Connectra Web Security Gateway

puresecurity

Product Description Connectra Connectra™ is a complete Web Security Gateway that unifies SSL VPN access with comprehensive endpoint security Web Security Gateway and integrated intrusion prevention. Web connectivity with unmatched security Product features n Secure SSL VPN remote access Your Challenge n Comprehensive endpoint security Access to information is critical to modern businesses, and, increasingly, n Integrated intrusion prevention employees and business partners need to access it anytime from virtually n Appliance or software platforms anywhere. Sharing timely information increases your business competitiveness, partnership effectiveness, and employee productivity. And sharing this information requires a solution that is universally available and easy to use—even for Product benefits the lay user. n Delivers Web-based secure remote access for an extensive In addition to enabling ubiquitous access, the confidentiality and integrity of range of enterprise applications this information is even more important in today’s information-driven economy. Yet the explosion of spyware, like keystroke loggers and Trojan horses, threat- n Shields information from malicious ens the confidentiality and integrity of information shared with remote users. spyware and malware on remote endpoints Bottom line, you need to provide easy access to information from anywhere n Defends the integrity of internal while ensuring that your enterprise IT resources retain their security everywhere. infrastructure from worms and attacks n Provides standalone or full OUR SOLUTION SmartCenter™ central management ™ Connectra is a complete Web Security Gateway that provides SSL VPN n Protects against new threats access and comprehensive endpoint and integrated intrusion prevention through SmartDefense™ Services security in a single, unified solution. By combining SSL VPN connectivity and security in one solution, organizations can effectively deploy SSL VPNs safely and securely to a diverse set of users while ensuring the confidentiality and integrity of information that is critical to business success. And Connectra is supported by SmartDefense™ Services, which protect against new threats by providing real-time defense updates and configuration advisories.

The Connectra Web portal allows remote users to view email, browse Web links, run client/server applications, and access Web applications and shared files from the convenience of a Web browser. The NGX platform delivers a unified security architecture for Check Point.

1 Connectra Web Security Gateway

SECURE WEB-BASED CONNECTIVITY Connectra is a Web Security Gateway that enables remote users to access corporate resources. It provides both Web-based and network-level access through the SSL encryption delivered in most Internet browsers. Through an integrated Connectra Web portal, users can access Web applications, Web-based resources, shared files, and email. For extra flexibility, administrators can customize the design of the Connectra Web portal, including support for multiple languages.

For non-Web, client/server applications, Connectra provides secure network-level access over the Web with SSL Network Extender™. Included with Connectra, SSL Network Extender is a browser plug-in that tunnels traffic from endpoint applications over SSL. It supports any IP-based application, including ICMP, TCP, and UDP, without requiring complex configuration to support each application. SSL Network Connectra with Integrity Secure Workspace, shown here, gives users Extender can even work on remote PCs without requiring a completely isolated desktop which gives them a confidential place administrator privileges. to access information even when on a guest machine. With mobile PDAs and cell phones, Connectra offers SecureClient™ Mobile SSL VPN connectivity so users can Ensures information confidentiality access email and applications. SecureClient Mobile enables To enable secure access even in unmanaged environments users to transparently roam in and out of connectivity to like airport Internet kiosk PCs, Connectra provides Integrity carrier data and WiFi networks and offers simplified firewall Secure Workspace, an option that provides a totally secure protection to prevent abuse of confidential data. environment and which encrypts all session files such as attachments, cookies, emails, and passwords on the remote COMPREHENSIVE ENDPOINT SECURITY endpoint. This prevents sensitive corporate information With the integration of Integrity Clientless Security™, a from being viewed or stolen even after a session ends and clientless version of Check Point Integrity™, the industry’s the user leaves the PC. most trusted endpoint security solution, Connectra secures Connectra can enforce an access policy requiring antivirus network resources from remote PCs—regardless if they are software and/or firewall installation before granting users used and/or owned by employees or partners, customers, access. Out-of-compliance users are offered links to self- or other network guests. It enforces network security policy remediation resources. Once in compliance, they are allowed for SSL VPN connections, ensures session confidentiality, to log in. and keeps the organization secure. Administrators can also use Connectra to restrict access to Scans for spyware individual resources based on the trust level of the endpoint To ensure that malicious processes, keystroke loggers, and user. For example, one set of resources may be defined and Trojan horses are not installed on remote endpoints, with a “high” sensitivity level and access allowed only if a Connectra scans for these and other spyware through remote remote endpoint provides strong authentication like token- users’ browsers. By disabling spyware and enforcing base- based authentication and has current antivirus software line security requirements before it grants SSL VPN access, installed and running. Similarly, another set of resources Connectra stops identity and password theft and prevents can be accessed only when someone is using the Integrity data loss. In addition, SmartDefense Services delivers real- Secure Workspace. time updates for endpoint security checks.

