private Network (VPN)
technologies with a hardened Operating System (OS). Connectra allows
mobile and remote workers to connect easily and securely to critical
resources while protecting enterprise networks and endpoints from
external threats. A broad range of connectivity scenarios coupled with
integrated intrusion prevention and unified with powerful central
management offer unprecedented control over remote access
configurations and security policy administration. As a first line of defense,
Connectra offers comprehensive endpoint security to protect networks and
endpoints from debilitating viruses, malware and malicious attacks.
Connectra is integrated with Check Point's SecurePlatform, a customized
and hardened Operating System, with no unnecessary components that
could pose security risks. SecurePlatform is pre-configured and optimized
to perform its task as a network security device. An embedded Apache
server daemon (httpd) supports centralized administration over TLS using
a SmartCenter administration server.
Connectra is designed to allow secure access to an organization's
resources to multiple users over an unsecured TCP/IP network. Executing
in a DMZ behind a firewall, the Connectra system performs all the required
security functions and provides the following high-level functionality:
• Secure, authenticated and encrypted sessions with Clients and subsystems.
• Secure IPsec and TLS VPN between subsystems.
• Central security administration.
Figure 1 shows a configuration where Connectra™ is deployed on a LAN.
Figure 2 shows a configuration where Connectra™ is deployed in a DMZ.
When deployed in a LAN, the remote user opens a browser and initiates
an HTTPS request to the Connectra™ gateway. Sessions initiated using
HTTP will be redirected automatically to HTTPS. The SSL connection is
terminated within the LAN, and the clear text requests forwarded to the
internal servers. The internal servers reply "in the clear" to Connectra™,
which encrypts the back connection to the remote user. In the scenario
shown in Figure 2, the perimeter firewall must be configured to allow
encrypted SSL traffic to Connectra™.