
Connectra Web Security Gateway

Data Sheet

Check Point protects every part of your network—perimeter, internal, Web—to keep your information resources safe, accessible, and easy to manage.

The NGX platform delivers a unified security architecture for Check Point perimeter, internal, and Web security.

PRODUCT DESCRIPTION
Check Point Connectra is a complete Web Security Gateway that provides SSL VPN access and integrated endpoint and application security.

PRODUCT FEATURES
■ Secure Web-based connectivity
■ Integrated endpoint security
■ Integrated application security
■ Flexible platform options

PRODUCT BENEFITS
■ Delivers clientless SSL VPN access to enterprise resources
■ Stops identity, password, and data theft on remote endpoints
■ Protects internal resources from attacks from unsecured endpoints
■ Integrates with existing network and security infrastructure
■ Provides deployment flexibility

NGX HIGHLIGHTS
■ SmartCenter™ centralized management integration
■ Centralized monitoring, reporting, maintenance, and updates

Connectra Web Security Gateway
Web connectivity with unmatched security

YOUR CHALLENGE
Browser-based SSL VPN for remote access has emerged as a convenient way to deliver easy anywhere access to the corporate network for remote employees and business partners. This approach simplifies access and decreases remote access costs. Yet enabling anywhere access from any endpoint complicates the process for securing information and IT resources.

For example, allowing browser-based access means that users may access the network from PCs not managed by the organization, such as home or airport kiosk PCs. These remote endpoints may have little or no security software or, worse, may have spyware or malware installed. Connectivity from unsecured endpoints exposes an organization to attacks and malicious activity through an SSL VPN gateway. Without effective management of the security of remote endpoints and protecting against attacks on SSL VPNs, the inherent simplicity of SSL VPN exposes an organization to additional threats.

OUR SOLUTION
Check Point Connectra™ is a complete Web Security Gateway that provides SSL VPN access and integrated endpoint and application security in a single, unified solution. By combining both connectivity and security in one solution, organizations can effectively deploy SSL VPNs safely and securely to a diverse set of users from the industry’s most reliable provider of intelligent security solutions.

The Connectra Web portal allows remote users to view email, browse Web links, access Web applications, access shared files, and run client/server applications from the convenience of a Web browser.

SECURE WEB-BASED CONNECTIVITY
Connectra is a gateway used by remote users to access resources on a corporate network via the Web. It provides both Web-based and network-level access over SSL. Through an integrated Connectra Web portal, users can access Web applications and resources and access shared files and email. For extra flexibility, administrators can customize the design of the Connectra Web portal, including support for multiple languages.

For non-Web, client/server applications, Connectra provides secure network-level access over the Web with SSL Network Extender™. Included with Connectra, SSL Network Extender is a browser plug-in that tunnels traffic from endpoint applications over SSL. It supports any IP-based application, including ICMP, TCP, and UDP without requiring complex configuration to support each application. And because it is capable of tunneling any IP application, it even supports applications like FTP and VoIP that create unique problems with their use of dynamic ports.

INTEGRATED ENDPOINT SECURITY
With the integration of a clientless version of Check Point Integrity™, the industry’s most trusted endpoint security solution, Connectra secures network resources from remote PCs—regardless of whether they are used and/or owned by employees or partners, customers, or other network guests. It enforces network security policy for SSL VPN connections, ensures session confidentiality, and keeps the organization secure.

Scans for spyware
To ensure that malicious processes, keystroke loggers, or Trojan horses are not installed on the remote endpoint, Connectra scans for these and other spyware through the remote user’s browser. By disabling spyware and enforcing baseline security requirements before it grants SSL VPN access, Connectra stops identity and password theft and prevents data loss. In addition, SmartDefense™ Services delivers real-time updates for endpoint security checks.

Enables secure access in unmanaged environments
To enable secure access even in unmanaged environments like an airport Internet kiosk PC, Connectra provides an integrated secure browser that encrypts session files such as emails, attachments, cookies, and passwords on the remote endpoint. This prevents sensitive corporate information from being viewed or stolen even after a session ends and the user leaves the PC.

Connectra can enforce an access policy requiring antivirus software and/or an installed firewall before a user is granted access. Users who are out of compliance are offered links to self-remediation resources. Once back in compliance, they are allowed to log in.

