The NGX platform delivers a unified VPN-1...


Post on 07-Jul-2020


Page 1: The NGX platform delivers a unified VPN-1 SecureClienta248.e.akamai.net/.../checkpoint_vpn1_clients_ds.pdf4 Worldwide Headquarters 3A Jabotinsky Street, 24th Floor Ramat Gan 52520,

Data Sheet


Check Point protects every part of your network—perimeter, internal, Web—to keep your information resources safe, accessible, and easy to manage.

The NGX platform delivers a unified security architecture for Check Point perimeter, internal, and Web security.

PRODUCT DESCRIPTION

VPN-1® SecureClient™ extends the VPN to remote users for safe network access and communication and enables administrators to enforce desktop policies for additional security.

PRODUCT FEATURES

■ Secure remote connections to VPN-1 gateways

■ User-friendly interface and easy deployment

■ Support for industry-standard VPN protocols

■ Security policy enforcement extends to the desktop

PRODUCT BENEFITS

■ Enables local and remote users to securely access resources on the corporate network

■ Provides authentication solutions that best meet your needs

■ Protects remote PCs and handheld devices from attacks

NGX HIGHLIGHTS

■ Flexible user authentication

■ Broad set of client connectivity options

VPN-1 SecureClient

Secure remote access

YOUR CHALLENGE

As employees become more mobile and organizations continue to deploy remote access VPNs, security and network managers face key security challenges. These include providing appropriate levels of access to corporate resources, protecting remote desktops or other client systems from compromise, and efficiently managing security and policy updates for these diverse remote access points.

OUR SOLUTION

Check Point VPN gateways extend the VPN to remote users, enabling them to communicate securely and access corporate networks. All data is encrypted by VPN-1® SecuRemote® before it leaves the remote PC or mobile device, making connections completely secure. The VPN client transparently encrypts and authenticates critical data to protect against eavesdropping and malicious data tampering.

VPN-1 SecureClient™ is an enhanced application providing the capabilities of VPN-1 SecuRemote plus additional features for client security and software management.

VPN-1 SecureClient extends security to the desktop by allowing security administrators to enforce desktop security policies for remote users. This functionality is critical in protecting corporate networks from unauthorized agents gaining access to the network by first gaining access to a remote user machine.

[Figure: VPN-1 SecuRemote and VPN-1 SecureClient enable state-of-the-art remote access VPNs. Diagram labels: VPN-1 SecuRemote, VPN-1 SecureClient, Dial-up, Wireless, DSL or Cable, Internet, VPN-1 Pro Gateway, Corporate Network.]


VPN-1 SECUREMOTE AND VPN-1 SECURECLIENT

Check Point VPN-1 SecuRemote and VPN-1 SecureClient provide the following features to help you take charge of your resources and maintain integrity of remote systems.

FLEXIBLE CONNECTIVITY OPTIONS

VPN-1 SecuRemote and VPN-1 SecureClient support dynamic and fixed IP addressing for dial-up, cable/modem or Digital Subscriber Lines (DSL) connections. This flexibility makes the VPN clients the ideal solution for telecommuters and mobile workers who need to access their company networks via an Internet Service Provider (ISP), wireless hot spot, or hotel Internet access connection.

Easy deployment

The tight integration of VPN-1 SecureClient and VPN-1 SecuRemote with Check Point’s VPN-1 gateway solutions makes it easy to incorporate secure remote access as part of an overall security policy. For easy deployment of remote access VPNs, Check Point VPN technology features a One-Click format. Remote access VPNs can be created by simply placing all participating VPN-1 SecureClient and VPN-1 SecuRemote users into a “VPN community,” which enables organizations to define the security parameters for an entire group of remote users. As new members are added to the community, they automatically inherit the appropriate properties and can immediately establish secure remote access connections to the corporate network.

Flexible authentication

In addition to pre-shared secrets and X.509 digital certificates natively supported by the IPSec standard, Check Point’s VPN-1 clients support multiple authentication schemes such as SecurID tokens, username and password, RADIUS, TACACS, and other third-party authentication methods, such as biometrics. This flexibility allows organizations to leverage existing authentication technologies and infrastructure.

Organizations that want strong authentication without incurring expensive PKI setup costs can use Check Point’s Internal Certificate Authority (ICA), which is tightly integrated with VPN-1 gateways, to issue X.509 digital certificates to client users and gateways for secured communication.

High availability

Check Point’s VPN Load Distribution feature is a high-availability and load-sharing solution for remote access VPN connections. Inbound VPN connections can be distributed across a cluster of VPN-1 gateways. If one gateway fails, new VPN connections will automatically connect to remaining cluster members.

ADVANCED VPN-1 SECURECLIENT

VPN-1 SecureClient provides enhanced functionality for supporting the security of remote clients.

Desktop security policy

VPN-1 SecureClient protects remote client machines by enforcing desktop security policies on the remote client. The administrator can centrally define desktop security policy rules for users or groups of users, enabling organizations with different types of remote users—such as sales or IT staff—to tailor client security policies to varying user needs. These policies not only protect the data on client machines from unauthorized access, but also eliminate vulnerability to attacks from fellow users on shared networks. Unauthorized access attempts can either be logged and viewed within VPN-1 SecureClient or sent as alerts to a SmartCenter™ management server.

