Building a distributed VPN network based on Check Point. Several typical scenarios

    In this article, we will look at options for building distributed networks using Check Point. I will try to describe the main features of Site-to-Site VPN from Check Point, consider several typical scenarios, describe the pros and cons of each of them, and try to tell you how to save when planning a distributed VPN network.

    Check Point uses standard IPSec

    This is the first thing you need to know about Check Point Site-to-Site VPN. And this thesis answers one of the most frequent questions regarding Check Point VPN:

    - Is it possible to “make friends” with other devices?
    - Yes, you can!

    The so-called 3rd party VPN. Since standard IPSec is used, VPNs can be built with any device that supports IPSec. Personally, I tried to build VPNs with Cisco ASA, Cisco Router, D-Link, Mikrotik, StoneGate. Everything works, although there are some features. The main thing is to set all the parameters for the first and second phases. Supported parameters for IPSec connection:

    Encryption Method: IKEv1, IKEv2

    IKE Security Association (Phase 1)
    - Encryption Algorithm: AES-128, AES-256, DES, 3DES, CAST
    - Data Integrity: SHA1, SHA256, SHA384, MD5, AES-XCBC
    - Diffie-Hellman group : Group 1, Group 2, Group 5, Group 14, Group 19, Group 20

    IKE Security Association (Phase 2)
    - Encryption Algorithm: AES-128, AES-256, AES-GCM-128, AES-GCM-256, DES , 3DES, DES-40CP, CAST, CAST-40, NULL
    - Data Integrity: SHA1, SHA256, SHA384, MD5, AES-XCBC

    Additional parameters:
    - Use aggressive mode (Phase 1)
    - Use Perfect Forward Secrecy (Phase 2)
    - Support IP Compression (Phase 2)

    Because VPN can be built not only with Check Point, then the question immediately arises, what is “set” in the branches?

    What equipment to use for branch offices?

    There are only two options. Consider them and try to describe the pros and cons of each of them.

    1. Check Point at the branch

    This is the easiest option. Check Point is installed in the central office (HQ) and in the branches (Branch).

    Pros . The main plus is the convenience of management. You manage security policies from one place (Security Management Server). All logs are stored in one place. It is possible to generate reports and see the big picture. The administration of a distributed network is greatly simplified. You may not even need a monitoring system, some of the functions are performed by the central server by default. Configuring VPN is accelerating, there is no need for endless editing of access-lists. In a rough approximation, this can be compared with DMVPN from Cisco (more on that later).

    Minuses. The only negative - financial costs. Of course, the question “expensive or inexpensive” is a bit philosophical and I will not discuss this topic. But even the smallest branch (even an ATM) will require the installation of a Check Point gateway. We will discuss specific models for such tasks a little later.

    Who uses a similar option (Check Point in the branch)? In fact, almost all business segments: banks, retail, industry, health care, oil and gas companies.

    Fig. 1. Check Point SmartConsole with the display of all branch office gateways

    2. NOT Check Point at the branch

    Also a fairly common option. Check Point is placed in the center (HQ), and in Branch (Branch) - any other device that supports IPSec VPN.

    Pros . Perhaps the only plus is the minimum financial costs. You can put the cheapest Mikrotik or D-Link, VPN to the central office will work fine.

    Minuses. Cons much more. In fact, you lose all the advantages described in the previous version. We'll have to “handles” to edit the settings on each of the branches. If there are 2 - 3, then perhaps this is not such a big problem. But if there are more than 5-10, then a serious question of further scaling will arise. Configuration management, access policies, monitoring, all this will have to be organized on the basis of third-party solutions (possibly open source). Another big disadvantage is that it is impossible to organize a backup of the VPN channel.
    Who uses a similar option (NOT Check Point at the branch)? Typically, this is a small business with a small number of branches.

    Type of Internet access for branches. Independent or centralized?

    The choice of device for the branch depends on the type of Internet access. Here, too, two options, and each has its own pros and cons.

