Standards-based Integrations
(RADIUS/TACACS+, 802.1X EAP, SNMP, LDAP, CAPI, PKI, PKCS #7, #10, #11, #12)

The list of standards supported by OPSEC continues to grow as new industry standard proposals gain acceptance in the market or are ratified. To keep pace with the many industry standards and standard protocols that exist to ensure multi-vendor product interoperability, Check Point Software is a standards bearer and an active participant in standards bodies. The following industry standards are integral parts of the OPSEC framework.

RADIUS/TACACS+
Remote Authentication Dial-In User Service (RADIUS, RFC 2865) is the IETF (Internet Engineering Task Force) standard that has gained broad acceptance for authenticating dial-up and other remote-access users. TACACS+, a Cisco-originated protocol, is a similar protocol that has gained some level of multi-vendor acceptance. Token-based authentication schemes can be implemented over either RADIUS or, alternatively, TACACS+.

With RADIUS support, VPN-1/FireWall-1 and Connectra can enforce authentication by checking with a RADIUS server before allowing, for example, an external engineering development partner access to the company CAD/CAM system. Other access control devices such as routers or modem servers can use the same RADIUS authentication server, so the RADIUS standard unifies this authentication function. Security products from different vendors can authenticate a connection between two business partners provided that the equipment at each end of the communication is RADIUS-compliant.
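The RADIUS exchange described above, as an added example that is not part of the original page or Check Point's code (the shared secret, user name, password and user store are constructed): the gateway, acting as RADIUS client, hides the User-Password under a random Request Authenticator and the shared secret, the server decodes it, and the client accepts the reply only after checking the Response Authenticator. Because the MD5-based Response Authenticator alone gives weak protection against forged replies, the example also carries the Message-Authenticator attribute from RFC 2869 on both request and response, and the server silently discards a request whose HMAC does not verify. The practical caveat this makes visible: the shared secret is the only thing protecting the password, so it must be long, random and unique per client.

```python
"""RADIUS Access-Request/Accept exchange (RFC 2865) plus the RFC 2869 Message-Authenticator, standard
library only. Added illustration, not Check Point code; secret and user store are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, MESSAGE_AUTHENTICATOR = 1, 2, 80
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length; a 16-byte Authenticator follows
USERS = {b"partner-eng": b"cad-access-2024"}  # constructed stand-in for the server's user database

def encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS TLVs; Length counts the two header bytes."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out

def decode_attrs(data):
    attrs = []
    while data:  # reject a Length that would run past the end of the packet
        if len(data) < 2 or data[1] < 2 or data[1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[0], data[2:data[1]]))
        data = data[data[1]:]
    return attrs

def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: 16-byte blocks XORed with MD5(secret + previous block), seeded by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out

def reveal_password(hidden, secret, request_auth):
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):  # keystream chains on ciphertext, so decoding is the same walk
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return HEADER.pack(code, ident, 20 + len(body)) + authenticator + body

def with_message_authenticator(code, ident, auth_for_mac, attrs, secret):
    """Append HMAC-MD5(secret, packet with the attribute zeroed); responses use the *Request* Authenticator."""
    probe = build_packet(code, ident, auth_for_mac, attrs + [(MESSAGE_AUTHENTICATOR, b"\x00" * 16)])
    return attrs + [(MESSAGE_AUTHENTICATOR, hmac.new(secret, probe, hashlib.md5).digest())]

def message_authenticator_ok(pkt, auth_for_mac, secret):
    code, ident, length = HEADER.unpack(pkt[:4])
    attrs = decode_attrs(pkt[20:length])
    got = dict(attrs).get(MESSAGE_AUTHENTICATOR)
    zeroed = [(t, b"\x00" * 16 if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    want = hmac.new(secret, build_packet(code, ident, auth_for_mac, zeroed), hashlib.md5).digest()
    return got is not None and hmac.compare_digest(got, want)

def client_access_request(ident, user, password, secret):
    request_auth = os.urandom(16)  # fresh per request; reuse would let two hidden passwords be XORed apart
    attrs = [(USER_NAME, user), (USER_PASSWORD, hide_password(password, secret, request_auth))]
    attrs = with_message_authenticator(ACCESS_REQUEST, ident, request_auth, attrs, secret)
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth

def server_handle(pkt, secret, users=USERS):
    """RADIUS server side; returns the response, or None where the RFCs say to silently discard."""
    code, ident, length = HEADER.unpack(pkt[:4])
    if code != ACCESS_REQUEST or length != len(pkt) or length < 20:
        return None
    request_auth = pkt[4:20]
    if not message_authenticator_ok(pkt, request_auth, secret):
        return None  # wrong shared secret, or the request was altered in transit
    attrs = dict(decode_attrs(pkt[20:length]))
    user, hidden = attrs.get(USER_NAME), attrs.get(USER_PASSWORD)
    ok = user in users and hidden is not None and hmac.compare_digest(
        reveal_password(hidden, secret, request_auth), users[user])
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    body = encode_attrs(with_message_authenticator(code, ident, request_auth, [], secret))
    header = HEADER.pack(code, ident, 20 + len(body))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body

def client_check_response(resp, ident, request_auth, secret):
    """Trust a response only if Identifier, Response Authenticator and Message-Authenticator all verify."""
    code, rid, length = HEADER.unpack(resp[:4])
    want = hashlib.md5(resp[:4] + request_auth + resp[20:length] + secret).digest()
    if rid != ident or not hmac.compare_digest(resp[4:20], want):
        return None
    return code if message_authenticator_ok(resp, request_auth, secret) else None

def exchange(user=b"partner-eng", password=b"cad-access-2024", secret=b"constructed-shared-secret"):
    """One round trip; returns the verified response code (2 = Access-Accept, 3 = Access-Reject)."""
    req, request_auth = client_access_request(7, user, password, secret)
    return client_check_response(server_handle(req, secret), 7, request_auth, secret)
```

`exchange()` returns 2 for the constructed credentials and 3 for a wrong password; feeding the same request to a server configured with a different secret makes `server_handle` return None, which is the discard behaviour a real server shows when the shared secrets disagree.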

802.1x EAP
Given the difficulty of controlling the physical boundaries of a network (wireless LANs in particular), it is imperative to restrict access to authenticated users only (e.g., by using Check Point's VPN-1, or 802.1X/EAP authentication), and to verify that connecting endpoints comply with corporate security standards.

Check Point has partnered with leading WLAN and switch vendors to certify and promote joint solutions based on the 802.1X/EAP standard. These joint solutions, comprising the partner's equipment and Check Point Integrity endpoint security software, automatically verify compliance with corporate security policy before enabling access to the network.

SNMP
SNMP, the Simple Network Management Protocol, is the industry standard protocol for managing hardware and software resources from a central location. The SNMP management model employs two basic entities: a management station loaded with the resource's MIB (Management Information Base) file, and an agent. The MIB describes the information, and the agent, a program running on the resource to be managed, provides it to the management station when queried. The MIB also describes "traps", unsolicited event notifications that the agent sends to the management station when a preset condition is met. This allows the agent to monitor the resource continually and report exceptions to the management station.

VPN-1/FireWall-1 provides a MIB and an SNMP agent for management of the VPN-1/FireWall-1 gateway. Using any SNMP-capable network management station, the gateway can be queried for its current status. In addition, the VPN-1/FireWall-1 agent can alert the management station to network events that might affect the operation of the gateway, or to violations of the network security policy.

LDAP
LDAP, the Lightweight Directory Access Protocol, is an industry standard for exchanging information with LDAP-compliant directory servers. LDAP specifies a method for retrieving, storing, and representing data in a directory server, which is typically a repository for user information as well as network resources. Examples of information stored in a directory server include user identification data, X.509 certificates for use with Public Key Infrastructure (PKI) solutions, IP-to-hostname mappings, and so on. Various third-party directory servers offer sophisticated features such as replication (master/slave, multi-master), directory referrals, and backup services that make directory servers an ideal repository for mission-critical enterprise data.
When used in conjunction with Check Point SmartDirectory, VPN-1/FireWall-1 uses LDAP to retrieve information from directory servers in order to identify and authenticate users by password, pre-shared secret, digital certificate, or a third-party authentication server. VPN-1/FireWall-1 can optionally also store some access control attributes in the directory. Communication between VPN-1/FireWall-1 and the directory server is encrypted with SSL to keep the data private.

CAPI
SecuRemote/SecureClient NG supports Microsoft's CryptoAPI (CAPI) version 2.0. SecuRemote/SecureClient uses this API to access tokens that provide secure storage of public/private key pairs; examples of CAPI token products include smart cards, PCMCIA tokens, PCI adapters, and USB devices. CAPI is supported by SecuRemote/SecureClient NG on Windows 98, 98SE, ME, Windows NT 4, Windows 2000, and Windows XP.

PKI
Public Key Infrastructure (PKI) is technology that provides scalable, trusted authentication for applications such as VPNs. X.509 digital certificates are used by IPsec/IKE to validate the public keys required to establish an encrypted connection and to verify the identity of the parties in the exchange. The certificate authority (CA), a trusted third party that vouches for (authenticates) the identity of a certificate's owner, also issues certificate revocation lists (CRLs), which a peer consults to confirm that a presented certificate has not been revoked. Depending on the CA, a CRL may be published on an HTTP server or in an LDAP directory.

Check Point's goal is to provide an open integration environment in which any vendor's PKI solution can be tightly integrated with Check Point's products. It is common for suppliers, partners and customers sharing an eBusiness extranet to each operate their own, different CA; for example, your partner may have a VeriSign™ CA and your supplier an Entrust® CA. VPN-1 Gateway's ability to support certificates from multiple CAs simultaneously allows customers to set up and support multi-CA extranets with business partners, suppliers and customers. Open PKI makes it possible for administrators to select the PKI solution that best fits their needs and fully leverage it with Check Point's VPN-1 product. Through the use of the industry standard Public Key Cryptography Standards (PKCS), Check Point created OPSEC PKI integration points for VPN-1 Gateway, VPN-1 SecureClient, and VPN-1 SecuRemote.

PKCS#7
Support for this standard enables SecuRemote/SecureClient and the VPN-1 Management Station to securely receive an issued X.509 certificate, packaged as a PKCS#7 message, from a Certificate Authority.

PKCS#10
Support for this standard enables the SecuRemote/SecureClient VPN-1 client software and the VPN-1 Management Station to enroll for an X.509 certificate from a Certificate Authority by submitting a PKCS#10 certificate signing request.

PKCS#11
VPN-1/FireWall-1 NG supports this standard. PKCS#11 cryptographic tokens provide acceleration of public key operations and/or secure storage of public/private key pairs. VPN-1 uses this API to access secure server tokens, which provide secure key storage and random number generation, and secure fast tokens, which provide public key acceleration (DH and RSA).

PKCS#12
Support for this standard enables transport of an X.509 certificate and its private key from a web browser to the SecuRemote client software. This is the X.509 certificate transport mechanism SecuRemote requires for PKI Service Provider integration.