Secure Configuration Verification

VPN-1 SecureClient strengthens enterprise security by ensuring client machines cannot be configured to circumvent the enterprise security policy. Using Secure Configuration Verification (SCV), managers can specify SCV checks—a set of predefined conditions for a securely configured client system. These checks are performed regularly to ensure that remote client machines comply with the organization's security policies.

In addition to these predefined checks, security administrators can define custom checks. For example, an SCV check can be written to ensure that VPN-1 SecureClient users are running the most current version of antivirus software.

Multiple connectivity modes

VPN-1 SecureClient provides various modes to address a variety of connectivity and routing issues faced by remote users.

• Office Mode addresses routing issues between the client and the gateway by encapsulating IP packets with the remote user’s original IP address, thereby enabling users to appear as if they were “in the office” while connecting remotely. Office Mode also provides enhanced anti-spoofing by ensuring that the IP address encountered by the gateway is authenticated and assigned to the user.

• Visitor Mode enables employees to access resources while they are working at a remote location such as a hotel or a customer office, where Internet connectivity may be limited to Web browsing using the standard HTTP and HTTPS ports.

• Hub Mode enables rigorous, centralized inspection of all client traffic, removing the need to deploy security functions to multiple offices, and giving employees secure client-to-client communications such as Voice over IP (VoIP) or Internet conferencing using applications like Microsoft NetMeeting.


Simplified remote user experience

VPN-1 SecureClient is a rich, full-featured GUI that simplifies the remote user’s connectivity experience.

Installation wizards guide the remote user through client installation and site destination creation. In addition, multiple authentication credentials can be stored so that users can seamlessly connect to sites with different access requirements without having to reconfigure the settings each time they connect to a site.

Users can enable Auto Connect mode, which prompts them with a connection dialog box upon seeing a network connection. Connection status messages alert the user to the progress of their connection attempts. Status View windows display detailed connection status, as well as troubleshooting indicators such as network activity counters.

[Screenshot: Integrated connection and authentication window]

[Screenshot: Wizard to assist remote user with site destination creation]

[Screenshot: Status View with detailed connection information]


Worldwide Headquarters
3A Jabotinsky Street, 24th Floor
Ramat Gan 52520, Israel
Tel: 972-3-753-4555
Fax: 972-3-575-9256
Email: [email protected]

U.S. Headquarters
800 Bridge Parkway
Redwood City, CA 94065
Tel: 800-429-4391; 650-628-2000
Fax: 650-654-4233
www.checkpoint.com

Compact view versus extended view

SecureClient can be configured to provide the remote user with an Extended View that has the full feature set. Alternatively, organizations with a single site and gateway configuration may choose Compact View for maximum remote ease-of-use. Because Compact View is pre-configured, the remote user does not need to perform site or profile management. Connection and setting dialog boxes have also been simplified to provide only essential features.

Streamlined software distribution and management

VPN-1 SecureClient includes features to streamline the initial distribution and ongoing maintenance of client software. These features dramatically decrease end-user support costs associated with VPN management, and improve overall security by ensuring that client software installations are always consistent and current. VPN-1 SecureClient supports MSI and is interoperable with all major software distribution packages.

SUPPORTED PLATFORMS

Windows 2000, 2003 Server, XP, XP Tablet PC Edition

Handheld PC 2000, PocketPC 2002/2003 SE

Mac OS 10.3

[Screenshot: Advance Status View window]

©2003-2005 Check Point Software Technologies Ltd. All rights reserved. Check Point, Application Intelligence, Check Point Express, the Check Point logo, AlertAdvisor, ClusterXL, Cooperative Enforcement, ConnectControl, Connectra, CoSa, Cooperative Security Alliance, Eventia, Eventia Analyzer, Eventia Reporter, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer, FloodGate-1, Hacker ID, IMsecure, INSPECT, INSPECT XL, Integrity, InterSpect, IQ Engine, Open Security Extension, OPSEC, Policy Lifecycle Management, Provider-1, Safe@Home, Safe@Office, SecureClient, SecureKnowledge, SecurePlatform, SecuRemote, SecureXL Turbocard, SecureServer, SecureUpdate, SecureXL, SiteManager-1, SmartCenter, SmartCenter Pro, Smarter Security, SmartDashboard, SmartDefense, SmartLSM, SmartMap, SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartViewTracker, SofaWare, SSL Network Extender, Stateful Clustering, TrueVector, Turbocard, UAM, User-to-Address Mapping, UserAuthority, VPN-1, VPN-1 Accelerator Card, VPN-1 Edge, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 VSX, VPN-1 XL, Web Intelligence, ZoneAlarm, ZoneAlarm Pro, Zone Labs, and the Zone Labs logo, are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. All other product names mentioned herein are trademarks or registered trademarks of their respective owners. The products described in this document are protected by U.S. Patent No. 5,606,668, 5,835,726, 6,496,935, 6,873,988 and 6,850,943 and may be protected by other U.S. Patents, foreign patents, or pending applications.

May 12, 2005 P/N 501672