    1. Independent access to the Internet

    Used most often. The VPN channel is used exclusively for accessing the resources of the central office (where Check Point is located).

    Pros . Internet access does not depend on the VPN channel and equipment in the central office. Those. if there is everything in the central office, the branch will maintain access to the Internet, it will simply lose access to some corporate resources.

    Cons . Significantly complicates the management of security policies. In fact, if you have a task to secure branches, then you should apply such protective measures as IPS, streaming antivirus, URL filtering, etc. This results in a lot of problems with the management and monitoring of information security.

    Recommendations. With this option, of course, it is better to use Check Points on branches. You can manage all this “farming” centrally. You can create one typical Internet access policy and “roll it out” to all branches. Monitoring is also greatly simplified. You will see all security incidents in one place with the possibility of correlation of events.

    2. Centralized Internet access

    This option is used much less frequently. VPN is built to the central office (where Check Point is located) and absolutely all traffic of the branches is wrapped there. Internet access is possible only through the central office.

    Pros . In this case, you basically do not care what is in the branch, the main thing is to build a VPN to the center. There should not be big problems with the config either, since in fact, there will be only one rule - “all traffic in vpn”. All security policies and access lists you will configure only in the central office. As you understand, with this option, you significantly save on the purchase of Check Point.

    Minuses. There is still a problem with scalability, management and monitoring (although not as critical as with independent access to the Internet). Plus, the work of branches is entirely dependent on the central office. In the event of a contingency situation, the entire network will fall. Branches will remain without the Internet.

    Recommendations. This option is great for a small number of branches (2-4). Of course, if you are satisfied with the risks voiced (dependence on the center). When choosing a Check Point device for the central office, it is worth considering the traffic of the branches and carefully calculate the required performance. In essence, you will receive centralized management of branch traffic with minimal financial costs. However, with a large number of branches (and “serious” traffic), such a scheme is highly discouraged. Too big consequences in case of failure. Troubling will be complicated, and the central office will require very powerful hardware, which may eventually become more expensive than if the branches had their own Check Point gateways.

    Possible savings on licenses

    If you decide to use Check Point in branches and you only need a VPN (for example, with a centralized Internet connection), then you can significantly save on licenses. Blade IPSec VPN is not licensed. By purchasing a device, you always get the functionality of Firewall and VPN. You do not need to buy extension services for this, everything will work anyway.

    The only thing you have to buy is the technical support service so that you can contact the support and replace the device in case of a breakdown. However, there is an option to save (although I do not recommend it). If you are confident in your knowledge and that you do not have to contact a support service, then you can not buy an extension of technical support.

    You can purchase one or two devices in the spare parts kit and if a breakdown occurs in one of the branches, then simply change this device. With a large number of branches it may be more cost-effective to buy a pair of spare devices than to buy support for all the rest. I repeat that I do not recommend this option.

    Check Point Models for Branch (SMB)

    There is an opinion that Check Point is a vendor exclusively for large companies. However, in the model range there are quite a few options for devices for the SMB sector. Especially if this “piece of hardware” will be used for branches, being under the control of a central Management Server in the head office.

    Fig. 2. Check Point lineup

    We have already published a separate article on SMB solutions , so I will simply list the models that are most often used for branches:

    1. 5000th series (5100, 5200) for large branches (150-200 people);
    2. 3000th series (3100, 3200) for medium-sized branches (100-150 people);
    3. 1400th series (1430, 1450, 1470, 1490) for small branches (less than 100 people).

    Data on the number of people exclusively our subjective opinion based on experience. We highly recommend to pay attention to the 1400 series. These are relatively new models based on ARM processors. They have some technological limitations compared to the older models (since another OS is used is Gaia Embedded), however, if there is a Management Server, these limitations are insignificant, especially for branch networks.

