puresecurity

VPN-1 SecureClient
Enhanced VPN-1 connectivity

Product descriPtion
VPN-1 SecureClient extends the VPN to remote users for safe network access and communication and enables administrators to enforce desktop policies for additional security.

YOUR CHALLENGE
As employees become more mobile and organizations continue to deploy remote access VPNs, security and network managers face key security challenges. These include providing appropriate levels of access to corporate resources, protecting remote desktops or other client systems from compromise, and efficiently managing security and policy updates for these diverse remote access points.

Product features
n

Secure remote connections to VPN-1 gateways User-friendly interface and easy deployment Support for industry-standard VPN protocols Security policy enforcement extends to the desktop

OUR SOLUTION
Check Point VPN gateways extend the VPN to remote users, enabling them to communicate securely and access corporate networks. All data is encrypted before it leaves the remote PC or mobile device, making connections completely secure. The VPN client transparently encrypts and authenticates critical data to protect against eavesdropping and malicious data tampering. VPN-1 SecureClient extends security to the desktop by allowing security administrators to enforce desktop security policies for remote users. This functionality is critical in protecting corporate networks from unauthorized agents gaining access to the network by first gaining access to a remote user machine. VPN-1 SecureClient is supported by SmartDefense Services, which maintain the most current preemptive security for the Check Point security infrastructure. To help you stay ahead of new threats and attacks, SmartDefense Services provide real-time updates and configuration advisories for defenses and security policies.

Product benefits
n

Enables local and remote users to securely access resources on the corporate network Provides authentication solutions that best meet your needs Defends remote PCs and handheld devices from attacks Protects against new threats through SmartDefense Services

corporate network

Dial-up internet VPN-1 Power Gateway Wireless VPN-1 SecureClient DSL or Cable Modem

VPN-1 SecureClient

VPN-1 SecureClient

SecureClient Mobile

VPN-1 SecureClient enables state-of-the-art remote access VPNs.

The NGX platform delivers a unified security architecture for Check Point.
1

VPN-1 SecureClient

VPn-1 securecLient
Check Points VPN-1 SecureClient provides the following features to help you take charge of your resources and maintain integrity of remote systems.

adVanced VPn-1 securecLient VPN-1 SecureClient provides enhanced functionality for supporting the security of remote clients. desktop security policy It protects remote client machines by enforcing desktop security policies on the remote client. The administrator can centrally define desktop security policy rules for users or groups of users, enabling organizations with different types of remote userssuch as sales or IT staffto tailor client security policies to varying user needs. These policies not only protect the data on client machines from unauthorized access, but also eliminate vulnerability to attacks from fellow users on shared networks. Unauthorized access attempts can either be logged and viewed within VPN-1 SecureClient or sent as alerts to a SmartCenter management server. secure configuration verification VPN-1 SecureClient strengthens enterprise security by ensuring client machines cannot be configured to circumvent the enterprise security policy. Using secure configuration verification (SCV), managers can specify SCV checksa set of predefined conditions for a securely configured client system. These checks are performed regularly to ensure that remote client machines comply with the organizations security policies. In addition to these predefined checks, security administrators can define custom checks. For example, an SCV check can be written to ensure that VPN-1 SecureClient users are running the most current version of antivirus software. Multiple connectivity modes VPN-1 SecureClient provides various modes to address a variety of connectivity and routing issues faced by remote users. Office Mode addresses routing issues between the client and the gateway by encapsulating IP packets with the remote users original IP address, thereby enabling users to appear as if they were in the office while connecting remotely. Office Mode also provides enhanced antispoofing by ensuring that the IP address encountered by the gateway is authenticated and assigned to the user. Visitor Mode enables employees to access resources while they are working at a remote location such as a hotel or a customer office, where Internet connectivity may be limited to Web browsing using the standard HTTP and HTTPS ports. Hub Mode enables rigorous, centralized inspection of all client traffic, removing the need to deploy security functions to multiple offices, and giving employees secure client-to-client communications such as Voice over IP (VoIP) or Internet conferencing using applications like Microsoft NetMeeting.

fLeXibLe connectiVitY oPtions

VPN-1 clients support dynamic and fixed IP addressing for dial-up, cable modem, or digital subscriber line (DSL) connections. This flexibility makes VPN clients the ideal solution for telecommuters and mobile workers who need to access their company networks via an Internet service provider (ISP), wireless hot spot, or hotel Internet access connection. easy deployment The tight integration of VPN-1 clients with VPN-1 gateway solutions makes it easy to incorporate secure remote access as part of an overall security policy. For easy deployment of remote access VPNs, Check Point VPN technology features a One-Click format. Remote access VPNs can be created by simply placing all participating VPN-1 clients and users into a VPN community, which enables organizations to define the security parameters for an entire group of remote users. As new members are added to the community, they automatically inherit the appropriate properties and can immediately establish secure remote access connections to the corporate network. flexible authentication In addition to pre-shared secrets and X.509 digital certificates natively supported by the IPSec standard, VPN-1 clients support multiple authentication schemes such as SecurID tokens, username and password, RADIUS, TACACS, and other third-party authentication methods, such as biometrics. This flexibility allows organizations to leverage existing authentication technologies and infrastructure. Organizations that want strong authentication without incurring expensive PKI setup costs can use Check Points Internal Certificate Authority (ICA), which is tightly integrated with VPN-1 gateways, to issue X.509 digital certificates to client users and gateways for secured communication. High availability Check Points VPN load distribution feature is a HighAvailability and load-sharing solution for remote access VPN connections. Inbound VPN connections can be distributed across a cluster of VPN-1 gateways. If one gateway fails, new VPN connections will automatically connect to remaining cluster members.

