12 Check Point VPN-1/FireWall-1 on AIX: A Cookbook for Stand-Alone and High Availability Solutions
1.4 What’s new in VPN-1/FireWall-1 V4.1 and SP1
This section describes the new functionality in the V4.1 releases of the
following VPN-1 products:
• VPN-1 Gateway
• VPN-1 SecuRemote
• VPN-1 SecureClient
• VPN-1 SecureServer
Features described herein are new to V4.1, as compared to V4.0. Those
features that first became available in Check Point 2000 Edition, also known
as SP1, are noted as such.
New functionality specific to VPN-1 Gateway
Open PKI Support
Both VPN-1 Gateway V4.1 and VPN-1 SecuRemote V4.1 support the use of
X.509 digital certificates issued and signed by leading Certificate Authorities
(in addition to the Entrust CAs supported by VPN-1 V4.0). This support
includes the ability to register, as well as validate, these certificates.
Additional CA vendors, such as VeriSign, Baltimore Technologies, and
Netscape are being certified under the OPSEC "PKI Products and Services"
category. OPSEC Certification and VPN-1 support for certificates is based on
industry standards, such as X.509 and PKCS #7, #10, and #12, and is only
available for IPSec VPN-1 implementations.
• Provides customers with the flexibility to choose the PKI solution that best
meets their needs.
• Ensures that PKI vendors' Certificate Authority products or services
interoperate with Check Point VPN-1 and are in compliance with leading
Support for concurrent use of multi-vendor certificates
VPN-1 Gateway V4.1 modules can simultaneously hold and use digital
certificates from multiple Certificate Authorities. This capability enables a
VPN-1 Gateway to establish multiple concurrent IPSec/IKE connections with
gateways using certificates from multiple CAs, and even certificates from
Chapter 1. The design of firewall environments 13
• Enables the establishment of heterogeneous extranets with key business
partners and customers.
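The multi-CA behaviour described above, as an added illustration that is not Check Point's code or part of this book: a standard-library Go program that creates two constructed root CAs, issues a gateway certificate from each, and shows that a validator configured with both roots accepts peers from either CA while a certificate chained to a third, unconfigured CA is rejected. The CA and gateway names are constructed sample values, and the validator stands in for the gateway's certificate check, not for VPN-1's actual implementation.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ca is a constructed stand-in for one Certificate Authority a gateway trusts.
type ca struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// newCA builds a self-signed root for a hypothetical CA vendor (constructed data).
func newCA(name string) (*ca, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &ca{cert: cert, key: key}, nil
}

// issue has the CA sign an end-entity certificate for a peer VPN gateway.
func (c *ca) issue(cn string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, c.cert, &key.PublicKey, c.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// validatePeer tries to chain the peer certificate to any of the configured
// roots: a gateway holding several CA roots accepts peers issued by each of them,
// and rejects a peer whose issuer is not among them.
func validatePeer(peer *x509.Certificate, roots []*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := peer.Verify(x509.VerifyOptions{
		Roots:     pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err == nil
}

// Demo reports whether peers from two trusted CAs validate and whether a peer
// from an unconfigured CA is rejected.
func Demo() (fromA, fromB, unknownRejected bool, err error) {
	caA, e1 := newCA("Partner CA A (constructed)")
	caB, e2 := newCA("Partner CA B (constructed)")
	caX, e3 := newCA("Unconfigured CA X (constructed)")
	if e1 != nil || e2 != nil || e3 != nil {
		return false, false, false, fmt.Errorf("CA setup failed")
	}
	gwA, e1 := caA.issue("gw-a.partner-a.example")
	gwB, e2 := caB.issue("gw-b.partner-b.example")
	gwX, e3 := caX.issue("gw-x.unknown.example")
	if e1 != nil || e2 != nil || e3 != nil {
		return false, false, false, fmt.Errorf("issuance failed")
	}
	trusted := []*x509.Certificate{caA.cert, caB.cert} // roots held concurrently
	return validatePeer(gwA, trusted), validatePeer(gwB, trusted), !validatePeer(gwX, trusted), nil
}

func main() {
	a, b, x, err := Demo()
	fmt.Println("peer from CA A accepted:", a, "| peer from CA B accepted:", b,
		"| peer from unknown CA rejected:", x, "| err:", err)
}
```

The point worth noting for an operator is the last line of Demo: trust is a property of the set of roots the gateway is configured with, so adding a partner's CA widens what the gateway accepts, and removing one is how a partnership is revoked at the trust-anchor level.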
High Availability for IPSec/IKE
VPN-1 Gateway V4.1 state table synchronization has been enhanced to
handle IPSec/IKE session information, enabling high availability solutions that
maintain IPSec/IKE connections during fail-over. IPSec/IKE synchronization
and fail-over capabilities support both site-to-site and client-to-site VPN
connections. These enhancements also enable third-party products to do
load balancing between VPN-1 Gateways. High Availability solutions, which
leverage these capabilities, are offered both by Check Point and by OPSEC
• Mission-critical VPN gateways are always available.
• In the event of a failure, users can continue working with complete
Hybrid Mode Authentication (New in VPN-1/FireWall-1 V4.1 SP1)
Check Point's Hybrid Mode Authentication for IPSec enables the use of
widely deployed ("legacy") authentication techniques, such as token cards,
RADIUS, and TACACS+, within IPSec VPNs. The hybrid mode authentication
technology is currently an IETF draft, making Check Point the only vendor
with a solution being considered for inclusion into the IPSec standard.
• Strong security through the IPSec standard and the technologies it
supports, such as the Internet Key Exchange (IKE) and Triple DES
• Standards-based interoperability that does not require the deployment of
new authentication technologies such as X.509 certificates.
Visual Policy Editor (Formerly known as the Topology GUI) (New in
VPN-1/FireWall-1 V4.1 SP1)
Provides a comprehensive picture of enterprise security deployment by
drawing a map of security objects, such as firewalls, VPNs, servers,
networks, routers, and so on, and the relationships between them. The Visual
Policy Editor illustrates the effect of individual security policy rules by
color-coding relevant elements in the map to indicate source, destination and
encryption method. Other powerful policy editing capabilities include the
ability to visually locate objects in the topology, edit object parameters and
define groups of objects in the Visual Policy Editor.
• Increases security managers' understanding and control of Internet
• Validates the intent and integrity of the security policy.
• Object-oriented interactions make the process of managing a security
policy more efficient.
Integrated Bandwidth Management
FloodGate-1 V4.1 has been integrated into the VPN-1 Management Console
under the "Bandwidth Management" tab. In V4.1, VPN-1 and FloodGate-1
also share network object definitions. The Management Console also
provides fine-grained administrative access controls, so that Bandwidth Policy
managers cannot see or edit security policies.
• Improved interface eases management of enterprise security and
bandwidth management policy.
Wizards provide guided, step-by-step creation of new security policies and
object definitions. Wizards are also available in VPN-1 V4.0, Service Pack 3
• Simplifies the creation of a new network and enterprise security policy.
New Licensing Scheme
Check Point has implemented a new licensing scheme. The new licensing
uses longer keys, but replaces feature strings with SKUs. All 4.1 customers
• Licensing is simplified with more straightforward feature strings.