Connectra Gateway Access Control

all_connectra

Check Point Connectra™ is the only scure remote access gateway that unifies best of breed SSL VPN, IPSec VPN, and integrated intrusion prevention for the most secure connectivity with unmatched centralized management and deployment flexibility.

Overview
Features
Model Specs
Data Sheets

Connectra allows mobile and remote workers to connect easily and securely to critical resources while protecting enterprise networks and endpoints from external threats. A broad range of connectivity scenarios coupled with integrated intrusion prevention and unified with powerful central management offer unprecedented control over remote access configurations and security policy administration. As a first line of defense, Connectra offers comprehensive endpoint security to protect networks and endpoints from debilitating viruses, malware and malicious attacks.

End users will appreciate Connectra’s streamlined access features and user-friendly portal interface. DynamicID™ SMS authentication eliminates the need to carry and manage tokens and Smartcards where two-factor authentication is required. In addition, roaming between networks without re-authentication is now possible with Check Point Endpoint Connect™. This lightweight client can be downloaded and installed directly from the Connectra portal. If data loss when connecting from public endpoints is a concern, session security can be ensured with Check Point Secure Workspace. Secure Workspace creates an encrypted virtual file-system, allowing complete destruction of all session data and activity logs when the session ends.

Unified Gateway with Central Management Secure Web-Based Connectivity
Connectra is a Secure Remote Access Gateway that enables remote users to access corporate resources. It provides both Web-based and network-level access through the SSL encryption delivered in most Internet browsers. Through an integrated Connectra Web portal, users can access Web applications, Web-based resources, shared files, and email. For extra flexibility, administrators can customize the design of the Connectra Web portal, including support for multiple languages.

For non-Web, client/server applications, Connectra provides secure network-level access over the Web with SSL Network Extender™. Included with Connectra, SSL Network Extender is a browser plug-in that tunnels traffic from endpoint applications over SSL. It supports any IP-based application, including ICMP, TCP, and UDP, without requiring complex configuration to support each application. SSL Network Extender can even work on remote PCs without requiring administrator privileges.

Integrated Intrusion Prevention
Integrated intrusion prevention provided by Connectra for SSL VPN access ensures the integrity of internal applications. Integrated Stateful Inspection, Web Intelligence™, and Application Intelligence™ technologies offer protection against malicious activities and attacks over SSL VPN. For example, Connectra can prevent users from accessing confidential data using directory traversal or SQL injection attacks—a particular concern in extranet environments. Connectra can ensure that worms cannot spread through SSL VPN when a remote user is tunneling native applications. In addition, Connectra comes with a one-year SmartDefense™ Services subscription to ensure that integrated application protections are up to date.

Comprehensive Endpoint Security
With the integration of Check Point Endpoint Security On Demand™, Connectra secures network resources from remote PCs—regardless if they are used and/or owned by employees or partners, customers, or other network guests. It enforces network security policy for SSL VPN connections, ensures session confidentiality, and keeps the organization secure.

Scans for spyware to ensure that malicious processes, keystroke loggers, and Trojan horses are not installed on remote endpoints, Connectra scans for these and other spyware through remote users’ browsers. By disabling spyware and enforcing baseline security requirements before it grants SSL VPN access, Connectra stops identity and password theft and prevents data loss.
Ensures information confidentiality to enable secure access even in unmanaged environments like airport Internet kiosk PCs, Connectra provides Secure Workspace, an option that provides a totally secure environment and which encrypts all session files such as attachments, cookies, emails, and passwords on the remote endpoint. This prevents sensitive corporate information from being viewed or stolen even after a session ends and the user leaves the PC.

Connectra can enforce access policies requiring antivirus software and/or firewall installation before granting users access. Out-of-compliance users are offered links to self-remediation resources. Once in compliance, they are allowed to log in.

Restrict access to individual resources based on the trust level of the endpoint and user. For example, one set of resources may be defined with a “high” sensitivity level and access allowed only if a remote endpoint provides strong authentication like token-based authentication and has current antivirus software installed and running. Similarly, another set of resources can be accessed only when someone is using the Secure Workspace.