    VPN topology (Start, Mesh)

    Let's talk about more “technical” things and start with VPN topologies (VPN Community in Check Point terminology). Like other vendors, Check Point has two types:

    1. Star . The name speaks for itself. VPN channels from all branches converge to the center. With this topology, even if the branches need to communicate with each other, the traffic will go through the center. Sometimes it is not very convenient and practical. Although in practice most often used this topology.
    2. Mesh . “Each with each” topology. There is no center here. All gateways placed in the same Mesh VPN Community can build tunnels with each other.

    It should be noted that in this case no one bothers you to combine these two topologies. For example, to connect two Start Community through one Mesh:

    Pic. 3. Star + Mesh

    Two types of tunnels

    Finally, we reached a point where we can discuss what a Check Point VPN is really convenient for, provided that the branches also have Check Point. When building a VPN tunnel, we have a choice of two types:

    1. Domain Based VPN

    The meaning is pretty simple. In the properties of the branch gateway (and the center too), you specify the networks that are behind Check Point, i.e. local networks of branches.

    Fig. 4. Definition of the VPN Domain

    Since all gateways are managed by a single server management, this information is “flipped” between all members of the VPN community (whether it is Star or Mesh). Thus, there is no need to edit the VPN settings on each of the gateways, they will already know where, which network and with which IPSec parameters to build the VPN. No prescription of peers or access lists. Setup is quick and quite simple. In my opinion it is even more convenient than DMVPN. Domain based VPN is the most commonly used practice.

    2. Route Based

    This type of VPN will seem very familiar to Cisco fans. On the gateways, a VTI (Virtual Tunnel Interface) is created and a VPN channel with tunnel addresses is raised. Encrypted traffic that routes wrapped in a tunnel. In this case, the routes can be both static and dynamic. For example, you can raise such a VPN with all branches and run OSPF. Thus, all gateways will know about all available networks and automatically “wrap” the necessary traffic into the desired tunnel. I think this can be compared with GRE tunnels.


    Route based VPN is used much less frequently. in most cases, there is enough Domain Based VPN, which is easier to understand and faster to set up. In this case, Domain Based VPN can be used in the case of third-party equipment (NOT Check Point) in the branches. Again, based on personal experience, I can recommend using Domain Based VPN. There will be much less problems. Route Based is better not to use at all (a lot of limitations, degradation in performance). Although of course it all depends on your tasks and each case must be considered separately.

    VPN on certificates or Pre-shared key

    Like any device with IPSec support, Check Point can build VPNs based on a Pre-shared key and based on certificates. I will not explain the advantages of the VPN channel on certificates. I’ll just say that another advantage of building a distributed network on Check Point solutions is the presence of an integrated certificate authority (CA). This CA is always present on the Management Server by default and automatically generates certificates for all Check Point gateways that are under its control. No need to “suffer” with a third-party certification authority (although it can also be “screwed” to Check Point).

    VPN fault tolerance

    Quite often they forget about this opportunity. And she is. The branch and the central office can have two Internet channels. If the branch also has Check Point, then we can configure a fault tolerant VPN (Domain Based). Do not neglect this opportunity Check Point, especially since it is configured in just a few clicks.

    Licensing Management Server

    Another important point that is forgotten when planning a distributed network. Security Management Server is licensed by the number of gateways it can manage. There are licenses to manage 5 gateways, 10, 25, 50, 150 and more. In this case, prices are very different. A cluster counts as two gateways! Be careful when planning your budget.

    Additional benefits of Check Point VPN

    From a technical point of view, Check Point VPN has many more advantages. One could tell by wire mode, the ability to constantly keep a tunnel even if there is no traffic, the ability to create different rules for encrypted and regular traffic, the ability to exclude a certain type of traffic from the tunnel, etc. But I would not like to go into such technical details in order not to tire anyone. If you are interested in something specific, then ask in the comments. I tried to go more on architectural features.

    PS Thanks to Ilya Gorelkin (Check Point company) for help in preparing the material.

    Also popular now: