March 19, 2001 12:00 AM

VPN Gateways

Windows IT Pro
InstantDoc ID #20068

VPN-1 Gateway 4.1
Primarily known for its excellent firewall products, Check Point also has a foothold in the VPN market. Check Point sent me the VPN-1 Gateway SP1 package, its combination VPN-1 and Firewall-1 product for NT Server. (The VPN-1 management and firewall modules don't support Win2K.) The hard-copy and PDF-based documentation effectively describes the technology and the complex software. The inclusion of a Recommended Reading section is a nice touch.

The installation, however, wasn't as pleasant. I ran the standard Check Point installation program on my test gateway and found myself in an annoying installation loop. Check Point had sent me an invalid evaluation license key, so the installation failed. Because the installation failed, the process never installed the uninstallation program. Therefore, I had a half-installed firewall-and-VPN gateway. After a brief call to Check Point's extremely helpful technical support team, I obtained a new key. With the new key, I completed the installation and was ready for configuration.

You must install the software's firewall component—a requirement that might be a disadvantage if you already have another vendor's firewall in place. (Running two firewalls is becoming increasingly common, however.) The VPN-1 Gateway architecture is a bit more distributed than that of other VPN solutions, but the installation program gives you the option of installing the management and firewall modules on one server. VPN-1 Gateway consists of three components: the Policy Editor GUI, in which you manage the policies and configure VPN and Firewall services; the Management Module, which stores all the policies, databases, logging files, and other object information files; and the Firewall Module, which inspects the packets on its defined network interfaces. I installed the Policy Editor on the back-end host behind the gateway, and I installed the Management Module and Firewall Module on the Compaq gateway.

You can connect the VPN clients to VPN-1 Gateway in two ways. You can use the SecuRemote client, which is a typical VPN client that lets remote (i.e., Internet-connected) and local (i.e., intranet-connected) users establish secure tunnels to VPN-1 Gateway. Alternatively, you can use the more secure SecureClient.

The SecureClient has a nice feature that lets you dictate to remote clients how the system handles incoming connections. You can use the Policy Editor to set up policies that deny incoming connections to the remote client, thereby ensuring that an intruder can't "piggyback" a connection from the gateway to the client. (A piggyback attack occurs when an intruder exploits the remote VPN client's vulnerability and breaks into the corporate network through the remote client's established tunnel.) You install SecureClient on the remote PCs—and local PCs, if you want to establish a VPN on the local private subnet—that you want to tunnel into the corporate LAN.

I installed the SecureClient on the test laptop. The SecureClient installation is somewhat less rigorous than a full firewall installation, but I wouldn't want to perform the installation over the phone with a CEO. You can choose from an assortment of authentication mechanisms—from a gateway-established user account and password to a more elaborate mechanism such as RADIUS or RSA Security's SecurID. I chose the simple gateway user ID and password mechanism.

The documentation was indispensable as I set up users, groups, encryption domains, and tunnels—all of which the product requires for proper operation. I quickly set up a temporary user, all the appropriate network entities, and the rules to which my test laptop would adhere when connecting into the back-end host behind the gateway.

I launched the Policy Editor, which Figure 7 shows, and successfully connected to the gateway. Policy Editor boasts the impressive and popular Check Point firewall interface, and VPN administration is essentially a function of firewall administration. Only after you learn the fundamentals of the Check Point firewall and Policy Editor will you be able to set up appropriate rules for VPN communication—and standard Check Point firewall schemes.

The bottom line is that this solid product is a firewall solution that gives you VPN functionality. Because of the product's comprehensive and complex nature, its installation was cumbersome. The configuration was also difficult, but after delving into the excellent printed and online documentation, I finally established a tunnel between my remote laptop and back-end server. VPN-1 Gateway's price is reasonable when you compare the product's excellent support and abundant features with those of its competitors.

