Introduction to Check Point SSL VPN vs IPSEC VPN Part1

Captions
[Music] Yes, hello, shalom, and welcome, everyone. I want to welcome you once again to Check Point Training Bytes. Check Point Training Bytes is where we bring you advanced training on Check Point products, features and blades. In this training module we'll be looking at Check Point VPNs. Check Point offers two kinds of VPNs: we offer the IPsec VPN and also the SSL VPN. In this training module we'll be discussing both of these VPN technologies, and we're gonna break down these technologies and discuss the key advantages between them, and this will help us give a better understanding of how they work.

Before we get started, let's take a look at the agenda of this training module. We'll start this lecture by first discussing the need for security. We will start right from the beginning of the internet's development: what were some of the challenges to keep the data secure over the internet, and also discuss some of the pre-internet VPN solutions. Next we're going to discuss the motivations for using VPNs over the internet: why VPNs were introduced to keep data secure and private, and also at the same time keep operational costs low. Then we will discuss some different types of VPN solutions, how IPsec and SSL have become the leading industry standards. We will next discuss how and why Check Point became involved in VPN solutions. We will discuss the difference between Check Point VPN products and when and why they were introduced. Next we will discuss different VPN topologies: what are the main differences between a site-to-site VPN and the remote access VPN, and when should you use either one or both of these VPN topologies. Finally, we will discuss not only why Check Point offers two different VPN solutions, the IPsec VPN blade and the Mobile Access VPN blade, but also why Check Point supports two different protocols: what is the difference between the IPsec protocol and the SSL protocol, and what protocols work with each of Check Point's VPN solutions.

So let's start our discussion from the beginning, when the internet and the World Wide Web were just starting to converge together. It was a very humble beginning, but it was a very honorable creation, and as the internet started developing and expanding, it was at first mostly used with virtuous motives. Most traffic was passing in the clear, exposed and unprotected, but at that time there really were no concerns; everything was rosy. Most reasons to use the internet were righteous and noble; it was used mostly for various methods of communication using very simplistic protocols. But as the internet grew larger, there started to be nefarious interests on the internet, working and observing, either to cause damage or interrupt the daily workflow. After all, it was a public infrastructure, and their motives were not always honest and admirable, and even today the internet can be used for good or for evil.

And so companies needed ways to protect their data: to be sure that that data was confidential, that no one could access it, making sure that the data was private and secure. They also needed to be sure that the integrity of the data was intact, meaning that no one had modified the data, and the data was original with no changes or unauthorized modifications. In addition, they needed to be sure that authenticity was verified, meaning that they were communicating with the original intended author and recipient; in other words, it was not an imposter or a phony pretending to be someone else. This is also called the CIA model: confidentiality, integrity, authenticity. Sometimes the A could be for authentication; sometimes you'll see CIA too, but for this discussion I will use authenticity. We will refer to this model again in this video.

One of the original and primary solutions to guarantee all these conditions was to use a dedicated private line, a private leased line, which was used to bypass the wilderness of the internet. But these dedicated leased lines were very expensive. Companies had to rent or purchase dedicated equipment; basically they owned or rented the equipment and made their own private leased lines. This would definitely make sure that data was protected, since this equipment was for only one specific customer, and so the resources were usually not shared with other customers. But the solution is very expensive, which meant that regardless of whether you're using the equipment or not, you are still being charged to reserve and hold equipment for when you need it. Another way to look at this is to think of it as a long-distance telephone line. This line was dedicated to customers, and customers were paying long-distance service charges every month regardless of whether they're using it or not, regardless of how much data was being transmitted. If you don't need it in one month, you're still paying for the long-distance telephone calls, just to rent equipment for the instances and occasions when you do need it. In comparison, contrast this to using the internet, which is very cheap to use because it uses and shares its equipment and time to distribute the load and resources amongst thousands of users.

And so in order to combat this expense of private leased lines, some companies started to offer secure solutions like VPNs. A VPN, a virtual private network, really means that you're using a public infrastructure like the internet and creating your own, in quotes, "private dedicated leased line," close quotes. This is what we call a VPN, a virtual private network. How? By first confidentiality: by first encrypting the data to be sure that it cannot be seen, to make sure it stays private; by message-digesting each packet to be sure that the packet was not tampered with; and by signing each packet with a digital signature to be sure it was truly from the legitimate sender and received by the right person. And so by using the VPN solution, you can use a cheap public internet infrastructure and bypass the astronomical expense of using private leased lines and still keep the data secure and private.

Now let's talk about different ways that organizations might choose to set up VPNs. There are many kinds of ways to build VPNs, and many vendors offer competing solutions using different protocols that can help build VPN solutions, like PPTP, L2TP, GRE, SSH, SSL, IPsec and others. Most vendors offer one or more of these solutions. In this video we'll focus primarily on two methods: IPsec VPN and SSL VPN. These two solutions are probably the most popular and have become an industry standard, with a wide range of solutions and improvements and continuing development by many vendors and manufacturers. There are really two different frames of thought: most vendors are in the "SSL is the best" camp; other vendors say that IPsec VPN is the best, and so each vendor will support either one of these two VPN solutions. Not so at Check Point: we offer both solutions, because there are some pros and cons between these two competing VPN methods. There might be specific reasons why you want to use either one of these methods, and hopefully this video will help shed some light on this. Today the differences between them might be almost indistinguishable, at least from the user's perspective, but from the architect's or administrator's perspective there are some major differences that we'll discuss in a moment.

But before diving into their pros and cons, let's take a step back in time again to see how and when and why Check Point now offers two competing VPN solutions. Even though Check Point now supports and sells both VPN solutions, traditionally that was not always the case. First let's take a look at a basic VPN. IPsec VPN was one of the original core products: after Check Point invented the stateful inspection firewall in 1993, they then introduced IPsec VPNs into the product line around 1998, and so for a long time Check Point used to offer only IPsec VPN. I believe they were in the camp that IPsec offers the best security with the most reliability with regards to data confidentiality and data integrity, and only many years later, around 2003-2004, did they introduce an SSL-based appliance. They first came out with a new product called Connectra, which is an SSL-based appliance. The Connectra appliance was a dedicated appliance that offered only SSL VPN capabilities; its operating system was SPLAT. And so regardless of which camp you belonged to, no problem: we now offer both VPN solutions. And so for a while Check Point offered two different appliances: their traditional firewall with IPsec VPN capabilities, and now a new SSL appliance like the Connectra appliance, which is really only a dedicated SSL appliance. And then a few years later that Connectra product line became integrated into the Check Point firewall product line, meaning that today we only sell one appliance, our traditional firewall appliance, and then you can enable either the IPsec VPN or the SSL VPN product, or both; either one or both can be enabled and run on the same gateway appliance. When we first integrated that Connectra appliance we called it the SSL VPN blade, which makes sense since it does SSL VPN, but now, with the popularity of smartphones and tablets, in 2009 this product got renamed to Mobile Access blade, or MAB for short.

But even if you know a little bit of the history, it still does not explain the why: why does Check Point offer both methods? First let's start off with three reasons that a company or organization might need to configure VPNs. One reason is that when a company starts growing and expanding into different geographical locations, it might still need to access resources in the corporate or branch networks. A company might have multiple offices in various locations and sites, and in order to correspond across vast distances they will send the data over the internet, and you will need to guarantee that the data will be kept secure and untampered. This is what is commonly referred to as an intranet: an intranet is a private network that a company uses to exchange information securely over the internet. Another reason to use a VPN is not only to use a company's resources that are located in remote locations, but it also might be needed to access and share information with vendors or partners, maybe suppliers or distributors or authorized customers. This is what is referred to as an extranet: an extranet is a network which enables authorized business partners to exchange data securely.

But all of these scenarios are what we refer to as a site-to-site VPN, or a network-to-network VPN. I've also heard it being called the gateway-to-gateway VPN or a router-to-router VPN, because all of the traffic is encrypted between the gateways, between the routers. The traffic from the desktop to the gateway is in the clear, meaning it is not tampered with; from the server to the gateway it's also in the clear, unencrypted. Only the traffic that is exchanged between the gateways is actually being encrypted using ciphers, encryption algorithms. How this works is: when a desktop or PC wants to communicate with a remote server, or needs access to records or data that are stored in protected remote locations, from the desktop's perspective it believes the server is in the local network, so the packet is sent in the clear, and then the packet gets routed internally to the gateway, which is the VPN networking device. And when the gateway recognizes that the destination IP is part of the remote encryption-protected network, the local VPN gateway will negotiate a VPN tunnel between itself and the remote VPN gateway. They will exchange keys and encryption methods in order to establish a secure VPN tunnel between themselves, between the sites, between the gateways, and then all the traffic that is exchanged between the sites will be encrypted using the keys and algorithms that are used and negotiated during the negotiation phase. And so all the data between the client and the local gateway is in the clear, but from the local gateway to the remote gateway all the data will be encrypted using the VPN encryption schemes agreed upon during the VPN negotiation. Then the remote gateway will decrypt the packet and send it to the server in the clear, and this process is repeated in the reverse direction: the server will reply back to the client in the clear; the packet is routed to the remote gateway; the remote gateway recognizes that it needs to encrypt the data; the data is encrypted; the packet is then routed through the internet, encrypted and protected; and when it arrives on the local gateway it is then decrypted. And this process is repeated for every packet that is being exchanged between the client and the server.

And so this is what we refer to as a VPN tunnel: not a tunnel in the literal sense, but a tunnel in a virtual sense. The packets on the internet can take different routes to get to a final destination, so it's not a physical tunnel per se, but it's a virtual tunnel, and this virtual tunnel refers to the fact that no one on the internet is able to decipher the packets or decrypt the communication, because all of it is encrypted. These ciphered packets can only be decrypted by the participating gateways, what we call the peers. The cipher keys that are used to decrypt the packets are the same keys that were negotiated in the tunnel establishment phase. So the traffic inside the organization is always sent in the clear, meaning unencrypted, but this is fine, since we trust the original sources; we trust the sources inside the company's infrastructure. Only the traffic that's sent through the internet, that needs to be protected, is encrypted, and so this tunnel between the gateways is what we refer to as a virtual tunnel, the VPN.

Another major reason to have VPNs is if a company has a big, wide, roaming user base. For example, an organization might have a traveling sales force; the sales force might need to have access to the company records when they are remote, or they might have remote users or users who are working from home, and so these remote users need to access the data and resources that are stored in the corporate or branch offices. And this again is where the VPN comes in, as it needs to be secured over the internet, which is the public domain, so we need to be sure that the data is protected and secured and untampered when it travels over the internet. This is what we call the client-to-site VPN, also known as a remote access VPN. Today this is a very fast-growing field: remote users might need to access corporate resources from different locations using either their desktops or laptops, or maybe they need to access the company's resources from their smartphones and tablets, and so all of these devices might need to gain access to the corporate organization's resources, and with malware and crooks on the rise, it's important to make sure that remote users and corporate data are always protected at all times.

And so, just to be sure this is clear: when a remote user needs to access resources like records or data that are stored in the corporate or branch networks, the remote access VPN software that's running on the client desktop PC, the software, will recognize that the destination network is part of the remote VPN encryption network, and so then the client, the VPN agent, will start to negotiate with the remote gateway to build a VPN tunnel. Just like a site-to-site VPN, it negotiates things like what encryption schemes to use, what encryption methods to utilize, and when the tunnel negotiation is completed, then the client can send and receive data to and from the gateway, all being encrypted. All the data is encrypted from the remote access device directly to the gateway; the gateway decrypts it and sends it on to the remote servers, the internal servers, the protected servers, and this communication from the remote gateway to the servers is always in the clear, unencrypted. And then when the remote server replies, again it replies in the clear; the packet gets routed to the remote gateway; the remote gateway then starts the encryption phase all over again, encrypts the packet, sends the packet through the VPN tunnel, through the internet, and traffic is always gonna be tunneled between the remote gateway and the local gateway.

And so now that we know the reasons to use VPNs, let's get back to Check Point VPNs. So Check Point today offers two VPN products: we have the original IPsec VPN blade, and now the new Mobile Access blade. Remember, the Mobile Access is a rebranding of the original SSL VPN, which came from the Connectra product line. The IPsec VPN blade can support both site-to-site or client-to-site VPN; the Mobile Access blade is only a client-to-site VPN. It can only do remote access; it cannot be used to set up a site-to-site VPN. In other words, a site-to-site only supports IPsec protocols; a client-to-site supports both IPsec protocols and SSL protocols. And so not only does Check Point offer two different VPN solutions, the IPsec VPN product and the Mobile Access product; each VPN solution can support different encryption protocols. A VPN tunnel can be established and encrypted using either the IPsec protocols or the SSL protocol. Traditionally, the IPsec VPN used the IPsec protocols and the Mobile Access blade used the SSL protocols. This is no longer the case: the IPsec VPN blade can work with either, both IPsec protocols or the SSL protocols; on the other hand, the Mobile Access blade only works with SSL protocols.

And so the main difference between the IPsec VPN blade and the Mobile Access VPN blade is this, and I think the first question to ask is: do you want to set up site-to-site VPNs or client-to-site VPNs? If you want to set up site-to-site VPNs, then you can only use the IPsec VPN blade; the Mobile Access blade does not do site-to-site VPNs. On the other hand, if you want to do client-to-site VPNs, then you can use either blade: a client-to-site can be established with either the IPsec VPN blade or the Mobile Access VPN blade. And so the answer to the first question, what product to use, IPsec VPN blade or Mobile Access VPN blade: if you need a site-to-site, then you must use IPsec VPNs, but on the other hand, if you need client-to-site VPNs, you have your choice; you can use either product, you can use the IPsec VPN or the Mobile Access VPN. And so, since for site-to-site VPNs you can only use IPsec VPN blades, and since this video is really about the differences between IPsec protocols and SSL protocols, we will no longer discuss site-to-site VPNs. We will continue to focus only on client-to-site, remote access VPNs, which can use either IPsec VPN protocols or SSL protocols, or use the IPsec VPN blade or the Mobile Access blade. And so if you need site-to-site VPNs, you don't need to continue watching this video any longer. On the other hand, if you do need client-to-site VPNs, then we're right back to the first question, which is: do you want to use the IPsec VPN product or the Mobile Access product, since both can do remote access VPN? So the answer here is a little bit more complex. A sub-question would be: do you want to use IPsec protocols or SSL protocols? If you want to use the IPsec protocols, then you can only use the IPsec VPN blade, because the Mobile Access blade does not support IPsec protocols; the Mobile Access blade only supports SSL protocols. If you want to use SSL protocols, then you can use either the IPsec VPN blade or the Mobile Access VPN blade; both of the blades will support SSL protocols. But even though they both support SSL protocols, there are different implementations of how they support SSL protocols; we will see that later on in this video. So then the real question is: what protocols do you want to use? And this comes to the heart of this video, which is: what is the difference between IPsec protocols and SSL protocols? What are some of the advantages of using IPsec? What are the advantages of using SSL? Which boils down to: what product do you want to purchase? Do you want to purchase the IPsec VPN, or do you want to purchase the SSL Mobile Access blade?

And so now, before finishing this video, let's take a few moments to summarize all the information that we covered in this module. First we started off this lecture by discussing the start of the internet, how security was not even a consideration at the beginning of the internet's foundation, but later it became a concern as the internet grew larger, with various players with different motivations, some of which were not always honest or admirable, which in turn caused organizations and companies to find ways to secure their data. A popular solution at the turn of the century was to purchase a private leased line. We discussed how a private leased line was introduced and created to secure traffic amongst organizations' local networks and remote network infrastructures, and how a private leased line offers security protections like the CIA: confidentiality, integrity and authenticity. But a private leased line was very expensive, which in turn helped motivate the start of the VPN security industry. Also we discussed how the VPN industry originated, how different VPN protocols were introduced and used to keep data secure over the internet, and how two primary protocols, the IPsec protocols and SSL protocols, grew to become the industry's leading standards of today. Then we discussed the differences between the IPsec blade and Mobile Access blades, and here we discussed how Check Point first introduced the IPsec VPN blade around 1998, which supported IPsec protocols, and then later we added SSL protocol support to the IPsec VPN blade to help address some of the challenges and limitations with the IPsec protocols, and then later, in 2003, we introduced a new SSL VPN appliance, the Connectra appliance, which later merged into the Mobile Access blade, and how today Check Point offers two different VPN solutions, the IPsec VPN blade and also the Mobile Access VPN blade. And in our effort to explain why we offer two different VPN solutions, we discussed two different kinds of VPN topologies. We discussed what a site-to-site VPN is and how an intranet can be used to secure an organization's corporate head office and also its various remote branch offices. Then we discussed what an extranet was, which is a VPN that secures traffic between a corporation and its various partners, resellers, vendors and customers. Then we discussed remote access VPNs, which are client-to-site VPNs that secure network traffic that is traversing over the internet from roaming users, so they can access the corporation's or branch's records or data from remote locations, either from home, hotels or cafes. Finally, we discussed not only why Check Point offers two different VPN solutions, the IPsec VPN blade and Mobile Access VPN blade, but also why Check Point supports two different protocols, the difference between the IPsec protocol and SSL protocol, and we also discussed which protocols work with each of Check Point's VPN blades.

I hope you found this video informative. Hope to see you in the next video. Until then, shalom and bye for now. Check Point: We Secure the Future. [Applause]
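The site-to-site flow described in the captions (traffic to the local network stays in the clear, traffic for the peer's encryption domain is encrypted, integrity-checked and only readable by the peer gateway) can be modelled in a few dozen lines. The following is an added illustration, not code from the video or from Check Point, and it is not the IPsec protocol: the tunnel key is assumed to have been negotiated already (the negotiation phase is not modelled), the cipher is a counter-mode keystream built from HMAC-SHA256 so the example needs only the standard library, and the keyed MAC stands in for the per-packet signature the video mentions (authenticity here rests on the key being known only to the two peers). The sequence-number replay check goes beyond what the video says; it is included because a real tunnel needs it. All addresses, networks and the key are constructed sample values.

```python
"""Toy site-to-site VPN gateway (standard library only).

Added illustration, not Check Point code and not real IPsec. Models the
forwarding decision and the CIA protections from the video: confidentiality
(encryption), integrity (HMAC) and authenticity (MAC key shared only by the
two peers). Assumes the tunnel key was already negotiated.
"""
import hashlib
import hmac
import ipaddress
import os
import struct
from dataclasses import dataclass

HDR_LEN = 16   # 4-byte sequence number + 12-byte nonce
TAG_LEN = 32   # HMAC-SHA256 tag


@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes


class TamperedPacket(Exception):
    """Raised when an envelope fails the integrity, authenticity or replay check."""


class VpnGateway:
    def __init__(self, local_domain, peer_domain, tunnel_key):
        self.local_domain = ipaddress.ip_network(local_domain)
        self.peer_domain = ipaddress.ip_network(peer_domain)
        # Derive separate encryption and authentication keys from the negotiated
        # tunnel key; both peers derive the same pair.
        self.enc_key = hmac.new(tunnel_key, b"enc", hashlib.sha256).digest()
        self.mac_key = hmac.new(tunnel_key, b"mac", hashlib.sha256).digest()
        self.seq = 0            # last sequence number this gateway sent
        self.highest_seen = 0   # highest sequence number accepted from the peer

    def _keystream(self, nonce, length):
        # PRF in counter mode: HMAC(enc_key, nonce || counter) blocks, concatenated.
        blocks = [hmac.new(self.enc_key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
                  for i in range((length + 31) // 32)]
        return b"".join(blocks)[:length]

    def forward(self, pkt):
        """Return ("clear", pkt), ("tunnel", envelope) or ("drop", None)."""
        dst = ipaddress.ip_address(pkt.dst)
        if dst in self.local_domain:
            return ("clear", pkt)            # trusted internal traffic stays unencrypted
        if dst not in self.peer_domain:
            return ("drop", None)            # no tunnel covers this destination
        self.seq += 1
        header = struct.pack(">I", self.seq) + os.urandom(12)
        inner = f"{pkt.src}>{pkt.dst}|".encode() + pkt.payload
        ct = bytes(a ^ b for a, b in zip(inner, self._keystream(header[4:], len(inner))))
        tag = hmac.new(self.mac_key, header + ct, hashlib.sha256).digest()  # encrypt-then-MAC
        return ("tunnel", header + ct + tag)

    def receive(self, envelope):
        """Verify, replay-check and decrypt an envelope that arrived from the peer."""
        if len(envelope) < HDR_LEN + TAG_LEN:
            raise TamperedPacket("truncated envelope")
        header, ct, tag = envelope[:HDR_LEN], envelope[HDR_LEN:-TAG_LEN], envelope[-TAG_LEN:]
        expected = hmac.new(self.mac_key, header + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise TamperedPacket("MAC mismatch")          # integrity/authenticity failure
        seq = struct.unpack(">I", header[:4])[0]
        if seq <= self.highest_seen:
            raise TamperedPacket("replayed sequence number")
        self.highest_seen = seq
        inner = bytes(a ^ b for a, b in zip(ct, self._keystream(header[4:], len(ct))))
        addr, payload = inner.split(b"|", 1)
        src, dst = addr.decode().split(">")
        return Packet(src, dst, payload)


def demo(tunnel_key=b"constructed-32-byte-tunnel-key!!"):
    """Local vs. remote forwarding, decryption at the peer, tamper and replay detection."""
    site_a = VpnGateway("10.1.0.0/24", "10.2.0.0/24", tunnel_key)   # constructed networks
    site_b = VpnGateway("10.2.0.0/24", "10.1.0.0/24", tunnel_key)
    results = {}
    results["local"] = site_a.forward(Packet("10.1.0.5", "10.1.0.9", b"hello"))[0]
    kind, env = site_a.forward(Packet("10.1.0.5", "10.2.0.10", b"GET /records"))
    results["remote"] = kind
    results["payload_hidden"] = b"GET /records" not in env
    results["delivered"] = site_b.receive(env).payload   # decrypted at the remote gateway
    bad = bytearray(env)
    bad[HDR_LEN] ^= 0x01                                 # one ciphertext bit flipped in transit
    try:
        site_b.receive(bytes(bad))
        results["tamper_detected"] = False
    except TamperedPacket:
        results["tamper_detected"] = True
    try:
        site_b.receive(env)                              # the same envelope delivered twice
        results["replay_detected"] = False
    except TamperedPacket:
        results["replay_detected"] = True
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Two design points carry over to real tunnels: the MAC is checked with a constant-time comparison before anything is decrypted (encrypt-then-MAC), so a modified envelope is rejected without touching the plaintext, and the sequence number lets the receiver refuse an envelope it has already accepted even though its MAC is valid.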
Info
Channel: Check Point Training Bytes
Views: 38,064
Keywords: CCSA, CCSE, Check Point Certified Administrator, Check Point Certified Security Expert, MAB, Mobile access blade, check point mobile access blade, ipsec vpn, ssl vpn, check point ipsec vpn blade, check point ssl vpn blade, check point mab
Id: rvsdSdfGPDg
Length: 24min 47sec (1487 seconds)
Published: Tue Sep 18 2018