Protect Against New Threats
Connectra is supported by SmartDefense Services, which maintain the most current preemptive security for the Check Point security infrastructure. To help you stay ahead of new threats and attacks, SmartDefense Services provide real-time updates and configuration advisories for defenses and security policies. These ensure that Connectra endpoint security and intrusion prevention capabilities have the latest protections available.

Powerful Centralized Management
Connectra can be managed centrally with Check Point SmartCenter™ or standalone through a user-friendly interface. Centralized management offers unmatched leverage and control of security policies, and enables organizations to use a single repository for user and group definitions, network objects, access rights, and security policies across their entire security and remote access infrastructure. Unified access policies will be enforced automatically throughout their distributed environment, empowering them to securely provision access from anywhere.

Best End User Experience
Endpoint Connect VPN Client
Check Point Endpoint Connect™ is a new, lightweight IPSec VPN client for use with Connectra gateways. Designed for reliable connectivity with maximum usability, Endpoint connect delivers seamless and secure remote access to corporate network resources and is now included with every Connectra license.

Traditional VPN clients can frustrate mobile users and prevent them from accomplishing critical tasks. Endpoint Connect is built with today’s corporate professionals in mind. Traditional IPSec clients are too cumbersome, requiring reconnection and re-authentication with every move. Users must re-login in to the VPN every time their laptop wakes up, and also when they switch networks—from the corporate LAN to Wi-Fi to GPRS. Please see the Endpoint Connect product page for more information.

DynamicID™ Direct SMS Authentication
Connectra can now be configured to send a one-time password (OTP) to an end-user communication device (such as a mobile phone) via an SMS message. SMS two-factor authentication provides an extra level of security while eliminating the difficulties associated with managing hardware tokens. Please see the DynamicID product page for more information.

Most Deployment Options
Connectra is available as a turnkey appliance, as software for installation on open servers or as virtual appliance.

Connectra appliances feature Connectra Software that has been preinstalled on dedicated Check Point or OPSEC™ certified appliances
Connectra Software can also be installed on open servers and includes SecurePlatform™, a security hardened operating system from Check Point
Connectra Software can be deployed as a virtual appliance and is certified on VMware ESX Server

Connectra can be deployed in a network DMZ or on a trusted LAN and is easy to install and simple to manage. It supports several authentication options including LDAP, RADIUS, SecurID/ACE, or an internal database.

Technical Features

Flexible, Secure Remote Access
Unmached Mobility
Comprehencive Endpoint Security
Integrated Intrusion Prevention
High Performance
Advanced Scalability

Flexible, Secure Remote Access
Secure clientless SSL VPN connectivity for browser-based remote access to an extensive range of enterprise applications, as well as client-based mobile IPSec connectivity for corporate users “On the Go”

Browser-based remote access

Internet Explorer, Mozilla and Safari browser support
Windows, Windows Mobile, Mac, iPhone and Linux platform support
SharePoint, SAP Portal and other Web applications
Outlook Web Access, Lotus iNotes and other mail applications
Built-in web front-end for Native POP3/IMAP servers
Windows (SMB/CIFS) file servers for file sharing

Java-based browser plug-ins for on-demand application delivery

Windows, Mac and Linux platforms
FTP, Jabber IM, RDP, SSH, Telnet, terminal emulation
TN3270, TN5250 extensible

Browser plug-ins for on-demand connectivity

Windows, Mac and Linux platform support
SSL Network Extender - included with Connectra
- Application mode: TCP based applications, including Citrix, MS RDP, Outlook, FTP clients etc.
- Network mode: All IP-based applications

Unmatched Mobility
Roaming provides uninterrupted LAN-like IPSec access from laptops and Smartphones

Endpoint Connect - VPN client for laptops and PCs
SSL / IPSec client for Windows 2000, XP and Vista platforms
Two-factor authentication with PKI, SecureID and SoftID
Office Mode support
Integrated endpoint compliance and malware scanner
Dynamic transport (IPSec or SSL)
Roaming, location awareness and Intelligent Auto-connect
Supports IP-based applications