For network-level remote Remote User Connectra Web Portal Organization access, Connectra includes the SSL Network Extender browser SSL plug-in to allow SSL HTTP, POP3, SMTP, remote access for any IMAP, CIFS/SMB IP-based application. IP

SSL Connectra

SSL Network Extender

2 Web connectivity with unmatched security

INTEGRATED INTRUSION PREVENTION Integrated intrusion prevention provided by Connectra for SSL VPN access ensures the integrity of internal applications. Integrated Stateful Inspection, Web Intelligence™, and Application Intelligence™ technologies offer protection against malicious activities and attacks over SSL VPN. For example, Connectra can prevent users from accessing confidential data using directory traversal or SQL injection attacks—a particular concern in extranet environments. Connectra can ensure that worms cannot spread through SSL VPN when a remote user is tunneling native applications. In addition, Connectra comes with a one-year SmartDefense Services subscription to ensure that integrated application protections are up to date.

EASY DEPLOYMENT AND MANAGEMENT Connectra can be deployed in a network DMZ or on a trusted LAN and is easy to install and simple to manage. It supports several authentication options including LDAP, RADIUS, SecurID/ACE, or an internal database. For existing Check An intuitive Web-based administrative interface lets you quickly configure resources and applications. Assigning a security sensitivity Point customers, a SmartCenter™ management server can be level to a resource will enforce specific security requirements of the used for full central management. This enables organizations endpoint before access is granted to the resource. to use a single repository of definitions for users and groups, network objects, access rights, and security policies across their entire security and remote access infrastructure. Unified FLEXIBLE DEPLOYMENT OPTIONS access policies will be enforced automatically throughout Connectra is available as an appliance or as software for their distributed environment, empowering them to securely open servers. See www.opsec.com for appliance and provision access from anywhere. hardware options.

PROTECTION AGAINST NEW THREATS • Connectra appliances feature preinstalled Connectra Connectra is supported by SmartDefense Services, which software on dedicated Check Point or OPSEC™ certified maintain the most current preemptive security for the Check appliances Point security infrastructure. To help you stay ahead of • Connectra software is a software solution for open serv- new threats and attacks, SmartDefense Services provide ers. It installs SecurePlatform™ Pro, a hardened operating real-time updates and configuration advisories for defenses system, and Connectra software in less than 10 minutes and security policies. These ensure that Connectra endpoint security and intrusion prevention capabilities have the latest protections available. Minimum Connectra software requirements CPU Intel Celeron 2.4 GHz or equivalent Authentication Server Memory 512 MB (optional) Disk space 6 GB hard disk drive Non-Web Application Server

File Share Server

Web Server

Email Server Integrated Intrusion Prevention

SSL Comprehensive Check Point Endpoint Security SmartCenter Connectra Management (optional) SSL Remote User • Employees • Business Partners To enable secure SSL VPN remote access, Connectra combines Internet • Mobile Users • Employee Home PC easy browser-based access with comprehensive endpoint and integrated intrusion prevention for Web connectivity with unmatched security. Continued on page 4