Choose Carefully
Implementing a VPN solution on a network can be expensive and labor-intensive, especially if the solution involves a firewall installation. Take your time, read the documentation twice, install the demonstration versions, and choose wisely.

VPN-1 Gateway 4.1
Contact: Check Point Software * 650-628-2000 or 800-429-4391
Web: http://www.checkpoint.com
Price: $15,500 for 100 users (with SecureClient)
Decision Summary
Pros: Excellent documentation; great GUI; full-featured firewall; good flexibility
Cons: Tedious installation and licensing; expensive (if you don't need the firewall functionality); complex configuration

Comments
  • Anonymous User
    7 years ago
    Apr 21, 2005

    You have got to be ******** me! Do you work for Symantec or what? Norton's and the majority of other AV products BLOW DOG. I prefer Grisoft's AVG simply because it's reliable and, wait for it (cue drum roll) - It's FREE for personal use. I guess this will only last till they decide to get greedy like the rest of 'em (once they build a user base up). Anyway, this article is about F-Secure+ VPN not friggin AV, so who gives a **** if your box got eaten by a horde of virii, worms or what have you.
    I'll certainly give the VPN server a go. RRAS on my dodgy Win2003 server install is broken (I had the same problem with Win2K) and it's an easier option to try this than go through a server re-build. If I have to go down that path, I think I'll go with Linux which is what my firewall is running and it never gives me any grief.

  • Anonymous User
    8 years ago
    Oct 26, 2004

    Hey, Grega! F-Secure has the BADDEST Antivirus protection ever! I've used it for a while, and switched fast over to Norton's solutions, because they're much more polite and stable.

  • grega
    8 years ago
    Jan 26, 2004

    F-secure are the best articles ever. I had many viruses in my machine, and I had installed Norton 2004. Norton didn't discover that more than 1000 files on my hard drive were infected by the win32Parite/b virus. Maybe it did, but too late; I deleted it when F-secure said that the computer was infected. I installed the trial version of F-secure 2004, and after a restart, the anti-virus found the viruses. It discovered Trojans (host.dll) and more. I still cannot believe that this anti-virus is so strong. I was thinking that Norton is the best. I was checking the internet and I found this product. I smiled and said, "this one is bad!", but I tried it anyway. From now on, this anti-virus is my favourite product. I told my friends about it and they were surprised. That anti-virus is quick, careful, nice and, most important, strong. I decided to buy the full version of F-secure anti-virus 2004. It really is a good keeper of my PC. It's cool. It doesn't take much hard drive space, it is quick, strong... In one sentence: F-secure is the BEST PROTECTION :)

  • Dwight Krossa
    11 years ago
    Jul 12, 2001

    Microsoft's Built-in VPN Solution


    Michael Norian's Lab Comparative: "VPN Gateways" (April 2001) is in-depth and comprehensive. However, I want to clarify one inaccuracy in the article.


    The sidebar "What About Win2K?" implies that the Windows 2000 built-in VPN solution requires Active Directory (AD) and a Win2K domain. Not so: The built-in VPN solution doesn't require either. Although AD provides optimal manageability, you can use the built-in VPN solution on its own. Because it's well integrated into the OS, the built-in solution lets IT provide a markedly improved user experience in situations such as dialing in to the corporate network.


    Microsoft offers an industry standard IP Security (IPSec) client in Win2K Professional and comprehensive VPN solutions in Win2K, Internet Security and Acceleration (ISA) Server 2000, and Small Business Server 2000. Microsoft's VPN solutions let remote users access a private network across the Internet, permit a remote office to connect to the corporate network through a persistent connection or an on-demand router-to-router VPN connection, and enable businesses to build an extranet to communicate securely with business partners. Customers can choose to deploy IPSec-based VPNs that integrate with Windows environments and provide transitional support for older Windows platforms through PPTP. I encourage readers to consider these integrated options when they look for a VPN solution.


Windows is a trademark of the Microsoft group of companies. Windows IT Pro is used by Penton Media Inc. under license from owner.