Enhanced VPN-1 connectivity

simplified remote user experience VPN-1 SecureClient uses a rich, full-featured GUI that simplifies the remote users connectivity experience. Installation wizards guide the remote user through client installation and site destination creation. In addition, multiple authentication credentials can be stored so that users can seamlessly connect to sites with different access requirements without having to reconfigure the settings each time they connect to a site.

Wizard to assist remote users with site destination creation.

Users can enable Auto Connect mode, which prompts them with a connection dialog box upon seeing a network connection. Connection status messages alert users to the progress of their connection attempts. Status View windows detail connection status and troubleshooting indicators such as network activity counters.

Integrated connection and authentication window.

Status View with detailed connection information.

Continued on page 4
3

streamlined software distribution and management It includes features to streamline the initial distribution and ongoing maintenance of client software. These features dramatically decrease end-user support costs associated with VPN management and improve overall security by ensuring that client software installations are always consistent and current. VPN-1 SecureClient supports MSI and is interoperable with all major software distribution packages. complete remote access protection Integrity SecureClient combines the market leading capabilities of VPN-1 SecureClient and Integrity to deliver the most advanced remote access connectivity, endpoint protection, and network access policy enforcement in one solution. Combining multiple safeguards into a single package makes it easier to deploy and manage critical endpoint defenses, from the same unified security platform as other Check Point products. secure, uninterrupted remote access for mobile devices SecureClient Mobile gives Windows Mobile device users secure, uninterrupted remote access to resources protected by Connectra and VPN-1 gateways. Mobile workers can now roam across networks and change connection status without losing their session or constantly reentering their credentials. With an intuitive user interface and minimal impact on device resources, SecureClient Mobile minimizes administrative effort and provides central management from the same platform used to manage PC remote access. suPPorted PLatforMs
Windows 2000, 2003 Server, XP, XP Tablet PC Edition Windows Pocket PC 2003/SE, Windows Mobile 5.0 Smartphone Mac OS 10.3, 10.4.6, and higher (Universal Binary)

Advance Status View window.

compact view versus extended view VPN-1 SecureClient can be configured to provide remote users with an Extended View that has the full feature set. Alternately, organizations with a single site and gateway configuration may choose Compact View for maximum remote ease-of-use. Because Compact View is preconfigured, remote users do not need to perform site or profile management. Connection and setting dialog boxes have also been simplified to provide only essential features.

20032007 Check Point Software Technologies Ltd. All rights reserved. Check Point, AlertAdvisor, Application Intelligence, Check Point Express, Check Point Express CI, the Check Point logo, ClusterXL, Confidence Indexing, ConnectControl, Connectra, Connectra Accelerator Card, Cooperative Enforcement, Cooperative Security Alliance, CoSa, DefenseNet, Dynamic Shielding Architecture, Eventia, Eventia Analyzer, Eventia Reporter, Eventia Suite, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer, FloodGate-1, Hacker ID, Hybrid Detection Engine, IMsecure, INSPECT, INSPECT XL, Integrity, Integrity Clientless Security, Integrity SecureClient, InterSpect, IPS-1, IQ Engine, MailSafe, NG, NGX, Open Security Extension, OPSEC, OSFirewall, Policy Lifecycle Management, Provider-1, Safe@Home, Safe@Office, SecureClient, SecureClient Mobile, SecureKnowledge, SecurePlatform, SecurePlatform Pro, SecuRemote, SecureServer, SecureUpdate, SecureXL, SecureXL Turbocard, Sentivist, SiteManager-1, SmartCenter, SmartCenter Express, SmartCenter Power, SmartCenter Pro, SmartCenter UTM, SmartConsole, SmartDashboard, SmartDefense, SmartDefense Advisor, Smarter Security, SmartLSM, SmartMap, SmartPortal, SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartViewTracker, SofaWare, SSL Network Extender, Stateful Clustering, TrueVector, Turbocard, UAM, UserAuthority, User-to-Address Mapping, VPN-1, VPN-1 Accelerator Card, VPN-1 Edge, VPN-1 Express, VPN-1 Express CI, VPN-1 Power, VPN-1 Power VSX, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 UTM, VPN-1 UTM Edge, VPN-1 VSX, Web Intelligence, ZoneAlarm, ZoneAlarm Anti-Spyware, ZoneAlarm Antivirus, ZoneAlarm Internet Security Suite, ZoneAlarm Pro, ZoneAlarm Secure Wireless Router, Zone Labs, and the Zone Labs logo are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. ZoneAlarm is a Check Point Software Technologies, Inc. Company. All other product names mentioned herein are trademarks or registered trademarks of their respective owners. The products described in this document are protected by U.S. Patent No. 5,606,668, 5,835,726, 6,496,935, 6,873,988, and 6,850,943 and may be protected by other U.S. Patents, foreign patents, or pending applications. February 28, 2007 P/N 502426

Worldwide Headquarters
3A Jabotinsky Street, 24th Floor Ramat Gan 52520, Israel Tel: 972-3-753-4555 Fax: 972-3-575-9256 Email: info@checkpoint.com
4

u.s. Headquarters 800 Bridge Parkway Redwood City, CA 94065 Tel: 800-429-4391; 650-628-2000 Fax: 650-654-4233 www.checkpoint.com