SecureClient Mobile - VPN client for Smartphones and PDAs

Pocket PC 2003, Windows Mobile 5.x and 6.x platform support
Two-factor authentication with PKI, SecureID, SoftID
SSL-based VPN tunnel with personal firewall and roaming support
Office Mode support
Bluetooth, WAP and other peripheral control
On-demand tunnel integration with Outlook Mobile to conserve power
Supports IP-based applications

Comprehensive Endpoint Security
Endpoint Security On Demand - optional endpoint compliance and malware scanner

Ensures that connecting endpoints are compliant with corporate policy
Detects keyloggers, trojans and other malware
Out-of-compliance users are offered links to self-remediation resources

Secure Workspace – ensures VPN session confidentiality when using public computers

Creates a secure virtual environment, insulated from the host
Encrypts and deletes browser and application caches, files etc. when session ends

Integrated Intrusion Prevention
Web Intelligence

Provides protection against malicious code transferred in Web-related applications
Blocks worms, various attacks such as buffer overflows, SQL and command injections, cross-site scripting, customizable HTTP worm catcher, directory traversal, header rejection, malicious HTTP code

Application Intelligence

Extends further protection for non-web traffic transferred over VPN tunnels created by SNX, Endpoint Connect, and SecureClient Mobile
Protections included for FTP, Mail and other IP protocols

High Performance
ClusterXL (included with Connectra) offers full cluster capability for stateful high availability and load sharing

Advanced Scalability
Connectra can scale to over 10,000 concurrent users on the Connectra 9072 appliance, as well as other high-end, single blade servers

Key Benefits

Unified Gateway with Central Management

Consolidate SSL VPN and IPSec VPN connectivity in a best-of-breed unified secure remote access gateway
Integrated intrusion prevention and comprehensive endpoint security block viruses, malware and malicious attacks
Centralized management unifies policy deployment, client administration and event reporting
Defend against the latest threats with automatic, real-time security updates with SmartDefense™ Services

Best End User Experience

Ensure session security when connecting from public computers or Internet kiosks with Secure Workspace
Uninterrupted connectivity even when roaming between wireless networks
Automatic endpoint scanning prior to user authentication for additional level of security
First and only vendor to provide direct SMS authentication eliminating need for Smartcards and tokens

Most Deployment Options

Appliance - A full range of Connectra appliances are available to align with any enterprise remote access requirements for optimum price/performance
Software - Connectra software can be installed on a wide variety of open server platforms certified by Check Point to run SecurePlatform™
Virtual Appliance - Connectra is certified on VMware ESX Server as a virtual appliance, reducing operating costs for MSPs, ISPs and telcos

Appliance Technical Specifications

	Connectra 270	Connectra 3070	Connectra 9072
Connectra version	R66	R66	R66
Performance
Maximum concurrent SSL users	100	1000	10000
Maximum Concurrent IPSec users	100	1000	10000
SSL/IPSec hardware acceleration	No	No	Yes
Interfaces
Built-in Interfaces	4 Copper GbE	10 Copper GbE	10 Copper GbE
Optional interfaces	N/A	N/A	4 x 1 GbE copper 4 x 1 GbE Fiber LR (single mode) 4 x 1 GbE Fiber SR (multi mode)
VLANs	256	256	256
Storage
Size	160 GB	160 GB	2 x 160 GB
Type	Built-in	Built-in	Removable, hot-swappable
Enclosure
Enclosure	1U	1U	2U
Dimensions (standard)	16.8 x 10 x 1.73 in.	17.4 x 15 x 1.73 in.	17 x 20 x 3.46 in.
Dimensions (metric)	429 x 255 x 44mm	443 x 381 x 44mm	431 x 509.5 x 88mm
Weight	3.7kg (8.1 lbs)	6.5kg (14.3 lbs)	16.5 kg (36.3) lbs
Power
Dual, hot-swappable power supplies	No	No	Yes
Power Input	100-240V 50-60Hz
Power Supply Spec (Max)	65W	250W	400W
Power Consumption (Max)	26.2W	77.5W	200.7W
Operating environment range	Temperature: 5° to 40° C, Humidity: 10%-85% non-condensing, Altitude: 2,500m
Compliance	UL 60950; FCC Part 15, Subpart B, Class A; EN 55024; EN 55022; VCCI V-3AS/NZS 3548:1995; CNS 13438 Class A (test passed; country approval pending); KN22KN61000-4 Series, TTA; IC-950; ROHS

