Pros:
- No special client VPN software required for remote LAN access
- Integrated firewall, plus application and endpoint security
- Intuitive management interface

Cons:
- Some security options require plug-ins and are browser-specific
- Endpoint security is a chargeable add-on
- Limited integration with Check Point Smart management platform

At first glance there appears to be nothing special about Check Point’s Connectra Web security gateway. Like other SSL-based VPN (Virtual Private Network) solutions, it’s designed to connect remote and mobile users to a corporate network, and do so without the need for special client software -- just an SSL-enabled browser. However, Connectra has a couple of extra tricks up its sleeve -- most notably, integrated application and endpoint security to protect the network against trojans, spyware and other nasties that could, otherwise, be spread by infected remote endpoints.
The first version of Connectra (released last year) addressed this issue by adding firewall-like filtering of the VPN traffic. Moreover, unlike an ordinary firewall, the Connectra software is able to detect and block common application-layer attacks including cross-site scripting and SQL injection. Now the Connectra 2.0 implementation can also detect and disable active spyware, keystroke loggers and other possible infections at the client endpoint. It can also be configured to check the status of client antivirus and personal firewall software, and make sure that other security requirements are in place before allowing access. Endpoints failing to meet preset security levels can then be denied access and/or directed to sites where the necessary updates and patches can be obtained.
Known as Integrity Clientless Security, this new endpoint security is based on technology from Zone Labs, acquired by Check Point last year. However, it’s not as clientless as the name implies, requiring an ActiveX browser plug-in that could be an issue on kiosks and other locked-down endpoints. Neither is it a standard feature, adding a further £1,700 to the price of a basic 50-user Connectra deployment.
Likewise, although you can specify the use of Connectra’s own secure browser to prevent cached information being stolen, this too requires a plug-in to work. If you want native access to network shares and require support for non-Web client/server applications, then yet another plug-in -- known as the SSL Network Extender -- is required. Not only could this be a problem on some endpoints, but the SSL Network Extender can also only be used with Microsoft’s Internet Explorer.
On the plus side, an intuitive Web-based interface is provided for management. We found this remarkably easy to follow compared to the interface used by Check Point on its ordinary firewalls. Indeed, the only real problem we had was caused by a misleading error message when authenticating clients via the built-in Web portal. However, a quick read of the excellent supporting documentation soon sorted this out, and overall the Connectra did exactly what was claimed with very little management effort.
Based on Check Point’s own secure OS, Connectra can be purchased either as software (£4,500 for 50 users) or as a pre-configured appliance using Dell PowerEdge hardware (£5,700 for 50 users). It can be deployed behind a company firewall or placed in a DMZ, and although performance is largely down to the hardware involved, the appliance implementations feature dual Gigabit Ethernet interfaces and so can handle hundreds of simultaneous connections.
As mentioned above, we had no real problems putting Check Point's Connectra 2.0 to work, and were impressed by what it had to offer. We could have done without the browser restrictions, and existing Check Point customers may find the limited integration with the vendor’s Smart management platform disappointing. Integration with LDAP, RADIUS and other external authentication systems could also be simplified.
But these are relatively minor gripes, and the new endpoint security features really do make the Connectra 2.0 stand out against alternative SSL VPN products. Check Point's pedigree should bring further peace of mind to enterprises considering a Web security gateway.