Check Point Competitive Differentiation - Integrated Application Security
This thumbnail value story highlights a key capability Check Point believes significantly differentiates its SSL VPN gateway from other vendors' products.
Check Point's comprehensive integrated application security for Connectra - Web Intelligence™ and Application Intelligence™ - offers far greater protection than competing SSL VPN gateways that offer no built-in application-level security, and a superior ROI to solutions that require a separate application security appliance.
Internal applications face the outside world
Internal applications contain some of the most sensitive information in your organization—such as financial data, human resources information, and core company intellectual property. Internally, an organization can maintain strict controls over its computer networks and its physical surroundings. However, SSL VPN-based remote access presents a much greater challenge because of the number and diversity of potential endpoints that can access the network.
Bypassing the Perimeter
The way you deploy SSL VPN gateways can have an enormous impact on your organization’s strategy for perimeter security, potentially making it completely irrelevant. Because all incoming traffic is encrypted when it reaches a DMZ-based SSL VPN gateway, it cannot be screened by external firewalls. And unencrypted traffic passed back to the LAN from the SSL VPN gateway is stripped of all state and user information used by your internal firewall, rendering your perimeter security virtually ineffective. Even worse, your most sensitive internal servers typically demand internal SSL encryption, so absolutely no inspection or policy enforcement can be applied at the perimeter—instead, all trust and security is surrendered to the SSL VPN gateway.
By not unifying security with connectivity, the “access anywhere” that SSL VPN offers puts your organization at risk with security issues “everywhere,” that is, from every new access point.
The Check Point Solution
The integrated application security provided for SSL VPN access by Connectra ensures the integrity of internal applications. Integrated Web Intelligence™ and Application Intelligence™ technologies offer protection against malicious activities and attacks, delivering integrated intrusion prevention for SSL VPN. For example, Connectra can prevent users from accessing confidential data using directory traversal or SQL injection attacks—a particular concern in extranet environments. Connectra can ensure that worms do not spread via SSL VPN when a remote user tunnels native applications. In addition, Connectra comes with a one-year SmartDefense™ Services subscription to ensure that integrated application protections are up to date.
Protecting the SSL VPN gateway and accessed applications
Check Point Web Intelligence and Application Intelligence provide customers with the capability to configure, enforce, and update attack protections for application traffic. Web Intelligence protections are designed specifically for Web-based attacks while Application Intelligence protects the network and non-Web applications. In addition, information and new attack defenses for Web Intelligence are provided online as part of Check Point’s SmartDefense Service. For further reading see Web Intelligence Tech Note, Application Intelligence White Paper, and Malicious Code Protector White Paper (defending against buffer overflow attacks).
Integrated application security enables organizations to apply intrusion prevention within the SSL VPN gateway itself.
Web Intelligence and Application Intelligence provide capabilities to address the following four defense strategies, which are required for successful application-level security:
Validate compliance to standards: Violation of standards may be indicative of malicious traffic. Any traffic not adhering to strict protocol or application standards must be closely scrutinized before it is permitted into the network, otherwise business-critical applications may be put at risk.
Validate protocol usage (protocol anomaly detection): Testing for protocol compliance is important, but of equal importance is the capability to determine whether data within protocols adheres to expected usage. In other words, even if a communication stream complies with a protocol standard, the way in which the protocol is being used may be incongruous with what is expected. This is strong evidence that an attack is likely underway.
Limit the ability of applications to carry malicious data: Even if application-layer communications adhere to protocols, they may still carry data that can potentially harm the system. Therefore, a security gateway must provide mechanisms to limit or control the ability of applications to introduce potentially dangerous data or commands into the internal network.
Control application-layer operations: Not only can application-layer communications introduce malicious data into a network, an application itself might perform unauthorized operations. A network security solution must have the ability to identify and control such operations by performing “access control” and “legitimate usage” checks. This level of security requires the capability to distinguish application operations at a granular level.
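An added sketch of the four checks listed above, applied in order to one HTTP request after the gateway has terminated SSL. It is not Check Point's code and does not reflect how Web Intelligence is implemented; the policy table, limits, patterns and sample requests are assumptions constructed for the illustration.

```python
import re
from urllib.parse import unquote

# Hypothetical policy values for this sketch (not Connectra settings).
ALLOWED_METHODS = {"/hr/": {"GET"}, "/wiki/": {"GET", "POST"}}
MAX_URL_LEN = 2048
REQUEST_LINE = re.compile(r"^([A-Z]+) (/\S*) HTTP/1\.[01]$")
HEADER_NAME = re.compile(r"[!#$%&'*+.^_`|~0-9A-Za-z-]+")
SQL_HINT = re.compile(r"'|--|\bunion\b.*\bselect\b", re.I)  # crude heuristic

def inspect(raw: str) -> list[str]:
    """Return findings for one decrypted HTTP request; empty list = pass."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    # 1. Standards compliance: request line and header syntax must parse.
    m = REQUEST_LINE.match(head[0])
    if not m:
        return ["standards: malformed request line"]
    method, target = m.groups()
    headers = {}
    for line in head[1:]:
        name, sep, value = line.partition(":")
        if not sep or not HEADER_NAME.fullmatch(name):
            return ["standards: malformed header"]
        headers.setdefault(name.lower(), []).append(value.strip())
    findings = []
    # 2. Expected usage: well-formed, but not how the protocol is normally used.
    if len(target) > MAX_URL_LEN:
        findings.append("usage: overlong URL")
    if "content-length" in headers and "transfer-encoding" in headers:
        findings.append("usage: conflicting body framing")
    # 3. Malicious data: decode twice so double-encoded input is also seen.
    raw_path, _, raw_query = target.partition("?")
    path, query = unquote(unquote(raw_path)), unquote(unquote(raw_query))
    if ".." in re.split(r"[/\\]", path):
        findings.append("data: directory traversal")
    if SQL_HINT.search(query):
        findings.append("data: SQL metacharacters in query")
    # 4. Operation control: default-deny method allow-list per path prefix.
    allowed = next((v for p, v in ALLOWED_METHODS.items() if path.startswith(p)), set())
    if method not in allowed:
        findings.append(f"operation: {method} not permitted")
    return findings

# Constructed sample requests (not captured traffic).
HOST = "\r\nHost: intranet.example\r\n\r\n"
SAMPLES = {
    "clean": "GET /wiki/Home HTTP/1.1" + HOST,
    "traversal": "GET /wiki/%252e%252e/%252e%252e/etc/passwd HTTP/1.1" + HOST,
    "sqli": "GET /hr/report?id=1%20UNION%20SELECT%20name%20FROM%20users HTTP/1.1" + HOST,
    "operation": "DELETE /hr/record/7 HTTP/1.1" + HOST,
}
```

The SQL pattern is deliberately simple and will flag legitimate input such as a surname containing an apostrophe, so a production rule set needs tuning per application.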
Comparison of Application Security Tests Performed by the Tolly Group (a link to the complete report is provided below)
For Additional Reading:
Check Point Connectra Information and Evaluation Resources: Links to further online information on Connectra and how to order an evaluation copy of Connectra.
Tolly Group Security and ROI Report: An independent third-party test report that compares the security and ROI of Check Point Connectra to other leading SSL VPN solutions.