Software Technical Specifications

Connectra software is a software solution for open servers. It installs SecurePlatform™ 2.6, a hardened operating system, and Connectra software in less than 10 minutes. Connectra software and SecurePlatform are tested for compatibility with a wide variety of currently shipping and pre-release hardware platforms.

Minimum hardware requirements for installing Connectra software
CPU	Intel Celeron 2.4 GHz or equivalent
Memory	512 MB
Disk space	10 GB hard disk drive

Hardware Compatibility List Connectra Software

SecurePlatform is tested for compatibility with a wide variety of currently shipping and pre-release hardware platforms. We ensure that a wide variety of storage controllers and network adapters are supported by SecurePlaform. However, users should still take into consideration the vendor's own published list of limitations.

Secure Platform Certified Open Servers		Connectra Software
Vendor	Model	NGX R61	NGX R62/ R62CM	NGX R66
Dell	PowerEdge 1750	√	√	√
Dell	PowerEdge 1850	√	√	√
Dell	PowerEdge 1950 II	—	√	√
Dell	PowerEdge 1950 III	—	—	√
Dell	PowerEdge 2650	√	√	√
Dell	PowerEdge 2850	√	√	√
Dell	PowerEdge 2950 II	—	√	√
Dell	PowerEdge 2950 III	—	—	√
Dell	PowerEdge 2970	—	—	√
Dell	PowerEdge 750	√	√	√
Dell	PowerEdge 850	—	√	√
Dell	PowerEdge 860	—	√	√
Dell	PowerEdge R200	—	—	—
Dell	PowerEdge R300	—	—	—
Dell	PowerEdge R310 Rack Server	—	—	—
Dell	PowerEdge R610	—	—	—
Dell	PowerEdge R710	—	—	—
Dell	PowerEdge R900	—	—	—
Dell	PowerEdge R910 Rack Server	—	—	—
Dell	PowerEdge SC1425	√	√	√
Dell	PowerEdge SC1435 Official site	—	√	√
Fujitsu	PRIMERGY RX200 S4	—	—	—
Fujitsu	PRIMERGY RX200 S5	—	—	—
Fujitsu	PRiMERGY RX200 S6	—	—	—
Fujitsu	PRIMERGY RX300 S4	—	—	—
Fujitsu	PRIMERGY RX300 S5	—	—	—
Fujitsu	PRIMERGY RX300 S6	—	—	—
HP	BL460c with BladeSystem C class	—	√ CD Edition2	√
HP	BL480c with BladeSystem C class.	—	√ CD Edition2	√
HP	ProLiant BL460c G6	—	—	—
HP	ProLiant BL465c G5	—	—	—
HP	ProLiant DL-320 G5	—	√	√
HP	ProLiant DL-360 G4	√	√	√
HP	ProLiant DL-380 G3	√	√	√
HP	ProLiant DL-380 G4	√	√	√
HP	ProLiant DL-380 G6	—	—	—
HP	ProLiant DL-385 G1	√	√	√
HP	ProLiant DL-585 G1	—	√	√
HP	ProLiant DL165 G7	—	—	—
HP	ProLiant DL320 G6	—	—	—
HP	ProLiant DL360 G5	—	√	√
HP	ProLiant DL360 G6	—	—	—
HP	ProLiant DL360 G7	—	—	—
HP	ProLiant DL365 G1	—	—	√
HP	ProLiant DL380 G5	—	√	√
HP	ProLiant DL380 G7	—	—	—
HP	ProLiant DL385 G2	—	√	√
HP	ProLiant DL385 G5	—	—	—
HP	ProLiant DL385 G6	—	—	—
HP	ProLiant DL580 G4	—	—	√
HP	ProLiant DL580 G5	—	—	√
HP	ProLiant DL585 G2	—	—	√
HP	ProLiant ML-330 G3	√	√	√
HP	ProLiant ML-370 G5	—	√	√
HP	ProLiant ML350 G4	√	√	√
HP	ProLiant ML350 G5	—	√	√
HP	ProLiant ML370 G4	—	√	√
IBM	BladeCenter HS20 (Model 8677-3XU)	—	√	√
IBM	BladeCenter HS21 (Model 8677-2XX)	—	—	√
IBM	BladeCenter HS21 8853 (Model 8750-1xx - BladeCenter - HT)	—	√ CD Edition2	√
IBM	BladeCenter HS22	—	—	—
IBM	BladeCenter LS22	—	—	—
IBM	System x3250	—	√ CD Edition2	√
IBM	System x3250 M2	—	—	—
IBM	System x3550	—	√ CD Edition2	√
IBM	System x3550 M2	—	—	—
IBM	System x3550 M3	—	—	—
IBM	System x3650	—	√ CD Edition2	√
IBM	System x3650 M2	—	—	—
IBM	System x3650 M3	—	—	—
IBM	System x3650T	—	√	√
IBM	System x3655	—	√ CD Edition2	√
IBM	System x3850 M2	—	—	—
IBM	xSeries 205 (Model 8480-53X)	√	√	√
IBM	xSeries 206	√	√	√
IBM	xSeries 306	√	√	√
IBM	xSeries 306m	—	√	√
IBM	xSeries 336	—	—	—
IBM	xSeries 345 (Model 8670)	√	√	√
IBM	xSeries 346	—	√	√
Kontron	IP Network Server NSN2U (T5520UR)	—	—	—
Lenovo	ThinkServer RD210	—	—	—
Lenovo	ThinkServer RD220	—	—	—
Sun	Fire X4100 M2	—	—	√
Sun	Fire x4150	—	—	—
Sun	Fire X4170	—	—	—
Sun	Fire x4450	—	—	—
Sun	X2100	—	√	√
Sun	X2100 M2	—	√ CD Edition2	√
Sun	X2200 M2	—	√ CD Edition2	√
Sun	X4100	—	√ CD Edition2	√
Sun	X4200	—	√ CD Edition2	√
Sun	X4200 M2	—	—	√
SuperMicro	6023P-8R (Model SYS-6023-P8R)	√	√	√
Toshiba	Magnia 2200R	√	√	√