[Figure. Labels: Remote User; Organization; Connectra; SSL; Connectra Web Portal; HTTP, POP3, SMTP, IMAP, CIFS/SMB; SSL Network Extender; IP]

For network-level remote access, Connectra includes the SSL Network Extender browser plug-in to allow SSL remote access for any IP-based application.

Connectra integrated endpoint security checks for malicious processes on a remote endpoint and enforces baseline security before allowing network access. Connectra also offers users a secure browser option that encrypts all session data sent to the endpoint and erases it when the user logs off.

Administrators can also use Connectra to restrict access to individual resources based on the trust level of the endpoint and user. For example, one set of resources may be defined with a “high” sensitivity level and access allowed only if a remote endpoint provides strong authentication like token-based authentication and has current antivirus software installed and running. Similarly, another set of resources can be accessed only when someone is using the integrated secure browser.

INTEGRATED APPLICATION SECURITY
Integrated application security provided by Connectra for SSL VPN access ensures the integrity of internal applications. Integrated Stateful Inspection, Web Intelligence™, and Application Intelligence™ technologies offer protection against malicious activities and attacks over SSL VPN. For example, Connectra can prevent users from accessing confidential data using Directory Traversal or SQL Injection attacks, a particular concern in extranet environments. Connectra can ensure that worms cannot spread through SSL VPN when a remote user is tunneling native applications over SSL VPN. In addition, Connectra comes with a one-year SmartDefense Services subscription to ensure that integrated application protections are up to date.

EASY DEPLOYMENT AND MANAGEMENT
As a standalone solution that can be deployed in a network DMZ or on a trusted LAN, Connectra is easy and simple to install and manage. For deployments with an existing authentication database, Connectra can integrate with LDAP, RADIUS, or SecureID/ACE databases. Connectra also includes an internal database for organizations without existing authentication databases. For existing Check Point customers, a SmartCenter™ management server can be used for monitoring, reporting, maintaining, and updating Connectra from the same management infrastructure as VPN-1® and InterSpect™ gateways.

FLEXIBLE DEPLOYMENT OPTIONS
Connectra is available as an appliance or as software for open servers.

• Connectra appliance: preinstalled Connectra software on dedicated Check Point or OPSEC™ certified appliances. (For appliance information, please visit the Platform Selection Guide: www.checkpoint.com/products/protect/platforms.html.)

• Connectra software: a software solution for open servers. Connectra software installs SecurePlatform™, a hardened operating system, and Connectra software in less than 10 minutes.

[Figure. Labels: Remote User (Employees, Business Partners, Mobile Users, Employee Home PC); Internet; SSL; Check Point Connectra; Integrated Endpoint Security; Integrated Application Security; SmartCenter Management; Authentication Server (Optional); Email Server; Web Server; File Share Server; Non-Web Application Server]

To enable secure SSL VPN remote access, Connectra combines easy browser-based access with integrated endpoint and application security for Web connectivity with unmatched security.

An intuitive Web-based administrative interface lets you quickly configure resources and applications. Assigning a security sensitivity level to a resource will enforce specific security requirements of the endpoint before access is granted to the resource.

Worldwide Headquarters
3A Jabotinsky Street, 24th Floor
Ramat Gan 52520, Israel
Tel: 972-3-753-4555
Fax: 972-3-575-9256
Email: [email protected]

U.S. Headquarters
800 Bridge Parkway
Redwood City, CA 94065
Tel: 800-429-4391; 650-628-2000
Fax: 650-654-4233
www.checkpoint.com

Connectra specifications

CHECK POINT CONNECTRA APPLIANCE

CONNECTRA SOFTWARE
Connectra software on open server, running on Check Point SecurePlatform

Minimum system requirements
• CPU: Intel Celeron 2.4 GHz or equivalent
• Memory: 512 MB
• Disk space: 6 GB hard drive

Web connectivity

Secure connectivity
• SSL v.3, TLS
• RC4 (128), 3DES (128, 256), AES (128, 256)

Connectra Web portal
• Web: Static links, dynamic links, relative links, JavaScripts, Visual Basic, Citrix, Lotus iNotes
• Email access options:
  1) Integrated Web interface for email servers using IMAP
  2) Native email client via POP3S, SMTPS
  3) Outlook Web Access 2000 and 2003 access over SSL VPN
• File sharing: Windows SMB/CIFS. Native file browsing through Windows Explorer
• Languages: French, Italian, German, Spanish, Traditional and Simplified Chinese, Japanese
• Supported browsers: Internet Explorer 5.5+, Mozilla, Netscape 6+, Safari

