This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
JC_S
Employee
Employee
‎2018-08-10 07:32 AM

Possible to 'hide' subnets outside of encryption domain

Scenario: Site A and Site B both have 'Secure' subnets.  Traffic to and from these subnets must be encrypted.  They also have 'User' subnets that are not secure and have high bandwidth consumption.  Any traffic from a User subnet to a Secure subnet must be encrypted in both directions, however, User to User traffic must not be encrypted (mostly due to bandwidth limitations over the VPN links).  There is both a VPN gateway and a Internet gateway, and they are on separate routing paths.

Currently, Site A and Site B Secure compromise their respective encryption domains.  If we were to add User to either encryption domain, we would have to forward 100% of traffic over the VPN, which will run into bandwidth issues.  However, if we don't add it, then any User traffic would not be considered interesting traffic and would be sent out in the clear even if destined for Secure.  Our thought is to create a NAT on each Site, then using routing to send back anything destined to the NAT back to the VPN gateway. This way, the User subnets can be added to the encrypt domain, but will only route over the VPN when the original destination is for Secure.

Does this sound feasible?

3 Replies
Danny
Champion Champion
Champion
‎2018-08-10 07:52 AM

You are a Check Point employee, so you should tell us.

Excluding subnets in encryption domain from accessing a specific VPN community

Just exclude the 'User' subnets of Site A from getting encrypted when trying to communicate to other 'User' subnets at Side B.

0 Kudos
JC_S
Employee
Employee
‎2018-08-10 08:10 AM
In response to Danny

Unfortunately, it wouldn't solve the bandwidth issue.  Once the traffic gets to the VPN gateway, it would be going on the same physical link whether it was encrypted or not.  That's why I was thinking of hiding it to trick the router.

The other solution I was considering was policy based routing on the router to cause any traffic with a source in the Secure networks to go over the VPN, but I've generally found PBR to be unreliable.

0 Kudos
Danny
Champion Champion
Champion
‎2018-08-10 08:27 AM
In response to JC_S

PBR will route it through another physical link.

You might need to pay attention on your address spoofing settings as well as the NAT configuration.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events