By Andrew Garcia  |  Posted 2005-03-14 Print this article Print

With Connectra 2.0, Check Point Software Technologies Ltd. leverages its vast experience securing networks, applications and client endpoints to provide the most comprehensive security feature set weve seen in an SSL VPN product to date. However, the product could stand to be more interoperable and easier for administrators to use.

Like 3SP Ltd.s SSL-Explorer , Connectra 2.0 is available as a software-based distribution, which includes Check Points Linux-based Secure Platform as the underlying hardened operating system.

Pricing for the software-based Connectra 2.0 platform, which is available now, starts at $8,000 for a 50-concurrent-user license and escalates to $60,000 for 1,000 users.

Although a software-based SSL (Secure Sockets Layer) VPN is an attractive alternative for small installations that want to leverage existing server equipment, larger deployments will undoubtedly find more bang for the buck with Check Points Connectra 2.0 appliances, such as the $60,000 Connectra 6500.

Connectra provides two modes of remote access. The first is native access to Web applications, file shares and e-mail. The second is access to TCP, UDP (User Datagram Protocol) or ICMP (Internet Control Message Protocol) services via an ActiveX-based VPN client called SSL Network Extender. In tests, eWEEK Labs found that Web-based applications work well using the Mozilla Foundations Firefox browser, but access to file shares or SSL Network Extender-enabled applications will require Internet Explorer on the remote client.

Enabling SSL Network Extender increased Connectras footprint on the Internet because we also had to create a firewall rule that opened TCP port 444 in addition to SSL port 443.

Connectra provides defenses against network-level attacks such as Teardrop or Ping of Death and provides a stateful firewall to control user access to resources. However, Connectras true strength comes with the integration of Check Points Application Intelligence and Web Intelligence. Stateful firewalls are not mindful of malicious content embedded in permitted data streams, so with these services, Connectra offers defenses against FTP-, DNS (Domain Name System)- and CIFS (Common Internet File System)-based application-layer attacks.

We could also configure Connectra to defend HTTP data streams against directory traversal, cross-site scripting and SQL injection attacks and to monitor for transmissions that dont conform to the HTTP specifications.

To protect client endpoints, Connectra taps software from Check Points Zone Labs division. We configured Connectra to automatically distribute ICS (Integrity Clientless Security)—an add-on ActiveX control that performs a quick scan for many types of malware, adware and tracking cookies and verifies up-to-date anti-virus signatures for most common anti-virus applications. ICS licenses are priced starting at $3,000 for 50 users; an unlimited user license costs $15,000.

We configured Connectra to deny access to clients infected with Trojans or keystroke loggers. Indeed, ICS denied access to infected machines before log-in and reported the infection to the user with administrator-defined remediation instructions or links. However, cleaning the infection will require third-party tools. ICS does include an option to disable found malware, but we had little success getting this feature to neutralize our particular infection strains.

We could require an ICS scan to log in to the network, or we could require the scan to access certain resources. If the former is enabled, the ActiveX control cannot run for users of non-Internet Explorer browsers, and those users will be locked out of Connectra.

We could enable the Integrity Secure Browser feature, which provides a secure browsing experience to the user by encrypting session traces on the remote endpoint and deleting everything upon log-out. However, file sharing is not available natively in the Secure Browser and will need to be configured through SSL Network Extender.

Unlike many Check Point products, which are managed via Check Points SmartCenter, Connectra is configured via an integrated, secure Web interface. Administrators can upload logs to SmartCenter if they want to centrally monitor multiple Check Point devices.

Connectra includes an integrated user database and supports external LDAP and RADIUS databases, as well as certificates and RSA Security Inc.s SecurID. Connectra leverages Protection Level profiles that dictate what strength authentication is needed for a particular application or resource.

Click here to read Labs review of SecurID for Windows. For instance, we could configure Connectra so that users needed only a user name and password to log in to Outlook Web Access but required a client-side certificate to log in to file servers. The Protection Level profiles can also dictate which resources require ICS scans.

We connected the SSL VPN with our AD (Active Directory) deployment via LDAP but found Connectras LDAP configuration implementation more difficult than what weve seen in competing products from Juniper Networks Inc. or Symantec Corp. In addition, Connectra offered few tools to help connect with our directory, and the logs were surprisingly ineffective in helping us solve LDAP misconfigurations.

In Connectra, access to resources is defined by group membership, which can be defined locally or culled from external authentication servers. However, wed like to see Check Point add reporting capabilities that allow administrators to get a global view of configured access policies at a glance, without having to navigate to each individual policy.

Technical Analyst Andrew Garcia can be reached at andrew_garcia@ziffdavis.com.

Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.

Andrew cut his teeth as a systems administrator at the University of California, learning the ins and outs of server migration, Windows desktop management, Unix and Novell administration. After a tour of duty as a team leader for PC Magazine's Labs, Andrew turned to system integration - providing network, server, and desktop consulting services for small businesses throughout the Bay Area. With eWEEK Labs since 2003, Andrew concentrates on wireless networking technologies while moonlighting with Microsoft Windows, mobile devices and management, and unified communications. He produces product reviews, technology analysis and opinion pieces for eWEEK.com, eWEEK magazine, and the Labs' Release Notes blog. Follow Andrew on Twitter at andrewrgarcia, or reach him by email at agarcia@eweek.com.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel