Introduction to Check Point SSL VPN vs IPSEC VPN Part 2

Captions
Yes, Shalom, and welcome everyone. I want to welcome you once again to Check Point Training Bytes. In Check Point Training Bytes we're reviewing advanced training on Check Point products, features and blades, and in this training module we'll be looking at Check Point VPNs. Check Point offers two kinds of VPNs: we offer the IPsec VPN and also the SSL VPN. In this training module we'll be discussing both of these VPN technologies, and we're gonna break down these technologies and discuss the key advantages between them, and this will help give us a better understanding of how they work.

Before we get started, let's take a quick look at the agenda of this training module. We're going to start this lecture by first discussing the two different VPN solutions: how each solution has some advantages and some strengths, why some customers might prefer one solution over the other, and then again why there might be a need to have both solutions depending on the problems and situations being encountered. Then we're gonna start by dissecting one of the primary differences between both solutions, which is how each solution works with regard to the OSI model, the OSI layer, and so in essence what are some of the pros and some of the cons for each VPN method. Next we're going to look at another consideration, which is: do you want to have a client application installed, or do you want to just use a modern browser to authenticate and connect to the corporate office? What are some of the advantages of going client versus clientless, which means: do you want to use a VPN client application installed on your PC, or do you just want the simplification of using a browser with its default inherent SSL capabilities? Finally, we're going to discuss another major concern, which is how simple or complex each solution is, what are some of the benefits each solution offers, and under what considerations and circumstances would you want to use one solution over the other.

One final note before we get started: I would like to remind you all to make sure you also review the summary at the end of this video. Here is where I summarize the key takeaways from this lecture, but sometimes I also include some important nuggets that I forgot to include in the main body.

So now let's get started. In this training video we'll start to really dissect the differences between the IPsec protocol versus the SSL protocol. We will see that each protocol offers some advantages, that each protocol has specific features and strengths, and how each protocol can be used and implemented differently. But note: I did not create this video to give you the knowledge on what blade to purchase, but instead I created this video to give you the knowledge on how they work and how they are different, so you can understand why Check Point offers two different VPN solutions. In fact we have many customers that have purchased and use both VPN blades, and so there might be some users or clients that need all of the IPsec capabilities, or we also might have some clients or users that need all the SSL strengths. But then again this could be the same user: depending on the different circumstances, depending on the situations and scenarios that the user finds himself in, the user might launch either the IPsec VPN client, or in other scenarios he might launch the SSL VPN.

Now in comparing both VPN solutions, let's first start off by talking about security. Both pretty much offer the same level of security, and here I'm not talking about encryption keys and strengths, but I'm referring back to the CIA model, with the scales being pretty evenly balanced between both VPN solutions. What I mean by this is that they both offer VPN encryption; they both can encrypt the data for confidentiality; they both can keep the data secure and private; they both offer data integrity to guarantee that data has not been tampered with and also not been modified while in transit; and also they both offer authenticity, which makes sure that the authorship has been verified and proven to come from the original source. And so there must be other reasons to choose either VPN method, with the scales being tipped in either direction depending on which features are required and which features are desired.

All right, so now let's start talking about some of the major differences that separate the IPsec protocol versus the SSL protocol. One of the major features that tips the scale in favor of the IPsec protocol is that pretty much any application that uses the TCP or UDP protocol can be encapsulated and encrypted through an IPsec VPN tunnel, and this is not the case with SSL VPN. SSL VPN can only encrypt certain applications; we will see that in a moment. And so this, I believe, is the IPsec protocol's best VPN selling point, and I think it's the biggest advantage that the IPsec protocol has over the SSL protocol, in that the IPsec VPN protocol runs deep inside the kernel, deep inside the operating system kernel. And so the IPsec protocol runs deep inside layer 3 of the OSI model, in the network stack of the operating system, and this really means that every encapsulated segment, every layer 4 segment that needs to be encapsulated into a layer 3 packet, not only will it be encapsulated into a layer 3 packet, but at the same time it can also be encrypted within layer 3 if needed. This in essence means that every application that runs the TCP protocol, every application that runs the UDP protocol, can be encapsulated inside a layer 3 IPsec packet, which really means that every application can work over an IPsec VPN tunnel. And even better than that, not only every application but every layer 3 protocol, like ICMP and IGMP, can also be encrypted within an IPsec layer 3 VPN.

So let's draw a visual to see how this works. When the data is encapsulated down the OSI layers of the desktop's kernel and the packet reaches layer 3, the network layer of the TCP stack, the VPN routing engine recognizes the packet needs to be sent through a VPN tunnel. The VPN routing engine requests the VPN daemon to establish and negotiate a VPN tunnel, and so the VPN daemon will negotiate a VPN tunnel with its peer; it will negotiate the keys and encryption methods that will be used later on in the VPN tunnel. And so when the tunnel negotiation is completed, these keys and encryption methods will be used to encrypt the packet, and so then the layer 3 packet is encrypted. When the layer 3 packet is encrypted, it encrypts the whole packet: not only does it encrypt the packet's payload, but it also encrypts the original header, the original IP addresses, the original port numbers. Then it adds its own IPsec header, its own IPsec IP header, and forwards the traffic through the internet on its way to the peer, which is the packet's destination IP address.

In comparison, what SSL VPN is, is that SSL is a layer 6 protocol, in that it works in layer 6, and it can only, theoretically, encrypt only layer 7 applications. And so any application that runs in layer 7 can use the SSL protocol: the data from layer 7 gets encapsulated in a layer 6 packet, which runs the SSL protocol, and then it will encrypt this data. And so any lower-layer protocols, protocols running below layer 6, cannot use the SSL protocol, at least not without some help from the add-ons that we'll see later on. And so to get a visual: the packet is destined to a remote server, which is the SSL server. The client will try to establish a virtual circuit to the server; it will start the three-way handshake that is used for a TCP connection, and when the three-way handshake is completed, the server will notify the client that it needs to build an SSL VPN tunnel. The client and server will exchange certificates to build the SSL VPN tunnel. Then the layer 7 application will get encapsulated into a layer 6 SSL packet, and the packet continues down the OSI layers: it adds the layer 4 ports, then adds the layer 3 IP addresses, then the packet is forwarded and routed through the Internet on its way to its destination. And so only the data portion of the packet is encrypted; none of the layer 4 or the layer 3 information of the packet is encrypted. And so when the remote server receives the packet, it then needs to decapsulate the layer 3 packet, then it decapsulates the layer 4 packet, just like any regular TCP packet, since nothing is encrypted up to now. And so when it moves the data segment up to layer 6, it then will need to decrypt the SSL layer 6 payload, which contains the layer 7 data, which is processed by the layer 7 application.

And then again, I'm trying to separate the two different VPN solutions into two different categories; there is some overlap that we'll look at later on. And so to keep track of this, let's start a matrix to keep track of the pros and cons. And so IPsec VPN is a layer 3 protocol; it's a port-less protocol that can encapsulate every packet. SSL, on the other hand, is a layer 6 protocol; it encrypts only layer 7 applications, using port 443.

One of the major differences or features is: do you want a client, or do you want to go clientless? Client-based refers to an agent or app that needs to be installed on the desktop; clientless refers to no agent or application that is installed on the desktop. I think this is where SSL shines over IPsec; at least it was its original main selling point. This, I believe, is why Check Point introduced a second remote access method, the Mobile Access blade, when it already had IPsec VPN remote access, in that an SSL VPN can be clientless: you do not need to install any software on the desktop or laptop or smartphone. All you need is a modern-day browser. As long as your desktop or laptop or smartphone or tablet has the latest and supported browser version, you can build a VPN tunnel to the corporate or remote office using an SSL tunnel. Every browser already has SSL capabilities directly built in: HTTPS is the HTTP protocol that was encrypted using the SSL protocol. So SSL VPN, which is the Mobile Access blade, can be used with a simple browser, whereas with IPsec VPN remote access you need to have a client application already installed on the desktop. And so there is a bit more of a manual installation process involved when you're using IPsec VPN. Not only do you first need to install a client, but you also need to manage and support this VPN client agent on each desktop, meaning you might need to keep it upgraded and patched; you might also need to troubleshoot when things are not working; you may need to uninstall and reinstall the new version and continue with upgrades for security and maintenance reasons. Also, this client needs to be compatible with each operating system; this client is only supported on some of the major operating systems, and so you need to ensure and test that the client has no compatibility conflicts, just like any other application running on the desktop or PC. And so if you have a big roaming user base, there are a lot of desktops or laptops to manage, upgrade and maintain.

And so this is where the strength of SSL VPN comes in. Traditionally, in SSL VPN there really is no maintenance or management needed. All you need is a good operating system with a modern-day browser, and so really you just need to let the browser manufacturer do the upgrading and patching of the browser. And so the manufacturers of your browser, like Chrome, Firefox or IE, are always patching any vulnerabilities and fixing any stability issues, and so let them worry about updates and patches. And so a similar benefit with SSL VPN is that you can use any PC, any desktop, any laptop, any smartphone or tablet from any location, like a library, an internet cafe, or from a friend's or a family member's PC. As long as you have a browser with an internet connection, you can access the corporate resources, as long as it has been configured and allowed by the administrator and as long as it meets the company policy standards that were established by the security team, the SOC; then it should work. This is not so with a client-based VPN. First, the client needs to be installed by the MIS department. Second, this client can only usually be installed on corporate equipment like PCs and laptops. You probably and most likely will not be able to install the client on unauthorized desktops or PCs or your friend's PC: the client software will install, but you will not have the permissions nor the certificate properly configured to authenticate to the corporate offices, and there could be a few other reasons that it will fail to connect.

So let's again start a little matrix to keep track of these pros and cons. SSL VPN is clientless; only a modern-day browser is required, which already comes with each and every operating system, and so it's very easy to manage and maintain; you might even say it's self-managed. IPsec VPN, on the other hand, requires a client installation, which is harder to manage and maintain, and it can only be used on authorized or corporate hardware. And so again, for now I'm trying to separate the differences between these two different VPN solutions into black-and-white categories; there is some overlap that we'll look at later on.

So next let's talk about seamless versus seamful VPN. Again, I'm trying to separate and distinguish each VPN solution from the other to give you some more perspective on why we offer different VPN solutions, and so why customers might want to run one or the other or both VPN solutions, depending on the circumstances being encountered and also depending on the situation needing resolving. And so another feature that helps tip the scale in favor of IPsec VPN is what we call a seamless VPN. IPsec VPN is known as a seamless solution; SSL VPN is known as seamful, and I think this is another advantage that IPsec VPN has over SSL VPN. Once the IPsec VPN client is installed and authenticated, when the user is traveling and is remote and not in the office, the IPsec VPN will automatically launch and connect you directly to the corporate organization. It establishes a VPN tunnel as soon as it detects that it is remote, and this, I think, is the second biggest selling point for IPsec VPN: that you can use all applications just like you are in the office. In fact, when traveling with my laptop, at home or on the road, I can access all my daily corporate applications and servers just like I was back at the office. For example, I can open Outlook and send and receive emails just like I am in the office; I can seamlessly connect to SFTP servers with my SFTP client application; I can use my instant messaging application to chat directly with coworkers; I can also use our ticketing system to view and update any cases, and view and use other internal servers, including internal wiki pages, and open and close tasks or cases just like I would do if I was in the office. In fact, most of the time I can access most of the servers and applications just like I would from the office, with almost no or limited work interruptions. And so an IPsec VPN client allows you to work from home and be just as productive as working from the office. This last point was specifically directed to my manager; in fact, we're in the process of rolling out IPsec VPN remote access as a disaster recovery solution for some or most of our office employees, meaning that if weather or other disaster events prevent us from making it to the office, we can work from home and still keep the tickets progressing and customers updated, and continue working to keep customers satisfied and continue to provide case resolutions and provide final closure.

So this behavior is different with SSL VPN. SSL VPN, for lack of a better word, is what I call seamful; in other words, SSL VPN is not seamless. There are some differences and distinctions when using SSL VPN to connect to the office. Using SSL VPN, you first need to open a browser, enter and connect to the gateway's URL, https://<IP address>/sslvpn, then you need to authenticate using your corporate credentials, then you'll be directed to the SSL web portal. This is a web page that has links to shared resources specifically for your account, for your profile. You might see a link to get your emails, and when you click on the link you will then be able to view your emails in a web page instead of using Outlook, a regular email client. And so depending on the administrator and how it's configured, what's allowed, what resources have been shared, you will only see multiple links to those resources: links to an FTP server, links to different applications. This page is what we call the SSL web portal, or SSL portal for short. You can still work remotely using SSL VPN, but it's not as seamless. But, again going back to the original point, you can work with SSL VPN from anywhere, anytime, from any device, as long as you have a browser and an internet connection. So I usually only use it for quick updates: I'm checking on customers and cases, and also I can email and CC a co-worker that's in the office to have them update a ticket or work a case. And so I use SSL VPN more when I just want to touch base with the office; I need to take a quick look to see if we received any email updates or check to see if there are any case updates, or maybe I just need to access a specific file. But since I'm using a browser to do this, it limits my productivity, since I'm not using the native applications, the native applications like Outlook or an FTP client, but instead I'm accessing the resources through a browser, which is still effective to check for updates on one or two cases, but it's a little bit more restrictive if I'm trying to work from home or a remote location. But the great advantage of using SSL VPN is I don't need to carry my corporate laptop with me; I can use any smartphone or tablet, or use a friend's PC or a parent's PC, to connect and log in to the corporate office and check or request the case update or request a file. But again, since this is SSL VPN, you are still limited by which layer 7 applications can be tunneled over SSL.

So let's go back to that matrix. IPsec VPN is seamless: you can roam and access the corporate resources just like you are in the office. SSL VPN, on the other hand, is seamful: you can connect and authenticate through a browser, and you can access the layer 7 applications that can be tunneled through an SSL VPN.

Now before ending the session, let's take a few moments to discuss and review the topics discussed in this training module. We started off this lecture by first discussing why some customers might need to have one or both of our VPN solutions. We stated that each solution has some inherent, built-in strengths and how each solution has some different features. I mentioned that I wanted to split both solutions as much as possible so we can get a better perspective on how they work and how they are different, and only later, in an upcoming video, we will review some of the cons again and see how they were resolved, how each solution today is almost indistinguishable from the other. I mentioned that some of our customers might need to have one or the other or both of our VPN solutions, depending on what strengths he needs and also what problems he's trying to resolve. And so we discussed some of the key advantages for each solution right out of the box, what we call the native strengths.

Then we really started to discuss the main differences between layer 3 versus layer 6 VPNs. Here is where we really started to break apart and dissect each VPN solution into their primary differences, the first being that IPsec VPN works at layer 3 of the OSI model, which means that it can encrypt and tunnel even higher-layer protocols, starting from the network layer and any protocols that reside there, all the way up to the application layer. So pretty much any protocol or application can be encrypted over IPsec VPN, as long as these protocols and applications work at layer 3 and above, and this is one of the biggest advantages of using IPsec VPN, because you can encrypt every TCP and every UDP application, including pretty much every other application that can be encrypted through an IPsec VPN tunnel. And I explained that when a packet is encapsulated in layer 3, if the VPN routing engine determines that the remote server is part of an encryption domain, then layer 3 will encrypt the data plus the whole segment and packet, then it adds its own IPsec header and its own IPsec trailer, then assigns a new IP address header before forwarding the packet on its way to the peer, to the Check Point VPN gateway. Then the remote VPN gateway has to decrypt the whole packet, from layer 3 plus layer 4, and then decrypt the data portion of the packet before it can decapsulate the whole packet, so then it can process it through the kernel's OSI stack.

Then we discussed the SSL VPN, which uses SSL capabilities inherently built into layer 6 of most applications, most TCP applications. So SSL VPN uses the default SSL features that are built into every browser, and so we mentioned that only the layer 6 data is encrypted; none of the transport or network header information is encrypted. This really simplifies VPNs, since it makes it very simple to just open a browser and connect to the remote side, but since the VPN encryption is then only at layer 6, then only layer 7 applications can be encrypted, specifically only TCP layer 7 applications.

And then we discussed what are some of the advantages of having the IPsec VPN application versus using the SSL VPN browser. We talked about the SSL VPN solution, and that one of its strengths and advantages is that an SSL VPN product uses the browser, either IE, Firefox or Chrome, and so Check Point SSL VPN takes advantage of every browser's layer 6 capabilities, which can do SSL encryption. And we mentioned that every modern-day browser has built-in SSL capabilities inherent to each of its browsers, which can really simplify VPN, since most of the company user base is already familiar with using a browser, and so they can use their preferred browser of choice. We mentioned that all you need to do is open a browser from a PC or any laptop, and also from any smartphone or tablet; in essence, it allows most users to connect from anywhere, anytime, with any device, and still establish an SSL VPN to the corporate location. Then we talked about IPsec VPN, which requires an application installation. The application can have some pre-configured parameters already configured by the administrator, like what sites to connect to; you can also configure it to automatically detect it's remote, and it will automatically connect and encrypt any data that you access or send to the remote office. But this client needs to be installed and managed on corporate desktops or laptops by the MIS department.

Then we talked about seamless IPsec VPNs versus seamful SSL VPNs. I mentioned that IPsec VPN is a seamless solution which allows you to work from home just like you are in the office; you will be able to access your emails or servers or files just like you are in the office. I mentioned that you would be able to access your native applications, like Outlook or an SFTP client, and also servers and files, just like you would if you were in the office. So IPsec VPN's best feature is that you can work from home or remotely just like you would from the office, with little or no network interruption or degradation. On the other hand, I mentioned that SSL VPN is, for lack of a better word, a seamful solution, which means that you will need to access your files or data and emails from a browser, from the SSL web portal page. I mentioned that the SSL VPN browser first needs to connect to the SSL VPN gateway, which will then redirect you to a browser page, what we call the SSL portal, and after authentication and logging in you'll be able to see all the applications that were shared by the administrator. These applications will show up as links in the SSL portal page, and once you click on the link it will display your application data inside the browser page; just like your email will be accessible through the browser, being able to view your emails through a browser, you'll also be able to view any servers or files or applications that were shared by the administrator using the Mobile Access VPN product. It will still allow you to work remotely, but most of the applications will only be accessible through the web browser, but then again only TCP applications will have SSL capabilities inherently built in.

One final note before leaving this video: I just want to make the point that I did not, and try not to, give the impression that one solution is better than the other. I just want to separate them into different categories, and I tried to list each solution's native strengths. Later, in an upcoming lecture, we will see how each of the cons and limitations are addressed, how each solution's cons are turned into pros. I find that IPsec VPN is mostly used by administrators, which allows them to access most of the corporate resources just like they would if they were in the office. I find that most of the company user base is better served by using SSL VPN, but it's really mostly a company or user preference or choice; there are really no hard or true answers here. For example, I prefer to use IPsec VPN because it allows me to take my laptop with me, and I'm still able to connect from home and work from home when traveling remotely or abroad during my work business hours. My manager, on the other hand, prefers to use his smartphone with SSL VPN capabilities: he can always be connected to the office, and he can check the status of what's happening at the office, since he has his phone with him all the time, 24/7, and so he's always connected to his office; he can always call the office or customers if needed, and still stay connected to the office with SSL VPN.

I really hope this video has helped shed some light on the differences between SSL VPN versus IPsec VPN. I hope you found this video informative. I hope to see you in the next video. Until then, Shalom and bye for now.
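The encapsulation difference the speaker draws in the transcript (IPsec encrypting the whole original packet behind a new IP header, versus SSL leaving the IP and TCP headers in the clear and encrypting only the application data) is easier to see in code. The block below is an added example and is not code from the video or from Check Point. It builds one ESP tunnel-mode packet and one TLS application_data record over TCP/443, then shows what a passive on-path observer can read from each without any key. The addresses, ports, SPI, keys and packet contents are all constructed sample values, and the cipher is a stand-in (HMAC-SHA256 keystream plus an HMAC tag, encrypt-then-MAC) so the block runs on the Python standard library alone; real ESP and TLS use AES-GCM or ChaCha20-Poly1305.

```python
# Added example, not code from the video or from Check Point: builds an IPsec
# ESP tunnel-mode packet and a TLS application_data record over TCP/443 and
# shows what an on-path observer can read from each. The cipher is a stand-in
# (HMAC-SHA256 keystream + HMAC tag, encrypt-then-MAC) so the block runs on the
# standard library alone; real ESP and TLS use AES-GCM or ChaCha20-Poly1305.
import hashlib
import hmac
import struct

KEY_ENC = b"constructed-sample-encryption-key"  # constructed, not a real key
KEY_MAC = b"constructed-sample-integrity-key"   # constructed, not a real key
IPPROTO_IPIP, IPPROTO_TCP, IPPROTO_ESP = 4, 6, 50
TLS_APPLICATION_DATA, TLS_VERSION = 0x17, 0x0303

def _keystream(nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from a PRF; stand-in for AES-CTR/GCM."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(KEY_ENC, nonce + struct.pack("!I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def _seal(nonce: bytes, plaintext: bytes) -> bytes:
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(nonce, len(plaintext))))
    return ct + hmac.new(KEY_MAC, nonce + ct, hashlib.sha256).digest()[:16]

def _open(nonce: bytes, blob: bytes) -> bytes:
    ct, tag = blob[:-16], blob[-16:]
    if not hmac.compare_digest(tag, hmac.new(KEY_MAC, nonce + ct, hashlib.sha256).digest()[:16]):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(nonce, len(ct))))

def ip_bytes(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    # Minimal 20-byte IPv4 header; checksum left at zero since nothing here validates it
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, 64,
                       proto, 0, ip_bytes(src), ip_bytes(dst))

def tcp_header(sport: int, dport: int) -> bytes:
    # Data offset 5, flags PSH|ACK, seq/ack/checksum zero
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)

def esp_tunnel_encapsulate(inner: bytes, outer_src: str, outer_dst: str, spi: int, seq: int) -> bytes:
    """ESP tunnel mode: the whole inner IP packet (addresses, ports, payload) is ciphertext."""
    pad_len = (-(len(inner) + 2)) % 4                 # ESP trailer aligns to 4 bytes
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, IPPROTO_IPIP])
    esp_hdr = struct.pack("!II", spi, seq)            # SPI and sequence number stay in clear
    esp = esp_hdr + _seal(esp_hdr, inner + trailer)   # SPI||seq used as the per-packet nonce
    return ipv4_header(outer_src, outer_dst, IPPROTO_ESP, len(esp)) + esp

def esp_tunnel_decapsulate(packet: bytes) -> bytes:
    """Gateway side: verify, decrypt, strip the trailer and hand back the original packet."""
    esp_hdr, body = packet[20:28], packet[28:]
    plain = _open(esp_hdr, body)
    pad_len, next_hdr = plain[-2], plain[-1]
    if next_hdr != IPPROTO_IPIP:
        raise ValueError("not a tunnel-mode ESP payload")
    return plain[:len(plain) - pad_len - 2]

def tls_over_tcp_encapsulate(app_data: bytes, src: str, dst: str, sport: int, rec_seq: int) -> bytes:
    """TLS record over TCP/443: IP and TCP headers stay in clear; only the record body is ciphertext."""
    body = _seal(struct.pack("!Q", rec_seq), app_data)
    record = struct.pack("!BHH", TLS_APPLICATION_DATA, TLS_VERSION, len(body)) + body
    segment = tcp_header(sport, 443) + record
    return ipv4_header(src, dst, IPPROTO_TCP, len(segment)) + segment

def observer_view(packet: bytes) -> dict:
    """What a passive observer between client and gateway can read without any key."""
    _, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    view = {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)), "proto": proto}
    if proto == IPPROTO_ESP:
        view["spi"], view["seq"] = struct.unpack("!II", packet[20:28])
    elif proto == IPPROTO_TCP:
        view["sport"], view["dport"] = struct.unpack("!HH", packet[20:24])
        if packet[40] == TLS_APPLICATION_DATA:
            view["tls"] = "application_data"
    return view

def demo():
    """Constructed sample: roaming client 203.0.113.7 talks to gateway 198.51.100.1."""
    # IPsec case: an SSH session to an internal host rides inside the tunnel
    inner = ipv4_header("192.168.1.10", "10.0.0.5", IPPROTO_TCP, 32) + tcp_header(50000, 22) + b"SSH-2.0-demo"
    ipsec_pkt = esp_tunnel_encapsulate(inner, "203.0.113.7", "198.51.100.1", spi=0x1000ABCD, seq=1)
    # SSL VPN case: the browser fetches the portal page over HTTPS
    tls_pkt = tls_over_tcp_encapsulate(b"GET /sslvpn/ HTTP/1.1\r\n", "203.0.113.7", "198.51.100.1", 50001, 0)
    return inner, ipsec_pkt, tls_pkt

if __name__ == "__main__":
    inner, ipsec_pkt, tls_pkt = demo()
    print("IPsec observer sees:", observer_view(ipsec_pkt))
    print("TLS observer sees:  ", observer_view(tls_pkt))
    print("inner packet recovered:", esp_tunnel_decapsulate(ipsec_pkt) == inner)
```

Run it and compare the two observer views: for the ESP packet the observer learns only the outer endpoints, protocol 50 and the SPI/sequence counter, while the internal host 10.0.0.5, the SSH port and the payload are all inside the ciphertext; for the TLS packet the observer sees the client and gateway addresses, the TCP ports including 443 and that a TLS application_data record is being carried, with only the HTTP request itself hidden. Both paths give confidentiality and integrity (a flipped ciphertext byte fails the tag check and is dropped); what differs is how much of the original packet's metadata is exposed on the wire.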
Info
Channel: Check Point Training Bytes
Views: 12,378
Keywords: CCSA, CCSE, CCSM, Check Point Certified Administrator, Check Point Certified Expert, Check Point Certified Master
Id: TTIEHSeUeYI
Length: 28min 29sec (1709 seconds)
Published: Thu Jun 13 2019