What is our primary use case?
We use Check Point Remote Access VPN to provide access to our corporate network and resources to remote users in a secure way. Users have access that is limited or defined by the server.
Access is granted for identified devices post-posture validation.
Access should be provided via VPN using multifactor authentication other than username/credentials. Users are able to connect from anywhere at anytime using both mechanisms (i.e. User VPN client or browser).
This solution mitigates or minimizes data leakage issues.
It is stable and scalable and requires minimal management and access provisioning.
How has it helped my organization?
This solution has improved our organization by providing access to corporate resources in a secure fashion. It uses complete end-to-end encryption from the end-user machine to the VPN device.
Access policies are created on the firewall for restricting access to resources and applications based on the user profile/policy.
Our security gateway is integrated with Active Directory and access to resources/applications is provided based on the security group created in Active directory.
This product has inbuild/native integration with MFA solutions.
It does not require any additional hardware in cases where the organization already has the Check Point NGFW. The mobile access blade and remote access VPN can be enabled on the same security gateway. Check Point provides a common dashboard and management console used in conjunction with the NGFW.
Multiple access can be provided using multiple realms, based on the user ID or security group, and access can be provided accordingly. Each realm will have a pool of IP addresses for which access will be provisioned on the firewall.
What is most valuable?
Organizations that already use the Check Point NGFW Solution do not require any additional hardware, which makes the implementation straightforward and reduces the time to go live. The only requirement is to purchase an additional license from Check Point, and then enable the mobile access blade. After this, the solution is ready to roll out and provide access based on the configured policy.
Access is restricted based on user ID, security group, and device type.
Access is provisioned post-posture policy validation and it offers protection against users connecting to the corporate network from non-corporate devices, which minimizes data leakage possibilities.
Access is available from browsers or VPN clients using MFA. This is helpful in cases where the machine does not have the client installed or the client is corrupted.
We are able to restrict access based on geo-location and device type. Devices can be Android, iOS, Windows, or Linux.
It provides threat prevention capabilities while uses connect via VPN for Windows devices.
What needs improvement?
Access is provisioned based on a single L3 tunnel being established between the endpoint and the VPN device. If an attacker gains access to this session then all of the tunnel traffic is compromised. It needs to move to next-generation style access, provisioning such as per-app VPN.
The GUI interface for configuring the SSL VPN is not user-friendly and requires expertise.
Devices are exposed over the internet and it can lead to a security threat.
When a critical patch needs to be applied to the VPN, downtime is required for the entire NGFW. This can impact the business when it has a single security gateway.
This product cannot manage sudden user growth, as each security gateway has limitations in terms of performance and throughput.
The fully-featured security module is only supported on Windows and Mac systems, which means that organizations with Linux will face issues providing secure access. Specifically, modules such as Threat prevention, Access control, and Incident analysis are supported only on Windows and Mac.
What do I think about the stability of the solution?
It's very stable in terms of downtime, although it required updates.
What do I think about the scalability of the solution?
The solution can be easily scaled by adding a security gateway.
How are customer service and technical support?
The Check Point technical support is excellent.
Which solution did I use previously and why did I switch?
We used Aventail SonicWALL as a standalone product. We switched because it was expensive in terms of management and maintenance. As we already had Check Point NGFW, it was easy to enable the VPN on the same device.
How was the initial setup?
Enabling the VPN was simple and straightforward with the purchase of an additional license from the OEM. Once we acquired the license, it involved enabling the module on the security gateway. The solution was ready to go live within 10-15 minutes.
What about the implementation team?
The implementation was completed by our in-house team with the assistance of the OEM.
What's my experience with pricing, setup cost, and licensing?
Organizations that already have the Check Point NGFW need to purchase an additional license to have access to the VPN functionality.
Which other solutions did I evaluate?
We evaluated Pulse and Citrix before choosing this option.
What other advice do I have?
Traditional VPNs that work on L3 or L4, with a single VPN tunnel, are typically hosted on-premises. As organizations are adopting cloud computing, it makes sense to have a VPN solution hosted on the cloud for better control and security.
Which deployment model are you using for this solution?