VPN-1 Certificate Manager integrates best-of-breed technologies into a complete PKI and user management solution. The Certificate Authority (CA) from Entrust Technologies provides comprehensive key lifecycle management. The LDAP-compliant directory from Netscape Communications stores the X.509 digital certificates for all VPN nodes, as well as the Certificate Revocation Lists (CRLs). Check Point Software has pre-configured these industry-leading technologies specifically for VPN-1, and integrated them with a unified installation and management interface.

Best-of-Breed Technologies
With VPN-1 Certificate Manager, Check Point Software delivers a Public Key Infrastructure which is easy to install, manage, and use. VPN-1 Certificate Manager is the only PKI customized for VPNs and designed specifically to integrate seamlessly with the Entrust-Ready™ capabilities of Check Point VPN-1 Gateway™ Solutions and VPN-1 SecuRemote™.

VPN-1 Certificate Manager is comprised of the following components:

• The Certificate Authority (CA) from Entrust Technologies enables companies to create and revoke X.509 digital certificates for strong authentication and encryption.
• The LDAP-compliant directory from Netscape Communications provides a scalable, centrally manageable solution for storing and retrieving all user information, including digital certificates.

The unified installation from Check Point Software dramatically simplifies installation and configuration of the PKI components. The award-winning Check Point management interface integrates certificates and other user-level security information into the overall enterprise security policy.

Scalability
The PKI and LDAP-compliant directory components of VPN-1 Certificate Manager provide the underlying technology to enable VPNs to support a growing number of users while preserving manageability.

For IKE VPN deployments there are two methods for authenticating the identities of VPN peers: pre-shared secrets and X.509-based digital certificates. While using pre-shared secrets may be practical for small VPN deployments, VPN-1 Certificate Manager provides a truly scalable PKI solution for key management for a large number of VPN nodes.

The Lightweight Directory Access Protocol (LDAP) is an extensible standard for directory servers. The LDAP-compliant directory in VPN-1 Certificate Manager includes schema definitions which store user-level security information, including X.509 digital certificates, for a virtually unlimited number of VPN users.

Manageability
VPN-1 Certificate Manager includes the Check Point Account Management client, an administrative GUI for managing all aspects of the user account lifecycle-identity, account information, security, and VPN attributes-along with the certificate lifecycle. This unified interface improves management efficiency, and minimizes the risks associated with data inconsistency which can occur when multiple administrative tools are in use. The Account Management client GUI also provides querying functionality and user templates, which aid in the ongoing management of user-level security attributes.

Industry Standards for Interoperability
Check Point VPN-1 solutions are ICSA-certified to adhere to the IPSec framework, the emerging standard for VPNs, therefore ensuring interoperability with other IPSec-compliant solutions in use by customers and business partners. VPN-1 Certificate Manager extends interoperability by enabling multiple sites and clients to utilize X.509 digital certificates and the Internet Key Exchange (IKE) for authentication and encryption.

Turnkey PKI
Solution for Scalable VPNs VPN-1 Certificate Manager enables network security managers to quickly add PKI capabilities to existing Check Point VPN-1 deployments. Each of the components has been pre-configured specifically for VPNs-customizations include schema modifications for Netscape Directory Server and streamlining of the Entrust PKI. The unified installation program consolidates all required inputs into a single window, and coordinates the installation of each component with the appropriate parameters.

Maximum Security
VPN-1 Certificate Manager provides maximum security by guaranteeing the authenticity of local and remote users as well as the privacy and integrity of network communications. While Check Point VPN-1 solutions offer a choice of authentication schemes, VPN-1 Certificate Manager uses X.509 digital certificates to provide the strongest user and site authentication mechanism currently available. Compliance with the IPSec/IKE standard enables gateways and clients to automatically determine and use the strongest possible encryption algorithms between them. By providing a state-of-the- art PKI, VPN-1 Certificate Manager maximizes the security of communications by securing keys within digital certificates, and by providing full key lifecycle management capabilities including certificate revocation.

Furthermore, VPN-1 Certificate Manager provides two types of secure client registration: off-line initialization, where the CA generates the key-pair and distributes it using either a hardware or software token; or on-line registration, where the certificate information is generated on the user's PC, securely transferred to the CA, signed by the CA, and then published on the LDAP directory server.

1. Turnkey PKI including best-of-breed Certificate Authority and Directory Server
2. Pre-configuration and unified installation of all components
3. Choice of hardware or software tokens for strong two-factor authentication
4. Account Management interface for managing user security information, including X.509 certificates
5. Delivers state-of-the-art security for scalable VPNs
6. Saves time and reduces complexity of multi-vendor solutions
7. Provides flexibility for both administrators and end users
8. Eases administration and reduces security risks through centralized user management