Thursday, January 20, 2011

What do the IP Pool features do in 4.1? They have something to do with NAT of inbound traffic, but why would one want to NAT inbound traffic?

The main reason for this new feature is to properly handle internal network routing when a company's internal network is connected to the Internet in multiple places.
Prior to version 4.1, if a SecuRemote VPN was established through one of the company's firewalls, the Internet-routable source IP address of the VPN client would have to be passed into the internal network. This works fine so long as the path back out to the Internet goes through the same firewall the original packets came in on.
However, several large companies now have multiple Internet connections, which poses a unique problem. If the Internet-routable source address enters through one firewall and the client then tries to access internal resources in another office that has its own Internet connection, there is a high probability that the return packets will be routed out through the second office's Internet connection, breaking the VPN. It is for this reason that Check Point added new functionality to allow you to "hide" incoming VPN traffic behind an internal pool address. This way, one can add specific internal routes for the pool range to get VPN return traffic back to the specific firewall it came from.
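The routing problem above, simulated as an added example (not code from the original post or from Check Point): a two-office topology is constructed with a hypothetical pool range `10.99.0.0/24` on the office A firewall, and office B's routing table is checked to see where a server's reply to a VPN client ends up, with and without IP Pool NAT.

```python
import ipaddress

# Constructed topology (assumption, not from the post): office A's firewall
# terminates the SecuRemote VPN; office B has its own Internet link and a
# default route to it. Only the hide pool range is explicitly routed to A.
POOL = ipaddress.ip_network("10.99.0.0/24")   # assumed IP Pool on firewall A

OFFICE_B_ROUTES = [
    (ipaddress.ip_network("10.1.0.0/16"), "office-A-firewall"),  # office A LAN
    (ipaddress.ip_network("10.2.0.0/16"), "local-LAN"),          # office B LAN
    (POOL, "office-A-firewall"),                                  # IP Pool route
    (ipaddress.ip_network("0.0.0.0/0"), "office-B-firewall"),    # own Internet link
]


def next_hop(dst, routes):
    """Longest-prefix-match lookup for the destination of the reply packet."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, hop in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def pool_nat(client_src, pool=POOL, index=7):
    """Hide the client's Internet address behind a pool address (index assumed)."""
    return str(pool[index])


def reply_path(client_src, use_pool_nat):
    """Return (next hop for the reply, whether it reaches the VPN firewall)."""
    src_as_seen = pool_nat(client_src) if use_pool_nat else client_src
    hop = next_hop(src_as_seen, OFFICE_B_ROUTES)
    return hop, hop == "office-A-firewall"


if __name__ == "__main__":
    client = "203.0.113.10"  # constructed VPN client address (documentation range)
    for nat in (False, True):
        hop, ok = reply_path(client, nat)
        print(f"pool NAT={nat}: reply goes to {hop}, VPN intact={ok}")
```

Without the pool the reply only matches office B's default route and leaves via the wrong Internet link; with the pool the /24 route wins the longest-prefix match and the reply returns to the firewall holding the tunnel.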