IPS-1 Sensor HW Requirements

4G of RAM for all models expect OpenSensor 100 which requires 2G.
Core and port configuration MUST follow the table below.

SW-Only Model	Maximum Cores & Ports	Approximate Rated Throughput
OpenSensor 100	1 Cores & 4 Ports	100Mbps
OpenSensor 200	2 Cores & 4 Ports	200Mbps
OpenSensor 500	4 Cores & 6 Ports	500Mbps
OpenSensor 1000	8 Cores & 8 Ports	1Gbps

If the number actual cores/ports exceed the maximum allowed by the OpenSensor model, the product operates as follows:

Actual cores > Maximum cores allowed = product will not operate.
Actual ports > Maximum ports + 2 = product will not operate.
Actual ports

Bypass Function - For deployments requiring fail pass-through function, bypass cards must be purchased and installed in the hardware platform. To purchase bypass cards, have your chosen HW configuration available and contact the Bypass Card Vendor

IPS-1 Management Server Requirements

4G of RAM.
RAID configurations are recommended due to the I/O intensive nature of IDS/IPS and the compliance driven nature of data retention
Due to the I/O intensive nature of IDS/IPS and possible compliance driven requirements for data retention, the management server must meet one of the following configuration requirements:
- RAID 1+0 with four SCSI drives provides performance and redundancy and for this reason is the recommended configuration.
- RAID 0 with two SCSI drives provides performance benefits but no redundancy and is the minimum recommended configuration.

Virtual Appliance Technical Specifications
Connectra is supported as a virtual appliance on VMware ESX Server

The following configuration is certified by Check Point and is recommended for use with SecurePlatform