Enterprise Security Management
CheckPoint SecuRemote VPN v4.0 for pcanywhere
White Paper

The Challenge

Virtual Private Networks (VPNs) provide a powerful means of protecting the privacy and integrity of business communications over the Internet. Organizations now have a viable alternative to expensive leased lines when connecting private networks. However, VPNs between private networks do not provide secure connections for the growing number of remote users with Internet access. A true enterprise-wide VPN must extend to include all individuals requiring access to corporate network resources via the Internet, including sales professionals, telecommuters, and trusted business partners.

The Solution

SecuRemote provides flexible VPN support for remote and mobile users and is an integral component of CheckPoint Software Technologies' comprehensive VPN solution. Using SecuRemote, Windows 95 and Windows NT users can connect to their corporate network via dial-up Internet connections and establish secure VPN sessions to access sensitive network resources. Once established, the VPN transparently encrypts and authenticates business-critical data traveling between the corporate network and the user's laptop or desktop PC to protect against eavesdropping and malicious data tampering.
Product Features

- Provides secure client-to-LAN connectivity
- Delivers high-performance IP-layer data encryption
- Encrypts confidential data before it leaves the user's PC
- Supports multiple industry-standard data encryption and user authentication protocols

Product Benefits

- Enables mobile users to securely access resources on corporate networks
- Provides compatibility with any network application and is completely transparent to the user
- Protects business communications from eavesdropping and data tampering
- Provides full compatibility with FireWall-1 security policies

Flexible Deployment

The SecuRemote software installs on any Windows desktop or laptop PC and supports all IP-based network communications. It interfaces with existing network adapters and TCP/IP network stacks for maximum compatibility. And because it performs high-performance encryption at the IP layer, SecuRemote does not require any change or modification to applications. In addition to supporting dynamic IP addressing for dial-up communications, SecuRemote can also be deployed in LAN environments using fixed IP addresses. With this level of flexibility, SecuRemote is the ideal VPN solution for both Internet and intranet deployments.

Intelligent Operation

SecuRemote maintains detailed information on all network sites within the VPN community. Each time a user requests a connection, SecuRemote intercepts the request and determines whether the destination resource resides within the encryption domain of a known FireWall-1 gateway. (An encryption domain consists of all network resources that rely on a designated FireWall-1 gateway to encrypt and decrypt data on their behalf.) Once the proper FireWall-1 gateway has been identified, SecuRemote is automatically invoked and challenges the user for proper authentication. After the user is successfully authenticated, SecuRemote negotiates with the FireWall-1 gateway and establishes a secure VPN tunnel. SecuRemote protects the privacy of all client communications by encrypting outgoing data and decrypting incoming packets. All VPN functions, including key negotiation and data encryption, are completely transparent to the user.
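The encryption-domain lookup described above can be modeled in a few lines. The following Python is an added illustration written for this page, not CheckPoint code: the site list, gateway addresses and address ranges are constructed sample data, and the function names are the example's own. It goes slightly beyond the text in two places, both assumptions of the example rather than documented SecuRemote behaviour: when two sites' encryption domains overlap, the most specific (longest-prefix) domain wins, and a destination that lies in no known encryption domain is sent in the clear.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Site:
    """One FireWall-1 gateway known to the client and its encryption domain."""
    name: str
    gateway: str                         # gateway address (constructed sample value)
    encryption_domain: Tuple[str, ...]   # CIDR blocks protected by this gateway


# Constructed sample topology (documentation addresses, not real gateways).
# The two domains overlap so the longest-prefix rule has something to decide.
SITES: List[Site] = [
    Site("corp-hq", "203.0.113.1", ("10.0.0.0/8", "192.168.10.0/24")),
    Site("lab", "203.0.113.2", ("10.50.0.0/16",)),
]


def find_gateway(dest_ip: str, sites: List[Site]) -> Optional[Site]:
    """Return the site whose encryption domain contains dest_ip, or None.

    When several domains contain the address, the most specific (longest
    prefix) wins. That tie-break is an assumption of this example.
    """
    addr = ipaddress.ip_address(dest_ip)
    best: Optional[Tuple[int, Site]] = None
    for site in sites:
        for cidr in site.encryption_domain:
            net = ipaddress.ip_network(cidr)
            if addr in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, site)
    return best[1] if best else None


def decide(dest_ip: str, sites: List[Site],
           authenticated: Set[str]) -> Tuple[str, Optional[str]]:
    """Client-side decision for one outgoing connection.

    'clear'        : destination lies in no known encryption domain
    'authenticate' : destination is protected, user not yet logged in to that gateway
    'encrypt'      : user already authenticated, traffic goes through the tunnel
    """
    site = find_gateway(dest_ip, sites)
    if site is None:
        return ("clear", None)
    if site.name not in authenticated:
        return ("authenticate", site.name)
    return ("encrypt", site.name)


if __name__ == "__main__":
    session: Set[str] = set()   # gateways the user has authenticated to
    for dest in ("198.51.100.7", "10.1.2.3", "10.1.2.3", "10.50.4.4"):
        action, gw = decide(dest, SITES, session)
        print(f"{dest:15} -> {action} {gw or ''}")
        if action == "authenticate":
            session.add(gw)     # simulate a successful SecuRemote login
```

Running the block walks one session through the three outcomes: the first connection to 10.1.2.3 triggers the authentication challenge, the second is encrypted without another prompt, and 10.50.4.4 is routed to the "lab" gateway even though it also falls inside corp-hq's 10.0.0.0/8.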
Support for Industry Standard Protocols

SecuRemote supports industry-standard VPN protocols and algorithms to deliver complete compatibility with FireWall-1 security policies.

Support for Public Key Infrastructures

SecuRemote supports public key infrastructures utilizing X.509 digital certificates and Entrust Certificate Authorities (CAs). As an Entrust Ready application, SecuRemote can request and validate Entrust certificates on a user's behalf to initiate an IKE key negotiation with a FireWall-1 gateway. Remote VPN users can now benefit from the improved security and scalability offered by public key infrastructures. To enhance user-level security for PKI deployments, SecuRemote supports the Public Key Cryptography Standard (PKCS) #11 interface for accessing information contained in hardware or software tokens. PKCS #11 compatible tokens provide secure storage of the private keys used for data encryption and digital signatures.

Enterprise Security Integration

SecuRemote works seamlessly with CheckPoint's market-leading FireWall-1 enterprise security suite. It is easy to incorporate secure remote access as part of an overall security policy by adding a single rule to the FireWall-1 rule base. And because SecuRemote establishes VPN tunnels directly with the FireWall-1 gateway, all elements of an enterprise security policy are strictly enforced, including access control, user authentication, and logging.

System Requirements

Operating Systems: Windows 95 or Windows NT (Intel x86 architecture)
Disk Space: 6 MB
Memory: 24 MB (Windows 95) - 32 MB (Windows NT)
Network Adapters: No known restrictions
TCP/IP Support: Microsoft MSTCP
Media: CD-ROM and Web download

For more information, please contact a CheckPoint Software reseller or go to www.checkpoint.com.
Check Point SecuRemote Integration with pcAnywhere 9.0

The SecuRemote VPN client offers a secure remote control session over the Internet for pcanywhere and CheckPoint customers. Customers who wish to use the SecuRemote VPN client supplied with pcanywhere need to have CheckPoint's FireWall-1 or VPN-1 installed on their network. The following procedures describe how to configure FireWall-1 or VPN-1 and SecuRemote 4.0 so that pcanywhere can be integrated with the CheckPoint VPN solution. This description assumes the administrator is familiar with the FireWall-1 or VPN-1 product and with the desired settings for his/her users. The explanation walks through the setup of the firewall first, then moves on to the installation of the SecuRemote client supplied with pcanywhere. For further information on FireWall-1, VPN-1, or SecuRemote 4.0, see the CheckPoint website at www.checkpoint.com.

To configure the firewall to accept pcanywhere traffic (only needed for FireWall-1 v4.0 SP3 or earlier versions; otherwise skip to step 5):

1 Add the pcanywhere Service Objects to the Security Policy of FireWall-1 or VPN-1. The Services dialog can be found under the Manage menu of the Security Policy window. There are two types of services to configure for pcanywhere: the TCP and UDP objects. Clicking New in the Services dialog creates these objects.

2 Select TCP. pcanywhere integration requires that the Name of this object be pcanywhere-data, the Port be 5631, and the Protocol be set to None.

3 Click OK. pcanywhere integration requires that the Name of this object be pcanywhere-stat, the Port be 5632, and the Protocol be set to None.

NOTE: Repeat the previous two steps for the UDP object.

4 Click OK. The object appears in the Services dialog.

5 Create a rule to handle pcanywhere traffic across the firewall. FireWall-1 or VPN-1 is now ready for the creation of rules to handle pcanywhere traffic. Consult the CheckPoint documentation for detailed instructions on the configuration of FireWall-1 and VPN-1.

NOTE: Once these rules have been set up, FireWall-1 is ready to start accepting pcanywhere traffic through SecuRemote.

On the client side, the user installs the appropriate SecuRemote client (Win9x or Windows NT; Windows 2000 is not currently supported) on his/her machine. During the installation, decide whether to install the client on all network adapters or on dial-up adapters only. All Network Adapters allows user authentication and encryption on the network and during dial-up sessions. Dialup Only authenticates and encrypts only during dial-up connections to the network.

6 Click Start and select SecuRemote from the Program menu. The only configuration necessary is to add the site to which the user has access.

7 Enter the IP address or name of the firewall. SecuRemote searches for FireWall-1 and returns the verification dialog box. Once verified, SecuRemote automatically completes the rest of the Site information.

The site appears in the container of the main interface. You may simply close the SecuRemote console at this point. SecuRemote now resides in the system tray and is ready to authenticate and encrypt the user's information upon connection. When a user launches a pcanywhere object to connect to a host inside the firewall, the authentication dialog box appears, and pcanywhere initializes in the background. The connection does not commence until the user has been authorized by FireWall-1. The user logs into the network using the SecuRemote Login dialog. Once SecuRemote has authenticated the user, the pcanywhere remote control session begins. From this point on, SecuRemote encrypts the user's information being passed to the network.

Note: From this point on, SecuRemote runs silently in the background.
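The two service objects and the rule from steps 1 to 5 can be checked against a small model of first-match rule processing. The Python below is an added example for this page, not CheckPoint code and not a FireWall-1 API: the service definitions use the names and ports given in steps 2 and 3 (pcanywhere-data TCP 5631, pcanywhere-stat UDP 5632), while the host name, the user-group name and the rule action label are this example's own assumptions. It makes the caveat behind the NOTE after step 3 concrete: if only the TCP object is defined, pcanywhere's UDP status traffic on port 5632 falls through to the implicit drop at the end of the rule base and the session cannot be established.

```python
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Service:
    name: str
    proto: str    # "tcp" or "udp"
    port: int


@dataclass
class Rule:
    source: Set[str]        # object names; "Any" matches every source
    destination: Set[str]
    services: Set[str]      # service object names
    action: str


# Service objects exactly as steps 2 and 3 above specify them.
REQUIRED_SERVICES: Dict[str, Service] = {
    "pcanywhere-data": Service("pcanywhere-data", "tcp", 5631),
    "pcanywhere-stat": Service("pcanywhere-stat", "udp", 5632),
}

# Constructed rule base: one rule for pcanywhere traffic from SecuRemote
# users to a host inside the firewall. The object names and the action
# label are assumptions of this example.
RULE_BASE: List[Rule] = [
    Rule({"SecuRemote-Users"}, {"pcanywhere-host"},
         {"pcanywhere-data", "pcanywhere-stat"}, "Client Encrypt"),
]


def missing_services(defined: Dict[str, Service]) -> List[str]:
    """Names of required pcanywhere service objects that are absent or
    defined with a different protocol or port than the procedure requires."""
    return [name for name, want in REQUIRED_SERVICES.items()
            if defined.get(name) != want]


def first_match(rule_base: List[Rule], defined: Dict[str, Service],
                src: str, dst: str, proto: str, dport: int) -> str:
    """First-match evaluation; anything unmatched hits the implicit drop."""
    for rule in rule_base:
        if "Any" not in rule.source and src not in rule.source:
            continue
        if "Any" not in rule.destination and dst not in rule.destination:
            continue
        for name in rule.services:
            svc = defined.get(name)   # an undefined object matches nothing
            if svc is not None and svc.proto == proto and svc.port == dport:
                return rule.action
    return "drop"


def pcanywhere_session_ok(rule_base: List[Rule], defined: Dict[str, Service],
                          src: str, dst: str) -> bool:
    """pcanywhere needs both the data channel and the status channel accepted."""
    return (first_match(rule_base, defined, src, dst, "tcp", 5631) != "drop"
            and first_match(rule_base, defined, src, dst, "udp", 5632) != "drop")


if __name__ == "__main__":
    only_tcp = {"pcanywhere-data": REQUIRED_SERVICES["pcanywhere-data"]}
    print("missing with both objects:", missing_services(REQUIRED_SERVICES))
    print("missing with TCP object only:", missing_services(only_tcp))
    print("session with both objects:",
          pcanywhere_session_ok(RULE_BASE, REQUIRED_SERVICES,
                                "SecuRemote-Users", "pcanywhere-host"))
    print("session with TCP object only:",
          pcanywhere_session_ok(RULE_BASE, only_tcp,
                                "SecuRemote-Users", "pcanywhere-host"))
```

The missing_services check is the useful part for an administrator: run it against whatever service definitions the policy actually contains before creating the rule in step 5, since a rule that references a service object which does not exist, or exists with the wrong port, silently matches nothing for that channel.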