3 CONNECTRA APPLIANCE specifications Integrated intrusion prevention Web attack protection Web connectivity • Web Intelligence protection against malicious code transferred in Web-related Secure connectivity applications: worms, various attacks such as buffer overflows, command • SSL v.3, TLS injections, cross-site scripting, customizable HTTP worm catcher, directory • 3DES (128, 256), AES (128, 256), RC4 (128) traversal, header rejection, malicious HTTP code, and SQL injection Connectra Web portal Application level attack protection • Web: Citrix, dynamic links, JavaScript, Lotus iNotes, relative links, static links • Application Intelligence for traffic in SSL Network Extender. Connectra actively • Email access options: protects organizations from both network and application attacks using Check 1) Integrated Web interface for email servers using IMAP Point’s Stateful Inspection and Application Intelligence technologies 2) Native email client via POP3S, SMTPS Protection levels 3) Outlook Web Access 2000/2003/2007 access over SSL VPN • Resources are defined with sensitivity levels. Access authorized based on • File sharing: Windows SMB/CIFS security of endpoint and authentication used • On-demand applications: FTP, Jabber IM, RDP, SSH, Telnet, terminal emulation, Cookie protection TN3270, TN5250, extensible • Cookies are protected and hosted on the gateway • Languages: Bulgarian, English, French, German, Italian, Japanese, Polish, Automatic timeout Romanian, Russian, Spanish, and Traditional and Simplified Chinese • Automatic timeout of SSL VPN sessions, idle, and forced methods • Supported browsers: Internet Explorer 5.5 or higher, Mozilla FireFox, Netscape 6 or higher, Safari Comprehensive endpoint security (optional add-on) SSL Network Extender Integrity Clientless Security • ActiveX and Java plug-ins • Total endpoint inspection • Application support: SSL VPN tunneling for any IP-based application, including • Detects and disables malware and spyware: adware, browser plug-ins, dialers, ICMP, TCP, and UDP keystroke loggers, third-party cookies, Trojan horses, worms, and other hacker • Networking options: DNS, Office Mode (internal IP address), and WINS support tools and undesirable software • Supported operating systems: Linux, Macintosh (including Intel-based), • Checks for installed and updated antivirus software, PC firewalls, and other Windows 2000/XP administrator-defined criteria before log in SecureClient Mobile (optional add-on) • Policy compliance reporting—list unmet conditions by end user. Customizable • SSL VPN client for Windows Pocket PC 2003/SE, Windows Mobile 5.0 remediation resources. Provide guidance and links to resources that enable • Supports any IP-based application, DNS, Office Mode, and WINS out-of-compliance users to become compliant with enterprise access policy • Integrated firewall features for mobile devices Integrity Secure Workspace Authentication and authorization • Total endpoint confidentiality • Active Directory, client certificates, internal database, LDAP, RADIUS, RSA • Encrypts session data on remote endpoints and fully deletes protected data SecurID after the session is completed • Dynamic Authorization grants access rights to resources based on • Monitors and controls applications so data cannot leave secure encrypted authentication type or endpoint security scan results workspace Performance and availability Real-time security updates High Availability and load sharing SmartDefense Services • ClusterXL® synchronization • Includes one-year subscription for real-time updates for Application • Full stateful failover (active/active, active/passive) Intelligence, Web Intelligence, and endpoint security protections • Fully internal load balancing Management • IP virtualization Web-based administration • Synchronized configuration, session state, • Web-based administration over SSL for configuration, monitoring, individual user preferences and maintenance Hardware acceleration • Automatic configuration backup, archiving, and restoration • Connectra Acceleration Card for SSL encryption offload • Restrictions by IP address • Optional add-in, included with Connectra 6000 appliance • Configuration change logging Centralized management • SmartCenter (requires NGX platform) • SmartDashboard™, Provider-1™, SmartView Monitor™, SmartView Status™, SmartViewTracker™, SmartUpdate™, Eventia Reporter™, Eventia Analyzer™, Secure Internal Communication, SmartDefense Services • SNMP

Connectra appliance.

©2003–2007 Check Point Software Technologies Ltd. All rights reserved. Check Point, AlertAdvisor, Application Intelligence, Check Point Express, Check Point Express CI, the Check Point logo, ClusterXL, Confidence Indexing, ConnectControl, Connectra, Connectra Accelerator Card, Cooperative Enforcement, Cooperative Security Alliance, CoSa, DefenseNet, Dynamic Shielding Architecture, Eventia, Eventia Analyzer, Eventia Reporter, Eventia Suite, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer, FloodGate-1, Hacker ID, Hybrid Detection Engine, IMsecure, INSPECT, INSPECT XL, Integrity, Integrity Clientless Security, Integrity SecureClient, InterSpect, IPS-1, IQ Engine, MailSafe, NG, NGX, Open Security Extension, OPSEC, OSFirewall, Policy Lifecycle Management, Provider-1, Safe@Home, Safe@Office, SecureClient, SecureClient Mobile, SecureKnowledge, SecurePlatform, SecurePlatform Pro, SecuRemote, SecureServer, SecureUpdate, SecureXL, SecureXL Turbocard, Sentivist, SiteManager-1, SmartCenter, SmartCenter Express, SmartCenter Power, SmartCenter Pro, SmartCenter UTM, SmartConsole, SmartDashboard, SmartDefense, SmartDefense Advisor, Smarter Security, SmartLSM, SmartMap, SmartPortal, SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartViewTracker, SofaWare, SSL Network Extender, Stateful Clustering, TrueVector, Turbocard, UAM, UserAuthority, User-to-Address Mapping, VPN-1, VPN-1 Accelerator Card, VPN-1 Edge, VPN-1 Express, VPN-1 Express CI, VPN-1 Power, VPN-1 Power VSX, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 UTM, VPN-1 UTM Edge, VPN-1 VSX, Web Intelligence, ZoneAlarm, ZoneAlarm Anti-Spyware, ZoneAlarm Antivirus, ZoneAlarm Internet Security Suite, ZoneAlarm Pro, ZoneAlarm Secure Wireless Router, Zone Labs, and the Zone Labs logo are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. ZoneAlarm is a Check Point Software Technologies, Inc. Company. All other product names mentioned herein are trademarks or registered trademarks of their respective owners. The products described in this document are protected by U.S. Patent No. 5,606,668, 5,835,726, 6,496,935, 6,873,988, and 6,850,943 and may be protected by other U.S. Patents, foreign patents, or pending applications.

February 28, 2007 P/N 502428

Worldwide Headquarters U.S. Headquarters 3A Jabotinsky Street, 24th Floor 800 Bridge Parkway Ramat Gan 52520, Israel Redwood City, CA 94065 Tel: 972-3-753-4555 Tel: 800-429-4391; 650-628-2000 Fax: 972-3-575-9256 Fax: 650-654-4233 Email: [email protected] www.checkpoint.com 4