Comparison of Check Point Secure Remote VPN and Nortel's VPNClient

Raymond Banfield ray at UNIXPAC.COM.AU
Mon Jul 31 18:59:08 EDT 2000


Have you considered looking at Raptor?
It comes in a couple of flavours, to do with your firewall/VPN needs.
It can be a dedicated VPN server (which is locked down for some
firewall security) or it can be the firewall with the VPN integrated.

Raptor's Power VPN can be simple to install once you get used to it, and
once you have done one install you can do many.

There is a field to add what the DNS/WINS address will be to give to the
remote client.

You can also group more than one subnet into the rules, so if you need
to add another subnet, you add it to the group and it is then in the
rules already.

Once a client is set up in a way you know works for the configuration
you need, it is simple to replicate that for other users.

The remote client also will lock down other protocols and activities if
you wish.

Worth a look.

Ray

Chris Carlson wrote:

> I'd expect that there'll always be religious arguments
> on what software is better than another.  That being
> said, here's my two cents...
>
> The Nortel VPN client (I assume you mean Contivity)
> and Check Point have much overlap, but have enough
> differences to warrant discussion.
>
> Check Point's SecuRemote is part of their overall
> Secure Virtual Network (SVN) concept, where multiple
> firewalls, client authentication, host-level
> authentication/firewall/encryption, VPNs, policy
> management, DHCP, and DHCP-to-PDC authentication all
> tie up into a single, unified platform.  Quite a big
> task, and not without risk.
>
> The SecuRemote client itself, I believe, isn't
> particularly flexible.  It performs based on how Check
> Point thinks remote users should behave.  For example,
> every client always does split-tunnelling (corporate
> traffic goes down the tunnel while Internet traffic
> goes out directly to the Internet) with no option to
> turn it off.  That means that if you have a network on
> your internal net that is the same as on the Internet,
> it'll break.  Also, if you don't correctly configure
> all the multiple nets you may have behind your
> firewall, the user won't be able to tunnel there.  One
> customer of mine had 45 different subnets because of
> all the acquisitions they did.  Imagine trying to
> *manually* keep track of those nets while setting up
> Check Point's encryption domain.
>
> Something else, Check Point can't push down internal
> DNS or WINS information from the server to the client.
> That means that you have to manually enter this
> information into the dial-up adapter of *every* user
> you have, and you better pray that you don't change it
> later on.
>
> Those are the two biggest gotchas I found.  On the
> plus side, Check Point has a version of SecuRemote
> called SecureClient that has a built-in,
> server-controlled firewall on the client machine.
> This is very useful for your users that have DSL or
> cable modems.
>
> As for Nortel, it does do dedicated tunnelling
> (forcing all traffic down the tunnel) or
> split-tunnelling (but it's a little kludgy), and
> supports server-side configuration of DNS and WINS (in
> addition to IP address, subnet, DNS subdomain, and DNS
> search path) to the client all managed in a LDAP
> directory.  It seamlessly ties into RADIUS and LDAP
> and has an easily customizable, pre-configured client,
> perfect for large corporate deployments.
>
> However, the Nortel Contivity product is ONLY a VPN
> device.  Though you can install Check Point on it
> (?!), the Nortel VPN doesn't integrate with the Check
> Point FireWall-1 module.  If you want a dedicated VPN
> box, then I'd recommend Nortel.
>
> If you want a Firewall/VPN architecture, then I'd
> recommend you keep looking.  While Check Point has an
> all-in-one deployment, there's enough gotchas to make
> deploying a huge number of clients a management
> nightmare down the road... unless they radically
> change how they're doing things.
>
> A number of my clients have a hybrid deployment, they
> picked the best firewall platform and the best VPN
> platform for their needs.  If it wasn't the same,
> that's fine, unless your driving factor is a unified
> security architecture.  I believe that it's painless
> enough to integrate best-of-breed products together
> for a good enough overall solution, while really
> excelling at those points that matter: remote user
> VPNs, application-level authentication, etc.
>
> I'd heartily recommend an in-depth field trial before
> you deploy any VPN solution.  It's only after you have
> your installed base up and working do you realize that
> there could be something majorly wrong.  And with any
> VPN client deployment, once you have tens, hundreds,
> or thousands of clients out in the field, it'll be
> next to impossible to change or upgrade them.
>
> Good luck!
> Chris
> --
>
> --- Joe M Hoffman <Joe.M.Hoffman at MAIL.SPRINT.COM>
> wrote:
> > Has anyone done a comparison of Check Point Secure
> > Remote/Secure Client and Nortel's VPN client? If so,
> > would it be possible for you to point me to or send
> > me the information please.
> >
> > Thanks,
> >
> > Joseph M. Hoffman, CCSA, CCSE, B.A.
> > Network Security Engineer III
> > Sprint Corporate Security
> > (913)624-2535
> > 1-800-724-3329 pin 3834675
> > mail stop: KSWESA0116
> >
> >
>
> VPN is sponsored by SecurityFocus.COM

--
Raymond Banfield
Unixpac Group of Companies            Level 3 / 339 Military Rd
email: ray at unixpac.com.au               Cremorne, N.S.W. 2090
Web: http://www.unixpac.com.au      Australia
Web: http://www.best.net.au             Ph:  + 61 2 9953 8366
Web: http://www.linuxplaza.com.au   Fax: + 61 2 9953 5875
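
An added example (not part of either post, and not any vendor's tool): a Python audit of the two split-tunnelling failure modes described in the quoted message, internal subnets missing from the encryption domain and domain entries that collide with Internet address space. The function names and the sample networks are assumptions constructed for illustration.

```python
import ipaddress

# RFC 1918 private blocks; anything else in the domain is publicly numbered.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample data (hypothetical site, not from the thread).
ENCRYPTION_DOMAIN = ["10.1.0.0/24", "10.1.1.0/24", "172.16.8.0/22", "198.51.100.0/24"]
INTERNAL_NETS = ["10.1.0.0/23", "172.16.8.0/24", "192.168.40.0/24", "198.51.100.0/24"]


def audit_encryption_domain(domain, internal_nets):
    """Return (collapsed, uncovered, public) for a split-tunnel client."""
    collapsed = list(ipaddress.collapse_addresses(
        ipaddress.ip_network(n) for n in domain))
    # Internal subnets not fully inside the domain: clients send that
    # traffic outside the tunnel, so users cannot reach them.
    uncovered = [n for n in map(ipaddress.ip_network, internal_nets)
                 if not any(n.subnet_of(d) for d in collapsed)]
    # Domain entries outside RFC 1918: the same addresses may exist on the
    # Internet, and the client will tunnel traffic meant for those hosts.
    public = [d for d in collapsed
              if not any(d.subnet_of(p) for p in RFC1918)]
    return collapsed, uncovered, public


def route_for(dest, domain):
    """Split-tunnel decision for one destination address."""
    addr = ipaddress.ip_address(dest)
    hit = any(addr in ipaddress.ip_network(n) for n in domain)
    return "tunnel" if hit else "direct"


if __name__ == "__main__":
    collapsed, uncovered, public = audit_encryption_domain(
        ENCRYPTION_DOMAIN, INTERNAL_NETS)
    print("domain:", [str(n) for n in collapsed])
    print("internal nets missing from domain:", [str(n) for n in uncovered])
    print("publicly numbered nets in domain:", [str(n) for n in public])
    for dest in ("10.1.1.7", "192.168.40.5", "198.51.100.20"):
        print(dest, "->", route_for(dest, ENCRYPTION_DOMAIN))
```

Running the audit against the real subnet inventory whenever the encryption domain changes catches a forgotten network before remote users report it.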