Checkpoint VPN-1 is a security appliance developed by Check Point, an Israeli software provider with focus on IT security. Checkpoint VPN-1 by itself is a stateful firewall with a web-based setup, best applicable for large-scale VPN deployments.

The purpose of the appliance is to safeguard corporate resources, ensure privacy and protect the integrity of data communication. VPN-1 attempts to accomplish this by integrating access control, user authentication, and encryption.

Central Management

Management of VPN-1 VPN-1 can be centrally managed by SmartCenter, Provider-1, or Security Management Portal, which allow a user to define, manage, and monitor multiple Check Point gateways from one console.

Large-scale management may also be implemented through Smart Large Scale Manager (SmartLSM), a part of SmartCenter Pro, another one of Check Point’s products. SmartLSM allows a user to access many gateways through one security policy, or a profile.

SmartCenter Pro also allows SmartUpdate, which helps centrally manage software updates and licenses, so that updates are conducted automatically and without infringing upon secure activity. Eventia Reporter is another of Check Point’s products that can work with the VPN-1 to provide centralized reporting.

  • Plug-and-play: wizard-driven Web-based management is also an option for the VPN-1. This configuration must be set up at the remote site, though set-up can be easily completed by non-technical staff.
  • One-click VPN communities: VPN communities allows the VPN-1 to inherit community security parameters as well as establish IPSec sessions with others in the VPN community.
  • Bandwidth management: For businesses with remote offices where critical traffic competes with noncritical traffic over one ISP connection, VPN-1 may be able to guarantee and prioritize traffic. Weighted priorities grant bandwidth based on value to the business, as well as set bandwidth limits to noncritical traffic.
  • Out-of-band management: VPN-1 supports out-of-band schemes including Command Line Interface (CLI) through SSH, serial port, or SNMP.

Secure Connection

Encryption and authentication are the methods in which Checkpoint VPN-1 protects the privacy of data communication. Port-based and tag-based VLAN may also be used.

VPN-1 can be used as an internal VPN server, which will increase the strength of authentication for wireless users and internal LAN. VPN-1 encrypts data through AES, 3DES, and DES algorithms, as well as the industry-standard X.509 digital certificates.

VPN-1 can also use digital certificates self-signed by the user, or those provided by Check Point Internal Certificate Authority.

  • Stateful Inspection: Check Point’s Stateful Inspection technology is patented to track the state and context of network communications. VPN-1 can therefore secure approximately 150 predefined applications, services or protocols, including instant messaging, web browsing, peer-to-peer applications, and multimedia services.
  • Topology support: Unlike other organizations who may use hub-and-spoke topology, which sends all traffic through a primary VPN gateway, VPN-1 routes all traffic through a central gateway and filters it through OPSEC-certified products and URL filtering. VPN-1 is also able to support split-tunneling.
  • Flexible VLAN support: By segmenting internal networks into many virtual networks, VPN-1 supports VLANs for increased security within the local network. Port-based VLAN splits four LAN networks into segmented networks whereas tag-based VLAN connects a device through a switch inside a VLAN trunk, expanding port density.

Consistent Connection

VPN-1 ensures that a business can consistently rely on its VPN network so that business activity will not be infringed upon.

  • ISP redundancy: When two ISPs are are connected to the appliance, VPN-1 will automatically pick up connection from the other ISP if one of the ISP connections are lost.
  • WAN interfaces: Primary and secondary appliances can share one WAN IP address in order to achieve virtually uninterrupted access to internal servers.
  • Dialup Backup: Dialup Backup provides a primary and secondary Internet connection source by connected a dialup modem as a primary Internet connection where broadband Internet is unavailable. If the primary Internet connection has failed, VPN-1 will automatically connect to the modem.

Works Consulted

“Check Point FW-1/VPN-1 NG/FP3 Implementation Guide.” CRYPTO-Server 3rd Party

Integration (n.d.): n. pag. Gemalto. CRYPTOCard, 2006. Web. 1 Feb. 2017.

Snyder, Joel. “Check Point's VPN-1 Edge W Security Device Picks up Wireless

Support.”Network World. Network World, 30 May 2005. Web. 01 Feb. 2017.

“VPN-1 Edge.” VPN-1 Edge (n.d.): n. pag. Cama State. Check Point, 4 May 2005. Web. 1 Feb.



Comments are closed.