SSL Network Extender
• ActiveX and Java plug-ins
• Application support: Any IP-based application: Citrix, FTP, ICMP, IMAP, POP, rlogin, SMTP, Telnet, TFTP, TN3270, VoIP, and more
• Networking options: Office Mode (internal IP address), DNS, and WINS support
• Supported operating systems: Windows 2000/XP, Linux

Authentication and authorization
• Active Directory, client certificates, internal database, LDAP, RADIUS, RSA SecureID
• Dynamic authorization grants access rights to resources based on authentication type or endpoint security scan results

Real-time security updates

SmartDefense Services
• Includes one-year subscription for real-time updates for Application Intelligence, Web Intelligence, and endpoint security protections

Integrated application security

Web attack protection
• Web Intelligence: protection against malicious code transferred in Web-related applications, worms, various attacks such as Cross-Site Scripting, Buffer Overflows, SQL Injections, Command Injections, Directory Traversal, and malicious HTTP code

Application level attack protection
• Application Intelligence for traffic in SSL Network Extender. Connectra actively protects organizations from both network and application attacks using Check Point’s Stateful Inspection and Application Intelligence technologies

Protection levels
• Resources are defined with sensitivity levels. Access authorized based on security of endpoint and authentication used

Cookie protection
• Cookies are protected and hosted on the gateway

Automatic timeout
• Automatic timeout of SSL VPN sessions, idle, and forced methods

Integrated endpoint security (optional add-on)

Spyware and malware detection
• ActiveX plug-in
• Detects and disables keystroke loggers, Trojan horses, worms, adware, browser plug-ins, dialers, third-party cookies, and other hacker tools and undesirable software

Quarantine browser and cache cleaning
• Encrypts session data on remote endpoints and fully deletes protected data after the session is completed

Host checking
• Checks for installed and updated antivirus software, PC firewalls, and other administrator-defined criteria before login

Reporting and remediation
• Policy compliance reporting: list unmet conditions by end user. Customizable remediation resources. Provide guidance and links to resources that enable out-of-compliance users to become compliant with enterprise access policy

Management

Web-based administration
• Web-based administration over SSL for configuration, monitoring, and maintenance
• Restrictions by IP address
• Configuration change logging

Centralized management
• SmartCenter (requires NGX platform)
• Secure Internal Communication, SmartView Tracker™, SmartView Monitor™, SmartView Status™, SmartUpdate™, SmartDefense Services

©2003-2005 Check Point Software Technologies Ltd. All rights reserved. Check Point, Application Intelligence, Check Point Express, the Check Point logo, AlertAdvisor, ClusterXL, Cooperative Enforcement, ConnectControl, Connectra, CoSa, Cooperative Security Alliance, Eventia, Eventia Analyzer, Eventia Reporter, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer, FloodGate-1, Hacker ID, IMsecure, INSPECT, INSPECT XL, Integrity, InterSpect, IQ Engine, Open Security Extension, OPSEC, Policy Lifecycle Management, Provider-1, Safe@Home, Safe@Office, SecureClient, SecureKnowledge, SecurePlatform, SecuRemote, SecureXL Turbocard, SecureServer, SecureUpdate, SecureXL, SiteManager-1, SmartCenter, SmartCenter Pro, Smarter Security, SmartDashboard, SmartDefense, SmartLSM, SmartMap, SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartViewTracker, SofaWare, SSL Network Extender, Stateful Clustering, TrueVector, Turbocard, UAM, User-to-Address Mapping, UserAuthority, VPN-1, VPN-1 Accelerator Card, VPN-1 Edge, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 VSX, VPN-1 XL, Web Intelligence, ZoneAlarm, ZoneAlarm Pro, Zone Labs, and the Zone Labs logo, are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. All other product names mentioned herein are trademarks or registered trademarks of their respective owners. The products described in this document are protected by U.S. Patent No. 5,606,668, 5,835,726, 6,496,935, 6,873,988 and 6,850,943 and may be protected by other U.S. Patents, foreign patents, or pending applications.

June 22, 2005 P/N 501861