This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Shahar_Grober
Advisor
‎2019-04-08 03:07 AM

SNX vs IPSEC Security

Hi,

 

Are there any security risk created by using SNX technology 

I am forced to use SNX due to some Linux users.

I want to know what are the security risks that this technology creates vs. IPSEC 

Some thoughts:

1. You need to open a portal to the internet 

2. you use browsers  which can be vulnerable to MiTM attacks and other vulnerabilities 

3. which encryption algorithms are used with SSL - does CP update the encryption algorithms

4. client maintenance and troubleshooting with different OS/Browsers (Some of them still needs Java) 

 

 

 

 

0 Kudos
7 Replies
G_W_Albrecht
Legend
Legend
‎2019-04-08 04:44 AM

Legacy SNX uses the IP Sec Blade only, not MAB SSL VPN - so you better explain that you want to use MAB portal for Linux users ! For Linux CLI access, see Connection to VPN server from Linux with SecureID

To compare security features, the best place is sk67820: Check Point Remote Access Solutions !

 

CCSE CCTE CCSM SMB Specialist
0 Kudos
Shahar_Grober
Advisor
‎2019-04-08 05:56 AM
In response to G_W_Albrecht

Hi Gunthar,

Please refer to my questions instead of throwing SK's up in the air
Wolfgang
Authority
Authority
‎2019-04-08 10:58 AM

Hello Shahar,

at first you have to decide to use SNX only or SNX via MobileAccessBlade.

With MOB more features are available, like accessing fileshare, ActiveSync, WebApplication etc.

 

To your question, I'll answer for SNX only mode:

1. You need to open a portal to the internet 

>>> Yes, you open a portal on your gateway on Port 443, but only SNX (SSL extender is running there).

2. you use browsers  which can be vulnerable to MiTM attacks and other vulnerabilities 

>>> You have to use browser they are supporting JAVA " SSL Network Extender requires that Java is installed on the endpoint computer"

3. which encryption algorithms are used with SSL - does CP update the encryption algorithms

>>> You can see the supported encryption algorithm in SmartConsole global properties => Remote Access => SSL network extender => excryption (AES, 3DES). This changed from some releases. 

4. client maintenance and troubleshooting with different OS/Browsers (Some of them still needs Java) 

In my opinion this is a nightmare. If you have a client configuration that works, never change it. SNX is really nice, but with every browser or Java update you are starting a new long support session to get it running.

 

Shahar, as I read from your reply to Guenther you don't like sk articles, but I think for better understanding you should have a look at SSL extender and Mobile Access Portal and Java Compatibility - New Mobile Access Portal Agent technology

Wolfgang

PhoneBoy
Admin
Admin
‎2019-04-08 04:48 PM

There is a CLI-only client for Linux, but it's limited to 3DES/RC4: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

The browser-based clients are updated with modern ciphers the same as on Windows. 

The other risks you mention don't seem all that different from any other end user use of Linux/Windows (MITM possibility, keeping software up to date), but maybe I'm missing something.

Jerry
Mentor
Mentor
‎2019-04-09 01:20 AM

just my 5 cents - the only risk with all above mentioned is ... "Java".
there are no other indicators whatsoever except, SSL is much faster than IPSec (tcp vs udp) and is more flexible for Linux/Apple/Mobile users. That's all. All the factors you've been asking specifically are valid when designing solution for specific use or in a TELCO not ENTERPRISE environment. In my humble opinion SNX/MAB solution are very robust for again, all depends on the scale and purpose of the usage (users wise).
Jerry
Timothy_Hall
Champion Champion
Champion
‎2019-04-09 11:15 AM
In response to Jerry

> SSL is much faster than IPSec (tcp vs udp)

In the real world yes.  In theory IPSec should be faster than HTTPS/TLS as there is no in-depth error checking on the outer ESP packet header, and it is assumed the tunneled protocol will handle any packet loss/out of order issues.  Considering that the tunneled protocol is usually TCP this assumption is correct, and avoids the extra overhead of doing TCP twice.  However given the speed of systems & networks these days that extra TCP overhead is pretty negligible.

HTTPS/TLS is incurring the extra overhead of doing TCP twice, BUT is much more tolerant of adverse networking conditions that happen in the real world.  Low MTUs and fragmentation don't really hurt the performance of HTTPS/TLS, but massively screws up the performance of IPSec and lead to nasty hacks like TCP MSS Clamping that can get even more complicated when SecureXL is involved.  Intervening NAT between the two peers really doesn't affect HTTPS/TLS much, but forces the double encapsulation of IPSec traffic into UDP 4500 datagrams via NAT-T which incurs a ridiculous amount of additional overhead.

 

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
Shahar_Grober
Advisor
‎2019-04-09 02:07 PM
In response to Timothy_Hall

Thanks for the reply guys,

leaving performance aside, my concerns are due to the fact that SNX has too many moving parts which I don't have control of (browsers, portals, Java updates, thin clients). My first choice will always be to go with a fixed client. It works flawlessly once you start running with it. Security wise, as far as I understand, SNX might be good as long as the browser or the Java are not vulnerable.

Another point is that SNX is more than a hassle to provision than IPSec but with Linux users, I don't have a lot of choices. The best solution in my point of view would be to support a Linux client (Open VPN style) which supports SSL VPN, but I have already discussed it in a separate thread 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    Virtual

    Tue 23 Apr 2024 @ 11:00 AM (EDT)

    East US: What's New in R82
    Virtual

    Thu 25 Apr 2024 @ 11:00 AM (SGT)

    APAC: CPX 2024 Recap

    Thu 25 Apr 2024 @ 10:00 AM (CEST)

    The Anatomy of a Cloud Hack by NotSoSecure - EMEA Session

    Thu 25 Apr 2024 @ 06:00 PM (IDT)

    The Anatomy of a Cloud Hack by NotSoSecure - America Session
    Virtual

    Tue 30 Apr 2024 @ 03:00 PM (CDT)

    EMEA: CPX 2024 Recap
    Virtual

    Thu 02 May 2024 @ 11:00 AM (SGT)

    APAC: What's new in R82
    Virtual

    Tue 23 Apr 2024 @ 11:00 AM (EDT)

    East US: What's New in R82
    Virtual

    Thu 25 Apr 2024 @ 11:00 AM (SGT)

    APAC: CPX 2024 Recap
    Virtual

    Tue 30 Apr 2024 @ 03:00 PM (CDT)

    EMEA: CPX 2024 Recap
    Virtual

    Thu 02 May 2024 @ 11:00 AM (SGT)

    APAC: What's new in R82
    Virtual

    Thu 02 May 2024 @ 04:00 PM (CEST)

    CheckMates Live DACH - Keine Kompromisse - Sicheres SD-WAN
    Virtual

    Thu 02 May 2024 @ 05:00 PM (CEST)

    SASE Masters: Deploying Harmony SASE for a 6,000-Strong Workforce in a Single Weekend
    CheckMates Events